CiN1 Team - Cracking Is Number 1  

04-07-2016, 09:30 AM   #11
cachito

Someone asked me by PM if we should brute force the unlock code. This is a little explanation on how to generate an unlock code, but I can only find it without bruteforcing if certain conditions are met. Will try to explain as best as I can and my English knowledge allows.

NOTE = I don't explain here how to know that desired value is 0x25 or that unlock code needs to be bigger than 9 chars. I am guessing you already know this.

Code:
004012DE  |> /8BC1          /MOV EAX,ECX
004012E0  |. |F6E1          |MUL CL
004012E2  |. |02C4          |ADD AL,AH
004012E4  |. |8AD8          |MOV BL,AL
004012E6  |. |8A06          |MOV AL,BYTE PTR DS:[ESI]
004012E8  |. |F6E3          |MUL BL
004012EA  |. |02C4          |ADD AL,AH
004012EC  |. |0005 18334000 |ADD BYTE PTR DS:[403318],AL
004012F2  |. |46            |INC ESI
004012F3  |. |49            |DEC ECX
004012F4  |.^\75 E8         \JNZ SHORT 004012DE

This is the loop; it is run 0x10 times. So we can generate the first 0xF chars at random and use the last char to reach the desired value 0x25.

ASCII TABLE


You can notice that the usable chars go from 0x20 to 0x7E
Above loop is always using AL, last byte. So desired value can be 0x25 or 0xXX25.

We do the loop 0xF times. What happens if count is at 0x50 and we need to reach 0x125, or if count is at 0x19 and we need to reach 0x25? Using only last char as corrector is NOT going to work.
0x125-0x50=0xD5 --> there is no ASCII value for 0xD5!!
0x25-0x19=0xC --> there is no ASCII value for 0xC!!

This way we can know that if count is between values 0x6 to 0x24 and from 0x26 to 0x7E, we cannot use only last char as corrector.

So we get 15 random chars and use the loop above, if count is outside above range, then we just do 0x25-0xX (if count is between 0x0 and 0x5) or 0x125-0xXX (if count is between 0x7F and 0xFF). We have our 16th and last char.
Chars can be null (if code is less than 16 chars), that won't change the count because it is multiplying and it will always add 0.
EDIT: We can use last char as corrector because it is multiplied by CL and in last loop CL = 1.

If count is inside the range:

If count is inside the range I mention above, we should use penultimate char to go out from that range, and last char to reach 0xXX25.
But the math for this is outside my knowledge, I don't think it is possible, too many unknowns.

CL = remaining loop count, starts on 0x10 and ends in 1
In the 15th loop, it does:
CL * CL = 2 * 2 = 4
ASCII * 4 = X
X is divided in hundreds and units and added.
Result is added to loop count and should give a value outside prohibited range.

It would be something like this:
4X = 100Y + Z // X is char, Y is hundreds as unit and Z is units
Y + Z + 50 = 100W + 25 // W is hundreds as unit, 50 is an example of total count till now

If someone can explain if this can be done without bruteforcing, I will be grateful.

[CROSS OUT]Can it be done reversing the loop and how would that be??[/CROSS OUT]
It would be the same if we do it backwards, we would need a specific char and the problem is still the same.

Last edited by cachito; 04-07-2016 at 08:31 PM.

04-07-2016, 10:35 PM   #12
Serial_Killer

let me answer your last question, with a question.

as author is doing calculations by bytes
we know that a byte can only contain values from 0x00 to 0xFF

if I ask you now what happens if the byte reaches 0xFF and we add 0x03

what value would now be in the byte (al)?
would it contain 0x102 or 0x02?

I hope you chose 0x02, otherwise I would be disappointed

now we guess you see that value in al 0x02

what number was calculated?
0xFE + 0x04
or maybe 0x01 + 0x01
or maybe 0xEC + 0x16

see, that's why it must be bruteforced!

Even your way is a bruteforce attack!

And who the hell says unlockcode must be 9 or more chars?

yes I know this was intended by the author, but hey, it's not our fault if he publishes such an app with a bug!

at the end it is our business, how can we beat protection XYZ, that's our hobby

Signature of Serial_Killer: CRACK REQUESTS in PM will land on shitlist!!

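Added example, not part of either post and not code from the crackme: a C emulation of the loop quoted in post #11, with a count that makes the wraparound argument of post #12 concrete. The function names are hypothetical, and the code assumes the byte at 403318 starts at 0, the input buffer is NUL-padded to 16 bytes, and ESI starts at the first character.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ADD AL,AH: fold the 16-bit product back into one byte, carry discarded. */
static uint8_t fold(unsigned ax) { return (uint8_t)((ax & 0xFF) + (ax >> 8)); }

/* One pass of the loop at 004012DE for counter CL and input byte [ESI]. */
uint8_t contribution(uint8_t cl, uint8_t ch) {
    uint8_t bl = fold((unsigned)cl * cl);  /* MOV EAX,ECX / MUL CL / ADD AL,AH / MOV BL,AL */
    return fold((unsigned)ch * bl);        /* MOV AL,[ESI] / MUL BL / ADD AL,AH */
}

/* Whole loop: CL runs 0x10..1 and the result accumulates in one byte.
 * Assumptions: accumulator starts at 0, buffer is NUL-padded to 16 bytes. */
uint8_t checksum(const char *code) {
    uint8_t buf[16] = {0}, sum = 0;
    size_t n = strlen(code);
    memcpy(buf, code, n > 16 ? 16 : n);
    for (unsigned i = 0; i < 16; i++)      /* ADD BYTE PTR [403318],AL */
        sum = (uint8_t)(sum + contribution((uint8_t)(16 - i), buf[i]));
    return sum;
}

/* Number of printable (0x20..0x7E) choices for the last two characters that
 * leave the accumulator at `target`, given `base` from the first 14 chars. */
unsigned tail_preimages(uint8_t base, uint8_t target) {
    unsigned count = 0;
    for (unsigned c15 = 0x20; c15 <= 0x7E; c15++)
        for (unsigned c16 = 0x20; c16 <= 0x7E; c16++)
            if ((uint8_t)(base + contribution(2, (uint8_t)c15)
                               + contribution(1, (uint8_t)c16)) == target)
                count++;
    return count;
}

int main(void) {
    printf("checksum(\"A\")  = 0x%02X\n", checksum("A"));
    printf("checksum(\"AA\") = 0x%02X\n", checksum("AA"));
    printf("two-char tails ending at 0x02: %u\n", tail_preimages(0, 0x02));
    return 0;
}
```

With base 0, 48 of the 9025 printable two-character tails end at 0x02, so the final byte alone cannot identify the input that produced it; the same property makes a single-byte accumulator a weak basis for a validity check.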

04-07-2016, 10:56 PM   #13
cachito

Quote:
Originally Posted by Serial_Killer
what number was calculated?
0xFE + 0x04
or maybe 0x01 + 0x01
or maybe 0xEC + 0x16

see, that's why it must be bruteforced!

That's what I thought, too many unknowns in the equation

Quote:
And who the hell says unlockcode must be 9 or more chars?

I think I saw that when I first checked it (25/06), but maybe I am confusing it with another target :P

Thanks for your answer!

05-07-2016, 04:21 AM   #14
Serial_Killer

you're welcome
so the answer to your last question is definitively, NO
the loop can not be reversed!

br
SK

08-07-2016, 01:07 AM   #15
ragdog

Quote:
Originally Posted by Serial_Killer
see, that's why it must be bruteforced!

Even your way is a bruteforce attack!

Hehe Cachito

All times are GMT +8.