The +O Selftest for Crackers
LordByte Cracking Challenge version 1.0
Tutorial (v1.0) by Lucifer48 [Immortal Descendants]
(August 12th, 1999)
Contents:
Introduction
Very Very Easy
Very Easy
Easy
Not Entirely Easy
Somewhat Harder
Hard
Introduction:
I have solved only 5 of the 7 tests (all except Not Entirely Easy & Very Hard). This last one is really crazy,
it is enormous, I gave up (I doubt that anybody could be courageous enough to solve this!). For
the Not Entirely Easy test, it is a brute force attack over 9 chars, which takes time... If you
have info: other combinations (for Hard), the word (for Not Entirely Easy), or the
pass-phrase (for Very Hard), or anything else which can help me, mail me at
lucifer48@yahoo.com. I will be pleased to update this essay.
Very Very Easy:
It is a simple comparison...
XXXX:0043B032 LEA EDX,[EBP-04] ;[EBP-04] will contain the address of the serial
XXXX:0043B035 MOV EAX,[EBX+00000258]
XXXX:0043B03B CALL 0041AED4 ;read the serial
XXXX:0043B040 MOV EAX,[EBP-04] ;our serial
XXXX:0043B043 MOV EDX,0043B09C ;button
XXXX:0043B048 CALL 00403A44 ;comparison
XXXX:0043B04D JNZ 0043B05B ;jump = bad cracker!
What word am I thinking of ? button
Very Easy:
Let's go...
XXXX:0043B1D7 CALL 0041AED4 ;read the name
XXXX:0043B1DC MOV EAX,[EBP-08] ;my name
XXXX:0043B1DF CALL 00403934
XXXX:0043B1E4 MOV EBX,EAX ;size of my name
XXXX:0043B1E6 TEST EBX,EBX ;is name entered ?
XXXX:0043B1E8 JLE 0043B20E
XXXX:0043B1EA MOV ESI,00000001
XXXX:0043B1EF LEA EDX,[EBP-08] ;will contain the address of the name
XXXX:0043B1F2 MOV EAX,[EBP-04] ;it is already here (in EAX..)
XXXX:0043B1F5 MOV EAX,[EAX+00000280] ;stupid delphi ;)
XXXX:0043B1FB CALL 0041AED4 ;read the name (again...)
XXXX:0043B200 MOV EAX,[EBP-08] ;d EAX: my name
XXXX:0043B203 MOVZX EAX,BYTE PTR [ESI+EAX-01] ;load the ESIth char of the name
XXXX:0043B208 ADD EDI,EAX ;initially, EDI= 031422DD
XXXX:0043B20A INC ESI ;next char
XXXX:0043B20B DEC EBX
XXXX:0043B20C JNZ 0043B1EF ;loop
This little loop adds the ASCII value of each character of the name to the initial value 031422DD,
which gives us a 32-bit checksum. Further on...
XXXX:0043B228 CALL 00406870 ;read the serial
XXXX:0043B22D MOV EAX,[EBP-08] ;d EAX: my serial
XXXX:0043B230 CALL 00406870 ;conversion of the serial string to a number (result in EAX)
XXXX:0043B235 CMP EDI,EAX ;comparison
XXXX:0043B237 JNZ 0043B245 ;must be equal!
For my name, I get:
31422DDh + 4Ch + 75h + 63h + 69h + 66h + 65h + 72h + 34h + 38h = 3142613h
and, 3142613h = 51652115d so...
Name/ Lucifer48
Serial/ 51652115
This sort of protection scheme is pretty common in shareware.
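The "Very Easy" check, rewritten in Python as an added example (it is not code from the tutorial or from the crackme). It reproduces the checksum loop above and also shows why such a scheme is weak: addition is commutative, so any reordering of the name is accepted with the same serial.

```python
# Added example: the "Very Easy" check of the LordByte crackme reduced to Python.
# The serial is the 32-bit sum of the name's ASCII codes plus 031422DDh, typed in decimal.
INITIAL_EDI = 0x031422DD
MASK32 = 0xFFFFFFFF

def checksum(name: str) -> int:
    """Reproduce the 0043B1EF loop: EDI starts at 031422DDh, then each byte is added."""
    edi = INITIAL_EDI
    for byte in name.encode("latin-1"):
        edi = (edi + byte) & MASK32      # ADD EDI,EAX on a 32-bit register
    return edi

def serial_for(name: str) -> str:
    """The value the CMP EDI,EAX at 0043B235 expects, as the decimal string the user types."""
    return str(checksum(name))

def is_valid(name: str, serial: str) -> bool:
    """The check itself: parse the typed serial as a number and compare with the checksum."""
    try:
        return int(serial, 10) == checksum(name)
    except ValueError:
        return False

def anagram_collision(name: str) -> str:
    """Why the scheme is weak: the reversed name (any permutation would do) has the
    same byte sum, so the crackme accepts it with the very same serial."""
    return name[::-1]

if __name__ == "__main__":
    print(serial_for("Lucifer48"))                        # 51652115, as in the tutorial
    alt = anagram_collision("Lucifer48")
    print(alt, is_valid(alt, serial_for("Lucifer48")))    # 84reficuL True
```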
Easy:
Patching is allowed, but I won't do it... At the end of the loop, we have two comparisons:
XXXX:0043B3FA CMP ESI,00003810
XXXX:0043B400 JNZ 0043B40A
XXXX:0043B402 CMP EBX,402A4FE7
XXXX:0043B408 JZ 0043B424
...
XXXX:0043B424 MOV EAX,EBX ;we are sure that EBX=402A4FE7
XXXX:0043B426 SUB EAX,ESI ;and that ESI=00003810 so...
XXXX:0043B428 CMP EAX,402A17D7 ;the test is checked, all the time!
XXXX:0043B42D JZ 0043B449 ;so here JZ = JMP
...
XXXX:0043B449 MOV EAX,EBX ;one more time, we are sure that EBX=402A4FE7
XXXX:0043B44B ADD EAX,EAX ;402A4FE7 + 402A4FE7 = 80549FEC
XXXX:0043B44D LEA EDX,[ESI*2+ESI] ;ESI=00003810 so 3*ESI=00007020
XXXX:0043B450 ADD EAX,EDX ;80549FEC + 00007020 = 805547FE
XXXX:0043B452 CMP EAX,805547FE
XXXX:0043B457 JZ 0043B473 ;still here, JZ = JMP
What does the loop do? The internal loop does the following:
Assuming Xk is the k-th char of the serial, at the beginning of the loop EDI=1, and it is incremented
up to the length of the serial.
ESI= Xk + ESI + EDI
EBX= (2*EBX XOR ESI) + ESI MOD EDI + 1
Assuming the serial is n chars long, I denote by X1, X2, ..., Xk, ..., Xn the chars of the serial.
At the end of the (internal) loop:
ESI = (1 + 2 + ... + n ) + X1 + X2 + ... + Xn
= n*(n+1)/2 + Sigma(1,n,k) Xk (k is the index, from 1 to n)
The second loop (the external loop) repeats the internal loop 10h times. So we can compute
the final value for ESI.
ESI (final)= 8*n*(n+1) + 16*Sigma(1,n,k) Xk
And we know that ESI must be equal to 00003810, and 00003810 / 10h = 381
so, conclusion: 381h = n*(n+1)/2 + Sigma(1,n,k) Xk (*)
(*) This formula will help us in the brute force attack (the only solution i found, to solve
this) because it will remove lots of combinations.
XXXX:0043B3F0 DEC DWORD PTR [EBP-0C]
XXXX:0043B3F3 JNZ 0043B3C3 ;internal loop
XXXX:0043B3F5 DEC DWORD PTR [EBP-08]
XXXX:0043B3F8 JNZ 0043B39E ;external loop
Remark: a quick calculation suggests that the serial (the word) is 8 chars long.
Indeed:
7 chars: 381h-1Ch = 365h and 365h / 7 = 7Ch (average of ASCII values)
8 chars: 381h-24h = 35Dh and 35Dh / 8 = 6Bh
9 chars: 381h-2Dh = 354h and 354h / 9 = 5Eh
We guess that the word ends with the letter e; with a brute force attack (see my
source in asm), we get:
What word am I thinking of ? firmware
Not Entirely Easy:
This test is nearly the same as the previous test.
XXXX:0043B593 MOV EAX,ESI
XXXX:0043B595 CDQ
XXXX:0043B596 IDIV EDI ;EDI index from 1 to serial-length
XXXX:0043B598 ADD EDX,03
XXXX:0043B59B SUB EBX,EDX
XXXX:0043B59D INC EDI
XXXX:0043B59E DEC DWORD PTR [EBP-0C] ;internal loop
XXXX:0043B5A1 JNZ 0043B56F
XXXX:0043B5A3 DEC DWORD PTR [EBP-08] ;16 loops (as the above test)
XXXX:0043B5A6 JNZ 0043B54A
XXXX:0043B5A8 CMP ESI,00004100
XXXX:0043B5AE JNZ 0043B5B8
XXXX:0043B5B0 CMP EBX,F61D4A8F
XXXX:0043B5B6 JZ 0043B5D2 ;jmp = good cracker!
These are the two formulas:
ESI= Xk + ESI + EDI
EBX= (2*EBX XOR ESI) - ESI MOD EDI - 3
It's not very different from the previous test.
410h = n*(n+1)/2 + Sigma(1,n,k) Xk, which eliminates some possibilities.
We guess (I hope...) that the word is in lower-case letters.
7 chars: 410h-1Ch = 3F4h and 3F4h / 7 = 90h (it's too big...)
8 chars: 410h-24h = 3ECh and 3ECh / 8 = 7Dh (still too big)
9 chars: 410h-2Dh = 3E3h and 3E3h / 9 = 6Eh <--- it should work
A chars: 410h-37h = 3D9h and 3D9h / A = 62h (too small for lower-case letters)
Hopefully the serial really is 9 chars long...
I don't see any other way to solve this except a brute force attack (see source).
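The ESI accumulator that the Easy and Not Entirely Easy tests share, as an added example (not the tutorial's asm source). It runs the internal/external loops as the listing does, checks them against the closed formula 8*n*(n+1) + 16*Sigma Xk, and reproduces the length/average-ASCII table of the two remarks. Assumptions: ESI starts at 0; the EBX recurrence is left out because its initial value is not given in the tutorial.

```python
# Added example: the shared ESI part of the "Easy" and "Not Entirely Easy" tests.
# Assumption: ESI is 0 before the loops (the tutorial's closed formula implies it).
OUTER_ROUNDS = 0x10   # the external loop repeats the internal loop 10h times

def esi_by_simulation(word: str) -> int:
    """Run the loops exactly as the listing does: ESI = Xk + ESI + EDI, EDI = 1..n."""
    esi = 0
    for _ in range(OUTER_ROUNDS):
        edi = 1
        for xk in word.encode("latin-1"):
            esi = (esi + xk + edi) & 0xFFFFFFFF
            edi += 1
    return esi

def esi_closed_form(word: str) -> int:
    """The tutorial's formula: ESI(final) = 8*n*(n+1) + 16*Sigma Xk."""
    n = len(word)
    return (8 * n * (n + 1) + 16 * sum(word.encode("latin-1"))) & 0xFFFFFFFF

def average_char_by_length(target_esi: int, lengths=range(7, 11)) -> dict:
    """For each candidate length n, the average ASCII value the chars must have so that
    target_esi/10h = n*(n+1)/2 + Sigma Xk (the remark's table, integer division as there)."""
    reduced = target_esi // OUTER_ROUNDS          # 3810h -> 381h, 4100h -> 410h
    return {n: (reduced - n * (n + 1) // 2) // n for n in lengths}

if __name__ == "__main__":
    print(hex(esi_by_simulation("firmware")))    # 0x3810, the value the Easy test wants
    print({n: hex(v) for n, v in average_char_by_length(0x4100).items()})
```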
Somewhat Harder:
Using the W32Dasm string references (especially the one to "Correct Key ! ..."), we can put a bpx at a good
place.
XXXX:0043B8CF CALL 00403B38
XXXX:0043B8D4 MOV EAX,[EBP-04]
XXXX:0043B8D7 CALL 00406870 ;EAX contains the value of a slide
XXXX:0043B8DC IMUL EBX,EAX,000DEAAD
...
Let X1, X2, ..., X8 denote the values of the 8 slides. What this test does:
- For EBX: (X6*DEAADh + X3*4EF8Fh) XOR (X4*C94CDh) XOR (X7*43421h) == 620D34h
- For ESI: ( ((X2*8AFh) XOR (X8*8A040h)) + (X1*674E8h) ) XOR (X5*97AC5h) == C366F9h
Two equations, each with four unknown values, too easy...
See the source in Pascal, which gives the solution:
86257479
Key Status: Valid !!!!!
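The two slide equations above, checked and solved in Python as an added example (the tutorial's Pascal source is not reproduced here). Assumption: each slide holds a digit 0..9, as the published answer 86257479 suggests; X1..X8 are indexed as in the tutorial.

```python
# Added example: the "Somewhat Harder" check and a direct search for its solution.
# Assumption: slide values are digits 0..9 (the answer 86257479 is one digit per slide).
from itertools import product

MASK32 = 0xFFFFFFFF

def ebx_value(x3, x4, x6, x7):
    """EBX = (X6*DEAADh + X3*4EF8Fh) XOR (X4*C94CDh) XOR (X7*43421h)."""
    return (((x6 * 0xDEAAD + x3 * 0x4EF8F) & MASK32) ^ (x4 * 0xC94CD) ^ (x7 * 0x43421)) & MASK32

def esi_value(x1, x2, x5, x8):
    """ESI = (((X2*8AFh) XOR (X8*8A040h)) + (X1*674E8h)) XOR (X5*97AC5h)."""
    return ((((x2 * 0x8AF) ^ (x8 * 0x8A040)) + x1 * 0x674E8) & MASK32) ^ (x5 * 0x97AC5)

def key_is_valid(key: str) -> bool:
    """The crackme's check on the 8 slide values, here given as one 8-digit string."""
    if len(key) != 8 or not key.isdigit():
        return False
    x1, x2, x3, x4, x5, x6, x7, x8 = (int(c) for c in key)
    return ebx_value(x3, x4, x6, x7) == 0x620D34 and esi_value(x1, x2, x5, x8) == 0xC366F9

def solve() -> list:
    """Each equation involves only four slides, so the search is 2 * 10^4 cases, not 10^8."""
    ebx_hits = [(x3, x4, x6, x7) for x3, x4, x6, x7 in product(range(10), repeat=4)
                if ebx_value(x3, x4, x6, x7) == 0x620D34]
    esi_hits = [(x1, x2, x5, x8) for x1, x2, x5, x8 in product(range(10), repeat=4)
                if esi_value(x1, x2, x5, x8) == 0xC366F9]
    return ["".join(map(str, (x1, x2, x3, x4, x5, x6, x7, x8)))
            for (x3, x4, x6, x7), (x1, x2, x5, x8) in product(ebx_hits, esi_hits)]

if __name__ == "__main__":
    print(solve())    # contains 86257479, the key the tutorial reports
```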
Hard:
Like the previous test, W32Dasm will help us to find a good bpx.
XXXX:0043BB7F MOV EDI,39F51B20
XXXX:0043BB84 MOV DWORD PTR [ESP],118DF6E7
XXXX:0043BB8B MOV ESI,202937CD
XXXX:0043BB90 MOV EBP,6FB25085
XXXX:0043BB95 MOV EAX,[EBX+00000398] ;A1
XXXX:0043BB9B CALL 00430398 ;is check box checked ? (al=01=checked)
XXXX:0043BBA0 TEST AL,AL
XXXX:0043BBA2 JZ 0043BBC3 ;jump to the next test (another check box)
In fact, the crackme goes through every check box; if it is checked, the values (EDI, ESI, EBP, DWORD PTR [ESP]) are modified
(+, -, div, sar, ...), and at the end the verification is performed in this way:
XXXX:0043C260 SUB EDI,[ESP]
XXXX:0043C263 ADD ESI,EDI
XXXX:0043C265 ADD EBP,ESI
XXXX:0043C267 CMP EBP,76651C4D
XXXX:0043C26D JNZ 0043C2D0 ;no jump = good cracker!
Very original! Once more, a brute force attack will help us!
(fortunately, the check boxes are tested in order). There are 39 check boxes,
which makes 2^39 possibilities (a very big number). The code sequences that follow the check box tests
are all very similar, except three: A4, C4 and C13.
With my source in asm (I hope there are no errors in it....), this is the
first good combination found:
X X X O X O O O O X O O X
O O X X X O X O X X O X O
X X O X X O O O O O O O O
Remark: I have tested every combination from A1 to C7 (with C8, C9, ..., C13 unchecked); there is
only one good solution.
Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN, LaZaRuS, Duelist, ...
(c) Lucifer48. All rights reversed