DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Fri Oct 24, 2008 2:11 pm    Post subject: Crackme
Before you begin: I know how it looks (and I meant it to look like that).
Level: easy+
Enjoy yourselves.
P.S.
Note that this crackme was tested on Windows XP only - it might not work on other systems.
Sinok Cheater Reputation: 0
Joined: 21 Mar 2008 Posts: 34
Posted: Sat Oct 25, 2008 7:13 am
What am I supposed to do?
lol
DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Sat Oct 25, 2008 7:19 am
Make it show the 'good boy' message, of course!
opcode0x90 Cheater Reputation: 0
Joined: 05 Aug 2006 Posts: 27
Posted: Sat Oct 25, 2008 8:20 am
Code:
004010D7  BF 00304000        MOV EDI,CrackMe.00403000          ; ASCII "An error has occured! exiting"
004010DC  F743 68 70000000   TEST DWORD PTR DS:[EBX+68],70
004010E3  75 CE              JNZ SHORT CrackMe.004010B3        <-- NOP here
004010E5  F643 02 01         TEST BYTE PTR DS:[EBX+2],1
004010E9  75 C8              JNZ SHORT CrackMe.004010B3        <-- and here
004010EB  33DD               XOR EBX,EBP
004010ED  B9 23304000        MOV ECX,CrackMe.00403023          ; ASCII "Hope you enjoyed =]"
Encrypted strings and redirected EIP with SetThreadContext eh?
NOP the jmps at 004010E3 and 004010E9.
DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Sat Oct 25, 2008 10:49 am
These are just anti-debug tricks.
The message is still being overwritten - you're halfway there.
opcode0x90 Cheater Reputation: 0
Joined: 05 Aug 2006 Posts: 27
Posted: Sun Oct 26, 2008 5:00 am
If the correct message is "Hope you enjoyed =]" it can't be much simpler.
Code:
0040100B  49                 DEC ECX
0040100C  79 FC              JNS SHORT CrackMe.0040100A
0040100E  0F89 B3000000      JNS CrackMe.004010C7
00401014  8B5D 08            MOV EBX,DWORD PTR SS:[EBP+8]      ; CrackMe.<ModuleEntryPoint>
Redirect JNS CrackMe.004010C7 to JNS CrackMe.004010EB; it will display that string and bypass the NtGlobalFlag check altogether.
You should give a clear goal when submitting a crackme.
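The two patches proposed in the thread (NOPing the JNZ SHORT pair at 004010E3/004010E9, and retargeting the near JNS at 0040100E from 004010C7 to 004010EB), worked through as an added example that is not part of any post. It operates on byte strings transcribed from the opcode column of the two listings above (constructed sample input, not read from the real CrackMe binary; the imm32 that OllyDbg truncates on the TEST line is taken to be 70 00 00 00), so it runs offline. The anti_debug_fires helper mirrors what the two TEST instructions check, on the assumption that EBX holds the 32-bit PEB, where offset 2 is BeingDebugged and offset 0x68 is NtGlobalFlag; the FLG_HEAP_* names and values are the documented Windows flag bits that make up the 0x70 mask.

```python
# Added example: decode and patch the Jcc instructions from the posted listings.
# Sample input is constructed from the listings' opcode bytes (keyed by VA).
LISTING_A = {  # 0040100B .. 00401016
    0x40100B: b"\x49",                          # DEC ECX
    0x40100C: b"\x79\xFC",                      # JNS SHORT 0040100A
    0x40100E: b"\x0F\x89\xB3\x00\x00\x00",      # JNS 004010C7 (near, rel32)
    0x401014: b"\x8B\x5D\x08",                  # MOV EBX,[EBP+8]
}
LISTING_B = {  # 004010D7 .. 004010F1
    0x4010D7: b"\xBF\x00\x30\x40\x00",          # MOV EDI,00403000 ("An error...")
    0x4010DC: b"\xF7\x43\x68\x70\x00\x00\x00",  # TEST DWORD PTR [EBX+68],70
    0x4010E3: b"\x75\xCE",                      # JNZ SHORT 004010B3
    0x4010E5: b"\xF6\x43\x02\x01",              # TEST BYTE PTR [EBX+2],1
    0x4010E9: b"\x75\xC8",                      # JNZ SHORT 004010B3
    0x4010EB: b"\x33\xDD",                      # XOR EBX,EBP
    0x4010ED: b"\xB9\x23\x30\x40\x00",          # MOV ECX,00403023 ("Hope you enjoyed =]")
}

# NtGlobalFlag heap-debug bits set in a process created under a debugger.
# Their OR is the 0x70 mask that TEST DWORD PTR [EBX+68],70 uses.
FLG_HEAP_ENABLE_TAIL_CHECK = 0x10
FLG_HEAP_ENABLE_FREE_CHECK = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NTGLOBALFLAG_DEBUG_MASK = (FLG_HEAP_ENABLE_TAIL_CHECK
                           | FLG_HEAP_ENABLE_FREE_CHECK
                           | FLG_HEAP_VALIDATE_PARAMETERS)


def anti_debug_fires(being_debugged: int, nt_global_flag: int) -> bool:
    """Mirror of the two checks, assuming EBX = PEB (32-bit layout: +2 is
    BeingDebugged, +0x68 is NtGlobalFlag). True means a JNZ to the error
    path at 004010B3 would be taken."""
    return bool(nt_global_flag & NTGLOBALFLAG_DEBUG_MASK) or bool(being_debugged & 1)


def load_region(listing: dict) -> tuple[int, bytearray]:
    """Concatenate a listing into (base_va, code), checking it is contiguous."""
    base = min(listing)
    code = bytearray()
    for va in sorted(listing):
        if va != base + len(code):
            raise ValueError(f"gap in listing before {va:08X}")
        code += listing[va]
    return base, code


def jcc_target(code: bytearray, base: int, va: int) -> int:
    """Destination of the Jcc at va: 7x rel8 (short) or 0F 8x rel32 (near).
    The displacement is relative to the end of the jump instruction."""
    off = va - base
    op = code[off]
    if 0x70 <= op <= 0x7F:
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return va + 2 + rel
    if op == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
        return va + 6 + rel
    raise ValueError(f"no conditional jump at {va:08X}")


def nop_short_jcc(code: bytearray, base: int, va: int) -> None:
    """Replace a 2-byte short Jcc with two NOPs (fall through unconditionally)."""
    off = va - base
    if not 0x70 <= code[off] <= 0x7F:
        raise ValueError(f"no short Jcc at {va:08X}")
    code[off:off + 2] = b"\x90\x90"


def retarget_near_jcc(code: bytearray, base: int, va: int, new_target: int) -> int:
    """Rewrite the rel32 of a 6-byte near Jcc so it lands on new_target."""
    off = va - base
    if code[off] != 0x0F or not 0x80 <= code[off + 1] <= 0x8F:
        raise ValueError(f"no near Jcc at {va:08X}")
    rel = new_target - (va + 6)
    code[off + 2:off + 6] = rel.to_bytes(4, "little", signed=True)
    return rel


def patch_nop_checks() -> bytes:
    """First fix from the thread: NOP both JNZ SHORT 004010B3."""
    base, code = load_region(LISTING_B)
    assert jcc_target(code, base, 0x4010E3) == 0x4010B3
    assert jcc_target(code, base, 0x4010E9) == 0x4010B3
    nop_short_jcc(code, base, 0x4010E3)
    nop_short_jcc(code, base, 0x4010E9)
    return bytes(code)


def patch_redirect_jns() -> bytes:
    """Second fix: JNS 004010C7 becomes JNS 004010EB, past both checks."""
    base, code = load_region(LISTING_A)
    assert jcc_target(code, base, 0x40100E) == 0x4010C7
    retarget_near_jcc(code, base, 0x40100E, 0x4010EB)  # rel32 becomes 0xD7
    return bytes(code)
```

To apply either result to a file you would still need the VA-to-file-offset mapping from the PE section table, which the listings do not give; the functions above only show that the decoded targets match the posted disassembly and what the replacement bytes are.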
DoomsDay Grandmaster Cheater Reputation: 0
Joined: 06 Jan 2007 Posts: 768 Location: %HomePath%
Posted: Sun Oct 26, 2008 7:49 am
I'll try to make it easier to understand next time.
By the way, nice redirection method.