In case the link goes away, here is a zip of the executable. crackme

I cheated on this one and used reflector. This was an excuse for me to try reflector out… so I started with that in mind.

The Checking code ends up being in crackme->WindowsFormsApplication4->Form1. You can deduce what most the buttons do. The relevant one turns out to be in asd. The keygen is basically straight from the verifying function found there, written in C#.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace keygen
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.Write("Name: ");
            string Name = Console.ReadLine();
            if (Name.Length < 4)
            {
                Console.WriteLine("Name must be 4 characters");
                Environment.Exit(0);
            }

            string str3 = "";
            char[] chArray = Name.ToCharArray();
            foreach (char ch in chArray)
            {
                int num2 = Convert.ToInt32(ch);
                string str4 = string.Format("{0:X}", num2);
                str3 = str3 + str4;
            }
            char[] array = str3.ToCharArray();
            Array.Reverse(array);
            string str5 = new string(array);
            if (str5.Length > 9)
            {
                str5 = str5.Remove(9, str5.Length - 9);
            }
            decimal num4 = Convert.ToDecimal(Convert.ToInt32(str5));
            double num5 = Math.Pow((double)Name.Length, 3.0);
            decimal num6 = Math.Round((decimal)(num4 * Convert.ToDecimal(num5)), 0);
            Console.WriteLine(num6);
        }
    }
}

You can download the binary here.  Be careful, it can erase you hd.

It is an elf binary, and it runs fine on Linux.  I ran in a (snapshotted) vm to hopefully mitigate some of the nasty things it could do – which luckily it did. It is packed with upx, which i found with strings, so first thing i unpacked it with upx-ucl.  From there, I backtraced it with IDA and found the correct path for the key (which is thermonuclear war -> US -> St. Petersberg run as root).  It then prints out the key before erasing your hd (more specifically your boot sector), so I put a breakpoint at the end to stop this from happening.

Anyway, this is a fun challenge.  good luck!

The easiest thing in the world is to get this thing to validate.  Just run it and put a breakpoint at 00401288, and look at the value in 00406749.  That’s it! You’re validated.

A lot more tricky was writing the keygen.  To do it, I just stepped through the code very slowly, and duplicated the logic. ugh.

Ok, now here is my keygen of the executable.  To simplify things, I just considered usernames that are 5 chacters long.  Note all the mods.  Longer usernames will work, but will require minor mods to the keygen (and I didn’t have the patience to step through the code again).

/**************************************************************************
 * keygen.c
 *
 * This crackme, while easy to break (just look at the end value) took
 * quite awhile to step through the key generating process, which includes
 * a lot of xoring with prestored constants and with itself. It's almost
 * like a small hash or something...
 *
 * To simplify things I only consider Usernames of 5 characters.  Otherwise
 * the code needs to be modified slightly
 *
 * ************************************************************************/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void usage() {
  printf("Usage: keygen <5-letter-username>\n");
  exit(0);
}

int main(int argc, char*argv[]) {

  if (argc != 2 || strlen(argv[1]) != 5) {
    usage();
  }

  char* username = argv[1];
  int i;
  /*initialize xorconst and xorop */

  /*xorconst is stored at */
  unsigned char xorconst[5];
  xorconst[0] = 0xAA;
  xorconst[1] = 0x89;
  xorconst[2] = 0xC4;
  xorconst[3] = 0xFE;
  xorconst[4] = 0x46;

  unsigned char xorop[5];
  for (i =0; i< 5; i++) {
    xorop[i] = 0;
  }

  /* calculate xorop, which is the value eventually stored at 0x40634a
     when the code finishes it's for loop at 0x401197 */
  xorop[4] = 0x46;
  for (i = 0; i<strlen(username)-1; i++) {
    xorop[i%5] = (unsigned char)(xorconst[i%5] ^ username[i]);
  }

  /*start second loop */
  /*initialize second xorconst */
  unsigned char xorconst2[5];
  xorconst2[0] = 0x78;
  xorconst2[1] = 0xF0;
  xorconst2[2] = 0xD0;
  xorconst2[3] = 0x03;
  xorconst2[4] = 0xE7;

  /* take xorop (and some more since we may need more than 5) and xor with
     the 40632D constant.
     To simplify, we'll only deal with 5 letter long unames for now */

  unsigned char xorop2[5];
  for (i = 0; i<strlen(username); i++) {
    xorop2[strlen(username)-i-1] = xorop[strlen(username)-i-1] ^ xorconst2[i];
  }

  /*xorop2 now contains the string in 0x40634a at 0x004011BD
    though it does change more */

  /*now do the third loop, starting at 0x4011d1 */
  /*initialize the third xorconst */
  unsigned char xorconst3[5];
  xorconst3[0] = 0xF7;
  xorconst3[1] = 0xFD;
  xorconst3[2] = 0xF4;
  xorconst3[3] = 0xE7;
  xorconst3[4] = 0xB9;

  unsigned char xorop3[5];
  for (i = 0; i<strlen(username); i++) {
    xorop3[i] = xorop2[i] ^ xorconst3[i];
  }

  /* xorop3 now contains 0x40634a at the end of the third loop ~ 0x4011F0 */
  /* and it appears xorop2 is stored at 0x406334 */

  /*looks like there's one more loop, then some garbage */

  /*the fourth loop xors xorop3[end to start] with xorconst4[starttoend]
    the xored result is stored in (reverse order) 40634a
    xorop3 is preserved at 406336 */

  unsigned char xorconst4[5];
  xorconst4[0] = 0xB5;
  xorconst4[1] = 0x1B;
  xorconst4[2] = 0xC9;
  xorconst4[3] = 0x50;
  xorconst4[4] = 0x73;

  unsigned char xorop4[5];
  for (i = 0; i<5; i++) {
    xorop4[5-i-1] = xorop3[5-i-1] ^ xorconst4[i];
  }

  /*xorop4 is now stored in 0040634a at the end of the fourth loop */
  /*xorop3 (al) is now stored at 406336 */

  /*loop 5 */
  /*ecx = 406345 (which is initially 0) AND 3
    bx = xorop4[i + ecx] + 00406345[i]
    final iteration:
      xorop5[0-3] = xorop4[allbutlast]
      xorop5[0] = xorop[0] + xorop[4]
    then xorop5 is stored in 406345
  */
  unsigned char xorop5[4];
  /*first copy xorop4, but xorop5[0] = xorop4[0] + xorop4[4]*/

  for (i = 0; i<4; i++) {
    xorop5[i] = xorop4[i];
  }
  xorop5[0] = xorop4[0] + xorop4[4];

  /*ends fifth loop xorop5 is in 406345 right before xorop4*/

  unsigned int remainder;

  /*this could probably be done with an __asm__, but this is fine*/
  unsigned int thisint = xorop5[3]*16*16*16*16*16*16 + xorop5[2]*16*16*16*16
                + xorop5[1]*16*16 + xorop5[0];

  char finalpass [20];
  i = 0;
  while (thisint != 0) {

    remainder = (thisint % 10) + 0x30;
    thisint = thisint / 10;
    finalpass[i] = remainder;
    i++;
  }

  int length = i;
  /*finalpass is the final password, but in reverse order */
  for(i=length-1; i>=0; i--) {
    printf("%c",finalpass[i]);
  } 

  printf("\n");
  return 0;
}

Here is a dump of the applicable assembly instructions with comments.

0040117A   > 8A0C16         MOV CL,BYTE PTR DS:[ESI+EDX]             ;  code to get 40634a stuff... has to do with length.
0040117D   . 8AD9           MOV BL,CL
0040117F   . 3298 28634000  XOR BL,BYTE PTR DS:[EAX+406328]          ;  xor with constant AA 89 C4 FE 46
00401185   . 40             INC EAX
00401186   . 83F8 05        CMP EAX,5                                ;  rehashes same 5 chars again and again
00401189   . 881C32         MOV BYTE PTR DS:[EDX+ESI],BL             ;  final compare value
0040118C   . 8888 27634000  MOV BYTE PTR DS:[EAX+406327],CL
00401192   . 75 02          JNZ SHORT crackme.00401196
00401194   . 33C0           XOR EAX,EAX
00401196   > 46             INC ESI
00401197   . 3BF5           CMP ESI,EBP                              ;  for i < len username
00401199   .^72 DF          JB SHORT crackme.0040117A
0040119B   . 33FF           XOR EDI,EDI
0040119D   . 33C9           XOR ECX,ECX
0040119F   . 85ED           TEST EBP,EBP
004011A1   . 76 26          JBE SHORT crackme.004011C9
004011A3   > 8A9F 2D634000  MOV BL,BYTE PTR DS:[EDI+40632D]
004011A9   . 8BF5           MOV ESI,EBP
004011AB   . 2BF1           SUB ESI,ECX
004011AD   . 4E             DEC ESI
004011AE   . 8A0432         MOV AL,BYTE PTR DS:[EDX+ESI]             ;  last character first in 40634a + srrlen?
004011B1   . 32D8           XOR BL,AL
004011B3   . 47             INC EDI
004011B4   . 881C32         MOV BYTE PTR DS:[EDX+ESI],BL
004011B7   . 8887 2C634000  MOV BYTE PTR DS:[EDI+40632C],AL
004011BD   . 83FF 05        CMP EDI,5
004011C0   . 75 02          JNZ SHORT crackme.004011C4
004011C2   . 33FF           XOR EDI,EDI
004011C4   > 41             INC ECX
004011C5   . 3BCD           CMP ECX,EBP
004011C7   .^72 DA          JB SHORT crackme.004011A3                ;  end loop
004011C9   > 33F6           XOR ESI,ESI
004011CB   . 33FF           XOR EDI,EDI
004011CD   . 85ED           TEST EBP,EBP                             ;  ebp begins as strlen?
004011CF   . 76 21          JBE SHORT crackme.004011F2
004011D1   > 8A043A         MOV AL,BYTE PTR DS:[EDX+EDI]             ;  0040634a + i
004011D4   . 8A8E 32634000  MOV CL,BYTE PTR DS:[ESI+406332]          ;  406332 constant???
004011DA   . 32C8           XOR CL,AL
004011DC   . 46             INC ESI
004011DD   . 880C3A         MOV BYTE PTR DS:[EDX+EDI],CL
004011E0   . 8886 31634000  MOV BYTE PTR DS:[ESI+406331],AL
004011E6   . 83FE 05        CMP ESI,5
004011E9   . 75 02          JNZ SHORT crackme.004011ED
004011EB   . 33F6           XOR ESI,ESI                              ;  esi = esi % 5
004011ED   > 47             INC EDI
004011EE   . 3BFD           CMP EDI,EBP
004011F0   .^72 DF          JB SHORT crackme.004011D1                ;  end loop
004011F2   > 33FF           XOR EDI,EDI                              ;  start fourth loop
004011F4   . 33C9           XOR ECX,ECX
004011F6   . 85ED           TEST EBP,EBP
004011F8   . 76 26          JBE SHORT crackme.00401220
004011FA   > 8A9F 37634000  MOV BL,BYTE PTR DS:[EDI+406337]
00401200   . 8BF5           MOV ESI,EBP
00401202   . 2BF1           SUB ESI,ECX
00401204   . 4E             DEC ESI
00401205   . 8A0432         MOV AL,BYTE PTR DS:[EDX+ESI]
00401208   . 32D8           XOR BL,AL
0040120A   . 47             INC EDI
0040120B   . 881C32         MOV BYTE PTR DS:[EDX+ESI],BL
0040120E   . 8887 36634000  MOV BYTE PTR DS:[EDI+406336],AL
00401214   . 83FF 05        CMP EDI,5
00401217   . 75 02          JNZ SHORT crackme.0040121B
00401219   . 33FF           XOR EDI,EDI                              ;  edi = edi%5
0040121B   > 41             INC ECX
0040121C   . 3BCD           CMP ECX,EBP
0040121E   .^72 DA          JB SHORT crackme.004011FA                ;  end fourth loop
00401220   > 8D3D 45634000  LEA EDI,DWORD PTR DS:[406345]            ;  is 406345 a constant???
00401226   . 33C0           XOR EAX,EAX                              ;  start fifth loop
00401228   . 85ED           TEST EBP,EBP
0040122A   . C705 45634000 >MOV DWORD PTR DS:[406345],0
00401234   . 76 17          JBE SHORT crackme.0040124D
00401236   > 8BC8           MOV ECX,EAX
00401238   . 83E1 03        AND ECX,3                                ;  ecx = eax%3
0040123B   . 8A1C0F         MOV BL,BYTE PTR DS:[EDI+ECX]
0040123E   . 8D340F         LEA ESI,DWORD PTR DS:[EDI+ECX]
00401241   . 8A0C02         MOV CL,BYTE PTR DS:[EDX+EAX]
00401244   . 02D9           ADD BL,CL                                ;  bl = bl + cl
00401246   . 40             INC EAX
00401247   . 3BC5           CMP EAX,EBP
00401249   . 881E           MOV BYTE PTR DS:[ESI],BL                 ;  eventually eax == this
0040124B   .^72 E9          JB SHORT crackme.00401236                ;  end fifth for loop
0040124D   > 5D             POP EBP
0040124E   . B9 0A000000    MOV ECX,0A                               ;  ecx = 10
00401253   . A1 45634000    MOV EAX,DWORD PTR DS:[406345]            ;  eax = ??
00401258   . 33DB           XOR EBX,EBX
0040125A   > 33D2           XOR EDX,EDX
0040125C   . F7F1           DIV ECX                                  ;  edx:eax = edx:eax/ecx
0040125E   . 80C2 30        ADD DL,30
00401261   . 8893 49654000  MOV BYTE PTR DS:[EBX+406549],DL          ;  move char of serial here
00401267   . 43             INC EBX
00401268   . 85C0           TEST EAX,EAX
0040126A   .^75 EE          JNZ SHORT crackme.0040125A
0040126C   . 68 49654000    PUSH crackme.00406549                    ; /String = ""
00401271   . E8 86010000    CALL <JMP.&kernel32.lstrlenA>            ; \lstrlenA
00401276   . 33DB           XOR EBX,EBX
00401278   > 8A88 48654000  MOV CL,BYTE PTR DS:[EAX+406548]
0040127E   . 888B 49674000  MOV BYTE PTR DS:[EBX+406749],CL
00401284   . 43             INC EBX
00401285   . 48             DEC EAX
00401286   .^75 F0          JNZ SHORT crackme.00401278
00401288   . 68 49674000    PUSH crackme.00406749                    ; /String2 = ""
0040128D   . 68 49654000    PUSH crackme.00406549                    ; |String1 = crackme.00406549
00401292   . E8 5F010000    CALL <JMP.&kernel32.lstrcpyA>            ; \lstrcpyA
00401297   . 68 00020000    PUSH 200                                 ; /Count = 200 (512.)
0040129C   . 68 49694000    PUSH crackme.00406949                    ; |Buffer = crackme.00406949
004012A1   . 6A 64          PUSH 64                                  ; |ControlID = 64 (100.)
004012A3   . FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hWnd
004012A6   . E8 E5000000    CALL <JMP.&user32.GetDlgItemTextA>       ; \GetDlgItemTextA
004012AB   . 68 49654000    PUSH crackme.00406549                    ; /String2 = ""
004012B0   . 68 49694000    PUSH crackme.00406949                    ; |String1 = ""
004012B5   . E8 36010000    CALL <JMP.&kernel32.lstrcmpA>            ; \lstrcmpA
004012BA   . 0BC0           OR EAX,EAX
004012BC   . 75 16          JNZ SHORT crackme.004012D4
004012BE   . 6A 40          PUSH 40                                  ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004012C0   . 68 DB624000    PUSH crackme.004062DB                    ; |Title = "Good boy..."
004012C5   . 68 AC624000    PUSH crackme.004062AC                    ; |Text = "Yep, thats the right code!
Go write a keygen!"
004012CA   . FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hOwner
004012CD   . E8 CA000000    CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA
004012D2   . EB 14          JMP SHORT crackme.004012E8
004012D4   > 6A 10          PUSH 10                                  ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004012D6   . 68 06634000    PUSH crackme.00406306                    ; |Title = "Bad boy..."
004012DB   . 68 E7624000    PUSH crackme.004062E7                    ; |Text = "Nope, thats not it!
Try again"
004012E0   . FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hOwner
004012E3   . E8 B4000000    CALL <JMP.&user32.MessageBoxA>           ; \MessageBoxA