 Welcome to BiW Reversing
 Friday, April 03 2020 @ 07:14 AM CEST

Solution for Detten Crackme 5


Tutorials / Level: beginner

Bruteforcing a simple serial algorithm.
C source code included.

http://www.reversing.be/article.php?story=20050220201934102

DETTEN CRACKME #5
*****************
Cracker: figugegl
Email: figugegl_2000@yahoo.de
Date: 22.10.2001
Tools: Softice, IDA
Level 1-10: 3



This time we have to brute-force a serial. The algo is pretty simple, but it takes quite a long time to calculate the serial - I should have coded the program in asm. I have never used inline asm in the Lcc-Win32 compiler, as it doesn't use the Intel convention but Motorola, and I'm not used to that. I might code it again in MASM, but I've spent enough time with this crackme already.

Let's have a look at the listing:

004010B3 68 00 02 00 00 push 200h
004010B8 68 A4 30 40 00 push offset dword_4030A4
004010BD 68 B8 0B 00 00 push 0BB8h
004010C2 FF 75 08 push [ebp+arg_0]
004010C5 E8 F0 00 00 00 call j_GetDlgItemTextA ; get serial
004010CA 57 push edi
004010CB 53 push ebx
004010CC 52 push edx
004010CD 56 push esi
004010CE 51 push ecx
004010CF 50 push eax
004010D0 33 F6 xor esi, esi ; esi = 0
004010D2 B8 AD DE 00 00 mov eax, 0DEADh
004010D7 8B C8 mov ecx, eax
004010D9 33 C9 xor ecx, ecx ; ecx = 0 (the 0DEADh loaded above is never used)
004010DB 33 DB xor ebx, ebx
004010DD ; start loop 1
004010DD BF D2 04 00 00 mov edi, 4D2h ; edi = 4D2h
004010E2 8B 1D A4 30 40 00 mov ebx, dword_4030A4 ; load chars 0..3 from serial
004010E8 33 D2 xor edx, edx ; edx = 0
004010EA 83 FB 40 cmp ebx, 40h ; char > 40h ?
004010ED 7C 7C jl short loc_40116B ; no, error !
004010EF ; start loop 2
004010EF 8A D3 mov dl, bl ; char from serial s[i]
004010F1 03 FA add edi, edx ; edi += s[i]
004010F3 03 F6 add esi, esi ; esi += esi
004010F5 33 F7 xor esi, edi ; esi ^= edi
004010F7 C1 E7 02 shl edi, 2 ; edi <<= 2
004010FA C1 EB 08 shr ebx, 8 ; next char from serial
004010FD 83 FB 00 cmp ebx, 0
00401100 75 ED jnz short loc_4010EF ; end loop 2
00401102 41 inc ecx
00401103 83 F9 06 cmp ecx, 6 ; counter loop 1
00401106 75 D5 jnz short loc_4010DD ; end loop 1
00401108 03 F7 add esi, edi ; esi += edi
0040110A 8B C6 mov eax, esi ; save esi --> (a)
0040110C 33 C9 xor ecx, ecx
0040110E ; start loop 3
0040110E 8B 1D A8 30 40 00 mov ebx, dword_4030A8 ; load chars 4..7 from serial
00401114 BF 2E 16 00 00 mov edi, 162Eh ; edi = 162Eh
00401119 33 D2 xor edx, edx ; edx = 0
0040111B ; start loop 4
0040111B 8A D3 mov dl, bl ; char from serial s[i]
0040111D 03 FA add edi, edx ; edi += s[i]
0040111F 6B F6 03 imul esi, 3 ; esi *= 3
00401122 33 F7 xor esi, edi ; esi ^= edi
00401124 C1 E7 03 shl edi, 3 ; edi <<= 3
00401127 C1 EB 08 shr ebx, 8 ; next char from serial
0040112A 83 FB 00 cmp ebx, 0
0040112D 75 EC jnz short loc_40111B ; end loop 4
0040112F 41 inc ecx
00401130 83 F9 06 cmp ecx, 6 ; counter loop 3
00401133 75 D9 jnz short loc_40110E ; end loop 3
00401135 03 F7 add esi, edi ; esi += edi
00401137 03 F0 add esi, eax ; esi += a
00401139 81 FE D8 B6 F0 64 cmp esi, 64F0B6D8h ; esi == 64F0B6D8h ?
0040113F 75 15 jnz short loc_401156 ; bad cracker jump
00401141 6A 00 push 0
00401143 68 09 30 40 00 push offset aCrackme5 ; "Crackme 5"
00401148 68 13 30 40 00 push offset aThatSItGoodJob ; "That's it! Good job !!!"
0040114D 6A 00 push 0
0040114F E8 6C 00 00 00 call j_MessageBoxA

There are two separate calculations: one over the first 4 chars of the serial (loops 1 and 2, result saved in eax) and one over the next 4 chars (loops 3 and 4, which continue from that esi and add the saved value at the end). No further explanation is needed; just trace it with SoftICE...

My solution for the brute forcer in C:

/*------------------------------------------------------------------------
Procedure: CalculateSerial
Purpose: Calculate a valid serial by brute force
Input: hWnd: Handle of the Dialogbox
Output: None
Errors: None
Note: lEdi, lEsi and lSer1 must be 32-bit so the arithmetic wraps exactly
      like the x86 registers. The original used long, which is 32-bit on
      Lcc-Win32 but 64-bit on most current compilers.
------------------------------------------------------------------------*/
#include <windows.h>

/* EDF_SERIAL: resource ID of the serial edit box, defined in the resource
   header that belongs to this dialog (not reproduced here). */

void CalculateSerial (HWND hWnd)
{
  char szSerial[9] = "";
  int i, j;
  unsigned int lEdi, lEsi;  /* 32-bit, like the edi/esi registers */
  unsigned int lSer1;

  for (szSerial[0] = 'A'; szSerial[0] <= 'Z'; szSerial[0]++)
  {
    for (szSerial[1] = 'A'; szSerial[1] <= 'Z'; szSerial[1]++)
    {
      for (szSerial[2] = 'A'; szSerial[2] <= 'Z'; szSerial[2]++)
      {
        for (szSerial[3] = 'A'; szSerial[3] <= 'Z'; szSerial[3]++)
        {
          /* loops 1 and 2 of the listing: depend only on chars 0..3 */
          lEsi = 0;
          for (j = 0; j < 6; j++)
          {
            lEdi = 0x4D2;
            for (i = 0; i < 4; i++)
            {
              lEdi += szSerial[i];
              lEsi *= 2;
              lEsi ^= lEdi;
              lEdi <<= 2;
            }
          }
          lEsi += lEdi;
          lSer1 = lEsi; // save esi (eax in the listing)
          for (szSerial[4] = 'A'; szSerial[4] <= 'Z'; szSerial[4]++)
          {
            for (szSerial[5] = 'A'; szSerial[5] <= 'Z'; szSerial[5]++)
            {
              for (szSerial[6] = 'A'; szSerial[6] <= 'Z'; szSerial[6]++)
              {
                for (szSerial[7] = 'A'; szSerial[7] <= 'Z'; szSerial[7]++)
                {
                  /* loops 3 and 4: continue from the saved esi */
                  lEsi = lSer1; // restore esi
                  for (j = 0; j < 6; j++)
                  {
                    lEdi = 0x162E;
                    for (i = 4; i < 8; i++)
                    {
                      lEdi += szSerial[i];
                      lEsi *= 3;
                      lEsi ^= lEdi;
                      lEdi <<= 3;
                    }
                  }
                  lEsi += lEdi;
                  if ((lEsi + lSer1) == 0x64F0B6D8)
                  {
                    SetDlgItemTextA (hWnd, EDF_SERIAL, szSerial);
                    return;
                  }
                }
              }
            }
          }
        }
      }
    }
  }
  SetDlgItemTextA (hWnd, EDF_SERIAL, NULL); // no serial found
}


Serial: OVVXHNZN
*****************

or, if you use only lowercase chars: bigjoint
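To confirm the result without SoftICE, here is a portable C re-implementation of the check from the listing above (an added example, not part of the original tutorial or of the crackme). It assumes an 8-character serial, as the brute forcer produces, and uses uint32_t so the arithmetic wraps like the 32-bit registers; the function names are mine.

```c
#include <stdint.h>

/* Added example, not the author's code. Assumes an 8-character serial, as the
 * brute forcer above produces, so each half fills one dword with non-zero bytes. */
static uint32_t load_dword(const char *s)   /* little-endian, like mov ebx, [mem] */
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)(unsigned char)s[i] << (8 * i);
    return v;
}

/* Loops 1 and 2: the value the listing saves in eax ("a"). Sets *ok = 0 when
 * "cmp ebx, 40h / jl" would reject the serial (jl is a signed compare). */
uint32_t first_half(const char *serial, int *ok)
{
    uint32_t ebx = load_dword(serial), esi = 0, edi = 0;
    *ok = (int32_t)ebx >= 0x40;
    if (!*ok) return 0;
    for (int round = 0; round < 6; round++) {
        edi = 0x4D2;
        for (uint32_t b = ebx; b != 0; b >>= 8) {   /* shr ebx, 8 until empty */
            edi += b & 0xFF;                         /* mov dl, bl ; add edi, edx */
            esi = (esi + esi) ^ edi;                 /* add esi, esi ; xor esi, edi */
            edi <<= 2;                               /* shl edi, 2 */
        }
    }
    return esi + edi;                                /* add esi, edi ; mov eax, esi */
}

/* Loops 3 and 4 continue from esi = a; the result is what "cmp esi, 64F0B6D8h" sees. */
uint32_t serial_hash(const char *serial, int *ok)
{
    uint32_t a = first_half(serial, ok), esi = a, edi = 0;
    if (!*ok) return 0;
    for (int round = 0; round < 6; round++) {
        edi = 0x162E;
        for (uint32_t b = load_dword(serial + 4); b != 0; b >>= 8) {
            edi += b & 0xFF;
            esi = (esi * 3) ^ edi;                   /* imul esi, 3 ; xor esi, edi */
            edi <<= 3;                               /* shl edi, 3 */
        }
    }
    return esi + edi + a;                            /* add esi, edi ; add esi, eax */
}

int check_serial(const char *serial)
{
    int ok;
    return serial_hash(serial, &ok) == 0x64F0B6D8u && ok;
}
```

check_serial("OVVXHNZN") returns 1; changing a single character makes the hash miss the constant.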




 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.