Cheat Engine Forum, The Official Site of Cheat Engine
 
The crackme I made in 15 minutes

 
Cheat Engine Forum Index -> General programming -> Crackmes
YoungDragon, Grandmaster Cheater Supreme
Posted: Fri Jan 02, 2015 1:11 pm
Post subject: The crackme I made in 15 minutes

I was bored and wanted to learn how to reverse engineer. Didn't feel like using other people's programs so I created this. Took me a little over an hour to find my key, probably because I literally went through every freaking bit of assembly in Olly.


Anyways, here it is: Download

If you're paranoid as fuck that it has a virus: Jotti Scan


    So your name must be at least 15 characters.
    Each name will have a different code.
    Name will not change with code.
    To see if you get it, post your name and code, then I'll check if it works on my computer.


Good luck, crackers.

_________________
I'm a dirty Riven main stuck in Gold.
atom0s, Moderator
Posted: Fri Jan 02, 2015 11:53 pm

Name: ThisIsMySuperLongName
Key: GsrhRhNbHfkviOlmtMznv

To find any key for any name, set a breakpoint here:
Code:
004043DC  |.  FFD3          CALL EBX ; MSVBVM60.__vbaStrCmp

First value on the stack is the real password, second is the one entered by the user.

_________________
- Retired.
YoungDragon, Grandmaster Cheater Supreme
Posted: Sat Jan 03, 2015 2:20 am

We have a winner!!

Do you mind explaining how exactly you got that? I'm a noob at this and I'd like to learn more about it. My process takes about 15 minutes.

atom0s, Moderator
Posted: Sat Jan 03, 2015 3:02 am

This is basically my process of looking at a crackme:

1. Determine the file type and if it is packed or not.
Typically for this I load up the file in PEiD, ProtectionID, Detect It Easy, etc., mainly to determine if the file is packed. If not, PEiD is typically enough to tell what the file was compiled with. This is usually the best heads-up on what to expect with the crackme / keygenme application.

If the app is .NET and not packed, we can just open it in apps like ILSpy, DotPeek, Reflector etc.
If the app is not .NET then we have to debug / disassemble it in apps like OllyDbg, IDA, etc.

In this case your app was VB5/6 so we can just debug it in OllyDbg fairly easily.

2. Locating the important function for the keygenning.

Typically the first step for this is just looking at the string references. Look for common messages like "Invalid key", "Error", etc. Run the file and enter bad input and see what the message says and look for that, and so on. If we can find that, then we can just follow the string reference to the code that uses it to get us where we want to be.

In this case with your app, we can use the strings like "Name is too short" or "Bad characters were used" etc.

3. Debugging The App

The last step I normally take with a VB5/6 app is debugging. Look for common things that pertain to Visual Basic apps. All of the typical functions in a VB5/6 app end up making calls to the VB runtime. By this, I mean things like this:
- Checking a strings length calls: MSVBVM60.__vbaLenBstr
- Comparing two strings calls: MSVBVM60.__vbaStrCmp
- Copying a string to another calls: MSVBVM60.__vbaStrCopy
- Concatting a string calls: MSVBVM60.__vbaStrCat

And so on. So we use these as helper functions to locate common things in a crackme / keygen me.

In a lot of cases, basic apps that want a key will have a simple if check.
Code:
If str1 = str2 Then
    ...
End If

And so on. So the first thing to look into is finding calls to __vbaStrCmp.

Another thing to look at with your app: you are doing a huge loop to check and create the key char by char over the string. So we can follow the loop till the end to find the branches it can end up falling into.

So at the end of the loop we see a few blocks; one tells us if a bad character was entered. Another uses a __vbaStrCmp call. So we look at the __vbaStrCmp call block:
Code:
CPU Disasm
Address   Hex dump          Command                                  Comments
004043D4  |> \8B45 D8       MOV EAX,DWORD PTR SS:[EBP-28]            <-- This is the user inputted key..
004043D7  |.  8B4D E4       MOV ECX,DWORD PTR SS:[EBP-1C]            <-- This is the real generated key..
004043DA  |.  50            PUSH EAX
004043DB  |.  51            PUSH ECX
004043DC  |.  FFD3          CALL EBX                                 ; MSVBVM60.__vbaStrCmp <-- We set our breakpoint here..


At this point we can look at the stack and see the two values that are of interest to us.

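The stack inspection atom0s describes at the `__vbaStrCmp` call, as an added example that is not part of the original thread or of the crackme: `__vbaStrCmp` takes two BSTR pointers, so after `PUSH EAX` (user key) and `PUSH ECX` (real key) the real key sits at [ESP] and the user key at [ESP+4], which is why "first value on the stack is the real password". A BSTR pointer points at UTF-16LE text, with the 4-byte byte length stored just before it, so a debugger shows the string as wide characters and the length one dword earlier. The memory snapshot below is constructed (the addresses, the two mapped regions and the "wrongkey" input are assumptions; the real key is the one posted in the thread) so the script runs offline and reproduces what the stack window is telling you.

```python
import struct


class Memory:
    """A flat 32-bit address space built from a few mapped regions (constructed for the demo)."""

    def __init__(self):
        self._regions = []  # list of (base address, bytearray)

    def map(self, base: int, size: int) -> None:
        self._regions.append((base, bytearray(size)))

    def _locate(self, addr: int, size: int):
        for base, buf in self._regions:
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def write(self, addr: int, data: bytes) -> None:
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read(self, addr: int, size: int) -> bytes:
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]


def make_bstr(text: str) -> bytes:
    """Lay out a BSTR as the VB runtime stores it: 4-byte byte length, UTF-16LE payload, 2-byte NUL."""
    payload = text.encode("utf-16-le")
    return struct.pack("<I", len(payload)) + payload + b"\x00\x00"


def place_bstr(mem: Memory, addr: int, text: str) -> int:
    """Write a BSTR at addr and return the pointer VB holds, which skips the length prefix."""
    mem.write(addr, make_bstr(text))
    return addr + 4


def read_bstr(mem: Memory, ptr: int) -> str:
    """Decode a BSTR the way you would read it off the stack: length at ptr-4, text at ptr."""
    if ptr == 0:          # VB passes NULL for an empty string
        return ""
    nbytes = mem.u32(ptr - 4)
    return mem.read(ptr, nbytes).decode("utf-16-le")


def vba_strcmp_args(mem: Memory, esp: int):
    """At `CALL EBX ; MSVBVM60.__vbaStrCmp`: [ESP] = real key (ECX), [ESP+4] = user key (EAX)."""
    return read_bstr(mem, mem.u32(esp)), read_bstr(mem, mem.u32(esp + 4))


def build_snapshot(user_input: str = "wrongkey"):
    """Constructed process state at the breakpoint; addresses are assumptions, not from the crackme."""
    mem = Memory()
    mem.map(0x00150000, 0x1000)   # heap-like region holding the two BSTRs
    mem.map(0x0012F000, 0x1000)   # stack
    real = place_bstr(mem, 0x00150100, "GsrhRhNbHfkviOlmtMznv")  # key posted in the thread
    user = place_bstr(mem, 0x00150200, user_input)
    esp = 0x0012FF70
    esp -= 4
    mem.write(esp, struct.pack("<I", user))   # PUSH EAX  (user-entered key)
    esp -= 4
    mem.write(esp, struct.pack("<I", real))   # PUSH ECX  (generated key)
    return mem, esp


if __name__ == "__main__":
    mem, esp = build_snapshot()
    real_key, user_key = vba_strcmp_args(mem, esp)
    print(f"[ESP]   real key: {real_key}")
    print(f"[ESP+4] user key: {user_key}")
```

The order matters: if the compiler had pushed the operands the other way round, [ESP] would be the user's input, so confirm which register was loaded from which local (here EBP-1C is the generated key) before trusting the "first value" rule on a different binary.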
Cryptokun, Newbie cheater
Posted: Sun Jan 04, 2015 2:05 pm

atom0s is pretty right.

Once you have established whether or not the target is packed or protected, and depending on how strong your ASM knowledge is, you can usually jump straight into IDA and start playing around with the disassembled code (the decompilers are a big help as well when dealing with x64 targets if you can afford them or find a cracked copy).

The easiest method, once again as atom0s stated, is to look for strings, which is probably easier in IDA than it is in Olly (at least in my opinion after a lot of IDA usage).
Once you have found a string relating to your target (e.g. "Invalid License", "Invalid Code", "Serial is blacklisted", "Demo Copy", bla, bla, bla) you can trace through the code easily and rip the asm to create a keygen for it, or patch it directly to accept any key.

The above is assuming that the target is not obfuscated (which might encode the strings using something like hex characters). In that case there is a whole lot of hurting to be expected, haha.
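A keygen in the sense Cryptokun describes, added here as an example and not taken from the thread or from the crackme's code. The single name/key pair posted above ("ThisIsMySuperLongName" -> "GsrhRhNbHfkviOlmtMznv") is consistent with an Atbash substitution (A<->Z, B<->Y, and so on, case preserved); that is an observation from one data point, not something the thread confirms, so the script assumes it only for demonstration, together with the 15-character minimum stated in the first post and an assumed letters-only rule behind the "Bad characters were used" message. The way to confirm a guessed rule is exactly the breakpoint atom0s gave: generate a key, run the binary with it and compare the two BSTRs at the `__vbaStrCmp` call.

```python
MIN_NAME_LEN = 15  # stated in the first post


def atbash_char(ch: str) -> str:
    """Map A<->Z, B<->Y, ... preserving case. Letters-only is an assumption of this example."""
    if "a" <= ch <= "z":
        return chr(ord("a") + ord("z") - ord(ch))
    if "A" <= ch <= "Z":
        return chr(ord("A") + ord("Z") - ord(ch))
    raise ValueError(f"Bad characters were used: {ch!r}")


def keygen(name: str) -> str:
    """Assumed rule: the key is the Atbash of the name (observed from the one posted pair)."""
    if len(name) < MIN_NAME_LEN:
        raise ValueError("Name is too short")
    return "".join(atbash_char(c) for c in name)


def check_key(name: str, key: str) -> bool:
    """What the binary's __vbaStrCmp block decides, under the assumed rule."""
    try:
        return keygen(name) == key
    except ValueError:
        return False


if __name__ == "__main__":
    name = "ThisIsMySuperLongName"
    print(name, "->", keygen(name))
```

Atbash is its own inverse, so `keygen(keygen(name))` returns the name; if the real routine were not an involution the posted pair could still match by coincidence on these 21 letters, which is why a second name checked against the live binary is needed before calling the rule solved.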
All times are GMT - 6 Hours