Mental Alteration Recruit 2010

After a long time away trapped in a 'nop' loop (very similar to this one: for (;;) {Sleep(99999999);})

...whatever. I though that may be I wasn't actually having much fun lately and I think that it was becoz I was doing not really what I wanted to do... Fuck yeah, I think I'll do whatever I want whenever I want... Fuck the rest.

Anyways that haven't anything to do with the recruit I'm presenting ya. Which, btw, will bring you nowhere. But have fun cracking it.

Difficulty? Let's see, I guess 1/5 since I'd put moar effort and attention into the gfx than the rest... So this one hasn't anything to do with the previous recruit. [hint]In fact it has moar to do with a previous keygenme I'd done.[/hint]
I could had added a couple of things I had, in order to increase a little bit it's complexity, but... nah.

This one didn't took me too much tiem (about 2 hours for gfx'ing, and an hour for da code... another hour for testing and keygenning, divided in two days) so I guess it'll take ya liek a minute to break it...

There are a couple of memory leaks and gfx stuff to fix but I haven't any interest into solve that crap. Particullary the main dialog font is't really convincent to me... but can't find anything better... another thing is the buttons flickering when pressed. Well to be honest the whole 'image button' code has major issues... yet again I don't really care...

That's all foar now...

Example keys:

Mental Alteration



Brainfuck - part 1

I'd knowledge of Brainfuck as an esoteric programming language way ago. It interest me from the beginning but had no real intentions on implementing it on my own.
Recently I was hook by VM structures and implementation and so I quickly found my self borrowing information and conducting a deep research about the language... Which actually means reading Wikipedia's article:

"Urban Müller created brainfuck in 1993 with the intention of designing a language which could be implemented with the smallest possible compiler, inspired by the 1024 byte compiler for the FALSE programming language." [1]

The thing is that Brainfuck isn't a programming language on itself, IMHO. It's a Turing machine [2]. Duh. What I mean is that you're using the machine instruction set itself. Like writing directly with x86 opcodes.
Dunno if it can be properly called a language. But, fuck it, it doesn't really matter at all.

Brainfuck only comprehends 8 instructions which manipulates the components of the machine in some way. Differently from the well known Intel machines there are no registers, stack, eflags etc. The machine is straight simple:
A 30k working memory (called cells), an Instruction Pointer and a Data Pointer used to access individual elements of the cells.

The working memory is 30k bytes (conventionally) and it's accessed only by bytes (that's the only way to access data in Brainfuck). From an implementation point of view the cell is an array of bytes:

int[] cells = new int[30000];

cells db 30000 dup(?)
The Instruction Pointer is only alterated by two instructions otherwise it's just incrementing after each to point to the next one.
Our implementation won't use any IP so you'll see how we'll deal with it.

The Data Pointer is used as an index on the cell array to access elements of it. In some implementation of Brainfuck this DP is limited to the size of the cells (wrapping to the next valid range if it over/underflows the cells size). We won't take any considerations. Our Data Pointer looks as follow:

int dataptr = 0;

mov edi, offset cells ; We'll access the cells directly.

All instructions of the machine, except two, works over the Data Pointer or the Cells pointed by it. Those instructions are:

"+": This instruction works over the cell pointed by the Data Pointer. It takes the value stored at that cell and increments it one unit.


inc byte ptr [edi] ; Holy sh---

"-": This is the opposite of the previous one:

dec byte ptr [edi]

">": This instruction increment the value of the pointer, thus pointing to the next element of the cell:


inc edi ; Straight simple lol

"<": Nothing relevant to mention. The opposite.

dec edi

",": This instruction takes an input from the user and write it to the cell pointed by the Data Pointer. The input is ussually a character from the Standard Input.

cells[dataptr] = System.Console.ReadLine();

invoke ReadFile, hConsole, edi, 1, addr lpdwBytesRead, 0

".": As before this instruction is the opposite of the previous one and it just writtes to the Standard Output the byte at the Data Pointer.


invoke WriteFile, hConsole, edi, 1, addr lpdwBytesRead, 0

The following instructions manipulates the Instruction Pointer and are the only ones that can be used to break the flow of a program:

"[": With this instruction the Brainfuck machine verifies the cell at Data Pointer and, if it's value is non-zero the next instruction following the current one is executed. Otherwise the next instruction to execute is the one after the end of the block, marked as "]". Work very similar to "jz" instruction.

"]": This instruction jumps directly to the beginning of the block, "[". Similar to a "jmp" instruction.

[1] -
[2] -

Defeating pDriLl´s Crypto keygenmes

Days ago I come across some nice crypto keygenmes by pDriLl. so far I´d seen 3 of them, but AFAIK there are four total. I´m missing the first one... so if someone have it point me please where it is... And I´m still working on the 4th keygenme...

Thanks to drizz for his miracl header for MASM :)

Have a nice day everyone!
Keygen for pDriLl´s keygenme #2, keygen for pDriLl´s keygenme #3


Reversing/Keygenning Tutorials

Well after talking with b_W (or whatever nick he had changed to now...) about a tutorial for "newbies" about keygenning I told him I will make at least two just to help him, and here they are!
Working on the AWESOME keygen for Keygenme#3

In these two first tutorial you will see how I analize and reverse a crackme, EasyCrack by Kwazy Webbit, in the first one, and Keygenme#3 by Enforcer in the second place.


- Basic knowledge of programming, assembly language, debugger use (OllyDbg mainly.)

Working on the keygen for Kwazy EasyCrack

- Show the workflow of a common reversing/keygening session. The use of tools and analizys and understanding of code and algorithms

Reversing Keygenme#3
What it's NOT:

- It's not a tutorial about assembly language, neither about specific tools. It's not theory. If you want to indeep into some topics you should follow mentioned references.


- OllyDbg [site][standalone - version 1.10][modified version 1.10][full package][full + tools * list of tools] (not yet, sorry)
- WinAsm [site][installer][portable], MASM32 package [site][installer][full package]

Reversing EasyCrack
System requeriments:
- Flash v6.0 or above [site][SWF player]
- 256MB memory at least

PS: A day after established release date. Well done! Never such a punctual before!


Tutorial #2 - Keygenning Enforcer´s Keygenme#3 - [keygen source]

GFX/SFX package

Here is some keygen templates with and without GFX. Also a couple chiptunes I like.
Some templates are pretty old; some of them where written when I just started at this thingy, so you may will notice the evolution of my code from the oldest to the newest.
Also there are a couple of things from my short walk-thought FoFF team. Hope they don´t mind. Those things are just old now...

This is a keygen a made for the FoFF trial 2008. Kinda cool isn´t? btw I didn´t made that image lol.

This one is from a keygen for an Encrypto km, I guess... I don´t remember exactly...

And this is a test template for a rain effect library. It´s pretty soft rain but it could be improved I guess... Rain library is from The Great "Water Effect" Demo by Tom Kenny.

Those gfxs combined with  some cool chiptune will make a really cool keygen. It´s just question of sitting down and test---


Download GFX / SFX 

Neko v3 Final

I´d done with it since while ago- but I just forget to post it. lol. So, here it´s a funny thingy  I´d done in JS (Opera Widget) and now in Assembly.

There are four characters to choose: Neko, ´dancer´, Ghost and Pirate (dancer and pirate comes from a Razor keygen template here)

Neko has an artwork from Oneko by Masayuki Koba. It was AMOR'd by Chris Spiegel and later widgetized by me.

And the others: Ghost comes in the AMoR package. Pirate and Dancer are works of Razor1911 team, I just dump it from resources XD

Well that´s all. Nothing interesting really just for the fun of coding something rare.... mmm I really miss objects when coding it. It was pretty different than the widget version. (well obvious isn´t?) Kinda easier for me... :-/



    Wow, to quiet here. No updates since nov 23. This blog is dead... hey wait... this is MY blog... WTF!! ^_^

    Well let´s share my projects. Currently in working on a bunch of projects, most of them related to malware or anon networks.
    In my top priorities is my Darknet project. A P2P, decentralized and anonymous botnet. It´s in a very early development state but it´s being updated and most of all it´s core is being reviewed and thinked as much as I can so no vaporware in here ;) This network will be up and running and I´ll get some fun with it until it get bored and them I´ve to move on.... :P
    Let´s see the two main features of this Darknet:
    • Secure communication between peers. This is done establishing a secure, encrypted, way for data exchange. This will be transparent to the peers; relaying on the network layer of the protocol. As a short description peers will:
      1. Generate a pair of pub/private keys. This is my main problem ´till now because I´ve to build a good bignum library to work with to generate valid and secure pub/priv key pairs.
      2. Establish a ephemeral key for symmetric encryption following Diffie-Hellman Key Exchange Agreement. I´d already coded a keygenme to uses Diffie-hellman protocol so I only have to use that library and update it with appropriate, secure keys.
      3. Encrypt and send the ephemeral keys. With the ephemeral keys now available for symmetric encryption we can exchange data unreadable by third parties. Of course MIM attacks can be achieved since the protocol it´s by it´s nature insecure (all of them). But, of course, it only can affect individual nodes in the network.
    • Anonymous routing. This is send and receive data with no hints of who is requesting or who is send such data. Similar to Freenet routing idea (in fact it comes from that). This way botnet owners can be tracked down when sends orders or updates to nodes.
      1. Node A sends a request for a file to Node B.
      2. Node B check that request and if it doesn´t have that file It re-routes the request.
      3. Node B sends a request for a file to Node C.
      4. Node C owns that file and returns the query to Node B
      5. Node B knows that query had came from Node A so it re-routes the send to Node A 
    Currently my preoccupation is it lacks of documentation. I´ve to work pretty hard to get some good, understandable documentation.

    Second project that captures all my attention is my  ´Advanced virus programming´ series of tutorials- I´d only released a single tutorial about all forms of injections I know. It was pretty small in terms of words. But to compensate there were lot and lots of code. All in assembly and pretty straight forward IMHO. And it was my intention that people GET in the CODE! Not just in the theory... I think it´s the best way to learn: Practice.
    Well when I can get some time to write next tutorials for this series I´ll try to put some more words and theory but no to much XD. There will come:
    •  Entry Point Obscuring. Various forms I know about EPO. A good and interesting technique to avoid AVs detection.
    •  Self-mailing worms. I´d still need to work with MX servers to get something working. But anyways It´s pretty interesting to see.
    • IRC-based botnets. I´d already coded a simple, understandable plug-ing based IRC botnet for the tutorial. I just need to WRITE it.
    I´ve other ideas for this series but I need to finish those first :D

    And well those are the two main projects I´ve in my to-do list since I´m really currently working on a Apache, PHP web project (that you don´t want to know :P).

    We shall not cease from explaration, and the end
    of all our exploring will be to arrive where we started,
    and know the place for the first time.