================================================================

Reverse Engineered version of Crypto v3.1
Cracked on April 7, 1998
E-mail: crackz@hehe.com
By: « Nullz »

First of all I mean absolutely no harm towards anyone in producing this program. It is solely for the knowledge that I'm interested in. Thank you for your understanding!

Background Information about Crypto:

Name: Crypto for Windows 95/NT v3.1
Download URL: http://www.execpc.com/~sbd/Crypto.html
Software Date: April 6, 1998
Company: Software Design

=------------------------------------------------------------------=

Crack INFO:

The file "CrackMe.(=txt=)" is provided by the author, Gregory, as a challenge to crackers. It is an encrypted file, encrypted using his improved algorithm in Crypto v3.1. Unfortunately, I cracked it the day after the software was released. You'll see how it is done by following the instructions here.

If you are looking for the encryption algorithm, it's included in the zip package under the file name "Crypto31.cpp". The instructions in this Readme file are not about the encryption algorithm; they are about hacking the key signature. The point here is to crack the file provided by the author, "CrackMe.(=txt=)". This file is included in the Shareware package, which you will find once you've run the setup program. If you haven't downloaded the program Crypto v3.1 yet, don't worry.
I've provided the "CrackMe.(=txt=)" file here for you to crack.

-------------===-------------

Now, fire up CryptoRE.exe, and look around at the buttons & controls. Note that while you enter text into the password field, the ID text field gets updated with different values. The ID that is generated is equivalent to the password, and that ID value is very important. In order to decode a file, you'll need either the password or the ID for the password. These instructions assume that you know neither one of them, so you'll need to generate the ID.

First, select the file "CrackMe.(=txt=)" into the input field. You can ignore anything in the output field. You can also ignore the password field, since you don't know it.

Now it's time to hack the signature! Go down to the area "Brute force key signature cracking...". This part allows you to search for the ID from the signature. First you need to select a reasonable starting value to test. The default starting value is 9FFFFFFF, and the testing will end when the value reaches 00000000. Enter 0F000000 into the start value. You can adjust the update increment value if you want; it's optional. This is the interval at which CryptoRE gives you a progress update, so you know it is not halting the computer, as brute force key searching takes time!

Now click on the button [Generate Password ID]. A message box will pop up (only once) to tell you that the key hacking will take a while. In about 27 seconds or less, CryptoRE should come up with a possible ID. Notice that at this time the password ID field is updated with this newly found ID. That means when you click on the decode button, this value will be used to decode the currently selected file. Do that, and see what happens. You should have the encrypted file cracked! And it should be the poem "Jabberwocky" by Lewis Carroll.

More on the Key Hacking algorithm:

Now that you've just cracked an encrypted file, you might wonder how all that works. Here's the algorithm...
    #include <afxwin.h>   // MFC: CFile, CFileException, SetDlgItemText
    #include <stdlib.h>   // ultoa

    BOOL GetPassID(DWORD key, DWORD start, DWORD &retval)
    {
        register DWORD i = 0, j = 0, tmp = 0;
        DWORD val = 0;
        BOOL found = FALSE;

        for (i = start; i != 0; i--)       // loop exits at 0
        {
            val = i;                       // save the current test key value

            // the two lines below compute i = i*214013 + 0x269EC3 (mod 2^32)
            tmp = ((((((i*4 + i)*4) + (i*4 + i) + i) * 8) + i) << 8) - i;
            i = (tmp * 4) + i + 0x269EC3;  // i is reused as the running state
            j = (i & 0x7FFF0000);          // store bits 16..30 of the new value in j
            j >>= 0x10;                    // j is moved to the lower 16 bits

            // the same step again on the new state
            tmp = ((((((i*4 + i)*4) + (i*4 + i) + i) * 8) + i) << 8) - i;
            i = (tmp * 4) + i + 0x269EC3;
            i &= 0x7FFF0000;               // clear out the lower 16 bits (and bit 31)
            i += j;

            if ((i + val) == key)          // if the signature matches
            {
                found = TRUE;
                break;                     // break out of the loop now
            }
            i = val;                       // restore the current test key
        }
        retval = val;                      // return with the new ID
        return (found);
    }

    // Dialog handler. infile (the selected input file name) and start (the
    // starting value entered by the user) are members of the dialog class.
    void OnGetsignature()
    {
        CFile infp;
        CFileException err;
        DWORD key = 0;
        unsigned char buff[17] = "\0";
        char tmp[12] = "\0";               // room for 10 decimal digits plus NUL
        BOOL found = FALSE;

        if (infp.Open(infile, CFile::modeRead | CFile::typeBinary, &err))
        {
            key = infp.Read(buff, 16);     // read the first 16 bytes of the file into the buffer
            infp.Close();

            key = buff[15];
            key <<= 8;                     // assemble the signature from bytes 12..15 (little-endian)
            key |= buff[14];
            key <<= 8;
            key |= buff[13];
            key <<= 8;
            key |= buff[12];               // key now contains the signature!

            found = GetPassID(key, start, key);
            if (found)
            {                              // key is returned with the new ID
                ultoa(key, tmp, 10);
                SetDlgItemText(IDC_KEYSIG, tmp);   // print to text field
            }
        }
    }

What you've done is choose the start value to be 0F000000. Then the signature is retrieved from the selected file, and GetPassID() is called with the appropriate parameters. Each value starting from 0F000000 all the way down to 0 is tested, decrementing by 1 each time. If the value, after being fed into the algorithm, matches the signature value, GetPassID() returns with the new ID value, which is then printed out. Notice that you can choose the starting value; remember that not all IDs have a unique signature value, so a certain ID value might not decode the file correctly as a result.
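As an added illustration (not code from this readme, from CryptoRE or from Crypto v3.1), the signature transform that GetPassID() tests is written out below in Python. The long shift-and-add expression in the C code reduces to i*214013 + 2531011 mod 2^32, which is the linear congruential generator behind the Microsoft C runtime's rand(); the signature is therefore a cheap, deterministic function of a single 32-bit ID, which is exactly why scanning all 2^32 candidates is feasible and why several IDs can share one signature. The block checks that the two IDs the readme lists for the password "hello world" (0B5C4EDB and 07B75FFC) really collide, parses the signature out of a constructed 16-byte header the way OnGetsignature() does, and contrasts the design with a salted, slow password check value. The function names, the sample header bytes and the PBKDF2 parameters are this example's own assumptions.

```python
import hashlib
import hmac
import os

MASK32 = 0xFFFFFFFF

# Constants of the mixing step in GetPassID(): the shift/add expression in the
# original code evaluates to i*214013 + 2531011 (0x269EC3), the LCG used by
# the Microsoft C runtime's rand().
LCG_MUL = 214013
LCG_INC = 0x269EC3


def lcg_step(state: int) -> int:
    """One step of the 32-bit LCG: state * 214013 + 2531011 mod 2^32."""
    return (state * LCG_MUL + LCG_INC) & MASK32


def crypto31_signature(pass_id: int) -> int:
    """Signature that GetPassID() derives from a candidate password ID.

    x1 = lcg(id);  j = bits 16..30 of x1 (what rand() would return)
    x2 = lcg(x1);  keep bits 16..30 of x2 and add j
    signature = that value + id, mod 2^32
    """
    x1 = lcg_step(pass_id)
    j = (x1 & 0x7FFF0000) >> 16
    x2 = lcg_step(x1)
    mixed = (x2 & 0x7FFF0000) + j
    return (mixed + pass_id) & MASK32


def signature_from_header(header: bytes) -> int:
    """Read the 32-bit signature stored little-endian at bytes 12..15 of the
    encrypted file, the same bytes OnGetsignature() assembles from buff[12..15]."""
    if len(header) < 16:
        raise ValueError("need at least 16 header bytes")
    return int.from_bytes(header[12:16], "little")


def ids_collide(ids) -> bool:
    """True when every ID in `ids` maps to the same signature, i.e. the stored
    check value cannot tell them apart (the ambiguity the readme describes)."""
    return len({crypto31_signature(i) for i in ids}) == 1


# The two IDs the readme gives for the password "hello world".
HELLO_WORLD_IDS = (0x0B5C4EDB, 0x07B75FFC)

# Constructed header (assumption): 12 arbitrary bytes followed by the
# signature of the first "hello world" ID, stored little-endian.
SAMPLE_HEADER = bytes(range(12)) + crypto31_signature(HELLO_WORLD_IDS[0]).to_bytes(4, "little")

# Hardened contrast (this example's own design, not part of Crypto v3.1):
# a check value derived from the password with a random salt and a slow KDF,
# so it is neither a function of a 32-bit ID nor cheap to test offline.
PBKDF2_ROUNDS = 100_000


def make_check_value(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # constant-time comparison, so the check itself leaks nothing about the value
    return hmac.compare_digest(make_check_value(password, salt), stored)


if __name__ == "__main__":
    print(f"stored signature     : {signature_from_header(SAMPLE_HEADER):08X}")
    for pid in HELLO_WORLD_IDS:
        print(f"signature({pid:08X})  : {crypto31_signature(pid):08X}")
    print("IDs collide          :", ids_collide(HELLO_WORLD_IDS))
    salt = os.urandom(16)   # generated here; it would be stored beside the ciphertext
    stored = make_check_value("hello world", salt)
    print("hardened verify (ok) :", verify_password("hello world", salt, stored))
    print("hardened verify (bad):", verify_password("hello world!", salt, stored))
```

Running the block shows both listed IDs producing the same 32-bit signature, which is the reason the readme has you restart the search one value lower when the first hit does not decode the file. The hardened variant makes the stored value depend on a salt and on a deliberately slow derivation, so a correct guess can only be confirmed at KDF speed rather than at millions of candidates per second.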
Therefore you'll be able to run the algorithm again on a different range of values to test. For example, the password "hello world" has two IDs that give the same signature:

Key1: 0B5C4EDB
Key2: 07B75FFC

If you start testing from 0F000000, your first stop would be at the value 0B5C4EDB. Now say this is the incorrect ID value because it doesn't decode the file correctly. What you would do now is enter a different starting value to continue the search. You would enter 0B5C4EDA, 1 less than the previous value! Your search will then run until it reaches another possible ID value or 0. And of course, it'll stop at 07B75FFC. This is another possible ID, which you'll use to attempt to decode the file. As you can see, the search can go on and on until you come up with a decoded file that makes sense. If you perform this testing on the file "CrackMe.(=txt=)", you will come up with these values...

Value (hex) | ID (decimal)
---------------------------
07BBAFFA    | 129740794
0416C11B    | 68600091
0071D23C    | 7459388

How fast are the searches? Well, on my P133, it'll test about 4 million values in 1 second. So a range of FFFFFFFF to 0 is about 4 billion values. At a rate of 4 million values per second, it'll be done in about 20 minutes. Of course if you have a faster computer, the searches would be much faster! Theoretically, on a P266, it would be twice as fast.

To further lower the key hacking time, it would be best to choose the most probable starting value, because most IDs fall within a range of values, so the number of possibilities is lowered. That is why at the beginning I had you enter the value 0F000000 as the starting value when you crack the file "CrackMe.(=txt=)", instead of starting from FFFFFFFF or 9FFFFFFF.

=------------------------------------------------------------------=

Send me comments at my E-mail address: crackz@hehe.com

By the way, this reEngineered program requires MFC42.DLL and MSVCRT.DLL to run:

MFC42 file version - 4.21.7303
MSVCRT file version - 5.00.7303