Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
[crackme] My take on a crackme
Cheat Engine Forum Index -> General programming -> Crackmes
Page 2 of 2
john0312
Grandmaster Cheater
Reputation: 0

Joined: 07 Jan 2006
Posts: 713
Location: QW5nbGljYW4g SGlnaCBTY2 hvb2wgKD FMJzA1LD JMJzA2 KSwgU2l uZ2Fwb3 Jl

Posted: Mon Mar 05, 2007 12:11 am

x0r wrote:

1. You spelled suing incorrectly.

2. The word "but" cannot be used to start any text. (as you did in your last sentence with the text in brackets) Nor do you capitalize the first word in bracketed text.

3. What are you going to do in retaliation, John? Raid my bank account?!


1&2: THANKS! For the grammar correction(s)!

3: Teach you math!

_________________
Pardon me for my English, I failed them when I was in Primary School.
My blog: http://john0312.wordpress.com/
Windows Vista is bad, DO NOT USE! If you disagree, feel free to argue with me through PM, GTalk or MSN.
Ungreat
Expert Cheater
Reputation: 0

Joined: 27 Feb 2007
Posts: 215

Posted: Mon Mar 05, 2007 12:17 am

Quote:
So, if you break in one of those functions, and rerun, it probably won't hit your break. Once you realize that and break on all of them,
you simply need to look at the stack and BP right before the call to his semi-randomly chosen function. Then you just rerun and step into the algorithm :-/ Although the first algorithm still seems to be a dummy.


I just fed the parameter an address from the PE Header.

Although I notice you put a bunch of code that seemingly does absolutely nothing (so that you do math, then figure out that you didn't need to).

Easy to be able to always know where to go through the arithmetic, but I personally haven't even gone through all of it.

_________________
Code:
mov     r10, qword ptr [rsp+0A28h+arg_5F8]
shl     rdx, 20h
mov     r11, 7010008004002001h
or      rax, rdx
mov     rcx, r10
xor     rcx, rax
lea     rax, [rsp+0A28h+var_2C8]
Oh man, I'm getting too excited
john0312
Grandmaster Cheater
Reputation: 0

Joined: 07 Jan 2006
Posts: 713
Location: QW5nbGljYW4g SGlnaCBTY2 hvb2wgKD FMJzA1LD JMJzA2 KSwgU2l uZ2Fwb3 Jl

Posted: Mon Mar 05, 2007 12:19 am

x0r wrote:

Ok, let's start...

2 * 4 = 7?


Yes! Smart boy!
Now factorize 902500741514911744795597682857932974663738117798516957863326199

nog_lorp
Grandmaster Cheater
Reputation: 0

Joined: 26 Feb 2006
Posts: 743

Posted: Mon Mar 05, 2007 12:24 am

Ungreat wrote:
Quote:
So, if you break in one of those functions, and rerun, it probably won't hit your break. Once you realize that and break on all of them,
you simply need to look at the stack and BP right before the call to his semi-randomly chosen function. Then you just rerun and step into the algorithm :-/ Although the first algorithm still seems to be a dummy.


I just fed the parameter an address from the PE Header.

Although I notice you put a bunch of code that seemingly does absolutely nothing (so that you do math, then figure out that you didn't need to).

Easy to be able to always know where to go through the arithmetic, but I personally haven't even gone through all of it.


Well, the first function just converts the string into an integer, stolen from online -_-. Yeah, some of the math is a red herring, I thought it was pretty cool though: (random) shift right, shift left, leaves you with an even number, then modulo 2 makes it 0. But (screw x0r, I say but when I want) most of the math has an effect.

Yeah, once you figure out the random function choice it should be easy to circumvent. I was actually hoping it would look like it was dynamic, but oh well.

~nog_lorp

_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
Ungreat
Expert Cheater
Reputation: 0

Joined: 27 Feb 2007
Posts: 215

Posted: Mon Mar 05, 2007 12:30 am

What would you define as looking dynamic?

At least you hid your arguments/parameters from the average noob (mov [esp],eax <- eax of course being the password).

Call EAX looked dynamic enough to me to BP it the first time. I was correct in doing so, as stated before ^^

SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4022
Location: Romania

Posted: Mon Mar 05, 2007 3:23 am

Next time don't use so many algorithms at all. I doubt you even know your own password -.-
Quote:
# 1st "layer"

MOV EAX,DWORD PTR SS:[EBP+8] //my key (considering the compared against is B1940, guess what we do next...)
XOR EAX,5555
NOT EAX
MOV DWORD PTR SS:[EBP+8],EAX

CALL <JMP.&msvcrt.rand>

# 2nd "layer"

MOV EAX,DWORD PTR SS:[EBP+8]
ADD EAX,EAX //eax*2
NOT EAX
MOV DWORD PTR SS:[EBP-4],EAX //put output in the buffer
CMP DWORD PTR SS:[EBP-4],0
JNS SHORT cracknog.00401376
ADD DWORD PTR SS:[EBP-4],3 //add 3 to it
MOV EDX,DWORD PTR SS:[EBP-4] //put result in EDX
SAR EDX,2 //sar it with 2
MOV EAX,EDX //and put it in EAX
SHL EAX,2 //then shl it with 2
ADD EAX,EDX //and dump it in EAX

The compare is done against EAX (CMP EAX,DWORD PTR SS:[EBP-4])

I think this would be the way to solve it, correct my mistakes...
Quote:

mov [ebp+8],b1940
mov edx,[ebp+8]
shl edx,2
mov eax,edx
shr eax,2
sub eax,edx
neg eax
sub eax,eax
neg eax
xor eax,5555

You fix it...
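Worked emulation of the two arithmetic "layers" listed in the post above, added here as an example; it is not code from the thread or from the crackme binary. It re-implements the listed instructions on 32-bit two's-complement values, so a reader can feed a candidate parsed integer and see what EAX and [EBP-4] hold at the final CMP EAX,[EBP-4] instead of working the XOR/NOT/SAR chain by hand. Assumptions, none of which the page confirms: the input is already the integer that the first function parses from the entered string, the rand() call between the layers does not feed into the listed instructions (its return value is not used in the listing), and the JNS target 00401376 is the MOV EDX,[EBP-4] that follows the ADD. The random function selection other posters describe is outside this listing and is not modelled. Function names and the sample inputs are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulated register/stack state at the final CMP EAX,[EBP-4]. */
struct layer_result {
    int32_t eax;    /* EAX: ([EBP-4] SAR 2) * 5, built with SHL/ADD */
    int32_t ebp_4;  /* [EBP-4] after the optional ADD 3 */
    int     equal;  /* ZF of the CMP: 1 when EAX == [EBP-4] */
};

/* x86 SAR on a 32-bit value, written without relying on the
   implementation-defined behaviour of >> on negative signed ints. */
static uint32_t sar32(uint32_t v, unsigned n)
{
    uint32_t r = v >> n;
    if (v & 0x80000000u)
        r |= ~(0xFFFFFFFFu >> n);   /* replicate the sign bit */
    return r;
}

/* 1st "layer": MOV EAX,[EBP+8]; XOR EAX,5555; NOT EAX; MOV [EBP+8],EAX */
static uint32_t layer1(uint32_t key)
{
    uint32_t eax = key;
    eax ^= 0x5555u;
    eax = ~eax;
    return eax;
}

/* 2nd "layer", from MOV EAX,[EBP+8] up to and including the CMP */
static struct layer_result layer2(uint32_t key_after_layer1)
{
    struct layer_result r;
    uint32_t eax = key_after_layer1;
    uint32_t ebp_4, edx;

    eax += eax;               /* ADD EAX,EAX  (key * 2, wraps at 32 bits) */
    eax = ~eax;               /* NOT EAX */
    ebp_4 = eax;              /* MOV [EBP-4],EAX */
    if (ebp_4 & 0x80000000u)  /* CMP [EBP-4],0 ; JNS skips the ADD */
        ebp_4 += 3;           /* ADD [EBP-4],3 (signed-divide rounding fix) */
    edx = ebp_4;              /* MOV EDX,[EBP-4] */
    edx = sar32(edx, 2);      /* SAR EDX,2 */
    eax = edx;                /* MOV EAX,EDX */
    eax <<= 2;                /* SHL EAX,2 */
    eax += edx;               /* ADD EAX,EDX  -> EAX = EDX * 5 */

    r.eax = (int32_t)eax;
    r.ebp_4 = (int32_t)ebp_4;
    r.equal = (eax == ebp_4); /* CMP EAX,[EBP-4] */
    return r;
}

/* Run both layers on one parsed key; returns 1 if the final CMP sets ZF. */
int check_key(uint32_t key, struct layer_result *out)
{
    struct layer_result r = layer2(layer1(key));
    if (out) *out = r;
    return r.equal;
}

int32_t final_eax(uint32_t key)   { struct layer_result r; check_key(key, &r); return r.eax; }
int32_t final_ebp_4(uint32_t key) { struct layer_result r; check_key(key, &r); return r.ebp_4; }

int main(void)
{
    /* Constructed sample inputs; B1940 is the value named in the post. */
    uint32_t samples[] = { 0x0u, 0xB1940u, 0x5557u, 0x5552u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct layer_result r;
        int ok = check_key(samples[i], &r);
        printf("key=0x%08X  EAX=%d  [EBP-4]=%d  ZF=%d\n",
               (unsigned)samples[i], r.eax, r.ebp_4, ok);
    }
    return 0;
}
```

Reading the emulation: for an input whose NOT-of-double stays non-negative, the check reduces to EAX = 5 * ([EBP-4] SAR 2) against [EBP-4], which is why stepping the arithmetic with a real candidate is faster than inverting it symbolically. To test a different reading of the listing (for example if 00401376 turns out to be elsewhere), change only layer2 and re-run.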
nog_lorp
Grandmaster Cheater
Reputation: 0

Joined: 26 Feb 2006
Posts: 743

Posted: Mon Mar 05, 2007 9:35 am

Unsure if that is correct, I haven't solved it myself yet. But the end value it checks is taken from the initial value I input, so I know the solution. It's digits from an irrational mathematical constant.

~nog_lorp

All times are GMT - 6 Hours