Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07

  • Published: 11 Sep 2024
  • InfoSec clickbait title by BuzzSec! Key validation with Algorithm and creating a Keygen - Part 1/2
    #ReverseEngineering

Comments • 321

  • @Tymon0000
    @Tymon0000 6 years ago +376

    You need to add some catchy 8bit tunes to your keygen.

    • @TheMrKeksLp
      @TheMrKeksLp 5 years ago +30

      That's the most important part!

    • @yurandeveloper6958
      @yurandeveloper6958 5 years ago +63

      Super Loud! Without a mute button.

    • @yellowcrash10
      @yellowcrash10 5 years ago +4

      Ideally, Unreal Superhero 3.

    • @ndumisoradebe5256
      @ndumisoradebe5256 5 years ago +1

      Please help me: how did he modify the programme, and what is a keygen?

    • @slendi9623
      @slendi9623 5 years ago +4

      Let's not forget about female characters!

  • @jaronandnat
    @jaronandnat 7 years ago +163

    Your channel is my very favorite thing that I've found on RUclips. I would really really appreciate if after modifying your scripts, you could pause for literally one second before saving your file. Throughout the series I've had to pause/unpause as fast as I could to make sure I wasn't missing any changes you made. Huge thanks again for the channel and love your attitude/personality.

    • @gafeht
      @gafeht 6 years ago +43

      Use the , and . keys to navigate the video frame by frame.

    • @markusjohansson2945
      @markusjohansson2945 6 years ago

      Not easy if the focused window is not RUclips.

    • @Juliodax
      @Juliodax 5 years ago

      Zoom in, highlight some parts, is good too. But thanks in advance anyway. Great job.

    • @justinforalook1564
      @justinforalook1564 4 years ago +5

      @@gafeht THIS, is what I learned from this video. Thanks! The rest was over my head, but interesting to watch.

  • @hollyy238
    @hollyy238 11 months ago +5

    For anyone using rizin (fork of radare), the main difference is that you don't specify an address to set a breakpoint at with the "db" command anymore. You have to seek to where you want to set it with "s ", then you can set a breakpoint with "db"

  • @achrefthameur
    @achrefthameur 4 years ago +28

    For those who were unable to understand, just learn more about C pointers and how addresses are stored; it will help a lot.

    • @elikelik3574
      @elikelik3574 4 years ago +2

      any good resource?

    • @Ebotchl23
      @Ebotchl23 4 years ago

      If anyone is reading this later and confused about pointers a good way to understand them a lot better is to go through the arduous process of dynamic memory allocation in C.

  • @otkchk
    @otkchk 8 years ago +12

    Holy crap. Man, finally some really interesting stuff. I really thought that there are a lot of videos for beginners in Linux or programming, and no videos for middle/senior specialists. That totally blew my mind. Thanks!

  • @santiagomuniz9824
    @santiagomuniz9824 4 years ago +12

    For those who are watching this video with an earlier version of radare2, the use of the afvn function changed: now it is "afvn new_name old_name" (without the quotes)

    • @alojzybabel4153
      @alojzybabel4153 4 years ago

      They should also change the step-over [Shift]+[S] to be the default (without having to hold the [Shift] key pressed). Because it is more frequent (at least for me) to stay at the current level of code than digging into function call tree depth-first :q I can press the [Shift] key when I need to go deeper.

    • @lowlight-beats9731
      @lowlight-beats9731 4 years ago

      I have some trouble with getting the breakpoints to work. I always get the error "base addr should not be larger than the breakpoint address." After setting the breakpoint with "db 0xEXAMPLE", when I run the program with oop it doesn't stop at the breakpoint.
      In another crackme, the program stopped at a breakpoint, but that was different from the one I set before, and also I was not able to set the rip afterwards. Can you help me with that?

    • @lukaaxdw
      @lukaaxdw 2 years ago

      @@lowlight-beats9731 I have the same problem, did you solve it maybe?

    • @lowlight-beats9731
      @lowlight-beats9731 2 years ago

      @@lukaaxdw sorry man, I don't think I found a fix but I can't remember, it's been a while :)

  • @beaugalbraith3242
    @beaugalbraith3242 7 years ago +64

    radare2 comes with a tool to convert values, rax2. So instead of using python you could have done: "rax2 0x394" in another terminal, or even better just run "!rax2 0x394" inside of radare2.
    Thanks for the tutorials!

  • @TheSkepticSkwerl
    @TheSkepticSkwerl 6 years ago +22

    After watching this I realize how far I have to go

  • @amy-dn2xq
    @amy-dn2xq 6 years ago +1

    probably the best tech related explanation channel on youtube

  • @MrLuke255
    @MrLuke255 7 years ago +83

    How did you know my brain turned off?! :D

    • @Gunth0r
      @Gunth0r 6 years ago +20

      because, as he said in the beginning, every system is crackable

    • @Trigger-ZX
      @Trigger-ZX 2 years ago

      @nameless google account savage; i like it

  • @julians.2597
    @julians.2597 6 years ago +66

    I don't understand a thing, but the videos are actually informative and interesting to watch; I'm just too bad

    • @last1570
      @last1570 6 years ago +11

      DarkHunterxD
      No You are just inexperienced :)

    • @CodeAsm
      @CodeAsm 6 years ago +6

      Practise and fail a lot ;) Don't be afraid to fail a lot. (And do actually follow the examples; those are meant to be finished and will give you a good feeling, instead of directly starting to attack this $1000 program that has server-side hashing and encryption everywhere.)
      It's weird that sometimes a simple jmp can make a program be registered.

  • @lnxtrix6964
    @lnxtrix6964 3 years ago

    You sound like Mr. Robot actually explaining vulnerabilities and exploits. Love you man!! You're the best!

  • @morososaas3397
    @morososaas3397 2 years ago +1

    8:00 where we move "i" into the EAX register was so confusing for me until I understood that RAX is the 64-bit "container" that includes EAX, which is the first 32 bits of that "container", and when we move i to EAX, that basically means the same thing as if we moved i to RAX, since it lives in the same "container". So basically they are the same place, just referring to different parts of the same place. I initially thought of them as different "containers" for data and that's why I didn't understand this part. I hope my rambling may be of help for somebody. I learnt this from "Learn Assembly Programming - Introduction to Registers" by Daniel Ross if anybody is interested in learning more.

  • @SirKalasel
    @SirKalasel 7 years ago +6

    I know you probably are going to answer this in the continuation of the video, but since I had to stop watching because class started, I wanted to ask it before I forget :D:
    Isn't addition not a good way to do so?
    because few keys can have the same sum..
    That feels like something that has to do with a hash function,
    if you hash your key, with a good hash function, you're going to hope that each value has a different output,
    Like in mathematics there's an "Injective function", which means that:
    if f(x) is equal to f(y),
    then the only option for that is if x is equal to y. An injective function would do the work, but I really think that
    this is not that easy to find, and for example,
    if f(x) is x, then we have to compare it to the string, in the code, which is problematic, because we have to store the string somewhere, so that's kind of a puzzle...
    Please correct me if I'm wrong, but that's how I understood it,
    Thanks and have a great day!!

  • @renep.1435
    @renep.1435 2 months ago

    "Don't worry if you get lost for the next minute."
    No problem, I was already lost.

  • @alkeryn1700
    @alkeryn1700 6 years ago +5

    You could use rax2 (comes with radare) to convert types
    Also, a nice thing about it is that you can pipe it to "rev" for string literals

  • @mtothem1337
    @mtothem1337 6 years ago +4

    Everyone thought Denuvo would stop game piracy. But lo and behold, it got steamrolled and is no longer relevant apart from being a delaying factor.

  • @sahilsharma-hj4gq
    @sahilsharma-hj4gq 3 years ago +1

    dude maybe I am too dumb. this video took me 2 hours to finish... tf...
    but you are awesome... the way you explain things.

  • @0xSN1PE
    @0xSN1PE 4 years ago

    This is the video I've been looking for after practicing on reverse engineering, creating your own challenges helps a lot!!!
    Thank you Liveoverflow!

  • @GrandpaGameHacker
    @GrandpaGameHacker 8 years ago +3

    Enjoying the videos so far :)

  • @IdahoPhelan
    @IdahoPhelan 3 years ago +2

    Management: "Make it uncrackable!" Developer: (SMH) Listen we can't make it uncrackable, we can add some countermeasures that may or may not increase the duration in which it takes someone to break into the system. If someone wants in bad enough they will break the system.

  • @anshulkanwar1
    @anshulkanwar1 3 years ago +2

    at 3:14, You can directly evaluate hex value using radare2, like this "? 0x394"

    • @hollyy238
      @hollyy238 11 months ago

      in rizin (fork of radare), you can use "% 0x394"

  • @Tornnaz
    @Tornnaz 5 years ago +16

    0:41 algorrrirrrr:) sorry

  • @FuckingGolems
    @FuckingGolems 7 years ago +18

    I have a dumb question. No matter which way the key is stored, in the end there's still an if-else somewhere right? So can't you just change the value returned by the if-statement to "true"?

    • @LiveOverflow
      @LiveOverflow  7 years ago +24

      yes absolutely! Just sometimes it's more elegant to create a keygen. Or there are so many if-else conditions spread around the whole program, that it's tedious to change them all.

    • @sayamqazi
      @sayamqazi 5 years ago +3

      @smt Yeah of course.

    • @silverzero9524
      @silverzero9524 5 years ago

      smt ok, I will try that later after I gain a little more knowledge and then come back to this series

    • @statinskill
      @statinskill 5 years ago +1

      smt Which is why the thing to do is to take the information from the license key to influence various game variables, like say change a character's weight simulated by a physics engine just barely so that you can just barely not make the jump to a platform on a specific level, or that a certain key needed to unlock a door is not on the map, or other game events just don't take place. Good luck with beating that because you will be test playing and debugging a game for weeks. In fact it could be rigged that there are tons of bad license keys for every good one and they all do unlock the game but then set things up like I describe above.
      I'll bet delaying the penalty until some point near the middle of the game will persuade a number of people to go and buy a license key. In fact they could mention some of these pitfalls on their support site. "Can't find bla or bla does not appear after I did bla: The solution is very simple: click here to purchase the game". In future a good license protection will infuse code algorithmically with subtle dependencies on the license state, something you will not be able to fix with turning a jmp instruction into a bunch of nops.

    • @statinskill
      @statinskill 5 years ago

      Sayam Qazi Yes of course they can use a known good key but with good obfuscation methods it should be made hard to track down where exactly an initial calculation involving the license state occurs, that influences another calculation subtly from which later in a different thread say the strength of a boss's armor is calculated.

  • @alojzybabel4153
    @alojzybabel4153 4 years ago +3

    12:45 Or instead of reverse engineering the key descramble algorithm, you can just use it in your code to do the hard work for you :) (that is, turn the original program into a keygen).

    • @erensuner5957
      @erensuner5957 4 years ago

      I think patching would undermine his purpose. Since he's teaching re, not understanding what the program won't do good.

  • @Cyberfoxxy
    @Cyberfoxxy 6 years ago +7

    "Then you should find a way to prevent people from RE'n it." Managers don't do logic,

  • @longlostwraith5106
    @longlostwraith5106 5 years ago

    Just fyi, you don't need to cast a char to int, because in an arithmetical expression it's done so automatically. C converts types lower than int *to* int in calculations.

  • @JoeBob79569
    @JoeBob79569 8 years ago

    Great job! It's rare to find videos with no dislikes.. :-)

  • @hanno3083
    @hanno3083 5 years ago +4

    So I had some problems setting the breakpoint at 3:30 because radare told me: "Cannot place a breakpoint on 0x00000768 unmapped memory.See e? dbg.bpinmaps". I googled a little bit and found an answer to a Stack Overflow question that solved my problem. I had to compile my C program with the flag "-no-pie" to make it an ELF executable. If I don't do that it is an ELF shared object.
    So my questions are: what is the difference between an ELF shared object and an ELF executable, how come that error didn't happen to you, and is what I'm doing a sensible solution?

    • @LiveOverflow
      @LiveOverflow  5 years ago +3

      almost. It's not a shared object. PIE (position independent code) is typical for shared objects, but you can also have normal programs compiled with this. basically this means it has full ASLR.
      So my compiler didn't default to full ASLR (PIE).
      Shared objects are just like executables, they just miss the entrypoint to actually execute anything. Because they are libraries that can be used by other programs. So it's a binary you can link in your code, and call the functions in that shared object. For example libc is such a shared library.

    • @plasmoxy
      @plasmoxy 5 years ago +1

      Is it possible that you had ASLR disabled on your system when you added new breakpoints after reloading with "ood"? I just spent a few hours trying to figure out why all my addresses got messed up after ood :D I mean the program can be continued (with dc) and runs normally, but since ASLR kicked in and I guess r2 remembered the old function analysis, I just got "invalid" instructions when pdf. Even "aaa" after "ood" doesn't do anything.
      So how do you effectively debug PIE binaries with r2? I mean do I have to reload the whole r2 and set my breakpoints again just to rerun the program? :D
      Also maybe it's a bug ( github.com/radare/radare2/issues/13439 ) because even by disabling ASLR with rarun2 it just doesn't work and analyses invalid stuff.
      I'm lost for now lol

    • @plasmoxy
      @plasmoxy 5 years ago +1

      ok looks like this behaviour isn't or cannot be implemented yet in r2 (github.com/radare/radare2/issues/12914)
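
The replies above turn on one fact: a default gcc build is a PIE (ELF type ET_DYN, the same type as a shared object) and gets relocated to a random base at run time, while `-no-pie` produces ET_EXEC, which is mapped at the addresses the disassembly shows. That is why a breakpoint on the bare file address 0x768 lands in unmapped memory. The script below is an added example, not code from the video or from radare2; it reads the `e_type` field out of an ELF header and rebases a static address for the DYN case. The two header blobs are constructed in the script itself (only the fields the parser reads carry meaningful values), and the load base 0x555555554000 is just a typical value, not one taken from the page. Telling a PIE executable apart from a real library would need the program headers (PT_INTERP), which this example does not parse.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_NAMES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def parse_elf_header(data: bytes) -> dict:
    """Read word size, endianness, e_type, e_machine and e_entry from an ELF header."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]      # 1/2 = 32/64-bit, 1/2 = little/big endian
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    if ei_class == 2:
        (e_entry,) = struct.unpack_from(endian + "Q", data, 24)
    else:
        (e_entry,) = struct.unpack_from(endian + "I", data, 24)
    return {
        "bits": 64 if ei_class == 2 else 32,
        "type": ET_NAMES.get(e_type, hex(e_type)),
        "machine": e_machine,
        "entry": e_entry,
    }


def runtime_address(header: dict, static_addr: int, load_base: int) -> int:
    """Where an address from the static disassembly lives once the program runs.
    ET_EXEC is mapped at its linked address, so 0x400768 stays 0x400768;
    ET_DYN (PIE) is relocated, so 0x768 becomes load_base + 0x768, which is
    why a breakpoint on the bare 0x768 hits unmapped memory."""
    if header["type"] == "EXEC":
        return static_addr
    if header["type"] == "DYN":
        return load_base + static_addr
    raise ValueError("not a loadable executable image")


def make_header(e_type: int, entry: int, bits: int = 64) -> bytes:
    """Constructed sample ELF header (little-endian) for this demo."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\x00" * 8
    if bits == 64:  # e_type, e_machine (x86-64), e_version, e_entry, e_phoff, e_shoff, e_flags, sizes/counts
        body = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    else:           # same layout with 32-bit address fields, e_machine = i386
        body = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, entry, 52, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + body


# gcc -no-pie output: ET_EXEC with a fixed entry; default gcc output: ET_DYN (PIE)
NO_PIE_SAMPLE = make_header(2, 0x400560)
PIE_SAMPLE = make_header(3, 0x640)

if __name__ == "__main__":
    for name, blob in (("no-pie", NO_PIE_SAMPLE), ("pie", PIE_SAMPLE)):
        h = parse_elf_header(blob)
        print(f"{name}: {h['bits']}-bit {h['type']} entry=0x{h['entry']:x}")
    # the breakpoint from the comment above, rebased onto an assumed PIE mapping
    print(hex(runtime_address(parse_elf_header(PIE_SAMPLE), 0x768, 0x555555554000)))
```

On a real file, `parse_elf_header(open(path, "rb").read(64))` gives the same answer as `readelf -h`'s "Type:" line; with a DYN result the breakpoint address has to be computed from the mapping the debugger reports after the process has started.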

  • @jonatanshimon5867
    @jonatanshimon5867 7 years ago +5

    in python you can just
    sum([ord(c) for c in key])

  • @Not_Even_Wrong
    @Not_Even_Wrong 9 months ago

    Such a cool toy example. Thank you so much for these.

  • @almightyhydra
    @almightyhydra 7 years ago +22

    Pronouncing "array" with the stress on the first syllable... (and "parameter" with stress on 3rd syllable instead of 2nd)
    Braces on the same line as the block.....
    No space between operators and operands...!
    8 WIDTH INDENTING!!!
    #triggered
    Seriously though, good tutorials, enjoyed the vids. :)

    • @LiveOverflow
      @LiveOverflow  7 years ago +7

      hahhaha

    • @GRBtutorials
      @GRBtutorials 5 years ago +6

      Braces on the same line as the block is the only reasonable choice! It saves vertical space, makes the code easier to read, and it’s beautifully aligned with the block instead of being thrown in another arbitrary line.

    • @2Pzp
      @2Pzp 5 years ago

      braces, _* cough, cough _* python, *_ cough, cough *_

    • @alojzybabel4153
      @alojzybabel4153 4 years ago

      @@2Pzp It's quite hard to use indentation in text templates :q And it's a pain to edit the indentation after you copy-paste some code from a different place with a different indentation scheme :q Braces? They always work.

    • @2Pzp
      @2Pzp 4 years ago

      +Alojzy Bąbel Indentation? Just Ctrl + Shift + L that shit! PC PyCharm Python masterrace ;) Braces are for dummies ;) Pozdrowionka Bąbel ;)

  • @gaymergrill
    @gaymergrill 6 years ago +1

    I know this video was put up 2 years ago, but did you change any settings for radare? Your instructions read as "mov dword [rbp - 0x18], 0" but mine reads as "mov dword [local_18h], 0" in visual mode. This isn't that big of a deal because I still understand and follow along with everything, but I was wondering if this is due to a preference saved/set somewhere or if this is just how the program displays instructions since it's been updated since. I haven't been able to find anything online talking about it.

  • @moncefessaoudi5465
    @moncefessaoudi5465 4 years ago

    In this case the key "aaaaaaaaa+" is correct: "a" = 97 (dec) and "+" = 43 (dec); (97*9) + 43 = 916. You must use a regular expression to specify the format of the key.
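
The comment above, the one-liner `sum([ord(c) for c in key])` earlier in the thread, and the later question about hashing the key with SHA-256 all concern the same weakness: a byte-sum check accepts every string with the right sum. The block below is an added example, not code from the video or its license_2.c; it models the toy check, counts how many strings over an alphabet share the sum (by dynamic programming over partial sums, so it does not enumerate strings), adds the format rule the comment suggests (the regex is a constructed one that happens to match the video's key), and contrasts it with a SHA-256 comparison. The target constant 0x394 and the key "AAAA-Z10N-42-OK" come from the thread; the expected digest is derived in the script for the demo rather than taken from anywhere.

```python
import hashlib
import re
import string

# Constructed toy check modelled on the video's license_2.c: the program sums
# the byte values of the key and compares the sum with 0x394 (916).
TARGET_SUM = 0x394

# The key from the video; "aaaaaaaaa+" from the comment above has the same sum.
VIDEO_KEY = "AAAA-Z10N-42-OK"

# Hypothetical format rule in the spirit of the comment's "use a regular
# expression": four alphanumerics, four alphanumerics, two digits, two letters.
KEY_FORMAT = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[0-9]{2}-[A-Z]{2}$")


def byte_sum(key: str) -> int:
    """Sum of the ASCII values of the key, as the toy program computes it."""
    return sum(ord(c) for c in key)


def sum_check(key: str) -> bool:
    """Weak validation: every string whose bytes add up to TARGET_SUM passes."""
    return byte_sum(key) == TARGET_SUM


def sum_check_with_format(key: str) -> bool:
    """Sum check plus a format rule: the regex rejects junk like 'aaaaaaaaa+',
    but every well-formed key with the right sum still passes."""
    return bool(KEY_FORMAT.match(key)) and sum_check(key)


def count_keys_with_sum(length: int, alphabet: str = string.ascii_uppercase,
                        target: int = TARGET_SUM) -> int:
    """Number of strings of `length` characters over `alphabet` whose byte sum
    equals `target`. Counted by dynamic programming over partial sums, so it
    stays cheap even where enumerating the strings would not. A large count
    means the sum pins down very little about the key."""
    counts = {0: 1}
    for _ in range(length):
        nxt = {}
        for partial, n in counts.items():
            for c in alphabet:
                s = partial + ord(c)
                if s <= target:
                    nxt[s] = nxt.get(s, 0) + n
        counts = nxt
    return counts.get(target, 0)


def sha256_check(key: str, expected_hex: str) -> bool:
    """Stronger validation as discussed further down the thread: compare a
    SHA-256 digest, so the binary stores the digest, not the key or a sum."""
    return hashlib.sha256(key.encode()).hexdigest() == expected_hex


# Digest the program would embed; derived here from VIDEO_KEY for the demo.
EXPECTED_DIGEST = hashlib.sha256(VIDEO_KEY.encode()).hexdigest()


if __name__ == "__main__":
    for k in (VIDEO_KEY, "aaaaaaaaa+"):
        print(f"{k!r:20} sum={byte_sum(k)} sum_check={sum_check(k)} "
              f"format+sum={sum_check_with_format(k)} "
              f"sha256={sha256_check(k, EXPECTED_DIGEST)}")
    print("12-char uppercase strings with sum 916:", count_keys_with_sum(12))
```

As the replies further down note, the hashed comparison only removes the shortcut of deriving a key from what the binary stores; the comparison is still a branch, and patching the branch is unaffected by how the key is checked.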

  • @GameGlitch1012
    @GameGlitch1012 6 years ago +3

    for those who are getting errors:
    open your terminal and type the following commands :-
    gcc license_2.c -no-pie -o license_2
    radare2 -zzz license_2
    ... and now follow the video and there will be no errors. ; )

    • @sheilasquires5065
      @sheilasquires5065 3 years ago

      Love you, can you please explain what you did so I can gain some knowledge

  • @metaorior
    @metaorior 6 years ago +3

    Could you make a general guide for Ubuntu/Linux ?
    Like environment setup , workflow , some commands in terminal
    Thanks :b

  • @nishanmaharjan4840
    @nishanmaharjan4840 7 years ago +2

    I really like your videos

  • @ih8tusernam3s
    @ih8tusernam3s 4 years ago

    His English has gotten much better.

  • @slycooper5428
    @slycooper5428 1 year ago

    Phenomenal and still relevant.

  • @hamuto
    @hamuto 6 years ago

    I really don't know how to thank you for everything that you did, but I'll try, so thank you

  • @epgielow
    @epgielow 6 years ago +1

    Amazing information!! Thanks dude, for your channel existing!!

  • @bobhardcore6707
    @bobhardcore6707 6 months ago

    if you say "Continuum" to someone suicidal they'll live forever lol

  • @UT2k4kid
    @UT2k4kid 7 years ago +4

    I've got a problem, when I ood like in the third minute, I get a warning message
    WARNING: bin strings buffer is too big use -zzz or set maxstringbuf
    when I go on and try to set the breakpoint it says:
    Cannot place a breakpoint unmapped memory.
    nevertheless awesome series, keep it up!

    • @UT2k4kid
      @UT2k4kid 7 years ago +2

      Nevermind i just had to restart it manually like
      r2 -d license_2 wrongkey

    • @UT2k4kid
      @UT2k4kid 7 years ago

      when I set the address that the rip is pointing to, it just puts out
      selecting and continuing
      child stopped with pid 11

    • @iffinity7704
      @iffinity7704 7 years ago +2

      Try to use gcc with -no-pie flag

    • @hiteshchopra9181
      @hiteshchopra9181 6 years ago

      Son Goku, did you fix that? I am facing this, please tell me how to fix it

    • @GameGlitch1012
      @GameGlitch1012 6 years ago

      I solved it.
      open your terminal and type the following commands :-
      gcc license_2.c -no-pie -o license_2
      radare2 -zzz license_2
      ... and now follow the video and there will be no errors. ; )

  • @ernestomartinez4418
    @ernestomartinez4418 7 years ago +2

    If someone is curious about ASCII values of the key: '65+65+65+65+45+90+49+48+78+45+52+50+45+79+75'

    • @realNAKAMI
      @realNAKAMI 6 years ago

      1 line in python3:
      '+'.join([str(ord(x)) for x in license_key])

    • @SweetHyunho
      @SweetHyunho 6 years ago

      I believe a bunch of people can just read that immediately. For common people, that'd seem like reading raining green code.

  • @mequambluespark8686
    @mequambluespark8686 7 years ago +4

    Why can't you make the key algorithmic? Make the program scramble itself differently based on the different input keys; then the key would never even touch the binary, only the algorithm to scramble the code would

    • @aldobernaltvbernal8745
      @aldobernaltvbernal8745 4 years ago

      then how would you know if a correct key even exists, and if it did, how long would it be? You can't have users typing a key that's 1024 characters long

  • @ybygaming4229
    @ybygaming4229 3 years ago +1

    Why doesn't it let me rename the variable? radare2 calls it "var_14h" for me, so I do "afvn var_14h i" and it says "cant find var by name"

  • @oldmontiOG
    @oldmontiOG 2 years ago +2

    KEYGEN
    if you play Deltarune you know why it's written like that

  • @nikunjchapagain5654
    @nikunjchapagain5654 6 years ago +1

    I got confused in one part that deals with rax. When we say rax points to a string and rax+8 is being assigned to rdx. Isn't it pointing to the second character?

    • @kieranp5780
      @kieranp5780 2 years ago

      This is a bit late 😂. But for anyone else who is struggling with this like I did, it is adding 8 to get to the next input argument in argv, which is the string, then grabbing the character from that string with i. Points to this bit: argv[1][i]

  • @rastakiwi3899
    @rastakiwi3899 6 years ago

    There is an error at 8:10. rax+3 points to the 4th 'A', not the 3rd. Indeed, rax+0 points to the 1st byte of the key (1st 'A').

  • @intheatmosphere2090
    @intheatmosphere2090 4 years ago

    Hi, I'm new in the domain! I just want to have fun burn key generators for Microsoft products! Can I do that?!? Thanks for taking the time to reply to this comment!

  • @Xevailo
    @Xevailo 6 years ago

    Very interesting video, as I had always asked myself how keygens actually worked. Now I thought about how to avoid such attempts and came to the following -admittedly naive- idea:
    Given your key has a length of N characters, divide your key in two chunks we call A and B. Now we calculate the sum of each chunk again, but add some more bloating to considerably blow up the resulting number. That could for example be done by generating a few permutations of A and B respectively and / or by using some -maybe even dynamic- multiplicator for each character's value. The goal would be to turn both chunks A and B into two huge prime numbers. The check would then be the product of the two numbers, like "if ( A*B == C)".
    Since by reverse-engineering the program, an attacker could only find C and not the primes used to generate it, wouldn't we essentially force the attacker to reverse-engineer RSA?
    To make things even harder, A and B could even overlap or be hashed with KECCAK before the bloating, but I am not sure whether we would limit our own choice of valid keys too much by that. After all, if there is only one possible character combination that solves this problem for an arbitrary C, we could ditch the process entirely since each and every customer would get the same key.

  • @onurcanbektas6638
    @onurcanbektas6638 5 years ago +1

    I'm confused: at 08:15, how does "add rax, rdx" add 3 to the start of the array? I mean, rdx points to the beginning of the text "AAAA-...", and rax points to argv[1] (I guess), and we are adding the registers directly, which I don't know what that is supposed to do.

    • @LiveOverflow
      @LiveOverflow  5 years ago +1

      rax first points to argv (not argv[1]). Then you: add 0x8 to rax.
      After that you load argv[1] into rdx, by doing: mov rdx, [rax].
      now in rdx you have a pointer to argv[1].
      Then we load the iterator/counter i into rax.
      At 8:15 we then add the counter i (rax) to argv[1] (rdx).

    • @onurcanbektas6638
      @onurcanbektas6638 5 years ago

      @@LiveOverflow where is the iterator loaded into rax? I see only the value of rbp-i being loaded into eax.

    • @LiveOverflow
      @LiveOverflow  5 years ago +1

      ah, now I understand your confusion. You are getting confused by the assembler notation here.
      "RBP-i" is already renamed to indicate this is the address of the iterator/counter "i".
      In "reality" the instruction would be something like: mov eax, dword [rbp+0x12]
      We know that local variables are typically addressed with offsets from the basepointer like: [rbp+0x12]
      So here in the disassembly you see it being renamed to reflect which local variable it is: [rbp+0x12] -> [rbp-i]
      In the first line you see a local variable that was not renamed and still has the generic [rbp-local_6].
      long story short, that is exactly the line where the value of "i" is loaded into eax.

    • @onurcanbektas6638
      @onurcanbektas6638 5 years ago

      @@LiveOverflow but as you said, the value of "i" is loaded to eax, not rax.

    • @LiveOverflow
      @LiveOverflow  5 years ago +2

      EAX is RAX. EAX is 32bits of the 64bit wide RAX register.
      I explain that somewhere :D I would have hoped I did that in this or a previous video - but might also be a later one.
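
The exchange above (and the earlier questions about rax+8, rax+3 and EAX versus RAX) describes a five-instruction walk: rax = argv, add 8 to reach &argv[1], load argv[1] into rdx, load i into eax, add the two and fetch one byte. The script below is an added example, not code from the video or from radare2; it executes that sequence on a constructed little-endian memory image holding an argv array and the video's key, with the "i" kept in a modelled rax/eax register so the zero-extension behaviour can be seen. Memory addresses (0x1000 for argv, 0x2000 for the strings) are arbitrary choices for the model, and the instruction sequence is the one given in the reply, not a verbatim copy of the disassembly.

```python
import struct

POINTER_SIZE = 8  # x86-64: argv[] holds 8-byte pointers, hence "add rax, 8"


def build_process_memory(argv_strings, argv_addr=0x1000, str_addr=0x2000):
    """Construct a tiny little-endian memory image: the argv pointer array at
    argv_addr (NULL-terminated, like the real one) and the NUL-terminated
    strings it points to, starting at str_addr. Returns (memory, argv_addr)."""
    mem = bytearray(0x3000)
    cursor = str_addr
    for idx, s in enumerate(argv_strings):
        data = s.encode() + b"\x00"
        mem[cursor:cursor + len(data)] = data
        struct.pack_into("<Q", mem, argv_addr + idx * POINTER_SIZE, cursor)
        cursor += len(data)
    struct.pack_into("<Q", mem, argv_addr + len(argv_strings) * POINTER_SIZE, 0)
    return mem, argv_addr


def set_eax(regs, value):
    """A write to the 32-bit EAX zero-extends into the full 64-bit RAX: after
    'mov eax, ...' the upper half of RAX is zero, so 'add rax, rdx' sees i."""
    regs["rax"] = value & 0xFFFFFFFF


def load_qword(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]


def key_char_at(mem, argv_addr, i):
    """Run the instruction sequence from the reply above on the model and
    return argv[1][i] (0 at the terminating NUL)."""
    regs = {"rax": 0, "rdx": 0}
    regs["rax"] = argv_addr                     # mov rax, [rbp-local]   ; rax = argv
    regs["rax"] += POINTER_SIZE                 # add rax, 8             ; rax = &argv[1]
    regs["rdx"] = load_qword(mem, regs["rax"])  # mov rdx, [rax]         ; rdx = argv[1]
    set_eax(regs, i)                            # mov eax, dword [rbp-i] ; rax = i
    regs["rax"] += regs["rdx"]                  # add rax, rdx           ; rax = &argv[1][i]
    set_eax(regs, mem[regs["rax"]])             # movzx eax, byte [rax]  ; eax = argv[1][i]
    return regs["rax"]


def sum_key_bytes(mem, argv_addr):
    """The loop of the toy checker: add up argv[1][i] until the NUL byte."""
    total, i = 0, 0
    c = key_char_at(mem, argv_addr, i)
    while c != 0:
        total += c
        i += 1
        c = key_char_at(mem, argv_addr, i)
    return total


if __name__ == "__main__":
    mem, argv = build_process_memory(["./license_2", "AAAA-Z10N-42-OK"])
    print("argv[1][3] =", chr(key_char_at(mem, argv, 3)))   # offset 3 is the 4th 'A'
    print("argv[1][4] =", chr(key_char_at(mem, argv, 4)))   # offset 4 is '-'
    print("sum =", sum_key_bytes(mem, argv))                 # 916 == 0x394
```

Offsets are zero-based, which is the point raised about 8:10: rax+3 is the fourth character of the key, and rax+4 is the first dash.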

  • @SweetHyunho
    @SweetHyunho 6 years ago

    Do they still use an explicit "legit or not" branches? I would say integrate the key check (or online validation) with the program itself. Make an encrypted box of memory which is mixed with data, and obscure the exact effect of the key on the operation of the software. It will simply misbehave provided with a wrong key, and finding a keygen would be debugging the entire software. How about that?

  • @oliverilmjarv1340
    @oliverilmjarv1340 5 years ago +2

    me at the end of the video "...what ??"

  • @squidgaurd6927
    @squidgaurd6927 1 year ago

    seventh video finished. jesus h christ, took two whole afternoons. now to keep going, info sec gig here he go.✊

  • @fndcrewmaster
    @fndcrewmaster 5 years ago

    So, if we build a program with our own proprietary coding software and own engineering, it would be impossible to crack that program, right?

  • @John-mz8rj
    @John-mz8rj 2 years ago

    On a time trial where is the information stored on the hard drive to let it know the expiry time is over.

  • @typedeaf
    @typedeaf 5 years ago

    On my sandbox, I have radare2 0.9.6. When I do VV, it launches my browser to create the flow graph in graphviz, then loads the web version of radare2. Any idea how to force it to use ASCII graphs? Also, V! doesn't give me any 'boxes', like your view. Any ideas? Thanks for the videos.

  • @DM-qm5sc
    @DM-qm5sc 4 years ago +1

    Z1on, 42-OK? Zion is the meaning of life and OK? Nah BDS

  • @icespearept
    @icespearept 9 months ago +1

    may you help me cracking a domestic software?

  • @matchanalyst5306
    @matchanalyst5306 1 year ago +1

    hi all! I need help with extending a trial software forever. can someone help?

  • @ksaspectre
    @ksaspectre 5 years ago +1

    The best way to make Uncrackable Programs is to make sure the user doesn't even have the source code on their machine.

  • @artemis-arrow3098
    @artemis-arrow3098 2 years ago +1

    here is another valid key ~~~~~~~"

  • @AbcXyz-rn2lz
    @AbcXyz-rn2lz 4 years ago

    Unless key decrypts stuff then you just inline.... Armadillo first did it years ago with symmetric. Even then just inline key or decryption handler with leaked key

  • @Erarnitox
    @Erarnitox 5 years ago

    nothing to do with the video but if you really want to make a program uncrackable: for small programs they could be crypted and decrypted at runtime with the serial key as decryption key. To check if the correct key was entered it could be compared in hashed version like most web apps do
    edit: to me that would be "uncrackable" ... or am i missing something? Ofc. this would only be reasonable for very small programs

    • @sayamqazi
      @sayamqazi 5 years ago

      In the end once you find a program working you can just snapshot it. OR. You can modify the binary to skip that check and return true in any case

  • @SourceCodeDeleted
    @SourceCodeDeleted 5 years ago

    How do you make the ascii rabbit?

  • @phanthanhquyen
    @phanthanhquyen 7 years ago +1

    thanks for sharing

  • @trifalgarh
    @trifalgarh 4 years ago

    Hi
    I recently found this channel and I am about 4 years late to the party. As I try to follow the instructions I get stuck at the point where I try to set the breakpoint. It says "Cannot set a breakpoint on unmapped memory."
    Is it because every-time I re-run r2 in debug mode using "ood" the address changes? Or is there a different reason?
    Thanks!

    • @MRGolum
      @MRGolum 4 years ago

      I don't have any experience in r2 but this type of problem mostly occurs in gdb because addresses change when you run program so, set a break point on main and after executing...set other breakpoints...

  • @devooverkill426
    @devooverkill426 5 years ago

    guys, use gdb-peda for more colorful output and more.. it helped me a lot

  • @lizard450
    @lizard450 3 years ago

    Not much you can do to stop a patch.. part 2 was very interesting, but you can easily prevent someone making a keygen with pub/priv verification.

  • @mika2666
    @mika2666 7 years ago +8

    or just have a server side check :) but that would also be hard to keep people from faking responses etc...
    tldr: infosec is hard

    • @Dennis19901
      @Dennis19901 6 years ago +3

      It's not that difficult.... kinda.
      Just make sure some information is missing for the application to function properly.
      Make people buy or subscribe to user-accounts that hold their data for instance.
      In terms of encryption, the password is the missing bit that prevents the decryption from returning sensible data.
      Making sure people don't crack standalone applications is impossible though.

    • @Dennis19901
      @Dennis19901 6 years ago

      FCore It's kind of impossible to crack an online service. The best you can do is spend many many hours reverse engineering an entire service solely based on network traffic, which will be useless in the end. No more updates, no more support, no other users.

    • @Dennis19901
      @Dennis19901 6 years ago +1

      FCore When a server is used only for licensing, you're likely not missing any data.
      I'm talking about a server that is necessary for the client to perform its tasks. Simplest example would be a browser using a webserver

    • @Dennis19901
      @Dennis19901 6 years ago

      Even a lot of real-time applications need a client-server architecture. The most famous example of real-time client-server examples would probably be any multiplayer game.
      Tbh, the delay isn't that bad in most cases and you can take a lot of steps to compensate for said delay.

  • @amd9918
    @amd9918 3 года назад

    The first one, since you just sum it... so I can write the key in any order? Or just put in any key, as long as the total sum is the required sum?

    • @amd9918
      @amd9918 3 years ago

      nvm, I think you did that already at the end xD, I skipped it
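To make the question in the comment above concrete: as the comments describe the first crackme, the check only adds up the byte values of the key and compares the total with 916, so the order of the characters does not matter and a keygen only has to hit the target sum. The following is an added example written for this page, not LiveOverflow's code from the video; the constant 916 and the add-up-the-characters check are taken from the comments here, while the alphabet, the key length and the function names are my own choices.

```python
import itertools
import random
import string

# Check as described in the comments: add up the character values of the key
# and compare with 916 (0x394). The constant comes from the page; nothing
# else here is the crackme's own code.
TARGET_SUM = 916
ALPHABET = string.ascii_letters + string.digits   # my choice of key alphabet


def check_key(key: str) -> bool:
    """Additive check: accept the key if its byte values sum to TARGET_SUM."""
    return sum(key.encode("ascii")) == TARGET_SUM


def keygen(length: int, seed: int = 0) -> str:
    """Generate a random alphanumeric key of `length` characters that passes check_key.

    Pick length-1 characters at random, then solve for the last one so the
    total is exactly TARGET_SUM; retry when that last value is not in ALPHABET.
    """
    lo, hi = min(map(ord, ALPHABET)), max(map(ord, ALPHABET))
    # A sum of `length` characters can only lie in [length*lo, length*hi].
    if not length * lo <= TARGET_SUM <= length * hi:
        raise ValueError(f"no key of length {length} over this alphabet sums to {TARGET_SUM}")
    rng = random.Random(seed)
    while True:
        prefix = [rng.choice(ALPHABET) for _ in range(length - 1)]
        last = TARGET_SUM - sum(map(ord, prefix))
        if lo <= last <= hi and chr(last) in ALPHABET:
            return "".join(prefix) + chr(last)


def permutations_pass(key: str, limit: int = 50) -> bool:
    """Addition is commutative, so any reordering of a valid key is also valid."""
    reorderings = itertools.islice(itertools.permutations(key), limit)
    return all(check_key("".join(p)) for p in reorderings)


def count_valid_keys(length: int) -> int:
    """How many keys of this length over ALPHABET pass the check (dynamic
    programming over partial sums), i.e. how much freedom a keygen has."""
    counts = {0: 1}                      # partial sum -> number of prefixes
    for _ in range(length):
        nxt = {}
        for partial, n in counts.items():
            for ch in ALPHABET:
                total = partial + ord(ch)
                if total <= TARGET_SUM:
                    nxt[total] = nxt.get(total, 0) + n
        counts = nxt
    return counts.get(TARGET_SUM, 0)


if __name__ == "__main__":
    key = keygen(10)
    print(key, check_key(key), permutations_pass(key))
    print("valid 10-char keys:", count_valid_keys(10))
```

Because only the total is checked, `keygen` never has to reproduce the key the author had in mind; the feasibility check at the top also shows why very short keys cannot pass at all (seven alphanumeric characters sum to at most 854) and why the key in the video needs a certain minimum length.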

  • @securitysections164
    @securitysections164 8 years ago

    You're a genius, man..!!!

  • @RobertoSantos-ne4us
    @RobertoSantos-ne4us 6 months ago

    Is it OK to make a keygen for Avast Premium Security antivirus? Could you make a tutorial showing how to do it?

  • @bets2823
    @bets2823 7 years ago

    so great!

  • @GaryTaylorvw
    @GaryTaylorvw 4 years ago

    Hi, I'm using a software that has a dongle emulator, and also has Sentinel LDK. I keep getting Sentinel internal error 0x7101. Is there a way to remove / bypass Sentinel in my software so it works without a license? I paid a lot for it from a 3rd party seller who was selling it a hell of a lot cheaper than the original developer, and I feel like he has me by the balls as he keeps charging me to fix the error... if using OllyDbg, what do I need to look out for to bypass it?

  • @mannyddd5871
    @mannyddd5871 6 years ago

    This is great

  • @Handlessuck1
    @Handlessuck1 5 years ago

    this video is great

  • @temporarydisposable5493
    @temporarydisposable5493 4 years ago

    I am a total noob in these kinds of things, but I had only one question popping up in my mind: why does every PC game get cracked except online games?

  • @aalalagikun5492
    @aalalagikun5492 2 years ago

    If you do a hash of the key (like SHA256) and then do a simple string comparison, I guess the only way at cracking it would be brute force right?

    • @henriklmao
      @henriklmao 1 year ago

      Or just jumping around that

  • @user_0586
    @user_0586 3 years ago

    you got a subscriber

  • @sundetected
    @sundetected 6 years ago +1

    Dude.. how do you know all that? My head is gonna explode...

    • @theheliosmen
      @theheliosmen 5 years ago +2

      Learn the basics of ASM.
      Write your own "CrackMes" and analyze and crack them through reversing.
      Then crack some other CrackMes.
      Learn things about hooks (detour functions).
      And a lot of trial and error ^^

  • @MFVideos2ndChannel
    @MFVideos2ndChannel 4 years ago

    what is the value of "rax" in "add rax, rdx"?

  • @myaccount5946
    @myaccount5946 1 year ago

    Very interesting stuff, but the fonts are tiny and hard to see.

  • @niektuytel9519
    @niektuytel9519 4 years ago

    Any info about how to set my radare2 0x00000000 (and sometimes 0x000000000000) to one value that will be used everywhere?

  • @collinkreutzer8414
    @collinkreutzer8414 6 years ago

    Why wouldn't you just hash the key and compare it with the known hash? Even using MD5 it would seem to be much harder (if not impossible) to brute-force a long serial key containing numbers and letters.

    • @CodeAsm
      @CodeAsm 6 years ago

      crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value or just nop/jmp over the hashcheck.
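The two ideas raised in the comments, comparing a hash of the key against an embedded digest (this thread and the earlier question about SHA256) and verifying a license with a public/private key pair (the earlier comment about pub/priv verification), side by side. This is an added example written for this page, not code from the video or from LiveOverflow: the example key, the user name and the function names are constructed for the demo, and the signature part uses toy textbook RSA over two small Mersenne primes purely so it runs without a library. Treat the RSA part as an illustration of the asymmetry only; a real product uses a proper library and key sizes. Neither variant does anything about the other point made in the replies, that the branch which consumes the result can still be patched or jumped over.

```python
import hashlib
import hmac
import itertools

# --- Variant 1: compare a hash of the key with a digest embedded in the binary ---
# Only the digest ships with the program, so nothing in it can be turned back
# into a keygen; an attacker is left with brute force (or with patching the
# branch that consumes the result, which this check does not prevent).

VALID_KEY = "Xk7-Qm2"                   # constructed example key for this demo
EMBEDDED_DIGEST = hashlib.sha256(VALID_KEY.encode()).hexdigest()


def digest_of(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def check_hashed(key: str, embedded: str = EMBEDDED_DIGEST) -> bool:
    # compare_digest avoids leaking where the strings differ through timing
    return hmac.compare_digest(digest_of(key), embedded)


def brute_force(alphabet: str, max_len: int, embedded: str = EMBEDDED_DIGEST):
    """Exhaustive search; cost is the sum of len(alphabet)**n over the lengths
    tried, so only short keys over small alphabets fall to this."""
    for n in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=n):
            key = "".join(cand)
            if check_hashed(key, embedded):
                return key
    return None


# --- Variant 2: license signed with a private key, verified with the public key ---
# Toy textbook RSA over two Mersenne primes so the example needs no library.
# NOT secure (tiny modulus, no padding, hash reduced mod N); a real product
# uses a library with Ed25519 or RSA-PSS. The property it shows is the
# asymmetry: the program embeds only (N, E), while forging a license needs D.

P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent (coprime to (P-1)(Q-1))
_D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, vendor side only


def _hash_to_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def issue_license(user: str, private_d: int = _D) -> str:
    """Vendor side: sign the user name; license format is 'user:signature-hex'."""
    sig = pow(_hash_to_int(user.encode()), private_d, N)
    return f"{user}:{sig:x}"


def check_signed(license_str: str) -> bool:
    """Client side: verify with (N, E) only; a keygen would need _D."""
    try:
        user, sig_hex = license_str.rsplit(":", 1)
        sig = int(sig_hex, 16)
    except ValueError:                  # missing separator or non-hex signature
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _hash_to_int(user.encode())


if __name__ == "__main__":
    print(check_hashed(VALID_KEY), brute_force("ab", 4, digest_of("abba")))
    lic = issue_license("alice")
    print(lic, check_signed(lic), check_signed(lic.replace("alice", "bob")))
```

The hash variant answers the brute-force question: the search cost grows exponentially in the key length, so a long alphanumeric key is out of reach, while a two-letter alphabet with four characters falls in 30 tries. The signed variant is what stops a keygen rather than just slowing it down: every value needed to verify is in the binary, but the value needed to produce a new valid license is not.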

  • @KingHunter911
    @KingHunter911 2 years ago +1

    KEYGEN

  • @lowlight-beats9731
    @lowlight-beats9731 4 years ago

    I have some trouble getting the breakpoints to work. I always get the error "base addr should not be larger than the breakpoint address." After setting the breakpoint with "db 0xEXAMPLE", when I run the program with oop it doesn't stop at the breakpoint.
    In another crackme, the program stopped at a breakpoint, but that was different from the one I set before, and I was also not able to set the rip afterwards. Can you help me with that?

    • @SparklehorseFiesta
      @SparklehorseFiesta 4 years ago

      I'm having the same breakpoint problem right now... did you ever figure it out?

    • @SparklehorseFiesta
      @SparklehorseFiesta 4 years ago

      Commenting again in case anyone else has this problem: I got it to work by re-entering the s sym.main and pdf commands, then doing the breakpoint with the address on the jne

    • @lowlight-beats9731
      @lowlight-beats9731 4 years ago

      SF Thanks, I think I found another way to do it, it was some time ago... but thank you!

  • @retroke6560
    @retroke6560 5 years ago +1

    or just bypass that by deleting those code lines

  • @SexoBeatIndia
    @SexoBeatIndia 4 years ago

    Will you plz crack WavesNx and Bass Treble Booster?

  • @julianfuchs9253
    @julianfuchs9253 6 years ago

    I have the problem that oob gives me the error message "file license_2 reopened in read-only mode". Does anyone know what my mistake is?

  • @nickst2797
    @nickst2797 6 years ago

    At 8:06 you say we add the i (which is the eax register) to rax. But the assembly instruction is add rax, rdx! And not add rax, eax. So is this a mistake?

    • @nickst2797
      @nickst2797 6 years ago

      And rdx stores the value of the string.

    • @sarpuner3227
      @sarpuner3227 6 years ago +1

      rax is the 64 bit version of eax, so they are the same registers, but eax uses 32 bits. So in the line "mov eax, dword [rbp - i]" we are actually setting rax (since eax is the same register, but uses only the last 32 bits). The key is that the cdqe operation makes a 64 bit integer out of the 32 bit integer in eax, which we set to i. So when we add rdx and rax, we are actually adding i to the start of the string.

    • @nickst2797
      @nickst2797 6 years ago

      But what is rdx?

  • @djfabito8
    @djfabito8 1 year ago

    Is this reverse engineering?

  • @otesunki
    @otesunki 3 years ago

    I would never use:
    An unhackable program
    - "Why?"
    Because I don't think they exist

  • @Yngdady
    @Yngdady 6 years ago

    What is a keygen?

  • @hemendra_666
    @hemendra_666 3 years ago

    At 4:20 the addresses are different (ood and dc and dr). Check it please, I don't know why this is not happening on my PC...🙏

  • @adityashrest5886
    @adityashrest5886 6 years ago +1

    Where did you find that 916 is equal to the key???

    • @adityashrest5886
      @adityashrest5886 6 years ago

      I know it's a dumb question, but pls explain it 😭😭😭

    • @adityashrest5886
      @adityashrest5886 6 years ago

      Yeah, just point out the time

    • @Beep_Beeps
      @Beep_Beeps 5 years ago

      Hi, you probably found the solution already, but I was struggling to find it and I did. At around the 3:00 mark, he converts the hex value he found to decimal, which gives the 916 key.

  • @anthonyjs8048
    @anthonyjs8048 3 years ago

    Can someone help me at 2:47? I'm good up till then, but once I open the file in radare2, I type aaa and get "cannot find function at 0x00401090 sym. and entry0 (aa)". If I follow his next steps, "s sym.main", the address in the prompt changes to 0x00401176. Then if I type "pdf" and hit enter, it says "cannot find function at 0x00401176". I did verify that it is at 00401176 with objdump, for what it's worth. I also figured out that I only get this problem if I compile the .c file myself with gcc license_2.c -o license_2, but if I use your binary from GitHub, it works. Why is that?

    • @anthonyjs8048
      @anthonyjs8048 3 years ago

      Well, I got all the way to 3:33 or so and radare2 doesn't stop at my breakpoint, but continues on to 0x0040064a. After a dc, the rip is at 0040064a. If I set it to 0040064b like in the video, I have to type dc and hit enter twice, and it does end up saying access granted, but obviously this is not intuitive and, as a noob, I really don't understand what's going on. Probably just updates to r2 since you made this video, I'm guessing...

  • @akramkamran6610
    @akramkamran6610 2 years ago

    Hey, thanks for this useful video.
    Also, can you please make a video on how we can bypass the "a debugger is detected running on your computer" check?
    The software I want to test is protected by VMProtect v5.X.
    I will be waiting for your response.

  • @intornstyle731
    @intornstyle731 5 years ago

    How do I generate a program that needs the input key?