
Key generation


rebx
December 16th, 2011, 06:09
Hey all! First post here, and I've got a question. I recently cracked my very first crackme; well, I didn't crack it, but I had to give it a correct username/password. However, I didn't get to the right result by the method I originally imagined I would have to use. The algorithm that the username uses is simple:

Code:

    xor edi, edi
    xor ebx, ebx
    ; for each letter in the string:
    mov ebx, [letter]
    imul edi, 0a
    add edi, [ebx-30]
    ; once done:
    xor edi, 5678


And the password algo is something very similar and simple as well. I imagined I would get an answer by backtracking through the equations; however, this did not go well, and I basically had to try every letter combination to find a correct one. And so my question: if backtracking was impossible (as in, having to use a guess-and-check method) for such a simple algorithm, is the art of key generation really just the art of brute forcing? Is there a way I can find the input to equation 2 that gives me the same output as equation 1, from the output of equation 1, without resorting to brute force?

Well, Cheers all and happy holidays.

Darkelf
December 16th, 2011, 15:13
Well, there is no need to brute-force this at all.

Assuming that the last operation (xor edi,5678) must yield zero, your pass/serial/whatever would be 22136 (though others are possible with so little information). The algorithm does the following: it takes numbers and concatenates them in the sequence they appear.
More mathematically, it does this: (((x1 * 10 + x2) * 10 + x3) * 10 + x4) * 10 + x5 and so on.
If there are for instance eight numbers you can simplify this to: x1.x2x3x4x5x6x7x8 * 10^7, or more abstractly: x1.x2...xn * 10^(n-1)
Example: 2.2136 * 10^4 = 22136 with x1 = 2, x2 = 2, x3 = 1, x4 = 3 and x5 = 6
So, now that you know your numbers are just concatenated, you'll also see that the result is xored with 0x5678, which is 22136 (dec).
That's it.

Look at the algo:
xor edi, edi <- zero edi
xor ebx, ebx <- zero ebx

mov ebx,[letter] <- after that ebx holds the hex value of the letter (for numbers this is 0x30 to 0x39, i.e. '0' - '9')
imul edi, 0a <- result * 10 (dec); it's zero in the first run
add edi, [ebx-30] <- add the original number to the result; for the number 5 this is 0x35 - 0x30 = 5 again

xor edi,5678 <- xor the result with 0x5678, or 22136 (dec)

That was easy wasn't it?!

Hope that helps.

To answer your question: sometimes brute-force is the only way, but that's rare.
There is no mightier weapon than pen and paper.

Regards
darkelf
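To make the pen-and-paper inversion in the answer above concrete, here is an added Python example; it is not code from the thread or from the crackme. It models the username routine rebx quoted, derives a serial for a chosen result in closed form (no search), and builds a second preimage analytically, which is the "others possible" Darkelf mentions. Assumed: edi is a 32-bit register that wraps, each letter is one byte, and the wanted result is zero as Darkelf reads it. The password routine is not shown in the thread and is not modeled.

```python
# Added example (not from the thread): a model of rebx's username routine
# and its pen-and-paper inverse, as Darkelf describes. Assumptions marked.
MAGIC = 0x5678          # the constant from "xor edi, 5678" (= 22136 decimal)
MASK = 0xFFFFFFFF       # assumption: edi is 32 bits, so the arithmetic wraps


def name_hash(name: str) -> int:
    """Model of the posted loop: edi = edi*10 + (byte - 0x30) per byte, then xor."""
    edi = 0
    for byte in name.encode("latin-1"):     # assumption: one byte per letter
        edi = (edi * 10 + (byte - 0x30)) & MASK
    return edi ^ MAGIC


def keygen(target: int) -> str:
    """Invert name_hash for a wanted result without any search.

    xor is its own inverse, so the value in edi before the final xor must be
    target ^ MAGIC. The loop just builds the decimal number spelled by the
    digits, so that number's decimal representation is a valid name.
    Darkelf's reading (the check wants zero) is target == 0, giving "22136".
    """
    if not 0 <= target <= MASK:
        raise ValueError("target must fit in 32 bits")
    return str(target ^ MAGIC)


def collide(name: str) -> str:
    """Build a second preimage analytically, showing why the answer is not unique.

    The loop never checks that a byte is a digit: a byte of 0x30 + d + 10
    contributes d + 10. Lowering the second-to-last digit by one and raising
    the last position by ten leaves the running value unchanged.
    """
    if len(name) < 2 or not name.isdigit() or name[-2] == "0":
        raise ValueError("need at least two digits and a non-zero tens digit")
    d1, d0 = int(name[-2]), int(name[-1])
    return name[:-2] + str(d1 - 1) + chr(0x30 + d0 + 10)


if __name__ == "__main__":
    serial = keygen(0)
    print(serial, hex(name_hash(serial)))           # 22136 0x0
    twin = collide(serial)
    print(repr(twin), hex(name_hash(twin)))         # '2212@' 0x0
```

The point of `collide` is the caveat a keygen writer cares about: the routine treats every byte as a digit by subtracting 0x30, so non-digit bytes also map to valid values, and the check has many accepted inputs. Which of them the crackme's password side needs depends on the second routine, which the thread does not show.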

Woodmann
December 16th, 2011, 23:37
Quote:
To answer your question: sometimes brute-force is the only way, but that's rare.
There is no mightier weapon than pen and paper.


Indeed.

Know your code.

Woodmann

rebx
December 17th, 2011, 06:14
I am very thankful for your simple and clear answer.

Darkelf
December 17th, 2011, 12:46
You're welcome.
I'm glad I could help you a bit on your way into the realm of RCE.
Feel free to ask questions over and over again. It's the key to a better understanding.

Regards