 Welcome to BiW Reversing
 Thursday, December 14 2017 @ 11:34 PM CET

Crc32 Reversing

Hello,

well today I'm gonna teach you *censored*ers an easy way of 'reversing' crc32. CRC stands for Cyclic Redundancy Check, and 32 is the size of the result in bits: 32 bits = 1 dword = 4 bytes. Ok, enough of this crap. My method of finding the input bytes that produce a given crc goes like this:

Let's suppose we need a sequence of bytes that results in the crc 0xA02DD7CB. Analysing the crc32 routine:

lea esi, [message]                  ; esi -> the input bytes
mov edx, -1                         ; crc register starts as 0FFFFFFFFh
crcloop:
lodsb                               ; al = next input byte
mov ecx, edx
and eax, 0ffh
and ecx, 0ffh                       ; ecx = low byte of the current crc
xor eax, ecx ; let's call it X      ; X = input byte XOR low byte of crc (table index)
shr edx, 8
xor edx, dword ptr [eax*4+crctable] ; crc = (crc >> 8) XOR crctable[X]
dec contagem                        ; contagem = number of bytes left
jnz crcloop

We can figure out which value was the last X by looking up in the crctable the dword whose highest byte equals 0xA0, e.g. 0xA0YYYYYY. Then we save the position (index) of this dword and the rest of the dword, YYYYYY. Why save YYYYYY? Because it's the value that was XOR'd with the previous crc (shifted right by 8) to give (A0)2DD7CB. So XORing YYYYYY with 2DD7CB gives us the top three bytes of the previous crc, whose highest byte tells us the previous X. Now we repeat the same operation until we have walked back through all four bytes. Here goes a table of the operations (the last column keeps only the bytes that are known, the unknown low bytes are dropped):

| VALUE (crc) | O.DWORD (table entry) | Position (X) | XOR'ing (known bytes) |
|-------------|-----------------------|--------------|-----------------------|
| A02DD7CB    | A00AE278              | E0           | 002735B3              |
| 2735B300    | 270241AA              | 71           | 000037F2              |
| 37F20000    | 37D83BF0              | EB           | 0000002A              |
| 2A000000    | 2A6F2B94              | FB           | 00000000              |

Ok, so the values we got are the ones that must be the X's. And, as we did this process backwards, we need to put the result backwards as well, so our values are 0xFB, 0xEB, 0x71 and 0xE0. So, we just need to recode the crc32 routine so that it retrieves the chars that must be xored with the current crc in order to produce the X's, and also substitutes them during execution so the crc keeps being updated with the right values. Here it goes:

invoke lstrlen, addr message
mov contagem, eax                   ; contagem = length of message
lea esi, [message]                  ; esi -> message (the last 4 bytes hold the wanted X's)
lea edi, [temporary]                ; edi -> output buffer for the recovered bytes
mov edx, -1                         ; crc register starts as 0FFFFFFFFh
crcloop:
lodsb                               ; al = next byte of message
mov ecx, edx
and eax, 0ffh
and ecx, 0ffh                       ; ecx = low byte of the current crc
xor eax, ecx                        ; normally X; in the last 4 rounds this is the byte we need
cmp contagem, 4
jg skipitt                          ; more than 4 bytes left: normal crc round
stosb                               ; last 4 rounds: save the needed byte (X XOR low byte of crc)
mov al, byte ptr [esi-1]            ; and reload the wanted X so it is used as the table index
skipitt:
shr edx, 8
xor edx, dword ptr [eax*4+crctable] ; crc = (crc >> 8) XOR crctable[X]
dec contagem
jnz crcloop

; Notes:
; message db 0FBh, 0EBh, 71h, 0E0h ; our precious values
; temporary dd 00 ; buffer for the last 4 bytes

After executing this routine we find out that the needed four bytes are 'fuss' (this only holds when there's nothing before them; if there are bytes before them, the result is gonna change ;).
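As an added example (not the tutorial's code), the walk-back table and the forward routine above, written out in Python: it builds the same crctable, recovers the four indices X from the target, and derives the bytes to feed exactly as the second routine does, also for the case the text mentions where other bytes come first. Standard CRC-32 complements the final register, so the code first undoes that XOR with 0xFFFFFFFF to get the raw register the walk-back needs, which is what makes 0xA02DD7CB come out as 'fuss'; the prefix used below is a constructed value. Being able to do this in four table lookups is why a CRC is only a transmission-error check and never an integrity or authentication control.

```python
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the same crctable the routine indexes.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)

# The top byte of every table entry is distinct, so it identifies the index X uniquely.
INDEX_BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(TABLE)}


def crc32_register(data, state=0xFFFFFFFF):
    """Raw CRC register after feeding data, i.e. edx in the routine (no final NOT)."""
    for b in data:
        state = (state >> 8) ^ TABLE[(state ^ b) & 0xFF]
    return state


def forge_suffix(prefix, target_crc):
    """Return 4 bytes s such that the standard CRC-32 of prefix + s equals target_crc."""
    # Standard CRC-32 XORs the final register with 0xFFFFFFFF; undo that first.
    register = target_crc ^ 0xFFFFFFFF
    # Walk back: the top byte of the register equals the top byte of TABLE[X], and
    # register ^ TABLE[X] is the previous register shifted right by 8 (low byte unknown).
    indices = []
    for _ in range(4):
        x = INDEX_BY_TOP_BYTE[register >> 24]
        indices.append(x)
        register = ((register ^ TABLE[x]) << 8) & 0xFFFFFFFF  # unknown low byte left as 0
    indices.reverse()  # collected X4..X1, put them back into feed order
    # Forward pass: the byte to feed is X XOR the low byte of the current register.
    state = crc32_register(prefix)
    suffix = bytearray()
    for x in indices:
        suffix.append((state & 0xFF) ^ x)
        state = (state >> 8) ^ TABLE[x]
    return bytes(suffix)


def verify(prefix, target_crc):
    """Cross-check the forged message against the library CRC-32."""
    return zlib.crc32(prefix + forge_suffix(prefix, target_crc)) & 0xFFFFFFFF == target_crc


if __name__ == "__main__":
    print(forge_suffix(b"", 0xA02DD7CB))                  # b'fuss'
    prefix = b"constructed prefix"                        # constructed sample input
    print(forge_suffix(prefix, 0xDEADBEEF).hex(), verify(prefix, 0xDEADBEEF))
```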

So, as you can see it's rather easy to reverse crc32. If you didn't understand this tutorial, just cont... .. .no if you didn't, you're such a moronic dumbass...

See ya,
fusS
Crc32 Reversing
Authored by: Devoney on Friday, February 09 2007 @ 09:58 AM CET
Well I don't understand.... Is Crc32 always the same algo? Or is it just a name for an algo routine with specific characteristics? Winrar32 uses Crc32, is it the same as you explained?

 Copyright © 2017 BiW Reversing