Thursday, April 24, 2014
Application 9 creating keygen

Solving the application 9 challenge by developing a keygen (spoiler free).

I just solved this challenge and decided to share my experience.
There are several ways to solve it. Other articles about the application 9 challenge explain how to reach the password at the end, but that is not what the challenge asks for (a keygen). So if you want to pass this challenge quickly, read the other articles on the topic; otherwise, prepare to create a keygen.
First run crackme1.exe. Explore it. What do you see? There are two text boxes (Username and Code), one button and a menu. In the menu there is an interesting item (Hint). Press it. A message box appears with the text: "You need to see what the app does with your name!". So it seems that the program encodes the username somehow, and maybe that is the Code. Try typing something in the Username and Code text boxes and press the Try It button. A message box with the error message "Sorry, Try Again" appears.
Now let’s see this in debugger.
I'm using OllyDbg, like most crackers do today, I think. Open crackme1.exe in Olly and search for all referenced text strings. There is our error message "Sorry, Try Again" as well as the congratulations message "Well done, you did it!". Double-click on one of these references. You will be brought to the code that displays the message box with the corresponding message. This is the end of the code-checking logic. Here you could solve the challenge by changing a single instruction, but our purpose is to create a keygen, not just to solve the challenge. So move up until you see a reference to the GetWindowTextA WinAPI function. Here the program reads the data from both text boxes, Username and Code, and stores it in global variables. Right after that the username encoding begins.

To see what happens next, put a breakpoint after GetWindowTextA, click Debug/Run, enter some username (better with at least 8 characters) and some code, and hit Try It. You will now hit the breakpoint in Olly. Begin tracing the code with F8 (Step Over) and watch what happens in the code, in the stack and in the registers. The encoding algorithm is very simple. It seems that only 8 characters of the username are used for the code generation. Step over and write down (in a text editor or wherever you like) all the calculations that the program does with your username.
After several lines you will reach this code:
00401305 |. 57 PUSH EDI
After this line, several lines of code are repeated 8 times. If you manage to figure out what one of these code fragments does, creating the keygen will be very easy.
At the end of those 8 fragments there is a check that compares the calculated code with your code, and if they are equal, then enjoy.
So at this point you must know how the Username becomes the Code. If you don't, try tracing it all over again.
I wrote my keygen in C++; you can use any language, even PHP if you want. The rest is just to implement the instructions you wrote down during tracing in your keygen source and to try the resulting Code on the crackme1 application.

This became more of an Olly tutorial than an Application 9 guide, but I hope there will be people who find it helpful.


system_meltdown on May 10 2006 - 18:19:49
Nice article, this should help a few who are stuck on this
lukem_95 on September 10 2006 - 14:30:10
I have no idea how to get the algorithm :'(
icebraker101 on December 30 2006 - 11:37:36
smack300 on January 13 2007 - 07:43:26
Holy crap, I'm lost
DigitalFire on May 02 2007 - 00:47:35
Beat app 9 before reading this, but yeah, good article.
kakebok on May 17 2007 - 16:27:30
This was indeed a good article, beat app 9 now :)
ludis on May 02 2011 - 14:35:33
Thanks for the article :) helped me a lot