tdennist
March 21st, 2005, 21:04
So, I (hopefully!) successfully reversed using OllyDbg this crackme that asks for a name and then calculates the serial from the name. Here's what I discerned to be the algorithm:
Code:
004012BA /$ 53 PUSH EBX ; 0
004012BB |. 56 PUSH ESI ; our serial
004012BC |. 57 PUSH EDI ; our name
004012BD |. BF 88304000 MOV EDI,keygen_#.00403088
004012C2 |. 33C0 XOR EAX,EAX
004012C4 |. 33DB XOR EBX,EBX
004012C6 |. 33C9 XOR ECX,ECX ; zero out our counter register
004012C8 |> 8A1C39 /MOV BL,BYTE PTR DS:[ECX+EDI] ; this will move into BL the letters of the name individually, depending on ecx our counter
004012CB |. 84DB |TEST BL,BL ; test to see if we have a letter
004012CD |. 74 08 |JE SHORT keygen_#.004012D7 ; jump if there are no more letters
004012CF |. 03C3 |ADD EAX,EBX ; add ebx to the value of eax
004012D1 |. 83C0 10 |ADD EAX,10 ; increase the letter val by 10. i.e. 74 becomes 84
004012D4 |. 41 |INC ECX ; increment our counter
004012D5 |.^EB F1 \JMP SHORT keygen_#.004012C8
004012D7 |> 50 PUSH EAX ; /push final serial to stack
004012D8 |. 68 76304000 PUSH keygen_#.00403076 ; |Format = "%X"
004012DD |. 68 D0304000 PUSH keygen_#.004030D0 ; |s = keygen_#.004030D0
004012E2 |. E8 1F000000 CALL <JMP.&user32.wsprintfA> ; \call wsprintf, storing final serial in keygen_#.004030D0
004012E7 |. 83C4 0C ADD ESP,0C ; clean up stack
004012EA |. 5F POP EDI
004012EB |. 5E POP ESI
004012EC |. 5B POP EBX
004012ED \. C3 RETN
With comments that I made to the side. So, I run the application in OllyDbg and try the string "tyler" as the name, and "280" as the serial, and lo and behold, it works! However, if I run the program from windows and try the same name/serial combination, it does not work.
(Also odd is that my keygen which I wrote in Perl generates the serial number "280" for the name "tyler", which apparently is correct, but when I try other generated serials, they don't work through OllyDbg OR Windows! Is it legal for me to post my Perl here, too, and have someone go over that?)
So you see, I've done my stuff...I found the algorithm (or what I believe to be it) and I made the keygen. In other words...don't go ballistic calling me a newbie and such ;-). I did what I think is right, and now I just have some questions.
Thanks!
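A Python re-implementation of the routine at 004012BA, written from the disassembly in the post above; this is an added example, not the poster's Perl keygen, and the sample names fed to it are constructed:

```python
# Added example: re-implementation of the serial routine shown in the listing,
# derived instruction by instruction from the OllyDbg disassembly (not the
# original poster's Perl code).
MASK32 = 0xFFFFFFFF  # EAX is a 32-bit register; keep the arithmetic in range


def serial_value(name: str) -> int:
    """Mirror the loop at 004012C8..004012D5: accumulate each byte of the
    name into EAX and add 0x10 per character, stopping at the NUL terminator."""
    eax = 0  # XOR EAX,EAX
    for byte in name.encode("latin-1"):  # MOV BL,BYTE PTR DS:[ECX+EDI]
        # EBX was zeroed, so ADD EAX,EBX adds just the raw byte value in BL
        eax = (eax + byte) & MASK32  # ADD EAX,EBX
        eax = (eax + 0x10) & MASK32  # ADD EAX,10 (hex 10, i.e. decimal 16)
    return eax


def keygen(name: str) -> str:
    """wsprintfA with format "%X": the serial is the accumulator printed as
    uppercase hexadecimal digits with no leading zeros."""
    return "%X" % serial_value(name)


if __name__ == "__main__":
    for sample in ("tyler", "a", "Tyler"):  # constructed sample names
        print(f"{sample!r} -> {keygen(sample)}")
```

Because the format string is "%X", the accepted serial is the hex rendering of the sum (0x280 for "tyler"), so the same value typed in decimal (640) does not match.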