
p0wnBox Cracking Challenge#2

O H_T_P read me:


Welcome to the second challenge of pownBox....similar to the first one +
something more... :o)
Like the first challenge, this crackme asks for a serial. This write-up assumes you have the solution to p0wnBox Cracking Challenge#1 at hand: the serial check itself appears to be the same, what is new is the decryption stub that sits in front of it. The stub as dumped from 02280000 (addresses first, then opcode bytes and mnemonics):
02280000
02280002
02280004
02280009
0228000B
0228000D
0228000F
02280011
02280012
02280013
02280019
0228001B
0228001D
0228001F
02280020
02280021
02280026
0228002C
0228002E
02280030
02280033
02280035
02280037
02280038
02280039
0228003B
0228003D
02280040
02280043
02280049
0228004B
0228004D
0228004F
02280052
02280055
0228005B
0228005D
02280063
02280068
0228006A
0228006C
0228006E
02280071
02280074
02280076
02280078

; ---------------------------------------------------------------------------
; p0wnBox Challenge#2 decryption stub as dumped by OllyDbg from 02280000
; (one line of opcode bytes, one line of mnemonic; the addresses are listed
; separately above). It decrypts the 84h (132) bytes at 02280078..022800FB
; in place, in three layers, and then falls through into the decrypted code
; at 02280078:
;   layer 1 (02280009-0228002C): every byte XOR the byte at 022800FB (79h)
;   layer 2 (0228002E-0228005B): every dword XOR a key built from a checksum
;                                of the layer-1 bytes (anti-tampering: any
;                                change to the ciphertext changes the key)
;   layer 3 (0228005D-02280076): every dword XOR 79797979h, starting at a
;                                pointer derived from the last decrypted dword
; NOTE(review): ECX and EDX are only ever written through CL/DL in this stub;
; the checksum relies on their upper 24 bits being zero on entry.
; ---------------------------------------------------------------------------
33F6
XOR ESI,ESI                     ; ESI = 0, outer-loop counter (layer 1)
33FF
XOR EDI,EDI                     ; EDI = 0, inner-loop counter
B8 78002802
MOV EAX,2280078                 ; EAX -> start of the encrypted region
8BD8
MOV EBX,EAX                     ; EBX -> same
8A08
MOV CL,BYTE PTR DS:[EAX]        ; inner loop (0228000B): CL is reloaded on every pass,
8A13
MOV DL,BYTE PTR DS:[EBX]        ; so only the last pass survives: CL = [EAX] XOR [022800FB]
32CA
XOR CL,DL
43
INC EBX
47
INC EDI
81FF 84000000
CMP EDI,84                      ; 84h = 132 passes; EBX ends one past 022800FB
^ 7C F0
JL SHORT 0228000B
8808
MOV BYTE PTR DS:[EAX],CL        ; [EAX] ^= [022800FB] (79h) -- layer 1 for one byte
33FF
XOR EDI,EDI                     ; reset inner counter
40
INC EAX                         ; next byte
46
INC ESI
BB 78002802
MOV EBX,2280078                 ; EBX back to the start of the region
81FE 84000000
CMP ESI,84                      ; 84h = 132 bytes in the region
^ 7C DD
JL SHORT 0228000B               ; outer loop; ESI = 84h and EDI = 0 on exit
8BC3
MOV EAX,EBX                     ; checksum loop: EAX = 02280078
83EA 79
SUB EDX,79                      ; DL still holds the last byte read (79h at 022800FB) -> EDX = 0
8A08
MOV CL,BYTE PTR DS:[EAX]        ; loop (02280033): sum the 84h layer-1 bytes into EDX
03D1
ADD EDX,ECX                     ; only CL was ever written -- see the NOTE above about ECX
40
INC EAX                         ; EAX = 022800FC on exit
4E
DEC ESI                         ; ESI counts 84h down to 0
85F6
TEST ESI,ESI
^ 75 F6
JNZ SHORT 02280033
C1E2 10
SHL EDX,10                      ; checksum (3E89h per the walkthrough) into the high word
66:09C2
OR DX,AX                        ; low word = AX = 00FCh -> 3E8900FCh
81F2 00ED5284
XOR EDX,8452ED00                ; layer-2 key: 3E8900FCh XOR 8452ED00h = BADBEDFCh
8B03
MOV EAX,DWORD PTR DS:[EBX]      ; loop (02280049): dword at [EBX], EBX = 02280078 at first
33C2
XOR EAX,EDX                     ; ^= BADBEDFCh
8903
MOV DWORD PTR DS:[EBX],EAX      ; written back in place
83C7 04
ADD EDI,4                       ; EDI: 0 .. 84h in steps of 4 (33 dwords)
83C3 04
ADD EBX,4
81FF 84000000
CMP EDI,84
^ 7C EC
JL SHORT 02280049               ; on exit EAX = last decrypted dword, EDI = 84h
81F2 8594A2C3
XOR EDX,C3A29485                ; layer-3 key: BADBEDFCh XOR C3A29485h = 79797979h
2D 012606B8
SUB EAX,B8062601                ; pointer derived from the last layer-2 dword:
                                ; BA2E2679h - B8062601h = 02280078h (values from the dumps below);
                                ; a wrong layer-2 key therefore also derails this loop
8B18
MOV EBX,DWORD PTR DS:[EAX]      ; loop (02280068): dword at [EAX]
33DA
XOR EBX,EDX                     ; ^= 79797979h (cancels the 79h of layer 1)
8918
MOV DWORD PTR DS:[EAX],EBX
83EF 04
SUB EDI,4                       ; EDI counts 84h down to 0
83C0 04
ADD EAX,4
85FF
TEST EDI,EDI
^ 75 F0
JNZ SHORT 02280068              ; falls through into 02280078, by now decrypted
CD 2D
INT 2D                          ; not a real INT 2D: CD 2D is the still-encrypted first dword
                                ; at 02280078 (CD2DEA61 in the dump below), which decrypts to
                                ; 31C0 = XOR EAX,EAX

0228007A
EA 61CD3F62 4503 JMP FAR 0345:623FCD61
02280081
12248B
ADC AH,BYTE PTR DS:[EBX+ECX*4]
02280084
03D3
ADD EDX,EBX
02280086
50
PUSH EAX
02280087
EE
OUT DX,AL
02280088
D351 E5
RCL DWORD PTR DS:[ECX-1B],CL
0228008B
31EE
XOR ESI,EBP
0228008D
D350 FE
RCL DWORD PTR DS:[EAX-2],CL
02280090
D32D E530E4EC
SHR DWORD PTR DS:[ECE430E5],CL
02280096
01FA
ADD EDX,EDI
02280098
7C 16
JL SHORT 022800B0
0228009A
DBCF
FCMOVNE ST,ST(7)
0228009C
09648E 7E
OR DWORD PTR DS:[ESI+ECX*4+7E],ESP
022800A0 ^ 7D 90
JGE SHORT 02280032
022800A2
1F
POP DS
022800A3
FC
CLD
022800A4
F6ED
IMUL CH
022800A6
DBCF
FCMOVNE ST,ST(7)
022800A8
D866 8E
FSUB DWORD PTR DS:[ESI-72]
022800AB
6E
OUTS DX,BYTE PTR ES:[EDI]
022800AC
75 78
JNZ SHORT 02280126
022800AE
9B
WAIT
022800AF
45
INC EBP
022800B0
0312
ADD EDX,DWORD PTR DS:[EDX]
022800B2
50
PUSH EAX
022800B3
F72C64
IMUL DWORD PTR SS:[ESP]
pownBox_.00401CB9
022800B6
56
PUSH ESI
022800B7
8603
XCHG BYTE PTR DS:[EBX],AL
022800B9
1224D0
ADC AH,BYTE PTR DS:[EAX+EDX*8]
022800BC
CC
INT3
022800BD
12AE 6A03980F
ADC CH,BYTE PTR DS:[ESI+F98036A]
022800C3
D0FC
SAR AH,1
022800C5
12CE
ADC CL,DH
022800C7
BA 70A4DB51
MOV EDX,51DBA470
022800CC
DE66 9E
FISUB WORD PTR DS:[ESI-62]
022800CF
76 75
JBE SHORT 02280146
022800D1
68 E3450312
PUSH 120345E3
022800D6
50
PUSH EAX
022800D7
EF
OUT DX,EAX
022800D8
34 64
XOR AL,64
022800DA
4E
DEC ESI
022800DB
8E03
MOV ES,WORD PTR DS:[EBX]
022800DD
1224D0
ADC AH,BYTE PTR DS:[EAX+EDX*8]
022800E0
EC
IN AL,DX
022800E1
12AE 72039817
ADC CH,BYTE PTR DS:[ESI+17980372]
022800E7
D0FC
SAR AH,1
022800E9
12CE
ADC CL,DH
022800EB
BA 70A4DB31
MOV EDX,31DBA470
022800F0
B1 35
MOV CL,35
022800F2
BF 33F1EDDB
MOV EDI,DBEDF133
022800F7
BA FCB28C79
MOV EDX,798CB2FC
Walkthrough of the 1st layer:

02280000  33F6           XOR ESI,ESI               ; ESI = 0, outer-loop counter
02280002  33FF           XOR EDI,EDI               ; EDI = 0, inner-loop counter
02280004  B8 78002802    MOV EAX,2280078           ; EAX = start of the encrypted region
02280009  8BD8           MOV EBX,EAX               ; EBX = 2280078 as well
0228000B  8A08           MOV CL,BYTE PTR DS:[EAX]  ; CL = byte at [EAX]
0228000D  8A13           MOV DL,BYTE PTR DS:[EBX]  ; DL = byte at [EBX]
0228000F  32CA           XOR CL,DL                 ; CL = CL XOR DL
02280011  43             INC EBX                   ; next source byte
02280012  47             INC EDI                   ; inner counter
02280013  81FF 84000000  CMP EDI,84                ; 84h = 132 passes
02280019  7C F0          JL SHORT 0228000B         ; inner loop back to 0228000B
0228001B  8808           MOV BYTE PTR DS:[EAX],CL  ; store CL -- the result of the LAST pass only -- at [EAX]
0228001D  33FF           XOR EDI,EDI               ; reset the inner counter
0228001F  40             INC EAX                   ; next target byte
02280020  46             INC ESI                   ; outer counter
02280021  BB 78002802    MOV EBX,2280078           ; EBX back to the start of the region
02280026  81FE 84000000  CMP ESI,84                ; 84h = 132 bytes (note: ESI here, not EDI)
0228002C  7C DD          JL SHORT 0228000B         ; outer loop back to 0228000B

How the 1st layer works: EAX and EBX both start at VA 2280078. On every pass of the inner loop (0228000B-02280019) CL is reloaded from [EAX] and DL from [EBX] before the XOR, so all earlier passes are thrown away and only the last one counts: when the inner loop exits after 84h passes, EBX has just read VA 22800FB and CL = [EAX] XOR [22800FB]. The byte at VA 22800FB is 79h, so the store at 0228001B writes [EAX] XOR 79h back to [EAX]. The outer loop then moves EAX to VA 2280079, resets EBX to VA 2280078 and repeats, so every byte from VA 2280078 to VA 22800FB is XORed with 79h (the last byte, XORed with itself, becomes 00h). The 84h x 84h inner passes are wasted work whose only purpose is to hide this simple relation.
Dump of the region when execution reaches 0228002E, i.e. after the 1st layer (the first bytes, B4 54, are CD 2D XOR 79h):
02280078
0228007A
0228007B
02280082
02280083
02280084
02280086
0228008C
0228008D
0228008E
02280094
02280095

B4 54
MOV AH,54
93
XCHG EAX,EBX
18B446 1B3C7A6B SBB BYTE PTR DS:[ESI+EAX*2+6B7A3C1B],DH
5D
POP EBP
F2:
PREFIX REPNE:
7A AA
JPE SHORT 02280030
2997 AA289C48
SUB DWORD PTR DS:[EDI+489C28AA],EDX
97
XCHG EAX,EDI
AA
STOS BYTE PTR ES:[EDI]
2987 AA549C49
SUB DWORD PTR DS:[EDI+499C54AA],EAX
9D
POPFD
95
XCHG EAX,EBP

02280096
02280098
0228009D
022800A2
022800A9
022800AA
022800AC
022800AE
022800B0
022800B2
022800B8
022800BA
022800BB
022800C0
022800C2
022800C4
022800C7
022800C8
022800CA
022800CF
022800D1
022800D7
022800D8
022800D9
022800DE
022800DF
022800E4
022800E6
022800E7
022800EC
022800EE
022800F3
022800F4
022800FB

^ 78 83
JS SHORT 0228001B
05 6FA2B670
ADD EAX,70B6A26F
1D F70704E9
SBB EAX,E90407F7
66:858F 94A2B6A1 TEST WORD PTR DS:[EDI+A1B6A294],CX
1F
POP DS
F717
NOT DWORD PTR DS:[EDI]
0C 01
OR AL,1
E2 3C
LOOPD SHORT 022800EC
7A 6B
JPE SHORT 0228011D
298E 551D2FFF
SUB DWORD PTR DS:[ESI+FF2F1D55],ECX
7A 6B
JPE SHORT 02280125
5D
POP EBP
A9 B56BD713
TEST EAX,13D76BB5
7A E1
JPE SHORT 022800A3
^ 76 A9
JBE SHORT 0228006D
856B B7
TEST DWORD PTR DS:[EBX-49],EBP
C3
RETN
09DD
OR EBP,EBX
A2 28A71FE7
MOV BYTE PTR DS:[E71FA728],AL
0F0C
???
119A 3C7A6B29
ADC DWORD PTR DS:[EDX+296B7A3C],EBX
96
XCHG EAX,ESI
4D
DEC EBP
1D 37F77A6B
SBB EAX,6B7AF737
5D
POP EBP
A9 956BD70B
TEST EAX,0BD76B95
7A E1
JPE SHORT 022800C7
6E
OUTS DX,BYTE PTR ES:[EDI]
A9 856BB7C3
TEST EAX,C3B76B85
09DD
OR EBP,EBX
A2 48C84CC6
MOV BYTE PTR DS:[C64CC848],AL
4A
DEC EDX
8894A2 C385CBF5 MOV BYTE PTR DS:[EDX+F5CB85C3],DL
0000
ADD BYTE PTR DS:[EAX],AL

Checksum loop:

0228002E  8BC3     MOV EAX,EBX              ; EAX = EBX = 2280078, start of the region
02280030  83EA 79  SUB EDX,79               ; DL still holds the last byte read (79h, from 22800FB), so EDX = 79h - 79h = 0 -- assuming the upper bytes of EDX were already 0
02280033  8A08     MOV CL,BYTE PTR DS:[EAX] ; CL = next byte (as left by the 1st layer)
02280035  03D1     ADD EDX,ECX              ; accumulate into EDX (only CL is ever written in the stub; the upper bytes of ECX are assumed to be 0)
02280037  40       INC EAX                  ; next byte
02280038  4E       DEC ESI                  ; ESI is 84h after the outer loop and counts down to 0
02280039  85F6     TEST ESI,ESI
0228003B  75 F6    JNZ SHORT 02280033       ; loop until ESI = 0

The loop sums the 84h (132) bytes from VA 2280078 to VA 22800FB into EDX; the result is 3E89h.

Decryption loop (2nd layer):

0228003D  C1E2 10        SHL EDX,10                  ; checksum into the high word: EDX = 3E890000
02280040  66:09C2        OR DX,AX                    ; AX = 00FC (EAX stopped at 22800FC): EDX = 3E8900FC
02280043  81F2 00ED5284  XOR EDX,8452ED00            ; key: 3E8900FC XOR 8452ED00 = BADBEDFC
02280049  8B03           MOV EAX,DWORD PTR DS:[EBX]  ; load 4 bytes from [EBX] (EBX = 2280078 at first -- note it is the region itself)
0228004B  33C2           XOR EAX,EDX                 ; XOR with BADBEDFC
0228004D  8903           MOV DWORD PTR DS:[EBX],EAX  ; write the 4 bytes back in place
0228004F  83C7 04        ADD EDI,4                   ; EDI was reset to 0 by the last outer pass of the 1st layer
02280052  83C3 04        ADD EBX,4                   ; next dword
02280055  81FF 84000000  CMP EDI,84                  ; 84h bytes = 33 dwords
0228005B  7C EC          JL SHORT 02280049           ; loop

This loop is the anti-tampering layer. The bytes from VA 2280078 to VA 22800FB (as left by the 1st layer) were summed to 3E89h; shifted into the high word and ORed with the low word of EAX (00FCh, since EAX stopped at 22800FC) this gives 3E8900FCh, and XOR 8452ED00h turns it into the key BADBEDFCh. Every dword from VA 02280078 to VA 022800FB is then XORed with BADBEDFCh in place. Because the key is derived from the ciphertext itself, changing any byte of the encrypted region changes the checksum and therefore the key, and the whole region decrypts to garbage -- this is what makes a naive patch of the encrypted bytes fail.
Dump of the region when execution reaches 0228005D, i.e. after the 2nd layer:
02280078
02280079
0228007E
02280085
02280086
02280087
0228008C
02280090
02280091
02280096
0228009B
0228009D
022800A0
022800A1
022800A3
022800A4
022800A6
022800A8
022800A9
022800AA
022800AC
022800AE
022800B4
022800B9
022800BF
022800C4
022800C6
022800C7
022800C9
022800CC
022800CD
022800CE
022800D0
022800D2
022800D3

48
DEC EAX
B9 48A248AB
MOV ECX,AB48A248
C086 86868648 86 ROL BYTE PTR DS:[ESI+48868686],86
47
INC EDI
F2:
PREFIX REPNE:
2D 56C547F2
SUB EAX,F247C556
6B47 F2 3D
IMUL EAX,DWORD PTR DS:[EDI-E],3D
56
PUSH ESI
B9 47F36178
MOV ECX,7861F347
A3 39F98279
MOV DWORD PTR DS:[7982F939],EAX
0C 8C
OR AL,8C
F0:2C BD
LOCK SUB AL,0BD
F8
CLC
04 BD
ADD AL,0BD
3F
AAS
73 79
JNB SHORT 0228011F
79 0C
JNS SHORT 022800B4
5D
POP EBP
F2:
PREFIX REPNE:
2C AD
SUB AL,0AD
F0:EC
LOCK IN AL,DX
3986 8686F234
CMP DWORD PTR DS:[ESI+34F28686],EAX
A9 F0F44586
TEST EAX,8645F4F0
8686 1349860C
XCHG BYTE PTR DS:[ESI+C864913],AL
A9 860CAD13
TEST EAX,13AD0C86
^ 79 86
JNS SHORT 0228004C
6C
INS BYTE PTR ES:[EDI],DX
^ 79 F5
JNS SHORT 022800BE
3079 92
XOR BYTE PTR DS:[ECX-6E],BH
5B
POP EBX
F2:
PREFIX REPNE:
3C B5
CMP AL,0B5
F0:FC
LOCK CLD
41
INC ECX
8686 86F22CB1
XCHG BYTE PTR DS:[ESI+B12CF286],AL

022800D9
022800DB
022800DC
022800E2
022800E4
022800EB
022800ED
022800F0
022800F2
022800F7
022800F9
022800FA

F0:EC
LOCK IN AL,DX
4D
DEC EBP
8686 86136986
XCHG BYTE PTR DS:[ESI+86691386],AL
0C B1
OR AL,0B1
860CB5 1379866C XCHG BYTE PTR DS:[ESI*4+6C867913],CL
^ 79 F5
JNS SHORT 022800E2
3079 F2
XOR BYTE PTR DS:[ECX-E],BH
34 A1
XOR AL,0A1
1D F0747979
SBB EAX,797974F0
79 79
JNS SHORT 02280172
26:
PREFIX ES:
2E:BA 00000000
MOV EDX,0

Decryption loop (3rd layer):

0228005D  81F2 8594A2C3  XOR EDX,C3A29485            ; BADBEDFC XOR C3A29485 = 79797979
02280063  2D 012606B8    SUB EAX,B8062601            ; EAX holds the last dword written by the 2nd layer (BA2E2679h); minus B8062601h = 2280078h, the start of the region
02280068  8B18           MOV EBX,DWORD PTR DS:[EAX]  ; load 4 bytes from [EAX]
0228006A  33DA           XOR EBX,EDX                 ; XOR with 79797979
0228006C  8918           MOV DWORD PTR DS:[EAX],EBX  ; write the 4 bytes back in place
0228006E  83EF 04        SUB EDI,4                   ; EDI is 84h after the 2nd layer and counts down
02280071  83C0 04        ADD EAX,4                   ; next dword
02280074  85FF           TEST EDI,EDI
02280076  75 F0          JNZ SHORT 02280068          ; loop until EDI = 0

Every dword from VA 02280078 to VA 022800FB is XORed with 79797979h in place, and execution then falls through into 02280078, which is by now decrypted. Note that the pointer used by this layer is computed from data produced by the previous layer, so a wrong 2nd-layer key also derails this loop.
Dump of the region after the 3rd layer, with execution at 02280078 (the first bytes, 31C0 31DB, are now the XOR EAX,EAX / XOR EBX,EBX of the decrypted serial check):
02280078
0228007A
0228007C
0228007E
02280083
02280085
0228008A
0228008D
02280092
02280095
02280097
02280098
0228009B
0228009D
022800A0
022800A7
022800A9
022800AC
022800B2
022800B5
022800BB
022800BD
022800C0
022800C3
022800C5

; ---------------------------------------------------------------------------
; Decrypted code at 02280078 (what the three layers leave behind): the serial
; check. The 3E: prefixes are redundant DS segment overrides. It adds up the
; bytes of a NUL-terminated string and compares the sum with 0A46h.
; NOTE(review): the check is a plain additive sum, so every string whose byte
; sum (plus the initial EDX) is 0A46h is accepted -- a keygen needs no patch.
; ---------------------------------------------------------------------------
31C0
XOR EAX,EAX
31DB
XOR EBX,EBX                     ; EBX = 0 so that the BL loads below are zero-extended in EBX
31D2
XOR EDX,EDX
B9 FFFFFFFF
MOV ECX,-1                      ; never read before ECX is overwritten below
31FF
XOR EDI,EDI                     ; EDI = 0, only used as a (zero) index into the frame
3E:8B542F BC
MOV EDX,DWORD PTR DS:[EDI+EBP-44] ; pointer taken from the caller's frame (EBP is not set up in this code)
3E:8B12
MOV EDX,DWORD PTR DS:[EDX]      ; initial value of the sum -- what it points to is not visible in this dump
3E:8B442F C0
MOV EAX,DWORD PTR DS:[EDI+EBP-40] ; EAX -> the string to be summed (presumably the entered serial)
3E:8A18
MOV BL,BYTE PTR DS:[EAX]        ; loop (02280092): one byte at a time ...
01DA
ADD EDX,EBX                     ; ... added to EDX
40
INC EAX
80FB 00
CMP BL,0                        ; until the terminating 00 (which is added too, harmlessly)
^ 75 F5
JNZ SHORT 02280092
8955 C4
MOV DWORD PTR SS:[EBP-3C],EDX   ; store the sum
817D C4 460A0000 CMP DWORD PTR SS:[EBP-3C],0A46 ; the serial is good iff the sum is 0A46h
75 24
JNZ SHORT 022800CD              ; bad serial -> 022800CD; this byte pair (75 24) is what the patch turns into 90 90
8B55 D4
MOV EDX,DWORD PTR SS:[EBP-2C    ; (closing bracket lost in the dump) good path: arguments for the message
8995 40FFFFFF
MOV DWORD PTR SS:[EBP-C0],EDX
8B4D D0
MOV ECX,DWORD PTR SS:[EBP-30]
898D 3CFFFFFF
MOV DWORD PTR SS:[EBP-C4],ECX
6A 30
PUSH 30                         ; 4 arguments pushed right to left: 30h, [EBP-30], [EBP-2C], 0
FF75 D0
PUSH DWORD PTR SS:[EBP-30]
FF75 D4
PUSH DWORD PTR SS:[EBP-2C]
6A 00
PUSH 0
FF15 008C4900
CALL DWORD PTR DS:[498C00]      ; call through an import pointer; a MessageBox-style
                                ; (hwnd, text, caption, flags) call is likely but not confirmed here

022800CB
022800CD
022800D0
022800D6
022800D9
022800DF
022800E1
022800E4
022800E7
022800E9
022800EF
022800F2
022800F9
022800FA
022800FB

EB 22
JMP SHORT 022800EF              ; good path: skip the failure message below
8B45 CC
MOV EAX,DWORD PTR SS:[EBP-34]   ; 022800CD: bad-serial path, target of the JNZ at 022800A7
8985 38FFFFFF
MOV DWORD PTR SS:[EBP-C8],EAX
8B55 C8
MOV EDX,DWORD PTR SS:[EBP-38]
8995 34FFFFFF
MOV DWORD PTR SS:[EBP-CC],EDX
6A 10
PUSH 10                         ; same 4-argument call as on the good path, with 10h and other text/caption slots
FF75 C8
PUSH DWORD PTR SS:[EBP-38]
FF75 CC
PUSH DWORD PTR SS:[EBP-34]
6A 00
PUSH 0
FF15 008C4900
CALL DWORD PTR DS:[498C00]
8B4D D8
MOV ECX,DWORD PTR SS:[EBP-28]   ; 022800EF: both paths join here
64:890D 00000000 MOV DWORD PTR FS:[0],ECX ; a saved value is written back to FS:[0] (the SEH chain head on Win32); how it got into the frame is outside this dump
5F
POP EDI
57
PUSH EDI                        ; POP/PUSH leave the stack as it was; EDI now holds the return address
C3
RETN                            ; the decrypted region ends here (022800FB)

The decrypted code is the serial check, apparently the same one as in p0wnBox Cracking Challenge#1, so the patch from that solution would be:

022800A7  75 24  JNZ SHORT 022800CD   ->  75 00 (or 90 90)

The problem: these bytes only exist in memory after the decryption, and the 2nd-layer key is a checksum of the encrypted bytes, so simply patching the encrypted bytes breaks the decryption. How do we patch, then? Let's look at the decryption more closely.

Decryption. First column: the decrypted bytes from 02280078, 4 per row; second column: the original encrypted bytes. (The two columns are printed one after the other for the first 100 bytes and side by side for the last 32.)

31C031DB
31D2B9FF
FFFFFF31
FF3E8B54
2FBC3E8B
123E8B44
2FC03E8A
1801DA40
80FB0075
F58955C4
817DC446
0A000075
248B55D4
899540FF
FFFF8B4D
D0898D3C
FFFFFF6A
30FF75D0
FF75D46A
00FF1500
8C4900EB
228B45CC
898538FF
FFFF8B55
C8899534

CD2DEA61
CD3F6245
0312248B
03D350EE
D351E531
EED350FE
D32DE530
E4EC01FA
7C16DBCF
09648E7E
7D901FFC
F6EDDBCF
D8668E6E
75789B45
031250F7
2C645686
031224D0
CC12AE6A
03980FD0
FC12CEBA
70A4DB51
DE669E76
7568E345
031250EF
34644E8E

FFFFFF6A 031224D0
10FF75C8 EC12AE72
FF75CC6A 039817D0
00FF1500 FC12CEBA
8C49008B 70A4DB31
4DD86489 B135BF33
0D000000 F1EDDBBA
005F57C3 FCB28C79
Summary of the decryption:
1st layer: every byte from 02280078 to 022800FB is XORed with the byte at 022800FB (79h). The nested loops perform 84h x 84h = 132 x 132 = 17,424 byte XORs, but only the last pass of each inner loop is stored.
2nd layer: every dword in the range is XORed with BADBEDFCh, a key derived from the checksum of the 1st-layer bytes.
3rd layer: every dword is XORed with 79797979h.
Since A xor B xor C xor B = A xor C, the 1st and 3rd layers cancel each other: the plaintext is simply the on-disk bytes XOR BADBEDFCh, and the 79h only matters inside the checksum.
So take the two on-disk dwords that decrypt to the JNZ and XOR them with BADBEDFCh (byte order in memory: FC ED DB BA):

F6 ED DB CF
FC ED DB BA  xor
-----------
0A 00 00 75

D8 66 8E 6E
FC ED DB BA  xor
-----------
24 8B 55 D4

The last byte of the first dword (CF) decrypts to the 75h of the JNZ, the first byte of the second dword (D8) to its displacement 24h.

XOR is its own inverse: if A xor B = C then C xor B = A and A xor C = B. To get 90 90 (two NOPs) instead of 75 24 we need new on-disk bytes XX and YY with
XX xor BA = 90  =>  XX = BA xor 90 = 2A
YY xor FC = 90  =>  YY = FC xor 90 = 6C
i.e. replace CF with 2A and D8 with 6C. That alone is not enough: the checksum computed by the loop at 02280033 no longer comes out as 3E89h, so the 2nd-layer key changes and the whole region decrypts to garbage. The checksum is computed over the bytes after the 1st layer, i.e. over the on-disk bytes XOR 79h, so the contribution of the old and the new bytes to it is:

Old bytes (XOR 79h):
CF xor 79 = B6
D8 xor 79 = A1
+
157h

New bytes (XOR 79h):
2 xor 79 = 53
6C xor 79 = 15
+
68h

157h - 68h = EFh


The checksum must still come out as 3E89h, so the EFh the new bytes take away has to be added back somewhere. The place is the instruction that initializes EDX (DL holds 79h at that point) right before the summing loop:

02280030  83EA 79  SUB EDX,79

Replacing it with an ADD of the same length:

02280030  83C2 76  ADD EDX,76    (79h + 76h = EFh)

starts the sum at EFh instead of 0, so the loop again ends at 3E89h and the key stays BADBEDFCh.

One more thing: the 0228xxxx addresses are inside a range allocated at run time, so patching there would not survive a restart. The patch has to go into the process image (and from there into the file), at the places the stub and the encrypted bytes are presumably copied from. Locating them with the same method as in the solution to p0wnBox Cracking Challenge#1, the corresponding VAs in the image are:

004911CC

83C2 76

00491242

DB2A

00491244

6C

ADD EDX,76
FLD TBYTE PTR DS:[EDX]
INS BYTE PTR ES:[EDI],DX

H_T_P !!!
Solution by tazoulinis
tazoulinis@yahoo.gr
