Noos's Thread Saturday, 20-Feb-99 10:58:02

Ok, this is what I've found out so far: the crackme requires a file called caveman.dat in its directory. First it opens the file and reads 2 bytes from it; these 2 bytes contain the length of the username.

    mov cx, 2
    mov bx, FileHandle
    mov ah, 3Fh
    mov dx, 658h
    int 21h         ; DOS - 2+ - READ FROM FILE WITH HANDLE
                    ; BX = file handle, CX = number of bytes to read
                    ; DS:DX -> buffer

The 2 bytes are stored in 658h for the next read function, which uses it as the bytes_to_read parameter.

    mov cx, 658h
    mov ah, 3Fh
    mov bx, FileHandle
    mov dx, 667h
    int 21h

After this the username is stored in 667h with a size of [658h]. Next the program reads in a 2 byte check number, which is generated by rotating the bits in the username.

    mov cx, 2
    mov ah, 3Fh
    mov bx, FileHandle
    mov dx, 65Ah
    int 21h

These bytes are stored in 65Ah. Now the program will generate the check number based on the username, and compares it with the check number read in. The username is looped through byte by byte, every time adding the lower bits to the higher bits, and rotating them to the left 3 times.

    mov si, 667h        ; User name in SI
    Loop:               ; CODE XREF: start+75j
    lodsb               ; Load namebyte into AL
    add ah, al          ; AH += AL
    rol ax, 1
    rol ax, 1
    rol ax, 1
    loop Loop           ; Loop through username
    cmp ax, CheckNumber

After that some functions are performed on the username which I'm not quite sure about yet. So I'll write about that later.

At first I was having some troubles with IDA and the COM file.. IDA wouldn't properly decode the 32bit opcodes. I'm not sure if everyone is having the problems but here is the solution: edit the ida.cfg and scroll down a bit till you see a list with extension types and their corresponding processors. Change the "com" line to:

    "com" : "80386r"

This solves the problem, and IDA will load all 32bits opcodes correctly.

noos / DREAD
noos@noos.demon.nl
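The check routine and the caveman.dat layout described in the post above, reimplemented as an added Python example for verifying an analysis against a sample file (this is not code from the original post or from the crackme). It assumes AX starts at 0 before the loop, which the post does not show, and it constructs its own sample .dat contents; the 16-bit rotate and the little-endian word layout follow x86 and DOS semantics.

```python
import struct

def caveman_check(name: bytes, ax: int = 0) -> int:
    """Emulate the loop from the post: for each byte, AH += AL, then ROL AX,3.

    `ax` is the register value on entry; 0 is an assumption, the post does
    not show how AX is initialised before the loop.
    """
    for b in name:
        al = b                              # lodsb: AL = next name byte, AH unchanged
        ah = (ax >> 8) & 0xFF
        ah = (ah + al) & 0xFF               # add ah, al (8-bit, wraps)
        ax = (ah << 8) | al
        ax = ((ax << 3) | (ax >> 13)) & 0xFFFF   # rol ax,1 three times = rol ax,3
    return ax

def parse_caveman_dat(data: bytes) -> dict:
    """Parse the layout the post describes: u16 length, name, u16 check.

    Both words are little-endian, matching how DOS reads them into memory
    and how `cmp ax, [mem]` compares against them.  A zero length is rejected
    here: the real `loop` instruction with CX = 0 would iterate 65536 times
    over whatever follows the buffer, so such a file is not a meaningful key.
    """
    if len(data) < 2:
        raise ValueError("file too short for length word")
    (length,) = struct.unpack_from("<H", data, 0)
    if length == 0:
        raise ValueError("zero-length username (CX=0 would loop 65536 times)")
    if len(data) < 2 + length + 2:
        raise ValueError("file too short for name and check word")
    name = data[2:2 + length]
    (stored,) = struct.unpack_from("<H", data, 2 + length)
    computed = caveman_check(name)
    return {
        "name": name,
        "stored_check": stored,
        "computed_check": computed,
        "matches": stored == computed,
    }

def build_sample_dat(name: bytes, check: int) -> bytes:
    """Construct a .dat blob in the described layout (constructed test data)."""
    return struct.pack("<H", len(name)) + name + struct.pack("<H", check & 0xFFFF)

if __name__ == "__main__":
    # Constructed sample: name "AB" with the check value the loop produces for it.
    good = build_sample_dat(b"AB", caveman_check(b"AB"))
    bad = build_sample_dat(b"AB", 0x1234)
    print(parse_caveman_dat(good))   # matches: True
    print(parse_caveman_dat(bad))    # matches: False
```

Working through "AB" by hand: after 'A' AX is 0x4141, rotated left 3 gives 0x0A0A; after 'B' AH becomes 0x0A + 0x42 = 0x4C, AX = 0x4C42, rotated gives 0x6212, which is what the parser reports as the computed check.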