A tip about the value at 065A
Friday, 26-Feb-99 05:58:09

In the posts I have read, everyone searches for the value at [65a] to put after the username, or they have a program that computes it for them. This is a solution that allows you to concentrate on solving the problem with the extra 100 bytes at the end of the keyfile, no matter what the username is. It also lets you choose the starting position in the table at 100h.

Here goes:

Add 4 binary 0's after the username (suppose the name is "username", your string will be "username$\0x00\0x00\0x00\0x00" - \0x00 == binary 0). Why? See what happens:

After processing the string "username$" the value in ax will look like this in binary:

    xxxx xxxx xxxx xxxx (x can be anything ;)

After the lodsb (the first 0) and the 3 rol's:

    ax == xxxx x000 0000 0xxx

After the processing of the second 0:

    ax == xx00 0000 0000 0xxx

Then:

    ax == 0000 0000 0000 00xx

After the last 0:

    ax == 0

regardless of the username :)

Now how you can choose your starting position in the table at 100h: the position in the table is 10b+X (X = the value in ah after the div instruction), the maximum value for X is 4D.

For example let's make X == 24h. The final value in ax, after the rol's, should be:

    AX == 00 24

(so after the div instruction, ah contains 24h). This is the value in ax after rol ax,3, so let's reverse this (ror ax,3):

    AX == 80 04

where:

04 - is the second value we must write in the caveman.dat file after "username$0000".

80 - is obtained by adding 04 to the value in ah after the processing of the first value after "username$0000" (<- here comes the first, then the second, only 2 needed).

So this is the value that was in ah before adding 04: 80h-04h == 7Ch

The value in ax after the 3 rol's must be:

    AX == 7C 7C

Before the rol's (ror ax,3):

    AX == 8f8f

end :)

So, by adding to "username$" the following bytes:

    00 00 00 00 8f 04

the value at [65a] will always be 24 00.

Hope this helps, Andy.
Joseph's Thread (Joseph) (25-Feb-99 04:47:28)
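The post above reasons about a 16-bit rotate-and-add loop by hand. The following Python simulation is an added example, not code from the post or from the crackme it discusses; it reconstructs the loop body from the post's arithmetic as "lodsb; add ah, al; rol ax, 3", and that reconstruction (together with the unknown initial AX, which the post leaves as "anything") is an assumption. It checks the two points the post makes, that four zero bytes clear AX from any prior state, and that the tail 8f 04 then lands on 0024h, and it runs the post's derivation backwards for any 16-bit target rather than only 24h. From a design standpoint this is what the example illustrates: a checksum whose state can be forced to zero by a short constant suffix binds nothing that precedes it, so the username contributes no integrity at all.

```python
# Added example, not code from the original post. Simulates the 16-bit
# rotate-and-add loop the post describes. The loop body is reconstructed
# from the post's arithmetic as "lodsb; add ah, al; rol ax, 3" (assumed).

def rol16(value, count):
    """x86 ROL on a 16-bit register."""
    count %= 16
    value &= 0xFFFF
    return ((value << count) | (value >> (16 - count))) & 0xFFFF


def ror16(value, count):
    """x86 ROR on a 16-bit register (inverse of rol16)."""
    return rol16(value, 16 - (count % 16))


def ror8(value, count):
    """x86 ROR on an 8-bit register."""
    count %= 8
    value &= 0xFF
    return ((value >> count) | (value << (8 - count))) & 0xFF


def step(ax, byte):
    """One iteration of the assumed loop: lodsb; add ah, al; rol ax, 3."""
    al = byte & 0xFF                      # lodsb: the next byte lands in AL
    ah = ((ax >> 8) + al) & 0xFF          # add ah, al (assumed from the post)
    return rol16((ah << 8) | al, 3)       # rol ax, 3


def run(ax, data):
    """Feed a byte string through the loop starting from register state ax."""
    for b in data:
        ax = step(ax, b)
    return ax


def four_zeros_clear_ax():
    """The post's first observation: four 0x00 bytes force AX to 0 from any state."""
    return all(run(ax, b"\x00" * 4) == 0 for ax in range(0x10000))


def tail_for_target(target):
    """The post's derivation run backwards for any 16-bit target, not only 0024h.

    After the zeros AX is 0, so the first byte b1 ends up in both halves
    (AH = 0 + b1, AL = b1) and the rotation leaves AH = rol8(b1, 3). The
    second byte b2 must equal the low byte of ror16(target, 3), and the AH
    it is added to must equal that value's high byte.
    """
    before_last_rol = ror16(target, 3)
    b2 = before_last_rol & 0xFF
    ah_before_add = ((before_last_rol >> 8) - b2) & 0xFF
    b1 = ror8(ah_before_add, 3)
    return bytes([0, 0, 0, 0, b1, b2])


if __name__ == "__main__":
    # The post's own numbers: target 0024h gives the tail 00 00 00 00 8f 04.
    tail = tail_for_target(0x0024)
    print(tail.hex(" "))
    # Constructed input: any username and any starting AX give the same result.
    print(hex(run(0x1234, b"username$" + tail)))
```

The exhaustive check in `four_zeros_clear_ax` is what a reviewer of such a routine would want: it proves the property for every one of the 65536 register states, not just the bit pattern the post sketches by hand.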