Jump to content
Hertz

[CrackMe]seven

By Hertz, in Challenges (CTF)

Recommended Posts

yulyul2004 Newbie

yulyul2004

Posted
Posted

User: Gregor

Pass: 1502754

Mai jos am comentat putin codul asm pentru cine vrea sa faca keygen:


.text:00401000 _main           proc near               
.text:00401000
.text:00401000 var_B0          = dword ptr -0B0h
.text:00401000 Dest            = byte ptr -0ACh
.text:00401000 Serial          = dword ptr -78h
.text:00401000 UserSerial      = dword ptr -40h
.text:00401000 UserNameLength  = dword ptr -3Ch
.text:00401000 Source          = byte ptr -38h
.text:00401000 var_37          = byte ptr -37h
.text:00401000 var_4           = dword ptr -4
.text:00401000 argc            = dword ptr  8
.text:00401000 argv            = dword ptr  0Ch
.text:00401000 envp            = dword ptr  10h
.text:00401000
.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 sub     esp, 0B0h
.text:00401009                 push    offset aKeyme1ByHertz@ ; "************************\n* Keyme 1 by H"...
.text:0040100E                 call    _printf
.text:00401013                 add     esp, 4
.text:00401016                 push    offset aPleaseEnterYou ; "\nPlease enter your username: "
.text:0040101B                 call    _printf
.text:00401020                 add     esp, 4
.text:00401023                 lea     eax, [ebp+Source]
.text:00401026                 push    eax
.text:00401027                 push    offset Format   ; "%s"
.text:0040102C                 call    _scanf
.text:00401031                 add     esp, 8
.text:00401034                 lea     ecx, [ebp+Source]
.text:00401037                 push    ecx             ; Source
.text:00401038                 lea     edx, [ebp+Dest]
.text:0040103E                 push    edx             ; Dest
.text:0040103F                 call    _strcpy
.text:00401044                 add     esp, 8
.text:00401047                 push    offset unk_4070EC
.text:0040104C                 lea     eax, [ebp+Dest] ; Copy the username address in eax
.text:00401052                 push    eax             ; Str
.text:00401053                 call    _strstr         ; Search for 'e' in the username
.text:00401058                 add     esp, 8
.text:0040105B                 mov     [ebp+var_4], eax
.text:0040105E                 cmp     [ebp+var_4], 0
.text:00401062                 jnz     loc_401161      ; Go to wrong username message if Username contains 'e'
.text:00401068                 lea     ecx, [ebp+Dest] ; Copy the username address in ecx
.text:0040106E                 push    ecx             ; Str
.text:0040106F                 call    _strlen         ; Get username length
.text:00401074                 add     esp, 4
.text:00401077                 mov     [ebp+UserNameLength], eax
.text:0040107A                 cmp     [ebp+UserNameLength], 5
.text:0040107E                 jle     loc_40114D      ; Jump to wrong username if username.length < 5
.text:00401084                 cmp     [ebp+UserNameLength], 0Fh
.text:00401088                 jge     loc_40114D      ; Jump to wrong username if username.length > 0x0F
.text:0040108E                 mov     [ebp+Serial], 1
.text:00401095                 movsx   edx, [ebp+Source] ; edx = first char
.text:00401099                 movsx   eax, [ebp+var_37] ; eax = second char
.text:0040109D                 add     edx, eax        ; edx = first char + second char
.text:0040109F                 mov     ecx, [ebp+UserNameLength] ; Ecx = username length
.text:004010A2                 movsx   eax, byte ptr [ebp+ecx+UserNameLength+2] ; eax = Second last char
.text:004010A7                 mov     ecx, [ebp+UserNameLength] ; useless
.text:004010AA                 movsx   ecx, byte ptr [ebp+ecx+UserNameLength+3] ; ecx = last username char
.text:004010AF                 add     eax, ecx        ; eax = eax + ecx (last two chars)
.text:004010B1                 imul    edx, eax        ; edx = edx * eax
.text:004010B4                 mov     eax, [ebp+Serial] ; eax = 1
.text:004010B7                 imul    eax, edx        ; eax = eax * edx = edx
.text:004010BA                 mov     [ebp+Serial], eax
.text:004010BD                 mov     [ebp+var_B0], 2
.text:004010C7                 jmp     short loc_4010D8
.text:004010C9 ; ---------------------------------------------------------------------------
.text:004010C9
.text:004010C9 loc_4010C9:                             ; CODE XREF: _main+FDj
.text:004010C9                 mov     ecx, [ebp+var_B0]
.text:004010CF                 add     ecx, 1
.text:004010D2                 mov     [ebp+var_B0], ecx
.text:004010D8
.text:004010D8 loc_4010D8:                             ; CODE XREF: _main+C7j
.text:004010D8                 mov     edx, [ebp+UserNameLength]
.text:004010DB                 sub     edx, 2          ; without last 2 chars
.text:004010DE                 cmp     [ebp+var_B0], edx
.text:004010E4                 jge     short loc_4010FF ; check if we reached the end
.text:004010E6                 mov     eax, [ebp+var_B0]
.text:004010EC                 movsx   ecx, [ebp+eax+Source] ; ecx = current char
.text:004010F1                 mov     edx, [ebp+Serial] ; edx = serial
.text:004010F4                 add     edx, ecx        ; edx = serial + current char
.text:004010F6                 imul    edx, [ebp+UserNameLength] ; edx = edx *  UserNameLength
.text:004010FA                 mov     [ebp+Serial], edx ; save the serial
.text:004010FD                 jmp     short loc_4010C9
.text:004010FF ; ---------------------------------------------------------------------------
.text:004010FF
.text:004010FF loc_4010FF:                             ; CODE XREF: _main+E4j
.text:004010FF                 push    offset aPleaseEnterY_0 ; "\nPlease enter your key to verify: "
.text:00401104                 call    _printf
.text:00401109                 add     esp, 4
.text:0040110C                 lea     eax, [ebp+UserSerial]
.text:0040110F                 push    eax
.text:00401110                 push    offset aD       ; ; "%d" - read a decimal
.text:00401115                 call    _scanf
.text:0040111A                 add     esp, 8
.text:0040111D                 mov     ecx, [ebp+UserSerial] ; User serial
.text:00401120                 cmp     ecx, [ebp+Serial] ; compare with generated serial
.text:00401123                 jnz     short loc_401139
.text:00401125                 push    offset aKeyIsCorrect__ ; "\nKey is correct...\n"
.text:0040112A                 call    _printf
.text:0040112F                 add     esp, 4
.text:00401132                 call    __getch
.text:00401137                 jmp     short loc_40114B
.text:00401139 ; ---------------------------------------------------------------------------
.text:00401139
.text:00401139 loc_401139:                             ; CODE XREF: _main+123j
.text:00401139                 push    offset aSorryYourKeyIs ; "\nSorry, your key is wrong...\n"
.text:0040113E                 call    _printf
.text:00401143                 add     esp, 4
.text:00401146                 call    __getch
.text:0040114B
.text:0040114B loc_40114B:                             ; CODE XREF: _main+137j
.text:0040114B                 jmp     short loc_40115F
.text:0040114D ; ---------------------------------------------------------------------------
.text:0040114D
.text:0040114D loc_40114D:                             ; CODE XREF: _main+7Ej
.text:0040114D                                         ; _main+88j
.text:0040114D                 push    offset aOnlyUsernamesW ; "\nOnly usernames with length between 5 a"...
.text:00401152                 call    _printf
.text:00401157                 add     esp, 4
.text:0040115A                 call    __getch
.text:0040115F
.text:0040115F loc_40115F:                             ; CODE XREF: _main:loc_40114Bj
.text:0040115F                 jmp     short loc_401173
.text:00401161 ; ---------------------------------------------------------------------------
.text:00401161
.text:00401161 loc_401161:                             ; CODE XREF: _main+62j
.text:00401161                 push    offset aSorryThisUsern ; "\nSorry, this username is not supported."...
.text:00401166                 call    _printf
.text:0040116B                 add     esp, 4
.text:0040116E                 call    __getch
.text:00401173
.text:00401173 loc_401173:                             ; CODE XREF: _main:loc_40115Fj
.text:00401173                 mov     esp, ebp
.text:00401175                 pop     ebp
.text:00401176                 retn
.text:00401176 _main           endp

Link to comment
Share on other sites
yulyul2004 Newbie

yulyul2004

Posted
Posted (edited)

Primul crack-me de tipul asta pe care l-am facut. Mi-a luat 15 minute sa-l rezolv.

serial1:1234567890qwerty + 0xC3 + 0x10 + 0x74 (adresa 0x007410C3)

serial2:1234567890qwerty + 0x59 + 0x11 + 0x74 (adresa 0x00741159)

LE:

CarckMe output:



????????????????????????????????????????????????
???? RSTCenter Crackit #04 :: Enjoy 
????????????????????????????????????????????????
????
1??? Serial :1234567890qwerty?^Pt
????????????????????????????????????????????????
???? RSTCenter Crackit #04 :: Enjoy 
????????????????????????????????????????????????
????
1??? Serial :1234567890qwertyY^Qt
????
????
3??? You did it! Congrats;)
???? Concatenate the words in the serials
???? to get the pass!
????
????????????????????????????????????????????????

Edited by yulyul2004
Link to comment
Share on other sites
SunBeam Newbie

SunBeam

Posted
Posted (edited)
4016E9 MOV EBP,ESP

4016EB CALL 3.004018D4

4016F0 » size_to_decrypt

4016F4 » decrypt_DWORD

..

[code_to_decrypt_below]
..
4018D4 JMP SHORT 3.004018D7 // _emit _asm EB 01 0F
4018D6 DB 0F
..
4018D7 PUSH ESI // +4
4018D8 PUSH EAX // +4
4018D9 PUSH EDX // +4 -> SUM==0xC (see next line)
4018DA MOV ESI,DWORD PTR SS:[ESP+C] // get RET from CALL == [size_to_decrypt]
4018DE CLD // junk, can be ignored
4018DF LODS DWORD PTR DS:[ESI] // inc handler by 4; adjust ESI to addr_holding_decr_DWORD
4018E0 PUSH ECX
4018E1 MOV ECX,EAX // ECX becomes size_to_decrypt
4018E3 LODS DWORD PTR DS:[ESI] // inc handler by 4; load in EAX stored decr_DWORD
4018E4 PUSH ESI
4018E5 PUSH EDI
4018E6 MOV EDI,167531AF // hardcoded DWORD
4018EB JMP SHORT 3.004018EE // _emit _asm EB 01 0F
4018ED DB 0F
4018EE XOR DWORD PTR DS:[ESI],EAX // start_decrypt
4018F0 ADD ESI,4
4018F3 MUL EDI
4018F5 INC EAX
4018F6 SUB ECX,4
4018F9 JGE SHORT 3.004018EE
4018FB POP EDI
4018FC POP ESI
4018FD POP ECX
4018FE POP EDX
4018FF POP EAX
401900 XCHG DWORD PTR SS:[ESP],ESI // adjust landing point
401903 RETN

Solved it :-) Mai jos am postat script-ul cu care am facut curat prin cod (asta dupa ce il decriptez static).

Script:
http://pastebin.com/f39f22fbe

^ A se rula cu OllyDbg + ODbgScript 1.67.2

Programul decriptat/junk-free:

http://www.speedyshare.com/417217442.html

Pun si solutia imediat..

5dp4b6.png

Am folosit asa:

Kaka

RSTCENTER

K, A, k, a - dau valori bune la impartirea cu rest ;-)

Edited by SunBeam
Link to comment
Share on other sites
SunBeam Newbie

SunBeam

Posted
Posted (edited)

Nu am inteles cum merge MessageBoxA ala. Si ma refer la mesajul in sine - "The pass for username <x> of <y> is in/correct" - unde sa inteleg ca <x> e prima linie din clipboard ce contine username-ul. Dar ce-mi poti spune despre <y> (in afara de faptul ca e a doua linie din clipboard)? Sa inteleg ca <y> trebuie sa fie password?

EDIT:

Ok, POC:

username: Hertz

password: parola

SetClipboardData(Hertz\0D\0Aparola);

@init:

XOR ECX,ECX // clear counter reg

XOR EAX,EAX // clear accumulator reg

MOV DWORD PTR DS:[040217Ch],EAX // store it; store 00

XOR EDX,EDX // clear data reg

MOV DWORD PTR DS:[0402180h],EDX // store it; store 00

XOR EDX,EDX // clear it again?; ah, yes, FLAGS! ;-)

MOV EAX,0402184h ; ASCII "Hertz

parola" // get "user\0D\0Apassword" in acc_reg

JMP @init_checks // party time :-)

@compare:

MOV BL,BYTE PTR DS:[EAX] // get char

CMP BL,0Ah // test if NL

JE @null_me // if so, null char to separate user from pass

CMP BL,0Dh // test if CR

JNZ @set_buffer // if not, use ECX to set buffer (below)

@null_me:

MOV BYTE PTR DS:[EAX],0 // fill byte with 00

MOV EDX,1 // set BOOL to 1 in EDX

JMP @increment // and set regs for next iteration

@set_buffer:

TEST EDX,EDX // check if EDX is 0 (BOOL==0?)

JE @end_check // if so, extra check

MOV EBX,DWORD PTR DS:[0402180h] // get stored char

TEST EBX,EBX // test is null

JNZ @end_check

MOV DWORD PTR DS:[0402180h],ECX // save counter

XOR EDX,EDX // null data reg

JMP @increment // and loop on next

@end_check:

TEST EDX,EDX

JNZ @end

@increment:

INC ECX

INC EAX

@init_checks:

CMP ECX,064h // check max_size

JGE @break // if <= 64h, loop

MOV BL,BYTE PTR DS:[EAX] // else, start grabbing characters in base register (BL of EBX)

TEST BL,BL // check if null

JNZ @3_clean_0040168F // if not null, go to @compare

@break:

MOV AL,BYTE PTR DS:[ECX+0402184h] // get 0-BOOL

TEST AL,AL // check

JE @encrypt // removed it, since I nuked the func, so no code gets re-encrypted

XOR EDX,EDX // clean data reg

MOV DWORD PTR DS:[0402180h],EDX // and store it

..

@end:

POP EBX

POP EBP

RET

Deci, pentru "Hertz\0D\0A" -> [402180] devine 07. Apoi, cea de-a doua functie in care intram cu parametrii EAX si ECX (EAX = 07; ECX = 0D - size of whole string)..

Edited by SunBeam
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...