Cheat Engine The Official Site of Cheat Engine
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
samuri25404 Grandmaster Cheater Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Fri Mar 14, 2008 9:36 pm
1) Why do you have so many imports from kernel32?
2) WTF IS WINSOCK IMPORTED?
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Fri Mar 14, 2008 11:36 pm
It's because of what he used to code it. This is made with BlitzBasic. It imports all of that automatically, as it's part of the BB runtime, which is packed into the exe along with his code.
EDIT:
Finding the script in Olly:
Start the program with Olly, let it load fully, and analyze for double checking.
Look for string refs (oh dear god, not string refs!) and find "Program has ended."
The call right above this should look something like:
CALL DWORD PTR SS:[EBP+C]
PTR SS:[EBP+C] holds the address the script is allocated to. The script that's running is:
Code:
00A80000  53 56 57 55 89 E5 81 EC 0C 00 00 00 81 EC 04 00  SVWU............
00A80010  00 00 B8 3C 02 A8 00 89 04 24 E8 E1 64 58 0F 81  ...<.....$..dX..
00A80020  EC 04 00 00 00 B8 38 02 A8 00 89 04 24 E8 BE 8F  ......8.....$...
00A80030  58 0F E8 05 00 00 00 E9 A2 01 00 00 BB 00 00 00  X...............
00A80040  00 89 5D FC 89 5D F8 89 5D F4 81 EC 10 00 00 00  ..]..]..].......
00A80050  C7 44 24 08 10 00 00 00 C7 44 24 0C 02 00 00 00  .D$......D$.....
00A80060  C7 44 24 04 B4 00 00 00 C7 04 24 90 01 00 00 E8  .D$.......$.....
00A80070  3C 51 5A 0F 81 EC 04 00 00 00 E8 71 35 58 0F 89  <QZ........q5X..
00A80080  04 24 E8 49 8B 5B 0F C7 45 FC 05 00 00 00 C7 45  .$.I.[..E......E
00A80090  F8 67 6E 45 74 E9 8C 00 00 00 81 6D FC 01 00 00  .gnEt......m....
00A800A0  00 81 EC 0C 00 00 00 B8 E7 01 A8 00 89 04 24 E8  ..............$.
00A800B0  FC 50 58 0F 89 04 24 E8 64 8E 5A 0F 89 04 24 E8  .PX...$.d.Z...$.
00A800C0  CC 4D 58 0F 89 45 F4 8B 5D F8 39 5D F4 0F 8D 1B  .MX..E..].9]....
00A800D0  00 00 00 81 EC 08 00 00 00 B8 FB 01 A8 00 89 04  ................
00A800E0  24 E8 CA 50 58 0F 89 04 24 E8 42 8D 5A 0F 8B 5D  $..PX...$.B.Z..]
00A800F0  F8 39 5D F4 0F 8E 1B 00 00 00 81 EC 08 00 00 00  .9].............
00A80100  B8 02 02 A8 00 89 04 24 E8 A3 50 58 0F 89 04 24  .......$..PX...$
00A80110  E8 1B 8D 5A 0F 8B 5D F8 39 5D F4 0F 85 05 00 00  ...Z..].9]......
00A80120  00 E9 0D 00 00 00 81 7D FC 00 00 00 00 0F 8F 67  .......}.......g
00A80130  FF FF FF 81 7D FC 00 00 00 00 0F 85 20 00 00 00  ....}....... ...
00A80140  81 EC 08 00 00 00 B8 09 02 A8 00 89 04 24 E8 5D  .............$.]
00A80150  50 58 0F 89 04 24 E8 D5 8C 5A 0F E9 1B 00 00 00  PX...$...Z......
00A80160  81 EC 08 00 00 00 B8 19 02 A8 00 89 04 24 E8 3D  .............$.=
00A80170  50 58 0F 89 04 24 E8 B5 8C 5A 0F 81 EC 08 00 00  PX...$...Z......
00A80180  00 B8 22 02 A8 00 89 04 24 E8 22 50 58 0F 89 04  .."......$."PX..
00A80190  24 E8 9A 8C 5A 0F 81 EC 08 00 00 00 B8 23 02 A8  $...Z........#..
00A801A0  00 89 04 24 E8 07 50 58 0F 89 04 24 E8 7F 8C 5A  ...$..PX...$...Z
00A801B0  0F 81 EC 04 00 00 00 C7 04 24 01 00 00 00 E8 FD  .........$......
00A801C0  58 5A 0F 81 EC 04 00 00 00 C7 04 24 01 00 00 00  XZ.........$....
00A801D0  E8 DB 2B 5A 0F 21 C0 0F 84 D4 FF FF FF C3 89 EC  ..+Z.!..........
00A801E0  5D 5F 5E 5B C2 00 00 57 68 61 74 20 69 73 20 74  ]_^[...What is t
00A801F0  68 65 20 73 65 72 69 61 6C 3A 00 57 72 6F 6E 67  he serial:.Wrong
00A80200  21 00 57 72 6F 6E 67 21 00 53 6F 72 72 79 20 59  !.Wrong!.Sorry Y
00A80210  6F 75 20 66 61 69 6C 21 00 43 6F 72 72 65 63 74  ou fail!.Correct
00A80220  21 00 00 50 72 65 73 73 20 45 53 43 20 74 6F 20  !..Press ESC to
00A80230  45 78 69 74 00 90 90 90 00 90 90 90 00 00 00 00  Exit............
Follow the call to get to:
Code:
00A8003C BB 00000000 MOV EBX,0
00A80041 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00A80044 895D F8 MOV DWORD PTR SS:[EBP-8],EBX
00A80047 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
00A8004A 81EC 10000000 SUB ESP,10
00A80050 C74424 08 10000>MOV DWORD PTR SS:[ESP+8],10
00A80058 C74424 0C 02000>MOV DWORD PTR SS:[ESP+C],2
00A80060 C74424 04 B4000>MOV DWORD PTR SS:[ESP+4],0B4
00A80068 C70424 90010000 MOV DWORD PTR SS:[ESP],190
00A8006F E8 3C515A0F CALL crackme.100251B0
00A80074 81EC 04000000 SUB ESP,4
00A8007A E8 7135580F CALL crackme.100035F0
00A8007F 890424 MOV DWORD PTR SS:[ESP],EAX
00A80082 E8 498B5B0F CALL crackme.10038BD0
00A80087 C745 FC 0500000>MOV DWORD PTR SS:[EBP-4],5
00A8008E C745 F8 676E457>MOV DWORD PTR SS:[EBP-8],74456E67
00A80095 E9 8C000000 JMP 00A80126
00A8009A 816D FC 0100000>SUB DWORD PTR SS:[EBP-4],1
00A800A1 81EC 0C000000 SUB ESP,0C
00A800A7 B8 E701A800 MOV EAX,0A801E7 ; ASCII "What is the serial:"
00A800AC 890424 MOV DWORD PTR SS:[ESP],EAX
00A800AF E8 FC50580F CALL crackme.100051B0
00A800B4 890424 MOV DWORD PTR SS:[ESP],EAX
00A800B7 E8 648E5A0F CALL crackme.10028F20
00A800BC 890424 MOV DWORD PTR SS:[ESP],EAX
00A800BF E8 CC4D580F CALL crackme.10004E90
00A800C4 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00A800C7 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00A800CA 395D F4 CMP DWORD PTR SS:[EBP-C],EBX
00A800CD 0F8D 1B000000 JGE 00A800EE
00A800D3 81EC 08000000 SUB ESP,8
00A800D9 B8 FB01A800 MOV EAX,0A801FB ; ASCII "Wrong!"
00A800DE 890424 MOV DWORD PTR SS:[ESP],EAX
00A800E1 E8 CA50580F CALL crackme.100051B0
00A800E6 890424 MOV DWORD PTR SS:[ESP],EAX
00A800E9 E8 428D5A0F CALL crackme.10028E30
00A800EE 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00A800F1 395D F4 CMP DWORD PTR SS:[EBP-C],EBX
00A800F4 0F8E 1B000000 JLE 00A80115
00A800FA 81EC 08000000 SUB ESP,8
00A80100 B8 0202A800 MOV EAX,0A80202 ; ASCII "Wrong!"
00A80105 890424 MOV DWORD PTR SS:[ESP],EAX
00A80108 E8 A350580F CALL crackme.100051B0
00A8010D 890424 MOV DWORD PTR SS:[ESP],EAX
00A80110 E8 1B8D5A0F CALL crackme.10028E30
00A80115 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
00A80118 395D F4 CMP DWORD PTR SS:[EBP-C],EBX
00A8011B 0F85 05000000 JNZ 00A80126
00A80121 E9 0D000000 JMP 00A80133
00A80126 817D FC 0000000>CMP DWORD PTR SS:[EBP-4],0
00A8012D ^ 0F8F 67FFFFFF JG 00A8009A
00A80133 817D FC 0000000>CMP DWORD PTR SS:[EBP-4],0
00A8013A 0F85 20000000 JNZ 00A80160
00A80140 81EC 08000000 SUB ESP,8
00A80146 B8 0902A800 MOV EAX,0A80209 ; ASCII "Sorry You fail!"
00A8014B 890424 MOV DWORD PTR SS:[ESP],EAX
00A8014E E8 5D50580F CALL crackme.100051B0
00A80153 890424 MOV DWORD PTR SS:[ESP],EAX
00A80156 E8 D58C5A0F CALL crackme.10028E30
00A8015B E9 1B000000 JMP 00A8017B
00A80160 81EC 08000000 SUB ESP,8
00A80166 B8 1902A800 MOV EAX,0A80219 ; ASCII "Correct!"
00A8016B 890424 MOV DWORD PTR SS:[ESP],EAX
00A8016E E8 3D50580F CALL crackme.100051B0
00A80173 890424 MOV DWORD PTR SS:[ESP],EAX
00A80176 E8 B58C5A0F CALL crackme.10028E30
00A8017B 81EC 08000000 SUB ESP,8
00A80181 B8 2202A800 MOV EAX,0A80222
00A80186 890424 MOV DWORD PTR SS:[ESP],EAX
00A80189 E8 2250580F CALL crackme.100051B0
00A8018E 890424 MOV DWORD PTR SS:[ESP],EAX
00A80191 E8 9A8C5A0F CALL crackme.10028E30
00A80196 81EC 08000000 SUB ESP,8
00A8019C B8 2302A800 MOV EAX,0A80223 ; ASCII "Press ESC to Exit"
00A801A1 890424 MOV DWORD PTR SS:[ESP],EAX
00A801A4 E8 0750580F CALL crackme.100051B0
00A801A9 890424 MOV DWORD PTR SS:[ESP],EAX
00A801AC E8 7F8C5A0F CALL crackme.10028E30
00A801B1 81EC 04000000 SUB ESP,4
00A801B7 C70424 01000000 MOV DWORD PTR SS:[ESP],1
00A801BE E8 FD585A0F CALL crackme.10025AC0
00A801C3 81EC 04000000 SUB ESP,4
00A801C9 C70424 01000000 MOV DWORD PTR SS:[ESP],1
00A801D0 E8 DB2B5A0F CALL crackme.10022DB0
00A801D5 21C0 AND EAX,EAX
00A801D7 ^ 0F84 D4FFFFFF JE 00A801B1
00A801DD C3 RET
Cracking:
- Patch the jumps to remove the conditions and always jump to the good message.
Serial:
- Not sure, don't really feel like following the 10 million calls into the checks and stuff, not to mention I don't really care how BlitzBasic handles strings, nor want to >.> I'll talk to you on MSN about this, Lab, and find the password just to see how it's handled later >.>
samuri25404 Grandmaster Cheater Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
Posted: Sat Mar 15, 2008 6:55 am
Not that I don't trust Lab, but it seems a bit suspicious: all of the import names are masked, and I had to go to "intermodular calls" to figure out what they were. Among others,
Code:
send
recv
opensocket
closesocket
And that's all I remember (just got up, and I was doing it last night)
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Sat Mar 15, 2008 9:16 am
Trust me, it is safe.
Here is the complete code (.bb).
If you get a demo of Blitz3D and copy this code to a text file, save it as .bb, open the file in Blitz and compile it, you will see all of the imports are the same for you as they were for the file I posted.
The software is meant for game programming, not this lol.
The base source is rewritten from a basic text-based game.
Code:
;Crackme Simple
Const width=400
Const height=180
;Graphics in window mode: the last parameter, "2", is window mode.
Graphics3D width,height,16,2
SeedRnd MilliSecs()
turnsleft=5
pass=???????????????????????
While (turnsleft>0)
    turnsleft=turnsleft-1
    guess=Input("What is the serial:")
    If guess<pass Then Print "Wrong!"
    If guess>pass Then Print "Wrong!"
    If guess=pass Then Exit
Wend
If turnsleft=0 Then Print "Sorry You fail!" Else Print "Correct!"
Print
Print "Press ESC to Exit"
Repeat
    VWait
Until KeyHit(1)
Also check out this line; it shows you what it was coded in:
Code:
Address=100019FE
Disassembly=PUSH Crackme.1010D560
Text string=ASCII "Unable to run Blitz Basic module"
DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Mon Apr 07, 2008 3:48 pm
1950707303
How?
Set a breakpoint on VirtualAlloc to get the destination; the first call after it will reveal the 'program' code. Analysing from there will show that the comparison is done with [ebp-8], which is loaded earlier with 1950707303 (0x74456E67).
Reference:
0x1016CB5C + 0x8E
0x1016CB5C + 0xC4
(will post pictures later, maybe)
EDIT: BlitzBasic seems to "compile" the program into a resource file, and the loader executes it at runtime.
Code:
10001888 |> \6A 0A PUSH 0A ; /ResourceType = RT_RCDATA
1000188A |. 68 57040000 PUSH 457 ; |ResourceName = 457 |The Id of our resource
1000188F |. 53 PUSH EBX ; |hModule
10001890 |. FF15 74001010 CALL DWORD PTR [<&KERNEL32.FindResourceA>; \FindResourceA |Returns the header - 0x1016CB48
10001896 |. 8BF0 MOV ESI,EAX
10001898 |. 3BF3 CMP ESI,EBX
1000189A |. 75 05 JNZ SHORT 100018A1
1000189C |. E8 59010000 CALL 100019FA
100018A1 |> 56 PUSH ESI ; /hResource
100018A2 |. 53 PUSH EBX ; |hModule
100018A3 |. FF15 70001010 CALL DWORD PTR [<&KERNEL32.LoadResource>>; \LoadResource | The actual resource - 0x1016CB58
100018A9 |. 8BF0 MOV ESI,EAX
100018AB |. 3BF3 CMP ESI,EBX
100018AD |. 75 05 JNZ SHORT 100018B4
100018AF |. E8 46010000 CALL 100019FA
100018B4 |> 56 PUSH ESI ; /nHandles
100018B5 |. FF15 B0001010 CALL DWORD PTR [<&KERNEL32.LockResource>>; \SetHandleCount |Locks the resource
100018BB |. 3BC3 CMP EAX,EBX
100018BD |. 8945 EC MOV [LOCAL.5],EAX |local5 << resource
100018C0 |. 75 05 JNZ SHORT 100018C7
100018C2 |. E8 33010000 CALL 100019FA
100018C7 |> 8B45 EC MOV EAX,[LOCAL.5] |resource {header:BYTE[0xF], size:DWORD, code:BYTE[size],...}
100018CA |. 8B30 MOV ESI,DWORD PTR [EAX] |ESI << 0x240
100018CC |. 8345 EC 04 ADD [LOCAL.5],4 |local5 << the actual code to process
100018D0 |. 6A 40 PUSH 40 ; /Protect = PAGE_EXECUTE_READWRITE
100018D2 |. 68 00300000 PUSH 3000 ; |AllocationType = MEM_COMMIT|MEM_RESERVE
100018D7 |. 56 PUSH ESI ; |Size |0x240
100018D8 |. 53 PUSH EBX ; |Address
100018D9 |. FF15 B4001010 CALL DWORD PTR [<&KERNEL32.VirtualAlloc>>; \VirtualAlloc
100018DF |. 56 PUSH ESI |0x240 <bytesToCopy>
100018E0 |. FF75 EC PUSH [LOCAL.5] |0x1016CB58 <baseAdress>
100018E3 |. A3 C0AB1210 MOV DWORD PTR [1012ABC0],EAX
100018E8 |. 50 PUSH EAX |0x???????? <destination>
100018E9 |. E8 32860900 CALL 10099F20 | <copyMemory>
100018EE |. 0175 EC ADD [LOCAL.5],ESI
100018F1 |. 8B45 EC MOV EAX,[LOCAL.5]
100018F4 |. 8B00 MOV EAX,DWORD PTR [EAX]
100018F6 |. 8345 EC 04 ADD [LOCAL.5],4
100018FA |. 83C4 0C ADD ESP,0C
100018FD |. 3BC3 CMP EAX,EBX
100018FF |. 7E 50 JLE SHORT 10001951
10001901 |. 8BF8 MOV EDI,EAX
10001903 |> 8D45 EC /LEA EAX,[LOCAL.5] |Manage strings and such
10001906 |. 50 |PUSH EAX |break after the first call in each
10001907 |. 8D45 84 |LEA EAX,[LOCAL.31] | of the loops and watch the stack
1000190A |. 50 |PUSH EAX | for more details ;)
1000190B |. E8 03010000 |CALL 10001A13
10001910 |. A1 C0AB1210 |MOV EAX,DWORD PTR [1012ABC0]
10001915 |. 3945 94 |CMP [LOCAL.27],EAX
10001918 |. C745 FC 06000>|MOV [LOCAL.1],6
1000191F |. 7C 07 |JL SHORT 10001928
10001921 |. 03C6 |ADD EAX,ESI
10001923 |. 3945 94 |CMP [LOCAL.27],EAX
10001926 |. 7C 05 |JL SHORT 1000192D
10001928 |> E8 CD000000 |CALL 100019FA
1000192D |> 8D45 84 |LEA EAX,[LOCAL.31]
10001930 |. 50 |PUSH EAX
10001931 |. B9 A0AB1210 |MOV ECX,1012ABA0
10001936 |. E8 B9030000 |CALL 10001CF4
1000193B |. 8B4D 94 |MOV ECX,[LOCAL.27]
1000193E |. 834D FC FF |OR [LOCAL.1],FFFFFFFF
10001942 |. 8908 |MOV DWORD PTR [EAX],ECX
10001944 |. 6A 01 |PUSH 1
10001946 |. 8D4D 84 |LEA ECX,[LOCAL.31]
10001949 |. E8 84060000 |CALL 10001FD2
1000194E |. 4F |DEC EDI
1000194F |.^ 75 B2 \JNZ SHORT 10001903
10001951 |> 8B45 EC MOV EAX,[LOCAL.5]
10001954 |. 8B00 MOV EAX,DWORD PTR [EAX]
10001956 |. 8345 EC 04 ADD [LOCAL.5],4
1000195A |. 3BC3 CMP EAX,EBX
1000195C |. 7E 37 JLE SHORT 10001995
1000195E |. 8BF8 MOV EDI,EAX
10001960 |> 8D45 EC /LEA EAX,[LOCAL.5]
10001963 |. 50 |PUSH EAX
10001964 |. 8D45 84 |LEA EAX,[LOCAL.31]
10001967 |. 50 |PUSH EAX
10001968 |. E8 A6000000 |CALL 10001A13
1000196D |. 8B75 94 |MOV ESI,[LOCAL.27]
10001970 |. 8D45 84 |LEA EAX,[LOCAL.31]
10001973 |. 50 |PUSH EAX
10001974 |. C745 FC 07000>|MOV [LOCAL.1],7
1000197B |. E8 1A010000 |CALL 10001A9A
10001980 |. 834D FC FF |OR [LOCAL.1],FFFFFFFF
10001984 |. 2BC6 |SUB EAX,ESI
10001986 |. 0106 |ADD DWORD PTR [ESI],EAX
10001988 |. 6A 01 |PUSH 1
1000198A |. 8D4D 84 |LEA ECX,[LOCAL.31]
1000198D |. E8 40060000 |CALL 10001FD2
10001992 |. 4F |DEC EDI
10001993 |.^ 75 CB \JNZ SHORT 10001960
10001995 |> 8B45 EC MOV EAX,[LOCAL.5]
10001998 |. 8B00 MOV EAX,DWORD PTR [EAX]
1000199A |. 8345 EC 04 ADD [LOCAL.5],4
1000199E |. 3BC3 CMP EAX,EBX
100019A0 |. 7E 35 JLE SHORT 100019D7
100019A2 |. 8BF8 MOV EDI,EAX
100019A4 |> 8D45 EC /LEA EAX,[LOCAL.5]
100019A7 |. 50 |PUSH EAX
100019A8 |. 8D45 A8 |LEA EAX,[LOCAL.22]
100019AB |. 50 |PUSH EAX
100019AC |. E8 62000000 |CALL 10001A13
100019B1 |. 8B75 B8 |MOV ESI,[LOCAL.18]
100019B4 |. 8D45 A8 |LEA EAX,[LOCAL.22]
100019B7 |. 50 |PUSH EAX
100019B8 |. C745 FC 08000>|MOV [LOCAL.1],8
100019BF |. E8 D6000000 |CALL 10001A9A
100019C4 |. 0106 |ADD DWORD PTR [ESI],EAX
100019C6 |. 834D FC FF |OR [LOCAL.1],FFFFFFFF
100019CA |. 6A 01 |PUSH 1
100019CC |. 8D4D A8 |LEA ECX,[LOCAL.22]
100019CF |. E8 FE050000 |CALL 10001FD2
100019D4 |. 4F |DEC EDI
100019D5 |.^ 75 CD \JNZ SHORT 100019A4
100019D7 |> B9 80AB1210 MOV ECX,1012AB80
100019DC |. E8 CA070000 CALL 100021AB
100019E1 |. B9 A0AB1210 MOV ECX,1012ABA0
100019E6 |. E8 C0070000 CALL 100021AB
100019EB |. 8B4D F4 MOV ECX,[LOCAL.3]
100019EE |. 5F POP EDI
100019EF |. 5E POP ESI
100019F0 |. 5B POP EBX
100019F1 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
100019F8 |. C9 LEAVE
100019F9 \. C3 RETN
Last edited by DoomsDay on Tue Apr 08, 2008 7:04 am; edited 2 times in total |
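Added example, not code from the crackme, from BlitzBasic, or from anyone in this thread: it carves the script blob the way the loader listing above does (size DWORD, then that many bytes of code), pulls the serial out of the `MOV DWORD PTR [EBP-8], imm32` that atom0s's disassembly shows at 00A8008E, lists the string table after the RET, and builds a patched copy in which the conditional jumps always lead to "Correct!". The 0x240 code bytes are transcribed from the dump posted earlier; the size prefix in front of them is constructed here to mirror the resource layout DoomsDay describes, and the base 0x00A80000 is assumed only so printed addresses line up with that dump.

```python
"""Carve, inspect and patch the BlitzBasic script blob from this thread.

Added example; the only real data is the 0x240-byte dump from the thread.
The DWORD size prefix (RESOURCE_BLOB) is constructed to match the
"size:DWORD, code:BYTE[size]" layout the loader reads, and BASE is the
VirtualAlloc'd address from the posted session (assumption: it varies).
"""
import re
import struct

SCRIPT = bytes.fromhex("""
53 56 57 55 89 E5 81 EC 0C 00 00 00 81 EC 04 00 00 00 B8 3C 02 A8 00 89 04 24 E8 E1 64 58 0F 81
EC 04 00 00 00 B8 38 02 A8 00 89 04 24 E8 BE 8F 58 0F E8 05 00 00 00 E9 A2 01 00 00 BB 00 00 00
00 89 5D FC 89 5D F8 89 5D F4 81 EC 10 00 00 00 C7 44 24 08 10 00 00 00 C7 44 24 0C 02 00 00 00
C7 44 24 04 B4 00 00 00 C7 04 24 90 01 00 00 E8 3C 51 5A 0F 81 EC 04 00 00 00 E8 71 35 58 0F 89
04 24 E8 49 8B 5B 0F C7 45 FC 05 00 00 00 C7 45 F8 67 6E 45 74 E9 8C 00 00 00 81 6D FC 01 00 00
00 81 EC 0C 00 00 00 B8 E7 01 A8 00 89 04 24 E8 FC 50 58 0F 89 04 24 E8 64 8E 5A 0F 89 04 24 E8
CC 4D 58 0F 89 45 F4 8B 5D F8 39 5D F4 0F 8D 1B 00 00 00 81 EC 08 00 00 00 B8 FB 01 A8 00 89 04
24 E8 CA 50 58 0F 89 04 24 E8 42 8D 5A 0F 8B 5D F8 39 5D F4 0F 8E 1B 00 00 00 81 EC 08 00 00 00
B8 02 02 A8 00 89 04 24 E8 A3 50 58 0F 89 04 24 E8 1B 8D 5A 0F 8B 5D F8 39 5D F4 0F 85 05 00 00
00 E9 0D 00 00 00 81 7D FC 00 00 00 00 0F 8F 67 FF FF FF 81 7D FC 00 00 00 00 0F 85 20 00 00 00
81 EC 08 00 00 00 B8 09 02 A8 00 89 04 24 E8 5D 50 58 0F 89 04 24 E8 D5 8C 5A 0F E9 1B 00 00 00
81 EC 08 00 00 00 B8 19 02 A8 00 89 04 24 E8 3D 50 58 0F 89 04 24 E8 B5 8C 5A 0F 81 EC 08 00 00
00 B8 22 02 A8 00 89 04 24 E8 22 50 58 0F 89 04 24 E8 9A 8C 5A 0F 81 EC 08 00 00 00 B8 23 02 A8
00 89 04 24 E8 07 50 58 0F 89 04 24 E8 7F 8C 5A 0F 81 EC 04 00 00 00 C7 04 24 01 00 00 00 E8 FD
58 5A 0F 81 EC 04 00 00 00 C7 04 24 01 00 00 00 E8 DB 2B 5A 0F 21 C0 0F 84 D4 FF FF FF C3 89 EC
5D 5F 5E 5B C2 00 00 57 68 61 74 20 69 73 20 74 68 65 20 73 65 72 69 61 6C 3A 00 57 72 6F 6E 67
21 00 57 72 6F 6E 67 21 00 53 6F 72 72 79 20 59 6F 75 20 66 61 69 6C 21 00 43 6F 72 72 65 63 74
21 00 00 50 72 65 73 73 20 45 53 43 20 74 6F 20 45 78 69 74 00 90 90 90 00 90 90 90 00 00 00 00
""")
assert len(SCRIPT) == 0x240  # matches the size the loader reads into ESI

BASE = 0x00A80000  # assumed: where VirtualAlloc put the script in the posted session
RESOURCE_BLOB = struct.pack("<I", len(SCRIPT)) + SCRIPT  # constructed: size DWORD + code


def carve_script(blob):
    """Mirror the loader at 100018CA..100018DF: read the size DWORD, then copy size bytes."""
    (size,) = struct.unpack_from("<I", blob, 0)
    code = blob[4:4 + size]
    if len(code) != size:
        raise ValueError("blob shorter than its size field")
    return code


def find_serial(code):
    """Return (offset, imm32) of the first 'MOV DWORD PTR [EBP-8], imm32' (C7 45 F8 imm32).
    The compiled script keeps 'pass' in [EBP-8] and compares the guess ([EBP-C]) to it."""
    off = code.find(b"\xC7\x45\xF8")
    if off < 0:
        raise ValueError("MOV [EBP-8], imm32 not found")
    return off, struct.unpack_from("<I", code, off + 3)[0]


def script_strings(code):
    """NUL-terminated runs of printable ASCII: the string table that follows the RET."""
    return [m.group(1).decode("ascii") for m in re.finditer(rb"([\x20-\x7e]{4,})\x00", code)]


def jcc_target(code, off):
    """Target of a 6-byte Jcc rel32 (0F 8x rel32) or NOP+JMP rel32 (90 E9 rel32) at off."""
    rel = struct.unpack_from("<i", code, off + 2)[0]
    return BASE + off + 6 + rel


def force_jump(code, off):
    """Rewrite Jcc rel32 (0F 80..8F rel32) in place as NOP; JMP rel32 (90 E9 rel32).
    Both encodings are 6 bytes and end at the same address, so rel32 stays valid."""
    if code[off] != 0x0F or not 0x80 <= code[off + 1] <= 0x8F:
        raise ValueError("no Jcc rel32 at %08X" % (BASE + off))
    code[off] = 0x90
    code[off + 1] = 0xE9


def patch_script(code):
    """Return a copy in which any input reaches 'Correct!' on the first try."""
    p = bytearray(code)
    force_jump(p, 0xCD)               # JGE over the first "Wrong!"  -> always skip it
    force_jump(p, 0xF4)               # JLE over the second "Wrong!" -> always skip it
    p[0x11B:0x121] = b"\x90" * 6      # JNZ back into the loop        -> fall into JMP 00A80133
    force_jump(p, 0x13A)              # JNZ to "Correct!"             -> always taken
    return bytes(p)


if __name__ == "__main__":
    code = carve_script(RESOURCE_BLOB)
    off, serial = find_serial(code)
    print("serial at %08X: %d (0x%08X)" % (BASE + off, serial, serial))
    print("strings:", script_strings(code))
    patched = patch_script(code)
    for o in (0xCD, 0xF4, 0x13A):
        print("%08X: %s -> JMP %08X" % (BASE + o, patched[o:o + 6].hex(" "), jcc_target(patched, o)))
```

The offsets 0xCD, 0xF4, 0x11B and 0x13A are the four conditional jumps in the posted disassembly (00A800CD, 00A800F4, 00A8011B, 00A8013A); `find_serial` lands on 0x8E, the same `0x1016CB5C + 0x8E` DoomsDay references, and the immediate decodes to 1950707303. The `0F 8x` to `90 E9` rewrite is the reason the patch needs no reassembly: the relative displacement is measured from the end of the instruction, which does not move.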
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
Posted: Mon Apr 07, 2008 8:25 pm
And we have 2 who aren't scared of all the imports.