CrackMe® Practices for Newbies
PROJECT 6: caveman by Ghiribizzo

Look-up Table
Saturday, 20-Feb-99 12:39:12

    I found that the program uses an internal array of data... no idea for
    what, but it's located at this address: 0xB1 till 0xCF

    It's null terminated, and used by the XLAT function. It loops through
    it using LODSB till it finds a NULL termination. When you open the COM
    file in a HEX editor you'll clearly see a pattern, as a lot of low HEX
    values are used in it.

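    mov bx, 660h        ; BX = base address used by XLAT
    mov si, 1B1h        ; SI = start of the data array
    mov di, 100h        ; DI = destination address

    loc_0_19C:
    lodsb               ; AL = [SI], SI = SI + 1
    cmp al, 0           ; NULL byte ends the loop
    jz loc_0_1D0
    mov cl, al          ; keep a copy of the byte in CL
    and ax, 0F0h        ; keep the high nibble (also clears AH)
    shr al, 4           ; AL = high nibble, 0..0Fh
    xlat                ; AL = [BX+AL]
    and cl, 0Fh         ; CL = low nibble
    repe stosb          ; store AL at [DI], CX times
    jmp short loc_0_19C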


    SI contains the address of the array in memory, 1B1h. It's 1B1h and not
    B1h (as in a HEX editor), because the base address in memory is 100h.

    LODSB loads in 1 byte (Load String Byte) from the SI address, and places
    it in AL; after that the SI pointer is increased by 1.

    XLAT replaces the value in AL with the value stored in [BX+AL]. BX points
    to a readable string, some sort of combination "T.abcfw + your username".

    So it reads a byte from the lookup table, ANDs and SHRs that, and uses
    the result + the base string address (660h). That result is then stored
    at the address DI is pointing to (100h).

    noos / DREAD

    noos
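
The loop in the post above, emulated in Python as an added example (not part of noos's post or of the crackme): each array byte is split into a high nibble (the XLAT index) and a low nibble (the STOSB repeat count in CL). The table contents, the packed bytes and the assumption that CH is 0 on entry are constructed for illustration.

```python
COM_BASE = 0x100  # DOS loads a .COM image at offset 100h of its segment


def file_offset(addr: int) -> int:
    """Convert an in-memory address (e.g. 1B1h) to an offset in the .COM file."""
    if addr < COM_BASE:
        raise ValueError("address is below the .COM load base")
    return addr - COM_BASE


def decode(image: bytes, src: int, table: bytes, ch: int = 0) -> bytes:
    """Emulate the lodsb / xlat / rep stosb loop; return the bytes written at DI.

    Assumption: CH is 0 on entry, so CX equals the low nibble held in CL.
    """
    out = bytearray()
    si = src
    while True:
        if si >= len(image):
            raise ValueError("no NUL terminator before end of image")
        al = image[si]                    # lodsb
        si += 1
        if al == 0:                       # cmp al, 0 / jz
            return bytes(out)
        index = (al & 0xF0) >> 4          # and ax, 0F0h / shr al, 4
        count = (ch << 8) | (al & 0x0F)   # and cl, 0Fh -> CX
        if index >= len(table):
            raise ValueError(f"table index {index} outside supplied table")
        out += bytes([table[index]]) * count   # xlat, then rep stosb


# Constructed sample data (not taken from the crackme).
TABLE = b"T.abcfw" + b"USERNAME!"          # stand-in for the string at 660h
PACKED = bytes([0x01, 0x13, 0x22, 0x60, 0x71, 0x00])
SAMPLE_IMAGE = bytes(file_offset(0x1B1)) + PACKED   # zero padding up to 0B1h

if __name__ == "__main__":
    print(decode(SAMPLE_IMAGE, file_offset(0x1B1), TABLE))
```

A byte whose low nibble is 0 (0x60 in the sample) writes nothing, because REP with CX = 0 executes no STOSB.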


Message thread:

Noos's Thread (noos@noos.demon.nl) (20-Feb-99 10:58:02)
