Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


Strange Crackme

 
Buggy
Advanced Cheater
Reputation: 0

Joined: 04 Jan 2008
Posts: 72
Location: Republic of Korea (South Korea)

Posted: Wed Mar 12, 2008 7:56 am    Post subject: Strange Crackme

I think this is a strange crackme -_-;;
just try to crackme!

_________________

iroo sooo hooooot
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Wed Mar 12, 2008 1:00 pm    Post subject:

Aww I have to say, kinda cute for you to name a function for me lol.

'IsUserNameWiccaan'

But sorry to burst your bubble, my username on my system is not Wiccaan. ;)

Ok to start: You call ZwQueryInformationProcess, you check the debug port of the program to test if it's being debugged.

Code:
00012F6D  |.  52            PUSH EDX
00012F6E  |.  6A 04         PUSH 4
00012F70  |.  50            PUSH EAX
00012F71  |.  6A 07         PUSH 7
00012F73  |.  897D E4       MOV DWORD PTR SS:[EBP-1C],EDI
00012F76  |.  6A FF         PUSH -1
00012F78  |.  897D E8       MOV DWORD PTR SS:[EBP-18],EDI
00012F7B  |.  897D E4       MOV DWORD PTR SS:[EBP-1C],EDI
00012F7E  |.  E8 EDF3FFFF   CALL the13tho.00012370


That call goes to the function that VB creates to do DLL calls which calls that API. Anyway.. after that there is a conditional jump you can either patch, or reset the debug port while the program is paused, your choice. I prefer patching so I don't have to do it over and over each start. So..

Code:
00012F8D  |. /75 0B         JNZ SHORT the13tho.00012F9A              ;


Change this to JMP instead of JNZ.

Next is another call to the same API here:
Code:
00012FDE   .  50            PUSH EAX
00012FDF   .  6A 18         PUSH 18
00012FE1   .  51            PUSH ECX
00012FE2   .  6A 00         PUSH 0
00012FE4   .  6A FF         PUSH -1
00012FE6   .  C74424 1C 000>MOV DWORD PTR SS:[ESP+1C],0
00012FEE   .  E8 7DF3FFFF   CALL x.00012370


This time it looks like you are grabbing the PBI, not 100% sure on it though.

Again another JNZ below that call:
Code:
00012FFF   . /75 2C         JNZ SHORT x.0001302D


Patch to JMP and continue.

Next we have a call to CheckRemoteDebuggerPresent here:
Code:
000135B7    8D55 E8         LEA EDX,DWORD PTR SS:[EBP-18]
000135BA    897D E8         MOV DWORD PTR SS:[EBP-18],EDI
000135BD    52              PUSH EDX
000135BE    6A FF           PUSH -1
000135C0    E8 1BEFFFFF     CALL x1.000124E0


A plugin with Olly can fix this one, or you can patch the conditional jump after.

After that you have the typical things you have done in your past crackmes. You check for the Softice files and some other things. There's a few new checks it seems, not sure what they are, I didn't look too deep into them. This block checks each string:

Code:
00013CA5   .  8B55 D8       MOV EDX,DWORD PTR SS:[EBP-28]
00013CA8   .  83C4 10       ADD ESP,10
00013CAB   .  52            PUSH EDX
00013CAC   .  68 C8270100   PUSH x.000127C8                          ;  UNICODE "DebugObject"
00013CB1   .  6A 01         PUSH 1
00013CB3   .  FF15 18110100 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>;  MSVBVM60.__vbaStrComp
00013CB9   .  66:85C0       TEST AX,AX
00013CBC   .  75 1A         JNZ SHORT x.00013CD8
00013CBE   .  8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
00013CC4   .  85C0          TEST EAX,EAX
00013CC6   .  7F 0A         JG SHORT x.00013CD2
00013CC8   .  8B85 74FFFFFF MOV EAX,DWORD PTR SS:[EBP-8C]
00013CCE   .  85C0          TEST EAX,EAX
00013CD0   .  7E 06         JLE SHORT x.00013CD8
00013CD2   >  FF15 20100100 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>] ;  MSVBVM60.__vbaEnd


I patched this by simply jumping over the whole check. Change the first conditional JNZ to JMP and it will skip it all.

Once those are done the exe should run. Fix the other checks for your specific needs though.

Continuing on..

EXE runs, I test a password and it closes the EXE when I click the button, but only when I'm hooked into the process with Olly, works fine elsewhere. I didn't track down what's the cause fully yet but if you have HideOlly plugin, just turn everything on and restart the exe and you can debug the command press.

After that, break on the compare and the password is:
ShutUpMalfoyILoveYouHagrid

_________________
- Retired.
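
Added example, not part of atom0s's post or the crackme: a Python helper that reads the PUSH sequences in the two ZwQueryInformationProcess listings above as stdcall arguments and names the information class each call requests. It assumes the VB DLL-call stub at 00012370 forwards the stack to the API unchanged; `decode_calls`, `as_int` and the lookup tables are hypothetical names.

```python
import re

# Two argument set-ups copied from the listings in the post above (one MOV
# kept to show that non-PUSH lines are skipped). Olly prints operands in hex.
LISTING = """\
00012F6D  |.  52            PUSH EDX
00012F6E  |.  6A 04         PUSH 4
00012F70  |.  50            PUSH EAX
00012F71  |.  6A 07         PUSH 7
00012F73  |.  897D E4       MOV DWORD PTR SS:[EBP-1C],EDI
00012F76  |.  6A FF         PUSH -1
00012F7E  |.  E8 EDF3FFFF   CALL the13tho.00012370
00012FDE   .  50            PUSH EAX
00012FDF   .  6A 18         PUSH 18
00012FE1   .  51            PUSH ECX
00012FE2   .  6A 00         PUSH 0
00012FE4   .  6A FF         PUSH -1
00012FEE   .  E8 7DF3FFFF   CALL x.00012370
"""

# ZwQueryInformationProcess parameters in declaration order.
PARAMS = ("ProcessHandle", "ProcessInformationClass", "ProcessInformation",
          "ProcessInformationLength", "ReturnLength")
INFO_CLASSES = {0x00: "ProcessBasicInformation", 0x07: "ProcessDebugPort"}

def as_int(token):
    """Hex immediate -> int; registers and other operands -> None."""
    try:
        return int(token, 16)
    except ValueError:
        return None

def decode_calls(listing):
    """Map the PUSHes before each CALL onto PARAMS. stdcall pushes right to
    left, so the last PUSH before the CALL is the first parameter."""
    calls, pushed = [], []
    for line in listing.splitlines():
        m = re.search(r"\b(PUSH|CALL)\s+(\S+)", line)
        if m and m.group(1) == "PUSH":
            pushed.append(m.group(2))
        elif m:
            args = dict(zip(PARAMS, reversed(pushed)))
            pushed = []
            cls = as_int(args.get("ProcessInformationClass", ""))
            args["site"] = line[:8]                      # address of the CALL
            args["class_name"] = INFO_CLASSES.get(cls, "unknown")
            args["length"] = as_int(args.get("ProcessInformationLength", ""))
            args["current_process"] = as_int(args.get("ProcessHandle", "")) == -1
            calls.append(args)
    return calls
```

`decode_calls(LISTING)` returns one record per call site; the second call's length of 0x18 is the size of a 32-bit PROCESS_BASIC_INFORMATION.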
Buggy
Advanced Cheater
Reputation: 0

Joined: 04 Jan 2008
Posts: 72
Location: Republic of Korea (South Korea)

Posted: Thu Mar 13, 2008 5:14 am    Post subject:

Wiccaan wrote:
Aww I have to say, kinda cute for you to name a function for me lol.


What I used to make it:

use CheckRemoteDebuggerPresent
check \\.\SICE and \\.\NTICE
use ZwSetInformationThread
use a function that works like IsDebuggerPresent
Code:
 
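Private Function IsUserNameWiccaan() As Long
    ' Declarations for ZwQueryInformationProcess, RtlMoveMemory, PROCESS_BASIC_INFORMATION
    ' and ProcessBasicInformation are not shown in the post and must exist in the module.
    Dim pbi As PROCESS_BASIC_INFORMATION
    Const CurrentProcess = -1&   ' pseudo-handle for the current process

    If ZwQueryInformationProcess(CurrentProcess, ProcessBasicInformation, pbi, Len(pbi), 0&) = 0& Then
        ' Copy one byte from PEB + 2 (the BeingDebugged flag) into the return value
        RtlMoveMemory IsUserNameWiccaan, ByVal pbi.PebBaseAddress + 2, 1&
    End If
End Function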

Actually I couldn't use it well because it was of type Long -_-
check DebugPort
check Hardware Breakpoints
use ZwQueryObject
check NtGlobalFlag

I can't remember the others, but anyway you cracked it in a very good way!

_________________

iroo sooo hooooot
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Thu Mar 13, 2008 3:56 pm    Post subject:

The name type is a long probably because it is a pointer. I'd have to look into it to be sure but yea.. probably a pointer. Anyway, keep up the fun work, your crackmes usually pose a challenge to actually make me do stuff :D
_________________
- Retired.
xMurtaghx
I post too much
Reputation: 1

Joined: 13 Apr 2008
Posts: 3611
Location: Gayville, South Dakota, 57031, United States of America

Posted: Mon Apr 14, 2008 5:52 pm    Post subject:

strange Crack me
_________________

Scania- Lvl 117 DK✔

WE WILL MISS GMS!
lurc
Grandmaster Cheater Supreme
Reputation: 2

Joined: 13 Nov 2006
Posts: 1900

Posted: Mon Apr 14, 2008 6:49 pm    Post subject:

xMurtaghx wrote:
strange Crack me


I really hope that Wiccaan gives you a warning for spamming the General Programming + CrackMe section.

_________________
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Mon Apr 14, 2008 6:53 pm    Post subject:

He is doing this all over the place, not just here; he joined yesterday and is already at 41 posts.
_________________

atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Tue Apr 15, 2008 3:40 am    Post subject:

DarkByte said he didn't need to give me access to moderating the CrackMe section so it's up to him to clean up the crap in here. I only have rights to GP and MP hacking.
_________________
- Retired.
All times are GMT - 6 Hours