Level : beginner
A guide for grabbing the valid password of TDC crackme #6.
Tools: Ollydbg, wincalc
The program starts by taking the password you enter and making sure each character is a digit 0-9 (0x30-0x39), as seen below.
00401170 /$ BA E0314000 MOV EDX,pass.004031E0
00401175 |> 8A0A /MOV CL,BYTE PTR DS:[EDX] ; move next char of pass into cl
00401177 |. 84C9 |TEST CL,CL
00401179 |. 74 0D |JE SHORT pass.00401188
0040117B |. 80F9 30 |CMP CL,30 ; compare to '0' (0x30) and jump if less than
0040117E |. 7C 63 |JL SHORT pass.004011E3
00401180 |. 80F9 39 |CMP CL,39 ; compare to '9' (0x39) and jump if above
00401183 |. 77 5E |JA SHORT pass.004011E3
00401185 |. 42 |INC EDX
00401186 |.^EB ED JMP SHORT pass.00401175
Next it encrypts each character of the entered password, but reversing this algorithm wasn't necessary, as we will see later.
00401188 |> BA E0314000 MOV EDX,pass.004031E0 ; move entered pass into edx
0040118D |> 8A0A /MOV CL,BYTE PTR DS:[EDX] ; the encryption loop
0040118F |. 84C9 |TEST CL,CL ; encrypt each character
00401191 74 21 JE SHORT pass.004011B4
00401193 |. F6D1 |NOT CL
00401195 |. 66:C1E1 08 |SHL CX,8
00401199 |. 80F5 FA |XOR CH,0FA
0040119C |. 80F5 34 |XOR CH,34
0040119F |. F6D5 |NOT CH
004011A1 |. 80F5 21 |XOR CH,21
004011A4 |. F6D5 |NOT CH
004011A6 |. 80F5 FA |XOR CH,0FA
004011A9 |. 66:C1E9 08 |SHR CX,8
004011AD |. F6D1 |NOT CL
004011AF |. 880A |MOV BYTE PTR DS:[EDX],CL
004011B1 |. 42 |INC EDX
004011B2 |.^EB D9 JMP SHORT pass.0040118D
Here comes the important part. From the comparisons below we learn the proper length of the password (10 digits) and the target bytes the encrypted password has to match.
First there is a comparison against the first four digits (the DWORD is stored little-endian, so they appear in reverse order: 4th-3rd-2nd-1st).
004011C3 |. 813A 2621242C CMP DWORD PTR DS:[EDX],2C242126 ; comp edx to first 4 characters of password
004011C9 75 18 JNZ SHORT pass.004011E3
The immediate 2C242126 holds the hex values we must convert to get the first 4 characters of the target. Using our handy dandy wincalc, or printf("%c%c%c%c\n",0x26,0x21,0x24,0x2C); (remember the reverse order), we get the string "&!$," (without quotes). So we go to the next set.
004011CB |. 817A 04 242D22>CMP DWORD PTR DS:[EDX+4],20222D24 ; compare characters 5-8
printf("%c%c%c%c\n",0x24,0x2D,0x22,0x20); gives us $-" (with a space at the end).
Now for the final two characters.
004011D4 |. 66:817A 08 242>CMP WORD PTR DS:[EDX+8],2724 ; compare characters 9 and 10
printf("%c%c\n",0x24,0x27); gives us $'
Now we have our target string, so all that's left to do is figure out what each digit turns into when it is encrypted.
Luckily for us this program doesn't terminate after a wrong password, and the encrypted text is left sitting in memory for us to look at and compare.
So we send 1234567890 through the app and look at the resulting string. After the loop has run we can see it in a few places, like so:
004011B4 |> 68 E0314000 PUSH pass.004031E0 ; /String = "$'&! #"-,%"
From /String = "$'&! #"-,%" we can build our conversion table, remembering that we entered 1234567890 as our password.
So we take our obtained string &!$,$-" $' and convert it character by character (the 8th character is a space):
encrypted: &  !  $  ,  $  -  "  (space)  $  '
digit:     3  4  1  9  1  8  7     5     1  2
Enter 3419187512 and we get the good job message. Nice crackme TDC, it was fun :)
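As an added example (not from the original write-up or the crackme), the encryption loop and the conversion steps above re-implemented in C. It goes one step beyond the write-up: the whole NOT/XOR chain collapses to a single XOR with 0x15, which is why the comparison bytes map straight back to digits, and the password is recovered directly from the three CMP immediates.

```c
#include <stdio.h>
#include <stdint.h>

/* The loop at 0040118D-004011B2, instruction for instruction; SHL/SHR move the byte between CL and CH. */
static uint8_t encrypt_char(uint8_t c)
{
    uint16_t cx = (uint8_t)~c;        /* NOT CL                         */
    cx <<= 8;                         /* SHL CX,8   -> CH = ~c, CL = 0  */
    uint8_t ch = (uint8_t)(cx >> 8);
    ch ^= 0xFA;  ch ^= 0x34;          /* XOR CH,0FA ; XOR CH,34         */
    ch = (uint8_t)~ch;  ch ^= 0x21;   /* NOT CH     ; XOR CH,21         */
    ch = (uint8_t)~ch;  ch ^= 0xFA;   /* NOT CH     ; XOR CH,0FA        */
    cx = (uint16_t)(ch << 8) >> 8;    /* SHR CX,8   -> CL = CH          */
    return (uint8_t)~cx;              /* NOT CL                         */
}

/* The three CMP immediates in memory (little-endian) byte order: the bytes the encrypted password must equal. */
static const uint8_t TARGET[10] = {
    0x26, 0x21, 0x24, 0x2C,           /* CMP DWORD PTR [EDX],2C242126   */
    0x24, 0x2D, 0x22, 0x20,           /* CMP DWORD PTR [EDX+4],20222D24 */
    0x24, 0x27                        /* CMP WORD PTR [EDX+8],2724      */
};

/* For each target byte find the digit that encrypts to it; returns out, or NULL if a byte has no digit preimage. */
static char *recover_password(char out[11])
{
    for (int i = 0; i < 10; i++) {
        out[i] = 0;
        for (char d = '0'; d <= '9'; d++)
            if (encrypt_char((uint8_t)d) == TARGET[i]) out[i] = d;
        if (!out[i]) return NULL;     /* a non-digit would be needed here */
    }
    out[10] = '\0';
    return out;
}

/* The XOR constants combine and the paired NOTs cancel: the chain is just c ^ 0x15. Returns 1 if that holds. */
static int chain_is_xor_15(void)
{
    for (int c = 0; c < 256; c++)
        if (encrypt_char((uint8_t)c) != (uint8_t)(c ^ 0x15)) return 0;
    return 1;
}

int main(void)
{
    char pw[11];
    printf("password: %s (chain == XOR 0x15: %d)\n", recover_password(pw), chain_is_xor_15());
    return 0;
}
```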