Buggy Advanced Cheater Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
|
Posted: Mon Mar 31, 2008 7:46 am Post subject: sTRANGE CrackMe II |
STRANGE CrackMe II
P.S.
Requires XP or higher
Sometimes it may show BSOD
DO NOT TRY THIS CRACKME WITHOUT DRIVER.SYS!
_________________
iroo sooo hooooot |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Tue Apr 01, 2008 1:40 am Post subject: |
Doesn't run. Turned everything off on my system, no debugger or anything, tried to run normally. Just makes an error noise and closes without a word or message box.
Opened it up in Olly, looked around, apparently it doesn't even get out of the MSVB runtime before exiting.
Opened it up in VB Decompiler to find what was the startup, and where that was. Apparently according to it the startup is Form1, meaning Form_Load, went to that location in Olly, set a breakpoint, never gets hit. So looks like there is an issue with the exe.
On a side note, cute that you named an entire class after me lol. And what's the driver for? Kinda made me a bit wary of even wanting to look at this one. And the whole 'BSOD' thing lol. You should really make it stable before releasing.
Anyway, looking forward to seeing you fix this if there's an issue, wanna have my go on it
_________________
- Retired. |
Buggy Advanced Cheater Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
|
Posted: Tue Apr 01, 2008 9:21 am Post subject: |
hmm.. in my pc it runs well..
i'm sorry wiccaan but what operating system are you using??
-_- very strange --
_________________
iroo sooo hooooot |
DeletedUser14087 I post too much Reputation: 2
Joined: 21 Jun 2006 Posts: 3069
|
Posted: Tue Apr 01, 2008 10:16 am Post subject: |
a driver ? it's only a crackme, take it easy lol..
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Tue Apr 01, 2008 5:17 pm Post subject: |
I'm running XP Home w/SP2. But like I said it doesn't even get out of the VB runtime before crashing and dying.
_________________
- Retired. |
Buggy Advanced Cheater Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
|
Posted: Wed Apr 02, 2008 7:23 am Post subject: |
I've tested in Windows XP Professional (VMware); a driver error occurs, I think...
what happened to my crackme
:: information of driver ::
Hooks some process APIs
Made in C++
--
_________________
iroo sooo hooooot |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Mon Apr 07, 2008 12:54 am Post subject: |
Reformatted my computer the other night so just tested this again and it runs now. Will give it a go
EDIT #1: Getting the prog to run through OllyDbg.
Plugins used: OllyAdvanced + HideOlly (Basically turn everything on.)
Along with that I had to patch 1 check due to CopyMemory failing here:
Code:
00AD5DB7 . /E9 D0000000 JMP x.00AD5E8C
00AD5DBC   |90          NOP
The original was a JNZ. After the plugins and patch, the exe runs fine.
EDIT #2: Patching the process killing and possible finish solution?
Next annoyance is the process closing anytime you guess the wrong password. This is due to calls to 'End' or in the runtime: __vbaEnd
There are two calls to this during the checks:
Code:
00AC6475 . FF15 2C10AC00 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>] ; MSVBVM60.__vbaEnd
Code:
00AC660A . FF15 2C10AC00 CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>] ; MSVBVM60.__vbaEnd
Just before these, you can patch the conditional jumps. Something I don't understand is if you patch the two jumps when you enter anything you get a message box now that is simply '!!', is this the correct result when you figure out the name/pass/pin?
EDIT #3: Removed The Driver
Well not really that hard to do since it's not that well integrated into the project, but you can completely remove the driver from being loaded with a few jump patches.
Along with the patches above, there is a check to see if the driver is in the same folder as the executable which can be bypassed with:
Code:
00AC571C /E9 95000000 JMP z.00AC57B6
00AC5721 |90          NOP
Being that the executable has no checking for the driver other than loading it and making sure it's in the same path, it's easily removed with that single jump.
Other calls to the driver return ERROR_SERVICE_NOT_FOUND but again, that is never checked to see if the driver was loaded.
(Minor Edit: Hmm.. now it seems it's messing up with the driver being gone.. worked fine a few times then started dying now. -.-)
Ok figured out what caused that little issue, another quick check for the driver which is patched with:
Code:
00AC5D4D /E9 2A010000 JMP z.00AC5E7C
00AC5D52 |90          NOP
Running smooth again.
EDIT #4: Yay for another edit.. anyway, this edit is an attachment. Removed all the checks for Olly and such so the exe will run, without the driver, inside Olly without the need of any plugins.
_________________
- Retired. |
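An added example, not part of the thread or of the attached file: a tamper check that compares a code region against a known-good copy and flags the pattern used in the patches above, a 6-byte near conditional jump rewritten as JMP rel32 plus a NOP with the same target. The reference bytes are constructed on the assumption that the original JNZ was the near form (0F 85 rel32); the function names are hypothetical.

```python
import struct

def rel32_target(addr, insn):
    """Target of JMP rel32 (E9) or near Jcc rel32 (0F 80..8F), else None."""
    if len(insn) >= 5 and insn[0] == 0xE9:
        return (addr + 5 + struct.unpack_from("<i", insn, 1)[0]) & 0xFFFFFFFF
    if len(insn) >= 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        return (addr + 6 + struct.unpack_from("<i", insn, 2)[0]) & 0xFFFFFFFF
    return None

def find_forced_branches(base, reference, current):
    """Return (address, target) for each site where a near Jcc in the
    known-good `reference` became JMP rel32 + NOP in `current`.

    This is a byte-pattern scan, not a disassembler: a hit means the six
    bytes changed in exactly this way and both forms branch to one target.
    """
    hits = []
    for off in range(len(reference) - 5):
        ref, cur = reference[off:off + 6], current[off:off + 6]
        if ref == cur:
            continue
        was_jcc = ref[0] == 0x0F and 0x80 <= ref[1] <= 0x8F
        now_jmp = cur[0] == 0xE9 and cur[5] == 0x90
        if was_jcc and now_jmp:
            addr = base + off
            if rel32_target(addr, ref) == rel32_target(addr, cur):
                hits.append((addr, rel32_target(addr, cur)))
    return hits

# Constructed sample: 0xCC filler around the instruction at 00AD5DB7.
BASE = 0x00AD5DB0
# Assumed original: JNZ near to 00AD5E8C, rel32 = 0xAD5E8C - (0xAD5DB7 + 6).
REFERENCE = b"\xcc" * 7 + bytes.fromhex("0F85CF000000") + b"\xcc" * 3
# Patched bytes as listed in the post: E9 D0000000 / 90.
PATCHED = b"\xcc" * 7 + bytes.fromhex("E9D000000090") + b"\xcc" * 3

if __name__ == "__main__":
    for addr, target in find_forced_branches(BASE, REFERENCE, PATCHED):
        print(f"forced branch at {addr:08X} -> {target:08X}")
```

The same comparison can be run by the program over its own code section at start-up, which is the kind of integrity check whose absence made the jumps above patchable without consequence.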