1. Open KeyGenMe#3 in OllyDbg.
2. Type any username and password you like.
3. Place a breakpoint: BPX GetDlgItemTextA
4. Press the Test button.
5. You will stop at address 004011CF; press F8 again and again until you reach address 00401270.
00401270 > 8A1E MOV BL,BYTE PTR DS:[ESI] ; the key generator starts here
00401272 . FEC3 INC BL
00401274 . 83C3 14 ADD EBX,14 ;
00401277 . 83C3 03 ADD EBX,3 ;
0040127A . FECB DEC BL
0040127C . 83EB 05 SUB EBX,5
0040127F . FEC3 INC BL
00401281 . 83EB 07 SUB EBX,7
00401284 . 83EB 05 SUB EBX,5
00401287 . 83EB 0A SUB EBX,0A
0040128A . 83C3 0A ADD EBX,0A
0040128D . 881F MOV BYTE PTR DS:[EDI],BL
0040128F . 46 INC ESI
00401290 . 47 INC EDI
00401291 . 48 DEC EAX
00401292 > 0BC0 OR EAX,EAX
00401294 .^ 75 DA JNZ SHORT KeyGenMe.00401270 ; the key generator ends here
6. Our password is compared here.
004012A5 . 56 PUSH ESI ; /String2 => ""
004012A6 . 57 PUSH EDI ; |String1 => ""
004012A7 . E8 1A2E0>CALL
004012AC . 74 15 JE SHORT KeyGenMe.004012C3
7. ^ Our password is placed in String2 and the result of the calculation in String1; lstrcmpA compares String1 with String2.
8. Below this is a BURN method that erases all the calculation buffers.
004012D2 . EB 00 JMP SHORT KeyGenMe.004012D4
004012D4 > 68 00020>PUSH 200 ; /Length = 200 (512.)
004012D9 . 68 60644>PUSH KeyGenMe.00406460 ; |Destination = KeyGenMe.00406460
004012DE . E8 D72D0>CALL
004012E3 . 68 00020>PUSH 200 ; /Length = 200 (512.)
004012E8 . 68 60624>PUSH KeyGenMe.00406260 ; |Destination = KeyGenMe.00406260
004012ED . E8 C82D0>CALL
004012F2 . 68 00020>PUSH 200 ; /Length = 200 (512.)
004012F7 . 68 60684>PUSH KeyGenMe.00406860 ; |Destination = KeyGenMe.00406860
004012FC . E8 B92D0>CALL
00401301 . 61 POPAD
00401302 . C9 LEAVE
00401303 . C2 0400 RETN 4
The key generator takes the characters one by one and calculates each one's value.
To learn the calculation, follow it in the trace and write down every step; for example a = h.
An example of the result is
"-:CodeMakeR:-"
"4AJvklThrlYA4"
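As an added example (not code from the crackme or its author), the following Python script reproduces the loop body at 00401270-00401294 instruction by instruction, keeping EBX as a 32-bit register and BL as its low byte so the mix of 8-bit INC/DEC and 32-bit ADD/SUB is modelled faithfully. It assumes the upper bytes of EBX start at zero, which the listing never guarantees; since only BL is stored, that assumption cannot change the output. Running it on the name from the page yields the page's own result, and `net_shift()` shows that all ten adjustments collapse to adding 7 to each byte (mod 256), which is why a becomes h.

```python
# Added example: step-by-step emulation of the KeyGenMe#3 transform loop
# shown in the disassembly above. Not the crackme's own code.

MASK32 = 0xFFFFFFFF


def _inc_bl(v: int) -> int:
    """INC BL: increment only the low byte, leave the upper 24 bits alone."""
    return (v & ~0xFF) | ((v + 1) & 0xFF)


def _dec_bl(v: int) -> int:
    """DEC BL: decrement only the low byte, leave the upper 24 bits alone."""
    return (v & ~0xFF) | ((v - 1) & 0xFF)


def transform_byte(c: int) -> int:
    """Emulate one pass of the loop body (00401270-0040128D) for one input byte.

    Upper bytes of EBX are assumed to be zero on entry (assumption: the listing
    does not clear them, but only BL is written to [EDI], so they never leak
    into the result).
    """
    ebx = c & 0xFF                  # MOV BL,BYTE PTR DS:[ESI]
    ebx = _inc_bl(ebx)              # INC BL
    ebx = (ebx + 0x14) & MASK32     # ADD EBX,14
    ebx = (ebx + 0x03) & MASK32     # ADD EBX,3
    ebx = _dec_bl(ebx)              # DEC BL
    ebx = (ebx - 0x05) & MASK32     # SUB EBX,5
    ebx = _inc_bl(ebx)              # INC BL
    ebx = (ebx - 0x07) & MASK32     # SUB EBX,7
    ebx = (ebx - 0x05) & MASK32     # SUB EBX,5
    ebx = (ebx - 0x0A) & MASK32     # SUB EBX,0A
    ebx = (ebx + 0x0A) & MASK32     # ADD EBX,0A
    return ebx & 0xFF               # MOV BYTE PTR DS:[EDI],BL


def keygen(username: str) -> str:
    """Run the loop once per character (EAX holds the remaining count in the
    original; DEC EAX / JNZ ends the loop after the last byte)."""
    out = bytes(transform_byte(b) for b in username.encode("latin-1"))
    return out.decode("latin-1")


def net_shift() -> int:
    """Sum of all constant adjustments in the loop body, reduced mod 256.
    Every 8-bit and 32-bit add/sub contributes the same amount to BL, so the
    whole body is equivalent to adding this value to each byte."""
    return (1 + 0x14 + 0x03 - 1 - 0x05 + 1 - 0x07 - 0x05 - 0x0A + 0x0A) & 0xFF


if __name__ == "__main__":
    # Sample name taken from the page; expected output is the page's own result.
    print(keygen("-:CodeMakeR:-"))   # 4AJvklThrlYA4
    print(keygen("a"))               # h
    print(net_shift())               # 7
```

Because the 32-bit ADD/SUB instructions only affect BL through their low byte, the emulation and the simplified `(c + 7) & 0xFF` agree for all 256 input values; the second form is the one a solver would write down after tracing, but the first form is the one that proves the simplification is correct.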