Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

Crack me help

First timers and new learners, this forum is for you. Please use the search function to see if your question has already been answered.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote: if you want to test the generation and try your hand at bruteforcing till you can keygen

put this in a txt file and run windbg like this

Code: Select all

windbg -c "$$>a< setuppw.txt" Setup.exe
here are the commands

Code: Select all

bp /1 KERNEL32!VirtualAlloc;
g;
gu;
r $t1= @eax+26b0;
ba w1 /1 @$t1;
g;
r $t2 = @eax;
db @$t2;
ba r1 @$t1-8;
g;
g;
bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";
g;
Hi blabberer, if I run windbg with the setuppw.txt script file in the command line windbg does not break when I enter anything into the password edit box. After pressing next and entering something into the edit box windbg does not break. I think the problem is that BP ba r1 @$t1-8; does not get hit (I tried to follow the procedure manually). It is strange that after entering a string of length 23 and with the first 10 chars valid it does still not break :sneaky:

[ATTACH]2894[/ATTACH]
Attachments
setuppw.jpg
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

TB10 wrote: But it intrests me how the encryption works and is there a way to decrypt that thing in ollydbg(or other) it seems that the encryption algorythm is not randomize, that means, for example 123 results always in same encrypted letters, but it depends on the whole combination of the Password, not on single letters.
Hi TB10, technically it may not be regarded as encryption in that the keygen process is irreversible, information is lost, you can't come up with a decryption algo that restores the original password (unless for specific cases). Try to understand what is going on in that function crackz pointed out and I'm sure you will understand much better. The function is not very long or hard to understand/reverse. You also have some hints in this thread about what is going on in that function if need input :)
User avatar
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Pardon me if you already did, but did you modify the script to use the offset that *you* are getting (269C)?

The offset will change a bit depending, as I found out, on the length of the full pathname of the exe. For example, if I run setup.exe from the folders
C:\, C:\a or C:\ab - the password key is copied to offset 2678
the slightly longer pathname C:\abc - offset is shifted to 267C
an even longer pathname - offset 2680

Apparently something related to the pathname is stored in the virtual memory block before the password string and that shifts everything depending on the length.
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

yes it doesnt look like any encryption but some pseudo random generator based on some original password i guessed so when i first saw the second and third charecters are replaced on addition of every charecter to the password because it is generated based on the lenght of the pw
(generated from backwards) so obviously every thing would depend on the lenght of the pw

yes as kayaker pointed out the offsets do change based on various factors like path name , password lenght etc the algo keeps on copy pasting data to different places in the allocated 0x28000 block.

in your screen shot i see the 2 bps hit so you may need to view memory a bit up and down and see where the generated hash is stored
my script wont let windbg break it will simply print the output and keep on continuing and you can watch the passowrd generated as you enter charecters in the edit box (if you loose focus of edit box it will be quiet some time to see them again till WM_PAINT WM_MOUXEXXXX msgs are processed by the windowing system ) keep windbg in background and crackme in top of Z order and enter password to view output in windbg below

i trivially bruteforced it in ollydbg with the ripped algo from sub crackZ hinted but there are further checks and from a fleet glance at comparison algo next to the sub i think you need a password that is of certain length and 23 is not the right size either add eax,eax or cmp ch.bh should set the zer0 flag ) so that dl is set in sete dl
here is a full password for your test :)

Code: Select all

CX2g!F%q2FP]$f,B+7,&@G.000000000000
Press any key to continue . . .

here is the shabby shitty bruteforcer for the above password

Code: Select all

// setuppw.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#define HARDCODED_HASH_LENGHT 0x17
#define CRYPTED_HASH_LENGTH HARDCODED_HASH_LENGHT + 0xc

BYTE HARDCODED_HASH[HARDCODED_HASH_LENGHT] = //009926A8  PX1QGTTEU<S7?<9T43387M3
{
    0x50, 0x58, 0x31, 0x51, 0x47, 0x54, 0x54, 0x45,
    0x55, 0x3C, 0x53, 0x37, 0x3F, 0x3C, 0x39, 0x54, 
    0x34, 0x33, 0x33, 0x38, 0x37, 0x4D, 0x33 
};

BYTE CRYPTED_HASH[CRYPTED_HASH_LENGTH] = {0};
BYTE PASSWORD_HASH[CRYPTED_HASH_LENGTH] = {0};
DWORD count = 0;

int _tmain(int argc, _TCHAR* argv[])
{
    //  i started with '!' filled buffer to brute force but i saw it generating non printable bytes
    // so ripped correct printable bytes from ollydbg to the array which made the generation of all printable
    // charecters possible the array below generates a correct HARDCODED_HASH but few more checks need to be 
    // passed in the comaprison algo (add eax,eax or cmp ch.bh one of this should set the zero flag)
    // have fun finding how to do it :)

    memset(&CRYPTED_HASH,0x21,sizeof(CRYPTED_HASH));

    CRYPTED_HASH[0] = 'C';
    CRYPTED_HASH[1] = 'X';
    CRYPTED_HASH[2] = '2';
    CRYPTED_HASH[3] = 'g';
    CRYPTED_HASH[4] = '!';
    CRYPTED_HASH[5] = 'F';
    CRYPTED_HASH[6] =  '%';
    CRYPTED_HASH[7] = 'q';
    CRYPTED_HASH[8] = '2';
    CRYPTED_HASH[9] = 'F';
    CRYPTED_HASH[10] = 'P';
    CRYPTED_HASH[11] = ']';
    CRYPTED_HASH[12] = '$';
    CRYPTED_HASH[13] = 'f';
    CRYPTED_HASH[14] = ',';
    CRYPTED_HASH[15] = 'B';
    CRYPTED_HASH[16] = '+';
    CRYPTED_HASH[17] = '7';
    CRYPTED_HASH[18] = ',';
    CRYPTED_HASH[19] = '&';
    CRYPTED_HASH[20] = '@';
    CRYPTED_HASH[21] = 'G';
    CRYPTED_HASH[22] = '.';


    __asm
    {
        pushad
redo:
        xor edi,edi
            mov ebp,CRYPTED_HASH_LENGTH
            mov esi,1
looper:
        mov eax, offset CRYPTED_HASH[0]
        movzx eax,byte ptr [eax+esi-1]
        mov edx,eax
            mov ecx,CRYPTED_HASH_LENGTH
            sub ecx,esi
            imul ecx,edi
            add edx,ecx
            add edi,edx
            mov ebx,eax
            imul ebx,edi
            add ebx,esi
BACK:
        mov eax,ebx
            mov ecx,5ah
            xor edx,edx
            div ecx
            imul eax,eax,5ah
            sub ebx,eax
            cmp ebx,30h
            jnb FORWARD
            add ebx,30h
FORWARD:
        cmp ebx,2fh
            jbe BACK
            cmp ebx,5bh
            jnb BACK
            mov eax,offset PASSWORD_HASH[0]
        mov byte ptr [eax+esi-1],bl
            inc esi
            dec ebp
            jnz looper
            push ebx
            mov ebx,offset HARDCODED_HASH[0]
        add ebx,count
            movzx ebx,byte ptr [ebx]
        push eax
            add eax,count
            cmp byte ptr [eax] , bl
            pop eax
            pop ebx
            je ARGH
            push ebx
            mov ebx,offset CRYPTED_HASH[0]
        add ebx,count
            inc Byte ptr [ebx]
        pop ebx
            jmp redo
ARGH:
        cmp count,0x16
            je finished
            inc count
            jmp redo
finished:
        popad
    }
    printf("%s\n",&CRYPTED_HASH);
    return 0;
}

the windbg output from script take a look at last output it shows full comaprison

Code: Select all

ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\apphelp.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
Breakpoint 0 hit
Breakpoint 0 hit
ModLoad: 4b400000 4b486000   C:\WINDOWS\system32\msftedit.dll
Breakpoint 0 hit
009b40c4  50 00 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P.....A...A.4?..................
009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
009b40c4  50 34 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P4....A...A.4?..................
009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
================
009b40c4  50 38 42 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  P8B...A...A.4?..................
009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
================
================
009b40f4  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 50 3b 4a 3f 46 4f 36 37 50  PX1QGTTEU<S7?<9T43387M3P;J?FO67P
009926a8  50 58 31 51 47 54 54 45-55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00 12 00 00 00 01 00 00 00  PX1QGTTEU<S7?<9T43387M3.........
================

since this post developed a bit more than the usual google and poster disappearing after that without making effort or if he made effort without sharing the results
i took a loook again to complete the brute forcing again in ollydbg with the code above with only one modification that of making both hash length equal viz 0x17
because add eax eax can set the zero flag only if eax is 0 and eax can be zero only when both lengths are equal

this password solves the mystery

Code: Select all

wbd584e'!P"/AX6$s/!L>1+
anyone want to post a neat and clean keygen for this ?? :)

the concept should be the buffer must be filled with say 0x20 (first printable charecter <space> for 0x17 characters
increased one at a time upto 0x7f (last printable charecter viz ~ tilde) till the first character of the hardcoded hash is found viz 'P'.

then second X (if no valid second increase first by one and reset count back to zero so the next valid charecter for P is found

in my case above 'C' produced 'P' with certain sequnce of charecters in first brute session

in the second brute session 'w' produces 'P' with another sequence

and remember to reset the rest of characters back to what it was viz 0x20 before relooping to find the next character

it is fs$%%% easy to brute in this manner in ollydbg manually with the ripped algo no need to even pause the app can be done with just binary edit in dump window
while the exe is running need just one breakpoint at inc count line

i modified the code above a little bit to check for minimum acceptable charecter as PASSWORD for runnning brute session in ollydbg

Code: Select all

// setuppw.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#define HARDCODED_HASH_LENGHT 0x17
#define CRYPTED_HASH_LENGTH HARDCODED_HASH_LENGHT

BYTE HARDCODED_HASH[HARDCODED_HASH_LENGHT] = //009926A8  PX1QGTTEU<S7?<9T43387M3
{
    0x50, 0x58, 0x31, 0x51, 0x47, 0x54, 0x54, 0x45,
    0x55, 0x3C, 0x53, 0x37, 0x3F, 0x3C, 0x39, 0x54, 
    0x34, 0x33, 0x33, 0x38, 0x37, 0x4D, 0x33 
};

BYTE CRYPTED_HASH[CRYPTED_HASH_LENGTH] = {0};
BYTE PASSWORD_HASH[CRYPTED_HASH_LENGTH] = {0};
DWORD count = 0;

int _tmain(int argc, _TCHAR* argv[])
{
    //  i started with '!' filled buffer to brute force but i saw it generating non printable bytes
    // so ripped correct printable bytes from ollydbg to the array which made the generation of all printable
    // charecters possible the array below generates a correct HARDCODED_HASH but few more checks need to be 
    // passed in the comaprison algo (add eax,eax or cmp ch.bh one of this should set the zero flag)
    // have fun finding how to do it :)

    memset(&CRYPTED_HASH,0x20,sizeof(CRYPTED_HASH));

    //CRYPTED_HASH[0] = 'C';
    //CRYPTED_HASH[1] = 'X';
    //CRYPTED_HASH[2] = '2';
    //CRYPTED_HASH[3] = 'I';
    //CRYPTED_HASH[4] = 't';
    //CRYPTED_HASH[5] = '\\';
    //CRYPTED_HASH[6] =  '-';
    //CRYPTED_HASH[7] = 'i';
    //CRYPTED_HASH[8] = '5';
    //CRYPTED_HASH[9] = 'X';
    //CRYPTED_HASH[10] = 'h';
    //CRYPTED_HASH[11] = '9';
    //CRYPTED_HASH[12] = '\\';
    //CRYPTED_HASH[13] = '@';
    //CRYPTED_HASH[14] = '6';
    //CRYPTED_HASH[15] = 'z';
    //CRYPTED_HASH[16] = '5';
    //CRYPTED_HASH[17] = 'A';
    //CRYPTED_HASH[18] = '7';
    //CRYPTED_HASH[19] = '^';
    //CRYPTED_HASH[20] = '>';
    //CRYPTED_HASH[21] = '-';
    //CRYPTED_HASH[22] = ':';

    // wbd584e'!P"/AX6$s/!L>1+


    __asm
    {
        pushad
redo:
        xor edi,edi
            mov ebp,CRYPTED_HASH_LENGTH
            mov esi,1
looper:
        mov eax, offset CRYPTED_HASH[0]
        movzx eax,byte ptr [eax+esi-1]
        mov edx,eax
            mov ecx,CRYPTED_HASH_LENGTH
            sub ecx,esi
            imul ecx,edi
            add edx,ecx
            add edi,edx
            mov ebx,eax
            imul ebx,edi
            add ebx,esi
BACK:
        mov eax,ebx
            mov ecx,5ah
            xor edx,edx
            div ecx
            imul eax,eax,5ah
            sub ebx,eax
            cmp ebx,30h
            jnb FORWARD
            add ebx,30h
FORWARD:
        cmp ebx,2fh
            jbe BACK
            cmp ebx,5bh
            jnb BACK
            mov eax,offset PASSWORD_HASH[0]
        mov byte ptr [eax+esi-1],bl
            inc esi
            dec ebp
            jnz looper
            push ebx
            mov ebx,offset HARDCODED_HASH[0]
        add ebx,count
            movzx ebx,byte ptr [ebx]
        push eax
            add eax,count
            cmp byte ptr [eax] , bl
            pop eax
            pop ebx
            je ARGH
adder:
        push ebx
            mov ebx,offset CRYPTED_HASH[0]
        add ebx,count
            inc Byte ptr [ebx]
        pop ebx
            jmp redo
ARGH:
        push ebx
            mov ebx,offset CRYPTED_HASH[0]
        add ebx,count
            movzx ebx,byte ptr [ebx]
        cmp bl, 0x21
            pop ebx
            jl adder
            cmp count,0x16
            je finished
            inc count
            jmp redo
finished:
        popad
    }
    printf("%s\n",&CRYPTED_HASH);
    return 0;
}

niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Hi blabberer, I'm impressed how quickly you dig up this info and to be honest the amount of info is a bit overwhelming :p
yes as kayaker pointed out the offsets do change based on various factors like path name , password lenght etc the algo keeps on copy pasting data to different places in the allocated 0x28000 block.
Thanks to both of you for pointing that out. I was not aware of this. I admit I was also a bit confused about exactly what byte the ba BP should be targeting. My string is indeed stored at offset 0x269c, therefore I was slightly confused that the target byte seems to be offset 0x269c-8. That seems be some kind of ID field...

Code: Select all

struct DelphiString
{
  int ID;
  int Length;
  char array[Length];
};  
And this ID field is obviously being read every time a char is appended. After fixing the offset windbg now spits out a bunch of lines like this

Code: Select all

================
00992090  a4 4c 40 00 00 00 00 00-00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 20 99 00 b8 74 40 00  [email protected] [email protected]
00992694  01 00 00 00 17 00 00 00-50 58 31 51 47 54 54 45 55 3c 53 37 3f 3c 39 54 34 33 33 38 37 4d 33 00  ........PX1QGTTEU<S7?<9T43387M3.
================

in your screen shot i see the 2 bps hit so you may need to view memory a bit up and down and see where the generated hash is stored
my script wont let windbg break it will simply print the output and keep on continuing and you can watch the passowrd generated as you enter charecters in the edit box (if you loose focus of edit box it will be quiet some time to see them again till WM_PAINT WM_MOUXEXXXX msgs are processed by the windowing system ) keep windbg in background and crackme in top of Z order and enter password to view output in windbg below
Isn't it correctly understood that the windbg script is only supposed to break during build up of the target hash? I get the impression that windbg also should dump info (that the ba BP triggers) when entering chars into the edit box. That is not happening :sneaky:

I will have to wait until tomorrow to look into those additional checks you mention and also your very neat keygen :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote: i trivially bruteforced it in ollydbg with the ripped algo from sub crackZ hinted but there are further checks and from a fleet glance at comparison algo next to the sub i think you need a password that is of certain length and 23 is not the right size either add eax,eax or cmp ch.bh should set the zer0 flag ) so that dl is set in sete dl
here is a full password for your test :)

Code: Select all

CX2g!F%q2FP]$f,B+7,&@G.000000000000
Press any key to continue . . .
That password looks like one of your 'encrypted' windbg commands :)
You may be right, there could be further checks in that there are many xrefs to the function at 0040C5A8 that updates the enable state of a window (including the next button).
I have now taken a quite detailed look at the comparison algo and I'm pretty sure that the password/key must be of length 23. If this is not the case the comparison does not set the zero flag.
The comparison algo computes the minimum string length between the two strings. Eax contains the difference in lengths between the two strings. Therefore in the end "add eax,eax" will clear the zero flag if the lengths are not equal.
If I paste CX2g!F%q2FP]$f,B+7,&@G.000000000000 into the password field the next button is not enabled but I'm sure if you mean that this should be the case..

Edit. Sorry I can see further down in your post that you already found out about the add eax,eax. So if I understand your keygen algo correct (I have to compile it later, need to install visual studio) then you start with an initial guess and then you process one char at a time until you find the 'closest' valid password/key. One thing that could be interesting to know is if the creator of the crackme used a password that had some meaning like 'ShaniaTwainsSecondLover' or something :) but that seems very difficult considering the vast number of valid passwords that can be generated.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Hi blabberer,

I found this link for demystifying the $$>a< part of the windbg command line.
http://msdn.microsoft.com/en-us/library ... 85%29.aspx

But I'm still not done with the line
bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";

I understand that the line executes the commands when the 0th BP is reached instead of breaking. But I'm unsure about the gc part. It seems to turn the BP into a conditional BP but what is the condition?

If I put the following lines into setuppw.txt

Code: Select all

bp 416c4e;
g;
bs 0 "db /c 20 @eax L20;db /c 20 @edx L20;.echo ================;gc";
g;
I get sort of what I think you also intended, namely that the target hash and the input hash is shown right above each other. However, it is annoying that the BP is hit so many times.
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

bs does not execute any commands
it updates the existing breakpoint

in this context ba r1 breakpoint is hit two times and run two times to avoid spurious breaks
on the second break the break point is updated to print esi and @$t2 and continue without breaking
gc is continue from conditional breakpoint command it is equivalent to pressing g in windbg command window but
satisfies certain internal varibales set in windbg while it broke on a condition g alone instead of gc should work without problems
but gc is recommended to be used in conditional breaks instead of g


omg you still havent found why it breaks so many time step away and start from start

hint indirectly uses a driver in ring 0 :) go search


well to compile the algo you dont need vs even old 9 mb bcc if you substitute unsigned long to DWORD byte gcc should be able to compile that
strip the stdafx crap
#include stdio , windows .hhh
compiler foo.cpp


yes it is manual brute forcing and can be done quiet fast (15 20 minutes max )inspite of 17 character and full printable set of possibilities.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote: omg you still havent found why it breaks so many time step away and start from start
hehe, I do know its a timer callback and placing a BP in it explains why the there is so many breaks!

yes it is manual brute forcing and can be done quiet fast (15 20 minutes max )inspite of 17 character and full printable set of possibilities.
Then I definitely have to try it because Matlab seemed to be faster! (and that cannot be true of course).

Thanks for all your patience on the windbg explanations its been quite fun to play with it :)
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

yes it is a TimerCallback so once the clock ticked it is bound to break

btw when i wrote 15 20 minutes i was not sure of exact time just to be sure i ran it again this time in windbg from start and all it takes is 7 iterations in windbg to retrieve a password the breaks are manual breaks with ctrl+break due to infinte looping caused by invalid charecter

Code: Select all

=4PC1HSM&2t/=J2Ruo..&s)
src code converted to masm below also attached is an assembled binary

Code: Select all

.386
.model flat, stdcall
option casemap:none
include f:\masm32\include\windows.inc
include f:\masm32\include\KERNEL32.inc
include f:\masm32\include\masm32.inc
includelib f:\masm32\lib\KERNEL32.lib
includelib f:\masm32\lib\masm32.lib

.data 
    HARDCODED_HASH db 50h,58h,31h,51h,47h,54h,54h,45h,55h,3Ch,53h,37h,3Fh,3Ch,39h,54h,34h,33h,33h,38h,37h,4Dh,33h,00h
    CRYPTED_HASH   db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
    PASSWORD_HASH  db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
    count dd 0;
	FormatStr db "%s\n",0

.data?
buffer db 512 dup(?)

.code 
start:
	pushad
redo:
	xor edi,edi
	mov ebp,17h
	mov esi,1
looper:
	mov eax, offset CRYPTED_HASH[0]
	movzx eax,byte ptr [eax+esi-1]
	mov edx,eax
	mov ecx,17h
	sub ecx,esi
	imul ecx,edi
	add edx,ecx
	add edi,edx
	mov ebx,eax
	imul ebx,edi
	add ebx,esi
BACK:
	mov eax,ebx
	mov ecx,5ah
	xor edx,edx
	div ecx
	imul eax,eax,5ah
	sub ebx,eax
	cmp ebx,30h
	jnb FORWARD
	add ebx,30h
FORWARD:
	cmp ebx,2fh
	jbe BACK
	cmp ebx,5bh
	jnb BACK
	mov eax,offset PASSWORD_HASH[0]
	mov byte ptr [eax+esi-1],bl
	inc esi
	dec ebp
	jnz looper
	push ebx
	mov ebx,offset HARDCODED_HASH[0]
	add ebx,count
	movzx ebx,byte ptr [ebx]
	push eax
	add eax,count
	cmp byte ptr [eax] , bl
	pop eax
	pop ebx
	je ARGH
adder:
	push ebx
	mov ebx,offset CRYPTED_HASH[0]
	add ebx,count
	inc Byte ptr [ebx]
	pop ebx
	jmp redo
ARGH:
	push ebx
	mov ebx,offset CRYPTED_HASH[0]
	add ebx,count
	movzx ebx,byte ptr [ebx]
	cmp bl, 021h
	pop ebx
	jl adder
	cmp count,016h
	je finished
	inc count
	jmp redo
finished:
	popad
	mov eax, offset CRYPTED_HASH[0] 
	invoke StdOut , eax
	retn
end start

run in windbg
set this break
fill the buffer and run the exe
reset buffer and count few times until you get a password like below

Code: Select all

0:000> [B]bp 4010a2 "db /c 18 403018  l18;gc"  [/B]
0:000>[B] eb 403018 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g[/B]

00403018  [B]3d 2e 26 [/B]20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =.&                    .
(f1c.19c): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 20 [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  [B]3d 34 28 [/B]20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4(                    .
(f1c.ac4): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 29 [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  [B]3d 34 44 [/B]20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4D                    .
(f1c.e70): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 45 [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  [B]3d 34 4c [/B]20 20 20 20 20-20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 00  =4L                    .
(f1c.b68): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 4d [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  [B]3d 34 50 25 22 48 53 35-26 3c 28 [/B]20 20 20 20 20 20 20 20 20 20 20 20 00  =4P%"HS5&<(            .
(f1c.e78): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 4d 26 [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  [B]3d 34 50 2b 24 4e 31 29-32 28 3e 27 4c[/B] 20 20 20 20 20 20 20 20 20 20 00  =4P+$N1)2(>'L          .
(f1c.ac0): Break instruction exception - code 80000003 (first chance)
0:001> [B]eb 403018 3d 2f 4d 2c [/B]20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ;ed 403048 0;g

00403018  3d 34 50 43 31 48 53 4d-26 32 74 2f 3d 4a 32 52 75 6f 2e 2e 26 73 29 00  [B]=4PC1HSM&2t/=J2Ruo..&s).[/B]


Attachments
setuppw.rar
(1.41 KiB) Downloaded 174 times
Locked