CrackMe® Practices for Newbies
Project 9: CrackMe 2 by Cronos

Re: The code
Thursday, 01-Apr-99 09:46:24


    At 110h there is this code:

    seg000:0110 mov bx, [si]
    seg000:0112 add si, 2
    seg000:0115 mov dx, bx
    seg000:0117 add dx, 2
    seg000:011A jmp word ptr [bx]

    What it does: it loads into bx the value at [si] and increases si to point to the
    next word value. Then the value in bx is used for a jmp instruction, so
    the values si points to are a set of dw values which indicate what part
    of the code will be executed when si points to them.

    Just before a new character of the username is read, si==383h. The data at
    383h:

    seg000:0383 dw 1F1h ;read a character (read below)
    seg000:0385 dw 15Fh
    seg000:0387 dw 148h ;push
    seg000:0389 dw 0Dh ;0dH
    seg000:038B dw 2E3h ;cmp

    So the first jump will be at 1F1h (the next character is read):

    seg000:01F1 dw 1F3h
    seg000:01F3 mov ah, 8
    seg000:01F5 int 21h ; DOS - KEYBOARD INPUT, NO ECHO
    seg000:01F5 ; Return: AL = character
    seg000:01F7 mov ah, 0
    seg000:01F9 push ax
    seg000:01FA jmp 110h ;<=notice it jumps back to 110h


    The next jump will be at 15Fh, but it is not as interesting as the jump that
    follows (148h):

    seg000:0148 dw 14Ah
    seg000:014A mov ax, [si] ;si points to 0dh (RETURN)
    seg000:014C add si, 2 ;inc si, we don't want to jump to 0dh
    seg000:014F push ax ;we just want to use the 0d value for a comparison
    seg000:0150 jmp 110h ;<=

    So the read character was pushed onto the stack and 0d (RETURN) was pushed also.
    A compare routine must follow:

    seg000:02E3 dw 2E5h
    seg000:02E5 pop ax ;pop the character
    seg000:02E6 pop bx ;pop 0dh
    seg000:02E7 cmp ax, bx ;are they equal?
    seg000:02E9 jnz loc_0_2F0
    seg000:02EB push 0 ;if yes, return 0
    seg000:02ED jmp 110h

    seg000:02F0 loc_0_2F0: ; CODE XREF: seg000:02E9
    seg000:02F0 push 1 ;they are not, so return 1
    seg000:02F2 jmp 110h

    The next piece of code executed:

    seg000:01D3 dw 1D5h
    seg000:01D5 add si, [si] ;add 64h to si (a jmp :)
    seg000:01D7 jmp 110h

    seg000:01DA dw 1DCh

    seg000:01DC pop ax ;<=we land here
    seg000:01DD or ax, ax ;were 0d & character equal?
    seg000:01DF jz 1d5h ;if yes, jump
    seg000:01E1 add si, 2 ;don't jump at 64h
    seg000:01E4 jmp 110h

    So, what the program did so far was: it read a character and compared it with 0dh.
    Next, it will compare the value with 08h, then ... . It's all there in my previous posting.
    Using IDA, anyone can follow how the program works. The part in which the
    key is computed starts when si==38dh (I think :).
    Using SICE, a bpx 110 if si==383 or bpx 110 if si==383 can be used.

    l8r,Andy.

    Andy
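A small emulator of the dispatch loop Andy describes, added here as an example that is not part of his post or of the crackme: the word at si names the next primitive, the 110h loop fetches it and jumps, and the primitives themselves consume any inline data (the 0Dh literal, the branch offsets) so the dispatcher never jumps into it. The primitive addresses (1F1h, 148h, 2E3h, 1D3h, 1DAh) are the ones from the listing above; the thread laid out at 383h, the HALT pseudo-word and the keystroke string are constructed for the example, and the 15Fh word from the real table is left out because the post does not say what it does.

```python
"""Toy emulator of the threaded-code dispatcher described in the post.

The loop at 110h (mov bx,[si] / add si,2 / jmp word ptr [bx]) treats the
words that si walks over as a list of code addresses, with inline data
words consumed by the primitives themselves.  Constructed example: the
primitive addresses are the ones in the post, the thread layout and the
input string are made up here.
"""

from typing import Callable, Dict, List, Tuple

HALT = 0xFFFF  # constructed pseudo-address that stops the emulator; not in the crackme


class ThreadedVM:
    def __init__(self, mem: Dict[int, int], keys: str) -> None:
        self.mem = dict(mem)                 # word address -> 16-bit word
        self.si = 0                          # pointer into the thread (the real si)
        self.stack: List[int] = []           # the values ax is pushed through
        self.keys = list(keys)               # constructed keyboard buffer for int 21h/ah=8
        self.trace: List[int] = []           # primitive addresses in dispatch order
        self.prims: Dict[int, Callable[[], None]] = {
            0x1F1: self.read_char,   # mov ah,8 / int 21h / mov ah,0 / push ax
            0x148: self.lit,         # mov ax,[si] / add si,2 / push ax
            0x2E3: self.cmp,         # pop ax / pop bx / cmp ax,bx / push 0 or 1
            0x1D3: self.jump_rel,    # add si,[si]
            0x1DA: self.jz_rel,      # pop ax / or ax,ax / jz 1D5h / add si,2
        }

    def fetch(self) -> int:
        """mov bx,[si] / add si,2: take the next word and advance si."""
        word = self.mem[self.si]
        self.si = (self.si + 2) & 0xFFFF
        return word

    def read_char(self) -> None:
        if not self.keys:
            raise RuntimeError("keyboard buffer exhausted")
        self.stack.append(ord(self.keys.pop(0)) & 0xFF)   # mov ah,0 keeps only AL

    def lit(self) -> None:
        # The word after 148h in the thread is data: fetch it here so the
        # dispatcher never tries to jump to it, then push it.
        self.stack.append(self.fetch())

    def cmp(self) -> None:
        ax = self.stack.pop()       # the word pushed last
        bx = self.stack.pop()       # the word pushed before it
        self.stack.append(0 if ax == bx else 1)

    def jump_rel(self) -> None:
        # add si,[si]: si points at the offset word, which is relative to itself
        self.si = (self.si + self.mem[self.si]) & 0xFFFF

    def jz_rel(self) -> None:
        if self.stack.pop() == 0:
            self.jump_rel()                      # jz 1D5h: take the relative jump
        else:
            self.si = (self.si + 2) & 0xFFFF     # add si,2: step over the offset word

    def run(self, start: int, max_steps: int = 10_000) -> None:
        """The 110h loop: fetch a word, jump to it, repeat until HALT."""
        self.si = start
        for _ in range(max_steps):
            target = self.fetch()
            if target == HALT:
                return
            self.trace.append(target)
            self.prims[target]()     # a KeyError here would be a jump into data
        raise RuntimeError("thread did not terminate")


# Constructed thread at 383h: read a key, compare it with 0Dh (RETURN), loop
# until they match.  Offsets are relative to the address of the offset word,
# which is what the add si,[si] at 1D5h expects.
THREAD: Dict[int, int] = {
    0x383: 0x1F1,                                   # read a character
    0x385: 0x148, 0x387: 0x000D,                    # push 0Dh
    0x389: 0x2E3,                                   # push 0 if equal, else 1
    0x38B: 0x1DA, 0x38D: 0x393 - 0x38D,             # if equal, jump to 393h
    0x38F: 0x1D3, 0x391: (0x383 - 0x391) & 0xFFFF,  # else jump back to 383h
    0x393: HALT,
}


def run_thread(keys: str) -> Tuple[int, List[int], List[int]]:
    """Run THREAD against a constructed key sequence.

    Returns (characters read, dispatch trace, stack left over at HALT)."""
    vm = ThreadedVM(THREAD, keys)
    vm.run(0x383)
    return vm.trace.count(0x1F1), vm.trace, vm.stack


if __name__ == "__main__":
    n, trace, stack = run_thread("ab\r")
    print(f"read {n} characters before RETURN")
    print("dispatched:", " ".join(f"{a:03X}" for a in trace))
```

The trace is the list of addresses the `jmp word ptr [bx]` lands on, which is the same thing a `bpx 110` in SoftICE shows one step at a time; the `& 0xFFFF` masks are what make the negative backward offset at 391h behave like the 16-bit `add si,[si]` does.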

