
This post is about writing a keyfile generator for KeyMe by BadSector/k23.

Download: hybrid-analysis, VirusTotal.

I encourage you to do it yourself before reading the solution.

The target opens the reginf.k23 file and reads 0x24 (36) bytes from it.

In Check 1 it tests whether the two nibbles of the first byte are equal (for example, 'w' is 0x77, so both nibbles are 7); if they are, it jumps to the invalid keyfile message.

In Check 2 it checks that the second byte is the first byte with its nibbles swapped; for example, if the first byte is 0x64, the second must be 0x46.

In Check 3, the third byte must be the sum of the first two.

In Check 4, the fourth byte must be 0.

We can implement this part of the keyfile generator in C++:

After that, it transforms the middle part of the key (bytes 5 to 20); the transformation uses the third byte of the key.

We can fill this part with random bytes:
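The first two parts of the keyfile, as an added C++ example written for this write-up (it is not the author's published keygen source): it implements Checks 1 to 4 as a validator, builds a header that passes them from a chosen first byte, and fills bytes 5 to 20 with random data. The byte table and the brute-force of the last part are not included, because the table is not reproduced on this page. The example assumes the sum in Check 3 is an 8-bit add that wraps at 0x100, which is what a byte-wide add does.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <random>
#include <vector>

// Layout of reginf.k23 (1-based positions, as in the write-up):
// bytes 1-4 are the checked header, bytes 5-20 the middle part,
// bytes 21-36 the last part; 0x24 bytes in total.
constexpr std::size_t kKeyLen = 0x24;
constexpr std::size_t kMiddleEnd = 20;  // header + middle part

// Check 1: the two nibbles of the first byte must differ ('w' = 0x77 fails).
bool nibblesDiffer(uint8_t b) { return (b >> 4) != (b & 0x0F); }

// Check 2 helper: swap the nibbles of a byte (0x64 -> 0x46).
uint8_t swapNibbles(uint8_t b) {
    return static_cast<uint8_t>((b << 4) | (b >> 4));
}

// Checks 1-4 as the target applies them to the first four bytes.
// Assumption: Check 3 is an 8-bit add, so the sum wraps at 0x100.
bool headerValid(const std::vector<uint8_t>& key) {
    if (key.size() < 4) return false;
    if (!nibblesDiffer(key[0])) return false;                           // Check 1
    if (key[1] != swapNibbles(key[0])) return false;                    // Check 2
    if (key[2] != static_cast<uint8_t>(key[0] + key[1])) return false;  // Check 3
    return key[3] == 0;                                                 // Check 4
}

// Build a header that passes Checks 1-4 from a chosen first byte.
// Returns an empty vector when the first byte has equal nibbles,
// since no header starting with such a byte can pass Check 1.
std::vector<uint8_t> makeHeader(uint8_t first) {
    if (!nibblesDiffer(first)) return {};
    uint8_t second = swapNibbles(first);
    return { first, second, static_cast<uint8_t>(first + second), 0 };
}

// Header plus a random middle part (bytes 5-20). The last part (21-36) is
// left for the brute-force stage, which needs the target's xlatb table.
std::vector<uint8_t> makeKeyPrefix(uint8_t first, std::mt19937& rng) {
    std::vector<uint8_t> key = makeHeader(first);
    if (key.empty()) return key;
    std::uniform_int_distribution<int> byte(0, 255);
    while (key.size() < kMiddleEnd) key.push_back(static_cast<uint8_t>(byte(rng)));
    return key;
}

int main() {
    std::mt19937 rng(std::random_device{}());
    std::vector<uint8_t> key = makeKeyPrefix(0x64, rng);
    for (uint8_t b : key) std::cout << std::hex << static_cast<int>(b) << ' ';
    std::cout << std::dec << "\nheader valid: " << headerValid(key)
              << ", bytes still to brute-force: " << (kKeyLen - key.size()) << '\n';
    return 0;
}
```

Because the sum is 17 * (hi + lo) for nibbles hi and lo, it overflows a byte for many first bytes (0xFE gives 0xFE + 0xEF = 0x1ED, stored as 0xED), so the generator must truncate the same way the target does.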

It then transforms the last part of the key (bytes 21 to 36) using a table of bytes (the table is included as an array in the keyfile generator source); the lookup is done with the xlatb instruction, which replaces AL with the table byte at [BX + AL].

Finally, it compares the results of the two transformations.

What we know:

The nibbles of the first byte must not be equal.

The second byte must be the first byte with its nibbles swapped.

The third byte is the sum of the first two.

The fourth byte is 0.

This is the first part of the key, and we can generate it directly.

We can also generate the middle part of the key, whose transformation uses the third byte of the first part.

After transformation, the last part of the key must equal the transformed middle part; we can brute-force this part, and that's exactly what I'm doing in my keyfile generator.

Source of the keyfile generator:

Any feedback appreciated.

Twitter: @_qaz_qaz