
  1. CoDe_InSiDe's PassMe Crackme Tutorial...
  2.  
  3. E-Mail: nh666@mail.ru
  4.  
  5. Tools needed: SoftIce v4.xx
  6.  
  7. Set a breakpoint on GetDlgItemTextA and trace from there:
  8.  
  ; Excerpt of the PassMe password check (Hiew listing, Win32 x86, stdcall API call).
  ; Register roles: edi = cursor (first over a byte table, then over the typed
  ; password), ecx/edx = current and next table byte, esi = accumulator that
  ; ends up holding the constant the password must match.  Branch targets are
  ; reproduced as Hiew printed them; the enclosing function starts above and
  ; ends below this excerpt.
  9. .00401049: 6800134000                   push      000401300 ; lpString: buffer at 401300 that receives the typed password (the nMaxCount push presumably sits just above this excerpt)
  10. .0040104E: 68E8030000                   push      0000003E8 ; nIDDlgItem = 1000, the password edit control
  11. .00401053: FF7508                       push      d,[ebp][00008] ; hDlg
  12. .00401056: FF15701D4000                 call      GetDlgItemTextA ;USER32.DLL - eax = number of characters copied
  13. .0040105C: 3C08                         cmp       al,008 ; the password must be exactly 8 characters long
  14. .0040105E: 7590                         jne       000000FF0   -------- (1) ; any other length: leave the check (target as Hiew printed it)
  15. .00401060: BFC2114000                   mov       edi,0004011C2 ; edi -> zero-terminated byte table at 4011C2 (contents not in this excerpt)
  16. .00401065: 33C9                         xor       ecx,ecx ; ecx = running value
  17. .00401067: 33D2                         xor       edx,edx ; edx = next table byte (only dl is written below)
  18. .00401069: 33F6                         xor       esi,esi ; esi = accumulator
  19. .0040106B: 8A0F                         mov       cl,[edi] ; cl = table[i]
  20. .0040106D: 8A5701                       mov       dl,[edi][00001] ; dl = table[i+1]
  21. .00401070: 80FA00                       cmp       dl,000 ; terminator reached?
  22. .00401073: 7409                         je       .00040107E   -------- (2) ; yes: leave the loop (edx is 0 at this point)
  23. .00401075: 01D1                         add       ecx,edx ; ecx += table[i+1]
  24. .00401077: 01CE                         add       esi,ecx ; esi += ecx
  25. .00401079: 83C702                       add       edi,002 ; two table bytes per iteration
  26. .0040107C: EBED                         jmps     .00040106B   -------- (3) ; next pair
  27. .0040107E: 01CE                         add       esi,ecx ; the last partial value is added once more after the loop
  28. .00401080: 0FAFF0                       imul      esi,eax ; esi *= eax; eax still holds the length returned by GetDlgItemTextA (8)
  29. .00401083: F7FE                         idiv      esi ; edx:eax / esi with eax = 8 and edx = 0: quotient to eax, remainder to edx
  30. .00401085: 01F6                         add       esi,esi ; esi *= 2
  31. .00401087: 01D6                         add       esi,edx ; esi += remainder (8 unless the table sum is tiny)
  32. .00401089: 8BD6                         mov       edx,esi ; copy esi ...
  33. .0040108B: C1C210                       rol       edx,010 ; ... with its 16-bit halves swapped
  34. .0040108E: 01D6                         add       esi,edx ; fold the swapped copy in; esi is now the target constant
  35. .00401090: 33D2                         xor       edx,edx
  36. .00401092: BF00134000                   mov       edi,000401300 ; edi -> the 8-character password read by GetDlgItemTextA
  37. .00401097: 33C0                         xor       eax,eax
  38.  
  39. ; in esi we have 455b455bh (value observed in SoftIce for this binary)
  40.  
  41. .00401099: 8B07                         mov       eax,[edi] ; eax = password characters 1-4 as a little-endian dword
  42. .0040109B: 8B4F04                       mov       ecx,[edi][00004] ; ecx = characters 5-8 as a dword
  43. .0040109E: 01C8                         add       eax,ecx ; sum them (32-bit wraparound)
  44. .004010A0: 3BC6                         cmp       eax,esi ; equal -> accepted (the branch follows below the excerpt); any two dwords that sum to the constant pass, so the password is far from unique
  45.  
  46. So, for example, a valid password is '!!!!:$:$': '!!!!' is the dword 21212121h, ':$:$' is 243A243Ah, and 21212121h + 243A243Ah = 455B455Bh.
  47.  
  48. This is a brute-forcer for valid keys, written in Pascal:
  49.  
  50.  
  { Key brute-forcer for the PassMe check listed above.
    The crackme accepts an 8-character password when the little-endian
    dword of characters 1-4 plus the dword of characters 5-8 equals
    $455B455B.  For any first half we can therefore compute the second
    half directly and only need to verify that its four bytes are
    acceptable characters.  The loops walk a small corner of the
    first-half space (ranges kept from the original), print the first
    hit and halt.
    Note: the inline "int 10h" is a real-mode BIOS call (AH=0: set video
    mode 3, i.e. clear the 80x25 text screen) and only assembles under
    DOS/Turbo Pascal; a 32-bit compiler would need to drop or replace it. }
  const
    TARGET   = $455b455b;          { constant the crackme compares against }
    KEYCHARS = [$21..$7a];         { accepted password bytes: '!'..'z' }

  var
    rest       : LongInt;          { TARGET minus the first dword }
    a, b, c, d : Byte;             { candidate characters 1-4 }
    e, f, g, h : Byte;             { derived characters 5-8 }

  { Splits v into its four little-endian bytes, lowest first. }
  procedure SplitBytes(v: LongInt; var b0, b1, b2, b3: Byte);
  begin
    b0 := v and $ff;
    b1 := (v shr 8) and $ff;
    b2 := (v shr 16) and $ff;
    b3 := (v shr 24) and $ff;
  end;

  { True when all four bytes are accepted password characters. }
  function AllPrintable(b0, b1, b2, b3: Byte): Boolean;
  begin
    AllPrintable := (b0 in KEYCHARS) and (b1 in KEYCHARS)
                and (b2 in KEYCHARS) and (b3 in KEYCHARS);
  end;

  begin
    asm mov ax,03h; int 10h; end;  { BIOS: set text mode 3 => clears the screen }
    for a := $21 to $41 do
      for b := $22 to $41 do
        for c := $23 to $41 do
          for d := $24 to $41 do
          begin
            { second dword = TARGET - first dword (a is the lowest byte) }
            rest := TARGET - (a + $100 * b + $10000 * c + $1000000 * d);
            SplitBytes(rest, e, f, g, h);
            if AllPrintable(e, f, g, h) then
            begin
              writeln(chr(a) + chr(b) + chr(c) + chr(d) + chr(e) + chr(f) + chr(g) + chr(h));
              halt;                { first solution only }
            end;
          end;
  end.
  69.  
  70. that's all
  71.  
  72. /nh
  73.