OsandaMalith/keygen.nasm

## keygen.nasm
%if 0
 * Title: Rootme ELF - No software breakpoints Cracking Challenge
 * Author: Osanda Malith (@OsandaMalith)
 * Website: http://osandamalith.wordpress.com
%endif

extern printf
extern exit

	global main

section .bss

	password resb 26

section .data

	fmt_checksum	db	"[+] Checksum: %x",0xa,0xa,0
	fmt_serial	db	"[+] Serial is: %s",0xa,0xa,0

	banner:
	db 0x9,"------------------------------------------------------------",0xa
	db 0x9,"[~] Rootme No software breakpoints Cracking Challenge",0xa
	db 0x9,"[~] Author: Osanda Malith (@OsandaMalith)",0xa
	db 0x9,"[~] Website: http://osandamalith.wordpress.com",0xa
	db 0x9,"------------------------------------------------------------",0xa,0xa,0

	shellcode:

	db       0xb8,0x04,0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00
	db       0xb9,0xa1,0x91,0x04,0x08,0xba,0x26,0x00,0x00,0x00
	db       0xcd,0x80,0xb8,0x03,0x00,0x00,0x00,0x31,0xdb,0xb9
	db       0x88,0x91,0x04,0x08,0xba,0x33,0x00,0x00,0x00,0xcd
	db       0x80,0x31,0xc9,0xb8,0x80,0x80,0x04,0x08,0xbb,0x23
	db       0x81,0x04,0x08,0xe8,0x5b,0x00,0x00,0x00,0x89,0xca
	db       0xb9,0x19,0x00,0x00,0x00,0xb8,0x55,0x91,0x04,0x08
	db       0xbb,0x88,0x91,0x04,0x08,0xd1,0xca,0x8a,0x44,0x08
	db       0xff,0x8a,0x5c,0x0b,0xff,0x30,0xd8,0x30,0xd0,0x75
	db       0x1b,0x49,0x75,0xe3,0xb8,0x04,0x00,0x00,0x00,0xbb
	db       0x01,0x00,0x00,0x00,0xb9,0x24,0x91,0x04,0x08,0xba
	db       0x26,0x00,0x00,0x00,0xcd,0x80,0xeb,0x16,0xb8,0x04
	db       0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00,0xb9,0x4a
	db       0x91,0x04,0x08,0xba,0x0b,0x00,0x00,0x00,0xcd,0x80
	db       0xb8,0x01,0x00,0x00,0x00,0x31,0xdb,0xcd,0x80,0x29
	db       0xc3,0x31,0xc9,0x02,0x08,0xc1,0xc1,0x03,0x40,0x4b
	db       0x75,0xf7,0xc3

	shellcode_len equ $-shellcode

	key_bytes:

	db		0x1e, 0xcd, 0x2a, 0xd5, 0x34, 0x87, 0xfc, 0x78
	db		0x64, 0x35, 0x9d, 0xec, 0xde, 0x15, 0xac, 0x97
	db		0x99, 0xaf, 0x96, 0xda, 0x79, 0x26, 0x4f, 0x32
	db		0xe0

	keybytes_len equ $-key_bytes


section .text

main:
		push banner	; push the banner label
		call printf	; display banner
		add esp, 0x4 	; realign the stack

		lea esi, [shellcode]  		; load offset of shellcode
		mov ebx, shellcode_len		; mov the len of shellcode
		xor ecx, ecx		       	; Zero out ecx

;--------------------------------------------------------
; Calculate the Checksum
;--------------------------------------------------------

	_loop:
		add cl, [esi]	; add opcode to cl
		rol ecx, 0x3    ; Rotate left ecx by 3
		inc esi		; incremenet esi
		dec ebx		; decrement ebx
		jnz _loop    	; if ebx != 0 loop

		push ecx                ; push the result to stack
		push fmt_checksum       ; push the format string
		call printf             ; print it
		mov ebx, [esp+4]        ; mov the result from stack to ebx
		add esp, 0x8            ; Clear the stack

;--------------------------------------------------------
; Serial Routine
;--------------------------------------------------------

		xor eax, eax	        ; Zero out eax
		mov ecx, keybytes_len	; len of key bytes

	__loop:
		ror ebx, 1		        ; rotate right by 1 the checksum
		mov al, [key_bytes+ecx*1-0x1]	; mov byte by byte from keybyte to al in descending order

		xor al, bl		        ; XOR al by bl and store in al
		mov [password+ecx*1-0x1], al	; mov the result into our password array in descending order
		dec ecx			        ; decrement ecx
		jnz __Loop		        ; if (ecx != 0) loop

		push password			; push serial to stack
		push fmt_serial			; push the format string
		call printf			; Display serial
		add esp, 0x8 			; clear stack

;--------------------------------------------------------
; Exit gracefully
;--------------------------------------------------------

		push 1	  ; Push 1
		call exit ; Exit returning 1
	%if 0
	* Title: Rootme ELF - No software breakpoints Cracking Challenge
	* Author: Osanda Malith (@OsandaMalith)
	* Website: http://osandamalith.wordpress.com
	%endif

	extern printf
	extern exit

	global main

	section .bss

	password resb 26

	section .data

	fmt_checksum db "[+] Checksum: %x",0xa,0xa,0
	fmt_serial db "[+] Serial is: %s",0xa,0xa,0

	banner:
	db 0x9,"------------------------------------------------------------",0xa
	db 0x9,"[~] Rootme No software breakpoints Cracking Challenge",0xa
	db 0x9,"[~] Author: Osanda Malith (@OsandaMalith)",0xa
	db 0x9,"[~] Website: http://osandamalith.wordpress.com",0xa
	db 0x9,"------------------------------------------------------------",0xa,0xa,0

	shellcode:

	db 0xb8,0x04,0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00
	db 0xb9,0xa1,0x91,0x04,0x08,0xba,0x26,0x00,0x00,0x00
	db 0xcd,0x80,0xb8,0x03,0x00,0x00,0x00,0x31,0xdb,0xb9
	db 0x88,0x91,0x04,0x08,0xba,0x33,0x00,0x00,0x00,0xcd
	db 0x80,0x31,0xc9,0xb8,0x80,0x80,0x04,0x08,0xbb,0x23
	db 0x81,0x04,0x08,0xe8,0x5b,0x00,0x00,0x00,0x89,0xca
	db 0xb9,0x19,0x00,0x00,0x00,0xb8,0x55,0x91,0x04,0x08
	db 0xbb,0x88,0x91,0x04,0x08,0xd1,0xca,0x8a,0x44,0x08
	db 0xff,0x8a,0x5c,0x0b,0xff,0x30,0xd8,0x30,0xd0,0x75
	db 0x1b,0x49,0x75,0xe3,0xb8,0x04,0x00,0x00,0x00,0xbb
	db 0x01,0x00,0x00,0x00,0xb9,0x24,0x91,0x04,0x08,0xba
	db 0x26,0x00,0x00,0x00,0xcd,0x80,0xeb,0x16,0xb8,0x04
	db 0x00,0x00,0x00,0xbb,0x01,0x00,0x00,0x00,0xb9,0x4a
	db 0x91,0x04,0x08,0xba,0x0b,0x00,0x00,0x00,0xcd,0x80
	db 0xb8,0x01,0x00,0x00,0x00,0x31,0xdb,0xcd,0x80,0x29
	db 0xc3,0x31,0xc9,0x02,0x08,0xc1,0xc1,0x03,0x40,0x4b
	db 0x75,0xf7,0xc3

	shellcode_len equ $-shellcode

	key_bytes:

	db 0x1e, 0xcd, 0x2a, 0xd5, 0x34, 0x87, 0xfc, 0x78
	db 0x64, 0x35, 0x9d, 0xec, 0xde, 0x15, 0xac, 0x97
	db 0x99, 0xaf, 0x96, 0xda, 0x79, 0x26, 0x4f, 0x32
	db 0xe0

	keybytes_len equ $-key_bytes


	section .text

	main:
	push banner ; push the banner label
	call printf ; display banner
	add esp, 0x4 ; realign the stack

	lea esi, [shellcode] ; load offset of shellcode
	mov ebx, shellcode_len ; mov the len of shellcode
	xor ecx, ecx ; Zero out ecx

	;--------------------------------------------------------
	; Calculate the Checksum
	;--------------------------------------------------------

	_loop:
	add cl, [esi] ; add opcode to cl
	rol ecx, 0x3 ; Rotate left ecx by 3
	inc esi ; incremenet esi
	dec ebx ; decrement ebx
	jnz _loop ; if ebx != 0 loop

	push ecx ; push the result to stack
	push fmt_checksum ; push the format string
	call printf ; print it
	mov ebx, [esp+4] ; mov the result from stack to ebx
	add esp, 0x8 ; Clear the stack

	;--------------------------------------------------------
	; Serial Routine
	;--------------------------------------------------------

	xor eax, eax ; Zero out eax
	mov ecx, keybytes_len ; len of key bytes

	__loop:
	ror ebx, 1 ; rotate right by 1 the checksum
	mov al, [key_bytes+ecx*1-0x1] ; mov byte by byte from keybyte to al in descending order

	xor al, bl ; XOR al by bl and store in al
	mov [password+ecx*1-0x1], al ; mov the result into our password array in descending order
	dec ecx ; decrement ecx
	jnz __Loop ; if (ecx != 0) loop

	push password ; push serial to stack
	push fmt_serial ; push the format string
	call printf ; Display serial
	add esp, 0x8 ; clear stack

	;--------------------------------------------------------
	; Exit gracefully
	;--------------------------------------------------------

	push 1 ; Push 1
	call exit ; Exit returning 1