*****************************************
* *
* RingZer0 Presents *
* *
* "CoSH Crackme3" by PUSILLUS *
* 23/2/99 *
*****************************************
Sorry for my bad English :(
Tools:
SoftIce.
Run the program, enter SoftIce and type TASK:
Taskname SS:SP StackTop StackBot StackLow TaskDB hQueue Events
crackme3 0000:0000 005ED000 05F0000 11DE 0E47 0000
...
Type "HWND crackme3" to get handles of our program:
Window-Handle hQueue SZ QOwner Class_Name Window Procedure
03AC(1) OE47 32 CRACKME3 #32770 (Dialog) 1457:00000694
03CC(2) OE47 32 CRACKME3 Button ...
03A8(2) OE47 32 CRACKME3 Static ...
0400(2) OE47 32 CRACKME3 Static ...
03FC(2) OE47 32 CRACKME3 Edit ...
03E0(2) OE47 32 CRACKME3 Edit ...
...
Put a breakpoint with "BMSG 03fc WM_GETTEXT" and exit SoftIce.
Type some values into the edit controls of the dialog box, for example
"pusillus" and "00000000", and click the "OK" button. The debugger breaks in
Kernel.alloc; with F12 we return from various calls and we can see MFC42
calling GetWindowTextA.
Before this call there are some instructions:
....
PUSH EAX
PUSH DWORD PTR [ESI+20]
GetWindowTextA
....
We can put a break on the PUSH EAX to get the address where the edit control text is
stored.
When I executed the program for the first time I pressed F12 one more time
to go back into the crackme code, and I explored the contents of the registers:
ECX contains the location of the stored text ;).
For the first call to MFC GetWindowTextA at address 00401533, ECX is 00760A7C (the address of the
name), and for the second call at 00401548 ECX is 00760A9C (the address of the password).
---------------------------
:00401521 8B45E0 mov eax, dword ptr [ebp-20]
:00401524 05E0000000 add eax, 000000E0
:00401529 50 push eax
:0040152A 8B4DE0 mov ecx, dword ptr [ebp-20]
:0040152D 81C1A0000000 add ecx, 000000A0
* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:00401533 E866030000 Call 0040189E <----- read the Name
:00401538 8B4DE0 mov ecx, dword ptr [ebp-20]
:0040153B 81C1E4000000 add ecx, 000000E4
:00401541 51 push ecx
:00401542 8B4DE0 mov ecx, dword ptr [ebp-20]
:00401545 83C160 add ecx, 00000060
* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:00401548 E851030000 Call 0040189E <---- read the Pwd
:0040154D 8B55E0 mov edx, dword ptr [ebp-20]
:00401550 81C2E0000000 add edx, 000000E0
:00401556 52 push edx
:00401557 8D4DE4 lea ecx, dword ptr [ebp-1C]
---------------------------
With F10 walk through the code: at address 00401570 the program resets all registers
and at 0040157D it moves the address of the name into EAX:
---------------------------
:00401570 33C0 xor eax, eax
:00401572 33DB xor ebx, ebx
:00401574 33C9 xor ecx, ecx
:00401576 B901000000 mov ecx, 00000001 <-- cl=1
:0040157B 33D2 xor edx, edx
:0040157D 8B45E4 mov eax, dword ptr [ebp-1C] <-- EAX=00760A7C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040158B(C)
|
:00401580 8A18 mov bl, byte ptr [eax] <-- bl=byte pointed by EAX
:00401582 32D9 xor bl, cl <-- xor bl , cl
:00401584 8818 mov byte ptr [eax], bl <-- byte pointed by EAX is replaced with bl
:00401586 41 inc ecx <-- ECX + 1
:00401587 40 inc eax <-- EAX + 1
:00401588 803800 cmp byte ptr [eax], 00
:0040158B 75F3 jne 00401580 <-- processing all values in the string
---------------------------
In my example:
00760A7C = 70 75 73 69 6c 6c 75 73 (pusillus)
XOR cl 01 02 03 04 05 06 07 08
00760A7C = 71 77 70 6d 69 6a 72 7b
Proceeding with F10, we reach the code where the password is processed:
---------------------------
:0040158D 33C0 xor eax, eax
:0040158F 33DB xor ebx, ebx
:00401591 33C9 xor ecx, ecx
:00401593 B90A000000 mov ecx, 0000000A <-- ECX=0A
:00401598 33D2 xor edx, edx
:0040159A 8B45F0 mov eax, dword ptr [ebp-10] <-- EAX=00760A9C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015A8(C)
|
:0040159D 8A18 mov bl, byte ptr [eax] <-- bl= byte pointed by eax
:0040159F 32D9 xor bl, cl <-- xor bl , cl
:004015A1 8818 mov byte ptr [eax], bl <-- byte pointed by eax = bl
:004015A3 41 inc ecx
:004015A4 40 inc eax
:004015A5 803800 cmp byte ptr [eax], 00 <-- looping for all the string
:004015A8 75F3 jne 0040159D
---------------------------
The password processing is the same, but CL is initialized with 0A:
00760A9C = 30 30 30 30 30 30 30 30 (00000000)
XOR cl 0A 0B 0C 0D 0E 0F 10 11
00760A9C = 3A 3B 3C 3D 3E 3F 20 21
The two modified strings are compared:
---------------------------
:004015AA 8B45E4 mov eax, dword ptr [ebp-1C] <-- 00760A7C
:004015AD 8B55F0 mov edx, dword ptr [ebp-10] <-- 00760A9C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015BF(C)
|
:004015B0 33C9 xor ecx, ecx
:004015B2 8A18 mov bl, byte ptr [eax] <-- bl= byte pointed by eax
:004015B4 8A0A mov cl, byte ptr [edx] <-- cl= byte pointed by edx
:004015B6 3AD9 cmp bl, cl <-- comparison
:004015B8 7509 jne 004015C3 <-- not equal: jump to "ERROR"
:004015BA 40 inc eax
:004015BB 42 inc edx
:004015BC 803800 cmp byte ptr [eax], 00 <-- end-of-string check (on the name only)
:004015BF 75EF jne 004015B0 <-- loop over the whole string
:004015C1 EB16 jmp 004015D9 <-- jump to "YOU DID IT"
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401503(U), :0040151C(U), :004015B8(C)
|
:004015C3 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"ERROR"
|
:004015C5 686C304000 push 0040306C
* Possible StringData Ref from Data Obj ->"One of the Details you entered "
->"was wrong"
|
:004015CA 6840304000 push 00403040
:004015CF 8B4DE0 mov ecx, dword ptr [ebp-20]
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004015D2 E8BB020000 Call 00401892
:004015D7 EB14 jmp 004015ED
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015C1(U)
|
:004015D9 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"YOU DID IT"
|
:004015DB 6834304000 push 00403034
* Possible StringData Ref from Data Obj ->"Well done,Cracker"
|
:004015E0 6820304000 push 00403020
---------------------------
OK, we can calculate a valid serial for the name "pusillus":
71 77 70 6d 69 6a 72 7b <-- values calculated by the program for "pusillus"
0A 0B 0C 0D 0E 0F 10 11 <-- XOR with the password stream (the XOR is its own inverse)
7B 7C 7C 60 67 65 62 6A <-- correct password: {||`gebj
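As an added example (not part of Pusillus' tutorial), a Python model of the two XOR loops and of the compare loop reconstructed from the disassembly above. It derives the same password for "pusillus" and also models the edge the compare loop at 004015B0 leaves open: only the length of the name is checked, so a longer password with a matching prefix is accepted too.

```python
from typing import Optional


def xor_stream(data: bytes, start: int) -> bytes:
    """Model of the loops at 00401580 (start=1) and 0040159D (start=0x0A).
    Each byte is XORed with CL, which starts at `start` and is incremented
    once per byte; CL is 8 bits wide, so the counter wraps at 0x100."""
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(data))


def crackme_accepts(name: bytes, password: bytes) -> bool:
    """Model of the compare loop at 004015B0 over the two transformed strings.
    The loop is do-while: compare, jump to ERROR on mismatch, advance, and stop
    when the next byte of the transformed *name* is NUL.  The password's own
    terminator is never checked, so only a prefix of its length is compared."""
    if not name or not password:
        raise ValueError("the crackme's loops assume non-empty C strings")
    n = xor_stream(name, 0x01) + b"\x00"      # in-place result at 00760A7C
    p = xor_stream(password, 0x0A) + b"\x00"  # in-place result at 00760A9C
    i = 0
    while True:
        if n[i] != p[i]:
            return False                      # jne 004015C3 -> "ERROR"
        i += 1
        if n[i] == 0:
            return True                       # jmp 004015D9 -> "YOU DID IT"


def make_password(name: bytes) -> Optional[bytes]:
    """Derive a password for `name` the way the tutorial does by hand: apply
    the 01,02,03,... stream, then the 0A,0B,0C,... stream (XOR against a known
    stream undoes itself).  Returns None when a byte could not be typed into
    the Edit control (NUL or outside printable ASCII)."""
    pwd = xor_stream(xor_stream(name, 0x01), 0x0A)
    if any(b < 0x20 or b > 0x7E for b in pwd):
        return None
    return pwd


if __name__ == "__main__":
    # The values from the tutorial, used here as constructed sample input.
    print(xor_stream(b"pusillus", 0x01).hex(" "))   # 71 77 70 6d 69 6a 72 7b
    print(xor_stream(b"00000000", 0x0A).hex(" "))   # 3a 3b 3c 3d 3e 3f 20 21
    print(make_password(b"pusillus"))               # b'{||`gebj'
```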
Please visit our Italian cracking homepage at http://ringzer0.cjb.net
Pusillus.