1. ## Key generation

Hey all! First post here and I've got a question. I recently cracked my very first crackme, well I didn't crack it but had to give it a correct username/password. However, I didn't get to the right result by the method I originally imagined I would have to go by. The algorithm that the username uses is simple,

```asm
xor edi, edi
xor ebx, ebx
for each letter in the string:
    mov ebx, [letter]
    imul edi, 0a
    add edi, [ebx-30]   ; accumulate the digit (this step is missing from the listing above; reply 2 includes it)
once done:
xor edi, 5678
```
And the password algo is something very similar and simple as well. I imagined I would get an answer by backtracking through the equations, however this did not go well, and I basically had to try every letter combination to find a correct combination. And so my question, if backtracking was impossible (as in having to use a guess and check method) for such a simple algorithm, is the art of key generation really just the art of brute forcing? Is there a way I can find the input to equation 2 to give me the same output as equation 1, from the output of equation 1 without resorting to brute force?

Well, cheers all and happy holidays.

2. Well, there is no need to brute-force this at all.

Assuming that the last operation (xor edi,5678) must yield zero, your pass/serial (whatever it is) would be 22136 (though others are possible with so little information). The algorithm does the following: take numbers and concatenate them in the sequence they appear.
More mathematically it does it like this: (((x1 * 10 + x2) * 10 + x3) * 10 + x4) * 10 + x5 and so on.
If there are for instance eight numbers you can simplify this to: x1,x2x3x4x5x6x7x8 * 10^7, or more abstractly: (x1,x2...xn) * 10^(n-1)
Example: 2,2136 * 10^4 = 22136 with x1 = 2, x2 = 2, x3 = 1, x4 = 3 and x5 = 6
So, now that you know your numbers are just concatenated, you'll also see that the result is xored with 0x5678, which is 22136 (dec).
That's it.

Look at the algo:
```asm
xor edi, edi        ; <- zero edi
xor ebx, ebx        ; <- zero ebx

mov ebx, [letter]   ; <- after that ebx holds the hex value of the letter (for numbers this is 30 to 39 (0 - 9))
imul edi, 0a        ; <- result * 10 (dec) - it's zero in the first run
add edi, [ebx-30]   ; <- add the original number to the result - for the number 5 this is 35 - 30 = 5 again

xor edi, 5678       ; <- xor the result with 0x5678 or 22136 (dec)
```

That was easy, wasn't it?!

Hope that helps.

To answer your question: sometimes brute-force is the only way, but that's rare.
There is no mightier weapon than pen and paper.

Regards
darkelf

3. > To answer your question: sometimes brute-force is the only way, but that's rare.
   > There is no mightier weapon than pen and paper.

   Indeed.

   Woodmann

5. You're welcome.
Feel free to ask questions over and over again. It's the key for a better understanding.

Regards
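An added worked example for this thread (not code from either poster): it emulates the check as darkelf reads it in reply 2 and derives the serial from the xor constant on paper instead of brute-forcing. It assumes the crackme accepts the input when the final xor result is zero, and goes a bit beyond the reply by listing the other strings the same check accepts (leading zeros, and values that wrap around the 32-bit register).

```python
# Emulation of the crackme's digit loop from reply 2 and its pen-and-paper inverse.
# Assumption (not stated in the thread): the check passes when edi ends up zero.

MASK32 = 0xFFFFFFFF
XOR_KEY = 0x5678  # constant from the listing: xor edi, 5678 (hex) = 22136 decimal


def check(s: str) -> int:
    """Emulate the loop: edi = edi * 10 + (byte - 0x30) with 32-bit wrap, then xor."""
    edi = 0
    for ch in s:
        ebx = ord(ch)                                   # mov ebx, [letter]
        edi = ((edi * 10) & MASK32) + (ebx - 0x30)      # imul edi, 0a ; add edi, [ebx-30]
        edi &= MASK32                                   # registers are 32-bit
    return edi ^ XOR_KEY                                # xor edi, 5678


def keygen(target: int = 0) -> str:
    """Invert the check algebraically: the loop just builds the decimal number
    spelled by the digits, so the digits must spell target ^ XOR_KEY."""
    return str(target ^ XOR_KEY)


def alternates(count: int = 3) -> list:
    """Other inputs the same check accepts for target 0: a leading zero changes
    nothing, and adding multiples of 2**32 is invisible after the 32-bit wrap."""
    alts = ["0" + str(XOR_KEY)]
    for k in range(1, count):
        alts.append(str(XOR_KEY + k * (1 << 32)))
    return alts


if __name__ == "__main__":
    print("serial:", keygen())                      # 22136
    print("check:", check(keygen()))                # 0
    print("alternates:", alternates())
```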