# Thread: Key generation

1. ## Key generation

Hey all! First post here and I've got a question. I recently cracked my very first crackme, well I didn't crack it but had to give it a correct username/password. However, I didn't get to the right result by the method I originally imagined I would have to go by. The algorithm that the username uses is simple,

Code:
```xor edi, edi
xor ebx, ebx
for each letter in the string:
mov ebx,[letter]
imul edi, 0a
add edi, [ebx-30]
once done:
xor edi,5678```
And the password algo is something very similar and simple as well. I imagined I would get an answer by backtracking through the equations, however this did not go well, and I basically had to try every letter combination to find a correct combination. And so my question, if backtracking was impossible (as in having to use a guess and check method) for such a simple algorithm, is the art of key generation really just the art of brute forcing? Is there a way I can find the input to equation 2 to give me the same output as equation 1, from the output of equation 1 without resorting to brute force?

Well, Cheers all and happy holidays.

2. Well, there is no need to brute-force this at all.

Assumed that the last operation (xor edi,5678) must yield zero, your pass/serial whatever would be 22136 (though there are others possible with so little information). The algorithm does the following: take numbers and concatenate them in the sequence they appear.
More mathematically it does it like this: (x1 * 10 + x2) * 10 + x3) * 10 + x4) * 10 + x5 aso.
If there are for instance eight numbers you can simplify this to: x1, x2x3x4x5x6x7x8 * 10^7 or more abstract: (x1,x2...xn) * 10^(n-1)
Example: 2,2136 * 10^4 = 22136 with x1 = 2, x2 = 2, x3 = 1, x4 = 3 and x5 = 6
So, now that you know your numbers are just concatenated you'll also see, that the result is xored with 0x5678 which is 22136(dec).
That's it.

Look at the algo:
xor edi, edi <- zero edi
xor ebx, ebx <- zero ebx

mov ebx,[letter] <-after that ebx holds the hexvalue of the letter (for numbers this is 30 to 39 (0 - 9))
imul edi, 0a <- result * 10(dec) - it's zero in the first run
add edi, [ebx-30] <- add the original number to the result - for the number 5 this is 35 - 30 = 5 again

xor edi,5678 <- xor the result with 0x5678 or 22136(dec)

That was easy wasn't it?!

Hope that helps.

To answer your question: sometimes brute-force is the only way, but that's rare.
There is no mightier weapon than pen and paper.

Regards
darkelf

3. To answer your question: sometimes brute-force is the only way, but that's rare.
There is no mightier weapon than pen and paper.
Indeed.

Know your code.

Woodmann

4. I am very thankful for your simple and clear answer.

5. You're welcome.
I'm glad I could help you a bit on your way into the realm of RCE.
Feel free to ask questions over and over again. It's the key for a better understanding.

Regards

#### Posting Permissions

• You may not post new threads
• You may not post replies
• You may not post attachments
• You may not edit your posts
•