
View Full Version : Any one see this Cryptographic?


winndy
October 13th, 2005, 09:30
0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3

What is this cryptographic algorithm?
Does anyone know?
Thanks!

Admiral
October 13th, 2005, 11:06
Are we expected to work this out without knowing anything else?
It looks like a bunch of hash values or perhaps an encoded string to me (ASCII ".I.k....?QW...c..V.P.Z.q{.<.....").
If they are hash values, they are either semi-random or pertain to a cipher that Google hasn't heard of.

Maybe you could tell us (preferably in pseudocode rather than a hung ASM listing) how this string is being used.

nikolatesla20
October 13th, 2005, 11:31
I've seen code similar to this in Armadillo - in that case it was just an encryption for the IAT redirection code - it was values used to decrypt the real code..

-nt20

SiGiNT
October 13th, 2005, 16:05
I don't think it's arma - the addresses involved indicate an unpacked portion of code - but it could be anything even a password.

SiGiNT

LLXX
October 13th, 2005, 16:07
Without being able to look at the surrounding code, I'd guess this is the initial state of a proprietary 256-bit hasher. Google doesn't turn up any results for all of the four dwords above.

winndy
October 13th, 2005, 23:46
Thanks all!
The target is I did not read the FAQ
The official site is: I did not read the FAQ
It's easy to patch. But I am trying to make a keygen.
Code:

0041C220 > \6A FF push -1
0041C222 . 68 191D4300 push _to_A.00431D19 ; SE handler installation
0041C227 . 64:A1 00000>mov eax,dword ptr fs:[0]
0041C22D . 50 push eax
0041C22E . 64:8925 000>mov dword ptr fs:[0],esp
0041C235 . 81EC 940000>sub esp,94
0041C23B . 8B8424 A400>mov eax,dword ptr ss:[esp+A4]
0041C242 . 53 push ebx
0041C243 . 56 push esi
0041C244 . 50 push eax
0041C245 . 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
0041C289 . E8 E8280100 call <jmp.&MFC42.#537> ; kernel32.lstrlenA;MSVCRT.memcpy
0041C28E . 8B8C24 B000>mov ecx,dword ptr ss:[esp+B0]
0041C295 . C78424 A400>mov dword ptr ss:[esp+A4],0
0041C2A0 . 51 push ecx
0041C2A1 . 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0041C2A5 . E8 CC280100 call <jmp.&MFC42.#537>
0041C2AA . 8B5424 0C mov edx,dword ptr ss:[esp+C]
0041C2AE . 8B35 BC2544>mov esi,dword ptr ds:[<&MSVCRT._mbscmp>>; msvcrt._mbscmp
0041C2B4 . 68 60FC4300 push _to_A.0043FC60 ; /s2 = ""
0041C2B9 . 52 push edx ; |s1
0041C2BA . C68424 AC00>mov byte ptr ss:[esp+AC],1 ; |
0041C2C2 . FFD6 call esi ; \_mbscmp




if(Decipher(Registrationcode)==username)
Registration successful.

It seems to be the initial value.
It should be a symmetric cipher.
cipher(username)=Registrationcode

LLXX
October 14th, 2005, 00:39
No target names are allowed here... read the FAQ!

Bra!NSHiT
October 14th, 2005, 04:13
Hey guys ... perhaps it could be 256-bit RSA because ...

CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B seems ok to factor with ppsiqs.

But on the other hand:

There are only 2 calls before the compare, 2x lstrlen. Where is the calculation of user/key? I think, if you want to keygen this ... you are in the wrong place, imho.

Regards

winndy
October 14th, 2005, 08:59
Bra!NSHiT, I appreciate your help.
I will try RSA.
But this is only a piece of the code;
there are several calls below.

Thanks!

Regards

winndy
October 17th, 2005, 05:48
Yeah!
It's RSA.
N=CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B is a big number.
ppsiqsv1.1 gets p and q:
p=E4E7E39EE5E5C98788BF466DDCBAB2DF
q=E84C8EBF8D5AA6A5ACB2569542DBCBF5
E:10001
te's rsa tool gets D:
D:3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1

Thanks all!


Regards
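
Added example (not part of the original thread and not any poster's code): the eight immediates in the listing are the little-endian dwords of one 256-bit integer, which the thread identifies as an RSA modulus. The Python below reassembles them from the listing text, flags the size against an assumed 2048-bit minimum (`MIN_RSA_BITS`), and checks whether the posted p and q multiply back to N. The function names `reassemble` and `audit` are hypothetical.

```python
import re

# Constructed input: the eight stores copied from the listing in this thread.
LISTING = """\
mov dword ptr ss:[esp+60],CD49046B
mov dword ptr ss:[esp+64],829A80CB
mov dword ptr ss:[esp+68],3F5157C0
mov dword ptr ss:[esp+6C],B50C6384
mov dword ptr ss:[esp+70],AA56D550
mov dword ptr ss:[esp+74],B05ADF71
mov dword ptr ss:[esp+78],7B2E3CD4
mov dword ptr ss:[esp+7C],CFB69AC3
"""
# Factors as posted later in the thread.
P = int("E4E7E39EE5E5C98788BF466DDCBAB2DF", 16)
Q = int("E84C8EBF8D5AA6A5ACB2569542DBCBF5", 16)
MIN_RSA_BITS = 2048  # assumption: minimum modulus size accepted by this audit

STORE = re.compile(r"mov dword ptr ss:\[esp\+([0-9A-F]+)\],([0-9A-F]{8})")

def reassemble(listing):
    """Join contiguous dword stores into one integer (lowest offset = least significant)."""
    stores = sorted((int(off, 16), int(val, 16)) for off, val in STORE.findall(listing))
    if not stores:
        raise ValueError("no dword stores found")
    base = stores[0][0]
    n = 0
    for i, (off, val) in enumerate(stores):
        if off != base + 4 * i:  # a gap or duplicate means this is not one buffer
            raise ValueError("stores are not contiguous")
        n |= val << (32 * i)
    return n

def audit(listing, p, q):
    """Report the embedded modulus, its size, and whether p*q reproduces it."""
    n = reassemble(listing)
    return {
        "modulus_hex": format(n, "X"),
        "bits": n.bit_length(),
        "too_small": n.bit_length() < MIN_RSA_BITS,
        "factors_match": p * q == n,
    }

if __name__ == "__main__":
    for key, value in audit(LISTING, P, Q).items():
        print(f"{key}: {value}")
```
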

Rummy
October 23rd, 2005, 08:51
Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.

winndy
October 23rd, 2005, 09:06
Quote:
[Originally Posted by Rummy]Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.


But Rummy, you are not a drinker like your nickname. You are full
of humour.