ISG 2014 reverse engineering challenge analysis

Source: Internet
Author: User

Article crack_qs [4st] [PDG]

Tools used: VS 2013 and OllyDbg 1.10

Test platform: Windows 7 x64

//////////////////////////////////////// //////////////////////////////////////// /////////////////////

Verify call:

013c1050 /$ 55 push ebp ; Verify call
013c1051 |. 8BEC mov ebp, esp
013c1053 |. 51 push ecx
013c1054 |. C745 FC 00000> mov dword ptr ss:[ebp-0x4], 0x0 ; clear loop counter to 0
013c105b |. EB 09 jmp short test1_13c1066
013c105d |> 8B45 FC /mov eax, dword ptr ss:[ebp-0x4]
013c1060 |. 83C0 01 |add eax, 0x1
013c1063 |. 8945 FC |mov dword ptr ss:[ebp-0x4], eax
013c1066 |> 837D FC 07 |cmp dword ptr ss:[ebp-0x4], 0x7 ; 7 cycles
013c106a |. 73 3A |jnb short test1_13c10a6
013c106c |. 6A 04 |push 0x4 ; int ncount
013c106e |. 8B4D FC |mov ecx, dword ptr ss:[ebp-0x4]
013c1071 |. 8B55 0C |mov edx, dword ptr ss:[ebp+0xc]
013c1074 |. 8D048A |lea eax, dword ptr ds:[edx+ecx*4]
013c1077 |. 50 |push eax
013c1078 |. E8 83FFFFFF |call test1_13c1000 ; void encryption(char *pinputbuf, int ncount);
013c107d |. 83C4 08 |add esp, 0x8
013c1080 |. 8B4D FC |mov ecx, dword ptr ss:[ebp-0x4]
013c1083 |. 39048D 18303C> |cmp dword ptr ds:[ecx*4+0x13c3018],>
013c108a |. 74 18 |je short test1_13c10a4
013c108c |. 6A 00 |push 0x0 ; /Style = MB_OK|MB_APPLMODAL
013c108e |. 68 E8203C01 |push test1_13c20e8 ; |Title = "ISG 2014"
013c1093 |. 68 F4203C01 |push test1_13c20f4 ; |Text = "wrong"
013c1098 |. 8B55 08 |mov edx, dword ptr ss:[ebp+0x8] ; |
013c109b |. 52 |push edx ; |hOwner
013c109c |. FF15 BC203C01 |call near dword ptr ds:[<&user32.mes> ; \MessageBoxA
013c10a2 |. EB 18 |jmp short test1_13c10bc
013c10a4 |>^ EB B7 \jmp short test1_13c105d
013c10a6 |> 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
013c10a8 |. 68 FC203C01 push test1_13c20fc ; |Title = "ISG 2014"
013c10ad |. 68 08213C01 push test1_13c2108 ; |Text = "Correct !! "
013c10b2 |. 8B45 08 mov eax, dword ptr ss:[ebp+0x8] ; |
013c10b5 |. 50 push eax ; |hOwner
013c10b6 |. FF15 BC203C01 call near dword ptr ds:[<&user32.mess> ; \MessageBoxA
013c10bc |> 8BE5 mov esp, ebp
013c10be |. 5D pop ebp
013c10bf \. C3 retn

Algorithm call:

013c1000 /$ 55 push ebp ; void encryption(char *pinputbuf, int ncount)
013c1001 |. 8BEC mov ebp, esp
013c1003 |. 83EC 0C sub esp, 0xc
013c1006 |. C745 F8 83000> mov dword ptr ss:[ebp-0x8], 0x83 ; nnum = 0x83
013c100d |. C745 FC 00000> mov dword ptr ss:[ebp-0x4], 0x0 ; nkey = 0
013c1014 |. C745 F4 00000> mov dword ptr ss:[ebp-0xc], 0x0 ; int i, loop counter
013c101b |. EB 09 jmp short test1_13c1026
013c101d |> 8B45 F4 /mov eax, dword ptr ss:[ebp-0xc]
013c1020 |. 83C0 01 |add eax, 0x1
013c1023 |. 8945 F4 |mov dword ptr ss:[ebp-0xc], eax
013c1026 |> 8B4D F4 |mov ecx, dword ptr ss:[ebp-0xc]
013c1029 |. 3B4D 0C |cmp ecx, dword ptr ss:[ebp+0xc]
013c102c |. 73 17 |jnb short test1_13c1045
013c102e |. 8B55 FC |mov edx, dword ptr ss:[ebp-0x4]
013c1031 |. 0FAF55 F8 |imul edx, dword ptr ss:[ebp-0x8] ; nkey * nnum
013c1035 |. 8B45 08 |mov eax, dword ptr ss:[ebp+0x8]
013c1038 |. 0345 F4 |add eax, dword ptr ss:[ebp-0xc]
013c103b |. 0FB608 |movzx ecx, byte ptr ds:[eax]
013c103e |. 03D1 |add edx, ecx ; nkey * nnum + pinputbuf[i]
013c1040 |. 8955 FC |mov dword ptr ss:[ebp-0x4], edx ; nkey = nkey * nnum + pinputbuf[i];
013c1043 |.^ EB D8 \jmp short test1_13c101d
013c1045 |> 8B45 FC mov eax, dword ptr ss:[ebp-0x4]
013c1048 |. 8BE5 mov esp, ebp
013c104a |. 5D pop ebp
013c104b \. C3 retn

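Reversing the encryption routine gives the following C:

int encryption1(unsigned char *pinputbuf, int ncount)
{
    int nkey = 0;

    for (int i = 0; i < ncount; i++)
    {
        /* movzx in the listing: each input byte is zero-extended */
        nkey = (0x83 * nkey) + pinputbuf[i];
    }
    return nkey; /* returned in eax and compared against the table by the verify call */
}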

 

That is to say, for ncount = 4 the loop performs:

nkey = (0x83 * nkey) + pinputbuf[0]

nkey = (0x83 * nkey) + pinputbuf[1]

nkey = (0x83 * nkey) + pinputbuf[2]

nkey = (0x83 * nkey) + pinputbuf[3]

After four cycles, one verification value has been calculated, that is:

nkey = 0x83*0x83*0x83 * pinputbuf[0] + 0x83*0x83 * pinputbuf[1] + 0x83 * pinputbuf[2] + pinputbuf[3]

 

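The verify call compares each result against a table. The listing below comes from a session in which the module was loaded at a different base address, so 0x13c3018 appears as 0x1363018:

01361083 |. 39048D 183036> |cmp dword ptr ds:[ecx*4+0x1363018],>

Data_0x1363018:

01363018 E5 AD 50 0D 89 27 30 0E 1F 6F D6 0E FF 63 D4 0C
01363028 DD 94 0D 0E 1F 46 A4 0F A2 1D D9 0C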

 

Reading the table as little-endian dwords shows that the check is split into seven verification values: 0x0d50ade5, 0x0e302789, 0x0ed66f1f, 0x0cd463ff, 0x0e0d94dd, 0x0fa4461f, 0x0cd91da2

The decryption algorithm is as follows (the following code is definitely not the optimal solution):

#include <stdio.h>

void decryption(void)
{
    /* the seven verification values read from the table */
    int szkeynum[] = {
        0x0d50ade5, 0x0e302789, 0x0ed66f1f, 0x0cd463ff,
        0x0e0d94dd, 0x0fa4461f, 0x0cd91da2
    };
    char szbuf[40] = {0};

    /* each verification value covers four key bytes */
    for (int i = 0, ncount = 0; i < 7; i++, ncount += 4)
    {
        /* brute-force all four bytes over the ASCII range */
        for (int nbuf1 = 0; nbuf1 < 127; nbuf1++)
        {
            for (int nbuf2 = 0; nbuf2 < 127; nbuf2++)
            {
                for (int nbuf3 = 0; nbuf3 < 127; nbuf3++)
                {
                    for (int nbuf4 = 0; nbuf4 < 127; nbuf4++)
                    {
                        /* comparison (==), not assignment */
                        if (szkeynum[i] == 0x83*0x83*0x83 * nbuf1
                                           + 0x83*0x83 * nbuf2
                                           + 0x83 * nbuf3 + nbuf4)
                        {
                            szbuf[ncount + 0] = nbuf1;
                            szbuf[ncount + 1] = nbuf2;
                            szbuf[ncount + 2] = nbuf3;
                            szbuf[ncount + 3] = nbuf4;
                        }
                    }
                }
            }
        }
    }
    printf("key: %s\r\n", szbuf);
}

int main(void)
{
    decryption();
    return 0;
}

Program output key: c011isi0n_is_a_thre4t_t0_sec
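Because each verification value is a four-digit number in base 0x83, the brute force above can be replaced by repeated division. The following is an added example, not code from the original article; the names encode_chunk, decode_chunk and recover_key are hypothetical, and it assumes every key byte is printable ASCII.

```c
#include <stdio.h>
#include <stdint.h>
#define MULT  0x83u  /* multiplier from the imul in the algorithm call */
#define CHUNK 4      /* bytes consumed per verification value */
#define NVALS 7      /* verification values in the table */
static const uint32_t targets[NVALS] = {  /* values quoted in the article */
    0x0d50ade5, 0x0e302789, 0x0ed66f1f, 0x0cd463ff,
    0x0e0d94dd, 0x0fa4461f, 0x0cd91da2
};

/* Forward direction, as reconstructed in the article. */
static uint32_t encode_chunk(const unsigned char *p, int n) {
    uint32_t k = 0;
    for (int i = 0; i < n; i++)
        k = k * MULT + p[i];
    return k;
}

/* Inverse: peel off base-0x83 digits, last byte first. Fails (-1) on a
   non-printable digit or a value that needs more than CHUNK digits. */
static int decode_chunk(uint32_t v, unsigned char out[CHUNK]) {
    for (int i = CHUNK - 1; i >= 0; i--) {
        uint32_t d = v % MULT;
        if (d < 0x20 || d > 0x7e)
            return -1;
        out[i] = (unsigned char)d;
        v /= MULT;
    }
    return v == 0 ? 0 : -1;
}

/* Rebuild the key; each chunk must re-encode to its target value. */
static int recover_key(char *key, size_t cap) {
    if (cap < NVALS * CHUNK + 1)
        return -1;
    for (int i = 0; i < NVALS; i++) {
        unsigned char *c = (unsigned char *)key + i * CHUNK;
        if (decode_chunk(targets[i], c) || encode_chunk(c, CHUNK) != targets[i])
            return -1;
    }
    key[NVALS * CHUNK] = '\0';
    return 0;
}

int main(void) {
    char key[NVALS * CHUNK + 1];
    if (recover_key(key, sizeof key) == 0)
        printf("key: %s\n", key);
    return 0;
}
```

The inversion is unique only for bytes below 0x83. Since the routine zero-extends full bytes, a non-ASCII chunk such as {0x63, 0x30, 0x30, 0xb4} also produces 0x0d50ade5.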

 

Crackme attachment:

Link: http://pan.baidu.com/s/1o61CIq2 password: xkmn

 
