Buggy, Advanced Cheater (Reputation: 0). Joined: 04 Jan 2008. Posts: 72. Location: Republic of Korea (South Korea)
Posted: Wed Mar 12, 2008 7:56 am. Post subject: Strange Crackme
I think this is a strange crackme -_-;;
Just try the crackme!
atom0s, Moderator (Reputation: 198). Joined: 25 Jan 2006. Posts: 8516. Location: 127.0.0.1
Posted: Wed Mar 12, 2008 1:00 pm.
Aww, I have to say, kinda cute of you to name a function for me, lol.
'IsUserNameWiccaan'
But sorry to burst your bubble, my username on my system is not Wiccaan.
OK, to start: you call ZwQueryInformationProcess and check the debug port of the program to test if it's being debugged.
Code:
00012F6D  52             PUSH EDX                        ; ReturnLength
00012F6E  6A 04          PUSH 4                          ; ProcessInformationLength
00012F70  50             PUSH EAX                        ; ProcessInformation (DWORD DebugPort)
00012F71  6A 07          PUSH 7                          ; ProcessInformationClass = ProcessDebugPort
00012F73  897D E4        MOV DWORD PTR SS:[EBP-1C],EDI
00012F76  6A FF          PUSH -1                         ; ProcessHandle = current process
00012F78  897D E8        MOV DWORD PTR SS:[EBP-18],EDI
00012F7B  897D E4        MOV DWORD PTR SS:[EBP-1C],EDI
00012F7E  E8 EDF3FFFF    CALL the13tho.00012370          ; VB DLL-call thunk -> ZwQueryInformationProcess
That call goes to the function that VB creates to do DLL calls, which calls that API. Anyway, after that there is a conditional jump; you can either patch it or reset the debug port while the program is paused, your choice. I prefer patching so I don't have to do it over and over each start. So..
Code:
00012F8D  75 0B          JNZ SHORT the13tho.00012F9A     ; 75 rel8 -> EB rel8 to always take the not-debugged path
Change this to JMP instead of JNZ.
Next is another call to the same API here:
Code:
00012FDE  50             PUSH EAX                        ; ReturnLength
00012FDF  6A 18          PUSH 18                         ; ProcessInformationLength = 0x18 = sizeof(PROCESS_BASIC_INFORMATION) on 32-bit
00012FE1  51             PUSH ECX                        ; ProcessInformation
00012FE2  6A 00          PUSH 0                          ; ProcessInformationClass = ProcessBasicInformation
00012FE4  6A FF          PUSH -1                         ; ProcessHandle = current process
00012FE6  C74424 1C 000> MOV DWORD PTR SS:[ESP+1C],0
00012FEE  E8 7DF3FFFF    CALL x.00012370                 ; same thunk -> ZwQueryInformationProcess
This time it looks like you are grabbing the PBI, not 100% sure on it though.
Again another JNZ below that call:
Code:
00012FFF  75 2C          JNZ SHORT x.0001302D
Patch to JMP and continue.
Next we have a call to CheckRemoteDebuggerPresent here:
Code:
000135B7  8D55 E8        LEA EDX,DWORD PTR SS:[EBP-18]   ; &bDebuggerPresent
000135BA  897D E8        MOV DWORD PTR SS:[EBP-18],EDI
000135BD  52             PUSH EDX                        ; pbDebuggerPresent
000135BE  6A FF          PUSH -1                         ; hProcess = current process
000135C0  E8 1BEFFFFF    CALL x1.000124E0                ; thunk -> CheckRemoteDebuggerPresent
A plugin with Olly can fix this one, or you can patch the conditional jump after.
After that you have the typical things you have done in your past crackmes. You check for the SoftICE files and some other things. There are a few new checks, it seems; not sure what they are, I didn't look too deep into them. This block checks each string:
Code:
00013CA5  8B55 D8        MOV EDX,DWORD PTR SS:[EBP-28]   ; string under test
00013CA8  83C4 10        ADD ESP,10
00013CAB  52             PUSH EDX
00013CAC  68 C8270100    PUSH x.000127C8                 ; UNICODE "DebugObject"
00013CB1  6A 01          PUSH 1                          ; compare mode (vbTextCompare)
00013CB3  FF15 18110100  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrComp>]   ; MSVBVM60.__vbaStrComp
00013CB9  66:85C0        TEST AX,AX                      ; 0 = strings equal
00013CBC  75 1A          JNZ SHORT x.00013CD8            ; not equal -> skip the kill
00013CBE  8B85 78FFFFFF  MOV EAX,DWORD PTR SS:[EBP-88]
00013CC4  85C0           TEST EAX,EAX
00013CC6  7F 0A          JG SHORT x.00013CD2
00013CC8  8B85 74FFFFFF  MOV EAX,DWORD PTR SS:[EBP-8C]
00013CCE  85C0           TEST EAX,EAX
00013CD0  7E 06          JLE SHORT x.00013CD8
00013CD2  FF15 20100100  CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>]   ; MSVBVM60.__vbaEnd, terminates the program
I patched this by simply jumping over the whole check. Change the first conditional JNZ to JMP and it will skip it all.
Once those are done the exe should run. Fix the other checks for your specific needs though.
Continuing on..
The EXE runs; I test a password and it closes the EXE when I click the button, but only when I'm hooked into the process with Olly; it works fine elsewhere. I didn't track down what's the cause fully yet, but if you have the HideOlly plugin, just turn everything on and restart the exe and you can debug the button press.
After that, break on the compare and the password is:
ShutUpMalfoyILoveYouHagrid
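The "change this JNZ to JMP" steps above, done as a file patch instead of by hand in Olly, as an added example that is not code from the thread or from the crackme. It parses the OllyDbg lines quoted in the post, resolves each VA through the PE32 section table, refuses to write unless the bytes on disk match the listing, and rewrites JNZ rel8 (75 xx) as JMP rel8 (EB xx), which has the same length and the same displacement. The PE it runs against is constructed inline: the crackme's real image base (0x10000 is assumed here, only so the quoted 0001xxxx addresses land in .text), its section layout, and the module names Olly shows (the13tho, x, x1) are all assumptions, and the CheckRemoteDebuggerPresent jump is not in the sample because the post does not quote its line.

```python
import re
import struct
from collections import namedtuple

Insn = namedtuple('Insn', 'va opcodes mnemonic operands')
_HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2})+')   # Olly groups bytes by field: '897D E4'


def parse_olly_line(line):
    """One OllyDbg line -> Insn, or None. Strips the forum's 'Code: |' wrapper and Olly's markers
    ('|.', '.', '>', '/', '\\'). Even-length hex tokens after the address are taken as raw bytes,
    so an all-hex x87 mnemonic such as FADD would be misread (none occur in this thread)."""
    tokens = line.replace('Code:', ' ').replace('|', ' ').split()
    if not tokens or not re.fullmatch(r'[0-9A-Fa-f]{8}', tokens[0]):
        return None
    rest = [t for t in (t.lstrip('./\\>') for t in tokens[1:]) if t]
    raw = []
    while rest and _HEX_RUN.fullmatch(rest[0]):
        raw.append(rest.pop(0))
    if not raw or not rest:
        return None
    return Insn(int(tokens[0], 16), bytes.fromhex(''.join(raw)), rest[0].upper(),
                ' '.join(rest[1:]).rstrip(' ;'))


def pe_layout(data):
    """(image_base, [(name, rva, raw_ptr, raw_size), ...]) of a PE32 image."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 handled (a VB6 exe is 32-bit)')
    image_base = struct.unpack_from('<I', data, opt + 28)[0]   # ImageBase is at +28 in PE32
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = bytes(data[off:off + 8]).rstrip(b'\0').decode('ascii', 'replace')
        _vsize, rva, raw_size, raw_ptr = struct.unpack_from('<IIII', data, off + 8)
        sections.append((name, rva, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(va, image_base, sections):
    """File offset backing a VA, or ValueError if no section's raw data covers it."""
    rva = va - image_base
    for _name, sec_rva, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f'VA {va:08X} is not backed by any section')


def patch_jnz_to_jmp(pe_bytes, listing_lines):
    """Rewrite every short JNZ in the listing as JMP SHORT. 75 xx and EB xx share length and
    displacement, so only the opcode changes; a near JNZ (0F 85 rel32) is refused because
    E9 rel32 is one byte shorter. Disk bytes are compared to the listing before any write."""
    data = bytearray(pe_bytes)
    image_base, sections = pe_layout(data)
    patched = []
    for ins in filter(None, map(parse_olly_line, listing_lines)):
        if ins.mnemonic != 'JNZ':
            continue
        if ins.opcodes[0] != 0x75 or len(ins.opcodes) != 2:
            raise ValueError(f'{ins.va:08X}: only short JNZ handled, got {ins.opcodes.hex()}')
        off = va_to_offset(ins.va, image_base, sections)
        if data[off:off + 2] != ins.opcodes:
            raise ValueError(f'{ins.va:08X}: disk has {data[off:off + 2].hex()}, listing {ins.opcodes.hex()}')
        data[off] = 0xEB
        patched.append(ins.va)
    return bytes(data), patched


# Lines quoted in the post: the three short JNZs plus a little context (a PUSH and the CALL).
THREAD_LISTING = [
    'Code: | 00012F6D |. 52 PUSH EDX',
    '00012F7E |. E8 EDF3FFFF CALL the13tho.00012370 |',
    'Code: | 00012F8D |. /75 0B JNZ SHORT the13tho.00012F9A ; |',
    'Code: | 00012FFF . /75 2C JNZ SHORT x.0001302D |',
    '00013CBC . 75 1A JNZ SHORT x.00013CD8',
]


def build_sample_pe(listing_lines, image_base=0x10000):
    """Constructed minimal PE32 with one .text section (RVA 0x1000, raw offset 0x400, 0x3000 bytes)
    holding the listing's bytes. The real crackme's layout is not known from the thread; image
    base 0x10000 is assumed only so the quoted VAs (0001xxxx) land inside .text."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x3000
    dos = b'MZ'.ljust(0x3C, b'\0') + struct.pack('<I', 0x40)             # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)        # i386, 1 section, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into('<I', opt, 28, image_base)
    sec = struct.pack('<8sIIII', b'.text', text_size, text_rva, text_size, text_raw).ljust(40, b'\0')
    image = bytearray(text_raw + text_size)
    hdr = dos + b'PE\0\0' + coff + opt + sec
    image[:len(hdr)] = hdr
    base, sections = pe_layout(image)
    for ins in filter(None, map(parse_olly_line, listing_lines)):
        off = va_to_offset(ins.va, base, sections)
        image[off:off + len(ins.opcodes)] = ins.opcodes
    return bytes(image)


if __name__ == '__main__':
    _, vas = patch_jnz_to_jmp(build_sample_pe(THREAD_LISTING), THREAD_LISTING)
    print('patched 75 -> EB at', ' '.join(f'{va:08X}' for va in vas))
```

Against the real file you would read it with open(path, 'rb'), pass the full listing, and write the returned bytes back. The byte check is what makes this safe to rerun or to apply to the wrong build: a second run stops at the first JNZ because the byte on disk is already EB, instead of quietly flipping some other 0x75.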
Buggy, Advanced Cheater (Reputation: 0). Joined: 04 Jan 2008. Posts: 72. Location: Republic of Korea (South Korea)
Posted: Thu Mar 13, 2008 5:14 am.
Wiccaan wrote:
    Aww, I have to say, kinda cute of you to name a function for me, lol.
What I used to make it:
use CheckRemoteDebuggerPresent
check \\.\SICE and \\.\NTICE
use ZwSetInformationThread
use a function that works like IsDebuggerPresent
Code:
' Declarations assumed by the function below (not shown in the original post);
' PROCESS_BASIC_INFORMATION is a six-Long user-defined type (24 bytes).
Private Declare Function ZwQueryInformationProcess Lib "ntdll" (ByVal hProcess As Long, ByVal InfoClass As Long, pInfo As Any, ByVal Length As Long, ReturnLength As Any) As Long
Private Declare Sub RtlMoveMemory Lib "kernel32" (Dest As Any, Src As Any, ByVal Length As Long)
Private Const ProcessBasicInformation = 0&

Private Function IsUserNameWiccaan() As Long
    Dim pbi As PROCESS_BASIC_INFORMATION
    Const CurrentProcess = -1&   ' pseudo-handle for the current process
    If ZwQueryInformationProcess(CurrentProcess, ProcessBasicInformation, pbi, Len(pbi), 0&) = 0& Then
        ' PEB+2 is the BeingDebugged byte; copy it into the (Long) return value.
        ' The result must be assigned to the function's own name.
        RtlMoveMemory IsUserNameWiccaan, ByVal pbi.PebBaseAddress + 2, 1&
    End If
End Function
Actually I couldn't use it well because it was of type Long -_-
check DebugPort
check hardware breakpoints
use ZwQueryObject
check NtGlobalFlag
I can't remember the others, but anyway you cracked it in a very good way!
xMurtaghx, I post too much (Reputation: 1). Joined: 13 Apr 2008. Posts: 3611. Location: Gayville, South Dakota, 57031, United States of America
Posted: Mon Apr 14, 2008 5:52 pm.
Strange crackme.
lurc, Grandmaster Cheater Supreme (Reputation: 2). Joined: 13 Nov 2006. Posts: 1900
Posted: Mon Apr 14, 2008 6:49 pm.
xMurtaghx wrote:
    Strange crackme.
I really hope that Wiccaan gives you a warning for spamming the General Programming + CrackMe section.
Labyrnth, Moderator (Reputation: 9). Joined: 28 Nov 2006. Posts: 6285
Posted: Mon Apr 14, 2008 6:53 pm.
He is doing this all over the place, not just here; he joined yesterday and is already at 41 posts.
atom0s, Moderator (Reputation: 198). Joined: 25 Jan 2006. Posts: 8516. Location: 127.0.0.1
Posted: Tue Apr 15, 2008 3:40 am.
DarkByte said he didn't need to give me access to moderating the CrackMe section so it's up to him to clean up the crap in here. I only have rights to GP and MP hacking.