Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / UCL-JMPC.TXT < prev next >

Wrap

Text File | 1998-01-05 | 4.1 KB | 134 lines

─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─- ■ JMP!CRACKME by |PSA| *crackyou* ─-─-─-─-─-─-─-─-[ Shaman ]─-─-─-─-─-─-─-─- ▄▄ ▄ ▄▄▄▄▄▄ ▄▄ ·──▄▄───█─▄▄─────▄▄────· ·──██▌──█─██▌────██▌───· ·──██▌──█─██▌────██▌───· ▀▀ ▀▀▀ ▀▀▀▀▀▀ ▀▀▀▀▀▀ ─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─- ■ United Crackers League ■ [WIN95]─-─-─-─-─-─-─-─-─-─-─-─-─-─[Jan 98] E-mail: whshaman@iname.com Fido : 2:5064/3.5@fidonet ─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─-─- How to crack this "crackme": 1. Find this code: 00000000: B409 mov ah,009 00000002: BA2A01 mov dx,0012A 00000005: CD21 int 021 ; write copyrights 00000007: B40A mov ah,00A 00000009: BAFF04 mov dx,004FF ; input 4-symbols password 0000000C: CD21 int 021 0000000E: 8B1E0305 mov bx,[00503] ; in [503] our password (2 last bytes) 00000012: BEE704 mov si,004E7 ; at this address some crypted data 00000015: 8BFE mov di,si 00000017: B90C00 mov cx,0000C ; counter, 12 words 0000001A: AD lodsw 0000001B: D3C0 rol ax,cl 0000001D: 33C3 xor ax,bx ; crypt code and store back, ; in bx _always_ 2 last symbols ; of our password hehe 0000001F: 02D0 add dl,al ; checksum 00000021: AB stosw ; store back decrypted word 00000022: E2F6 loop 00000001A 00000024: 80EA68 sub dl,068 ; checking checksum 00000027: 7431 je 00000005A ; all right, then going to 5a... 00000029: C3 retn 2. I write 1-st program (1.pas), to calculate all accessable passwords, password is xxYx, when y is one of following symbols: $10, $1c, $70, $7c, $90, $9c, $f0, $fc, ' ', ' ', 'p', '|', 'É', '£', '≡', 'ⁿ' but PSA say what all symbols in password is typeable (i think what it's from region $20-$ff ;-), then calculating this passwdords for one from $70...$fc we get 172032 combinations, for 6 first symbols we get finaly: 172032*6=1032192 combinations. Uuuuh bad :(, ok, next step... 3. Let's look at the crypter: 00000017: B90C00 mov cx,0000C ; counter, 12 words 0000001A: AD lodsw 0000001B: D3C0 rol ax,cl 0000001D: 33C3 xor ax,bx ; kill (nops) this command ; in the debugger and get 'clear' ; precrypted dump after loop... 0000001F: 02D0 add dl,al 00000021: AB stosw 00000022: E2F6 loop 00000001A Was: 000004E7: 46 F8 6B F0 D6 1E 29 41-3D 38 6E 24 7D 75 C3 DA 000004F7: 65 87 9F A5 32 76 22 C9 New: 000004E7: 84 6F 83 5F 7B 58 82 52-38 3D 12 37 5D 5F 7B 58 000004F7: 58 76 FD 2C C9 D8 45 92 I write 2-nd prog (2.pas) for decrypting this new block with all accesable symbols (5 ones, for every accasable symbols, i use cycle from 1 to 0ffh, then look into logfile...) In logfile i find this strings: ... °= ■Done! $$ü~╡è9└ ... ° -*■ DOnE!-*$ü^╡¬9α ... Hehe, first string look so good :), now we can calculate 2 last symbols of password: 4. I patch my 2-nd program and calc xorbyte (2 last symbols of password) it's: |R ok, i patch my 1-st prog and get 186 valid combinations, like: ---cut--- p|R q|R s|R !p|R !q|R !r|R "q|R "r|R "s|R ... ---cut--- 5. Run jmp!crk and... after ~20 min (with 'fuck', 'shit' etc) i get this password: .~|R 6. After debugging i get "jmp ax" ax=2D0h, and try to calculate another valid password - nope, only this one. All '■ Done!' :) p.s. Tnx to PSA for good time, IRC chatting and JMP!Crackme of couse. ┌─ ├│/┤┌┬╖/┤╓┐ -─═[IHC]=[UCL]=[SDM]═-─ E-mail: whshaman@iname.com ───╜ │ │ [PGP B1 38 25 90 72 89 E6 74 60 DD AD 1B 63 26 D1 1E]