Re: TASK 2 Woo Hoo
Friday, 19-Mar-99 08:08:26

It has everything to do with it! This battle uses a keyfile '1.123'. The 'OK' button is hardcoded with the fail message. The serial is actually checked when you press 'cancel'! After pressing 'cancel', CreateFileA is called, which doesn't create a file but checks for file '1.123' then opens it. _lread is then called, which reads 14h bytes into :00403634.

401B05 PUSH 004031BF               <--------FILENAME "1.123"
401B0A CALL 'CreateFileA'          <----OPEN file
401B0F PUSH 0014                   <---------LENGTH to read (hex)
401B11 PUSH 00403634               <-------LOC to read to
401B16 PUSH EAX                    <----------FILE handle
401B17 CALL '_lread'

ECX, EDX and EBX are set to zero before some calculations are made using the contents of the keyfile (I think); that leaves a value in ECX, which is PUSHed for later use.

:00401B2D add ecx, dword ptr [eax+00403634]
:00401B33 add bl, byte ptr [eax+00403634]   <---CAN someone explain exactly what these two adds do? Neither ecx, eax nor bl seems to be affected??
:00401B39 shl ebx, 1
:00401B3B add ecx, ebx
:00401B3D rol ecx, 1
:00401B3F sub eax, 00000004                 <-------EAX starts as 14h, so 5 times thru will hit zero
:00401B42 add ecx, 004D7245
:00401B48 add ecx, 00003B29
:00401B4E or eax, eax
:00401B50 jne 00401B2D                      <-- do it again until eax is zero.
:00401B52 push ecx                          <-----KEEP for later comparison.

'SendDlgItemMessageA' is then called twice, once to find out how long our serial is, then again to read our serial + 1 blank byte (00) to :00403835.

:00401B77 Call 'SendDlgItemMessageA'        <-----THIS is the second one
:00401B7C cmp eax, 00000000
:00401B7F jbe 00401BD7
:00401B81 push 00403634                     <-----LOCN of keyfile contents
:00401B86 push 00403835                     <-----LOCN of typed serial
:00401B8B Call 'lstrcmpA'                   <----THIS compare is a red herring. The result in EAX is wiped straight after.
:00401B90 xor eax, eax
:00401B92 xor ebx, ebx
:00401B94 xor edx, edx
:00401B96 jmp 00401BB1                      <--NOW on to the real validation routine.

The following routine reads each character of the entered serial and checks if it is a number between 0 and 9; if it's not, it goes to the next character. If it is, it uses it in a calculation. At the end it compares eax with the value of ecx that was pushed earlier.

:00401B98 mov bl, byte ptr [edx+00403835]
:00401B9E inc edx
:00401B9F cmp bl, 2F
:00401BA2 jbe 00401BB1                      <------JMP if lower than '0'
:00401BA4 cmp bl, 3A
:00401BA7 jnb 00401BB1                      <------JMP if higher than '9'
:00401BA9 imul eax, 0000000A                <---- multiply eax by A
:00401BAC sub bl, 30                        <----CONVERT ascii to decimal
:00401BAF add eax, ebx
:00401BB1 cmp byte ptr [edx+00403835], 00   <----IS next character null?
:00401BB8 jne 00401B98                      <---IF not, go thru calc again.

This leaves a number in eax that was calculated from the serial you entered.

:00401BBA pop ecx                           <---------POP the number that was calculated from the keyfile.
:00401BBB cmp eax, ecx                      <-----COMPARE with number calculated from serial
:00401BBD jne 00401BD7                      <-----IF not equal, exit quietly.
:00401BBF mov eax, 00403570                 <---"orrect Serial"
:00401BC4 dec eax                           <----------MOVES eax back to "Correct Serial", which is the title for the congratulations messagebox.
:00401BC5 mov ebx, 0040354F                 <----"ou have conquered this crackme"
:00401BCA dec ebx                           <----------MOVES ebx back to "You have......", text for message box.
:00401BCB push 00000000
:00401BCD push eax
:00401BCE push ebx
:00401BCF push [ebp+08]
:00401BD2 Call 'MessageBoxA'

So if you had the time you could figure out a valid serial/keyfile combination, or you could patch :00401BBD jne to je. Tired now, must rest.

Sherwood
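The keyfile loop Sherwood asks about can be replayed in a few lines, and doing so also gives a keygen, so there is no need to patch the jne. The two adds at :00401B2D and :00401B33 index the keyfile buffer by EAX: the first adds the dword at 00403634+EAX into ECX, the second adds the single byte at that address into BL (the low byte of EBX, so a carry never reaches the upper bytes); they look like no-ops in a register view only because their second operand is in memory. EAX starts at 14h and is decremented by 4 only after the read, so the dwords used sit at offsets 20, 16, 12, 8 and 4: offsets 0..3 are never touched, and the first read lands one dword past the 20 bytes _lread fetched. The Python below is an added example, not code from the post or from the crackme; it treats the four bytes past the buffer as a parameter defaulting to zero (an assumption, since the page does not show that memory), and all function and constant names are its own.

```python
"""Model of the TASK 2 keyfile/serial check, rebuilt from the listing in the post."""
import struct

MASK32 = 0xFFFFFFFF
KEYFILE_LEN = 0x14            # length pushed for _lread at 401B0F
CONST_A = 0x004D7245          # add ecx at 401B42
CONST_B = 0x00003B29          # add ecx at 401B48


def rol32(value, count=1):
    """32-bit rotate left, as the rol instruction does it."""
    value &= MASK32
    return ((value << count) | (value >> (32 - count))) & MASK32


def keyfile_value(keyfile, past_buffer=b"\x00\x00\x00\x00"):
    """Replay 401B2D..401B50 over the 20 keyfile bytes at 403634.

    EAX starts at 14h and is decremented by 4 after each read, so the dwords
    used sit at offsets 20, 16, 12, 8 and 4. Offset 20 is one dword past
    what _lread fetched; `past_buffer` stands in for those four bytes
    (ASSUMPTION: zero, the page does not show that memory).
    """
    if len(keyfile) != KEYFILE_LEN:
        raise ValueError("keyfile must be exactly 0x14 bytes")
    mem = bytes(keyfile) + bytes(past_buffer[:4]).ljust(4, b"\x00")
    ecx, ebx, eax = 0, 0, KEYFILE_LEN            # xor ecx/ebx; eax = 14h
    while True:
        dword = struct.unpack_from("<I", mem, eax)[0]
        ecx = (ecx + dword) & MASK32             # add ecx, dword ptr [eax+403634]
        bl = ((ebx & 0xFF) + mem[eax]) & 0xFF    # add bl, byte ptr [eax+403634]
        ebx = (ebx & 0xFFFFFF00) | bl            #   carry stays inside bl
        ebx = (ebx << 1) & MASK32                # shl ebx, 1
        ecx = (ecx + ebx) & MASK32               # add ecx, ebx
        ecx = rol32(ecx)                         # rol ecx, 1
        eax -= 4                                 # sub eax, 4
        ecx = (ecx + CONST_A) & MASK32           # add ecx, 4D7245h
        ecx = (ecx + CONST_B) & MASK32           # add ecx, 3B29h
        if eax == 0:                             # or eax, eax / jne 401B2D
            return ecx                           # this is the value pushed at 401B52


def serial_value(serial):
    """Replay 401B96..401BB8: fold the decimal digits of the typed serial into
    EAX (imul eax,0Ah / add eax,ebx). Non-digit bytes are skipped, not rejected."""
    data = serial if isinstance(serial, (bytes, bytearray)) else serial.encode("latin-1")
    eax = 0
    for ch in data:
        if ch == 0:                              # cmp byte ptr [edx+403835], 0
            break
        if 0x30 <= ch <= 0x39:                   # cmp bl,2F / jbe ; cmp bl,3A / jnb
            eax = (eax * 10 + (ch - 0x30)) & MASK32
    return eax


def check(keyfile, serial, past_buffer=b"\x00\x00\x00\x00"):
    """The real test at 401BBB. An empty serial is rejected earlier by the
    cmp eax,0 / jbe at 401B7C; the lstrcmpA result is never used."""
    if len(serial) == 0:
        return False
    return serial_value(serial) == keyfile_value(keyfile, past_buffer)


def serial_for(keyfile, past_buffer=b"\x00\x00\x00\x00"):
    """Keygen: the keyfile value written in decimal folds back to the same
    32-bit number, so it always satisfies check() for that keyfile."""
    return str(keyfile_value(keyfile, past_buffer))


if __name__ == "__main__":
    sample = b"TASK2-sample-keyfile"          # constructed 20-byte keyfile, not from the page
    serial = serial_for(sample)
    print("keyfile value %08X, serial %s, passes: %s"
          % (keyfile_value(sample), serial, check(sample, serial)))
```

Because the parser only skips non-digits, "15-78-10-77-0x" passes wherever "157810770" does; and because offsets 0..3 of the file are never read, two keyfiles differing only in their first four bytes accept the same serial.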