ESET Crackme 2015

Yes its indeed sha1, but i think its just an obfuscation..

< here is encoding routine> somebody can help to decipher it..

0402510 55 PUSH EBP 00402511 8BEC MOV EBP,ESP 00402513 83EC 1C SUB ESP,1C 00402516 53 PUSH EBX 00402517 56 PUSH ESI 00402518 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] 0040251B 57 PUSH EDI 0040251C B9 10000000 MOV ECX,10 00402521 8D78 74 LEA EDI,DWORD PTR DS:[EAX+74] 00402524 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> 00402526 8B7A 0C MOV EDI,DWORD PTR DS:[EDX+C] 00402529 337A 08 XOR EDI,DWORD PTR DS:[EDX+8] 0040252C 8B72 04 MOV ESI,DWORD PTR DS:[EDX+4] 0040252F 8B0A MOV ECX,DWORD PTR DS:[EDX] 00402531 23FE AND EDI,ESI 00402533 337A 0C XOR EDI,DWORD PTR DS:[EDX+C] 00402536 8BD9 MOV EBX,ECX 00402538 C1C3 05 ROL EBX,5 0040253B 03DF ADD EBX,EDI 0040253D 035A 10 ADD EBX,DWORD PTR DS:[EDX+10] 00402540 8975 FC MOV DWORD PTR SS:[EBP-4],ESI 00402543 8B70 74 MOV ESI,DWORD PTR DS:[EAX+74] 00402546 8DBC33 9979825A LEA EDI,DWORD PTR DS:[EBX+ESI+5A827999] 0040254D 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4] 00402550 8B5A 08 MOV EBX,DWORD PTR DS:[EDX+8] 00402553 C1CE 02 ROR ESI,2 00402556 33DE XOR EBX,ESI 00402558 23D9 AND EBX,ECX 0040255A 335A 08 XOR EBX,DWORD PTR DS:[EDX+8] 0040255D 897D 08 MOV DWORD PTR SS:[EBP+8],EDI 00402560 C1C7 05 ROL EDI,5 00402563 0378 78 ADD EDI,DWORD PTR DS:[EAX+78] 00402566 8975 FC MOV DWORD PTR SS:[EBP-4],ESI 00402569 03DF ADD EBX,EDI 0040256B 8B72 0C MOV ESI,DWORD PTR DS:[EDX+C]

I verified by changing string bytes to produce same hash for different strings..

additionally it converts the user entered string to base64, and use it with following constant string. it suspected it to key and IV, but still unable to decipher it :( 00413008 52 46 56 31 61 56 34 66 51 31 46 79 64 46 78 6B RFV1aV4fQ1FydFxk EBP+8 >|00502D20 -P. ASCII "QTFAQP=<" actual string "AAAA" EBP+C >|00413008 0A. ASCII "RFV1aV4fQ1FydFxk"

/r/ReverseEngineering Thread Parent Link - joineset.com