MD5 + some bit math


Donan
December 30th, 2003, 11:58
Hi all =] I got a program with a nice MD5 crypto. But I don't think it's keygennable... It does some other stuff before MD5Init & MD5Update.
First, the program is coded in C++ using VC 6 and I think it is a serial-only protection. I think so because it asks for more stuff, but I don't see it getting used yet. I also got a valid key. It came with the soft when I bought it.

So... as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?

Code:

.text:004CF26B mov al, [esp+0C0h+var_A7] ; 2nd char
.text:004CF26F mov cl, [esp+0C0h+var_A8] ; 1st char
.text:004CF273 mov dl, al
.text:004CF275 and al, 3
.text:004CF277 shr dl, 2
.text:004CF27A shl cl, 3
.text:004CF27D add dl, cl
.text:004CF27F mov cl, [esp+0C0h+var_A6] ; 3rd char
.text:004CF283 shl al, 5
.text:004CF286 add al, cl
.text:004CF288 mov cl, [esp+0C0h+var_A5] ; 4th char
.text:004CF28C mov [esp+0C0h+var_B4], dl
.text:004CF290 mov dl, cl
.text:004CF292 shr dl, 4
.text:004CF295 shl al, 1
.text:004CF297 and dl, 1
.text:004CF29A and cl, 0Fh
.text:004CF29D add al, dl
.text:004CF29F mov bl, [esp+0C0h+var_99]
.text:004CF2A3 mov [esp+0C0h+var_B3], al
.text:004CF2A7 mov al, [esp+0C0h+var_A4]
.text:004CF2AB mov dl, al
.text:004CF2AD and al, 1
.text:004CF2AF shl cl, 4
.text:004CF2B2 shr dl, 1
.text:004CF2B4 add cl, dl
.text:004CF2B6 mov dl, [esp+0C0h+var_A3]
.text:004CF2BA mov [esp+0C0h+var_B2], cl
.text:004CF2BE mov cl, [esp+0C0h+var_A2]
.text:004CF2C2 shl al, 5
.text:004CF2C5 add al, dl
.text:004CF2C7 mov dl, cl
.text:004CF2C9 shr dl, 3
.text:004CF2CC shl al, 2
.text:004CF2CF and dl, 3
.text:004CF2D2 and cl, 7
.text:004CF2D5 add al, dl
.text:004CF2D7 mov dl, [esp+0C0h+var_A0]
.text:004CF2DB mov [esp+0C0h+var_B1], al
.text:004CF2DF mov al, [esp+0C0h+var_A1]
.text:004CF2E3 shl cl, 5
.text:004CF2E6 add cl, al
.text:004CF2E8 mov al, [esp+0C0h+var_9F]
.text:004CF2EC mov [esp+0C0h+var_B0], cl
.text:004CF2F0 mov cl, al
.text:004CF2F2 shr cl, 2
.text:004CF2F5 shl dl, 3
.text:004CF2F8 add cl, dl
.text:004CF2FA and al, 3
.text:004CF2FC mov [esp+0C0h+var_AF], cl
.text:004CF300 mov cl, [esp+0C0h+var_9E]
.text:004CF304 shl al, 5
.text:004CF307 add al, cl
.text:004CF309 mov cl, [esp+0C0h+var_9D]
.text:004CF30D mov dl, cl
.text:004CF30F and cl, 0Fh
.text:004CF312 shr dl, 4
.text:004CF315 shl al, 1
.text:004CF317 and dl, 1
.text:004CF31A add al, dl
.text:004CF31C mov [esp+0C0h+var_AE], al
.text:004CF320 mov al, [esp+0C0h+var_9C]
.text:004CF324 mov dl, al
.text:004CF326 and al, 1
.text:004CF328 shl cl, 4
.text:004CF32B shr dl, 1
.text:004CF32D add cl, dl
.text:004CF32F mov [esp+0C0h+var_AD], cl
.text:004CF333 mov cl, [esp+0C0h+var_9B]
.text:004CF337 shl al, 5
.text:004CF33A add al, cl
.text:004CF33C mov cl, [esp+0C0h+var_9A]
.text:004CF340 mov dl, cl
.text:004CF342 and cl, 7
.text:004CF345 shr dl, 3
.text:004CF348 shl al, 2
.text:004CF34B and dl, 3
.text:004CF34E add al, dl
.text:004CF350 shl cl, 5
.text:004CF353 mov [esp+0C0h+var_AC], al
.text:004CF357 add cl, bl
.text:004CF359 lea eax, [esp+0C0h+var_68]
.text:004CF35D mov [esp+0C0h+var_AB], cl
.text:004CF361 push eax
.text:004CF362 call sub_4D0610 ; MD5Init !!!!!!!!

mike
December 30th, 2003, 17:50
Quote:
[Originally Posted by Donan]So... as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?
Not necessarily; this part could very well be reversible. See if you can come up with a more concise way of representing the code--that will help you understand it.

What are the 1st through 4th chars you're talking about above? And what is in the other variables? At a glance, it looks to me like it's doing some roll-your-own crypto on a string before hashing it.

In order to tell whether it can be keygenned, find out where the comparison is done--what is being compared?
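
As an added example (not code from the thread or from the program being discussed), here is the byte shuffling between 4CF26B and 4CF35D written out in Python, the kind of concise rendering suggested above. The function names are mine, and the ordering assumed is var_A8..var_99 as the 16 input chars (1st char first) and var_B4..var_AB as the 10 output bytes.

```python
# Added example, not code from the thread: the byte shuffling between
# 4CF26B and 4CF35D rewritten at a high level. The register-level replay
# keeps 8-bit wraparound so it matches the listing for any input byte.

def _u8(x):
    # model an 8-bit register: every add/shl in the listing wraps here
    return x & 0xFF


def pack_as_listed(chars):
    """Replay the listing's arithmetic.

    chars: 16 byte values read from var_A8 (1st char) .. var_99 (16th).
    Returns the 10 bytes the code stores at var_B4 .. var_AB, in order,
    i.e. the buffer that is filled right before the MD5Init call.
    """
    c = list(chars)
    if len(c) != 16:
        raise ValueError("the listing consumes exactly 16 input chars")
    out = []
    for base in (0, 8):  # the same 5-byte group is emitted twice
        c0, c1, c2, c3, c4, c5, c6, c7 = c[base:base + 8]
        out.append(_u8((c0 << 3) + (c1 >> 2)))  # var_B4 / var_AF
        out.append(_u8((_u8(((c1 & 3) << 5) + c2) << 1) + ((c3 >> 4) & 1)))  # var_B3 / var_AE
        out.append(_u8(((c3 & 0xF) << 4) + (c4 >> 1)))  # var_B2 / var_AD
        out.append(_u8((_u8(((c4 & 1) << 5) + c5) << 2) + ((c6 >> 3) & 3)))  # var_B1 / var_AC
        out.append(_u8(((c6 & 7) << 5) + c7))  # var_B0 / var_AB
    return bytes(out)


def pack_5bit(values):
    """The same thing stated plainly: when every input is a 5-bit value,
    the listing concatenates 16 x 5 bits MSB-first into 80 bits = 10 bytes."""
    bits = 0
    for v in values:
        bits = (bits << 5) | (v & 0x1F)
    return bits.to_bytes(10, "big")


def unpack_5bit(data):
    """Inverse of pack_5bit: no bit is discarded, so this stage is lossless."""
    bits = int.from_bytes(data, "big")
    return [(bits >> (5 * (15 - i))) & 0x1F for i in range(16)]


if __name__ == "__main__":
    sample = list(range(16))  # constructed input, not a real key
    assert pack_as_listed(sample) == pack_5bit(sample)
    assert unpack_5bit(pack_5bit(sample)) == sample
    print(pack_as_listed(sample).hex())
```

For inputs that are already 5-bit values the listing is nothing more than MSB-first packing of 16 chars into 10 bytes, which unpack_5bit undoes, so this stage itself discards no information; anything hard to reverse has to come from the MD5 step and the comparison after it.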

ZaiRoN
December 30th, 2003, 17:56
Hi Donan,
Quote:
as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?
There are a lot of shl/shr/and instructions, but I don't think they will stop you from writing a keygen... it depends.
You have to tell us more details like:
- is it really a serial protection only?
- the md5 algo is applied to what? Is it applied to a value obtained by the code between 4CF26B and 4CF35D? What is '[esp+0C0h+var_68]'?
- is the value returned by md5 algo compared with something?
and so on...

Best regards,
ZaiRoN

ZaiRoN
December 30th, 2003, 17:58
Oops, sorry Mike. I did not see your post.

Donan
February 10th, 2004, 22:40
Thanks Mike and Zairon! I just got back from my vacation... I'll take a deeper look and post again =D