Download PuTTY. PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers. Aug 09, 2010 Working Dead Space 3 Keygen Download, Dead Space 3 Crack Free Download - YouTube. Dead space 3 PC Crack Keygen 100% WORKING!!! Xee is a lightweight, fast and convenient image viewer and browser. It is designed to be a serious tool for image viewing and management, with a sleek and powerful interface. Xee is useful as a more powerful replacement for Preview, or most any other image viewer available on OS X. Contribute to openam-jp/openam development by creating an account on GitHub. Dismiss Join GitHub today. GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together. PuTTY is an SSH and Telnet client for Windows. Download latest release (0.70) here, with installation and SSH key setup instructions.
Hi everybody!
Our second challenge (which was a reverse engineering one) came to its end, as well. This one was solver much faster than our XSS challenge, meaning that either our reversing experts are not as good as our XSS experts, or that reverse engineers out there are much better than XSS experts; or something else.
On this challenge, we required the participants to submit write-ups as well, because hackers are lazy, and we knew that they would only submit partial write-ups, and then we would do the other half (we’re hackers too!).
We had almost 186 participants, and here’s the list of three winners:
- Eloi Vanderbéken @elvanderb
- Dominique Bongard @reversity
- deroko @deroko_(He actually solved it too fast, but arrived late! Also won the best writeup.)
Link to the challenge: https://zdresearch.com/challenges/binary1/
Xee Keygen Download
Writeups
by Deroko
by Eloi
by Dominique
by ZDResearch
In this section, we will provide you with write-ups provided by our winners, and finally our own write-up. On top of that, keygen codes are linked to the bottom of each writeup:
Writeup by Deroko of ARTeam:
The first step was to see how key is obtained. As usual breakpoint on
file apis leads us to proper place:
Right after that we will find interesting code which deals with strings
deofbsucation. No wonder why IDA can’t see them:
Function which decrypts strings is doing that by adding 0x30 to every character, so no need
to speen too much time explaining it. But for the sake of writeup here it is:
Nexts steps which follow are, getting file size, allocating memory, and reading filesize to the memory, and
then calling function which will split file properly, and pass it back to the function which will do the magic.
It’s very important to know that we are dealing with C++ code, and also to note that there is custom getprocaddress
function which uses this function as a hash (we will need it as a part of keygen to give it MessageBoxA as last
argument):
Now we will dig a little bit into Objects here, as it’s important to know it’s layout to be able to properly handle
keygen.
There is GlobalObject which calls functions related to keygens. First member of object is yet another object which
is used to deal with windows APIs, so their lpVtbl can be seen here:
First function which is called is do_the_dead which will call OpenFileCheckKey, which in turn look for “lic.dat”
file. Once file is read, function which will process input file, and allocate it is SomeFunnyFunc1:
There are many decoys here, so what this will do is to simply add 0x80000000 to 1st and 3rd dword
from input file. This is very important to note sar instruction, which might give us small headache
as theoretically what’s happening here is to give you back same number, as long as you don’t make
number to have 31st bit set. This is very important, as it’s needed for bypassing time checks.
Eg. value is caluclated as:
Next code which comes is:
msvcrt_time_wrapper gets time() from msvcr.dll via custom getprocaddress, and returns back value. When this
value is parsed via SomeFunnyFunc0 becomes????:
After deobsfucation of a function, what happens is that input arg is divided by: 0x1DFC040, and
0x7B2 is added to the code. Now to pass these checks we need to find numbers such that:
time() should return atm something in form of 0x5xxxxxxx thus we will pass these checks if our
1st number is < 0x5xxxxxxx and 3rd dword > 0x5xxxxxxx, so after a little bit of caluclation, and
considering sar in computing values:
So we passed these checks 🙂 Next interesting part is spliting of input file:
What happens now is that DWORD is read from buffer, and size is allocated to copy data following this
value. Thus if we look at 004023BB we see hint that we need at least 4 of these data. File layout looks
like:
Now we will exit this function, aslo be aware that you can’t singlestep this code, as timers will catch you!!
Here is code:
Ok now, once data is split we go back to do_the_dead function, at will handle all our data.
Note 4 local variables which are set to -1, it’s very important!!!
When we exit from here it’s very important to note is that we case switch with only 4
posibilities, thus when existing this loop we need to have ecx = 0/1/2/3 this means
that we need [DATA_SIZE] part of every chunk to have certain data, values which we need
are: 0xB, 0x13, 0x1E, 0x31 thus [DATA_SIZE] for every chunk must be:
This will give us posibility to initialize all values on stack with 0,1,2,3
In FinalHashingFunction (key check function):
2nd chunk must be 0xA bytes as code shows us later on:
Now 2nd chunks is obsfucated a little bit:
This part of code we don’t need to understand, as it’s needed to compute keygen. So what we can do here
is to RIP it out of the code and use it. Now comes obsfucation of “username” (1st data chunk), in such way
that generated hash from above code is used to obsfucate every char from “username” (1st data chunk). Also
size of buffer where final key is generated length is username_len * 0xA.
As we may see, every char from username is obsfucated which characters from generated hash, or
in python/C it is:
Now comes final check:
If all went good we will get eax = 1 and we can go on:
So what happens is that code uses NtQueryInformationProcess to query NoDebugInherit, if flag is set
code will use 0xCAFEBABE to locae API from user32.dll which doesn’t exist. Otherwise, if process is
not debugged, DWORD from chunk4 will be used to locate API and here we use MessageBoxA as chunk4:
0xBC4DA2A8
And if everything worked fine we are done with code and can have full keygen.
So full keygen is:
Writeup by Eloi:
1] First steps…We launch the crack-me, no name/serial boxes : must be a keyfile.
We launch the crack-me under olly with the Phantom plugin[1] to avoid basic anti-debuggers (I don’t want to lose time on that…). We set a BP on CreateFileW, we click the check button : Break! It’s trying to read a lic.dat file!
Quick tracing, there is some anti-debuggers (PEB flags tricks @ 0040207C), if they detect a debugger, file handle is modified so subsequent use of the handle will fail.
The file is read in allocated memory, we put an HBP on the buffer and we resume the crakme.
Xee Keygen 2017
2] Breaking the first part.
The HBP is fired in the function located at 004022C0. There is a very basic obfuscation :
We can see that some API address are found by loading library (DLL names are “deciphered” at 00401CB0) and by locating export by their name hash (GetProcAddr fun @ 00401E20 and hash function @ 00401DF0).
Still the same basic obfuscation trick.
msvcrt.time is called by using this trick @ 00402361. Result is passed to the function @ 00402150. This function is quite ugly but actually pretty simple. It just extracts the year from the time return value (year(X) = X / 31440960 + 1970).
Serial is then treated like this : d1 | d2 | d3 | XXXX
First check is OK if year((2 * d1 >> 1) + 0x80000000) <= year(time()) <= year((2 * d3 >> 1) + 0x80000000)
To pass the first check, all we have to do is to generate a lic using the following code :
Next part of the check is a little bit trickier. The XXX part is a list of binary strings, d2 is actually the number of strings (and must be >= 4 and < 16).
Strings are encoded as follow :
Where the d_i are little endian dword d_1 & 0x3ffff = len(str_1) (the rest of the dword will be used later 🙂 )
(btw, you can specify arbitrary len and crash the crackme).
String and d_i are stored in a list.
Then the high parts of d_is are check. It’s a little bit tricky to explain but to solve this part, all you have to do is to set those bits to particular (and constant) values. Here is the code that does this :
Then you find and other call that, from the 2 first provided strings, calculate a buffer of bytes. If the 3rd string is equal to this buffer then you pass the third check. We didn’t reverse the code (it seems boring …), we just dumped the buffer just before the memcmp :
We just have to modify our source to incorporate the dumped key :
An other little anti-dbg …
The last check is not really a check ; the last DWORD is used to find an API in user32. We guess it’s MessageBoxA. All we have to do is to find the hash for MessageBoxA, to find it we just change the argument when the hash function is called to point on a “MessageBoxA” we previously put in memory (wherever there is a place). And this hash is 0xBC4DA2A8.
All the pieces together :
Writeup by Dominique
Here is a code for binary one that should work in most cases (no error checks).
I first removed the ASLR flag from the binary.
I then I found the address of the check routine with procmon.
Then I reversed the function to find:
The license has several sections, the number of sections is in the 5th byte.
Each section starts with the following bytes {length, 0,0, (tag<<1)}.
The license must have 4 sections with the tags 8, 0x13,0x1e,0x31.
Section 8 contains the user name
Section 0x13 can be anything
Section 0x1e contains a sort of hash of the user name which length is 10* user name length
Section 0x31 contains a 32 bytes value that is a sort of hash of the string MessageBoxA (used to find the function that will display the congratulations message).
There were probably a few other checks, but they don’t matter once you have a working “license skeleton” by trial and error.
The anti-debugging was trivial so no need to talk about it (I attached instead of starting the binary in the debugger, and to avoid the timechecks, just don’t single step around them).
ZDResearch Keygen
Name: XeeVersion: – 3.1
Mac Platform: Intel
Includes: KG
OS version: 10.7 or higher
64 bit
Link for more information: http://xee.c3.cx/
Xee is a lightweight, fast and convenient image viewer and browser. It is designed to be a serious tool for image viewing and management, with a sleek and powerful interface.
Xee is useful as a more powerful replacement for Preview, or most any other image viewer available on OS X. It is very fast, and uses less memory than most other image viewing tools. It also uses OpenGL to display and scroll images much more smoothly than other viewers. Its interface is highly streamlined and has easily configurable keyboard shortcuts.
Whats new:
Options for different loading animations.
Directional browsing keyboard shortcuts now also scroll the image.
Better colour matching, with support for multiple monitors with different colour profiles.
Added an option for whether Xee should use the discrete GPU on machines that have one.
Added separate options for which file types to open from the Finder, and which to browse.
Fixed crashing on OS X 10.9 in the non-App Store version.
Some tweaks for keyboard shortcuts, and better functionality on the Dvorak-Qwerty layout.
Bug fixes for the infamous PSD loader.
Add quantization table detection for many Olympus cameras.
Keygen courtesy of C.O.R.E