CrackMe® Practices for Newbies
PROJECT 5: zipfile.exe

Princess' Thread
Tuesday, 09-Feb-99 20:08:44
    206.248.47.198 writes:

    Here is what I have found so far. It's by no means finished, but it may help others.
    The password in encrypted form is 12 characters long and can be found with a hex editor at the bottom of the file. There are two occurrences of Zipfile.txt, and the password (encrypted) is found directly after the first. In the Zipfile it is 1D F6 F9 FB C9 6C DF 2B 3F 9C 92 CE

    The encryption is somewhat difficult but here is what I have found.

    Going to 405237 - 405247
    This little loop includes a call to 4051AB where the individual characters of our password are being manipulated with 407FF8.
    This area runs from 4051AB to 40520E.

    If we use the numbers 1,2,3 as our password (it will not work as it is wrong), we can see how 407FF8 is being manipulated.
    It starts with 78 56 34 12 89 67 45 23 90 78 56 34 and becomes 5D 8D BE E0 40 31 BB 70 FF 3F 98 7E after our three characters are manipulated.

    Going to 4052B5
    At 4052BF the address of the real serial is pushed
    At 4052C3 the call to 401000 moves this to the location in esi.

    Next the loop from 4052CB - 4052E6 is run 12 times (this has 2 calls).
    At 405192 the last 4 bytes from our generated serial are picked up, giving us 40 in eax at 4051A7, which is xor'ed with the first hex byte of the real serial from the file (1D becomes 5D) as it returns to 4052D5. Then at the call at 4051AB, 5D is again picked up and used for the manipulation of 407FF8.

    After 12 rounds 407FF8 will have 07 3E 1B B2 1F 09 70 06 1A AE 4B 63

    From 4052E8 to 405325 it seems to do the comparison (I have not found out how yet) and returns to 405290.

    Eax is set next and it returns to 403BE6 where eax is tested.
    If eax = 01 it is a good password and jumps to 403C2F.
    If eax = 00 it is a bad password and it continues on, and at the call 4011E2 goes to the invalid password screen. (It is some way down.)

    This does not answer the question yet and the generated serials above will not work, but it may help someone to work on the right area.



    Princess
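The post locates the stored password by eye in a hex editor: the 12 bytes directly after the first of two "Zipfile.txt" strings near the end of the file, and it quotes the initial contents of the 12-byte work buffer at 407FF8. The script below is an added example, not code from the post or from the crackme, that carves those bytes out of a binary and interprets the 407FF8 buffer as the three little-endian dwords an x86 routine would see. The sample byte string at the end is constructed to mimic the tail of the file using the values quoted above; the only assumption beyond the post is that the marker string may be NUL-terminated in the binary, which the helper steps over.

```python
import struct

# Marker string that, per the post, appears twice near the end of zipfile.exe.
MARKER = b"Zipfile.txt"
# The stored (encrypted) password is 12 bytes long, per the post.
PASSWORD_LEN = 12

# Initial contents of the 12-byte work buffer at 407FF8, as quoted in the post.
INITIAL_STATE = bytes.fromhex("785634128967452390785634")


def count_marker(data: bytes) -> int:
    """Count occurrences of the marker; the post reports exactly two."""
    return data.count(MARKER)


def find_encrypted_password(data: bytes) -> bytes:
    """Return the 12 bytes stored directly after the first marker occurrence."""
    pos = data.find(MARKER)
    if pos == -1:
        raise ValueError("marker not found")
    start = pos + len(MARKER)
    # Assumption (not stated in the post): if the string is NUL-terminated in
    # the binary, step over the terminator(s) before reading the 12 bytes.
    while start < len(data) and data[start] == 0:
        start += 1
    blob = data[start:start + PASSWORD_LEN]
    if len(blob) != PASSWORD_LEN:
        raise ValueError("file truncated before the full 12 bytes")
    return blob


def state_as_dwords(state: bytes) -> tuple:
    """Read a 12-byte buffer as three little-endian 32-bit words (x86 order)."""
    return struct.unpack("<3I", state)


def hexdump_tail(data: bytes, n: int = 48) -> str:
    """Hex view of the last n bytes, which is where the post says to look."""
    return " ".join(f"{b:02X}" for b in data[-n:])


# Constructed stand-in for the end of zipfile.exe: filler, the first marker,
# the 12 encrypted bytes quoted in the post, filler, then the second marker.
SAMPLE_TAIL = (
    b"\x00" * 8
    + MARKER + b"\x00"
    + bytes.fromhex("1DF6F9FBC96CDF2B3F9C92CE")
    + b"\x00" * 4
    + MARKER + b"\x00"
)

if __name__ == "__main__":
    print(hexdump_tail(SAMPLE_TAIL))
    print("marker count:", count_marker(SAMPLE_TAIL))
    print("encrypted password:", find_encrypted_password(SAMPLE_TAIL).hex(" ").upper())
    print("initial 407FF8 dwords:", [hex(w) for w in state_as_dwords(INITIAL_STATE)])
```

Run it against the real file by replacing SAMPLE_TAIL with `open("zipfile.exe", "rb").read()`; if `count_marker` does not return 2, the file is not the build the post describes and the offsets quoted above should not be trusted. Viewing the buffer as dwords (0x12345678, 0x23456789, 0x34567890) makes the initial values readable in a debugger, where the post lists them byte by byte.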