juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Thu Oct 04, 2007 10:03 am, Post subject: Mine noob crackme
Hi there, can anyone crack my crackme? This should be quite easy. When you finish, post the addresses you used + a screenshot of it. I'll start giving tips if nobody can really crack it. I patch it every time someone reports that he cracked it (if I have the time and enough skill :). Post bugs etc. here too. The idea for the 2nd form goes to xPerfection, so rep+ for him.
//img514.imageshack.us/img514/7486/nimetn234ix1.jpg
Last edited by juppeli on Fri Oct 05, 2007 2:31 pm; edited 1 time in total
DeletedUser14087, I post too much, Reputation: 2, Joined: 21 Jun 2006, Posts: 3069
Posted: Thu Oct 04, 2007 11:11 am
Another one made in VB, lol.
juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Thu Oct 04, 2007 11:42 am
Yeah, cracked it?
DeletedUser14087, I post too much, Reputation: 2, Joined: 21 Jun 2006, Posts: 3069
Posted: Thu Oct 04, 2007 12:25 pm
juppeli wrote: "Yeah, cracked it?"
I can't; it has a bug: the pw is your local IP (start -> run -> cmd -> ipconfig) and it says it's wrong, lol.
juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Thu Oct 04, 2007 12:53 pm
Your local IP has to be right (so only one IP can go through without cracking) and the password needs to be right too, or what do you mean? The IP has nothing to do with the pw.
zart, Master Cheater, Reputation: 0, Joined: 20 Aug 2007, Posts: 351, Location: Russia
Posted: Thu Oct 04, 2007 12:56 pm
juppeli wrote: "Your local IP has to be right (so only one IP can go through without cracking) and the password needs to be right too, or what do you mean? The IP has nothing to do with the pw."
The first form checks your IP address against 10.169.69.69, then says "Wrong local ip. Your local ip is blah". This doesn't depend on the password you entered.
Though I haven't looked much further at it; I'd rather take a crack at talix's keygen.
_________________
0x7A 0x61 0x72 0x74
TEAM RESURRECTiON
haha01haha01, Grandmaster Cheater Supreme, Reputation: 0, Joined: 15 Jun 2007, Posts: 1233, Location: http://www.SaviourFagFails.com/
Posted: Fri Oct 05, 2007 12:33 am
COMPONENT MSWINSCK.OCX OR ONE OF ITS DEPENDENCIES NOT CORRECTLY REGISTERED: A FILE IS MISSING OR INVALID.
Oh well, that crackme was an easy one.
juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Fri Oct 05, 2007 6:32 am
So has anyone actually cracked it? What addresses did you use for it?
SunBeam, I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania
Posted: Fri Oct 05, 2007 2:09 pm
The only good message is when you see "WRONG". Not to mention the 2nd hidden form, which can easily be swapped in to be loaded instead of the first one. As for injection:
Looky looky:
juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Fri Oct 05, 2007 2:31 pm
Yeah, but the 2nd form also verifies the 1st form's information; if it's wrong, it shuts down (as a tip).
SunBeam, I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania
Posted: Fri Oct 05, 2007 2:38 pm
Okay. I'm not familiar with VB, but...
Run your application in Olly. After you run it, go to this address: 71AB4054 (WS2_32.dll+4054, in case you're on a different OS than XP SP2). Right click, choose "Breakpoint" > "Hardware, on execution". Restart the application and run it. Olly should break there.
Pop up CE, Memory View, Ctrl+A and add the script below:
Code:
[ENABLE]
alloc(myIP,128)
alloc(cave,128)
label(back)

myIP:
// "10.169.69.69" followed by a NUL terminator. The original listing showed the
// terminator as the disassembled instruction "add [eax],al", which is just bytes 00 00.
db 31 30 2E 31 36 39 2E 36 39 2E 36 39 00

cave:
push esi               // preserve ESI: rep movsb below advances it past myIP
push edi
push ecx
mov edi,esi            // EDI = the buffer WS2_32 is about to return in EAX
mov esi,myIP           // ESI = our forged string
mov ecx,D              // CE numbers are hex: 0xD = 13 bytes (12 chars + NUL)
rep movsb              // overwrite the buffer in place with "10.169.69.69"
pop ecx
pop edi
pop esi
mov eax,esi            // original instruction 1, displaced by the 5-byte jmp
mov ecx,[ebp-4]        // original instruction 2
jmp back

WS2_32.dll+4054:
jmp cave               // 5 bytes, exactly covers the two displaced instructions
back:

[DISABLE]
WS2_32.dll+4054:
mov eax,esi
mov ecx,[ebp-4]
dealloc(myIP)
dealloc(cave)
Then from the File menu, Assign to table. Once assigned, enable it. What the script does is change the IP returned by the WS2_32 lib to "10.169.69.69" (the one you compare to). After that, I tried to understand wtf the VB functions do (can't find any fucking decent documentation on these functions: __vbaVarCmpEq, __vbaVarAnd and __vbaBoolVarNull)...
From decompiling and analysis:
Code:
loc_00402DD5: xor ebx,ebx
...............
loc_004030A0: var_000000D4 = 11
...............
loc_004030FC: var_0000009C = ""
loc_00403119: var_000000A4 = &H8008
loc_00403123: var_74 = "" & ""
loc_00403131: var_00000084 = "" & ""
loc_0040313F: var_00000094 = "" & ""
loc_00403149: call MSVBVM60.DLL.__vbaVarCmpEq("", var_00000094, var_000000A4, var_000000D4)
loc_00403157: call And("", MSVBVM60.DLL.__vbaVarCmpEq("", var_00000094, var_000000A4, var_000000D4))
loc_0040315E: call MSVBVM60.DLL.__vbaBoolVarNull(And("", MSVBVM60.DLL.__vbaVarCmpEq("", var_00000094, var_000000A4, var_000000D4)))
loc_00403169: call MSVBVM60.DLL.__vbaFreeStr
loc_004031AF: If MSVBVM60.DLL.__vbaBoolVarNull(And("", MSVBVM60.DLL.__vbaVarCmpEq("", var_00000094, var_000000A4, var_000000D4))) <> ebx Then
loc_004031BB: If 00409010h = ebx Then
loc_004031C7: CreateObject(00401E5Ch, 00409010h)
loc_004031CD: End If
loc_004031D6: call ecx+000002B4h(00409010h)
loc_004031E0: If ecx+000002B4h(00409010h) < ebx Then
loc_004031EE: call MSVBVM60.DLL.__vbaHresultCheckObj(ecx+000002B4h(00409010h), 00409010h, 00402414h, 000002B4h)
loc_004031F4: End If
loc_004031FA: If 00409024h = ebx Then
loc_00403206: CreateObject(00401AA8h, 00409024h)
loc_0040320C: End If
Now maybe you can explain to me how the hell this can happen here:
- first, EBX == 0
- then, if you look at the pic:
a) if I want to be able to start the 2nd form (Form2), there are two ways to do it:
- either make 40315E return 1 in EAX, at which point, if you follow the code, at 403167 EAX gets moved into ESI, and later on, at 4031AC, there is a compare (cmp SI, BX); ESI would be 1 from earlier, while EBX is 0
- and what puzzles me next is the instruction at 4031B5: cmp [static],ebx; as I mentioned earlier, from 402DD5 on, EBX doesn't change value any longer, so that compare will always fail T_T...
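SunBeam's script hooks WS2_32.dll+4054 with a 5-byte jmp into a code cave, overwrites the buffer the function is about to return, re-executes the two displaced instructions and jumps back. The Python helper below is an added example, not part of this thread and not Cheat Engine code; it models the byte-level part of that detour for any hook site rather than just this one: it encodes the E9 rel32 jump, checks that the bytes the jump overwrites end on an instruction boundary (so the cave can re-execute them whole), pads with NOPs when the displaced instructions run past 5 bytes, and builds the cave tail. The WS2_32 base (0x71AB0000 on XP SP2), the hook offset and the site bytes come from the post; the cave address 0x10000000 is an assumed stand-in for whatever CE's alloc() returned, and the tiny length decoder handles only the opcodes that occur at this site and refuses anything else.

```python
import struct

# From the post: WS2_32.dll loads at 0x71AB0000 on XP SP2, hook is at +0x4054.
HOOK = 0x71AB0000 + 0x4054
# Assumed stand-in for the address CE's alloc(cave,128) handed back.
CAVE = 0x10000000
# Forged IP exactly as the script stores it: 12 ASCII bytes plus NUL = 0xD bytes.
FORGED_IP = b"10.169.69.69\x00"

# Bytes at HOOK that the jmp overwrites (the [DISABLE] section restores them):
#   8B C6      mov eax,esi
#   8B 4D FC   mov ecx,[ebp-4]
SITE_BYTES = bytes.fromhex("8BC68B4DFC")

JMP_LEN = 5  # E9 rel32
NOP = b"\x90"


def insn_len(code: bytes, pos: int = 0) -> int:
    """Length of the instruction at code[pos].

    Deliberately tiny: it knows E9 (jmp rel32) and the mov opcodes 89/8B
    with a ModRM (+SIB/displacement), which is all that occurs at the hook
    site. Anything else raises instead of guessing, because a wrong length
    means the jmp splits an instruction and the cave re-executes garbage.
    """
    op = code[pos]
    if op == 0xE9:
        return 5
    if op not in (0x89, 0x8B):
        raise ValueError(f"opcode {op:02X} at +{pos} not supported by this decoder")
    modrm = code[pos + 1]
    mod, rm = modrm >> 6, modrm & 7
    n = 2
    if mod != 3 and rm == 4:            # SIB byte follows the ModRM
        n += 1
        if mod == 0 and (code[pos + 2] & 7) == 5:
            n += 4                      # [disp32 + index*scale] with no base
    if mod == 1:
        n += 1                          # disp8, e.g. [ebp-4]
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                          # disp32
    return n


def stolen_len(code: bytes, need: int = JMP_LEN) -> int:
    """Smallest whole-instruction prefix of `code` that covers `need` bytes."""
    n = 0
    while n < need:
        n += insn_len(code, n)
    return n


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` for a jump whose first byte sits at address src."""
    rel = dst - (src + JMP_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target not reachable with rel32")
    return b"\xE9" + struct.pack("<i", rel)


def jmp_target(src: int, code: bytes) -> int:
    """Destination of the E9 jmp whose 5 bytes start at address src."""
    if len(code) < JMP_LEN or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return src + JMP_LEN + struct.unpack("<i", code[1:JMP_LEN])[0]


def build_detour(hook: int, cave: int, site: bytes, payload: bytes = b""):
    """Return (bytes to write at hook, bytes to write at cave).

    The cave runs `payload` (opaque machine code supplied by the caller, such
    as the IP-copying routine in the script), then the displaced original
    instructions, then jumps back to the first instruction the patch left
    untouched. Extra displaced bytes at the hook site become NOPs so that a
    jump into the middle of the patch still lands on a valid instruction.
    """
    n = stolen_len(site)
    site_patch = jmp_rel32(hook, cave) + NOP * (n - JMP_LEN)
    cave_code = payload + site[:n]
    cave_code += jmp_rel32(cave + len(cave_code), hook + n)
    return site_patch, cave_code


if __name__ == "__main__":
    patch, cave = build_detour(HOOK, CAVE, SITE_BYTES)
    print("write at hook:", patch.hex(" "), "->", hex(jmp_target(HOOK, patch)))
    print("write at cave:", cave.hex(" "))
    print("cave jumps back to", hex(jmp_target(CAVE + len(cave) - JMP_LEN, cave[-JMP_LEN:])))
```

For the site in the post the two displaced instructions are exactly 2 + 3 = 5 bytes, so no NOP padding is needed and `back:` lands on WS2_32.dll+4059; a site whose instructions straddle the 5-byte mark gets padded instead. The `payload` argument is left to the caller on purpose: hand-encoding the register-copying routine is where most detour bugs live, and the script's own cave shows the register-preservation discipline (push/pop everything the payload touches) that any such payload needs.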
haha01haha01, Grandmaster Cheater Supreme, Reputation: 0, Joined: 15 Jun 2007, Posts: 1233, Location: http://www.SaviourFagFails.com/
Posted: Sat Oct 06, 2007 6:05 am
O_O
Again SunBeam pwned everyone here.
SunBeam, I post too much, Reputation: 65, Joined: 25 Feb 2005, Posts: 4022, Location: Romania
Posted: Sat Oct 06, 2007 4:46 pm
Not really, because the only way I'd "crack" it would be to force the 2nd form to load up.
DeletedUser14087, I post too much, Reputation: 2, Joined: 21 Jun 2006, Posts: 3069
Posted: Sun Oct 07, 2007 6:07 am
SunBeam wrote: "Not really, because the only way I'd "crack" it would be to force the 2nd form to load up."
Wouldn't that count as patching?
juppeli, Newbie cheater, Reputation: 0, Joined: 04 Jun 2007, Posts: 13
Posted: Sun Oct 07, 2007 7:09 am
I don't care how you crack it.