sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Wed Mar 05, 2008 4:46 pm Post subject: Crackme~~ |
|
|
Well, I'm back with a crackme not written in .NET this time. It only took me 5 min to make, so you can probably solve it fast.
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
HolyBlah Master Cheater Reputation: 2
Joined: 24 Aug 2007 Posts: 446
|
Posted: Thu Mar 06, 2008 6:15 am Post subject: |
|
|
The first box is 8 letters
The second box is "Watzup?" + every letter in the first box - 31
so for "BlahRulez" in the first box the second box will be: "Watzup?#MBI3VMF["
Last edited by HolyBlah on Fri Mar 07, 2008 1:55 am; edited 1 time in total |
sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Thu Mar 06, 2008 6:51 am Post subject: |
|
|
HolyBlah wrote: | The first box is 8 letters
The second box is "Watzup?" + every letter in the first box - 32
so for "BlahRulez" in the first box the second box will be: "Watzup?#MBI3VMF["
|
You did it! But do you mind telling me how?
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
HolyBlah Master Cheater Reputation: 2
Joined: 24 Aug 2007 Posts: 446
|
Posted: Thu Mar 06, 2008 6:56 am Post subject: |
|
|
BP on __vbaStrCmp
sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Thu Mar 06, 2008 7:06 am Post subject: |
|
|
HolyBlah wrote: | BP on __vbaStrCmp |
"BP"?? Sorry, I'm not that much into crackme stuff.
Well, I'm guessing by BP you mean breakpoint, but how do you find "vbaStrCmp" in OllyDbg? (I'm guessing that is what you used.)
EDIT: I found
Code: | 0040117C .-FF25 4C104000 JMP DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>; MSVBVM60.__vbaStrCmp |
I'm guessing that is what you're talking about, and I put a toggle breakpoint on there and it looks like it does nothing to me.
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Thu Mar 06, 2008 3:59 pm Post subject: |
|
|
BP stands for breakpoint.
_________________
- Retired. |
sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Thu Mar 06, 2008 7:13 pm Post subject: |
|
|
Wiccaan wrote: | BP stands for breakpoint. |
Ya, but I put a breakpoint where you said and it doesn't do anything different with the program.
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Thu Mar 06, 2008 10:14 pm Post subject: |
|
|
First thing you did was check the length, which was 8 chars long and the message was:
Code: | 00401FAF . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],Crackme_.00401>; UNICODE "sorry too short" |
Looking above that, you have:
Code: | 00401F61 > \8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00401F64 . 52 PUSH EDX
00401F65 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00401F6B . 33C9 XOR ECX,ECX
00401F6D . 83F8 08 CMP EAX,8
00401F70 . 0F9CC1 SETL CL
00401F73 . F7D9 NEG ECX
00401F75 . 8BF1 MOV ESI,ECX
00401F77 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00401F7A . FFD7 CALL EDI |
Which checks the length of the string and compares it to 8. The compare gives it away on how much it wants in size after the LenBstr.
Further down you have:
Code: | 004021E7 > \8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30]
004021EA . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004021ED . 51 PUSH ECX
004021EE . 52 PUSH EDX
004021EF . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp |
Break on the last line of that and you see:
ECX = bottom box value.
EDX = real value which is Watzup?BBBBBBBB
Enter the password in the bottom box and you win.
Mind you the first box was the compare for the size, you can apparently enter anything in the first box as long as it matches the new value of the 2nd.
Each or so passwords:
Top: aaaaaaaa
Bottom: Watzup?BBBBBBBB
Top: bbbbbbbb
Bottom: Watzup?CCCCCCCC
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.
_________________
- Retired. |
HolyBlah Master Cheater Reputation: 2
Joined: 24 Aug 2007 Posts: 446
|
Posted: Fri Mar 07, 2008 1:59 am Post subject: |
|
|
Wiccaan wrote: | Bottom is always Watzup? then 8 letters of +1 to the top box letters spot. | It's not +1, it is -31.
Code: | 00402103 . 52 PUSH EDX
00402104 . FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040210A . 50 PUSH EAX
0040210B . FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402111 . 66:2D 1F00 SUB AX,1F
00402115 . 8D4D 88 LEA ECX,DWORD PTR [EBP-78]
00402118 . 0F80 7A020000 JO Crackme_.00402398
0040211E . 0FBFC0 MOVSX EAX,AX
00402121 . 50 PUSH EAX
00402122 . 51 PUSH ECX
00402123 . FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi |
for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"
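The check discussed in this thread, modelled in Python as an added example (it is not part of the original posts and not the crackme's own code). The function names are hypothetical, and the "8 or more characters" rule is an assumption read from the `CMP EAX,8` / `SETL CL` pair quoted earlier in the thread.

```python
# Added illustration, not the crackme's own code. Function names are
# hypothetical; the constants are read from the listings quoted in the thread.

PREFIX = "Watzup?"  # fixed prefix seen in EDX at the __vbaStrCmp breakpoint
OFFSET = 0x1F       # SUB AX,1F: each character code is reduced by 31
MIN_LEN = 8         # CMP EAX,8 / SETL CL: fewer than 8 chars is "too short"


def expected_bottom(top: str) -> str:
    """Build the string the bottom box is compared against."""
    if len(top) < MIN_LEN:
        raise ValueError("sorry too short")
    out = []
    for ch in top:
        code = ord(ch) - OFFSET  # rtcAnsiValueBstr, then SUB AX,1F
        if not 0 <= code <= 0xFF:
            # Assumption: codes outside the one-byte range are rejected here;
            # the thread does not show what the program does with them.
            raise ValueError(f"character {ch!r} is outside the modelled range")
        out.append(chr(code))    # rtcVarBstrFromAnsi
    return PREFIX + "".join(out)


def plus_one_guess(top: str) -> str:
    """The "+1" reading: next letter, upper-cased (a -> B, b -> C)."""
    return PREFIX + "".join(chr(ord(ch) + 1).upper() for ch in top)


def check(top: str, bottom: str) -> bool:
    """Model of the final __vbaStrCmp between the two values."""
    return expected_bottom(top) == bottom


def demo() -> dict:
    """Compare both readings on the inputs used in the thread."""
    samples = ["aaaaaaaa", "bbbbbbbb", "@@@@@@@@", "BlahRulez"]
    # For a-y the rules agree because c - 31 == (c + 1) - 32 and subtracting
    # 32 upper-cases an ASCII letter; for any other character they differ.
    return {s: (expected_bottom(s), plus_one_guess(s)) for s in samples}


if __name__ == "__main__":
    for top, (real, guess) in demo().items():
        print(f"{top!r}: real={real!r} +1 guess={guess!r} same={real == guess}")
```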
sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Fri Mar 07, 2008 7:16 am Post subject: |
|
|
HolyBlah wrote: | Wiccaan wrote: | Bottom is always Watzup? then 8 letters of +1 to the top box letters spot. | It's not +1, it is -31.
Code: | 00402103 . 52 PUSH EDX
00402104 . FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040210A . 50 PUSH EAX
0040210B . FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402111 . 66:2D 1F00 SUB AX,1F
00402115 . 8D4D 88 LEA ECX,DWORD PTR [EBP-78]
00402118 . 0F80 7A020000 JO Crackme_.00402398
0040211E . 0FBFC0 MOVSX EAX,AX
00402121 . 50 PUSH EAX
00402122 . 51 PUSH ECX
00402123 . FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi |
for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!" |
Heh, to me this looks like a bunch of random letters. Do you know of a good tut?
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Sat Mar 08, 2008 12:22 pm Post subject: |
|
|
HolyBlah wrote: | Wiccaan wrote: | Bottom is always Watzup? then 8 letters of +1 to the top box letters spot. | It's not +1, it is -31.
Code: | 00402103 . 52 PUSH EDX
00402104 . FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040210A . 50 PUSH EAX
0040210B . FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402111 . 66:2D 1F00 SUB AX,1F
00402115 . 8D4D 88 LEA ECX,DWORD PTR [EBP-78]
00402118 . 0F80 7A020000 JO Crackme_.00402398
0040211E . 0FBFC0 MOVSX EAX,AX
00402121 . 50 PUSH EAX
00402122 . 51 PUSH ECX
00402123 . FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi |
for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!" |
Yeah my bad on that one, wasn't paying attention when I was writing that out.
_________________
- Retired. |
sumnewdude Expert Cheater Reputation: 0
Joined: 23 May 2007 Posts: 181 Location: Where you least expect me.
|
Posted: Wed Mar 12, 2008 8:13 pm Post subject: |
|
|
Wiccaan wrote: | HolyBlah wrote: | Wiccaan wrote: | Bottom is always Watzup? then 8 letters of +1 to the top box letters spot. | It's not +1, it is -31.
Code: | 00402103 . 52 PUSH EDX
00402104 . FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040210A . 50 PUSH EAX
0040210B . FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
00402111 . 66:2D 1F00 SUB AX,1F
00402115 . 8D4D 88 LEA ECX,DWORD PTR [EBP-78]
00402118 . 0F80 7A020000 JO Crackme_.00402398
0040211E . 0FBFC0 MOVSX EAX,AX
00402121 . 50 PUSH EAX
00402122 . 51 PUSH ECX
00402123 . FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>] ; MSVBVM60.rtcVarBstrFromAnsi |
for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!" |
Yeah my bad on that one, wasn't paying attention when I was writing that out. |
Oops, sorry lol, I meant the Olly code, not the Quote: | for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!" |
_________________
.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI |
Haxory' Grandmaster Cheater Supreme Reputation: 92
Joined: 30 Jul 2007 Posts: 1900
|
Posted: Sat Mar 15, 2008 5:57 am Post subject: |
|
|
sumnewdude wrote: |
Heh, to me this looks like a bunch of random letters. Do you know of a good tut? |
200% QFT
Edit: I kinda started to get it =D
I already cracked 4 or 5 crackmes now
_________________
you and me baby ain't nothing but mammals so lets do it like they do on the discovery channel |
coder sal Master Cheater Reputation: 0
Joined: 11 May 2007 Posts: 304
|
Posted: Fri May 16, 2008 8:06 am Post subject: |
|
|
Wiccaan wrote: | First thing you did was check the length, which was 8 chars long and the message was:
Code: | 00401FAF . C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],Crackme_.00401>; UNICODE "sorry too short" |
Looking above that, you have:
Code: | 00401F61 > \8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
00401F64 . 52 PUSH EDX
00401F65 . FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
00401F6B . 33C9 XOR ECX,ECX
00401F6D . 83F8 08 CMP EAX,8
00401F70 . 0F9CC1 SETL CL
00401F73 . F7D9 NEG ECX
00401F75 . 8BF1 MOV ESI,ECX
00401F77 . 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00401F7A . FFD7 CALL EDI |
Which checks the length of the string and compares it to 8. The compare gives it away on how much it wants in size after the LenBstr.
Further down you have:
Code: | 004021E7 > \8B4D D0 MOV ECX,DWORD PTR SS:[EBP-30]
004021EA . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004021ED . 51 PUSH ECX
004021EE . 52 PUSH EDX
004021EF . FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp |
Break on the last line of that and you see:
ECX = bottom box value.
EDX = real value which is Watzup?BBBBBBBB
Enter the password in the bottom box and you win.
Mind you the first box was the compare for the size, you can apparently enter anything in the first box as long as it matches the new value of the 2nd.
Each or so passwords:
Top: aaaaaaaa
Bottom: Watzup?BBBBBBBB
Top: bbbbbbbb
Bottom: Watzup?CCCCCCCC
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot. |
I tried following what you (Wiccaan) said but:
The registers don't give me any information on the __VbaStrCmp, also I thought it might be the wrong address, but I don't think it is because I did a binary string search...
oib111 I post too much Reputation: 0
Joined: 02 Apr 2007 Posts: 2947 Location: you wanna know why?
|
Posted: Fri May 16, 2008 8:22 am Post subject: |
|
|
Set the bp, run the program and do it like you're normally trying to do it, and it will break there and then give you the info. You can't just set a breakpoint and assume that it is going to give you information.
_________________
8D wrote: |
cigs dont make people high, which weed does, which causes them to do bad stuff. like killing |