//---------------------------------------------------------------------------
// the code published under Creative Commons (CC-BY-NC) license
// author: hasherezade (http://hshrzd.wordpress.com)
// the keygenerator for ESET CrackMe, CONfidence2012 (http://2012.confidence.org.pl)
// remarks: compile with DEP disabled
//---------------------------------------------------------------------------
#include <windows.h>
#include <iostream>
using namespace std;
BYTE hsh[16];
BYTE hashes[4][16];
BYTE output[16];
/*
maxBlock =
6 instructions total:
instruction[1,2,5,6] -> 3 bytes
instruction[3,4] -> 3 or 4 bytes -> max 4 bytes
+ 1 byte -> NOP at the end of 6-th instruction (padding)
*/
const DWORD maxBlock = 4 * 3 + 2 * 4 + 1;
const DWORD bufMax = maxBlock * 256;
BYTE buffer[bufMax];
DWORD bufIndex = bufMax - maxBlock;
DWORD blockStart = bufMax;
//----------------------------------------
typedef struct {
ULONG i[2];
ULONG buf[4];
unsigned char in[64];
unsigned char digest[16];
} MD5_CTX;
typedef void (WINAPI *t_MD5Init)(
MD5_CTX *context
);
t_MD5Init MD5Init;
typedef void (WINAPI *t_MD5Update)(
MD5_CTX *context,
const unsigned char *input,
unsigned int inlen
);
t_MD5Update MD5Update;
typedef void (WINAPI *t_MD5Final)
(
MD5_CTX *context
);
t_MD5Final MD5Final;
char revrs(int a)
{
a += 0x41;
if (a >= 'A' && a <= 'Z')
return a;
a += 6;
return a;
}
void decode_chunks()
{
int V = 0x29, i = 0;
WORD* out = (WORD*)output;
while (i < 8) {
WORD chunk = out[i];
i++;
//printf("\n%4X",chunk);
int x,y,z;
int a;
z = chunk % V;
a = chunk / V;
y = a % V;
x = a / V;
printf("%c%c%c", revrs(x), revrs(y), revrs(z));
}
}
//----------------------------------------
void call_generated()
{
memset(output,0,16);
void* generated = (void*)buffer;
_asm {
EMMS
MOVQ MM0,QWORD PTR hashes[0]
MOVQ MM1,QWORD PTR hashes[8]
MOVQ MM2,QWORD PTR hashes[0x10]
MOVQ MM3,QWORD PTR hashes[0x18]
MOVQ MM4,QWORD PTR hashes[0x20]
MOVQ MM5,QWORD PTR hashes[0x28]
call generated
MOVQ QWORD PTR output[0], MM0
MOVQ QWORD PTR output[8], MM1
};
}
void genetrateReversed()
{
memset(buffer, 0x90, bufMax);
__asm {
push ebp
mov EBX, 0x42
mov ECX, 0x100
jmp start
process_hsh:
PUSH ESI
PUSH EDX
MOV EDX, dword ptr hsh[0]
AND EDX,0x87
SETPO DL
XOR EAX,EAX
SHL dword ptr hsh[0],1
RCL DWORD PTR hsh[4],1
RCL DWORD PTR hsh[8],1
RCL DWORD PTR hsh[0xC],1
ADC EAX,EAX
XOR EAX,EDX
OR DWORD PTR hsh[0],EAX
POP EDX
POP ESI
RET
get_cmd_base:
PUSH EDX
PUSH ESI
bgn1:
call process_hsh
MOV EDX,EAX
call process_hsh
LEA EAX,DWORD PTR DS:[EAX+EDX*2]
TEST EAX,EAX
JE bgn1
POP ESI
POP EDX
RET
Instruction1:
call get_cmd_base
SHR EAX,1
NEG EAX
AND EAX,1
MOV EBP,EBX
AND EBP,0x700
SHR EBP,5
OR EBP,0xC6
XOR EBP,EAX
MOV EAX,EBP
SHL EAX,0x18
OR EAX,0x7F0FCC
ROR EAX,8
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
RET
Instruction2:
OR EBX,0x80000000
MOV EAX,EBX
AND EAX,7
SHL EAX,3
AND EBP,0xC7
OR EBP,EAX
XOR EBP,1
MOV EAX,EBP
SHL EAX,0x18
OR EAX,0x7F0FCC
ROR EAX,8
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
RET
case1:
call get_cmd_base
MOV AH,AL
AND AH,1
SHL AH,4
OR AH,0xEF
MOV DL,AL
AND DL,2
SHL DL,1
OR DL,0xFB
AND DL,AH
MOV DH,AL
AND DH,1
NEG DH
call get_cmd_base
AND DH,AL
XOR DL,DH
MOV EAX,EBP
MOVZX EDX,DL
MOVZX EAX,AL
SHL EAX,0x10
SHL EDX,8
XOR EAX,EDX
XOR EAX,0xCC00000F
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
RET
case2:
PUSH ECX
call get_cmd_base
MOV CL,AL
AND CL,1
MOV AH,1
SHL AH,CL
NOT AH
ROL AH,4
AND AL,2
NOT AL
ROL AL,1
AND AH,AL
MOV ECX,EBP
AND EAX,0xFF00
MOVZX ECX,CL
SHL ECX,0x10
OR EAX,ECX
XOR EAX,0xCC00000F
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
POP ECX
RET
case3:
call get_cmd_base
SHR AL,1
MOV DL,AL
SHL DL,5
call get_cmd_base
MOV DH,AL
MOV EAX,EBP
SHR AL,3
AND AL,7
OR AL,0xF0
XOR DL,AL
call get_cmd_base
OR AL,0x70
SHL EAX,8
OR AL,0x0F
SHL EDX,0x10
XOR EAX,EDX
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,4
RET
Instruction3:
call get_cmd_base
MOV EBP,EBX
AND EBP,7
OR EBP,0x0F0
the_switch:
cmp eax, 1
jne c2
jmp case1
c2:
cmp eax, 2
jne c3
jmp case2
c3:
cmp eax, 3
jne c4
jmp case3
c4:
RET
Instruction4:
call get_cmd_base
MOV EBP,EBX
AND EBP,7
OR EBP,0x0F8
jmp the_switch
RET
Instruction5:
AND EBX,0x7FFFFFFF
call get_cmd_base
SHR EAX,1
NEG EAX
AND EAX,9
MOV EBP,0xF7
XOR EBP,EAX
call get_cmd_base
MOV AH,AL
AND AH,1
SHL AH,4
OR AH,0xEF
MOV DL,AL
AND DL,2
SHL DL,1
OR DL,0xFB
AND DL,AH
MOV DH,AL
AND DH,1
NEG DH
call get_cmd_base
AND DH,AL
XOR DL,DH
MOV EAX,EBP
MOVZX EDX,DL
MOVZX EAX,AL
SHL EAX,0x10
SHL EDX,8
XOR EAX,EDX
XOR EAX,0xCC00000F
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
RET
Instruction6:
MOV EAX,EBX
SHR EAX,5
XOR EAX,8
AND EAX,0x38
SHR EBP,3
AND EBP,7
OR EBP,EAX
OR EBP,0xC0
call get_cmd_base
MOV AH,AL
AND AH,1
SHL AH,4
OR AH,0xEF
MOV DL,AL
AND DL,2
SHL DL,1
OR DL,0xFB
AND DL,AH
MOV DH,AL
AND DH,1
NEG DH
call get_cmd_base
AND DH,AL
XOR DL,DH
MOV EAX,EBP
MOVZX EDX,DL
MOVZX EAX,AL
SHL EAX,0x10
call reverseInstruction6
SHL EDX,8
XOR EAX,EDX
XOR EAX,0x9000000F ;// i want NOP at the end of the last instruction (instead of INT 3: XOR EAX,0xCC00000F)
MOV EDI, bufIndex
MOV DWORD PTR buffer[EDI], EAX
ADD bufIndex,3
MOV EAX,EBX
SHR EAX,0x1F
XOR EBX,EAX
RET
reverseInstruction6:
;/*
; 0xfc -> 0xf8 (PADDB -> PSUBB)
; 0xfd -> 0xf9 (PADDW -> PSUBW)
; 0xfe -> 0xfa (PADDD -> PSUBD)
;
; 0xf8 -> 0xfc (PSUBB -> PADDB)
; 0xf9 -> 0xfd (PSUBW -> PADDW)
; 0xfa -> 0xfe (PSUBD -> PADDD)
;
; 0xef -> 0xef (reversed XOR is XOR)
;*/
cmp EDX, 0xef
je revEnd
cmp EDX, 0xfc
jb r1
SUB EDX,4
jmp revEnd
r1:
ADD EDX,4
revEnd:
RET
start:
push ebx
mov ebx,blockStart
sub ebx, maxBlock
mov blockStart, ebx
mov bufIndex, ebx
pop ebx
call Instruction1
call Instruction2
call Instruction3
call Instruction4
call Instruction5
call Instruction6
ROL BL,4
XOR EBX,0x100
DEC ECX
JNZ start
pop ebp
};
BYTE ret = 0xc3;
buffer[bufMax-1] = ret;
}
int main(){
//load
int i;
HMODULE hCryptdll = LoadLibraryA("Cryptdll.dll");
if (hCryptdll==NULL) return (-1);
MD5Init = (t_MD5Init)GetProcAddress(hCryptdll, "MD5Init");
MD5Update = (t_MD5Update)GetProcAddress(hCryptdll, "MD5Update");
MD5Final = (t_MD5Final)GetProcAddress(hCryptdll, "MD5Final");
//Get input
const int MAX = 33;
char input[MAX];
printf("Name:\n");
scanf("%[ A-Za-z]s", input); //including space
int len = strlen(input);
MD5_CTX md5;
MD5Init(&md5);
MD5Update(&md5,(const unsigned char *)input, len);
MD5Final(&md5);
memcpy(hsh, md5.digest, 16);
//other hashes
memcpy(hashes[0], md5.digest, 16);
char backup[16];
memcpy(backup, md5.digest, 16);
int x;
for (x = 1; x < 3; x++) {
MD5Init(&md5);
MD5Update(&md5,(const unsigned char *)backup, 16);
MD5Final(&md5);
memcpy(hashes[x], md5.digest, 16);
memcpy(backup, md5.digest, 16);
}
//---
genetrateReversed();
call_generated();
printf("\nRegistration key:\n");
decode_chunks();
printf("\n\n---\n");
system("pause");
return 0;
}