- ;
- ; Crackme Writeup : http://rce4fun.blogspot.com/
- ;
- .386
- .model flat,stdcall
- option casemap:none
- include windows.inc
- include kernel32.inc
- includelib kernel32.lib
- include user32.inc
- includelib user32.lib
- include masm32.inc
- includelib masm32.lib
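.data
; Pass counter. `start` increments it on every pass and writes the two seed
; constants into arg1/arg2 only while the incremented value is <= 2.
count   dw      1
; Intermediate values recomputed on every pass from arg1/arg2.
first   dd      NULL
sec     dd      NULL
; The two generated values. Each pass overwrites them, and the next pass
; uses them as its input.
arg1    dd      NULL
arg2    dd      NULL
; Placeholder prompt (constructed, not from the original paste): `start`
; passes `addr ppoint` to StdOut but the listing never defines the symbol,
; so the file does not assemble without it. Replace with the intended text.
ppoint  db      "> ", 0
.data?
; Line buffer for StdIn; `start` asks for at most 200h bytes, which is
; well inside the 1024 bytes reserved here.
inpuut  db      1024 dup(?)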
- .code
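;-----------------------------------------------------------------------
; start -- program entry point and main loop.
;
; Each pass prints the prompt, derives a new (arg1, arg2) pair from the
; previous one, then blocks on StdIn so the two values can be read from
; memory in a debugger before the next pass.
;
;   first = arg1 XOR 0B72AF098h
;   sec   = (arg2 * first) XOR arg2
;   arg1  = routine_1(first, 2) * 7 + first * 1Dh
;   arg2  = routine_1(sec XOR arg1, (arg1 MOD 2) + 5)
;
; All arithmetic is 32-bit and wraps silently.
; Expects `ppoint` (prompt string for StdOut) to be defined in .data.
; The loop has no exit path: it runs until the process is terminated.
;-----------------------------------------------------------------------
start:
        invoke  StdOut, addr ppoint
        inc     word ptr ds:[count]
        cmp     word ptr ds:[count], 2
        ja      above_1                     ; later passes keep the previous arg1/arg2
        mov     [arg1], 0A8276BFAh          ; first pass only: seed values
        mov     [arg2], 092F837EDh

        ; Derive the two intermediate values from the current pair.
above_1:
        mov     eax, [arg1]
        xor     eax, 0B72AF098h
        mov     [first], eax
        mov     ecx, [arg2]
        imul    ecx, eax
        xor     ecx, [arg2]
        mov     [sec], ecx

generate:
        ; arg1 = first^2 * 7 + first * 1Dh
        xor     edi, edi
        push    edi                         ; extra zero dword; routine_1 reads only two arguments
        push    2                           ; exponent
        mov     eax, [first]
        push    eax                         ; base
        call    routine_1
        add     esp, 0Ch                    ; three dwords were pushed; the original removed only
                                            ; two, leaving 4 bytes on the stack every pass
        imul    eax, eax, 7
        mov     ecx, [first]
        imul    ecx, ecx, 1Dh
        add     eax, ecx
        mov     [arg1], eax

        ; exponent = (arg1 MOD 2) + 5, i.e. 5 or 6
        xor     edx, edx                    ; div uses edx:eax as the dividend
        mov     ecx, 2
        div     ecx
        add     edx, 5
        push    edx                         ; exponent
        mov     edx, [sec]
        xor     edx, [arg1]
        push    edx                         ; base
        call    routine_1
        add     esp, 8                      ; routine_1 returns with a plain ret, so the caller
                                            ; must drop the arguments; the original did not, and
                                            ; the stack grew on every pass of the loop
        mov     [arg2], eax

        ; Pause here: inspect arg1 and arg2 in the debugger, then press Enter.
        invoke  StdIn, addr inpuut, 200h
        jmp     start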
;-----------------------------------------------------------------------
; routine_1 -- 32-bit integer power by repeated multiplication.
;
; Convention: arguments on the stack, exponent pushed first and base
;             last; returns with a plain `ret`, so the caller removes
;             the arguments.
; In:    [ebp+8]   = base
;        [ebp+0Ch] = exponent, used as an unsigned iteration count
; Out:   eax = base multiplied by itself `exponent` times, truncated to
;              32 bits; 1 when the exponent is 0
; Clobb: eax, ecx, flags
;-----------------------------------------------------------------------
routine_1:
        push    ebp
        mov     ebp, esp
        mov     eax, 1                      ; running product
        mov     ecx, dword ptr ss:[ebp+0Ch] ; multiplications still to do
        test    ecx, ecx
        jz      pow_done                    ; exponent 0: result stays 1
pow_step:
        imul    eax, dword ptr ss:[ebp+8]
        dec     ecx
        jnz     pow_step
pow_done:
        pop     ebp                         ; esp was never moved, nothing else to unwind
        ret
- end start