
cyclops's NTS-Crackme6
NTS (Newbie Cracking Series) Crackme6. Download: NTS-Crackme6.zip, 8 kB (password: crackmes.de).
Difficulty: 2 - Needs a little brain (or luck)
Solutions
Solution by hound, published 18. Jan 2007; download (36 kB), password: crackmes.de.
hound has rated this crackme as awesome.
Discussion and comments
boof 08. Jan 2007 | I need some help with this crackme, so if anyone wants to try to help me, please PM me. Thank you, guys. |
hound 09. Jan 2007 | I'll write up all my working once I've finished. I'm kind of stuck on some little bits, but I think I should get it knocked out at some stage soon :<. Anyway, I'm loving all these crackmes so far! Thanks very much, cyclops! |
hound 09. Jan 2007 | Hmm, ok, I've re-written the algo that generates the 1st bytes from the 2nd bytes, but cyclops, I can't get this to work due to the MOVSX instruction when the program checks! Is this intentional?

    0040145C MOV EAX,EBX
    0040145E CDQ
    0040145F IDIV ESI
    00401461 MOVSX ECX,BYTE PTR DS:[EDX+EBP]
    00401465 XOR EDX,EDX
    00401467 MOV DL,BYTE PTR SS:[ESP+EBX+10]
    0040146B CMP EDX,ECX
    0040146D JNZ SHORT Crackme6.00401475
    0040146F INC EBX
    00401470 CMP EBX,1E
    00401473 JL SHORT Crackme6.0040145C

The problem is that for any byte generated from the algo that is greater than 7x, the MOVSX causes the above comparison to fail :<. If it was MOVZX, the comparison would be fine. I originally overcame this by finding an input that generated only bytes less than 7x. However, as the input string is limited to only 1E bytes long, but the generated bytes are fewer (for every 4 input bytes, 3 output bytes), the comparison actually runs PAST the calculated bytes (CMP EBX,1E). Please get back to me on this. Cheers. |
hound 09. Jan 2007 | Sorry for the triple post! Anyway, I think the problem is the MOVSX instruction and the final statement (CMP EBX,1E), as the MOVSX 'corrupts' the input, and the bottom statement actually checks past the information loaded from Key.cyc. |
cyclops Moderator 09. Jan 2007 | It's a little tricky. Experienced crackers can figure out the algo easily (from the 4 bytes to 3 bytes). Good luck! |
hound 09. Jan 2007 | I've figured out the algo and re-written it in C, and it matches up fine. The problem is that the comparing function reads further past what the algo generates... |
hound 09. Jan 2007 | Oh, hang on, I think I've figured it out now... Didn't realise that the gets function reads 1F bytes. Thought it read 1E... |
boof 09. Jan 2007 | Baaaaaaaaah! I can't figure it out. I need help. |
hound 09. Jan 2007 | Yay! I finally finished... man, that was a mission. I'll post up my solution later today with all my working. |
boof 10. Jan 2007 | I must be missing something, because I can't figure it out :( |
Zaphod 13. Jan 2007 | Got it! Finally! And I think it's more than a little tricky. I have a working keyfile, but I don't think I can make a keyfile-generator... |
hound 14. Jan 2007 | I wrote up all my working, and the source to my keyfilegen is in my solution. Just have to wait till it is posted. |
Zaphod 14. Jan 2007 | As far as I can see there must be an infinite number of correct keyfiles, so how can you make a generator that eventually lists them all? |
cyclops Moderator 14. Jan 2007 | Think like a keygen... For each name there's a key. |
Zaphod 14. Jan 2007 | But in CrackMe6 you don't enter a name. So the valid keyfiles are valid for all names - and there are LOTS of valid keyfiles... |
hound 14. Jan 2007 | You know how the algo makes a hash from the 2nd part of the keyfile? Just make a random-string-generating function to make the 2nd part of the keyfile, then copy the algo to make the first part. You then have to check that it wraps around correctly. You then have the keyfile. |
Zaphod 14. Jan 2007 | Yes, that's how I made the keyfile I have - and I could make a lot of keyfiles that way. Random keyfiles among the infinite number there are. But I have probably just misunderstood what cyclops meant when he asked for a keyfilegen...:) |
hound 14. Jan 2007 | It's just a generator that generates a random keyfile for each user. |
cyclops Moderator 15. Jan 2007 | So you guys are generating the second part first? Try this way: read a string from the user (first part of the keyfile), then generate the second part of the keyfile. For that you have to reverse the algo. It's not a hash, it's a famous encoding (4 bytes to 3 bytes...). |
hound 15. Jan 2007 | Hmm, thought of doing that, but it sounded like too much work ;). Also, wouldn't reversing the algo be going from 3 bytes to 4 bytes? Anyway, I'm interested in seeing other approaches and getting feedback once the solutions come up :D. |
boof 15. Jan 2007 | Is the encoding Base64? |
cyclops Moderator 15. Jan 2007 | Yeah....Base64....Well done. |
HMX0101 15. Jan 2007 | Easy... I didn't see that it reads two values from the keyfile... that was my fault :) Anyway, nice one :) |
boof 17. Jan 2007 | Hehe, I'm so retarded :) Finally got it figured out, hehehe. |
kilobyte.asm 29. Jun 2009 | Hmm... I have the same problem as hound initially had: the comparison runs past the calculated bytes. Now, reading his solution to that part, I still don't get it. I understand that it wraps round, but... I guess I'm going to have to step through it more or ask someone for some direction. |
kilobyte.asm 05. Jul 2009 | Right, got it! The hash has to be 1E in length, so how do we get that? I'll leave you to figure that out ;P |
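The check the thread picks apart, as an added Python model written for this page (it is not the crackme's code and not hound's keyfilegen): `check` replays the compare loop from hound's disassembly, including the MOVSX-versus-MOVZX distinction and the IDIV wrap-around, and `make_second_part` follows cyclops's hint of starting from the user's first part and running the Base64 encoding forwards. It assumes that the keyfile's second part is the Base64 text whose decoding the loop compares against the first part, that ESI holds the decoded length (the divisor whose remainder indexes the decoded buffer), and that the first part is exactly 0x1E bytes, as kilobyte.asm notes; the sample inputs are constructed.

```python
import base64

KEY_LEN = 0x1E      # CMP EBX,1E: the loop compares 30 positions
ASCII_MAX = 0x7F    # a decoded byte above this sign-extends to a negative value


def movsx8(b: int) -> int:
    """MOVSX ECX, BYTE PTR [...]: sign-extend a byte to 32 bits (0x80 -> -128)."""
    return b - 0x100 if b & 0x80 else b


def movzx8(b: int) -> int:
    """XOR EDX,EDX / MOV DL, [...]: zero-extend a byte to 32 bits (0x80 -> 128)."""
    return b & 0xFF


def check(first_part: bytes, second_part: bytes, sign_extend: bool = True) -> bool:
    """Emulate the compare loop quoted by hound (0040145C-00401473).

    decoded = Base64 decoding of second_part (the 4-byte -> 3-byte step).
    For ebx in 0..0x1D, movzx(first_part[ebx]) must equal
    movsx(decoded[ebx mod len(decoded)]); the IDIV ESI remainder is what
    wraps the index around a decoded buffer shorter than 0x1E bytes.
    sign_extend=False shows what the loop would accept with MOVZX instead.
    """
    if len(first_part) != KEY_LEN:
        # Assumption of this model: a shorter first part is rejected. The real
        # binary compares whatever follows it on the stack (the run-past effect).
        return False
    try:
        decoded = base64.b64decode(second_part, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if not decoded:
        return False            # IDIV by a zero length; treat as a failed key
    widen = movsx8 if sign_extend else movzx8
    for ebx in range(KEY_LEN):
        edx = ebx % len(decoded)                  # IDIV ESI -> remainder in EDX
        ecx = widen(decoded[edx])                 # MOVSX ECX, BYTE PTR [EDX+EBP]
        if movzx8(first_part[ebx]) != ecx:        # CMP EDX,ECX / JNZ -> bad key
            return False
    return True


def shortest_period(data: bytes) -> int:
    """Smallest p with data[i] == data[i % p] for every i: the wrap-around that
    lets a decoded buffer shorter than 0x1E bytes still pass the loop."""
    for p in range(1, len(data) + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return len(data)


def make_second_part(first_part: bytes) -> bytes:
    """cyclops's way round: take the first part from the user and derive the
    second part by running the encoding forwards (3 bytes -> 4 Base64 chars).
    Only the shortest period is encoded, since the check wraps around."""
    if len(first_part) != KEY_LEN:
        raise ValueError(f"first part must be exactly {KEY_LEN} bytes")
    if any(b > ASCII_MAX for b in first_part):
        # hound's observation: a decoded byte >= 0x80 sign-extends to a negative
        # ECX while the input byte zero-extends to a positive EDX, so no
        # keyfile can make the comparison pass for such a byte.
        raise ValueError("first part must be 7-bit: bytes >= 0x80 never match under MOVSX")
    return base64.b64encode(first_part[:shortest_period(first_part)])


if __name__ == "__main__":
    # Constructed inputs; not taken from any real keyfile.
    first = b"NTS-Crackme6 by cyclops, 2007."        # exactly 0x1E bytes, not periodic
    second = make_second_part(first)
    print(second.decode(), check(first, second))       # 40 Base64 chars, True

    periodic = b"ABC" * 10                              # period 3: 3 decoded bytes suffice
    print(make_second_part(periodic).decode(), check(periodic, make_second_part(periodic)))

    # Byte-identical data that fails only because of the sign extension.
    high = bytes([0x80]) * KEY_LEN
    encoded_high = base64.b64encode(high)
    print(check(high, encoded_high), check(high, encoded_high, sign_extend=False))
```

Running the last case side by side is the quickest way to see hound's point: the same keyfile passes with zero extension and fails with sign extension, so a generator that starts from the user's string only has to refuse bytes of 0x80 and above and otherwise encode the shortest repeating prefix.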