Thread: LoginBox

  1. #1
    kP^
    Guest

    LoginBox

    Hello !

    Using a tiny RTL for Borland's Delphi environment, a few Windows APIs and some of my school time, I wrote this LoginBox, for those who want to test their reversing skills.

    The username is very common, and the password not longer than 5 characters.
    Anyone ?

  2. #2
    mark0x
    Guest
    I'm a relative 'noob' but am having a look. Seems interesting thus far.

  3. #3
    kP^
    Guest

    No one killed this yet?

    The solution is not hard to trace.
    Login information isn't longer than 8 characters, so one call patch and a few lines of backtracking code could do it.

  4. #4
    ZaiRoN
    Hi All,
    is mark0x the only one that is working on this nice target? I did take a glance at the target and I found that MD5 is used. Seems like MD5 is becoming very popular these days.
    IIRC it is not the proper classical MD5... kP^ has changed the initialization constants; here are the new values:
    Code:
    0040872D MOV DWORD PTR DS:[EBX],17452301
    00408733 MOV DWORD PTR DS:[EBX+4],2FCDAB89
    0040873A MOV DWORD PTR DS:[EBX+8],38BADCFE
    00408741 MOV DWORD PTR DS:[EBX+C],40325476
    It's not much, but maybe it could break the ice...

    Best regards,
    ZaiRoN

  5. #5
    mark0x
    Guest
    I've been sidetracked with other things recently but will have another look soon. I recall the app did something like execute itself with some command line params depending on what you entered (or I could be going insane). And yeah, I noticed that it was using MD5 from running PEiD on it (it also said something about Twofish). IIRC this prompted me to download a load of crypto ebooks so I could look into how they worked.

    Hopefully it won't be too long before I can revisit it again.

  6. #6
    Maybe it has MD5 because the net is full of scripts for writing login pages that use MD5 as part of their cookie construction for intersession surfing.

    Regards,
    JMI

  7. #7
    kP^
    Guest

    The solution is Bruteforce

    Indeed ZaiRoN, you got that right.
    Later on, I've also non-standardly initialized Twofish.

    I'm not good at reversing, so I only used asm programming for protecting my code.
    I have chosen not to pack/scramble the PE in any way (although I have my own personal protector) because I think this technique aims to keep exe-snoopers away and it's useless against anyone persistent enough to find the original entry point and do a plain memory dump.

    Also, I've tried to "escape" OllyDbg by creating another instance of my process and running external code; results are passed as the exit code to the ExitProcess function. The thread's priority explains the delay.

    If a reverser understands that the password's edit-box has not been 'touched' (read) to this point, he could guess that until this phase, just the username is validated.

    The password is later (if the username's hash corresponds) checked by initing new hashes to decrypt a block of code in Twofish (e.g. the 'good boy' procedure). If the unlocked code turned out good, the call is made. If he'd reverse the jumps (invalid code ahead), the application would call junk code and crash.

    That's pretty much the essential information reversing could give him: password-encrypted code.
