peterpunk, el crackme lo hice mitad/mitad: C/Asm.
La parte del CRC la hice en asm (prácticamente copy-paste de tu rutina original).
La parte del keygen en sí, en C.
Para convertir un FLOAT a su representación hex de 32 bits también tuve que usar asm inline: usando un puntero y leyendo byte a byte me daba otro resultado.
Aqui el fuente:
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
/* Implemented in the FASM module below; the __stdcall convention must match
 * the '_name@bytes' decorated exports declared there with `public ... as`. */
unsigned int __stdcall crc_check(char *, unsigned int);   /* CRC of `len` bytes at `user`, using `table` */
unsigned int __stdcall crc_table();                       /* fills the 256-entry lookup table; call once first */
unsigned int __stdcall _rand(unsigned int);               /* LCG step on `randseed`; returns a value in [0, range) */
extern unsigned int randseed;                             /* global generator state, owned by the asm module */
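/*
 * Keygen driver: reads a user name, hashes it with the crackme's CRC routine,
 * and prints 11 candidate serials of the form "XXXX-<hex>", where XXXX are four
 * random letters and <hex> is the raw IEEE-754 bit pattern of a float derived
 * from the letters and the CRC.
 *
 * Returns 0 on success, 1 if no user name could be read.
 */
int main(void)
{
    int iCount, tCount;
    char serial[] = "1111-";               /* 4 letters + '-' + NUL; letters are overwritten below */
    char user[]   = "0000000000000000";    /* 16 chars + NUL: the scanf width below must stay 16 */
    unsigned int kx, k1, k2, k3, r;
    float r1, a, b, c;

    printf("User: ");
    /* Bounded read. The original scanf("%s", &user) was an unchecked stack
     * overflow for any name longer than 16 characters, and passed a
     * char (*)[17] where a char * is expected. */
    if (scanf("%16s", user) != 1)
        return 1;

    /* Seed the LCG in the asm module. A tick count is fine for picking random
     * serial letters here; it is not suitable where unpredictability matters. */
    randseed = GetTickCount();
    crc_table();
    kx = crc_check(user, (unsigned int) strlen(user));

    for (tCount = 0; tCount <= 10; tCount++) {
        /* Four random letter indices in 0..25; k1 is their base-26 value
         * (0x44A8 = 26^3, 0x2A4 = 26^2, 0x1A = 26). */
        for (iCount = 0; iCount <= 3; iCount++)
            serial[iCount] = (char) _rand(26);
        k1 = (serial[3] * 0x44A8) + (serial[2] * 0x2A4) + (serial[1] * 0x1A) + (serial[0]);
        for (iCount = 0; iCount <= 3; iCount++)
            serial[iCount] += 65;          /* index -> 'A'..'Z' */

        k2 = (kx & 0xFF) + 1;              /* low byte of the CRC, +1 so it is never zero */
        k3 = ((kx >> 0x10) & 0xFF) + 1;    /* third byte of the CRC, +1 likewise */
        a = k3;                            /* e.g. 180 */
        b = k2;                            /* e.g. 146 */
        c = k1;                            /* e.g. ~33k */

        /* Positive root of a*x^2 + b*x - c = 0, then its square root.
         * Keep this expression and the float types exactly as they are: the
         * serial is the raw bit pattern of r1, so any change in evaluation
         * order or precision changes the printed key. */
        r1 = (-b + sqrt(b * b + 4 * a * c)) / (2 * a);
        r1 = sqrt(r1);

        /* Reinterpret the 32-bit float as an integer. memcpy is the portable
         * type-pun and reads the same four bytes the original `mov eax, r1`
         * inline asm did. */
        memcpy(&r, &r1, sizeof r);
        printf("%s%X\n", serial, r);
    }

    system("pause");
    return 0;
}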
; FASM, Intel syntax, 32-bit Windows object file linked against the C keygen above.
; All procedures use __stdcall; the decorated '_name@bytes' exports below must
; match the C prototypes (crc_check takes 8 bytes of args, _rand 4, crc_table 0).
include '%fasminc%\win32a.inc'
format MS COFF
public crc_table as '_crc_table@0'
public crc_check as '_crc_check@8'
public _rand as '__rand@4'
public randseed as '_randseed'
section '.text' code readable executable
;-----------------------------------------------------------------------
; unsigned int __stdcall _rand(unsigned int range)
; Advances the global `randseed` with the LCG seed = seed*0x08088405 + 1
; (mod 2^32) and returns (range * newseed) >> 32, a value in [0, range).
; Not a cryptographic generator: the C side seeds it from GetTickCount,
; so every output is reproducible from the seed.
; In:    [range] = upper bound (exclusive)
; Out:   eax = result;  [randseed] updated
; Clobb: edx, flags
;-----------------------------------------------------------------------
proc _rand, range
        mov     edx, [randseed]
        imul    edx, edx, 0x08088405
        add     edx, 1                  ; newseed = seed*0x08088405 + 1
        mov     [randseed], edx
        mov     eax, [range]
        mul     edx                     ; edx:eax = range * newseed
        mov     eax, edx                ; high dword = floor(range*newseed / 2^32)
        ret
endp
;-----------------------------------------------------------------------
; void __stdcall crc_table(void)
; Fills `table` (256 dwords) with the lookup table for the reflected
; CRC used by crc_check. The polynomial is 0xEDB8832E (the original
; wrote it as 0xEDB8832D + 1). NOTE: this is not the standard CRC-32
; polynomial 0xEDB88320, so the table is specific to this crackme.
; Each entry starts from 2*i and is shifted 9 times; the first shift of
; 2*i only drops a zero bit, so this equals the usual 8 rounds on i.
; Out:   [table] filled;  eax = last entry (callers ignore it)
; Clobb: eax, edx, flags.  ebx/esi/edi are preserved.
;-----------------------------------------------------------------------
proc crc_table
        push    esi edi ebx
        mov     edi, 0xEDB8832E         ; polynomial (== 0xEDB8832D + 1)
        xor     ebx, ebx                ; ebx = table index i, 0..255
.entry:
        movzx   eax, bx
        add     eax, eax                ; eax = 2*i
        mov     edx, 9                  ; 9 shift rounds (original counted 0xFFF7 up to 0)
.round:
        shr     eax, 1                  ; CF = bit shifted out
        jnc     .no_xor
        xor     eax, edi
.no_xor:
        dec     edx
        jnz     .round
        mov     [table+ebx*4], eax
        inc     ebx
        cmp     ebx, 0x100
        jb      .entry
        pop     ebx edi esi
        ret
endp
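;-----------------------------------------------------------------------
; unsigned int __stdcall crc_check(char *user, unsigned int len)
; Table-driven reflected CRC over `len` bytes at `user`, using the
; table built by crc_table (call crc_table first). The running value
; starts at 0x50554E4B instead of the usual ~0, and the result is
; bit-inverted on exit, as in the crackme's original routine.
; Fixes vs. the original:
;  - a zero `len` returned to the caller immediately (the original did
;    dec/jnz on 0 and walked ~4 GiB past the buffer);
;  - each input byte is read with a byte load instead of a dword load
;    that fetched up to 3 bytes past the end of the buffer.
; In:    [user] = pointer to bytes, [len] = byte count
; Out:   eax = CRC (for len == 0: ~0x50554E4B)
; Clobb: edx, flags.  ebx/esi/edi are preserved.
;-----------------------------------------------------------------------
proc crc_check, user, len
        push    esi edi ebx
        mov     ebx, [user]             ; ebx = current byte pointer
        mov     esi, [len]              ; esi = bytes remaining
        mov     edi, 0x50554E4B         ; initial CRC register (crackme-specific)
        test    esi, esi
        jz      .done                   ; nothing to hash
.next_byte:
        movzx   eax, byte [ebx]         ; exactly one byte, no over-read
        mov     edx, edi
        xor     al, dl                  ; index = (crc ^ byte) & 0xFF
        mov     eax, [eax*4+table]
        shr     edx, 8
        xor     eax, edx                ; crc = table[index] ^ (crc >> 8)
        mov     edi, eax
        inc     ebx
        dec     esi
        jnz     .next_byte
.done:
        not     edi
        mov     eax, edi
        pop     ebx edi esi
        ret
endp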
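section '.data' data readable writeable
randseed dd 0                   ; LCG state for _rand; seeded by the C side
; 256 entries: crc_table writes indices 0..255 and crc_check reads
; [eax*4+table] with eax up to 255. The original reserved only 0xFF
; entries, so entry 255 lived in whatever followed the table.
table    dd 0x100 dup ?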
PD: A... Diofanto, así la bicuadrática tiene más sentido con el nombre.
Gracias por el buen crackme; podría ahora hacerlo completamente en asm, ya que el problema no era la FPU sino que la resolvente estaba buggeada.