Page 3 of 3 FirstFirst 123
Results 31 to 40 of 40

Thread: Crack me help

  1. #31
    Quote Originally Posted by blabberer View Post
    if you want to test the generation and try your hand at bruteforcing till you can keygen

    put this in a txt file and run windbg like this
    Code:
    windbg -c "$$>a< setuppw.txt" Setup.exe
    here are the commands

    Code:
    bp /1 KERNEL32!VirtualAlloc;
    g;
    gu;
    r $t1= @eax+26b0;
    ba w1 /1 @$t1;
    g;
    r $t2 = @eax;
    db @$t2;
    ba r1 @$t1-8;
    g;
    g;
    bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";
    g;
    Hi blabberer, if I run windbg with the setuppw.txt script file in the command line windbg does not break when I enter anything into the password edit box. After pressing next and entering something into the edit box windbg does not break. I think the problem is that BP ba r1 @$t1-8; does not get hit (I tried to follow the procedure manually). It is strange that after entering a string of length 23 and with the first 10 chars valid it does still not break

    Name:  setuppw.jpg
Views: 3978
Size:  139.5 KB

  2. #32
    Quote Originally Posted by TB10 View Post
    But it intrests me how the encryption works and is there a way to decrypt that thing in ollydbg(or other) it seems that the encryption algorythm is not randomize, that means, for example 123 results always in same encrypted letters, but it depends on the whole combination of the Password, not on single letters.
    Hi TB10, technically it may not be regarded as encryption in that the keygen process is irreversible, information is lost, you can't come up with a decryption algo that restores the original password (unless for specific cases). Try to understand what is going on in that function crackz pointed out and I'm sure you will understand much better. The function is not very long or hard to understand/reverse. You also have some hints in this thread about what is going on in that function if need input

  3. #33
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,048
    Blog Entries
    5
    Pardon me if you already did, but did you modify the script to use the offset that *you* are getting (269C)?

    The offset will change a bit depending, as I found out, on the length of the full pathname of the exe. For example, if I run setup.exe from the folders
    C:\, C:\a or C:\ab - the password key is copied to offset 2678
    the slightly longer pathname C:\abc - offset is shifted to 267C
    an even longer pathname - offset 2680

    Apparently something related to the pathname is stored in the virtual memory block before the password string and that shifts everything depending on the length.

  4. #34
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    yes it doesnt look like any encryption but some pseudo random generator based on some original password i guessed so when i first saw the second and third charecters are replaced on addition of every charecter to the password because it is generated based on the lenght of the pw
    (generated from backwards) so obviously every thing would depend on the lenght of the pw

    yes as kayaker pointed out the offsets do change based on various factors like path name , password lenght etc the algo keeps on copy pasting data to different places in the allocated 0x28000 block.

    in your screen shot i see the 2 bps hit so you may need to view memory a bit up and down and see where the generated hash is stored
    my script wont let windbg break it will simply print the output and keep on continuing and you can watch the passowrd generated as you enter charecters in the edit box (if you loose focus of edit box it will be quiet some time to see them again till WM_PAINT WM_MOUXEXXXX msgs are processed by the windowing system ) keep windbg in background and crackme in top of Z order and enter password to view output in windbg below

    i trivially bruteforced it in ollydbg with the ripped algo from sub crackZ hinted but there are further checks and from a fleet glance at comparison algo next to the sub i think you need a password that is of certain length and 23 is not the right size either add eax,eax or cmp ch.bh should set the zer0 flag ) so that dl is set in sete dl
    here is a full password for your test

    Code:
    CX2g!F%q2FP]$f,B+7,&@G.000000000000
    Press any key to continue . . .

    here is the shabby shitty bruteforcer for the above password
    Code:
    // setuppw.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #define HARDCODED_HASH_LENGHT 0x17
    #define CRYPTED_HASH_LENGTH HARDCODED_HASH_LENGHT + 0xc
    
    BYTE HARDCODED_HASH[HARDCODED_HASH_LENGHT] = //009926A8  PX1QGTTEU<S7?<9T43387M3
    {
        0x50, 0x58, 0x31, 0x51, 0x47, 0x54, 0x54, 0x45,
        0x55, 0x3C, 0x53, 0x37, 0x3F, 0x3C, 0x39, 0x54, 
        0x34, 0x33, 0x33, 0x38, 0x37, 0x4D, 0x33 
    };
    
    BYTE CRYPTED_HASH[CRYPTED_HASH_LENGTH] = {0};
    BYTE PASSWORD_HASH[CRYPTED_HASH_LENGTH] = {0};
    DWORD count = 0;
    
    int _tmain(int argc, _TCHAR* argv[])
    {
        //  i started with '!' filled buffer to brute force but i saw it generating non printable bytes
        // so ripped correct printable bytes from ollydbg to the array which made the generation of all printable
        // charecters possible the array below generates a correct HARDCODED_HASH but few more checks need to be 
        // passed in the comaprison algo (add eax,eax or cmp ch.bh one of this should set the zero flag)
        // have fun finding how to do it :)
    
        memset(&CRYPTED_HASH,0x21,sizeof(CRYPTED_HASH));
    
        CRYPTED_HASH[0] = 'C';
        CRYPTED_HASH[1] = 'X';
        CRYPTED_HASH[2] = '2';
        CRYPTED_HASH[3] = 'g';
        CRYPTED_HASH[4] = '!';
        CRYPTED_HASH[5] = 'F';
        CRYPTED_HASH[6] =  '%';
        CRYPTED_HASH[7] = 'q';
        CRYPTED_HASH[8] = '2';
        CRYPTED_HASH[9] = 'F';
        CRYPTED_HASH[10] = 'P';
        CRYPTED_HASH[11] = ']';
        CRYPTED_HASH[12] = '$';
        CRYPTED_HASH[13] = 'f';
        CRYPTED_HASH[14] = ',';
        CRYPTED_HASH[15] = 'B';
        CRYPTED_HASH[16] = '+';
        CRYPTED_HASH[17] = '7';
        CRYPTED_HASH[18] = ',';
        CRYPTED_HASH[19] = '&';
        CRYPTED_HASH[20] = '@';
        CRYPTED_HASH[21] = 'G';
        CRYPTED_HASH[22] = '.';
    
    
        __asm
        {
            pushad
    redo:
            xor edi,edi
                mov ebp,CRYPTED_HASH_LENGTH
                mov esi,1
    looper:
            mov eax, offset CRYPTED_HASH[0]
            movzx eax,byte ptr [eax+esi-1]
            mov edx,eax
                mov ecx,CRYPTED_HASH_LENGTH
                sub ecx,esi
                imul ecx,edi
                add edx,ecx
                add edi,edx
                mov ebx,eax
                imul ebx,edi
                add ebx,esi
    BACK:
            mov eax,ebx
                mov ecx,5ah
                xor edx,edx
                div ecx
                imul eax,eax,5ah
                sub ebx,eax
                cmp ebx,30h
                jnb FORWARD
                add ebx,30h
    FORWARD:
            cmp ebx,2fh
                jbe BACK
                cmp ebx,5bh
                jnb BACK
                mov eax,offset PASSWORD_HASH[0]
            mov byte ptr [eax+esi-1],bl
                inc esi
                dec ebp
                jnz looper
                push ebx
                mov ebx,offset HARDCODED_HASH[0]
            add ebx,count
                movzx ebx,byte ptr [ebx]
            push eax
                add eax,count
                cmp byte ptr [eax] , bl
                pop eax
                pop ebx
                je ARGH
                push ebx
                mov ebx,offset CRYPTED_HASH[0]
            add ebx,count
                inc Byte ptr [ebx]
            pop ebx
                jmp redo
    ARGH:
            cmp count,0x16
                je finished
                inc count
                jmp redo
    finished:
            popad
        }
        printf("%s\n",&CRYPTED_HASH);
        return 0;
    }

    the windbg output from script take a look at last output it shows full comaprison


    Code:
    ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\apphelp.dll
    ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
    Breakpoint 0 hit
    Breakpoint 0 hit
    ModLoad: 4b400000 4b486000   C:\WINDOWS\system32\msftedit.dll
    Breakpoint 0 hit
    009b40c4  50 00 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P.....A...A.4?..................
    009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
    009b40c4  50 34 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P4....A...A.4?..................
    009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
    ================
    009b40c4  50 38 42 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P8B...A...A.4?..................
    009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
    ================
    ================
    009b40f4  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 50 3b 4a 3f 46 4f 36 37 50  PX1QGTTEU<S7?<9T43387M3P;J?FO67P
    009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
    ================
    since this post developed a bit more than the usual google and poster disappearing after that without making effort or if he made effort without sharing the results
    i took a loook again to complete the brute forcing again in ollydbg with the code above with only one modification that of making both hash length equal viz 0x17
    because add eax eax can set the zero flag only if eax is 0 and eax can be zero only when both lengths are equal

    this password solves the mystery
    Code:
    wbd584e'!P"/AX6$s/!L>1+
    anyone want to post a neat and clean keygen for this ??

    the concept should be the buffer must be filled with say 0x20 (first printable charecter <space> for 0x17 characters
    increased one at a time upto 0x7f (last printable charecter viz ~ tilde) till the first character of the hardcoded hash is found viz 'P'.

    then second X (if no valid second increase first by one and reset count back to zero so the next valid charecter for P is found

    in my case above 'C' produced 'P' with certain sequnce of charecters in first brute session

    in the second brute session 'w' produces 'P' with another sequence

    and remember to reset the rest of characters back to what it was viz 0x20 before relooping to find the next character

    it is fs$%%% easy to brute in this manner in ollydbg manually with the ripped algo no need to even pause the app can be done with just binary edit in dump window
    while the exe is running need just one breakpoint at inc count line

    i modified the code above a little bit to check for minimum acceptable charecter as PASSWORD for runnning brute session in ollydbg

    Code:
    // setuppw.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #define HARDCODED_HASH_LENGHT 0x17
    #define CRYPTED_HASH_LENGTH HARDCODED_HASH_LENGHT
    
    BYTE HARDCODED_HASH[HARDCODED_HASH_LENGHT] = //009926A8  PX1QGTTEU<S7?<9T43387M3
    {
        0x50, 0x58, 0x31, 0x51, 0x47, 0x54, 0x54, 0x45,
        0x55, 0x3C, 0x53, 0x37, 0x3F, 0x3C, 0x39, 0x54, 
        0x34, 0x33, 0x33, 0x38, 0x37, 0x4D, 0x33 
    };
    
    BYTE CRYPTED_HASH[CRYPTED_HASH_LENGTH] = {0};
    BYTE PASSWORD_HASH[CRYPTED_HASH_LENGTH] = {0};
    DWORD count = 0;
    
    int _tmain(int argc, _TCHAR* argv[])
    {
        //  i started with '!' filled buffer to brute force but i saw it generating non printable bytes
        // so ripped correct printable bytes from ollydbg to the array which made the generation of all printable
        // charecters possible the array below generates a correct HARDCODED_HASH but few more checks need to be 
        // passed in the comaprison algo (add eax,eax or cmp ch.bh one of this should set the zero flag)
        // have fun finding how to do it :)
    
        memset(&CRYPTED_HASH,0x20,sizeof(CRYPTED_HASH));
    
        //CRYPTED_HASH[0] = 'C';
        //CRYPTED_HASH[1] = 'X';
        //CRYPTED_HASH[2] = '2';
        //CRYPTED_HASH[3] = 'I';
        //CRYPTED_HASH[4] = 't';
        //CRYPTED_HASH[5] = '\\';
        //CRYPTED_HASH[6] =  '-';
        //CRYPTED_HASH[7] = 'i';
        //CRYPTED_HASH[8] = '5';
        //CRYPTED_HASH[9] = 'X';
        //CRYPTED_HASH[10] = 'h';
        //CRYPTED_HASH[11] = '9';
        //CRYPTED_HASH[12] = '\\';
        //CRYPTED_HASH[13] = '@';
        //CRYPTED_HASH[14] = '6';
        //CRYPTED_HASH[15] = 'z';
        //CRYPTED_HASH[16] = '5';
        //CRYPTED_HASH[17] = 'A';
        //CRYPTED_HASH[18] = '7';
        //CRYPTED_HASH[19] = '^';
        //CRYPTED_HASH[20] = '>';
        //CRYPTED_HASH[21] = '-';
        //CRYPTED_HASH[22] = ':';
    
        // wbd584e'!P"/AX6$s/!L>1+
    
    
        __asm
        {
            pushad
    redo:
            xor edi,edi
                mov ebp,CRYPTED_HASH_LENGTH
                mov esi,1
    looper:
            mov eax, offset CRYPTED_HASH[0]
            movzx eax,byte ptr [eax+esi-1]
            mov edx,eax
                mov ecx,CRYPTED_HASH_LENGTH
                sub ecx,esi
                imul ecx,edi
                add edx,ecx
                add edi,edx
                mov ebx,eax
                imul ebx,edi
                add ebx,esi
    BACK:
            mov eax,ebx
                mov ecx,5ah
                xor edx,edx
                div ecx
                imul eax,eax,5ah
                sub ebx,eax
                cmp ebx,30h
                jnb FORWARD
                add ebx,30h
    FORWARD:
            cmp ebx,2fh
                jbe BACK
                cmp ebx,5bh
                jnb BACK
                mov eax,offset PASSWORD_HASH[0]
            mov byte ptr [eax+esi-1],bl
                inc esi
                dec ebp
                jnz looper
                push ebx
                mov ebx,offset HARDCODED_HASH[0]
            add ebx,count
                movzx ebx,byte ptr [ebx]
            push eax
                add eax,count
                cmp byte ptr [eax] , bl
                pop eax
                pop ebx
                je ARGH
    adder:
            push ebx
                mov ebx,offset CRYPTED_HASH[0]
            add ebx,count
                inc Byte ptr [ebx]
            pop ebx
                jmp redo
    ARGH:
            push ebx
                mov ebx,offset CRYPTED_HASH[0]
            add ebx,count
                movzx ebx,byte ptr [ebx]
            cmp bl, 0x21
                pop ebx
                jl adder
                cmp count,0x16
                je finished
                inc count
                jmp redo
    finished:
            popad
        }
        printf("%s\n",&CRYPTED_HASH);
        return 0;
    }
    Last edited by blabberer; December 31st, 2013 at 13:42.

  5. #35
    Hi blabberer, I'm impressed how quickly you dig up this info and to be honest the amount of info is a bit overwhelming

    yes as kayaker pointed out the offsets do change based on various factors like path name , password lenght etc the algo keeps on copy pasting data to different places in the allocated 0x28000 block.
    Thanks to both of you for pointing that out. I was not aware of this. I admit I was also a bit confused about exactly what byte the ba BP should be targeting. My string is indeed stored at offset 0x269c, therefore I was slightly confused that the target byte seems to be offset 0x269c-8. That seems be some kind of ID field...

    Code:
    struct DelphiString
    {
      int ID;
      int Length;
      char array[Length];
    };
    And this ID field is obviously being read every time a char is appended. After fixing the offset windbg now spits out a bunch of lines like this

    Code:
    ================
    00992090  a4 4c 40 00 00 00 00 00-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 20 99 00 b8 74 40 00  .L@...................... ...t@.
    00992694  01 00 00 00 17 00 00 00-50 58 31 51 47 54 54 45 55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00  ........PX1QGTTEU<S7?<9T43387M3.
    ================


    in your screen shot i see the 2 bps hit so you may need to view memory a bit up and down and see where the generated hash is stored
    my script wont let windbg break it will simply print the output and keep on continuing and you can watch the passowrd generated as you enter charecters in the edit box (if you loose focus of edit box it will be quiet some time to see them again till WM_PAINT WM_MOUXEXXXX msgs are processed by the windowing system ) keep windbg in background and crackme in top of Z order and enter password to view output in windbg below
    Isn't it correctly understood that the windbg script is only supposed to break during build up of the target hash? I get the impression that windbg also should dump info (that the ba BP triggers) when entering chars into the edit box. That is not happening

    I will have to wait until tomorrow to look into those additional checks you mention and also your very neat keygen

  6. #36
    Quote Originally Posted by blabberer View Post
    i trivially bruteforced it in ollydbg with the ripped algo from sub crackZ hinted but there are further checks and from a fleet glance at comparison algo next to the sub i think you need a password that is of certain length and 23 is not the right size either add eax,eax or cmp ch.bh should set the zer0 flag ) so that dl is set in sete dl
    here is a full password for your test

    Code:
    CX2g!F%q2FP]$f,B+7,&@G.000000000000
    Press any key to continue . . .
    That password looks like one of your 'encrypted' windbg commands
    You may be right, there could be further checks in that there are many xrefs to the function at 0040C5A8 that updates the enable state of a window (including the next button).
    I have now taken a quite detailed look at the comparison algo and I'm pretty sure that the password/key must be of length 23. If this is not the case the comparison does not set the zero flag.
    The comparison algo computes the minimum string length between the two strings. Eax contains the difference in lengths between the two strings. Therefore in the end "add eax,eax" will clear the zero flag if the lengths are not equal.
    If I paste CX2g!F%q2FP]$f,B+7,&@G.000000000000 into the password field the next button is not enabled but I'm sure if you mean that this should be the case..

    Edit. Sorry I can see further down in your post that you already found out about the add eax,eax. So if I understand your keygen algo correct (I have to compile it later, need to install visual studio) then you start with an initial guess and then you process one char at a time until you find the 'closest' valid password/key. One thing that could be interesting to know is if the creator of the crackme used a password that had some meaning like 'ShaniaTwainsSecondLover' or something but that seems very difficult considering the vast number of valid passwords that can be generated.
    Last edited by niaren; January 2nd, 2014 at 15:49.

  7. #37
    Hi blabberer,

    I found this link for demystifying the $$>a< part of the windbg command line.
    http://msdn.microsoft.com/en-us/library/windows/hardware/ff566261%28v=vs.85%29.aspx

    But I'm still not done with the line
    bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";

    I understand that the line executes the commands when the 0th BP is reached instead of breaking. But I'm unsure about the gc part. It seems to turn the BP into a conditional BP but what is the condition?

    If I put the following lines into setuppw.txt

    Code:
    bp 416c4e;
    g;
    bs 0 "db /c 20 @eax L20;db /c 20 @edx L20;.echo ================;gc";
    g;
    I get sort of what I think you also intended, namely that the target hash and the input hash is shown right above each other. However, it is annoying that the BP is hit so many times.

  8. #38
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    bs does not execute any commands
    it updates the existing breakpoint

    in this context ba r1 breakpoint is hit two times and run two times to avoid spurious breaks
    on the second break the break point is updated to print esi and @$t2 and continue without breaking
    gc is continue from conditional breakpoint command it is equivalent to pressing g in windbg command window but
    satisfies certain internal varibales set in windbg while it broke on a condition g alone instead of gc should work without problems
    but gc is recommended to be used in conditional breaks instead of g


    omg you still havent found why it breaks so many time step away and start from start

    hint indirectly uses a driver in ring 0 go search


    well to compile the algo you dont need vs even old 9 mb bcc if you substitute unsigned long to DWORD byte gcc should be able to compile that
    strip the stdafx crap
    #include stdio , windows .hhh
    compiler foo.cpp


    yes it is manual brute forcing and can be done quiet fast (15 20 minutes max )inspite of 17 character and full printable set of possibilities.

  9. #39
    Quote Originally Posted by blabberer View Post
    omg you still havent found why it breaks so many time step away and start from start
    hehe, I do know its a timer callback and placing a BP in it explains why the there is so many breaks!


    yes it is manual brute forcing and can be done quiet fast (15 20 minutes max )inspite of 17 character and full printable set of possibilities.
    Then I definitely have to try it because Matlab seemed to be faster! (and that cannot be true of course).

    Thanks for all your patience on the windbg explanations its been quite fun to play with it

  10. #40
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    yes it is a TimerCallback so once the clock ticked it is bound to break

    btw when i wrote 15 20 minutes i was not sure of exact time just to be sure i ran it again this time in windbg from start and all it takes is 7 iterations in windbg to retrieve a password the breaks are manual breaks with ctrl+break due to infinte looping caused by invalid charecter

    Code:
    =4PC1HSM&2t/=J2Ruo..&s)
    src code converted to masm below also attached is an assembled binary

    Code:
    .386
    .model flat, stdcall
    option casemap:none
    include f:\masm32\include\windows.inc
    include f:\masm32\include\KERNEL32.inc
    include f:\masm32\include\masm32.inc
    includelib f:\masm32\lib\KERNEL32.lib
    includelib f:\masm32\lib\masm32.lib
    
    .data 
        HARDCODED_HASH db 50h,58h,31h,51h,47h,54h,54h,45h,55h,3Ch,53h,37h,3Fh,3Ch,39h,54h,34h,33h,33h,38h,37h,4Dh,33h,00h
        CRYPTED_HASH   db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        PASSWORD_HASH  db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        count dd 0;
    	FormatStr db "%s\n",0
    
    .data?
    buffer db 512 dup(?)
    
    .code 
    start:
    	pushad
    redo:
    	xor edi,edi
    	mov ebp,17h
    	mov esi,1
    looper:
    	mov eax, offset CRYPTED_HASH[0]
    	movzx eax,byte ptr [eax+esi-1]
    	mov edx,eax
    	mov ecx,17h
    	sub ecx,esi
    	imul ecx,edi
    	add edx,ecx
    	add edi,edx
    	mov ebx,eax
    	imul ebx,edi
    	add ebx,esi
    BACK:
    	mov eax,ebx
    	mov ecx,5ah
    	xor edx,edx
    	div ecx
    	imul eax,eax,5ah
    	sub ebx,eax
    	cmp ebx,30h
    	jnb FORWARD
    	add ebx,30h
    FORWARD:
    	cmp ebx,2fh
    	jbe BACK
    	cmp ebx,5bh
    	jnb BACK
    	mov eax,offset PASSWORD_HASH[0]
    	mov byte ptr [eax+esi-1],bl
    	inc esi
    	dec ebp
    	jnz looper
    	push ebx
    	mov ebx,offset HARDCODED_HASH[0]
    	add ebx,count
    	movzx ebx,byte ptr [ebx]
    	push eax
    	add eax,count
    	cmp byte ptr [eax] , bl
    	pop eax
    	pop ebx
    	je ARGH
    adder:
    	push ebx
    	mov ebx,offset CRYPTED_HASH[0]
    	add ebx,count
    	inc Byte ptr [ebx]
    	pop ebx
    	jmp redo
    ARGH:
    	push ebx
    	mov ebx,offset CRYPTED_HASH[0]
    	add ebx,count
    	movzx ebx,byte ptr [ebx]
    	cmp bl, 021h
    	pop ebx
    	jl adder
    	cmp count,016h
    	je finished
    	inc count
    	jmp redo
    finished:
    	popad
    	mov eax, offset CRYPTED_HASH[0] 
    	invoke StdOut , eax
    	retn
    end start

    run in windbg
    set this break
    fill the buffer and run the exe
    reset buffer and count few times until you get a password like below

    Code:
    0:000> bp 4010a2 "db /c 18 403018  l18;gc"  
    0:000> eb 403018 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 2e 26 20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =.&                    .
    (f1c.19c): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 28 20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4(                    .
    (f1c.ac4): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 29 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 44 20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4D                    .
    (f1c.e70): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 45 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 4c 20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4L                    .
    (f1c.b68): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 4d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 50 25 22 48 53 35-26 3c 28 20 20 20 20 20 20 20 20 20 20 20 20 00  =4P%"HS5&<(            .
    (f1c.e78): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 4d 26 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 50 2b 24 4e 31 29-32 28 3e 27 4c 20 20 20 20 20 20 20 20 20 20 00  =4P+$N1)2(>'L          .
    (f1c.ac0): Break instruction exception - code 80000003 (first chance)
    0:001> eb 403018 3d 2f 4d 2c 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g
    
    00403018  3d 34 50 43 31 48 53 4d-26 32 74 2f 3d 4a 32 52 75 6f 2e 2e 26 73 29 00  =4PC1HSM&2t/=J2Ruo..&s).
    Attached Files Attached Files
    Last edited by blabberer; January 3rd, 2014 at 17:58.

Similar Threads

  1. bengaly Crack me
    By wunder in forum The Newbie Forum
    Replies: 15
    Last Post: December 19th, 2010, 23:12
  2. Crack Request
    By Thats Me in forum The Newbie Forum
    Replies: 11
    Last Post: April 1st, 2010, 21:19
  3. Crack for $
    By mike in forum Off Topic
    Replies: 1
    Last Post: October 7th, 2003, 23:32
  4. Serial Crack
    By wonderwoman in forum Malware Analysis and Unpacking Forum
    Replies: 16
    Last Post: November 1st, 2001, 11:36
  5. Lingoware 3 Crack
    By Andhy in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: August 22nd, 2001, 20:03

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •