
View Full Version : floating point crackme challenge


ZaiRoN
August 7th, 2002, 19:17
hi all!

what about a floating point crackme?
i think this could be an interesting project and someone could learn something new

some info about the crackme:
the crackme is definitely easy and works with simple instructions in order to make you familiar with this new *world*.
you should reverse the algo and find a valid name/serial combination; a keygen is gladly accepted
this is my first fpu based proggie so if you'll find bug(s) or something else let me know!

how to deal with floating point crackme?
basically there's no difference from other crackmes...you have to step through the code
it's important to take a look at the floating point stack.
for softice users:
enable the floating point stack window using the command 'wf' and switch the data window representation using shift-F3 for long real numbers.
for olly users:
the floating point stack is just in front of you, you only need to change the data representation (float - 64 bit double)

hmmm...fpu !?! what is this?
i'm not the right person to explain these things, so for those who have never seen (or heard) the words 'floating-point unit' before, i would like to suggest some nice readings:
- chapter 14 from 'art of assembly':
cs.smith.edu/~thiebaut/ArtOfAssembly/artofasm.html
- from intel:
intel.com/design/intarch/techinfo/Pentium/fpu.htm
- a couple of basic tutorials:
redbrick.dcu.ie/~eoin/fpu1.htm
redbrick.dcu.ie/~eoin/fpu2.htm

ok, that's all! i'm here for any question(s).

good luck,
ZaiRoN
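The two things the post above tells you to watch, the data window switched to "long real" (64-bit double) and the FPU stack window, can be modelled in a few lines. The block below is an added example, not code from the crackme or from anyone in the thread: `decode_long_real` splits eight little-endian bytes into sign, biased exponent and fraction the way the debugger's 64-bit double view does, and `X87Stack` is a deliberately small model of the eight-register x87 stack (ST(0) on top, `fld` pushes, `fmulp` multiplies ST(1) by ST(0) and pops, `fstp` pops to memory). The sample values and the three-factor product are constructed for illustration; the model keeps intermediates as Python doubles, so the real chip's 80-bit internal precision is not reproduced.

```python
import struct

def decode_long_real(raw: bytes) -> dict:
    """Decode 8 little-endian bytes as an IEEE-754 binary64 ('long real').
    Returns the raw fields plus the value rebuilt by hand, so you can check
    what the debugger's 64-bit double view is showing you."""
    if len(raw) != 8:
        raise ValueError("a long real is exactly 8 bytes")
    bits = int.from_bytes(raw, "little")
    sign = bits >> 63
    exp = (bits >> 52) & 0x7FF            # 11-bit biased exponent (bias 1023)
    frac = bits & ((1 << 52) - 1)         # 52-bit fraction (implicit leading 1)
    if exp == 0x7FF:                      # all-ones exponent: Inf or NaN
        kind = "nan" if frac else "inf"
        value = float("nan") if frac else (float("-inf") if sign else float("inf"))
    elif exp == 0:                        # zero or subnormal: no implicit 1
        kind = "zero" if frac == 0 else "subnormal"
        value = (-1) ** sign * frac * 2.0 ** -1074
    else:
        kind = "normal"
        value = (-1) ** sign * (1 + frac / 2 ** 52) * 2.0 ** (exp - 1023)
    return {"sign": sign, "exponent": exp, "fraction": frac,
            "kind": kind, "value": value}


class X87Stack:
    """Minimal model of the x87 register stack: index 0 is ST(0)."""

    def __init__(self):
        self.st = []

    def fld(self, x: float) -> None:
        """FLD: push a value; the chip has only 8 registers."""
        if len(self.st) == 8:
            raise OverflowError("x87 stack is full (8 registers)")
        self.st.insert(0, float(x))

    def fmulp(self) -> None:
        """FMULP ST(1), ST(0): ST(1) = ST(1) * ST(0), then pop."""
        self.st[1] *= self.st[0]
        self.st.pop(0)

    def fstp(self) -> bytes:
        """FSTP qword ptr [mem]: pop ST(0) and store it as 8 bytes."""
        return struct.pack("<d", self.st.pop(0))


def multiply_blocks(a: float, b: float, c: float) -> bytes:
    """Constructed sequence: load three values, multiply them together on
    the FPU stack and store the result as a long real in memory."""
    fpu = X87Stack()
    fpu.fld(a)
    fpu.fld(b)
    fpu.fld(c)
    fpu.fmulp()                # ST(0) = b * c
    fpu.fmulp()                # ST(0) = a * (b * c)
    return fpu.fstp()          # 8 bytes, as the data window would show them


if __name__ == "__main__":
    mem = multiply_blocks(3.5, 2.0, -0.25)   # constructed sample values
    fields = decode_long_real(mem)
    print("raw bytes :", mem.hex())
    print("fields    :", fields)
    print("struct    :", struct.unpack("<d", mem)[0])
```

Reading the hex bytes next to the decoded fields is the quickest way to get used to spotting a double in a raw memory dump: the high byte carries the sign and the top of the exponent, and a run of zeros at the low end usually means a "round" value such as a small integer or a power of two.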

GodsJiva
August 9th, 2002, 05:19
How bizarre, a program in the Newbies forum also uses fp in its routine. The guy's (gal?) trying to patch it, but take a look if you want a real-life routine (of similar complexity really, maybe even less, to ZaiRoN's crackme) using fp.

h**p://www.woodmann.net/forum/showthread.php?postid=19092 is the thread.

Then try my keygenme! Using floating point commands ages ago

nikolatesla20
August 9th, 2002, 16:50
GodsJiva, I was working on your keygenme for a while, ugh I got sick of it

I was able to rip your code and reproduce your routines using it, I tried to bruteforce some but it ( at least the first 8 serial chars) was taking forever so I forgot about it for now.

I do know this:

Serial is ALWAYS 16 chars, no matter what. This is because of one of the checks described below.

Copy name string
Scan name string, subtract 20h from each character in place.
Do calculations on every two characters, store results in ecx word ptrs.
Do floating point calculation, multiplying all three name calc blox together.

Once that is done, do similar with Serial text.

ONE BIG CHECK is : Calculated code serial block 6 ( last 3 chars of serial) must match calculated code name block 1 (first 3 chars of name). Piece of cake on that one. I even made a bruteforcer for 3 chars for it, it gets it right away, even tho the equation is:

4096x + 64y + z

for serial block 6. x, y, z are last three chars ascii code

name block 1 equation is

1024x + 16y + (z / 4)

This leaves you with 13 chars. There are some calcs being done on the first eight values of the calc serial.

After that I got bored and sick of it

----------------
Zairon, I have started to look at yours too but vacation is coming up soon for me and I am starting to get very annoyed at looking at code. Hmmm me feels sick now. Code is getting to me....
---------------


-nt20

GodsJiva
August 9th, 2002, 17:32
Hehe, you did the easy bit. You dun need to express it all as equations, if you think about what the equations actually do, you can express that bit in a sentence or two. Look at the bits

You didn't even see the md5 hash

Anyway, you shouldn't need to bruteforce it at all. It's not that type of keygenme (well it wasn't meant to be)...

Have another look, write things down, it's simple once you understand what's going on.

Thanks for looking, it's more than almost anyone else has

Maybe I made it too hard... or too long... I tried to make the code easy to follow :P Maybe time for a kgme number 2...

ZaiRoN
August 9th, 2002, 17:48
hi!
i'm happy to see that someone is working on GodsJiva's keygenme but this is not the right thread...
anyone who wants to continue the discussion can post message(s) in this thread:
http://www.woodmann.net/forum/showthread.php?threadid=2475

thx & good luck!!!
regards,
ZaiRoN

GodsJiva
August 9th, 2002, 18:38
Sorry ZaiRoN, kinda distracted the thread like u said

I think my thread is doomed, no one else ever posted there :P That's my excuse anyway

Bet you'd make a good manager/teacher, hehe.

Anyway, I've had a quick look at yr crackme, if I get the time over the next few days I'll report back, sir!

Btw to all, the IA-32 Intel® Architecture Software Developer’s Manual Volume 2: Instruction Set Reference contains a lot of good info on all Intel opcodes, including fp ones. A very valuable pdf, 24547104.pdf is its name, it's on the web somewhere (legally, it's free).

ZaiRoN
August 9th, 2002, 19:05
hi GodsJiva,
no problem! you don't have to excuse yourself

ciao,
ZaiRoN