Princess' Tread Tuesday, 09-Feb-99 20:08:44
Here is what I have found so far. It's by no means finished, but it may help others.

The password in encrypted form is 12 characters long and can be found with a hex editor at the bottom of the file. There are two occurrences of Zipfile.txt, and the password (encrypted) is found directly after the first. In the Zipfile it is 1D F6 F9 FB C9 6C DF 2B 3F 9C 92 CE.

The encryption is somewhat difficult, but here is what I have found. Going to 405237 - 405247: this little loop includes a call to 4051AB, where the individual characters of our password are being manipulated with 407FF8. This area runs from 4051AB to 40520E. If we use the numbers 1,2,3 as our password (it will not work as it is wrong) we can see how 407FF8 is being manipulated. It starts with 78 56 34 12 89 67 45 23 90 78 56 34 and becomes 5D 8D BE E0 40 31 BB 70 FF 3F 98 7E after our three characters are manipulated.

Going to 4052B5: at 4052BF the address of the real serial is pushed. At 4052C3 the call to 401000 moves this to the location in esi. Next the loop from 4052CB - 4052E6 is run 12 times (this has 2 calls). At 405192 the last 4 bytes from our generated serial are picked up, giving us 40 in eax at 4051A7, which is xor'ed with the first hex byte of the real serial from file (1D becomes 5D) as it returns to 4052D5. Then at the call at 4051AB, 5D is again picked up and used for the manipulation of 407FF8. After 12 rounds 407FF8 will have 07 3E 1B B2 1F 09 70 06 1A AE 4B 63.

From 4052E8 to 405325 it seems to do the comparison (I have not found out how yet) and returns to 405290. Eax is set next and it returns to 403BE6, where eax is tested. If eax = 01 it is a good password and jumps to 403C2F. If eax = 00 it is a bad password and it continues on, and at the call 4011E2 goes to the invalid password screen (it is some way down).

This does not answer the question yet, and the generated serials above will not work, but it may help someone to work on the right area.

Princess