Jump to content
Hertz

[CrackMe]seven

Recommended Posts

Posted

User: Gregor

Pass: 1502754

Mai jos am comentat putin codul asm pentru cine vrea sa faca keygen:


.text:00401000 _main proc near
.text:00401000
.text:00401000 var_B0 = dword ptr -0B0h
.text:00401000 Dest = byte ptr -0ACh
.text:00401000 Serial = dword ptr -78h
.text:00401000 UserSerial = dword ptr -40h
.text:00401000 UserNameLength = dword ptr -3Ch
.text:00401000 Source = byte ptr -38h
.text:00401000 var_37 = byte ptr -37h
.text:00401000 var_4 = dword ptr -4
.text:00401000 argc = dword ptr 8
.text:00401000 argv = dword ptr 0Ch
.text:00401000 envp = dword ptr 10h
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 0B0h
.text:00401009 push offset aKeyme1ByHertz@ ; "************************\n* Keyme 1 by H"...
.text:0040100E call _printf
.text:00401013 add esp, 4
.text:00401016 push offset aPleaseEnterYou ; "\nPlease enter your username: "
.text:0040101B call _printf
.text:00401020 add esp, 4
.text:00401023 lea eax, [ebp+Source]
.text:00401026 push eax
.text:00401027 push offset Format ; "%s"
.text:0040102C call _scanf
.text:00401031 add esp, 8
.text:00401034 lea ecx, [ebp+Source]
.text:00401037 push ecx ; Source
.text:00401038 lea edx, [ebp+Dest]
.text:0040103E push edx ; Dest
.text:0040103F call _strcpy
.text:00401044 add esp, 8
.text:00401047 push offset unk_4070EC
.text:0040104C lea eax, [ebp+Dest] ; Copy the username address in eax
.text:00401052 push eax ; Str
.text:00401053 call _strstr ; Search for 'e' in the username
.text:00401058 add esp, 8
.text:0040105B mov [ebp+var_4], eax
.text:0040105E cmp [ebp+var_4], 0
.text:00401062 jnz loc_401161 ; Go to wrong username message if Username contains 'e'
.text:00401068 lea ecx, [ebp+Dest] ; Copy the username address in ecx
.text:0040106E push ecx ; Str
.text:0040106F call _strlen ; Get username length
.text:00401074 add esp, 4
.text:00401077 mov [ebp+UserNameLength], eax
.text:0040107A cmp [ebp+UserNameLength], 5
.text:0040107E jle loc_40114D ; Jump to wrong username if username.length < 5
.text:00401084 cmp [ebp+UserNameLength], 0Fh
.text:00401088 jge loc_40114D ; Jump to wrong username if username.length > 0x0F
.text:0040108E mov [ebp+Serial], 1
.text:00401095 movsx edx, [ebp+Source] ; edx = first char
.text:00401099 movsx eax, [ebp+var_37] ; eax = second char
.text:0040109D add edx, eax ; edx = first char + second char
.text:0040109F mov ecx, [ebp+UserNameLength] ; Ecx = username length
.text:004010A2 movsx eax, byte ptr [ebp+ecx+UserNameLength+2] ; eax = Second last char
.text:004010A7 mov ecx, [ebp+UserNameLength] ; useless
.text:004010AA movsx ecx, byte ptr [ebp+ecx+UserNameLength+3] ; ecx = last username char
.text:004010AF add eax, ecx ; eax = eax + ecx (last two chars)
.text:004010B1 imul edx, eax ; edx = edx * eax
.text:004010B4 mov eax, [ebp+Serial] ; eax = 1
.text:004010B7 imul eax, edx ; eax = eax * edx = edx
.text:004010BA mov [ebp+Serial], eax
.text:004010BD mov [ebp+var_B0], 2
.text:004010C7 jmp short loc_4010D8
.text:004010C9 ; ---------------------------------------------------------------------------
.text:004010C9
.text:004010C9 loc_4010C9: ; CODE XREF: _main+FDj
.text:004010C9 mov ecx, [ebp+var_B0]
.text:004010CF add ecx, 1
.text:004010D2 mov [ebp+var_B0], ecx
.text:004010D8
.text:004010D8 loc_4010D8: ; CODE XREF: _main+C7j
.text:004010D8 mov edx, [ebp+UserNameLength]
.text:004010DB sub edx, 2 ; without last 2 chars
.text:004010DE cmp [ebp+var_B0], edx
.text:004010E4 jge short loc_4010FF ; check if we reached the end
.text:004010E6 mov eax, [ebp+var_B0]
.text:004010EC movsx ecx, [ebp+eax+Source] ; ecx = current char
.text:004010F1 mov edx, [ebp+Serial] ; edx = serial
.text:004010F4 add edx, ecx ; edx = serial + current char
.text:004010F6 imul edx, [ebp+UserNameLength] ; edx = edx * UserNameLength
.text:004010FA mov [ebp+Serial], edx ; save the serial
.text:004010FD jmp short loc_4010C9
.text:004010FF ; ---------------------------------------------------------------------------
.text:004010FF
.text:004010FF loc_4010FF: ; CODE XREF: _main+E4j
.text:004010FF push offset aPleaseEnterY_0 ; "\nPlease enter your key to verify: "
.text:00401104 call _printf
.text:00401109 add esp, 4
.text:0040110C lea eax, [ebp+UserSerial]
.text:0040110F push eax
.text:00401110 push offset aD ; ; "%d" - read a decimal
.text:00401115 call _scanf
.text:0040111A add esp, 8
.text:0040111D mov ecx, [ebp+UserSerial] ; User serial
.text:00401120 cmp ecx, [ebp+Serial] ; compare with generated serial
.text:00401123 jnz short loc_401139
.text:00401125 push offset aKeyIsCorrect__ ; "\nKey is correct...\n"
.text:0040112A call _printf
.text:0040112F add esp, 4
.text:00401132 call __getch
.text:00401137 jmp short loc_40114B
.text:00401139 ; ---------------------------------------------------------------------------
.text:00401139
.text:00401139 loc_401139: ; CODE XREF: _main+123j
.text:00401139 push offset aSorryYourKeyIs ; "\nSorry, your key is wrong...\n"
.text:0040113E call _printf
.text:00401143 add esp, 4
.text:00401146 call __getch
.text:0040114B
.text:0040114B loc_40114B: ; CODE XREF: _main+137j
.text:0040114B jmp short loc_40115F
.text:0040114D ; ---------------------------------------------------------------------------
.text:0040114D
.text:0040114D loc_40114D: ; CODE XREF: _main+7Ej
.text:0040114D ; _main+88j
.text:0040114D push offset aOnlyUsernamesW ; "\nOnly usernames with length between 5 a"...
.text:00401152 call _printf
.text:00401157 add esp, 4
.text:0040115A call __getch
.text:0040115F
.text:0040115F loc_40115F: ; CODE XREF: _main:loc_40114Bj
.text:0040115F jmp short loc_401173
.text:00401161 ; ---------------------------------------------------------------------------
.text:00401161
.text:00401161 loc_401161: ; CODE XREF: _main+62j
.text:00401161 push offset aSorryThisUsern ; "\nSorry, this username is not supported."...
.text:00401166 call _printf
.text:0040116B add esp, 4
.text:0040116E call __getch
.text:00401173
.text:00401173 loc_401173: ; CODE XREF: _main:loc_40115Fj
.text:00401173 mov esp, ebp
.text:00401175 pop ebp
.text:00401176 retn
.text:00401176 _main endp

Posted (edited)

Primul crack-me de tipul asta pe care l-am facut. Mi-a luat 15 minute sa-l rezolv.

serial1:1234567890qwerty + 0xC3 + 0x10 + 0x74 (adresa 0x007410C3)

serial2:1234567890qwerty + 0x59 + 0x11 + 0x74 (adresa 0x00741159)

LE:

CarckMe output:



????????????????????????????????????????????????
???? RSTCenter Crackit #04 :: Enjoy
????????????????????????????????????????????????
????
1??? Serial :1234567890qwerty?^Pt
????????????????????????????????????????????????
???? RSTCenter Crackit #04 :: Enjoy
????????????????????????????????????????????????
????
1??? Serial :1234567890qwertyY^Qt
????
????
3??? You did it! Congrats;)
???? Concatenate the words in the serials
???? to get the pass!
????
????????????????????????????????????????????????

Edited by yulyul2004
Posted (edited)
4016E9 MOV EBP,ESP

4016EB CALL 3.004018D4

4016F0 » size_to_decrypt

4016F4 » decrypt_DWORD

..

[code_to_decrypt_below]
..
4018D4 JMP SHORT 3.004018D7 // _emit _asm EB 01 0F
4018D6 DB 0F
..
4018D7 PUSH ESI // +4
4018D8 PUSH EAX // +4
4018D9 PUSH EDX // +4 -> SUM==0xC (see next line)
4018DA MOV ESI,DWORD PTR SS:[ESP+C] // get RET from CALL == [size_to_decrypt]
4018DE CLD // junk, can be ignored
4018DF LODS DWORD PTR DS:[ESI] // inc handler by 4; adjust ESI to addr_holding_decr_DWORD
4018E0 PUSH ECX
4018E1 MOV ECX,EAX // ECX becomes size_to_decrypt
4018E3 LODS DWORD PTR DS:[ESI] // inc handler by 4; load in EAX stored decr_DWORD
4018E4 PUSH ESI
4018E5 PUSH EDI
4018E6 MOV EDI,167531AF // hardcoded DWORD
4018EB JMP SHORT 3.004018EE // _emit _asm EB 01 0F
4018ED DB 0F
4018EE XOR DWORD PTR DS:[ESI],EAX // start_decrypt
4018F0 ADD ESI,4
4018F3 MUL EDI
4018F5 INC EAX
4018F6 SUB ECX,4
4018F9 JGE SHORT 3.004018EE
4018FB POP EDI
4018FC POP ESI
4018FD POP ECX
4018FE POP EDX
4018FF POP EAX
401900 XCHG DWORD PTR SS:[ESP],ESI // adjust landing point
401903 RETN

Solved it :-) Mai jos am postat script-ul cu care am facut curat prin cod (asta dupa ce il decriptez static).

Script:
http://pastebin.com/f39f22fbe

^ A se rula cu OllyDbg + ODbgScript 1.67.2

Programul decriptat/junk-free:

http://www.speedyshare.com/417217442.html

Pun si solutia imediat..

5dp4b6.png

Am folosit asa:

Kaka

RSTCENTER

K, A, k, a - dau valori bune la impartirea cu rest ;-)

Edited by SunBeam
Posted (edited)

Nu am inteles cum merge MessageBoxA ala. Si ma refer la mesajul in sine - "The pass for username <x> of <y> is in/correct" - unde sa inteleg ca <x> e prima linie din clipboard ce contine username-ul. Dar ce-mi poti spune despre <y> (in afara de faptul ca e a doua linie din clipboard)? Sa inteleg ca <y> trebuie sa fie password?

EDIT:

Ok, POC:

username: Hertz

password: parola

SetClipboardData(Hertz\0D\0Aparola);

@init:

XOR ECX,ECX // clear counter reg

XOR EAX,EAX // clear accumulator reg

MOV DWORD PTR DS:[040217Ch],EAX // store it; store 00

XOR EDX,EDX // clear data reg

MOV DWORD PTR DS:[0402180h],EDX // store it; store 00

XOR EDX,EDX // clear it again?; ah, yes, FLAGS! ;-)

MOV EAX,0402184h ; ASCII "Hertz

parola" // get "user\0D\0Apassword" in acc_reg

JMP @init_checks // party time :-)

@compare:

MOV BL,BYTE PTR DS:[EAX] // get char

CMP BL,0Ah // test if NL

JE @null_me // if so, null char to separate user from pass

CMP BL,0Dh // test if CR

JNZ @set_buffer // if not, use ECX to set buffer (below)

@null_me:

MOV BYTE PTR DS:[EAX],0 // fill byte with 00

MOV EDX,1 // set BOOL to 1 in EDX

JMP @increment // and set regs for next iteration

@set_buffer:

TEST EDX,EDX // check if EDX is 0 (BOOL==0?)

JE @end_check // if so, extra check

MOV EBX,DWORD PTR DS:[0402180h] // get stored char

TEST EBX,EBX // test is null

JNZ @end_check

MOV DWORD PTR DS:[0402180h],ECX // save counter

XOR EDX,EDX // null data reg

JMP @increment // and loop on next

@end_check:

TEST EDX,EDX

JNZ @end

@increment:

INC ECX

INC EAX

@init_checks:

CMP ECX,064h // check max_size

JGE @break // if <= 64h, loop

MOV BL,BYTE PTR DS:[EAX] // else, start grabbing characters in base register (BL of EBX)

TEST BL,BL // check if null

JNZ @3_clean_0040168F // if not null, go to @compare

@break:

MOV AL,BYTE PTR DS:[ECX+0402184h] // get 0-BOOL

TEST AL,AL // check

JE @encrypt // removed it, since I nuked the func, so no code gets re-encrypted

XOR EDX,EDX // clean data reg

MOV DWORD PTR DS:[0402180h],EDX // and store it

..

@end:

POP EBX

POP EBP

RET

Deci, pentru "Hertz\0D\0A" -> [402180] devine 07. Apoi, cea de-a doua functie in care intram cu parametrii EAX si ECX (EAX = 07; ECX = 0D - size of whole string)..

Edited by SunBeam

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...