
View Full Version : REPNE SCASB ?@$#!


MaTRiX_2k
December 23rd, 2000, 13:07
Hello there,

I am a newbie, having the experience of cracking some hardwired (serial, reg) crackme tuts and also some xor ones.
It was this chess program (Chess Partner 4.3) I was trying to crack.
I traced and bpm'd the dummy name (pwd, serial no.) and then I came to this
section of the program:-

ret 0008
push ebp
mov ebp,esp
push ecx
push edi
mov edi,[ebp+08]
or ecx,-01
xor eax,eax
cld
016f:bbf7117e repnez scasb -> bpm'd and got kicked here
or eax,-02
sub eax,ecx
pop edi
pop ecx
leave
ret 0004
phew!

I am unable to trace my dummy name after the repnez scasb loop;
please help me out.

signing out
MaTRiX_2k

Bratsch
December 23rd, 2000, 22:03
repnez scasb scans each byte in the string pointed to by the pair ES:EDI against the byte contained in al. It automatically increments EDI, to point to the next byte, and ECX, to keep the count. It looks like a convoluted way to find the end of the string (a zero-terminated string) and find its length. Look at the comments:

ret 0008          ; Previous call returns
push ebp          ; Standard beginning of a call
mov ebp,esp       ; save the ebp and move esp in its place to access
                  ; the local variables in the stack

push ecx          ; Preserve the value of ecx
push edi          ; Preserve the value of edi
mov edi,[ebp+08]  ; edi has the address of your string. Type in Sice
                  ; d ES:EDI and you will see your serial or whatever
                  ; in the data area
or ecx,-01        ; ECX now contains FFFFFFFF (-1)
xor eax,eax       ; EAX is equal to 0. That is the null terminator
                  ; of a string

cld               ; make the direction flag zero so the scan proceeds
                  ; forward; if it is set to one, the scan would be
                  ; backwards
repnez scasb      ; repeat until the byte in al (now zero) and the byte
                  ; pointed to by ES:EDI are equal; scan for the end of
                  ; the string, in other words. ECX increases after each
                  ; compare. It contains the length of the string. As we
                  ; started from -1 it does not count the null character
                  ; at the end
or eax,-02        ; eax should be FFFFFFFE
sub eax,ecx       ; and we subtract the length of the string in ecx.
                  ; eax now contains the negative of the length of the
                  ; string minus 1
pop edi           ; restore the saved EDI
pop ecx           ; restore the saved ecx
leave             ; restores esp and ebp to their original values
ret 0004          ; return discarding 4 bytes in the stack
phew!             ; Not that hard. Look up the opcodes in
                  ; webster.cs.ucr.edu/Page_asm/Doc386/ or any ASM
                  ; reference page.
The encoded length of the string is returned in EAX. The string in question was in the stack at ebp-08. You need to trace more; this call only checked the size of the key.

Hope this helps.

Bratsch

Lord Soth
December 23rd, 2000, 22:15
Here's the code, commented :

push ebp          ; store ebp
mov ebp,esp       ; take stack pointer
push ecx          ; store ecx
push edi          ; store edi
mov edi,[ebp+08]  ; get stack variable
or ecx,-01        ; ecx = 0ffffffffh
xor eax,eax       ; eax = 0
cld               ; clear direction flag
016f:bbf7117e repnez scasb -> bpm'd and got kicked here
or eax,-02
sub eax,ecx
pop edi
pop ecx
leave
ret 0004

Well my friend, you stumbled across the simplest of string length algorithms.
Or so it SEEMS.
EDI is loaded IMO with the address of the string, the direction flag is cleared, eax is set to 0, ecx is set to max (4g), and then it scans for a null terminator (00h byte).
The value in AL is the value the scasb is scanning for. Each time scasb is used, it will compare the byte pointed to by edi with AL. If they are equal, the loop will exit.
In any case, edi is always incremented by 1 (because this is scan-string-byte) if the direction flag is cleared (or decremented if set).
Then comes a weird part. OR with -2 (FFFFFFFEh) will cause all bits in EAX except the least significant bit to be set.
Then they subtract ECX from EAX.
This is an equivalent way of having to NOT ECX and then add 1 (I'm almost certain hehe..)

You shouldn't be concerned with this particular code because it doesn't move your string data anywhere and it doesn't calculate any special things from it.

LS
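Editor's note, added as a worked example after both replies (this is not code from Bratsch, Lord Soth or Chess Partner). The C below models the routine register by register: it emulates REPNE SCASB with the direction flag clear and then applies the same "or eax,-2 / sub eax,ecx" finish, so the value that ends up in EAX can be checked against a real strlen(). Instruction semantics follow the Intel manual: with the REPNE prefix the CPU stops when ECX is already zero, otherwise compares AL with the byte at EDI, post-increments EDI, decrements ECX, and exits early once ZF is set. Carried through, ECX is -1 minus the n+1 bytes scanned, i.e. -(n+2), and -2 - (-(n+2)) = n, so the routine hands back the plain length of the name. The regs_t struct, the function names and the sample strings are my own assumptions for illustration; the "not ecx / dec ecx" variant is included because it is the finish most compilers inline for strlen and computes the identical value (~ECX - 1 == -2 - ECX).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the 32-bit registers the traced routine touches (names assumed). */
typedef struct {
    uint32_t eax;
    uint32_t ecx;
    const uint8_t *edi;   /* stands in for ES:EDI; a flat pointer here */
    int zf;               /* zero flag left by the last compare */
} regs_t;

/* REPNE SCASB with DF = 0 (i.e. after CLD):
 * while (ECX != 0) { ZF = (AL == [EDI]); EDI++; ECX--; if (ZF) break; } */
static void repne_scasb(regs_t *r)
{
    uint8_t al = (uint8_t)(r->eax & 0xFF);
    while (r->ecx != 0) {
        r->zf = (al == *r->edi);
        r->edi++;
        r->ecx--;
        if (r->zf)
            break;
    }
}

/* Runs the body of the traced routine (everything between the pushes and
 * the pops) on s and leaves the final register state in *out. */
static void run_traced_body(const char *s, regs_t *out)
{
    regs_t r;
    r.edi = (const uint8_t *)s;   /* mov edi,[ebp+08] : pointer argument   */
    r.ecx = 0xFFFFFFFFu;          /* or ecx,-01       : "scan forever"     */
    r.eax = 0;                    /* xor eax,eax      : AL = 0 = terminator */
    r.zf  = 0;
    repne_scasb(&r);              /* cld ; repnez scasb (BPM fires here)  */
    r.eax |= 0xFFFFFFFEu;         /* or eax,-02       : EAX = -2           */
    r.eax -= r.ecx;               /* sub eax,ecx      : EAX = -2 - ECX     */
    *out = r;
}

/* Value the traced routine returns in EAX. */
uint32_t traced_strlen(const char *s)
{
    regs_t r;
    run_traced_body(s, &r);
    return r.eax;
}

/* ECX as REPNE SCASB leaves it: -1 minus the bytes scanned, i.e. -(n+2). */
uint32_t ecx_after_scan(const char *s)
{
    regs_t r;
    run_traced_body(s, &r);
    return r.ecx;
}

/* Bytes consumed by the scan: the n characters plus the terminator. */
size_t bytes_scanned(const char *s)
{
    regs_t r;
    run_traced_body(s, &r);
    return (size_t)(r.edi - (const uint8_t *)s);
}

/* The finish most compilers inline instead ("not ecx ; dec ecx");
 * ~ECX - 1 == -2 - ECX, so it yields the same length. */
uint32_t not_dec_strlen(const char *s)
{
    regs_t r;
    run_traced_body(s, &r);   /* reuse the scan; the EAX it computed is ignored */
    return ~r.ecx - 1u;
}

int main(void)
{
    /* Constructed sample inputs, including the empty-string edge case. */
    const char *samples[] = { "", "A", "MaTRiX_2k", "12345-67890" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("\"%s\": ECX=%08X bytes=%zu EAX=%u not/dec=%u strlen=%zu\n",
               s, ecx_after_scan(s), bytes_scanned(s), traced_strlen(s),
               not_dec_strlen(s), strlen(s));
    }
    return 0;
}
```

Two practical points follow from the model. The breakpoint-on-memory fires at the scasb because that is the only instruction in the routine that reads the name buffer; nothing here copies or transforms it, which is why tracing inside the loop finds nothing of interest. And because the routine's only product is the length in EAX, the next useful breakpoint is on whatever consumes EAX after the `ret 0004` (which also pops the pointer argument), where a length check or the real serial arithmetic will be.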