tdennist
June 22nd, 2005, 10:32
So I've put about 5 total hours of work into this crackme, and I finally came up with what seemed like a plausible solution, so I plugged it in, and it did not work. Part of this I'm sure is due to my ineptitude as a programmer, and the other part is due to my lack of understanding (yet!) of reversing this kind of crackme.
The task is to create a keyfile of the correct length and data. The length I was able to find right away (19 characters), and the data....well, that's where I ran into trouble.
I'll attach the crackme later for you wizards to take a look at, but for now I'll tell you what I deduced and the Java program I wrote to reverse the algorithm.
As near as I can tell, this is what happens in the crackme. The program reads in the string located in the keyfile, and goes through a loop 19 times: (EAX = 0 initially)
- take the next char in the sequence, store it in ECX
- add eax,ecx
- ror eax,8
- xor eax,7B
And the end result is a word. The "correct" solution, which is compared to the calculated solution, is "0xAAE23242". So, I figure, simple enough, I'll just take that solution and run it through the algorithm backwards. This is what I deduced the backwards algorithm to be:
- EAX = 0xAAE23242 initially
- xor eax,7B
- rol eax,8
- AL is the next byte in the "good" sequence.
So if I just concatenate (spelling?) AL each turn through the loop onto the beginning of a variable, at the end I'll end up with the good sequence of characters, right? So I thought.
Here is the Java program (I'm sorry, I would have written it in C, but I am terrible at C) I wrote to do this task:
This printed out the hex string of the correct sequence of letters. It comes up with "99d13932e2aa424999d13932e2aa424999d139" which is 38 chars, or 19 bytes, so it's the correct length. Now, I wrote a C program to print out the character equivalents of each of those bytes:
And this prints out (I don't know if this will copy/paste correctly) "™Ñ92âªBI™Ñ92âªBI™Ñ9". So, I paste this final string into the keyfile, and launch the crackme with fingers crossed and....nope.
As you can see I've put quite a large amount of thought and effort into this, and now any help you can offer will be greatly appreciated.
Thanks for your time and help!
-tdennist
(target crackme attached; I hope that's all right.)
The task is to create a keyfile of the correct length and data. The length I was able to find right away (19 characters), and the data....well, that's where I ran into trouble.
I'll attach the crackme later for you wizards to take a look at, but for now I'll tell you what I deduced and the Java program I wrote to reverse the algorithm.
As near as I can tell, this is what happens in the crackme. The program reads in the string located in the keyfile, and goes through a loop 19 times: (EAX = 0 initially)
- take the next char in the sequence, store it in ECX
- add eax,ecx
- ror eax,8
- xor eax,7B
And the end result is a word. The "correct" solution, which is compared to the calculated solution, is "0xAAE23242". So, I figure, simple enough, I'll just take that solution and run it through the algorithm backwards. This is what I deduced the backwards algorithm to be:
- EAX = 0xAAE23242 initially
- xor eax,7B
- rol eax,8
- AL is the next byte in the "good" sequence.
So if I just concatenate (spelling?) AL each turn through the loop onto the beginning of a variable, at the end I'll end up with the good sequence of characters, right? So I thought.
Here is the Java program (I'm sorry, I would have written it in C, but I am terrible at C) I wrote to do this task:
Code:
//created 6/21/05 to reverse a keyfile checksumming algorithm
//practice practice practice makes perfect perfect perfect!
class ReverseKeyfile
{
public static void main(String[] args)
{
int[] bytes = {0xAA, 0xE2, 0x32, 0x42};
int result;
String keyfile = "";
for (int i=1; i<=19; i++) {
bytes[3] ^= 0x7B;
result = bytes[3];
keyfile = Integer.toHexString(result) + keyfile;
//rotate left by one byte:
int[] temp = {0,0,0,0};
temp[0] = bytes[1];
temp[1] = bytes[2];
temp[2] = bytes[3];
temp[3] = bytes[0];
bytes = temp;
}
System.out.println("Keyfile should contain: " + keyfile);
System.out.println("keyfile length: " + keyfile.length());
}
}
This printed out the hex string of the correct sequence of letters. It comes up with "99d13932e2aa424999d13932e2aa424999d139" which is 38 chars, or 19 bytes, so it's the correct length. Now, I wrote a C program to print out the character equivalents of each of those bytes:
Code:
#include <stdio.h>
int main() {
char code[] = {0x99,0xd1,0x39,0x32,0xe2,0xaa,0x42,0x49,0x99,0xd1,0x39,0x32,0xe2,0xaa,0x42,0x49,0x99,0xd1,0x39};
int i=0;
for (i=0; i<=18; i++) {
printf("%c",code[I]);
}
return 0;
}
And this prints out (I don't know if this will copy/paste correctly) "™Ñ92âªBI™Ñ92âªBI™Ñ9". So, I paste this final string into the keyfile, and launch the crackme with fingers crossed and....nope.
As you can see I've put quite a large amount of thought and effort into this, and now any help you can offer will be greatly appreciated.
Thanks for your time and help!
-tdennist
(target crackme attached; I hope that's all right.)