BiW Reversing

Reversing algorithm in TDC #4 crackme


Tutorials / Level: beginner
Solution for TDC's crackme #4



Name: Encrypted Password Crackme #4
Coder: TDC
Difficulty: 4/10 (I'd say easier, 2-3/10)
Cracker: Knight

Tools used: OllyDbg, PEiD, Windows Calculator.

The first step is always the same: load it in PEiD, which says 'Nothing found *'.
Look at the linker version, '5.12': that points to MASM, though identifying the assembler is of no use here. So load it in Olly, put a breakpoint on GetDlgItemTextA, enter something in the crackme and hit "Check". Olly breaks here:


	00401258   > 6A 0C         PUSH    0C                               ; /Count = C (12.)
	0040125A   .  68 5D304000   PUSH    OFFSET <serial[0]>               ; |Buffer = OFFSET <password.serial[0]>
	0040125F   .  6A 6B         PUSH    6B                               ; |ControlID = 6B (107.)
	00401261   .  FF75 08       PUSH    DWORD PTR [EBP+8]                ; |hWnd
	00401264   .  E8 EF020000   CALL    <JMP.&user32.GetDlgItemTextA>    ; GetDlgItemTextA
	00401269   .  83F8 0B       CMP     EAX, 0B
	0040126C   .  72 10         JB      SHORT 0040127E
	0040126E   .  68 00304000   PUSH    00403000                         ; /Text = "ACCESS DENIED!"
	00401273   .  FF35 80304000 PUSH    DWORD PTR [403080]               ; |hWnd = 000C022C (class='Edit',parent=000A0236)
	00401279   .  E8 FE020000   CALL    <JMP.&user32.SetWindowTextA>     ; SetWindowTextA
(That "OFFSET" is there because I use the Labeler plugin, a nice plugin.)
As we see, the length returned in EAX is compared with 0Bh and only values below it take the jump past "ACCESS DENIED!", so our serial must be 10 characters long (or less). Then we meet this:

	00401292   > 50            PUSH    EAX                              ;  length
	00401293   .  68 5D304000   PUSH    OFFSET <serial[0]>               ;  serial
	00401298   .  E8 84010000   CALL    <MainCheck>
	0040129D   .  0BC0          OR      EAX, EAX
	0040129F   .  75 1F         JNZ     SHORT 004012C0
	004012A1   .  68 0F304000   PUSH    0040300F                         ; /Text = "ACCESS GRANTED!"
	004012A6   .  FF35 80304000 PUSH    DWORD PTR [403080]               ; |hWnd = 000C022C (class='Edit',parent=000A0236)
	004012AC   .  E8 CB020000   CALL    <JMP.&user32.SetWindowTextA>     ; SetWindowTextA
So MainCheck must return 0 if we want to register it (OR EAX, EAX / JNZ skips the good message otherwise). Follow into MainCheck.

	0040142A  |.  8B45 08       MOV     EAX, [ARG.1]                     ;  eax = serial
	0040142D  |>  813401 674523>/XOR     DWORD PTR [ECX+EAX], 1234567
	00401434  |.  802401 0E     |AND     BYTE PTR [ECX+EAX], 0E
	00401438  |.  83C1 04       |ADD     ECX, 4
	0040143B  |.  83F9 08       |CMP     ECX, 8
	0040143E  |.^ 75 ED         JNZ     SHORT 0040142D                  ;  first 2 dwords xored with 1234567h, and first byte of each of them anded with 0Eh
	00401440  |.  33C9          XOR     ECX, ECX
	00401442  |>  8A1401        /MOV     DL, BYTE PTR [ECX+EAX]
	00401445  |.  0050 08       |ADD     BYTE PTR [EAX+8], DL            ;  counts sum of all chars to serial[8]
	00401448  |.  41            |INC     ECX
	00401449  |.  3B4D 0C       |CMP     ECX, [ARG.2]
	0040144C  |.^ 75 F4         JNZ     SHORT 00401442
	0040144E  |.  33C9          XOR     ECX, ECX
	00401450  |> /813401 DEBC9A>/XOR     DWORD PTR [ECX+EAX], 89ABCDE
	00401457  |. |802401 0E     |AND     BYTE PTR [ECX+EAX], 0E
	0040145B  |. |83C1 04       |ADD     ECX, 4
	0040145E  |. |83F9 08       |CMP     ECX, 8
	00401461  |.^75 ED         JNZ     SHORT 00401450                  ;  same as before, only xor with 89ABCDEh
	00401463  |.  33C9          XOR     ECX, ECX
	00401465  |>  8A1401        /MOV     DL, BYTE PTR [ECX+EAX]
	00401468  |.  0050 09       |ADD     BYTE PTR [EAX+9], DL            ;  again sum all char, this time in serial[9]
	0040146B  |.  41            |INC     ECX
	0040146C  |.  3B4D 0C       |CMP     ECX, [ARG.2]
	0040146F  |.^ 75 F4         JNZ     SHORT 00401465
	00401471  |.  8A50 09       MOV     DL, BYTE PTR [EAX+9]
	00401474  |.  8A70 08       MOV     DH, BYTE PTR [EAX+8]
	00401477  |.  66:81FA DE42  CMP     DX, 42DE
	0040147C  |.  0F85 8E000000 JNZ     <BadBoy>
So we see that the first sum (serial[8], [eax+8]) must be 42h and the second (serial[9], [eax+9]) must be 0DEh.
Then we meet a loop which does nothing, and one more check of these sums (the same one again).

	004014A3  |.  8A08          MOV     CL, BYTE PTR [EAX]               ;  cl = 08
	004014A5  |.  8A68 01       MOV     CH, BYTE PTR [EAX+1]             ;  ch = B0
	004014A8  |.  66:81C1 9235  ADD     CX, 3592                         ;  cx = B008
	004014AD  |.  66:81F9 9AE5  CMP     CX, 0E59A
	004014B2  |.  75 49         JNZ     SHORT <BadBoy>
	004014B4  |.  8138 08B0817A CMP     DWORD PTR [EAX], 7A81B008
	004014BA  |.  75 4B         JNZ     SHORT <BadBoy>
As we see, it checks the first dword of the encrypted serial, which must be 7A81B008h (the ADD CX, 3592 / CMP CX, 0E59A pair just before it tests the same low two bytes, B008h, a first time).
Then follows another useless loop, and we reach the last thing that matters to us:

	004014CA  |.  8178 04 02BF8>CMP     DWORD PTR [EAX+4], 388DBF02
	004014D1  |.  75 3D         JNZ     SHORT <BadBoy>
So the second encrypted dword must be 388DBF02h. The rest of the crackme is checks already done or useless junk. So let's start reversing it, from the last transformation backwards. First is the and'ing of the second loop (the one with 89ABCDEh):

First dword (low byte of the first dword): x & 0Eh = 08; x = ?8/?9
Second dword (low byte of the second dword): x & 0Eh = 02; x = ?2/?3

We can't get the exact values, because the AND threw away the high nibble ('?') and bit 0 (hence the two options). Then comes the xoring with 89ABCDEh:

First: 7A81B0?8/7A81B0?9 ^ 89ABCDE = 721B0C?6/721B0C?7
Second: 388DBF?2/388DBF?3 ^ 89ABCDE = 301703?C/301703?D

So we have undone the second loop. Now look at the first loop: its output is what went into the second one, and of the results above only 721B0C06 and 3017030C are valid, because the least significant byte was already and'ed with 0Eh there, so it can't be 07/0D (bit 0 set), nor something like 47 (high nibble set). So for the first loop:

First: x & 0E = 06; x = ?6/?7
Second: x & 0E = 0C; x = ?C/?D

Xor'ing:

First: 721B0C?6/721B0C?7 ^ 1234567 = 733849?1/733849?0
Second: 301703?C/301703?D ^ 1234567 = 313446?B/313446?A

Converting to chars we get (don't forget the reversed byte order, little endian!):

First: ?I8s
Second: ?F41

In place of "?" we can enter any char whose low nibble matches our pattern (?1/?0, ?B/?A).
So the pattern for our serial should be (only alphanumeric chars):

{0, 1, A, a, P, p, Q, q}I8s{J, j, K, k, Z, z}F41

Try something like 0I8sJF41. WTF? It doesn't work. If you haven't forgotten, the byte sums of the encrypted serial are checked too. With this input the first one is F5h (must be 42h) and the second is 39h (must be DEh). Where's the problem? The serial length is not 8, but 10: chars 9 and 10 are the bytes the sums are accumulated into, and the sum loops add each of them to itself. So the last char (the one which holds the second sum) is:

2*(39h + 42h + x) = DEh (mod 100h); x = 74h ('t')

39h is the sum of the first 8 encrypted bytes, 42h is the first sum (serial[8], already final by then), and we multiply by 2 because this byte is added to itself. Then we can compute the next to last:

2*(F5h + x) + 74h = 42h (mod 100h); x = 72h ('r')

So now we have the real pattern:

{0, 1, A, a, P, p, Q, q}I8s{J, j, K, k, Z, z}F41rt

Try 0I8sJF41rt. It works.
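The following is an added example, not code from this tutorial or from TDC: a Python model of MainCheck as read from the OllyDbg listing above, and a keygen that inverts it the same way the text does (undo the two XOR/AND loops for chars 0..7, then solve the two byte sums for chars 8 and 9). All constants are the ones visible in the disassembly; the 12-byte zero-filled buffer and the NUL terminator are assumed from the GetDlgItemTextA call (Count = 0C). It goes a little beyond the text by enumerating every alphanumeric serial the pattern allows, 48 of them, instead of trying one.

```python
KEY1, KEY2 = 0x01234567, 0x089ABCDE      # XOR constants of loops 1 and 3
MASK = 0x0E                               # AND BYTE PTR [ECX+EAX], 0E
DWORD0, DWORD1 = 0x7A81B008, 0x388DBF02   # CMP DWORD PTR [EAX], .. / [EAX+4], ..
SUM8, SUM9 = 0x42, 0xDE                   # DH / DL of CMP DX, 42DE
BUF_LEN = 12                              # Count = 0C in the GetDlgItemTextA call (assumed zero-filled)
ALNUM = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def xor_and_loop(buf, key):
    """Loops at 0040142D / 00401450: XOR the first two dwords with `key`, then
    AND the low byte of each dword with 0x0E (bit 0 and the high nibble are lost)."""
    for off in (0, 4):
        dw = int.from_bytes(buf[off:off + 4], "little") ^ key
        buf[off:off + 4] = dw.to_bytes(4, "little")
        buf[off] &= MASK


def sum_loop(buf, length, dst):
    """Loops at 00401442 / 00401465: buf[dst] += buf[i] for i < length, byte-wise.
    When i == dst the running total is added to itself, which is where the
    factor 2 in the text's equations comes from."""
    for i in range(length):
        buf[dst] = (buf[dst] + buf[i]) & 0xFF


def main_check(serial: bytes) -> bool:
    """Model of the whole check. True means ACCESS GRANTED (MainCheck returns 0)."""
    if len(serial) > 10:                  # CMP EAX, 0B / JB: more than 10 chars fails
        return False
    buf = bytearray(BUF_LEN)              # zero-filled like the .data buffer <serial[0]>
    buf[:len(serial)] = serial            # GetDlgItemTextA NUL-terminates after it
    xor_and_loop(buf, KEY1)
    sum_loop(buf, len(serial), 8)
    xor_and_loop(buf, KEY2)
    sum_loop(buf, len(serial), 9)
    if (buf[8], buf[9]) != (SUM8, SUM9):                       # CMP DX, 42DE
        return False
    if ((buf[1] << 8 | buf[0]) + 0x3592) & 0xFFFF != 0xE59A:   # ADD CX, 3592 / CMP CX, 0E59A
        return False
    return (int.from_bytes(buf[0:4], "little") == DWORD0 and
            int.from_bytes(buf[4:8], "little") == DWORD1)


def invert_xor_and(out_dword, key):
    """Undo `dw ^= key; byte0 &= 0x0E` for one dword. Bytes 1..3 come back exactly;
    of byte 0 only bits 1..3 survived the AND, so return the required value of
    (byte0 & 0x0E) instead of byte 0 itself."""
    pre = out_dword ^ key
    return pre >> 8, pre & MASK


def keygen(alphabet=ALNUM):
    """Work backwards from the two expected dwords to chars 0..7 (the text's
    pattern), then solve the two byte sums for chars 8 and 9. Returns every
    10-byte serial whose first 8 chars are in `alphabet`; chars 8 and 9 are
    whatever the sums force."""
    if SUM9 % 2:            # loop 4 doubles serial[9], so an odd target is impossible
        return []
    parts = []              # per dword: (fixed chars 1..3, candidates for char 0)
    for target in (DWORD0, DWORD1):
        hi, low = invert_xor_and(target, KEY2)          # state between the loops
        hi, low = invert_xor_and(hi << 8 | low, KEY1)   # the user's input
        parts.append((hi.to_bytes(3, "little"),
                      [c for c in alphabet if c & MASK == low]))
    serials = []
    for c0 in parts[0][1]:
        for c4 in parts[1][1]:
            prefix = bytes([c0]) + parts[0][0] + bytes([c4]) + parts[1][0]
            buf = bytearray(prefix) + bytearray(2)
            xor_and_loop(buf, KEY1)
            s1 = sum(buf[:8])          # what loop 2 adds into serial[8]
            xor_and_loop(buf, KEY2)
            s2 = sum(buf[:8])          # what loop 4 adds into serial[9]
            # loop 4: 2*(b9 + s2 + SUM8) == SUM9 (mod 256), so b9 is fixed mod 128
            b9 = (SUM9 // 2 - s2 - SUM8) % 128
            # loop 2: 2*(b8 + s1) + b9 == SUM8 (mod 256)
            rest = (SUM8 - b9) % 256
            if rest % 2:
                continue
            b8 = (rest // 2 - s1) % 128
            serial = prefix + bytes([b8, b9])
            if main_check(serial):     # keep only what the model really accepts
                serials.append(serial)
    return serials


if __name__ == "__main__":
    for s in keygen():
        print(s.decode())
```

The model follows the listing, not the binary: the serial must be exactly 10 chars for the sums to come out, and both sums only depend on bits 1..3 of chars 1 and 5, which is why every serial from the pattern ends in the same "rt". TDC remarks in the comments that some serials fail on the real crackme because of a length-check bug, so a serial the model accepts is not guaranteed to pass there.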

Knight, knight@d2sector.net
2005 08 29
attachment
Comments (3)
Authored by: TDC on Tuesday, August 30 2005 @ 11:33 PM CEST
Yeah, good tut Knight. By the way, some of the serials do not work; it's not your fault, probably a little bug in my crackme with the length check :-)

---
[img]http://www35.tok2.com/home/jellard23/sig-reverse.jpg[/img]
:: The world is yours! ::

Authored by: Knight on Wednesday, August 31 2005 @ 06:48 AM CEST
If you are using the keygen I've sent you, then I must say that there's a bug (more of a typo). In this attachment it's fixed.
Authored by: TDC on Wednesday, August 31 2005 @ 09:42 AM CEST
ah, okay :)

---
[img]http://www35.tok2.com/home/jellard23/sig-reverse.jpg[/img]
:: The world is yours! ::

 Copyright © 2020 BiW Reversing