BiW Reversing
Bruteforcing Zeph's crackme


Tutorials | Level: beginner

Writing a bruter for the Ancient One Crackme.
(MASM source code for the bruter included)

TARGET: Bruteforcing Ancient One crackme by Zephyrous : here

Well, I have to send some credits to bluffer for trying to solve this bruteforcer
and giving me some help actually, hello there bud ;)

Zephy: For giving me an idea of how to bruteforce another (faster) way, thank you ;)

Detten: Hello! :-)

Ok, let's debug the application, set a breakpoint on GetWindowText() and type some serial (e.g. "BoR0").

OllyDbg breaks as soon as we type the first letter. Stepping on from there, we reach the length check:

0040112E |. 83F8 08 CMP EAX,8
00401131 |. 75 3D JNZ SHORT ch01.00401170
00401133 |. E8 58FFFFFF CALL ch01.00401090
00401138 |. 85C0 TEST EAX,EAX
0040113A |. 0F84 08010000 JE ch01.00401248
00401140 |. E8 7BFFFFFF CALL ch01.004010C0

The length of the entered string is compared with 8;
if it is not equal, the code jumps to 00401170, which is NOT where we need to be.

Ok, let's enter a serial that contains 8 chars (e.g. "BoR0BoR0").

Jump is not taken, COOL! :p

I didn't see anything interesting in the call at address 00401133,
so let's see what's in the call at address 00401140.

004010C0 /$ 68 90124000 PUSH ch01.00401290 ; /Arg1 = 00401290 ASCII "BOR0BOR0"
004010C5 |. E8 66FFFFFF CALL ch01.00401030 ; ch01.00401030
004010CA |. 35 5587BAA7 XOR EAX,A7BA8755
004010CF |. F7D8 NEG EAX
004010D1 |. 1BC0 SBB EAX,EAX
004010D3 |. 40 INC EAX
004010D4 . C3 RETN

Mmm, looks like this is what we needed. Enter this call for more information :-)

00401030 /$ 55 PUSH EBP
00401031 |. 8BEC MOV EBP,ESP
00401033 |. 56 PUSH ESI
00401034 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00401037 |. B8 C59D1C81 MOV EAX,811C9DC5
0040103C |. 33C9 XOR ECX,ECX
0040103E |> 33D2 /XOR EDX,EDX
00401040 |. 8A1431 |MOV DL,BYTE PTR DS:[ECX+ESI]
00401043 |. 33C2 |XOR EAX,EDX
00401045 |. 41 |INC ECX
00401046 |. 69C0 93010001 |IMUL EAX,EAX,1000193
0040104C |. 83F9 08 |CMP ECX,8
0040104F |.^72 ED JB SHORT ch01.0040103E
00401051 |. 5E POP ESI
00401052 |. 5D POP EBP
00401053 . C2 0400 RETN 4

As you can see from the algo, every char is xored into EAX and EAX is then multiplied by 0x1000193.
Don't forget that EAX is initialized to 0x811C9DC5.

We're back at 004010CA. The final EAX is xored with 0xA7BA8755, negated, and then SBB EAX,EAX and INC EAX follow.
NEG clears CF only when EAX is zero, SBB EAX,EAX turns that into 0 or -1, and INC turns it into 1 or 0:
the routine returns 1 exactly when the hash equals 0xA7BA8755, and 0 otherwise.
Looks pretty tough to be solved by pen & paper huh? ;)

Here's our solution:

.386
.model flat, stdcall
option casemap :none

include masm32/include/
include masm32/include/
include masm32/include/

includelib masm32/lib/user32.lib
includelib masm32/lib/kernel32.lib

.data
MYLOOP dd 0 ;you maybe ask why a variable? our registers are not safe :(
PREFIX db "%8X", 0 ;wsprintf format: the counter as 8 uppercase hex digits
BUFFER db 9 dup(0) ;buffer contained of 8 chars and one terminator

.code
START:
    MOV EAX, 811C9DC5h ;starting code of zephy's algo

    PUSHAD ;save all registers
    INC MYLOOP ;increase loop

    ;convert our serial (the counter) into a string
    invoke wsprintf, ADDR BUFFER, ADDR PREFIX, MYLOOP

    POPAD ;bum!

    ;Main loop that xors our chars with eax and then multiplies the same
    XOR ECX, ECX
HASHLOOP:
    XOR EDX, EDX
    MOV DL, BYTE PTR [BUFFER + ECX]
    XOR EAX, EDX
    INC ECX
    IMUL EAX, EAX, 1000193h
    CMP ECX, 8
    JB HASHLOOP

    ;The final eax modifying
    XOR EAX, 0A7BA8755h

    TEST EAX, EAX ; eax == 0 only when the hash matched
    JNZ START ; no match: back to start

    ;if eax == 0, a valid serial has been found

    invoke MessageBox, 0, 0, ADDR BUFFER, 0 ;notify the user
    invoke ExitProcess, 0 ;thanks ;-)
end START

Should take around 20 mins or so (on a 1.6GHz machine). That'd be all for now. :)
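As an added example (my own C, not BoR0's bruter nor the crackme's code), here is the check routine as reversed above, with the NEG/SBB/INC trick modelled explicitly, plus a bounded version of the counter-based search the MASM bruter performs; the hash is the 32-bit FNV-1a, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The routine at 00401030: 32-bit FNV-1a over the 8 serial chars
   (offset basis 0x811C9DC5, prime 0x01000193). */
static uint32_t serial_hash(const char *serial)
{
    uint32_t h = 0x811C9DC5u;
    for (int i = 0; i < 8; i++) {
        h ^= (unsigned char)serial[i];  /* XOR EAX,EDX */
        h *= 0x01000193u;               /* IMUL EAX,EAX,1000193 */
    }
    return h;
}

/* The routine at 004010C0: XOR / NEG / SBB / INC turn
   "hash == 0xA7BA8755" into 1 and anything else into 0. */
static int check_serial(const char *serial)
{
    uint32_t eax = serial_hash(serial) ^ 0xA7BA8755u;
    uint32_t cf = (eax != 0);        /* NEG: CF=0 only if EAX was 0 */
    eax = cf ? 0xFFFFFFFFu : 0u;     /* SBB EAX,EAX -> -CF */
    return (int)(eax + 1u);          /* INC: 1 on match, else 0 */
}

/* The MASM bruter's search, bounded to `count` counters from `start`:
   format the counter as 8 uppercase hex digits ("%08X" rather than the
   post's "%8X", so small values are zero- not space-padded) and stop at
   the first text that hashes to the target. Fills `found` on success. */
static int brute_range(uint32_t start, uint32_t count, char found[9])
{
    char buf[9];
    for (uint32_t n = 0; n < count; n++) {
        snprintf(buf, sizeof buf, "%08X", start + n);
        if (check_serial(buf)) {
            memcpy(found, buf, 9);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char key[9];  /* constructed range around the serial bluffer found */
    if (brute_range(0xF000FF00u, 0x100u, key))
        printf("valid serial: %s\n", key);
    return 0;
}
```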

(no) copyright (c) BoR0
April, 2005

Bruteforcing Zeph's crackme
Authored by: bluffer on Tuesday, April 19 2005 @ 07:02 PM CEST

ah thanks for the mention Boro :)

hope i could add a few comments to this tut as you know i was looking for a speedier way that eliminates the twenty minutes :)

i removed the wsprintf and coded an inline convertor which reduced the time to about 10 minutes
and i came to #win32asm on efnet to bug some of them to find some more improvements :) parabytes there suggested some improvements in the convertor like stosd instead of stosb which were marginal improvements then scali took an interest in the code and coded a c++ version and applied pentium optimization switches and it drastically reduced the time to about one minute :) i am pasting below the c++ code that was from scali :)

#include <stdio.h>

int main(void)
{
    const char* table = "0123456789ABCDEF";
    char key[] = "F000FFF0";

    for (unsigned int a = 0; a < 16; a++) {
        key[0] = table[a];

        for (unsigned int b = 0; b < 16; b++) {
            key[1] = table[b];

            for (unsigned int c = 0; c < 16; c++) {
                key[2] = table[c];

                for (unsigned int d = 0; d < 16; d++) {
                    key[3] = table[d];

                    for (unsigned int e = 0; e < 16; e++) {
                        key[4] = table[e];

                        for (unsigned int f = 0; f < 16; f++) {
                            key[5] = table[f];

                            for (unsigned int g = 0; g < 16; g++) {
                                key[6] = table[g];

                                for (unsigned int h = 0; h < 16; h++) {
                                    key[7] = table[h];

                                    // hash the candidate with Zephy's algo
                                    unsigned int hash = 0x811C9DC5;

                                    for (unsigned int i = 0; i < 8; i++) {
                                        hash ^= (unsigned char)key[i];
                                        hash *= 0x1000193;
                                    }

                                    if (hash == 0xA7BA8755)
                                        goto end;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
end:
    printf( "%s\n", key );

    return 0;
}
command line for g++
g++ -Wall -O3 bruter.c -o bruter
[bluffer@]$ ./bruter F000FFF0 Bruting time ->69sec

it was fun doing the brute and speed optimizing it :)
and hey detten nice site layout :)
greets to all
