CrackMe Practices for Newbies
PROJECT 5: zipfile.exe

SV thread
Tuesday, 09-Feb-99 10:21:56
    193.252.216.182 writes:

    Hi everybody.

    I found this part of the code:

    :004052A2 55 push ebp
    :004052A3 A110794000 mov eax, dword ptr [00407910]
    :004052A8 8BEC mov ebp, esp
    :004052AA 83EC0C sub esp, 0000000C
    :004052AD 56 push esi
    :004052AE 57 push edi < file name of zip file
    :004052AF 50 push eax < password entered
    :004052B0 E85AFFFFFF call 0040520F < an unsigned int is calculated with each char of password.
    :004052B5 83C404 add esp, 00000004
    :004052B8 8D4DF4 lea ecx, dword ptr [ebp-0C]
    :004052BB 33FF xor edi, edi
    :004052BD 6A0C push 0000000C
    :004052BF FF7508 push [ebp+08] < 0C bytes in, used to calculate some things!! is it a key ??
    :004052C2 51 push ecx
    :004052C3 E838BDFFFF call 00401000 < these 0C bytes are copied in another location.
    :004052C8 83C40C add esp, 0000000C

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004052E6(C)
    |
    :004052CB 8D743DF4 lea esi, dword ptr [ebp+edi-0C]
    :004052CF E8BEFEFFFF call 00405192 < another part of the calculation with the result of the unsigned int calculated and each byte of the famous 0C bytes.
    :004052D4 47 inc edi
    :004052D5 3006 xor byte ptr [esi], al
    :004052D7 0FB606 movzx eax, byte ptr [esi]
    :004052DA 50 push eax
    :004052DB E8CBFEFFFF call 004051AB
    :004052E0 83C404 add esp, 00000004
    :004052E3 83FF0C cmp edi, 0000000C
    :004052E6 7CE3 jl 004052CB < do this for each byte.

    :004052E8 833D0C79400000 cmp dword ptr [0040790C], 00000000
    :004052EF 660FB64DFF movzx cx, byte ptr [ebp-01]
    :004052F4 7416 je 0040530C
    :004052F6 66A156854000 mov ax, word ptr [00408556]
    :004052FC 66C1E808 shr ax, 08
    :00405300 663BC1 cmp ax, cx
    :00405303 7419 je 0040531E
    :00405305 B8FFFFFFFF mov eax, FFFFFFFF
    :0040530A EB14 jmp 00405320

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004052F4(C)
    |
    :0040530C A15A854000 mov eax, dword ptr [0040855A]
    :00405311 C1E818 shr eax, 18
    :00405314 663BC1 cmp ax, cx
    :00405317 B8FFFFFFFF mov eax, FFFFFFFF
    :0040531C 7502 jne 00405320

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00405303(C)
    |
    :0040531E 33C0 xor eax, eax < right password ???

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0040530A(U), :0040531C(C)
    |
    :00405320 5F pop edi
    :00405321 5E pop esi
    :00405322 8BE5 mov esp, ebp
    :00405324 5D pop ebp
    :00405325 C3 ret


    I think you can force it to do the xor eax,eax, but the right password is
    needed to decompress the file. Then you must know the password
    to complete the task.
    Example: try the number 3 as password with the zip.
    It executes the xor, but afterwards you get a bad CRC message!!!

    Salut.

    SV
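
The listing matches the traditional PKZIP stream cipher as documented in PKWARE's APPNOTE: 12 header bytes are decrypted and only the last one is compared against the top byte of a stored value, so about 1 wrong password in 256 passes that check and is caught only by the CRC-32 afterwards. An added Python sketch of this (not part of the original post; it assumes zipfile.exe uses that standard scheme, and the password, payload and header bytes are constructed):

```python
import zlib

# CRC-32 table (reflected polynomial 0xEDB88320), used for the per-byte key update
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)

class Keys:
    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:               # key state is seeded from each password byte
            self.update(b)

    def update(self, b: int) -> None:
        k = self.k
        k[0] = TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def crypt(self, data: bytes, decrypt: bool) -> bytes:
        out = bytearray()
        for b in data:
            t = (self.k[2] | 2) & 0xFFFF
            o = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)   # keystream byte XORed in place
            self.update(o if decrypt else b)        # keys always absorb the plaintext byte
            out.append(o)
        return bytes(out)

def make_entry(password: bytes, plaintext: bytes):
    crc = zlib.crc32(plaintext)
    header = bytes(range(11)) + bytes([crc >> 24])  # constructed; real tools use random bytes
    return Keys(password).crypt(header + plaintext, decrypt=False), crc

def try_password(password: bytes, blob: bytes, crc: int) -> str:
    keys = Keys(password)
    if keys.crypt(blob[:12], decrypt=True)[11] != crc >> 24:
        return "rejected"                  # fails the one-byte header check
    data = keys.crypt(blob[12:], decrypt=True)
    return "ok" if zlib.crc32(data) == crc else "bad crc"

# Constructed sample entry and password, not taken from zipfile.exe
BLOB, CRC = make_entry(b"s3cret", b"constructed sample payload")

def false_positives(limit: int = 5000):
    # numeric candidates that pass the check byte yet fail the CRC
    return [str(i) for i in range(limit)
            if try_password(str(i).encode(), BLOB, CRC) == "bad crc"]
```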

