Thread: Any one see this Cryptographic?

  1. #1

    Any one see this Cryptographic?

    0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
    0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
    0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
    0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
    0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
    0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
    0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
    0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3

    what's the Cryptographic?
    any one knows?
    thanks!
    Crack and unpack is a way to enjoy life.

  2. #2
    Are we expected to work this out without knowing anything else?
    It looks like a bunch of hash values or perhaps an encoded string to me (ASCII ".I.k....?QW...c..V.P.Z.q{.<.....").
    If they are hash values, they are either semi-random or pertain to a cipher that Google hasn't heard of.

    Maybe you could tell us (preferably in pseudocode rather than a hung ASM listing) how this string is being used.

  3. #3
    nikolatesla20 (: Code Injector :) | Join Date: Apr 2002 | Location: :ether: | Posts: 815
    I've seen code similar to this in Armadillo - in that case it was just an encryption for the IAT redirection code - it was values used to decrypt the real code..

    -nt20

  4. #4
    SiGiNT (reknihT esreveR) | Join Date: Sep 2004 | Location: Wherever I am | Posts: 750
    I don't think it's arma - the addresses involved indicate an unpacked portion of code - but it could be anything even a password.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  5. #5
    Without being able to look at the surrounding code, I'd guess this is the initial state of a proprietary 256-bit hasher. Google doesn't turn up any results for all of the four dwords above.

  6. #6
    thanks all!
    The target is I did not read the FAQ
    The official site is:I did not read the FAQ
    It's easy to patch. But I try to make a keygen.
    Code:
    0041C220    > \6A FF       push -1
    0041C222    .  68 191D4300 push _to_A.00431D19                  ;  SE handler installation
    0041C227    .  64:A1 00000>mov eax,dword ptr fs:[0]
    0041C22D    .  50          push eax
    0041C22E    .  64:8925 000>mov dword ptr fs:[0],esp
    0041C235    .  81EC 940000>sub esp,94
    0041C23B    .  8B8424 A400>mov eax,dword ptr ss:[esp+A4]
    0041C242    .  53          push ebx
    0041C243    .  56          push esi
    0041C244    .  50          push eax
    0041C245    .  8D4C24 10   lea ecx,dword ptr ss:[esp+10]
    0041C249    .  C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
    0041C251    .  C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
    0041C259    .  C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
    0041C261    .  C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
    0041C269    .  C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
    0041C271    .  C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
    0041C279    .  C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
    0041C281    .  C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
    0041C289    .  E8 E8280100 call <jmp.&MFC42.#537>                  ;  kernel32.lstrlenA;MSVCRT.memcpy
    0041C28E    .  8B8C24 B000>mov ecx,dword ptr ss:[esp+B0]
    0041C295    .  C78424 A400>mov dword ptr ss:[esp+A4],0
    0041C2A0    .  51          push ecx
    0041C2A1    .  8D4C24 0C   lea ecx,dword ptr ss:[esp+C]
    0041C2A5    .  E8 CC280100 call <jmp.&MFC42.#537>
    0041C2AA    .  8B5424 0C   mov edx,dword ptr ss:[esp+C]
    0041C2AE    .  8B35 BC2544>mov esi,dword ptr ds:[<&MSVCRT._mbscmp>>;  msvcrt._mbscmp
    0041C2B4    .  68 60FC4300 push _to_A.0043FC60                  ; /s2 = ""
    0041C2B9    .  52          push edx                                ; |s1
    0041C2BA    .  C68424 AC00>mov byte ptr ss:[esp+AC],1              ; |
    0041C2C2    .  FFD6        call esi                                ; \_mbscmp
    if(Decipher(Registrationcode)==username)
    Registration successful.

    It seems the initial value .
    It should be symmetrical cipher .
    cipher(username)=Registrationcode
    Crack and unpack is a way to enjoy life.

  7. #7
    No target names are allowed here... read the FAQ!

  8. #8
    Hey guys ... perhaps it could be 256-Bit RSA cause ...

    CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B seems ok to factor with ppsiqs.

    But on the other side :

    There are only 2 Calls before Compare, 2x lstrlen. Where is the calculation of user/key ? I think, if you want to keygen this ... you are on the wrong place, imho.

    Regards

  9. #9
    Bra!NSHiT ,I appreciate your help.
    I will try RSA.
    But this is only a piece of the code,
    there are several calls below .

    Thanks!

    Regards
    Crack and unpack is a way to enjoy life.

  10. #10
    Yeah!
    It's RSA.
    N=CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B is a big number.
    ppsiqsv1.1 get p and q:
    p=E4E7E39EE5E5C98788BF466DDCBAB2DF
    q=E84C8EBF8D5AA6A5ACB2569542DBCBF5
    E:10001
    te's rsa tool get D:
    D:3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1

    Thanks all!


    Regards
    Crack and unpack is a way to enjoy life.
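
Added example (not part of the thread or any poster's code): the eight immediates in the listing from post #1 are consecutive 32-bit limbs of one integer, least significant at the lowest stack offset. This Python sketch parses the listing, reassembles the value and checks its size; the function names and the 2048-bit minimum are choices made for this example.

```python
import re

# Listing lines copied from post #1 (OllyDbg format: address, bytes, instruction).
LISTING = """\
0041C249 . C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251 . C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259 . C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261 . C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269 . C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271 . C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279 . C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281 . C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
"""

MOV_IMM32 = re.compile(
    r"mov dword ptr ss:\[esp\+([0-9A-F]+)\],([0-9A-F]{8})\b", re.I)

def extract_limbs(listing):
    """Map stack offset -> 32-bit immediate for each 'mov [esp+off], imm32'."""
    return {int(off, 16): int(imm, 16) for off, imm in MOV_IMM32.findall(listing)}

def assemble_bignum(limbs):
    """Join contiguous dwords into one integer, lowest offset least significant."""
    offsets = sorted(limbs)
    if not offsets or any(b - a != 4 for a, b in zip(offsets, offsets[1:])):
        raise ValueError("expected a contiguous run of dwords")
    return sum(limbs[off] << (32 * i) for i, off in enumerate(offsets))

def assess_modulus(n, min_bits=2048):
    """Properties relevant to an RSA modulus; min_bits is this example's assumption."""
    bits = n.bit_length()
    return {"hex": f"{n:X}", "bits": bits, "odd": bool(n & 1),
            "too_small": bits < min_bits}

if __name__ == "__main__":
    report = assess_modulus(assemble_bignum(extract_limbs(LISTING)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The reassembled value is the N quoted in posts #8 and #10. At 256 bits it is far below the example's threshold, consistent with it being factored in the thread.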

  11. #11

    Thumbs up

    Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.

  12. #12
    Quote Originally Posted by Rummy
    Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.
    But Rummy, you are not a drinker like your nickname. you are full
    of humour sense.
    Crack and unpack is a way to enjoy life.
