Crackme – OGSystems Registrations.exe

This is a new crackme that’s created by r4v3n. This is challenge 1 and you can download the binary here.
Edit: It is now available at crackmes.de.

crackme-1-prog

I like to launch PEiD (their site seem to have expired but there are other similar tools around (pestudio, cff explorer)) and check what information that is available.
crackme-1-id

It would seem it is either C# or .NET. With some luck we can explore the binary in a .NET reflector and view the source-code in clear text. I’m going to use redgate’s reflector. As we can see in the first picture the program got 4 text boxes, 1 label and 1 button. It is likely that what we’re after is located in the button. Navigate to Button1_Click(Object, EventArgs) and inspect its content. We’ll find the following source-code.

 


private void Button1_Click(object sender, EventArgs e)
{
    if (!Versioned.IsNumeric(this.TextBox1.Text))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
        this.TextBox1.Text = "0000";
    }
    if (!Versioned.IsNumeric(this.TextBox2.Text))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
        this.TextBox2.Text = "0000";
    }
    if (!Versioned.IsNumeric(this.TextBox3.Text))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
        this.TextBox3.Text = "0000";
    }
    if (!Versioned.IsNumeric(this.TextBox4.Text))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
        this.TextBox4.Text = "0000";
    }
    if ((((this.TextBox1.Text == "") | (this.TextBox2.Text == "")) | (this.TextBox3.Text == "")) | (this.TextBox4.Text == ""))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.msg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
    }
    this.vala = Conversions.ToInteger(this.TextBox1.Text);
    this.valb = Conversions.ToInteger(this.TextBox2.Text);
    this.valc = Conversions.ToInteger(this.TextBox3.Text);
    this.vald = Conversions.ToInteger(this.TextBox4.Text);
    if (Operators.ConditionalCompareObjectEqual(((Conversions.ToDouble(this.TextBox1.Text) * Conversions.ToDouble(this.TextBox2.Text)) * Conversions.ToDouble(this.TextBox3.Text)) * Conversions.ToDouble(this.TextBox4.Text), this.sval, false))
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.gmsg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.gtitle));
    }
    else
    {
        Interaction.MsgBox(RuntimeHelpers.GetObjectValue(this.dmsg), MsgBoxStyle.ApplicationModal, RuntimeHelpers.GetObjectValue(this.title));
    }
}

The line we’re interested is this: if (Operators.ConditionalCompareObjectEqual(((Conversions.ToDouble(this.TextBox1.Text) * Conversions.ToDouble(this.TextBox2.Text)) * Conversions.ToDouble(this.TextBox3.Text)) * Conversions.ToDouble(this.TextBox4.Text), this.sval, false))
It would seem that it takes the value of the 4 text boxes and multiply them together and then check their value against a variable.
TextBox1 * TextBox2 * TextBox3 * TextBox4 == sval
If the following statement equals true then the program will be successfully cracked. So, next step would be to find the value of sval. After poking around in the reflector I come across the following section.

crackme-1-ctor

The value of sval is 0x94bdd4c01693, which is a hex value. So we’ll need to convert it to decimal. This can be done by the reflector but you can also use your favorite scripting/programming language or the windows calculator if you’re so inclined.

 

print str(0x94bdd4c01693)
163543039088275

So, an updated version of the statement would look like this.
TextBox1 * TextBox2 * TextBox3 * TextBox4 == 163543039088275

This means we need 4 numbers, multiply them with each other and they should end up with the sum 163543039088275. Another limitation is that each number must have a maximum length of four, this because that’s what the maximum length is on each TextBox. To find the 4 numbers we need with a max length of 4 we need to perform magic (math) or writie a tool which will brute-force it. Now, I’m no math wizard but I figured I’d go for the prime factors of the number and see how that looks.

crackme-1-math
I know the picture is quite big but I didn’t want it to become unreadable.
Anyhow, the prime factors are: 5^2 7 11 29 43 101 653 1033
If all of those are multiplied together we will get the same number that is required for the serial to be valid. But, now we need to multiply a few of the numbers together and create 4 numbers with the maximum length of 4.

1033 * 7 = 7231
653 * 11 = 7183
101 * 43 = 4343
29 * 5^2 = 725

7231 * 7183 * 4343 * 725 = 163543039088275

The math looks correct so it is time to put the numbers into program and see if it works.
crackme-1-cracked

Tags: