[Article Title]: Let's talk about the mathematical principle of a CrackMe decryption algorithm.
[Author]: kaien
[Author mailbox]: kkaien@hotmail.com
[Software name]: echapcmd.exe
[Unpacking]: none (not packed)
[Tools used]: OllyDbg, the calculator that ships with winxp, and VC (for writing the keygen)
[Operating platform]: winxp
--------------------------------------------------------------------------------
[Detailed process]
Yesterday I read a cracking article by WAKU titled "A CrackMe attack on the <encryption and decryption version 2> disc". I cracked the CrackMe myself before reading the article. The findings are simple, but they are wonderful!!!
So, borrowing a little of WAKU's light, I could not resist writing a cracking article of my own. Good things bear repeating; you never tire of seeing them a hundred times!
In this article I focus on the mathematical principle behind this decryption algorithm and how it can be derived and reduced, which greatly simplifies the cracking process.
This is my second article for Kanxue. I hope it helps newcomers.
The algorithm's code follows; it is easy to understand, see the comments:
004010CE |.  33FF            xor edi, edi                          ; edi cleared
004010D0 |.  B9 08000000     mov ecx, 8                            ; the loop below runs 8 times (so the password is presumably 8 characters)
004010D5 |.  BE 44304000     mov esi, echap511.00403044            ; address of the password -> esi
004010DA |>  8036 32         /xor byte ptr ds:[esi], 32            ; xor each character with 0x32
004010DD |.  46              |inc esi
004010DE |.^ E2 FA           loopd short echap511.004010DA
004010E0 |.  BE 44304000     mov esi, echap511.00403044            ; password address -> esi again
004010E5 |.  B9 04000000     mov ecx, 4                            ; ecx = 4, so the loop below runs 4 times
004010EA |>  8A06            /mov al, byte ptr ds:[esi]            ; first byte
004010EC |.  8A5E 01         |mov bl, byte ptr ds:[esi+1]          ; second byte
004010EF |.  32C3            |xor al, bl                           ; al = al ^ bl
004010F1 |.  8887 4C304000   |mov byte ptr ds:[edi+40304C], al     ; edi was cleared at the top, so on the first iteration the destination is 40304C
004010F7 |.  83C6 02         |add esi, 2                           ; advance esi by two
004010FA |.  47              |inc edi                              ; edi++
004010FB |.^ E2 ED           loopd short echap511.004010EA
004010FD |.  BE 4C304000     mov esi, echap511.0040304C            ; address of the computed results -> esi; in memory, 40304C sits right behind the 8-character password
00401102 |.  8A06            mov al, byte ptr ds:[esi]             ; first of the four results -> al
00401104 |.  8A5E 01         mov bl, byte ptr ds:[esi+1]           ; second -> bl
00401107 |.  32C3            xor al, bl                            ; al = al ^ bl
00401109 |.  8A5E 02         mov bl, byte ptr ds:[esi+2]           ; third -> bl
0040110C |.  8A4E 03         mov cl, byte ptr ds:[esi+3]           ; fourth -> cl
0040110F |.  32D9            xor bl, cl                            ; bl = bl ^ cl
00401111 |.  32C3            xor al, bl
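As an added example (not code from the original article or the CrackMe), here is a C re-implementation of the three stages in the listing above, beside the single XOR fold they reduce to: XOR is associative and commutative, and the 0x32 mask is applied an even number of times (8), so it cancels and the routine computes nothing more than the XOR of the eight original password bytes. The local buffers standing in for 00403044/0040304C and the sample passwords are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stage-by-stage model of the routine at 004010CE-00401111.
 * pw[] stands in for the password buffer at 00403044 and is modified
 * in place, exactly as the first loop modifies memory; tmp[] stands in
 * for the 4-byte scratch area at 0040304C. */
uint8_t echap_checksum(uint8_t pw[8]) {
    uint8_t tmp[4];
    /* loop 1 (004010DA): xor each of the 8 bytes with 0x32 */
    for (int i = 0; i < 8; i++)
        pw[i] ^= 0x32;
    /* loop 2 (004010EA): fold adjacent pairs into 4 bytes */
    for (int i = 0; i < 4; i++)
        tmp[i] = pw[2 * i] ^ pw[2 * i + 1];
    /* 00401102-00401111: al = (tmp0 ^ tmp1) ^ (tmp2 ^ tmp3) */
    uint8_t al = tmp[0] ^ tmp[1];
    uint8_t bl = tmp[2] ^ tmp[3];
    return al ^ bl;
}

/* The shortcut: the 0x32 mask appears 8 times in the final XOR, so it
 * cancels; only the XOR of the eight original bytes remains. */
uint8_t xor_fold(const uint8_t pw[8]) {
    uint8_t acc = 0;
    for (int i = 0; i < 8; i++)
        acc ^= pw[i];
    return acc;
}

/* Convenience wrapper: run the stepwise routine on a copy of an
 * 8-character string (constructed helper, not from the CrackMe). */
uint8_t checksum_of(const char *password) {
    uint8_t buf[8];
    memcpy(buf, password, 8);
    return echap_checksum(buf);
}

int main(void) {
    const char *sample = "password";   /* constructed sample input */
    uint8_t full = checksum_of(sample);
    uint8_t quick = xor_fold((const uint8_t *)sample);
    printf("stepwise=%02X shortcut=%02X %s\n", full, quick,
           full == quick ? "(equal)" : "(differ)");
    return 0;
}
```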