
Thread: MD5 + some bit math

  1. #1
    Donan (Guest)

    MD5 + some bit math

    Hi all =] I got a program with a nice MD5 crypto. But I don't think it's keygennable... It does some other stuff before MD5Init & MD5Update.
    First, the program is coded in C++ using VC 6 and I think it is a serial-only protection. I think so because it asks for more stuff, but I don't see it getting used yet. I also got a valid key; it came with the soft when I bought it.

    So... as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?

    Code:
    .text:004CF26B                 mov     al, [esp+0C0h+var_A7] ; 2nd char
    .text:004CF26F                 mov     cl, [esp+0C0h+var_A8] ; 1st char
    .text:004CF273                 mov     dl, al
    .text:004CF275                 and     al, 3
    .text:004CF277                 shr     dl, 2
    .text:004CF27A                 shl     cl, 3
    .text:004CF27D                 add     dl, cl
    .text:004CF27F                 mov     cl, [esp+0C0h+var_A6] ; 3rd char
    .text:004CF283                 shl     al, 5
    .text:004CF286                 add     al, cl
    .text:004CF288                 mov     cl, [esp+0C0h+var_A5] ; 4th char
    .text:004CF28C                 mov     [esp+0C0h+var_B4], dl
    .text:004CF290                 mov     dl, cl
    .text:004CF292                 shr     dl, 4
    .text:004CF295                 shl     al, 1
    .text:004CF297                 and     dl, 1
    .text:004CF29A                 and     cl, 0Fh
    .text:004CF29D                 add     al, dl
    .text:004CF29F                 mov     bl, [esp+0C0h+var_99]
    .text:004CF2A3                 mov     [esp+0C0h+var_B3], al
    .text:004CF2A7                 mov     al, [esp+0C0h+var_A4]
    .text:004CF2AB                 mov     dl, al
    .text:004CF2AD                 and     al, 1
    .text:004CF2AF                 shl     cl, 4
    .text:004CF2B2                 shr     dl, 1
    .text:004CF2B4                 add     cl, dl
    .text:004CF2B6                 mov     dl, [esp+0C0h+var_A3]
    .text:004CF2BA                 mov     [esp+0C0h+var_B2], cl
    .text:004CF2BE                 mov     cl, [esp+0C0h+var_A2]
    .text:004CF2C2                 shl     al, 5
    .text:004CF2C5                 add     al, dl
    .text:004CF2C7                 mov     dl, cl
    .text:004CF2C9                 shr     dl, 3
    .text:004CF2CC                 shl     al, 2
    .text:004CF2CF                 and     dl, 3
    .text:004CF2D2                 and     cl, 7
    .text:004CF2D5                 add     al, dl
    .text:004CF2D7                 mov     dl, [esp+0C0h+var_A0]
    .text:004CF2DB                 mov     [esp+0C0h+var_B1], al
    .text:004CF2DF                 mov     al, [esp+0C0h+var_A1]
    .text:004CF2E3                 shl     cl, 5
    .text:004CF2E6                 add     cl, al
    .text:004CF2E8                 mov     al, [esp+0C0h+var_9F]
    .text:004CF2EC                 mov     [esp+0C0h+var_B0], cl
    .text:004CF2F0                 mov     cl, al
    .text:004CF2F2                 shr     cl, 2
    .text:004CF2F5                 shl     dl, 3
    .text:004CF2F8                 add     cl, dl
    .text:004CF2FA                 and     al, 3
    .text:004CF2FC                 mov     [esp+0C0h+var_AF], cl
    .text:004CF300                 mov     cl, [esp+0C0h+var_9E]
    .text:004CF304                 shl     al, 5
    .text:004CF307                 add     al, cl
    .text:004CF309                 mov     cl, [esp+0C0h+var_9D]
    .text:004CF30D                 mov     dl, cl
    .text:004CF30F                 and     cl, 0Fh
    .text:004CF312                 shr     dl, 4
    .text:004CF315                 shl     al, 1
    .text:004CF317                 and     dl, 1
    .text:004CF31A                 add     al, dl
    .text:004CF31C                 mov     [esp+0C0h+var_AE], al
    .text:004CF320                 mov     al, [esp+0C0h+var_9C]
    .text:004CF324                 mov     dl, al
    .text:004CF326                 and     al, 1
    .text:004CF328                 shl     cl, 4
    .text:004CF32B                 shr     dl, 1
    .text:004CF32D                 add     cl, dl
    .text:004CF32F                 mov     [esp+0C0h+var_AD], cl
    .text:004CF333                 mov     cl, [esp+0C0h+var_9B]
    .text:004CF337                 shl     al, 5
    .text:004CF33A                 add     al, cl
    .text:004CF33C                 mov     cl, [esp+0C0h+var_9A]
    .text:004CF340                 mov     dl, cl
    .text:004CF342                 and     cl, 7
    .text:004CF345                 shr     dl, 3
    .text:004CF348                 shl     al, 2
    .text:004CF34B                 and     dl, 3
    .text:004CF34E                 add     al, dl
    .text:004CF350                 shl     cl, 5
    .text:004CF353                 mov     [esp+0C0h+var_AC], al
    .text:004CF357                 add     cl, bl
    .text:004CF359                 lea     eax, [esp+0C0h+var_68]
    .text:004CF35D                 mov     [esp+0C0h+var_AB], cl
    .text:004CF361                 push    eax
    .text:004CF362                 call    sub_4D0610      ; MD5Init !!!!!!!!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    mike
    Quote Originally Posted by Donan
    So... as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?
    Not necessarily; this part could very well be reversible. See if you can come up with a more concise way of representing the code--that will help you understand it.

    What are the 1st through 4th chars you're talking about above? And what is in the other variables? At a glance, it looks to me like it's doing some roll-your-own crypto on a string before hashing it.

    In order to tell whether it can be keygenned, find out where the comparison is done--what is being compared?
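    The "more concise representation" Mike asks for, as an added editor's example derived from the listing in post #1 (it is not the program's source and not code from either poster). Reading the disassembly between 4CF26B and 4CF35D, the ten bytes at var_B4..var_AB are the sixteen input "chars" at var_A8..var_99 packed as consecutive 5-bit fields, most significant first; the block below writes that both literally, byte by byte as the asm computes it, and as a bit stream, with the inverse to show the step is reversible. It assumes each input already holds a value 0..31; the listing never masks the inputs, so larger values just lose their high bits in the 8-bit registers.

```python
# Editor's re-expression of the bit math at 4CF26B-4CF35D (derived from the
# disassembly above, not the program's own source). Assumption: each of the
# 16 input "chars" c[0]..c[15] (var_A8..var_99) holds a 5-bit value 0..31.

def pack_5bit_literal(c):
    """Ten output bytes (var_B4..var_AB) exactly as the listing computes them.
    The listing does the first 8 chars, then repeats the same pattern for the
    next 8; '& 0xFF' mirrors the 8-bit registers al/cl/dl."""
    if len(c) != 16:
        raise ValueError("the routine consumes exactly 16 chars")
    out = []
    for i in (0, 8):
        out += [
            ((c[i] << 3) + (c[i + 1] >> 2)) & 0xFF,                          # var_B4 / var_AF
            (((c[i + 1] & 3) << 6) + (c[i + 2] << 1)
             + ((c[i + 3] >> 4) & 1)) & 0xFF,                                # var_B3 / var_AE
            (((c[i + 3] & 0xF) << 4) + (c[i + 4] >> 1)) & 0xFF,              # var_B2 / var_AD
            (((c[i + 4] & 1) << 7) + (c[i + 5] << 2)
             + ((c[i + 6] >> 3) & 3)) & 0xFF,                                # var_B1 / var_AC
            (((c[i + 6] & 7) << 5) + c[i + 7]) & 0xFF,                       # var_B0 / var_AB
        ]
    return bytes(out)

def pack_5bit(symbols):
    """The same thing said concisely: concatenate 16 five-bit fields (MSB first)
    into an 80-bit value and emit it as 10 bytes."""
    if len(symbols) != 16:
        raise ValueError("the routine consumes exactly 16 chars")
    bits = 0
    for s in symbols:
        bits = (bits << 5) | (s & 0x1F)
    return bits.to_bytes(10, "big")

def unpack_5bit(data):
    """Inverse of pack_5bit: split 10 bytes back into 16 five-bit values.
    Because no information is lost, this stage of the check is reversible."""
    if len(data) != 10:
        raise ValueError("expected the 10 packed bytes")
    bits = int.from_bytes(data, "big")
    return [(bits >> (5 * (15 - i))) & 0x1F for i in range(16)]
```

    Only the subsequent MD5 and whatever comparison follows it decide whether the whole check can be inverted; this packing step alone cannot stop it.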

  3. #3
    ZaiRoN
    Hi Donan,
    Quote Originally Posted by Donan
    as you can see, there are a lot of SHL, SHR, AND in the code. And that's the part that makes a keymaker impossible, right?
    There are lots of shl/shr/and instructions, but I don't think they will stop you from writing a keygen... it depends.
    You have to tell us more details, like:
    - is it really a serial-only protection?
    - what is the md5 algo applied to? Is it applied to a value obtained by the code between 4CF26B and 4CF35D? What is '[esp+0C0h+var_68]'?
    - is the value returned by the md5 algo compared with something?
    and so on...

    Best regards,
    ZaiRoN

  4. #4
    ZaiRoN
    Ooops, sorry Mike. I did not see your post.

  5. #5
    Donan (Guest)
    Thanks Mike and ZaiRoN! I just got back from my vacation... I'll take a deeper look and post again =D
