Cheat Engine Forum (The Official Site of Cheat Engine)
General programming -> Crackmes

CrackMe
slippppppppp
Grandmaster Cheater
Reputation: 0

Joined: 08 Aug 2006
Posts: 929

Posted: Thu May 15, 2008 7:20 pm    Post subject: CrackMe

Can anyone find the password to this crackme?
I have to stress that patching this won't make much of a difference so here:

Quote:

Wicca Wiccaan (5:43:37 PM): 00401557 |. /75 02 JNZ SHORT CrackMe.0040155B

There, now try to find the password.
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Thu May 15, 2008 9:22 pm    Post subject:

00401111 3BD3 CMP EDX,EBX
Change to CMP EDX,EDX and use any password you want.

00401113 /75 02 JNZ SHORT CrackMe.00401117
Correct this jump to use any password but the real one.


EDX = real password.

As for the real password, here is the ASCII representation of it.
7FFDE00C A0 1E á▲ 
slippppppppp
Grandmaster Cheater
Reputation: 0

Joined: 08 Aug 2006
Posts: 929

Posted: Thu May 15, 2008 9:56 pm    Post subject:

None's solved it yet
nwongfeiying
Grandmaster Cheater
Reputation: 2

Joined: 25 Jun 2007
Posts: 695

Posted: Fri May 16, 2008 8:52 am    Post subject:

Labyrnth wrote:
00401111 3BD3 CMP EDX,EBX
Change to CMP EDX,EDX and use any password you want.

00401113 /75 02 JNZ SHORT CrackMe.00401117
Correct this jump to use any password but the real one.


EDX = real password.

As for the real password, here is the ASCII representation of it.
7FFDE00C A0 1E á▲ 


What method did you use?
HalfPrime
Grandmaster Cheater
Reputation: 0

Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor

Posted: Fri May 16, 2008 9:31 am    Post subject:

Pretty sure that's the encrypted password as it's checked against the encrypted input?
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Fri May 16, 2008 9:38 am    Post subject:

slippppppppp wrote:
None's solved it yet


Quote:
I have to stress that patching this won't make much of a difference so here:


Well, this is what I was targeting really. Patching it will make all the difference. It will work 100% on this application. If it was on retail software, it would very much be a cracked release for every version released.
HalfPrime
Grandmaster Cheater
Reputation: 0

Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor

Posted: Fri May 16, 2008 4:56 pm    Post subject:

Wow. Did you even test this?
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Fri May 16, 2008 5:36 pm    Post subject:

Slipppppppppp doesn't even know how to solve it so I can almost guarantee you it's not coded correctly.
Overload
Master Cheater
Reputation: 0

Joined: 08 Feb 2008
Posts: 293

Posted: Fri May 16, 2008 5:49 pm    Post subject:

nwongfeiying wrote:
Labyrnth wrote:
00401111 3BD3 CMP EDX,EBX
Change to CMP EDX,EDX and use any password you want.

00401113 /75 02 JNZ SHORT CrackMe.00401117
Correct this jump to use any password but the real one.


EDX = real password.

As for the real password, here is the ASCII representation of it.
7FFDE00C A0 1E á▲ 


What method did you use?


Not so much a method of finding it. Just searching for it.

It's quite simple. All he is doing is changing the compare between EDX and EBX to EDX and EDX. He's just making it compare it with itself, therefore always making it correct.
HalfPrime
Grandmaster Cheater
Reputation: 0

Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor

Posted: Fri May 16, 2008 6:05 pm    Post subject:

Code:
004014E5   . 60             PUSHAD
004014E6   . 8BC0           MOV EAX,EAX                  Is this supposed to be clever?
004014E8   . 8BDB           MOV EBX,EBX                  This block of code sets everything
004014EA   . 8BD2           MOV EDX,EDX                  to 0 except edx to C000
004014EC   . 8BC9           MOV ECX,ECX
004014EE   . 33C0           XOR EAX,EAX
004014F0   . 33DB           XOR EBX,EBX
004014F2   . 33D2           XOR EDX,EDX
004014F4   . 33C9           XOR ECX,ECX
004014F6   . C1E8 1F        SHR EAX,1F
004014F9   . C1E3 5A        SHL EBX,5A
004014FC   . C1E2 13        SHL EDX,13
004014FF   . C1E9 A1        SHR ECX,0A1
00401502   . 93             XCHG EAX,EBX
00401503   . C1C8 0C        ROR EAX,0C
00401506   . 87D9           XCHG ECX,EBX
00401508   . C1CB 0D        ROR EBX,0D
0040150B   . 83C1 0C        ADD ECX,0C
0040150E   . C1C1 0C        ROL ECX,0C
00401511   . 87D1           XCHG ECX,EDX
00401513   . 61             POPAD                   makes everything above it useless
00401514   . EB 00          JMP SHORT Copy_of_.00401516
00401516   > 50             PUSH EAX
00401517   . A1 EC1D4700    MOV EAX,DWORD PTR DS:[471DEC]                  moves 0x31 into eax. I'm guessing it's actually supposed to be the password, but looking at your code, you have no idea how to handle strings. your 20 char password takes 80 bytes in memory because you declared it as DWORD for whatever reason. Making each char separated by 3 null bytes.
0040151C   . C1E8 0C        SHR EAX,0C                   sets eax to 0
                         At this point, EAX looks like this in binary:
                         00000000000000000000000000110001.
                         shifting right 13 bits:
                         000000000000000000000000000000000000000110001
                         00000000000000000000000000000000 == eax
0040151F   . 33C3           XOR EAX,EBX                  At this point ebx is normally 7ffd4000 to 7ffdd000 I have no idea what this actually is, though. So, basically, since EAX is 0, EAX == EBX after the XOR.
00401521   . 83C0 0C        ADD EAX,0C                  EAX is now around 7ffd400c
00401524   . 92             XCHG EAX,EDX                  Switch EAX and EDX. EDX is what gets compared later.
00401525   . 58             POP EAX                  After this, some other stuff happens, then It's compared. It doesn't matter what happens since it's so messed up already
00401526   . EB 00          JMP SHORT Copy_of_.00401528
00401528   > 50             PUSH EAX
00401529   . 8D05 C8474700  LEA EAX,DWORD PTR DS:[4747C8]
0040152F   . 83C0 01        ADD EAX,1
00401532   . 33C3           XOR EAX,EBX
00401534   . C1E0 0D        SHL EAX,0D
00401537   . 03C0           ADD EAX,EAX
00401539   . 93             XCHG EAX,EBX
0040153A   . 58             POP EAX
0040153B   . EB 00          JMP SHORT Copy_of_.0040153D
0040153D   > 8BC0           MOV EAX,EAX
0040153F   . C1E0 03        SHL EAX,3
00401542   . 83E8 02        SUB EAX,2
00401545   . 33C6           XOR EAX,ESI
00401547   . 8BC8           MOV ECX,EAX
00401549   . D1E1           SHL ECX,1
0040154B   . 83C1 03        ADD ECX,3
0040154E   . C1C9 0D        ROR ECX,0D
00401551   . 33C1           XOR EAX,ECX
00401553   . EB 00          JMP SHORT Copy_of_.00401555
00401555   > 3BD3           CMP EDX,EBX

In short, the strings are fucked up, but it doesn't matter because you don't even handle them as strings. You compare memory addresses that change every time you run it.

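HalfPrime's trace above boils down to a compare between two address-derived values. This Python snippet is an added illustration, not code from the thread or from the crackme: it re-runs the arithmetic of 00401517-00401539 with 32-bit wraparound so both CMP operands can be inspected. The EBX value and the password dword at 471DEC are constructed inputs, and the 0040153D block is skipped because it only touches EAX, which the CMP does not read.

```python
# Added example: emulate HalfPrime's trace of 00401517..00401555 so the CMP EDX,EBX
# operands can be inspected. EBX (a per-run address) and the dword at 471DEC are
# constructed assumptions, not values recovered from the binary.
MASK = 0xFFFFFFFF  # every register op wraps to 32 bits

def edx_side(password_dword, ebx):
    """00401517..00401524: MOV EAX,[471DEC]; SHR EAX,0C; XOR EAX,EBX; ADD EAX,0C; XCHG EAX,EDX."""
    eax = password_dword & MASK
    eax >>= 0xC                  # one ASCII byte (e.g. 0x31) is shifted out entirely -> 0
    eax ^= ebx                   # 0 XOR EBX leaves EBX unchanged
    eax = (eax + 0xC) & MASK
    return eax                   # XCHG puts this into EDX

def ebx_side(buf_addr, ebx):
    """00401529..00401539: LEA EAX,[4747C8]; ADD EAX,1; XOR EAX,EBX; SHL EAX,0D; ADD EAX,EAX; XCHG EAX,EBX."""
    eax = (buf_addr + 1) & MASK
    eax ^= ebx
    eax = (eax << 0xD) & MASK
    eax = (eax + eax) & MASK     # net effect: ((addr+1) ^ EBX) << 14, so the low 14 bits are always 0
    return eax                   # XCHG puts this into EBX

def check(password_dword, ebx, buf_addr=0x4747C8):
    """Outcome of CMP EDX,EBX at 00401555: True means the JNZ would fall through ('correct')."""
    return edx_side(password_dword, ebx) == ebx_side(buf_addr, ebx)

def password_matters(ebx):
    """True if any printable first byte of the input changes the compare result."""
    outcomes = {check(byte, ebx) for byte in range(0x20, 0x7F)}
    return len(outcomes) > 1

if __name__ == "__main__":
    # constructed EBX values inside the 7FFD4000..7FFDD000 range HalfPrime observed
    for ebx in (0x7FFD4000, 0x7FFDD000):
        print(f"EBX={ebx:08X}  EDX={edx_side(0x31, ebx):08X}  "
              f"EBX'={ebx_side(0x4747C8, ebx):08X}  equal={check(0x31, ebx)}")
    print("input byte changes result:", password_matters(0x7FFD4000))
```

The run shows EDX simply tracks EBX (an address that differs between runs) while the input byte is shifted to zero before it is ever used, which is why the check can only be made to pass by patching the compare.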
coder sal
Master Cheater
Reputation: 0

Joined: 11 May 2007
Posts: 304

Posted: Fri May 16, 2008 7:06 pm    Post subject:

Lol! It worked (Changing it to EDX,EDX), lmao
But how did you find the virtual address with CMP in it?
I tried searching intermodular calls it didn't work..
Did you just scroll down until you found it?

Screenshot:

HalfPrime
Grandmaster Cheater
Reputation: 0

Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor

Posted: Fri May 16, 2008 7:11 pm    Post subject:

"Incorrect" and "correct" are just strings. (Note 401117 and 40111e) So if you right click on the code>search for>referenced text strings>and look for "correct" or "incorrect", you'll come right to it. Then you just look up a bit to find the code that determines where you jump to.
coder sal
Master Cheater
Reputation: 0

Joined: 11 May 2007
Posts: 304

Posted: Fri May 16, 2008 7:15 pm    Post subject:

HalfPrime wrote:
"Incorrect" and "correct" are just strings. (Note 401117 and 40111e) So if you right click on the code>search for>referenced text strings>and look for "correct" or "incorrect", you'll come right to it. Then you just look up a bit to find the code that determines where you jump to.


Ohhhh I never thought of that
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Mon May 19, 2008 12:49 pm    Post subject:

That's a method that should never be overlooked, no matter how noobie it is.
HalfPrime
Grandmaster Cheater
Reputation: 0

Joined: 12 Mar 2008
Posts: 532
Location: Right there...On your monitor

Posted: Mon May 19, 2008 3:45 pm    Post subject:

I always try the quick and simple stuff before anything else. If function calls/text strings work, then it'd be a waste of energy to do anything else. If it doesn't work then I get to delve into it.
All times are GMT - 6 Hours