CrackMe® Practices for Newbies ~ Moderated

Second Offering and Progress
Friday, 29-Jan-99 16:02:20
    212.211.8.45 writes:

    OK, the news:

    Good news: I have generated a file which registers this program.
    Bad news: It doesn't get registered in your name, which I deduce must be the correct way forward since it is too easy otherwise.

    OK. Serious time: Recall the two routines which are being used. I had a closer look through the code and realised that the file is divided into three strings, we'll call them string 1, string 2 and string 3, each of which is 16 bytes from the data file.

    string 1 is encrypted (for want of a better word) by the first routine call; it is routine 401116 called with the parameters string 1, string 1 and the number 4 (4 loops).

    string 2 is now encrypted in the same way, but this time with 5 loops.

    Now the final routine is called, the encrypted string 2 has some more encryption done to it, and is then compared to parts of string 3.

    Phew, following this?

    Right. I decided to go ahead with all zeroes, which appears to be checked for in the code, and although it passed the comparisons it doesn't get through all the checks. So, I had a look around the code. I noticed that it seems that string 2 is used on the screen in the 'Cracked by' box. So I put my name in for string 2. Next I ran the code up to the middle of the second routine, this bit to be precise:

    004011FF loc_4011FF: ; CODE XREF: sub_4011C1+4C j
    004011FF lodsd
    00401200 mov ebx, [edi]
    00401202 add edi, 4
    00401205 cmp eax, ebx
    00401207 jnz short loc_401215
    00401209 nop
    0040120A nop
    0040120B nop
    0040120C nop
    0040120D loop loc_4011FF

    This is where the encrypted string 2 gets checked against parts of string 3. I then changed string 3 as I went along so that the checks were passed. Hence one keyfile which passes the test. Here it is in hex:

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    43 72 6F 6E 6F 73 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 AF 13 FA 3F 0F 00 00 00 00 00 00 00

    All seems to be done.
    BUT, and this is one big BUT:

    The program uses the encrypted string2 (which currently is 'Cronos' but encrypted is on the line below and looks like '-|u?\' or something like that) as the name which the program is registered to.

    Hence to fully crack this little proggie I will now be trying to take the program backwards from 'Cronos' to whatever I need to put in to get the encrypted string2 right. Phew.

    So next I will be looking at the reversibility of the code in the second routine (before 4011ff) and I will be looking at the algorithm of the few lines above.

    Later,

    Cronos.






    Cronos
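An added example, not code from the original post: it models the keyfile layout the post describes (three 16-byte fields) and emulates the dword-by-dword comparison loop at 004011FF so the check can be reasoned about offline. The encryption routine at 401116 is not on the page and is therefore not modelled; the loop count (ecx) and which "parts of string 3" are compared are also not given, so both are left as parameters rather than guessed. The keyfile bytes are the hex dump exactly as posted.

```python
# Added example (not from the original post). Assumptions: the compare loop is
# fed already-transformed bytes by its caller, and the iteration count comes
# from ecx, whose value is not shown on the page.
import struct

FIELD_LEN = 16

# Keyfile exactly as posted in the message (hex dump, 3 x 16 bytes).
KEYFILE_HEX = (
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "43 72 6F 6E 6F 73 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 AF 13 FA 3F 0F 00 00 00 00 00 00 00"
)


def keyfile_bytes() -> bytes:
    """Decode the posted hex dump into raw bytes."""
    return bytes.fromhex(KEYFILE_HEX)


def parse_keyfile(data: bytes):
    """Split a 48-byte keyfile into (string 1, string 2, string 3), 16 bytes each."""
    if len(data) != 3 * FIELD_LEN:
        raise ValueError(f"expected {3 * FIELD_LEN} bytes, got {len(data)}")
    return tuple(data[i * FIELD_LEN:(i + 1) * FIELD_LEN] for i in range(3))


def compare_dwords(src: bytes, dst: bytes, count: int):
    """Emulate the loop at 004011FF..0040120D.

    esi -> src, edi -> dst, ecx = count.
      lodsd          ; eax = [esi], esi += 4
      mov ebx,[edi]  ; ebx = [edi]
      add edi,4
      cmp eax,ebx
      jnz loc_401215 ; leave on first mismatch
      loop 4011FF    ; ecx -= 1, repeat while ecx != 0

    Returns (passed, index_of_first_mismatching_dword_or_None).
    """
    # x86 'loop' decrements before testing, so ecx == 0 would wrap and run
    # ~2^32 times; reject that rather than emulate it.
    if count < 1:
        raise ValueError("count must be >= 1 (loop with ecx == 0 wraps)")
    if len(src) < 4 * count or len(dst) < 4 * count:
        raise ValueError("buffers shorter than 4 * count bytes")
    for i in range(count):
        eax = struct.unpack_from("<I", src, 4 * i)[0]  # lodsd
        ebx = struct.unpack_from("<I", dst, 4 * i)[0]  # mov ebx, [edi]
        if eax != ebx:                                 # cmp / jnz
            return False, i
    return True, None                                  # fell out via loop


if __name__ == "__main__":
    s1, s2, s3 = parse_keyfile(keyfile_bytes())
    print("string 2 (shown in the 'Cracked by' box):", s2.rstrip(b"\x00"))
    print("string 3 dwords:", [hex(struct.unpack_from('<I', s3, 4 * i)[0]) for i in range(4)])
    # Comparing string 3 with itself shows the loop's pass path.
    print("self-compare over 4 dwords:", compare_dwords(s3, s3, 4))
```

Running it prints the string 2 field decoded as `b'Cronos'` and the four little-endian dwords of string 3; the self-compare returns `(True, None)`. Feeding `compare_dwords` a transformed string 2 and the relevant slice of string 3 reproduces the pass/fail decision the post describes, once the transform and the count are known from the binary.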


Message thread:

My Shiny New Thread (Cronos) (29-Jan-99 14:40:23)


Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.