 
Any one see this Cryptographic?
winndy
October 13th, 2005, 09:30
0041C249    .  C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251    .  C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259    .  C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261    .  C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269    .  C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271    .  C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279    .  C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281    .  C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
What's the Cryptographic?
Anyone know?
Thanks!
Admiral
October 13th, 2005, 11:06
Are we expected to work this out without knowing anything else?
It looks like a bunch of hash values or perhaps an encoded string to me (ASCII ".I.k....?QW...c..V.P.Z.q{.<.....").
If they are hash values, they are either semi-random or pertain to a cipher that Google hasn't heard of.
Maybe you could tell us (preferably in pseudocode rather than a hung ASM listing) how this string is being used.
nikolatesla20
October 13th, 2005, 11:31
I've seen code similar to this in Armadillo - in that case it was just an encryption for the IAT redirection code - it was values used to decrypt the real code.
-nt20
SiGiNT
October 13th, 2005, 16:05
I don't think it's arma - the addresses involved indicate an unpacked portion of code - but it could be anything even a password.
SiGiNT
LLXX
October 13th, 2005, 16:07
Without being able to look at the surrounding code, I'd guess this is the initial state of a proprietary 256-bit hasher. Google doesn't turn up any results for all of the four dwords above.
winndy
October 13th, 2005, 23:46
thanks all!
The target is 
I did not read the FAQ
The official site is:
I did not read the FAQ
It's easy to patch. But I try to make a keygen.
Code:
0041C220    > \6A FF       push -1
0041C222    .  68 191D4300 push _to_A.00431D19                  ;  SE handler installation
0041C227    .  64:A1 00000>mov eax,dword ptr fs:[0]
0041C22D    .  50          push eax
0041C22E    .  64:8925 000>mov dword ptr fs:[0],esp
0041C235    .  81EC 940000>sub esp,94
0041C23B    .  8B8424 A400>mov eax,dword ptr ss:[esp+A4]
0041C242    .  53          push ebx
0041C243    .  56          push esi
0041C244    .  50          push eax
0041C245    .  8D4C24 10   lea ecx,dword ptr ss:[esp+10]
0041C249    .  C74424 60 6>mov dword ptr ss:[esp+60],CD49046B
0041C251    .  C74424 64 C>mov dword ptr ss:[esp+64],829A80CB
0041C259    .  C74424 68 C>mov dword ptr ss:[esp+68],3F5157C0
0041C261    .  C74424 6C 8>mov dword ptr ss:[esp+6C],B50C6384
0041C269    .  C74424 70 5>mov dword ptr ss:[esp+70],AA56D550
0041C271    .  C74424 74 7>mov dword ptr ss:[esp+74],B05ADF71
0041C279    .  C74424 78 D>mov dword ptr ss:[esp+78],7B2E3CD4
0041C281    .  C74424 7C C>mov dword ptr ss:[esp+7C],CFB69AC3
0041C289    .  E8 E8280100 call <jmp.&MFC42.#537>                  ;  kernel32.lstrlenA;MSVCRT.memcpy
0041C28E    .  8B8C24 B000>mov ecx,dword ptr ss:[esp+B0]
0041C295    .  C78424 A400>mov dword ptr ss:[esp+A4],0
0041C2A0    .  51          push ecx
0041C2A1    .  8D4C24 0C   lea ecx,dword ptr ss:[esp+C]
0041C2A5    .  E8 CC280100 call <jmp.&MFC42.#537>
0041C2AA    .  8B5424 0C   mov edx,dword ptr ss:[esp+C]
0041C2AE    .  8B35 BC2544>mov esi,dword ptr ds:[<&MSVCRT._mbscmp>>;  msvcrt._mbscmp
0041C2B4    .  68 60FC4300 push _to_A.0043FC60                  ; /s2 = ""
0041C2B9    .  52          push edx                                ; |s1
0041C2BA    .  C68424 AC00>mov byte ptr ss:[esp+AC],1              ; |
0041C2C2    .  FFD6        call esi                                ; \_mbscmp
if(Decipher(Registrationcode)==username)
 Registration successful.
It seems the initial value.
It should be a symmetrical cipher.
cipher(username)=Registrationcode
LLXX
October 14th, 2005, 00:39
No target names are allowed here... read the FAQ!
Bra!NSHiT
October 14th, 2005, 04:13
Hey guys ... perhaps it could be 256-Bit RSA cause ...
CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B seems ok to factor with ppsiqs. 
But on the other side :
There are only 2 calls before the compare, 2x lstrlen. Where is the calculation of user/key? I think, if you want to keygen this ... you are in the wrong place, imho.
Regards
winndy
October 14th, 2005, 08:59
Bra!NSHiT, I appreciate your help.
I will try RSA.
But this is only a piece of the code,
there are several calls below .
Thanks!
Regards
winndy
October 17th, 2005, 05:48
Yeah!
It's RSA.
N=CFB69AC37B2E3CD4B05ADF71AA56D550B50C63843F5157C0829A80CBCD49046B is a big number.
ppsiqsv1.1 gets p and q:
p=E4E7E39EE5E5C98788BF466DDCBAB2DF
q=E84C8EBF8D5AA6A5ACB2569542DBCBF5
E:10001
te's rsa tool gets D:
D:3CE0C02B5B070A3D2C12F63A523A70FA57692AFC70FAE36480D0E33205F6B4C1
Thanks all!
Regards
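
Added example, not part of any post in the thread: the Python below rebuilds the stack bytes written by the eight mov instructions, shows that only the little-endian reading gives the modulus N quoted in the replies, and checks the posted p and q against it. MIN_RSA_BITS and the function names are assumptions made for this example.

```python
import struct

# Immediates from the posted disassembly, in stack order esp+60 .. esp+7C.
STACK_DWORDS = [0xCD49046B, 0x829A80CB, 0x3F5157C0, 0xB50C6384,
                0xAA56D550, 0xB05ADF71, 0x7B2E3CD4, 0xCFB69AC3]
# N, p and q exactly as quoted in the thread.
N_POSTED = int("CFB69AC37B2E3CD4B05ADF71AA56D550"
               "B50C63843F5157C0829A80CBCD49046B", 16)
P_POSTED = int("E4E7E39EE5E5C98788BF466DDCBAB2DF", 16)
Q_POSTED = int("E84C8EBF8D5AA6A5ACB2569542DBCBF5", 16)
MIN_RSA_BITS = 2048  # assumption: floor chosen for this example's size check


def stack_image(dwords):
    """Bytes as x86 stores them: each dword little-endian, ascending address."""
    return struct.pack("<%dI" % len(dwords), *dwords)


def readings(dwords):
    """Three ways an analyst might turn the eight immediates into one number."""
    raw = stack_image(dwords)
    return {
        "little-endian bignum": int.from_bytes(raw, "little"),
        "big-endian bignum": int.from_bytes(raw, "big"),
        "dwords in listing order": int("".join("%08X" % d for d in dwords), 16),
    }


def audit(dwords, n, p, q):
    """Report which reading equals n, its size, and whether p*q rebuilds it."""
    return {
        "encoding": [k for k, v in readings(dwords).items() if v == n],
        "bits": n.bit_length(),
        "factors_ok": 1 < p < n and 1 < q < n and p * q == n,
        "below_minimum": n.bit_length() < MIN_RSA_BITS,
    }


if __name__ == "__main__":
    for key, value in audit(STACK_DWORDS, N_POSTED, P_POSTED, Q_POSTED).items():
        print(f"{key}: {value}")
```
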
Rummy
October 23rd, 2005, 08:51
Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.
winndy
October 23rd, 2005, 09:06
Quote:
Originally Posted by Rummy: Very, very nice Bra!NSHiT. Very nice. Your brain is not full of your nickname.
But Rummy, you are not a drinker like your nickname. You are full of humour sense.
