Shadow's tutorial to HF crackme II
==================================


Part I - code calculation
=========================

Protection routine. Use bpx 004268d2 to break on it ... I didn't find it
with SoftICE, but I located it in the W32Dasm dead listing.
This crackme is written in Delphi, so it is not that easy to trace.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004268A4(C)
|
:004268D2 0FB600                  movzx eax, byte ptr [eax]

copy the 1st character to eax (movzx zero-extends it, so the byte is treated as unsigned 0..255)

:004268D5 8BF0                    mov esi, eax

copy it to esi

:004268D7 C1E602                  shl esi, 02

shift left 2 bits, i.e. esi = 4 * first char

:004268DA 8D3476                  lea esi, dword ptr [esi+2*esi]

esi = esi + 2*esi = 3 * (4 * first char) = 12 * first char

the next 3 lines only re-fetch the name string pointer into [ebp-08] (presumably a Delphi property getter); they are not important for the calculation

:004268DD 8D55F8                  lea edx, dword ptr [ebp-08]
:004268E0 8B83B0010000            mov eax, dword ptr [ebx+000001B0]
:004268E6 E865B3FEFF              call 00411C50

:004268EB 8B45F8                  mov eax, dword ptr [ebp-08]
:004268EE 0FB64001                movzx eax, byte ptr [eax+01]

copy next char to eax

:004268F2 8D0480                  lea eax, dword ptr [eax+4*eax]

eax = eax + 4*eax = 5 * second char

:004268F5 8D0480                  lea eax, dword ptr [eax+4*eax]

eax = eax + 4*eax again, so eax = 25 * second char

:004268F8 03F0                    add esi, eax

add it to esi

:004268FA 8D55F4                  lea edx, dword ptr [ebp-0C]
:004268FD 8B83B0010000            mov eax, dword ptr [ebx+000001B0]
:00426903 E848B3FEFF              call 00411C50
:00426908 8B45F4                  mov eax, dword ptr [ebp-0C]

copy next char to eax

:0042690B 0FB64002                movzx eax, byte ptr [eax+02]

:0042690F 03C0                    add eax, eax

eax = eax + eax = 2 * third char

:00426911 03F0                    add esi, eax

esi = esi+eax

:00426913 8D55F0                  lea edx, dword ptr [ebp-10]
:00426916 8B83B0010000            mov eax, dword ptr [ebx+000001B0]
:0042691C E82FB3FEFF              call 00411C50
:00426921 8B45F0                  mov eax, dword ptr [ebp-10]

copy next char to eax

:00426924 0FB64003                movzx eax, byte ptr [eax+03]

signed multiply by the immediate 0bh (11):

eax = eax * 0bh = 11 * fourth char

:00426928 6BC00B                  imul eax, 0000000B

esi = esi+eax

:0042692B 03F0                    add esi, eax

store esi (the sum, from now on called the keycode) to memory at 00428690.

:0042692D 893590864200            mov dword ptr [00428690], esi

eax = pointer to the username string (read from 00428694)..

:00426933 A194864200              mov eax, dword ptr [00428694]

this function calculates the length of the username

:00426938 E8D3ECFDFF              call 00405610

eax = length of the username

:0042693D 8B1590864200            mov edx, dword ptr [00428690]

edx = the keycode stored at 00428690 above

:00426943 0FAF1590864200          imul edx, dword ptr [00428690]

edx = edx * keycode = keycode^2 (the two-operand imul writes its first operand, edx, not eax)

:0042694A F7EA                    imul edx

edx:eax = eax * edx, i.e. eax = low 32 bits of (length * keycode^2); the high half in edx is discarded

:0042694C A390864200              mov dword ptr [00428690], eax

store the final code back to memory at 00428690.

Now we can write a keygenerator for this crackme and generate some keys
to test whether we have understood the routine.... Note that before the
calculation routine there is also a check that rejects usernames shorter
than 4 characters (the routine reads four characters unconditionally; the
keygen below is stricter and demands at least 5).

Part II - keygenerator
======================

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

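/*
 * Reproduce the crackme's serial routine for a given name.
 *
 * Only the first four bytes of the name and the name's length take part:
 *   keycode = 12*c0 + 25*c1 + 2*c2 + 11*c3
 *   key     = keycode * keycode * len
 * Every byte is zero-extended (the target uses movzx) and every product
 * is truncated to 32 bits (the target uses 32-bit imul), so the math is
 * done in uint32_t rather than unsigned long, which is 64 bits on LP64
 * platforms and would otherwise produce different keys for long names.
 *
 * name: bytes of the username, at least 4 of them readable.
 * len:  strlen(name) as the target computes it.
 * Returns the serial the crackme expects for that name.
 */
static uint32_t hf_keycode(const unsigned char *name, size_t len)
{
    uint32_t keycode = 12u * name[0]    /* (c0 << 2), then *3 via lea */
                     + 25u * name[1]    /* c1*5, then *5 again via lea */
                     +  2u * name[2]    /* c2 + c2 */
                     + 11u * name[3];   /* imul c3, 0bh */
    uint32_t temp = keycode * (uint32_t)len;
    return keycode * temp;
}

int main(void)
{
    char user[64];
    size_t len;

    printf("Keygenerator for HF crackme by Shadow/hf\n");
    printf("Name: ");
    fflush(stdout);
    /* fgets instead of gets: gets() has no bound and overflows the buffer
     * on a long name. Names longer than the buffer are truncated. */
    if (fgets(user, sizeof(user), stdin) == NULL) {
        return 1;
    }
    user[strcspn(user, "\r\n")] = '\0';     /* drop the trailing newline */
    len = strlen(user);
    /* the routine reads four characters; keep the original's stricter limit */
    if (len < 5) {
        printf("Usernamelen must be > 4\n");
        exit(1);
    }
    /* cast to unsigned char so high-bit characters are not sign-extended */
    printf("Your code is: %lu",
           (unsigned long)hf_keycode((const unsigned char *)user, len));
    return 0;
}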

Part III win32 assembly keygenerator
====================================

I still decided to code this using pure Win32 assembler...

key.rc
key.asm
makefile
key.def
w32.inc

and TASM 5 is needed to build it..

[in key.asm]

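;
; Calculate - compute the correct key for the name pointed to by pstr1.
;
; In:   pstr1  = pointer to the zero-terminated username
; Out:  eax    = key = low 32 bits of (number * number * lstrlen(pstr1))
;       number = 12*c0 + 25*c1 + 2*c2 + 11*c3 (global dword, defined
;                elsewhere in key.asm)
; Clobbers: ecx, edx (lstrlen is a Win32 API call). esi is saved and
;           restored because the Win32 ABI treats it as callee-saved;
;           the original version left it trashed for the caller.
; Note: the first four bytes are read unconditionally, so the caller must
;       reject names shorter than 4 characters before calling this.
;
Calculate proc pstr1:DWORD
        push    esi                     ; callee-saved under the Win32 ABI
        mov     esi,pstr1
        xor     eax,eax                 ; lodsb only writes al; keep the rest zero
        mov     number,0

;
; 1st char: number += 12 * c0   (c0 << 2, then * 3 via lea)
;
        lodsb
        shl     eax,2
        lea     eax,[eax+2*eax]
        add     number,eax

;
; 2nd char: number += 25 * c1   (c1 * 5 * 5)
;
        xor     eax,eax                 ; zero-extend the byte, like the target's movzx
        lodsb
        lea     eax,[eax+4*eax]
        lea     eax,[eax+4*eax]
        add     number,eax

;
; 3rd char: number += 2 * c2
;
        xor     eax,eax
        lodsb
        add     eax,eax
        add     number,eax

;
; 4th char: number += 11 * c3
;
        xor     eax,eax
        lodsb
        imul    eax,eax,0bh
        add     number,eax

;
; final stage: eax = number * number * strlen(name), truncated to 32 bits
;
        call    lstrlen,pstr1           ; eax = strlen(name)
        mov     edx,number
        imul    edx,number              ; edx = number^2 (two-operand form keeps the low 32 bits)
        imul    edx                     ; edx:eax = eax * edx; the key is the low half in eax
        pop     esi
        ret
Calculate endp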

