
help with XOR

The Keeper
February 17th, 2002, 04:58
Hello,

I've got a crackme in which the serial length is 16; the algo is as follows:

Suppose I enter 1111222233334444 as the serial. The program does:

31313131 ^ 32323232 = 3030303
33333333 ^ 3030303 = 30303030
34343434 ^ 30303030 = 4040404

^ = xor

Then it compares 4040404h with 21730F1Eh.
If different, the serial is wrong; else it's right.

So I guess I need to "reverse" the xor? How would I do that?

Any help is appreciated.

death
February 17th, 2002, 05:41
ascii values of 1111 = a
ascii values of 2222 = b
ascii values of 3333 = c
ascii values of 4444 = d

e = a ^ b
f = c ^ e
y = d ^ f

y must be 21730F1Eh so:

d ^ (c ^ (a ^ b)) = 21730F1E

this is the same as:
a ^ b ^ c ^ d = 21730F1E

Now you just generate printable ASCII values for a/b/c/d so that when XORed they produce 21730F1E.

The Keeper
February 17th, 2002, 13:08
Hello,

Thanks for the reply, but is it possible to do that without bruteforcing? He said bruteforce isn't allowed.

thanks.

ZaiRoN
February 17th, 2002, 13:56
hi,
you can do this by fixing (opportunely) some values

bye,
ZaiRoN

The Keeper
February 17th, 2002, 20:15
Yo all,

Tried all day long with no luck.

Would anyone mind helping me a little more? I can't find a way; I tried factoring 21730F1E but the result can't fit XXXX YYYY ZZZZ WWWW.

Any help is appreciated.

If anyone finds a way, please post how.

JimmyClif
February 18th, 2002, 00:32
Quote:
 31313131 ^ 32323232 = 3030303
 33333333 ^ 3030303 = 30303030
 34343434 ^ 30303030 = 4040404

Let's define this into readable unknowns:

a xor b == R1
c xor R1 == R2
d xor R2 == 21730F1Eh

a xor b == c

and :

c xor b == a

We can assume that if we take:

a xor b == 21730F1Eh
c xor R1 == R2
c xor R2 == 21730F1Eh

Now our key has only 8 unknowns left:

???? ???? 0000 0000
(in Hex)
???? ???? 30303030 30303030

(It doesn't matter what number we choose for the last 8 digits as long as the last 4 are the same as the 4 before them.)

Ergo.. all we have to do is:
Find two numbers which if we xor them give exactly 21730F1Eh in readable ascii letters

a xor b == 21730F1Eh
21730F1Eh xor a == b

All you have to do is (imo) code a little bruteforce toy to unlock it.

Like :

```
.WHILE 1
    mov eax, 21730F1Eh
    inc ebx
    xor eax, ebx
    ; show me the money, erm, the values
.ENDW
```

Hope this helps a bit. (and hope I didn't fsck up somewhere *g*)

JimmyClif

JimmyClif
February 18th, 2002, 01:14
I couldn't resist and coded it quick and dirty

Code:
```
push ebx
xor ebx, ebx
.WHILE TRUE
    inc ebx
    mov eax, 021730F1Eh
    xor eax, ebx                 ; eax = target ^ ebx, so LP1 ^ LP2 == target
    mov LP1, eax
    mov LP2, ebx
    xor edx, edx
    mov dx, ax                   ; dx = low word of LP1, ax = high word after the shift
    shr eax, 16
    ; all four bytes of LP1 must be alphanumeric
    .IF ((al >= "0" && al <= "9") || (al >= "a" && al <= "z") || (al >= "A" && al <= "Z")) && ((dl >= "0" && dl <= "9") || (dl >= "a" && dl <= "z") || (dl >= "A" && dl <= "Z"))
    .IF ((ah >= "0" && ah <= "9") || (ah >= "a" && ah <= "z") || (ah >= "A" && ah <= "Z")) && ((dh >= "0" && dh <= "9") || (dh >= "a" && dh <= "z") || (dh >= "A" && dh <= "Z"))
        mov eax, LP2
        xor edx, edx
        mov dx, ax
        shr eax, 16
        ; ... and all four bytes of LP2 as well
        .IF ((al >= "0" && al <= "9") || (al >= "a" && al <= "z") || (al >= "A" && al <= "Z")) && ((dl >= "0" && dl <= "9") || (dl >= "a" && dl <= "z") || (dl >= "A" && dl <= "Z"))
        .IF ((ah >= "0" && ah <= "9") || (ah >= "a" && ah <= "z") || (ah >= "A" && ah <= "Z")) && ((dh >= "0" && dh <= "9") || (dh >= "a" && dh <= "z") || (dh >= "A" && dh <= "Z"))
            PrintHex LP1
            PrintHex LP2
            nop
            .break
        .ENDIF
        .ENDIF
    .ENDIF
    .ENDIF
    .IF ebx == 0FFFFFFFFh        ; whole 32-bit space searched, give up
        .break
    .ENDIF
.ENDW
pop ebx
```

PrintHex and PrintText are Debug Macros..
Gives me for:
LP1 : c C 9 Z
LP2 : B 0 6 D

(it's a 0 (zero) not an O (letter) )

I guess the code could be : cC9Z-B06D-7777-7777

If not... bah... throw the CrackMe into the Recycle Bin.. (I would do it :P )

The Keeper
February 18th, 2002, 01:40
Hi Jimmy, thanks for the help. Still not valid and I'm still looking at it; if you wanna have a go, check

www.geocities.com/boozeplace/serialme.zip

Resistance is futile, we gonna win.

JimmyClif
February 18th, 2002, 01:57
I did a little error switching the DWORDs around...

With my old code the result I gave you was Invalid Serial.
cC9Z-B06D-7777-7777

Switching the values around.. to:
Z9Cc D60B 7777 7777

gives me a weird MessageBox...

JimmyClif
February 18th, 2002, 01:59
Here's the Box:

JimmyClif
February 18th, 2002, 02:10
Hey alright... My answer is correct! It takes the good jump. But to make it go to the right OFFSET try to figure out what this line means in your little proggy:

.text:004010D1 sub eax, 292D2D36h

I'm outta here

; ----------------------- UPDATE --------------------------

Actually the sub eax,Nonsense is nonsense

He checks if the serial is correct doing a
xor edx,21tralalanumber
jmp [401031+edx]

Well, this will always be 401031 as edx is 0 after a successful xor.

My opinion... There's a bug

; ----------------------- ENDOF UPDATE ------------------

The Keeper
February 19th, 2002, 23:29
I've mailed the author after you posted the last msg and asked him to post something here, but no answer from him until now.

well maybe he'll appear

mrcrackbrain
February 20th, 2002, 06:44
It's no bug that it shows the "odd looking" msgbox.
It's just that there are several possible serials so that the "checksum" ends up to 21730F1Eh.

The rules said no bruteforcing; if you bruteforce, you will get an odd-looking msgbox. You could of course always bruteforce a bit further and get a good msgbox. But you should be able to manage without.

The thing is, read the readme once more. You can't reverse if you don't know what the destination value should be. Read the readme file, and you'll know the destination value.

I hope I didn't help too much, and I'm actually quite happy that this small serialme put up a nice discussion like this.

LaptoniC
February 20th, 2002, 10:30
What we want is the "serial accepted!" message. If we write this message as a series of dwords we will get
Set1
69726573 61206C61 70656363 21646574

The program subs 292D2D36h from the entered serial and XORs with [edi-10h]; if you look at this memory area you will see "invalid serial..". If we represent it as dwords we will get
Set2
61766E69 2064696C 69726573 2E2E6C61

What we should do is simple: XOR each element from set1 and set2 and add 292D2D36 to this result. Let's calculate the first 4 chars of the serial:

69726573 ^ 61766E69 = 8040B1A
8040B1A + 292D2D36 = 31313850, which is 118P as ASCII, but remember it is a dword; the correct order is P811.

Calculating in this way you will get

P811C2qjF3DBK6w8 as the final serial.
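Both reductions in this thread, as one added Python example that is not code from the thread or from the crackme: the checksum-only construction from death's and JimmyClif's posts (c == d cancel, a ^ b must equal 21730F1Eh bytewise), and LaptoniC's derivation of the intended serial from the two message strings. The strings, constants and little-endian dword layout are taken as quoted above; the function names are my own.

```python
import struct

CHECKSUM = 0x21730F1E            # value the XOR chain is compared with (from the thread)
SUB_CONST = 0x292D2D36           # constant subtracted from each serial dword (from the thread)
ACCEPTED = b"serial accepted!"   # message the crackme should display on success (set1 above)
INVALID = b"invalid serial.."    # bytes at [edi-10h] before the XOR (set2 above)
ALNUM = [ord(c) for c in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"]

def dwords(buf):
    """Split 16 bytes into four little-endian dwords, the way the x86 code loads them."""
    return list(struct.unpack("<4I", buf))

def xor_chain(serial):
    """The crackme's checksum: a ^ b ^ c ^ d over the serial's four dwords."""
    acc = 0
    for w in dwords(serial.encode("ascii")):
        acc ^= w
    return acc

def printable_pairs(t):
    """Alphanumeric byte pairs (x, y) with x ^ y == t. XOR is bytewise, so the
    32-bit search in JimmyClif's loop splits into four scans of 62 candidates."""
    return [(x, x ^ t) for x in ALNUM if (x ^ t) in ALNUM]

def checksum_only_serial(target=CHECKSUM):
    """JimmyClif's construction: c == d cancel out, so only a ^ b == target is needed."""
    choices = [printable_pairs(t) for t in target.to_bytes(4, "little")]
    if not all(choices):
        raise ValueError("a target byte has no alphanumeric XOR pair")
    a = bytes(p[0][0] for p in choices).decode("ascii")
    b = bytes(p[0][1] for p in choices).decode("ascii")
    return a + b + "77777777"

def derive_serial(accepted=ACCEPTED, invalid=INVALID, k=SUB_CONST):
    """LaptoniC's derivation: serial_i = (accepted_i ^ invalid_i) + k  (mod 2**32)."""
    words = [((a ^ i) + k) & 0xFFFFFFFF for a, i in zip(dwords(accepted), dwords(invalid))]
    return struct.pack("<4I", *words).decode("ascii")

def message_after_check(serial, invalid=INVALID, k=SUB_CONST):
    """Simulate the message step: each buffer dword becomes (serial_i - k) ^ invalid_i."""
    words = [((s - k) & 0xFFFFFFFF) ^ i for s, i in zip(dwords(serial.encode("ascii")), dwords(invalid))]
    return struct.pack("<4I", *words)

if __name__ == "__main__":
    bf = checksum_only_serial()
    print(bf, hex(xor_chain(bf)), message_after_check(bf))      # passes the checksum, but not the accepted message
    real = derive_serial()
    print(real, hex(xor_chain(real)), message_after_check(real))  # same checksum, and "serial accepted!"
```

Any printable pair found by the search passes the 21730F1Eh comparison, which is why the bruteforced serial got the "odd" box: the checksum has many preimages, and only the derived one also turns the message buffer into "serial accepted!".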

JimmyClif
February 20th, 2002, 12:46