cd ../crack_me

KeyMe by BadSector/k23

2 minutes read

The post is about creating keyfile generator for KeyMe by BadSector/k23


Download: hybrid-analysis, VirusTotal.

I encourage you to do it yourself before reading the solution.

It opens reginf.k23 file and reads 0x24 bytes from it:


In Check 1 it checks if the first byte contains two same nibbles, for example, 'w' is same as 0x77 in hex, if so it goes to invalid keyfile message.

In Check 2 it checks if the second byte is the reverse of first one, for example, if the first byte is 0x64, second must be 0x46.

In Check 3, the third byte must be sum of first two ones.

In Check 4, the fourth byte must be 0:


We can implement this part of keyfile generator in C++:

After that, it modifies middle part of the key (from 5 to 20), in modification it uses the third byte of the key:


We can randomly generate this part:

It modifies the last part of the key (from 21 to 36), in modification it uses a table of bytes (this table as an array is in keyfile generator code), it uses xlatb instruction to get a byte from the table:


After that, it compares results of the last two modifications:


What we know:

  • Nibbles in the first byte should not be same.
  • The second byte should be reverse of the first one.
  • The third is a sum of first two ones.
  • The fourth is 0.
  • This is the first part of a key and we can generate this one.
  • We can also generate middle part of a key which uses the third byte the first part.
  • After modification of the last part of the key, it should be same as middle part after modification, we can brute-force this part and that’s exactly what I’m doing in my keyfile generator.

Source of the keyfile generator:


Any feedback appreciated.

Twitter: @_qaz_qaz