Cracking Projects For Newbies

Task 3
Sunday, 07-Feb-99 19:21:01
    194.211.95.129 writes:

    Greetings crackers,

    Task 3

    Question 1. Explain as best you can, what the below code fragment does.

    :0040B73A call 0040CCC0 <---- compares the serials
    :0040B73F add esp, 00000008 <---- ???? (stack correction, but why?)
    :0040B742 test eax, eax <--- are you a good guy?
    :0040B744 jne 0040B9BC <---- no? Beggar off cracker...

    The call at 40CCC0 is made with these parameters: ecx = ptr fake serial, ebp-16 = ptr real serial, eax = 1
    If the serials are equal:
    eax = 0
    ecx= 0
    edx= 6a0700 ?
    esp= ptr real serial
    If the serials are different:
    eax=-1 (FFFFFFFF)
    ecx = fake serial
    edx= real serial
    esp= ptr fake serial

    a) the important value returned by the call is EAX
    b) I don't understand the meaning of esp+8...... :|
    c) The two values of EAX are 0 (good guy) and -1 (bad cracker)
    d) The JNE takes us to a further check and to the Beggar Off msg

    Question 2. Explain how this program compares our *fake* serial number
    against the *real* one.

    :0040CCC0 83EC04 sub esp, 00000004
    :0040CCC3 833D24F1420000 cmp dword ptr [0042F124], 00000000
    :0040CCCA 53 push ebx
    :0040CCCB 56 push esi
    :0040CCCC 7537 jne 0040CD05
    :0040CCCE 8B4C2410 mov ecx, dword ptr [esp+10] <---- fake serial
    :0040CCD2 8B542414 mov edx, dword ptr [esp+14] <---- real serial

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCF0(C)
    |
    :0040CCD6 8A01 mov al, byte ptr [ecx] <--- al= 1 char of fake serial
    :0040CCD8 3A02 cmp al, byte ptr [edx] <---- al = 1 char real serial?
    :0040CCDA 751E jne 0040CCFA <---- no? jump
    :0040CCDC 0AC0 or al, al <--- al = 0 only if the serial check is terminated
    :0040CCDE 7412 je 0040CCF2 <--- this only jumps if all the 'AL chars' were good and the string
    in ecx has no more chars. !You jump only if the Serial is good!
    :0040CCE0 8A4101 mov al, byte ptr [ecx+01] al = another char of fake serial
    :0040CCE3 3A4201 cmp al, byte ptr [edx+01] al = another char of good serial?
    :0040CCE6 7512 jne 0040CCFA no? jump
    :0040CCE8 83C102 add ecx, 00000002 <--- move the pointers of the fake and real serials
    :0040CCEB 83C202 add edx, 00000002 2 bytes forward
    :0040CCEE 0AC0 or al, al
    :0040CCF0 75E4 jne 0040CCD6 <---- jump above and make other two compares

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0040CCDE(C)
    |
    :0040CCF2 33C0 xor eax, eax <-----eax= 0
    :0040CCF4 5E pop esi
    :0040CCF5 5B pop ebx
    :0040CCF6 83C404 add esp, 00000004
    :0040CCF9 C3 ret <------ yeah! go ahead good guy ;)

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0040CCDA(C), :0040CCE6(C)
    |
    :0040CCFA 1BC0 sbb eax, eax <---- eax = -1
    :0040CCFC 5E pop esi
    :0040CCFD 83D8FF sbb eax, FFFFFFFF
    :0040CD00 5B pop ebx
    :0040CD01 83C404 add esp, 00000004
    :0040CD04 C3 ret <--- bye bye bad boy ;)

    This is a simple routine that checks one byte at a time: if the first char of the fake serial is equal to the real
    one, it then checks the second char. If this is equal too, it moves the pointers into the serials two bytes forward and repeats
    the checks for the 3rd and the 4th chars. And so on for the 5th up to the 16th chars.
    If one of the chars isn't equal, eax=-1 and RET. To check the end of the string to compare, al is set to 0
    and the jump at :0040CCDE forces the routine to set eax=0 and RET
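    As an added illustration (not part of Kali's post and not the target program's source), the following C model reproduces the compare routine at 0040CCC0 the way the listing shows it, plus the caller's `test eax, eax` zero check from Question 1. The function names serial_compare and serial_accepted and the sample serials are assumptions. The model also shows where the two arguments come from: the caller pushes the two pointers, the routine reads them at [esp+10] and [esp+14] past its own pushes, and the `add esp, 00000008` after the call removes those two 4-byte arguments (cdecl convention, callee does not pop them). On a mismatch the listing's `sbb eax, eax` / `sbb eax, FFFFFFFF` pair turns the carry from the byte compare into -1 when the fake byte is below the real one and +1 when it is above; the caller only tests whether eax is zero.

```c
#include <stdio.h>

/* Hypothetical C rendering of the routine at 0040CCC0 as read from the
 * listing: compare two NUL-terminated strings a byte at a time, two bytes
 * per loop iteration, stopping at the first mismatch or at the terminator.
 * Returns 0 on match, -1 or +1 on mismatch (sign of the unsigned byte
 * difference, as the sbb pair produces). */
int serial_compare(const char *fake, const char *real)
{
    for (;;) {
        /* mov al, [ecx] ; cmp al, [edx] ; jne mismatch */
        unsigned char a = (unsigned char)fake[0];
        unsigned char b = (unsigned char)real[0];
        if (a != b)
            return a < b ? -1 : 1;      /* sbb eax,eax ; sbb eax,FFFFFFFF */
        /* or al, al ; je done  (both strings ended together) */
        if (a == 0)
            return 0;                   /* xor eax, eax ; ret */

        /* mov al, [ecx+1] ; cmp al, [edx+1] ; jne mismatch */
        a = (unsigned char)fake[1];
        b = (unsigned char)real[1];
        if (a != b)
            return a < b ? -1 : 1;

        /* add ecx, 2 ; add edx, 2 ; or al, al ; jne loop */
        fake += 2;
        real += 2;
        if (a == 0)
            return 0;                   /* fell through to xor eax, eax */
    }
}

/* The caller at 0040B73A: push both pointers, call, add esp, 8,
 * then test eax, eax / jne bad. Only eax == 0 is accepted. */
int serial_accepted(const char *fake, const char *real)
{
    return serial_compare(fake, real) == 0;
}

int main(void)
{
    /* Constructed 16-character sample; not the program's real serial. */
    const char *real = "ABCDEFGHIJKLMNOP";
    const char *tries[] = { "ABCDEFGHIJKLMNOP", "ABCDEFGHIJKLMNOQ", "ABCDEFGH", "" };
    for (int i = 0; i < 4; i++)
        printf("'%s' -> eax=%d accepted=%d\n", tries[i],
               serial_compare(tries[i], real), serial_accepted(tries[i], real));
    return 0;
}
```

The loop returns as soon as one byte differs, so the time it spends depends on how long the common prefix is; a defender writing such a check today would compare the full length in constant time rather than rely on an early-exit string compare.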

    Question 3. Explain how our User Name: Pirate Copy is converted into a 16
    character hex code.

    I placed a bpx on every call above the :0040B73A call 0040CCC0 till I found the calculation routine.
    The routine is very hard to follow, I tried, but I didn't understand how it manages its tables...
    At first the string 'Memory game' is manipulated for generating a strange string of 00 and 01,
    but only these chars are involved in the checks M,m,r,,a,e, and some empty loops that
    increased the EDI ptr
    After that 'Pirate copy' is moved char by char in a location, but after the 'Pirate C' the loops overwrite
    the string with the remaining chars 'opy'. This is the result (3f,19,0b,61='a',74='t',65='e',20=' ',43='C')
    From this point I only understand a lot of calls to some predefined tables (one of these is a string like
    this '!"#$%&...01234567890:;<=>?...' and one is a series of spaces); every call goes to a loop or a nested
    loop that generates a string of 00 and 01.
    From the call:
    :004094D5 E879FCFFFF call 00409153
    I wasn't able to and was very tired :( and I didn't understand the core of the routine: how it converts my name
    into my serial...

    Peace Kali


    Kali


Message thread:

KALI: Project 6 (03-Feb-99 19:05:56)




Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.