MD5 CrackFAST is a program for recovering the original string behind an MD5 hash. The recovery is done by brute force, without precomputed tables, so for long strings you can forget about a positive result straight away. On top of that, the unregistered version imposes a compulsory restriction: only strings of no more than 3 characters will be recovered.
For some reason all mention of this program has been removed from the official site, and there are no download links there either. I found mirrors on various FTP sites, but some of them carry broken installers. Here is a link to the correct distribution kit.
The main executable is packed with stock UPX, so UPX itself will unpack it (upx -d), or you can use any other unpacker if you prefer. Load the unpacked file into the disassembler; the file is small, so analysis will not take long. On start the program reports in its log window that it is not registered. If you enter arbitrary registration data, an incorrect-registration message appears:
The message string is easily detected in the executable file:
Now let’s take a look in the disassembler listing at the conditions under which the messages about correct or incorrect registration appear:
.text:0040C20F call    sub_40BA80
.text:0040C214 mov     eax, [esp+6Ch+var_14]
.text:0040C218 mov     [esp+6Ch+var_68], eax ; char *
.text:0040C21C mov     eax, [esp+6Ch+var_18]
.text:0040C220 mov     [esp+6Ch+var_6C], eax ; char *
; Check of the entered data
.text:0040C223 call    sub_40CAA0
; EAX=1: registration successful
.text:0040C228 cmp     eax, 1
.text:0040C22B mov     edi, eax
.text:0040C22D jz      loc_40C3DB
; Registration data entered incorrectly
.text:0040C233 mov     eax, [esp+6Ch+var_18]
.text:0040C237 test    eax, eax
.text:0040C239 jnz     loc_40C5C7
.text:0040C23F mov     eax, [esp+6Ch+var_14]
.text:0040C243 xor     esi, esi
.text:0040C245 mov     [esp+6Ch+var_18], esi
.text:0040C249 test    eax, eax
.text:0040C24B jnz     loc_40C5E1
.text:0040C251 loc_40C251:
.text:0040C251 xor     ebx, ebx
.text:0040C253 mov     [esp+6Ch+var_14], ebx
.text:0040C257 loc_40C257:
.text:0040C257 test    edi, edi
.text:0040C259 jnz     loc_40C2E7
.text:0040C25F mov     [esp+6Ch+var_6C], offset aInvalidNameKey ; "Invalid name/key. Please try again."
.text:0040C266 call    g_strdup_printf
.text:0040C26B loc_40C26B:
.text:0040C26B mov     ebx, eax
.text:0040C26D call    gtk_window_get_type
.text:0040C272 mov     [esp+6Ch+var_68], eax
.text:0040C276 mov     esi, 2
.text:0040C27B mov     [esp+6Ch+var_6C], ebp
.text:0040C27E call    g_type_check_instance_cast
.text:0040C283 mov     [esp+6Ch+var_6C], eax
.text:0040C286 cmp     edi, 1
.text:0040C289 mov     edx, 1
Now let’s look at the function that checks the registration name and serial number. It is small, so I give its full text and comment on the most important parts of the code:
The first thing we learn from the check function is that the serial number must be at least 24 characters long. Perfect. Restart the program under the debugger and try to register it with the pair ManHunter / PCL and an arbitrary serial of the right length, say 123456789012345678901234. Stepping through, we pass the length check, but at address 0040CAE7 another check function is called, which receives the registration name, and based on its result execution jumps to the incorrect-registration message. What is it? Tracing into it, we find that the entered registration name is compared against an internal blacklist. As you can easily see, ManHunter / PCL is at the top of this list. The thing is, I already released this program to the public a few years ago.
Next on the list is the domestic team REVENGE CREW, which also published a release of MD5 CrackFAST. A blacklist is a natural reaction to warez, but it has no practical value. I’m not proud; I won’t balk at registering under another name.
Restart the program once more and repeat the registration with the arbitrary serial number, but this time use Perm Crack Laboratory as the registration name. Stepping through, we reach the string comparison function at address 0040CB59, and before it executes we see the following picture in the registers:
This is the arbitrary serial number we entered and the string of the same length it is compared with. As you have already guessed, that string is the correct serial number. Save it somewhere in a notepad, then restart the program and open the registration window again. This time the registration pair is Perm Crack Laboratory and 8RBX4T5S8CCYC9DA4890123A.
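The weakness exploited above is the derive-then-compare pattern: the program computes the correct serial for the entered name and then hands both strings to a plain string comparison, so a breakpoint on that comparison reveals the key, and the name blacklist does nothing once a different name is used. The following Python model of that check flow is an added example written for this page, not code from MD5 CrackFAST: the 24-character minimum, the dummy serial and the blacklisted names come from the write-up, while the serial derivation (first 24 hex digits of the MD5 of the name) and the on_compare hook that stands in for the debugger breakpoint are assumptions.

```python
import hashlib

# Values taken from the write-up: the check requires a serial of at least
# 24 characters and rejects names found on an internal blacklist.
MIN_SERIAL_LEN = 24
BLACKLIST = ("ManHunter / PCL", "REVENGE CREW")
DUMMY_SERIAL = "123456789012345678901234"  # 24 chars, passes the length check


def expected_serial(name: str) -> str:
    """HYPOTHETICAL derivation: the real algorithm is not shown on the page.
    Any name-to-serial function has the same weakness as long as its
    result is compared to user input in the clear."""
    return hashlib.md5(name.encode("utf-8")).hexdigest().upper()[:MIN_SERIAL_LEN]


def check_registration(name: str, serial: str, on_compare=None) -> bool:
    """Models the flow seen in the disassembly: length check, blacklist
    check, then a string comparison of the entered serial against the one
    the program computed. `on_compare` stands in for a debugger breakpoint
    on the comparison call (the registers at 0040CB59 in the write-up)."""
    if len(serial) < MIN_SERIAL_LEN:
        return False
    if name in BLACKLIST:
        return False
    correct = expected_serial(name)
    if on_compare is not None:
        on_compare(serial, correct)  # what the debugger sees before strcmp
    return serial == correct


def harvest_serial(name: str):
    """Register with a dummy serial of valid length, 'break' on the compare
    and read the second operand. Returns None if the flow never reaches the
    comparison (for example because the name is blacklisted)."""
    captured = {}

    def breakpoint_on_compare(entered: str, correct: str) -> None:
        captured["correct"] = correct

    check_registration(name, DUMMY_SERIAL, on_compare=breakpoint_on_compare)
    return captured.get("correct")


if __name__ == "__main__":
    for name in ("ManHunter / PCL", "Perm Crack Laboratory"):
        key = harvest_serial(name)
        status = check_registration(name, key or "")
        print(f"{name!r}: harvested {key!r}, registers as {status}")
```

Note that the blacklist only blocks the names it knows: the blacklisted name never reaches the comparison, so nothing is harvested for it, but any other name yields its serial on the first attempt.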
The program thanks you for your purchase (ha ha, three times), so the registration data were accepted. To be sure, restart the program and try to recover some simple hash, for example of a string 4 characters long.
In the unregistered version such a string would not be recovered, but here it was found, and quickly, in under a second. Thus the protection has been neutralized. And thank you for the blacklist; it gave me a good laugh.
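To see why a 4-character string falls in under a second while long strings are hopeless without tables, here is a plain brute-force MD5 recovery in Python, written for this page as an added example (not the CrackFAST code, whose candidate order and alphabet are not documented here). The 36-symbol character set is an assumption, the target hashes are constructed test vectors, and keyspace() shows how the candidate count grows with length.

```python
import hashlib
import itertools
import string
import time

# Assumed alphabet; CrackFAST's own character set is not documented on the page.
CHARSET = string.ascii_lowercase + string.digits  # 36 symbols


def keyspace(charset: str, max_len: int) -> int:
    """Number of candidates of length 1..max_len; grows as |charset|**n."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def crack_md5(target_hex: str, charset: str = CHARSET, max_len: int = 4):
    """Plain brute force, no precomputed tables: hash every candidate of
    length 1..max_len in lexicographic order and stop at the first match.
    Returns (recovered_string_or_None, number_of_candidates_tried)."""
    target = bytes.fromhex(target_hex)
    alphabet = charset.encode("ascii")
    tried = 0
    for length in range(1, max_len + 1):
        for candidate in itertools.product(alphabet, repeat=length):
            tried += 1
            word = bytes(candidate)
            if hashlib.md5(word).digest() == target:
                return word.decode("ascii"), tried
    return None, tried


def worst_case_seconds(charset: str, max_len: int, rate: float) -> float:
    """Time to exhaust every length up to max_len at `rate` hashes per second."""
    return keyspace(charset, max_len) / rate


if __name__ == "__main__":
    # Constructed target: md5("test")
    target = "098f6bcd4621d373cade4e832627b4f6"
    t0 = time.perf_counter()
    found, tried = crack_md5(target)
    elapsed = time.perf_counter() - t0
    rate = tried / elapsed if elapsed else float("inf")
    print(f"recovered {found!r} after {tried:,d} hashes in {elapsed:.2f}s "
          f"({rate:,.0f} hashes/s)")
    for n in (4, 6, 8, 10):
        print(f"len<={n}: {keyspace(CHARSET, n):>20,d} candidates, "
              f"worst case {worst_case_seconds(CHARSET, n, rate):,.0f}s at this rate")
```

Each extra character multiplies the keyspace by the alphabet size, so the same loop that finishes a 4-character string in about a second would need on the order of years for 8 characters at pure-Python speed; this is the limitation the program's own description points at.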
Author: ManHunter Source: manhunter.ru