:00401226 03D3 add edx, ebx ;add this value to edx
We know that we must end up with a value in edx that matches 8DCAF368.
For example, if we enter '1234567' as the serial, we end up with these values:
edx=00000000
ebx=00000000
Pass 1: Add '1' = 31h
ebx=00000031 ;mov bl, byte ptr [eax]
ebx=00003100 ;rol ebx, 08
edx=00003100 ;add edx, ebx
Pass 2: Add '2' = 32h
ebx=00003132
ebx=00313200
edx=00316300
Pass 3: Add '3' = 33h
ebx=00313233
ebx=31323300
edx=31639600
Pass 4: Add '4' = 34h
ebx=31323334
ebx=32333431
edx=6396CA31
Pass 5: Add '5' = 35h
ebx=32333435
ebx=33343532
edx=96CAFF63
Pass 6: Add '6' = 36h
ebx=33343536
ebx=34353633
edx=CB003596
Pass 7: Add '7' = 37h
ebx=34353637
ebx=35363734
edx=00366CCA <- Final value
Our problem is now to go from 00366CCA back to the original string from which this value was calculated (i.e. reversing the protection scheme). With the knowledge that I have gathered so far (remember, I'm a newbie..) I cannot see how this can be done. If I should be wrong here I would very much like to hear from you; I can be reached via my email address: mrsquash0@hotmail.com.
Our problems are: when we load a new digit/letter into ebx we erase whatever value was there before (i.e. the lower 8 bits of ebx are overwritten, with no relation to what they held before). Another problem is that edx can go past its limit, ffffffff, and wrap around to 0.
But there is a solution to our problem, because this type of protection can accept more than one valid s/n. For this crackme a valid s/n can be computed like this:
8D CA F3 68 <- the value found in the crackme
   ^  ^
   |__|___ third byte minus second byte:
F3 - CA = 29 = ')'
***
Then I perform two logical operations on this value:
1) ror 8
2) and ffffff00h (-100h)
After this I get:
68 8D CA 00
   ^  ^
   |__|___ third byte minus second byte:
CA - 8D = 3D = '='
***
1) ror 8
2) and ffffff00h (-100h)
00 68 8D 00
   ^  ^
   |__|___ third byte minus second byte:
8D - 68 = 25 = '%'
***
1) ror 8
2) and ffffff00h (-100h)
00 00 68 00
   ^  ^
   |__|___ third byte minus second byte:
68 - 00 = 68 = 'h'
***
1) ror 8
2) and ffffff00h (-100h)
00 00 00 00
DONE
So from this I get ')=%h'. Reverse this and it is a valid serial. This means that if you enter 'h%=)' (without the quotes) as the s/n you'll get the goood messagebox saying that you're a goood cracker :)
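Both directions of the scheme in C, as an added example (this is neither the crackme's code nor the essay author's): crackme_checksum replays the three-instruction loop from the listing, and crackme_invert4 applies the four-step recipe above. The function names are mine. The example goes one step beyond the essay: it verifies the recovered serial by running it forward again, which exposes the assumption the recipe silently relies on, namely that none of the per-byte sums c1+c2, c1+c2+c3, c1+c2+c3+c4 exceeds FFh. When one does, a carry shifts the neighbouring byte and the subtraction peels off the wrong value; the trace value 00366CCA is such a case.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* rol/ror of a 32-bit register by 8, as the x86 instructions behave */
static uint32_t rol8(uint32_t x) { return (x << 8) | (x >> 24); }
static uint32_t ror8(uint32_t x) { return (x >> 8) | (x << 24); }

/* Forward direction: the crackme loop from the listing, once per serial byte:
   mov bl, byte ptr [eax] / rol ebx, 08 / add edx, ebx.
   ebx is NOT cleared between passes, so earlier characters stay in its upper bytes. */
uint32_t crackme_checksum(const char *serial)
{
    uint32_t ebx = 0, edx = 0;
    for (const unsigned char *p = (const unsigned char *)serial; *p; p++) {
        ebx = (ebx & 0xFFFFFF00u) | *p;   /* mov bl, byte ptr [eax] */
        ebx = rol8(ebx);                  /* rol ebx, 08 */
        edx += ebx;                       /* add edx, ebx (wraps at 2^32 like the register) */
    }
    return edx;
}

/* Reverse direction, the essay's recipe for a 4-character serial c1..c4:
   (third byte - second byte) of the value gives one character, then ror 8 and
   and ffffff00h, four times; characters come out last-to-first.
   Why it works when no byte addition carries: the four rotated ebx values sum to
       byte3 = c1+c2   byte2 = c1+c2+c3   byte1 = c1+c2+c3+c4   byte0 = c1
   so each "third minus second" difference peels off exactly one character.
   out receives the NUL-terminated serial. Returns 1 if the candidate really
   reproduces target, 0 if a carry broke the recipe (assumed interface, mine). */
int crackme_invert4(uint32_t target, char out[5])
{
    uint32_t v = target;
    for (int i = 3; i >= 0; i--) {
        unsigned second = (v >> 16) & 0xFF;   /* second byte from the left */
        unsigned third  = (v >> 8)  & 0xFF;   /* third byte from the left  */
        out[i] = (char)((third - second) & 0xFF);
        v = ror8(v) & 0xFFFFFF00u;            /* ror 8 ; and ffffff00h */
    }
    out[4] = '\0';
    return crackme_checksum(out) == target;
}

int main(void)
{
    char serial[5];
    /* the trace from the essay: '1234567' ends in 00366CCA */
    printf("%-8s -> %08X\n", "1234567", (unsigned)crackme_checksum("1234567"));
    /* the crackme's target: the recipe yields h%=) and it verifies */
    if (crackme_invert4(0x8DCAF368u, serial))
        printf("%08X <- \"%s\" (verified)\n", 0x8DCAF368u, serial);
    /* the trace value itself: c1+c2+c3+c4 > FFh in the candidate, so the
       carry shifts a byte and the 4-character candidate does not check out */
    if (!crackme_invert4(0x00366CCAu, serial))
        printf("%08X: recipe candidate does not verify (carry)\n", 0x00366CCAu);
    return 0;
}
```

The verification step is the part worth keeping in any such write-up: a recipe derived from one worked instance should always be run back through the original routine before it is reported as a general inverse.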
A problem with solving it this way:
If the program had some disabled functions that were only available in the registered version, and the code within these functions were encrypted with a key derived from another s/n calculation routine (using the original s/n string as its starting point), we would have a serious problem: the valid s/n we have calculated would NOT give the same result as the original s/n when put through that other algorithm.
I repeat: I am not 100% (only 99%) sure that you cannot (in some way) go from 8DCAF368 to the original string that this value was computed from. If you know of a way, you are MORE than welcome to send me a mail: mrsquash0@hotmail.com, thanks!