Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / exec.asm < prev next >

Wrap

Assembly Source File | 1999-06-26 | 10.1 KB | 442 lines

; R!SC's dodgy win32asm keygen for deaths execution trial crackme.. ; probably not possible without Duelist giving me a serial for his name.. ; (deffinatly not possible, as i had given up.. heh..) .386P Locals jumps include tiny_win32.inc .Model Flat, StdCall .Data caption db "http://csir.cjb.net http://beam.to/evc",0 ; about box box_1_text db "R!SC",0 blank2 db " enter more characters ",0 buffer1 db 82h dup (0) about db ' Execution 1999 Trial Crackme ** kEYGEN #7 bY R!SC ** risc@notme.com **',10,13 db ' special greetings to the best cracker i know, Duelist, who could reverse',10,13 db ' a bubble car if he wanted. without him and his cryptic clues, this would',10,13 db ' have remained half a keygen, but when he showed me the "dash" i saw the light',0 ;) msg MSGSTRUCT <?> wc WNDCLASS <?> hIce dd 0 _one dd 100h dup (0) _two dd 100h dup (0) regcode db 25 dup (0) regend db 0 tempreg db 40h dup (0) tempregend db 0 my_table dd 80h dup (0) my_counter dd 0 signed_ db 0 ;---------------------------------------------------------------------------------------------- .Code main: jmp boring ; do all the windows stuff getit: ; begin keygen code :) hahaha ; this bit is executed when ; cmp word ptr [wparam],IDD_BOX1 ; box 1 iD ; is equal...(and when dialog is initialised) lea ecx, buffer1 ; [ebp-84h] push 080 ; size of buffer push ecx ; offset buffer1 ; buffer push IDD_BOX1 ; what box to snatch the text from push hwnd ; our dialog handle call GetDlgItemTextA ; do it setit: cmp eax, 02 ; eax=length of text jl blank_box2 ; less than 1 character, put a message in box 2 mov ebx,eax mov edi,ebx mov dword ptr [my_counter],0 PUSH 00313373h LEA EDX, _one ; addr of lookup table #1 PUSH EDX CALL magictable ; int 03 TEST EBX,EBX ; ebx=name length ;JZ 00401209 blagit: DEC EBX MOVSX ECX,BYTE PTR [EBX+_one] ; get magic number IMUL ECX,EBX PUSH ECX LEA EAX,_two ;[EBP-0204h] ; use it to create another kewl lookup table PUSH EAX CALL magictable MOVSX EDX,BYTE PTR [EBX+buffer1] ; ebp-84 = name max length 80h MOVSX ECX,BYTE PTR [EDX+_two] ;EBP-0204h] ; more magic numbers IMUL EDI,ECX ; multiply ascii value of name, with magic number MOV ECX,EBX AND ECX,03 INC ECX MOV EAX,EDI XOR EDX,EDX DIV ECX MOV EDI,EAX LEA EAX, buffer1 ; name PUSH EAX CALL getlength ; get length POP ECX SUB EAX,EBX MOVSX EDX,BYTE PTR [EAX+buffer1-1] MOVSX ECX,BYTE PTR [EDX+_two] ;EBP-0204h] SUB EDI,ECX push esi push eax lea esi, my_table mov eax, dword ptr [my_counter] imul eax, 4 add esi,eax mov [esi],edi inc dword ptr [my_counter] pop eax pop esi ;XOR [EBP-04],EDI ; our value TEST EBX,EBX JNZ blagit xor ecx,ecx dec dword ptr [my_counter] mov ebx, dword ptr [my_counter] dec ebx ;jz fuckitsdone ; REMOVED THIS TO FIX '2' CHARACTER SERIAL VALUES workbaby: mov eax,ebx imul eax, 4 lea esi, my_table add esi,eax mov eax, dword ptr [esi] xor ecx,eax dec ebx jns workbaby mov eax,ecx mov byte ptr [signed_],0 ; NEW test eax,eax jns fuckitsdone ; MODIFIED neg eax ; IF ITS NEGATIVE, REVERSE IT, AND SET A FLAG inc byte ptr [signed_] ; SO AFTER ASCII CONVERSION, I KNOW TO ADD A '-' fuckitsdone: jmp convertit magictable: loc00AB112C: PUSH EBP MOV EBP,ESP PUSH EBX PUSH ESI PUSH EDI MOV ESI,[EBP+0Ch] MOV EBX,[EBP+08] XOR ECX,ECX loc00AB113A: MOV EAX,ESI XOR EAX,0BADC0DEh TEST ECX,ECX JNZ loc00AB114C MOV EDX,00000100h JMP loc00AB114E loc00AB114C: MOV EDX,ECX loc00AB114E: MOV EDI,EDX XOR EDX,EDX DIV EDI MOV [ECX+EBX],DL MOV AL,[ECX+EBX] ADD EAX,EAX AND AL,0FFh MOV [ECX+EBX],AL MOVSX EDX,BYTE PTR [ECX+EBX] IMUL EDX,ECX XOR ESI,EDX INC ECX CMP ECX,00000100h JB loc00AB113A MOV EAX,00000001 POP EDI POP ESI POP EBX POP EBP RET ; 0008 convertit: convert_values: lea esi, tempregend-1 ; temp storing place, starting from the end mov edx, 4 ; 4 bytes to convert loopy_hex: xor ebx,ebx mov bl, al movzx ebx, bl and bl, 0fh ; clear high 4 bits.. add bl, 030h ; add 30h cmp bl, 39h ; compare with ascii '9' jle oki1 add bl, 7 ; if its > 9, add 7 to make it a ascii letter (A..F/41h..46h) mov byte ptr [esi], bl dec esi jmp hmmm oki1: mov byte ptr [esi], bl ; save it dec esi ; ready esi for next one hmmm: mov bl, al movzx ebx, bl shr bl, 04 ; get high 4 bits.. add bl, 030h cmp bl, 39h ; is it > '9' jle oki2 add bl, 7 ; make it a letter mov byte ptr [esi], bl dec esi jmp hmmm2 oki2: mov byte ptr [esi], bl ; save it dec esi ; ready esi for next one hmmm2: shr eax, 08 ; ready al with next byte.. dec edx jnz loopy_hex cmp byte ptr [signed_],0 ; CHECK IF ITS/WAS NEGATIVE je conversion_done mov byte ptr [esi],'-' ; ADD DASH dec esi conversion_done: inc esi ; point to first digit..(of ascii serial) lea edi, regcode ; where to copy it to copy_number: movsb ; copy it, byte by byte cmp byte ptr [esi],0 ; see if we have finished jnz copy_number ; if not, loop movsb print_code_into_box_2: push offset regcode ; ASCii serial push 0 push WM_SETTEXT ; command push IDD_BOX2 ; what box? push hwnd ; dialog handle call SendDlgItemMessageA mov eax, 1 jmp main_finish ; DONE! getlength: push esi mov esi,eax push esi cmp byte ptr [esi],0 je _null@ length1: inc esi cmp byte ptr [esi],0 jnz length1 _null@: lea eax, dword ptr [esi] pop esi sub eax,esi pop esi ret convert_eax_to_ascii_dec: pushad xor ebx,ebx mov cx,10 dec_loop: shl ebx, 8 xor dx,dx div cx add dl,030h mov bl,dl test ax,ax jne dec_loop lea esi, tempreg call getlength add esi,eax fix_@1: mov byte ptr [esi],bl inc esi ror ebx,08 test bl,bl jne fix_@1 mov byte ptr [esi],0 popad ret blank_box2: push offset blank2 ; oh, less than 1 character push 0 push WM_SETTEXT push IDD_BOX2 push hwnd call SendDlgItemMessageA mov eax, 1 jmp main_finish ;---------------------------------------------------------------------------------------------- boring: ; boring code, windows stuff push 0 call GetModuleHandleA mov [hIce], eax mov [wc.clsStyle], CS_HREDRAW + CS_VREDRAW + CS_GLOBALCLASS mov [wc.clsLpfnWndProc], offset WndProc mov [wc.clsCbClsExtra], 0 mov [wc.clsCbWndExtra], 0 mov eax, [hIce] mov [wc.clsHInstance], eax push 0 push offset Main_DlgProc push 0 push IDD_DLG push [hIce] call DialogBoxParamA jmp finish Main_DlgProc proc hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD push ebx push esi push edi cmp [wmsg], WM_COMMAND ; is the message a command? jz main_command cmp [wmsg], WM_INITDIALOG ; has the box been initialised? jz main_init cmp [wmsg], WM_CLOSE ; was close pressed? jz main_dlgdestroy mov eax, 0 main_finish: pop edi pop esi pop ebx ret msg_loop: push 0 push 0 push 0 push offset msg call GetMessageA cmp ax, 0 jz end_loop push offset msg call TranslateMessage push offset msg call DispatchMessageA jmp msg_loop end_loop: push [msg.msWPARAM] call ExitProcess Main_DlgProc endp WndProc proc hwnd:DWORD, wmsg:DWORD, wparam:DWORD, lparam:DWORD push esi push edi push ebx defwndproc: push [lparam] push [wparam] push [wmsg] push [hwnd] call DefWindowProcA finish: pop ebx pop edi pop esi ret WndProc endp main_abt: ; about messagebox... push 0 push offset caption push offset about push 0 call MessageBoxA mov eax, 1 jmp main_finish main_init: ; initialise dialog text push offset box_1_text push 0 push WM_SETTEXT push IDD_BOX1 push hwnd call SendDlgItemMessageA jmp getit ; getit, get text in box 1, and creates serial from it main_command: cmp [wparam], IDD_ABT ; about button iD jz main_abt cmp word ptr [wparam],IDD_BOX1 ; box 1 iD jz getit cmp [wparam], IDD_EXIT ; quit button iD jz main_dlgdestroy mov eax, 0 jmp main_finish main_dlgdestroy: call ExitProcess End main