Monday, 14 May 2000
Tutorial written by Falcon
Target: Pusillus crackme 1.0
Where: http://www.crackmes2.cjb.net
Tools: SoftIce, math knowledge
Level of difficulty: 2-3
Essay: {The tutorial is best viewed using 800x600...}
Contact me: falcon_geno@mail.ru

Today I want to share the algorithm I worked out for registering this program. First of all, this was the first crackme where I saw so much XORing.
The only operations used to build the serial check are XORs; you will also see how the program compares every byte computed from your serial with the real ones.
Let's execute the program and make the dialog box say that we have reversed it....
1:-Execute it and enter something as the serial.
2:-Activate SoftIce and set a breakpoint on the call that reads the edit box: bpx GetWindowTextA.
3:-Press Enter, then F5, and you're back in Windows. Press the button.
4:-Let's assume the serial you entered is X1X2X3X4X5X6X7X8 {Why 8 chars? You will see.}
5:-You should be here: 004010B0 CALL 004010C9 {This is our main CALL. Press F8 to step into it.}
004010C9 PUSH ESI {Load to stack the value of ESI}
004010CA PUSH EDI {Load to stack the value of EDI}
004010CB PUSH ECX {Load to stack the value of ECX}
004010CC XOR ESI, ESI {ESI=(ESI xor ESI)=0}
004010CE XOR EDI, EDI {EDI=(EDI xor EDI)=0}
004010D0 MOV ECX, 00000008 {Here the program tells us what the length of the serial should be: 8, as mentioned. ECX=8 is the loop counter; every loop below walks exactly 8 bytes.}
004010D5 MOV ESI, 00403044 {Loads the address,where our serial is located,to ESI.}
004010DA XOR BYTE PTR [ESI], 32 {As we pass this point, the program XORs one char of your serial with 32h. It will happen to all your chars.}
004010DD INC ESI {Shifts to the next char.}
004010DE LOOP 004010DA {As I said, this command jumps back to the beginning of the loop and XORs the next char, until ECX=0.}
Result of the previous LOOP:
X1:=X1 xor 32=A1 {I denoted the result as A..,to make it easier to understand.}
X2:=X2 xor 32=A2
X3:=X3 xor 32=A3
X4:=X4 xor 32=A4
X5:=X5 xor 32=A5
X6:=X6 xor 32=A6
X7:=X7 xor 32=A7
X8:=X8 xor 32=A8
004010E0 MOV ESI, 00403044 {The address of the changed serial is in ESI; by typing d 00403044 in the data window you can see the bytes after the first loop.}
004010E5 MOV ECX, 00000004 {ECX=4}
004010EA MOV AL, [ESI] {Takes a new value that you got after first loop and MOVes it to AL register.}
004010EC MOV BL, [ESI+1] {Takes next number and MOVes it to BL}
004010EF XOR AL, BL {XORing of 2 numbers. AL=AL xor BL}
004010F1 MOV [EDI+0040304C], AL {Stores AL right after the 8th position of the serial, next to the bytes you got after the first loop.}
004010F7 ADD ESI, 02 {Shifts to the next 2 numbers.}
004010FA INC EDI {Increase EDI..EDI=EDI+1}
004010FB LOOP 004010EA {Jump to the given address to repeat the same procedure until ECX is equal to 0.}
Result of the previous LOOP:
A1 xor A2=B1 {These are the values that will be stored}
A3 xor A4=B2
A5 xor A6=B3
A7 xor A8=B4
004010FD MOV ESI, 0040304C {Here is the address where the stored bytes are located. Type d 0040304C and you'll see the same bytes that you got after the last loop.}
00401102 MOV AL, [ESI] {Takes first stored number and MOVes it to AL}
00401104 MOV BL, [ESI+01] {Takes second stored number and MOVes it to BL}
00401107 XOR AL, BL {XORing of these numbers. AL=AL xor BL}
00401109 MOV BL, [ESI+02] {Takes 3rd stored number and MOVes it to BL}
0040110C MOV CL, [ESI+03] {Takes last stored number and it is in CL}
0040110F XOR BL, CL {XORing of these numbers. BL=BL xor CL}
00401111 XOR AL, BL {XORing of 2 numbers. AL=AL xor BL}
Result of the previous piece of code:
C1=B1 xor B2 {Let me repeat: I am choosing this notation to make it easier for you.}
C2=B3 xor B4
M=C1 xor C2 {This is the very important number M. Its value is in AL.}
00401113 MOV ECX, 00000008 {ECX register takes the value 8}
00401118 MOV ESI, 00403044 {By this address,the numbers after first loop are located.Type d 00403044 to see them}
0040111D XOR [ESI], AL {Here's the final operation on the serial: XORing of the bytes you have after the first loop with M.}
0040111F INC ESI {ESI=ESI+1..Shifting to the next number to XOR}
00401120 LOOP 0040111D {Repeat the operation until ECX=0}
Result of the previous LOOP:
F1=A1 xor M {F(i) represents our Final value that you have to get in order to crack it}
F2=A2 xor M
F3=A3 xor M
F4=A4 xor M
F5=A5 xor M
F6=A6 xor M
F7=A7 xor M
F8=A8 xor M
00401122 MOV ECX, 00000008 {ECX=8, our loop counter}
00401127 MOV ESI, 00403044 {MOVes the address of our Final results to ESI}
0040112C MOV EDI, 00403008 {MOVes the address where the real numbers are located to EDI. You can see them by typing d 00403008; in the data window you will see that our final values should be: 71 18 59 1B 79 42 45 4C}
00401131 MOV AL, [ESI] {Loads our Final byte into AL}
00401133 CMP AL, [EDI] {and CoMPares it with the real byte, which you can see by typing d EDI}
00401135 JNZ 00401154 {Jump to 'Bad' if any of these 2 values are not equal to each other}
00401137 INC ESI {Shifts the address to our next Final. ESI=ESI+1}
00401138 INC EDI {Shifts the address to the next real number. EDI=EDI+1}
00401139 LOOP 00401131 {Jumps to the indicated address as long as ECX<>0}

LET'S REVERSE THE CODE, USING MATH KNOWLEDGE...
Let's write in this section all the information that we have collected by tracing the program code:

X1 xor 32=A1    A1 xor A2=B1    C1=B1 xor B2    F1=A1 xor M
X2 xor 32=A2    A3 xor A4=B2    C2=B3 xor B4    F2=A2 xor M
X3 xor 32=A3    A5 xor A6=B3    M=C1 xor C2     F3=A3 xor M
X4 xor 32=A4    A7 xor A8=B4                    F4=A4 xor M
X5 xor 32=A5                                    F5=A5 xor M
X6 xor 32=A6                                    F6=A6 xor M
X7 xor 32=A7                                    F7=A7 xor M
X8 xor 32=A8                                    F8=A8 xor M

From the last loop we understood that our final values must be equal to the real ones that you saw at address 00403008. So we can conclude that:
F1=71 F2=18 F3=59 F4=1B F5=79 F6=42 F7=45 F8=4C
So, if you want the good message, you must enter a serial of length 8 which, after all this XORing, produces these values. As you see in F1=A1 xor M we know only F1, so let's start to think. Using the information above we first have to find M, and then every char of the serial. Let's find it.
1) For this we will use the information from the first 3 columns of the table. Instead of A, B and C let's insert their real values, and then put the result into F1=A1 xor M.
a) (X1 xor 32) xor (X2 xor 32)=B1
b) (X3 xor 32) xor (X4 xor 32)=B2
   B1 xor B2=C1=[(X1 xor 32) xor (X2 xor 32)] xor [(X3 xor 32) xor (X4 xor 32)]
c) (X5 xor 32) xor (X6 xor 32)=B3
d) (X7 xor 32) xor (X8 xor 32)=B4
   B3 xor B4=C2=[(X5 xor 32) xor (X6 xor 32)] xor [(X7 xor 32) xor (X8 xor 32)]
M=C1 xor C2=[[(X1 xor 32) xor (X2 xor 32)] xor [(X3 xor 32) xor (X4 xor 32)]] xor
            [[(X5 xor 32) xor (X6 xor 32)] xor [(X7 xor 32) xor (X8 xor 32)]]
The first thing to do is to simplify this equation a little. XOR is associative and commutative, so the brackets can be dropped and the terms reordered freely. Remember that 32 xor 32=0: the eight 32s pair off and vanish, so
M=(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8) {Here is M in terms of the chars of the serial. We are going to use it a little later.}
Now let's deal with the 4th column:
F1=A1 xor M {Let's put the values into these equations: F1=71, A1=X1 xor 32}
F2=A2 xor M {F2=18, A2=X2 xor 32}
F3=A3 xor M .
F4=A4 xor M .
F5=A5 xor M .
F6=A6 xor M .
F7=A7 xor M .
F8=A8 xor M .
a) 71=(X1 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Do you see how the 1st and 3rd terms cancel? The same principle: X xor X=0.
71=32 xor [(X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)] {71 xor 32=43, so:}
43=[(X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]
b) 18=(X2 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again we have a cancellation; the 1st and 4th terms cancel.
18=32 xor [(X1 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)] {18 xor 32=2A, so:}
2A=[(X1 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]
c) 59=(X3 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 5th terms cancel.
59=32 xor [(X1 xor X2 xor X4 xor X5 xor X6 xor X7 xor X8)] {59 xor 32=6B, so:}
6B=[(X1 xor X2 xor X4 xor X5 xor X6 xor X7 xor X8)]
d) 1B=(X4 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 6th terms cancel.
1B=32 xor [(X1 xor X2 xor X3 xor X5 xor X6 xor X7 xor X8)] {1B xor 32=29, so:}
29=[(X1 xor X2 xor X3 xor X5 xor X6 xor X7 xor X8)]
e) 79=(X5 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 7th terms cancel.
79=32 xor [(X1 xor X2 xor X3 xor X4 xor X6 xor X7 xor X8)] {79 xor 32=4B, so:}
4B=[(X1 xor X2 xor X3 xor X4 xor X6 xor X7 xor X8)]
f) 42=(X6 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 8th terms cancel.
42=32 xor [(X1 xor X2 xor X3 xor X4 xor X5 xor X7 xor X8)] {42 xor 32=70, so:}
70=[(X1 xor X2 xor X3 xor X4 xor X5 xor X7 xor X8)]
g) 45=(X7 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 9th terms cancel.
45=32 xor [(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X8)] {45 xor 32=77, so:}
77=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X8)]
h) 4C=(X8 xor 32) xor [(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)]
Note: Again, the 1st and 10th terms cancel.
4C=32 xor [(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7)] {4C xor 32=7E, so:}
7E=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7)]
Let's see all the final results that we have obtained after these operations. I am going to group them 2 by 2, so you will understand the next step more easily.
43=[(X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]
2A=[(X1 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]

6B=[(X1 xor X2 xor X4 xor X5 xor X6 xor X7 xor X8)]
29=[(X1 xor X2 xor X3 xor X5 xor X6 xor X7 xor X8)]

4B=[(X1 xor X2 xor X3 xor X4 xor X6 xor X7 xor X8)]
70=[(X1 xor X2 xor X3 xor X4 xor X5 xor X7 xor X8)]

77=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X8)]
7E=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7)]

Let's examine these groups:
1) XOR the left side of the first equation with the left side of the second, and do the same with the right sides. Do you see how many terms cancel on the right? Every X that appears in both equations vanishes (X xor X=0); only X1 and X2, which each appear once, survive. You should get this:
43 xor 2A=X1 xor X2
2) Do the same for the second group and you will get:
6B xor 29=X3 xor X4
3) The same operation for the third group, and you see:
4B xor 70=X5 xor X6
4) The last such operation gives you:
77 xor 7E=X7 xor X8
Do you remember what our equation for M was?
It was M=(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8).
Look again at the equalities we got a moment ago, just at their right-hand sides. Interesting?
Let's do the same operation we did a couple of minutes ago: XOR right sides with right sides and left sides with left sides. You should get:
(43 xor 2A) xor (6B xor 29) xor (4B xor 70) xor (77 xor 7E)=(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)
Do you know what the right side is? Yeah, it is our M. So the first goal is achieved. Using a hex calculator, XOR the numbers on the left and check against mine: 43 xor 2A=69, 6B xor 29=42, 4B xor 70=3B, 77 xor 7E=09, and 69 xor 42 xor 3B xor 09=19. I have M=19.
19=(X1 xor X2) xor (X3 xor X4) xor (X5 xor X6) xor (X7 xor X8)

LAST STEP:
43=[(00 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]
2A=[(X1 xor 00 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]
6B=[(X1 xor X2 xor 00 xor X4 xor X5 xor X6 xor X7 xor X8)]
29=[(X1 xor X2 xor X3 xor 00 xor X5 xor X6 xor X7 xor X8)]
4B=[(X1 xor X2 xor X3 xor X4 xor 00 xor X6 xor X7 xor X8)]
70=[(X1 xor X2 xor X3 xor X4 xor X5 xor 00 xor X7 xor X8)]
77=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor 00 xor X8)]
7E=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor 00)]
19=[(X1 xor X2 xor X3 xor X4 xor X5 xor X6 xor X7 xor X8)]=M
You also have to know that 00 xor X=X. So let's XOR both sides again: take the first equation and the equation for M and XOR them in the same manner as before. The seven X's they share cancel and only the one that was missing survives, so you get:
1) 43 xor 19=X1=5A (Z)
2) 2A xor 19=X2=33 (3)
3) 6B xor 19=X3=72 (r)
4) 29 xor 19=X4=30 (0)
5) 4B xor 19=X5=52 (R)
6) 70 xor 19=X6=69 (i)
7) 77 xor 19=X7=6E (n)
8) 7E xor 19=X8=67 (g)

Serial: Z3r0Ring
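The routine traced above (004010C9..00401139) and the algebra that inverts it, as an added example that is not part of Falcon's tutorial and not the crackme's own code: a Python re-implementation of the check, the tutorial's hand derivation step by step, and a one-step keygen that XORs all eight target bytes at once. The constants (32h key, 8-byte length, target bytes 71 18 59 1B 79 42 45 4C) are read from the listing; the function names, the latin-1 byte handling and the length check are my assumptions.

```python
# Added example: Python re-implementation of the check traced in the tutorial
# and of the algebra that inverts it. Not Falcon's code and not the crackme's
# own code; function names and input handling are assumptions, the constants
# come from the listing.
from functools import reduce
from operator import xor

XOR_KEY = 0x32                                        # XOR BYTE PTR [ESI], 32
SERIAL_LEN = 8                                        # MOV ECX, 00000008
TARGET = bytes.fromhex("71 18 59 1B 79 42 45 4C")     # d 00403008


def xor_all(values):
    """XOR of every int in an iterable; the XOR of nothing is 0."""
    return reduce(xor, values, 0)


def transform(serial: bytes) -> bytes:
    """Mirror of the three loops and the straight-line code at
    004010DA..00401120. Only the first 8 bytes are ever read, exactly
    like the fixed ECX=8 counters in the listing."""
    if len(serial) < SERIAL_LEN:
        raise ValueError("the routine reads 8 bytes; anything shorter is undefined")
    # Loop 1 (004010DA): A_i = X_i xor 32, in place at 00403044
    a = [x ^ XOR_KEY for x in serial[:SERIAL_LEN]]
    # Loop 2 (004010EA): B_j = A(2j) xor A(2j+1), stored at 0040304C
    b = [a[i] ^ a[i + 1] for i in range(0, SERIAL_LEN, 2)]
    # 00401102..00401111: C1 = B1 xor B2, C2 = B3 xor B4, M = C1 xor C2 (in AL)
    m = (b[0] ^ b[1]) ^ (b[2] ^ b[3])
    # Loop 3 (0040111D): F_i = A_i xor M, written back over the A's
    return bytes(ai ^ m for ai in a)


def check_serial(serial: str) -> bool:
    """Loop 4 (00401131): byte-wise CMP against the real numbers at 00403008."""
    return transform(serial.encode("latin-1")) == TARGET


def keygen_by_hand(target: bytes = TARGET) -> str:
    """The tutorial's route, step by step.
    1. G_i = F_i xor 32 gives the constants 43 2A 6B 29 4B 70 77 7E,
       each equal to the XOR of the seven X's other than X_i.
    2. XOR-ing the G's pairwise leaves X1 xor X2, X3 xor X4, ...;
       XOR-ing those four gives M.
    3. X_i = G_i xor M."""
    g = [f ^ XOR_KEY for f in target]
    pairs = [g[i] ^ g[i + 1] for i in range(0, len(g), 2)]
    m = xor_all(pairs)
    return bytes(gi ^ m for gi in g).decode("latin-1")


def keygen(target: bytes = TARGET) -> str:
    """The same inversion in one step. F_i = X_i xor 32 xor M with
    M = X1 xor ... xor X8, so XOR-ing all eight F_i cancels the eight
    copies of 32 and the eight copies of M (even counts) and leaves M.
    Then X_i = F_i xor 32 xor M. The cancellation needs an even number
    of bytes, which the fixed 8-byte loops guarantee here."""
    m = xor_all(target)
    return bytes(f ^ XOR_KEY ^ m for f in target).decode("latin-1")


def recovered_m(target: bytes = TARGET) -> int:
    """M as the tutorial reaches it, for comparison with the value 19."""
    return xor_all(target)


if __name__ == "__main__":
    print("M = %02X" % recovered_m())
    for name, fn in (("by hand", keygen_by_hand), ("direct", keygen)):
        s = fn()
        print("%-8s %s -> %s" % (name, s, "Good" if check_serial(s) else "Bad"))
```

Both routes produce Z3r0Ring and check_serial() accepts it. Because every step is an XOR and M is fixed by the targets, the 8-byte serial is unique: any other 8 bytes give a different F and hit the 'Bad' jump at 00401135.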
I hope this tutorial gave you good information on how to deal with XOR. If you have anything to say...
Greetz:
Genocide Crew members (Gandalf { author of the .gif}, czDrillard {
coding}, WilSE,CeyCey, HyaCintH)
Hellforge members {Acid_Cool_178, Mercution-for logos;LaZaRuS-for help
in coding,cracking,and everybody else}
THe CrEaM members {My respect
to everybody}
SiFLyiNG, mIST,Marton, Crudd, zvem,
WilSE, and to everybody who have ever cracked GC crackmes.
The +Q, Chafe, Terminal Cilla, AntiXrist-for
great coding {You gave me an enormous amount of experience while cracking your
little programs, Thanks}
Everybody who writes tutorials, { what a hard job}