Buggy, Advanced Cheater, Reputation: 0
Joined: 04 Jan 2008, Posts: 72, Location: Republic of Korea (South Korea)
Posted: Sun Feb 24, 2008 5:13 am, Post subject: Let's crack crackme with Crackme3 (by CoSH)
*I don't know exactly who made this, but I think it is CoSH's crackme.*
Crackme 3 - http://buggy.ufree.kr/crackme3.exe
I had fun solving it.
I think the maker of this crackme wanted to teach us about XOR encryption.
Well, let's learn about XOR encryption.
If there is a string, KOREA, how can we encrypt it with the key 1?
Like this :
xor K,1 -(1)
xor O,1 -(2)
xor R,1 -(3)
xor E,1 -(4)
xor A,1 -(5)
Let's try (1).
First, you have to get the ASCII codes.
When we look at the ASCII table, K is 4B in hexadecimal. Converted to binary that is 1001011, and this is what we have to XOR.
So let's try!
1001011
xor 0000001 (XOR gives 1 when exactly one of the two bits is 1, and 0 when both bits are the same.)
---------
1001010 <---- it will be like this. Converted to hexadecimal it is 4A, and when we look up 4A in the ASCII table it is J, isn't it? So J is the encrypted form of "K".
When we do the same for every character up to A, KOREA is encrypted as JNQD@.
Since we encrypted it, we also have to be able to decrypt it.
We can do it like this: XOR JNQD@ with 1.
I think you have an inkling: 1 is the value of the KEY. The KEY is needed both when we encrypt and when we decrypt. Finally, let's try decrypting.
xor J,1
xor N,1
xor Q,1
xor D,1
xor @,1
J is 4A in hexadecimal in the ASCII table, and converted to binary it is 1001010.
Let's XOR it.
1001010
xor 0000001
--------
1001011 <---------- converted to hexadecimal this is 4B, and in the ASCII table 4B is K.
When we do this for every character up to @, we get KOREA again. That is the XOR encryption algorithm.
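As an added example (not from the original post), here is the same single-byte XOR written in Python, with a helper that prints the binary step for each character the way it is worked out above. Running it on KOREA with key 1 prints JNSD@ for the whole string (R is 0x52, so R XOR 1 is 0x53, which is S), and applying the same function to the result gives KOREA back, which is the point of the post: one key, one operation, for both directions.

```python
# Added example, not part of the original post: single-byte XOR "encryption"
# as worked through by hand above for KOREA with key 1.


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same one-byte key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte (0..255)")
    return bytes(b ^ key for b in data)


def encrypt(text: str, key: int) -> str:
    """Encrypt an ASCII string; the result is decoded as latin-1 so that
    bytes such as 0x40 ('@') or non-printable values still round-trip."""
    return xor_bytes(text.encode("ascii"), key).decode("latin-1")


def decrypt(text: str, key: int) -> str:
    """Decryption is the same operation: (x ^ k) ^ k == x for any byte x."""
    return xor_bytes(text.encode("latin-1"), key).decode("latin-1")


def show_steps(text: str, key: int) -> list:
    """One line per character: input bits ^ key bits = output bits -> hex char."""
    lines = []
    for ch in text:
        out = ord(ch) ^ key
        lines.append(
            f"{ch} {ord(ch):08b} ^ {key:08b} = {out:08b} -> {out:02X} {chr(out)}"
        )
    return lines


if __name__ == "__main__":
    for line in show_steps("KOREA", 1):
        print(line)
    ciphertext = encrypt("KOREA", 1)
    print("encrypted:", ciphertext)
    print("decrypted:", decrypt(ciphertext, 1))
```

The first printed line is `K 01001011 ^ 00000001 = 01001010 -> 4A J`, the same arithmetic as the hand calculation above.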
I ran OllyDbg to solve the crackme,
and you can find code like this.
I entered my second nickname, "plus", as the name; you should enter your own name.
Code:
0040156B |. E8 28030000 CALL <JMP.&MFC42.#858> <---- I set a breakpoint here
00401570 |. 33C0 XOR EAX,EAX --|
00401572 |. 33DB XOR EBX,EBX | zero the registers before use
00401574 |. 33C9 XOR ECX,ECX --|
00401576 B9 01000000 MOV ECX,1 <---------- what is this value for? think.
0040157B |. 33D2 XOR EDX,EDX -- more initializing
0040157D |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] <--- loads the address of the name (Buggy, or whatever you typed) into EAX.
00401580 |> 8A18 /MOV BL,BYTE PTR DS:[EAX] <----- loads the byte at [EAX] (one character of the name) into BL.
00401582 |. 32D9 |XOR BL,CL <------------ this encrypts the character; CL is the key.
00401584 |. 8818 |MOV BYTE PTR DS:[EAX],BL <--------- writes the encrypted byte back to the name buffer.
00401586 |. 41 |INC ECX <--------------- Point: the key (ECX) is incremented.
00401587 |. 40 |INC EAX <--------------- moves on to the next character of the name.
00401588 |. 8038 00 |CMP BYTE PTR DS:[EAX],0 checks whether the end of the string (the 0 byte) has been reached.
0040158B |.^75 F3 \JNZ SHORT crackme3.00401580 if not, jumps back to encrypt the next character.
Let's look further down; you will recognise this.
This part, however, is the decryption part:
it decrypts the encrypted string.
It is exactly the same as the encryption except for MOV ECX,0A.
Code:
0040158D |. 33C0 XOR EAX,EAX
0040158F |. 33DB XOR EBX,EBX
00401591 |. 33C9 XOR ECX,ECX
00401593 |. B9 0A000000 MOV ECX,0A
00401598 |. 33D2 XOR EDX,EDX
0040159A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0040159D |> 8A18 /MOV BL,BYTE PTR DS:[EAX]
0040159F |. 32D9 |XOR BL,CL
004015A1 |. 8818 |MOV BYTE PTR DS:[EAX],BL
004015A3 |. 41 |INC ECX
004015A4 |. 40 |INC EAX
004015A5 |. 8038 00 |CMP BYTE PTR DS:[EAX],0
004015A8 |.^75 F3 \JNZ SHORT crackme3.0040159D
This crackme XORs each character of the name with a key that is incremented for every character: it starts from 1, so for plus the keys go up to 4.
In the same way, the serial number's key is incremented for every character of the serial, starting from 0A.
So you can get the serial for plus like this:
convert plus to hexadecimal and XOR p with 1, l with 2, u with 3 and s with 4, then convert the hexadecimal back to characters;
then take the XORed plus and XOR XORed p with 0A, XORed l with 0B, XORed u with 0C and XORed s with 0D, and convert the XORed string from hexadecimal back to characters.
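As an added example (not the crackme's own code), here is that recipe written out in Python. It models the two loops from the listing: ECX starts at 1 for the name and at 0A for the serial and is incremented after every byte, and only CL reaches the XOR. That the crackme accepts a serial when the two transformed buffers are equal is the post's inference and is an assumption here, as are the `check` and `keygen` names; the handling of an empty string (the original loop is a do-while and would read past the terminator) and of a NUL byte in the derived serial is also added.

```python
# Added example, not the crackme's own code: a Python model of the two loops in
# the OllyDbg listing above. ECX starts at 1 for the name loop and at 0x0A for
# the serial loop and is incremented after every byte. That the crackme accepts
# a serial when the two transformed buffers are equal is the post's inference
# (an assumption here); only the loop bodies themselves come from the listing.

NAME_KEY_START = 1        # MOV ECX,1  at 00401576
SERIAL_KEY_START = 0x0A   # MOV ECX,0A at 00401593


def rolling_xor(data: bytes, start_key: int) -> bytes:
    """Model of the loop at 00401580 / 0040159D.

    Per iteration: BL = [EAX]; BL ^= CL; [EAX] = BL; INC ECX; INC EAX.
    The loop is a do-while: the first byte is always processed and the
    CMP BYTE PTR [EAX],0 tests the *next* byte, so an empty buffer would
    be read past its terminator. Only CL (the low byte of ECX) is XORed.
    """
    if not data:
        raise ValueError("the original loop does not handle an empty buffer")
    out = bytearray()
    key = start_key
    for b in data:
        out.append(b ^ (key & 0xFF))   # XOR BL,CL
        key += 1                       # INC ECX
    return bytes(out)


def check(name: str, serial: str) -> bool:
    """Assumed acceptance test: transformed name == transformed serial."""
    enc_name = rolling_xor(name.encode("ascii"), NAME_KEY_START)
    dec_serial = rolling_xor(serial.encode("latin-1"), SERIAL_KEY_START)
    return enc_name == dec_serial


def keygen(name: str) -> str:
    """Follow the post's recipe: serial[i] = (name[i] ^ (1 + i)) ^ (0x0A + i).

    Applying the serial loop to this value XORs with (0x0A + i) again and so
    recovers name[i] ^ (1 + i), which is exactly what the name loop produced.
    """
    enc_name = rolling_xor(name.encode("ascii"), NAME_KEY_START)
    serial = rolling_xor(enc_name, SERIAL_KEY_START)
    if 0 in serial:
        # a NUL byte would terminate the serial early inside the crackme
        raise ValueError("derived serial contains a NUL byte; no usable serial")
    return serial.decode("latin-1")


if __name__ == "__main__":
    name = "plus"
    print("name     :", name)
    print("xor 1..  :", rolling_xor(name.encode("ascii"), NAME_KEY_START))
    serial = keygen(name)
    print("serial   :", serial)
    print("accepted :", check(name, serial))
```

For the name plus the first loop yields qnvw (p XOR 1, l XOR 2, u XOR 3, s XOR 4), and XORing that with 0A, 0B, 0C, 0D gives the serial the post's recipe describes; `check` then reports whether the model accepts it.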
_________________
iroo sooo hooooot