View Full Version : LoginBox


kP^
December 21st, 2003, 05:45
Hello !

Using a tiny RTL for Borland's Delphi environment, a few Windows APIs and some of my school time, I wrote this LoginBox, for those who want to test their reversing skills.

The username is very common, and the password not longer than 5 characters.
Anyone?

mark0x
December 21st, 2003, 10:37
I'm a relative 'noob' but am having a look - seems interesting thus far

kP^
December 29th, 2003, 21:01
The solution is not hard to trace.
Login information isn't longer than 8 characters, so one call patch and a few lines of backtracking code could do it.

ZaiRoN
December 30th, 2003, 18:13
Hi All,
is mark0x the only one that is working on this nice target? I did take a glance at the target and I found that MD5 is used. Seems like MD5 is becoming very popular these days.
IIRC it is not the proper classical MD5... kP^ has changed the initialization constants; here are the new values:
Code:
0040872D MOV DWORD PTR DS:[EBX],17452301
00408733 MOV DWORD PTR DS:[EBX+4],2FCDAB89
0040873A MOV DWORD PTR DS:[EBX+8],38BADCFE
00408741 MOV DWORD PTR DS:[EBX+C],40325476
It's not much but maybe could break the ice...

Best regards,
ZaiRoN

mark0x
December 30th, 2003, 21:34
I've been sidetracked with other things recently but will have another look soon.. I recall the app did something like execute itself with some command line params depending on what you entered (or I could be going insane).. and yeah I noticed that it was using md5 from running peid on it (also said something about twofish).. IIRC this prompted me to download a load of crypto ebooks so I could look into how they worked

Hopefully won't be too long before I can revisit it again

JMI
December 31st, 2003, 02:33
Maybe it has MD5 because the net is full of scripts for writing login pages that use MD5 as part of their cookie construction for intersession surfing.

Regards,

kP^
December 31st, 2003, 09:47
Indeed ZaiRoN, you got that right.
Later on, I've also non-standardly initialized Twofish.

I'm not good at reversing, so I only used asm programming for protecting my code.
I have chosen not to pack/scramble the PE in any way (although I have my own personal protector) because I think this technique aims to keep exe-snoopers away and it's useless against anyone persistent enough to find the original entry point and do a plain memory dump.

Also, I've tried to "escape" OllyDbg by creating another instance of my process and running external code; results are passed as the exit code to the ExitProcess function. The thread's priority explains the delay.

If a reverser understands that the password's edit-box has not been 'touched' (read) to this point, he could guess that until this phase, just the username is validated.

The password is later (if the username's hash corresponds) checked by initing new hashes to decrypt a block of code in Twofish (e.g. the 'good boy' procedure). If the unlocked code turned out good, the call is made. If he'd reverse the jumps (invalid code ahead), the application would call junk code and crash.

That's pretty much the essential information reversing could give him: password-encrypted code.