My Own Keyfile (well, almost!) Friday, 29-Jan-99 18:22:53
First of all I apologise for writing hard and fast and bringing in the 'level' from the beginning in previous posts. Anyway, here's part III:

Another update (busy today!): Another keyfile:

    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    32 AD 9B ED 3A 20 03 AE FE 90 00 00 00 00 00 00
    00 00 00 00 43 52 4F 4E 55 4F 53 00 00 00 00 00

If you try this then you will see that it registers to 'CRONUOS' - don't laugh, a couple of hours' calculation and I've made a mistake somewhere... anyway it can be reversed.

Basically, continuing from my previous notes: the second calculation routine seems to revolve around a multiply by 55555555h, provided you haven't been messing with the first string. So we reverse the calculation (if you find this difficult then make a copy of the program and change some of the instructions, like changing the instruction following the mul to a div). Here:

    004011EC mul ebx
    004011EE mov eax, edx
    004011F0 cld

The nice thing is that we can change the mov eax,edx into div ebx quite easily, and then single step through in softice. Change the values of edx between the mul and the div and regain the original code, etc. Just mess about around here and we should be able to reverse it this far...

The next part is reversing the previous routine (the 401116 routine). Just to recap: we started with our name (the result), traced it back through the multiply in the 4011c1 call, and this gives us an intermediate unencrypted code. Now we need to trace it back through the 401116 call, which gives us an 'unencrypted' string. In fact, it is string 2 which, when encrypted, will reveal our name, which will match with the centre of string 3 if we are lucky...

OK. It seems that 401116 is some kind of lossy shift routine after some playing with softice and feeding it different values (try zeroes, all 1's (or ff's), different 1's in different places to see what happens).

After some experimentation I found that I could generate parts of the code I wanted by feeding in shifted values (shifted gradually further and further right). There is still a lot of work to do around these two routines, and I'm pretty sure that we could rewrite some bits so that we could have a string passed in as string 2 and decrypted, so that we would have a kind of semi key-generator for it... hmmm.

Anyway - notice I fed my name in capitals? Well, as it turned out I couldn't get the lowercase multiply to reverse, it gave a result which was too big on the divide, so maybe that's something else to look at too.

Later,
Cronos.
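As an added illustration (not part of Cronos' post or the program being discussed) of why a check built around `mul ebx` with ebx = 55555555h offers no real protection: the C below models the two things the code could keep after the multiply. The low dword (eax) is exactly invertible because the multiplier is odd, and the high dword (edx, the `mov eax, edx` case) is lossy, so whole runs of inputs collide, which is one reason a straight reverse divide can come out wrong. Only the multiplier constant comes from the post; the function names are my own.

```c
/* Added example: the arithmetic behind a multiply-by-55555555h key check.
 * Only the constant is from the post; the rest is an assumed model. */
#include <stdint.h>
#include <stdio.h>

#define MULT 0x55555555u   /* the multiplier quoted in the post */

/* low dword of the 32x32 -> 64-bit product, i.e. eax after `mul ebx` */
uint32_t mul_low(uint32_t x)  { return (uint32_t)((uint64_t)x * MULT); }

/* high dword of the product, i.e. edx after `mul ebx` */
uint32_t mul_high(uint32_t x) { return (uint32_t)(((uint64_t)x * MULT) >> 32); }

/* multiplicative inverse of an odd constant modulo 2^32 by Newton iteration:
 * a*a == 1 (mod 8) for any odd a, so the seed is right to 3 bits and each
 * step doubles the correct bits; 5 steps cover all 32 */
uint32_t modinv32(uint32_t a)
{
    uint32_t inv = a;
    for (int i = 0; i < 5; i++)
        inv *= 2u - a * inv;
    return inv;
}

/* the low-dword form is undone with one multiply; no secret is involved */
uint32_t undo_mul_low(uint32_t y) { return y * modinv32(MULT); }

/* count inputs in [0, limit) that produce the same high-dword result:
 * more than one means the check cannot distinguish them */
uint32_t count_high_collisions(uint32_t target, uint32_t limit)
{
    uint32_t n = 0;
    for (uint32_t x = 0; x < limit; x++)
        if (mul_high(x) == target) n++;
    return n;
}

int main(void)
{
    printf("inverse of %08x mod 2^32 is %08x\n", MULT, modinv32(MULT));
    printf("undo_mul_low(mul_low(12345678h)) = %08x\n",
           undo_mul_low(mul_low(0x12345678u)));
    printf("inputs below 16 whose high dword is 0: %u\n",
           count_high_collisions(0, 16));
    return 0;
}
```

The lesson for anyone designing a licence check is that a reversible multiply, with the constant sitting in the binary, is obfuscation rather than authentication; only a keyed or signature-based check keeps the verifier from doubling as a generator.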
Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.