Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


[solved] my first passwordMe / Find the password

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming -> Crackmes
View previous topic :: View next topic  
Author Message
Hans Henrik
Expert Cheater
Reputation: 0

Joined: 18 Feb 2007
Posts: 177

PostPosted: Sun Jul 24, 2011 10:28 am    Post subject: [solved] my first passwordMe / Find the password Reply with quote

my first PasswordMe (or find the password?), a hard 1 i guess... have not added generic protection crap (packers/protectors/etc), maybe in v2?, but shouldn't be easy anyway.

written in c++, compiled with mingw 3.4.2 (-s -O3)
urls:
http://www.speedyshare.com/files/29558717/PasswordMe.zip
rules:
patched executable is not an accepted solution, get the password. :- )

_________________
Im not around.

im almost never checking the forum anymore


Last edited by Hans Henrik on Sun Jul 24, 2011 11:31 am; edited 1 time in total
Back to top
View user's profile Send private message MSN Messenger
atom0s
Moderator
Reputation: 136

Joined: 25 Jan 2006
Posts: 7134
Location: 127.0.0.1

PostPosted: Sun Jul 24, 2011 11:19 am    Post subject: Reply with quote

Password: 4223084

Given there is a ton of stuff packed into the file to do whatever, my guess is there's extra stuff to throw people off.

How I got the answer:

Loaded the executable into Olly to check if there were any give aways from the start. There was both the nag and the 'correct' responses so that gave away where the 'magic' happens with comparing the input to the real answer.

Going to the start of the function you have:
Code:

00401EF3   . 8D75 98        LEA ESI,DWORD PTR SS:[EBP-68]            ; ||||
00401EF6   . 8D5D 98        LEA EBX,DWORD PTR SS:[EBP-68]            ; ||||
00401EF9   . 893424         MOV DWORD PTR SS:[ESP],ESI               ; ||||
00401EFC   . E8 1F3D0000    CALL <JMP.&msvcrt.atoi>                  ; |||\atoi
00401F01   . 8985 5CFFFFFF  MOV DWORD PTR SS:[EBP-A4],EAX            ; |||
00401F07   . 891C24         MOV DWORD PTR SS:[ESP],EBX               ; |||
00401F0A   . E8 113D0000    CALL <JMP.&msvcrt.atoi>                  ; ||\atoi
00401F0F   . 8D4D 98        LEA ECX,DWORD PTR SS:[EBP-68]            ; ||
00401F12   . 890C24         MOV DWORD PTR SS:[ESP],ECX               ; ||
00401F15   . E8 063D0000    CALL <JMP.&msvcrt.atoi>                  ; |\atoi
00401F1A   . 8B15 6C704000  MOV EDX,DWORD PTR DS:[40706C]            ; |Password.00408158
00401F20   . 891424         MOV DWORD PTR SS:[ESP],EDX               ; |
00401F23   . E8 E83C0000    CALL <JMP.&msvcrt.strlen>                ; \strlen


Which tells us the input is getting converted to a number and the length of another string is important.

Little further down you check if a pointer is valid:
Code:

00401F4D   . 89B5 58FFFFFF  MOV DWORD PTR SS:[EBP-A8],ESI            ; |
00401F53   . 890C24         MOV DWORD PTR SS:[ESP],ECX               ; |
00401F56   . 8995 68FFFFFF  MOV DWORD PTR SS:[EBP-98],EDX            ; |
00401F5C   . E8 DF3E0000    CALL <JMP.&KERNEL32.IsBadReadPtr>        ; \IsBadReadPtr


Which uses some of the info we just got from above, the main two being the strlen return (0x8C) and the input we gave converted to a number.

Afterward, starting at 0x004020C0 we check the input to strings inside the exe. First checks the bad answer, second is the correct answer. Once loaded it jumps back to 0x00401F6C to compare the answer to our input converted to a pointer and read as a string which we tell it to point to the correct answers location in memory.

So in short the first part gave away the answer
Code:

00401F1A   . 8B15 6C704000  MOV EDX,DWORD PTR DS:[40706C]            ; |Password.00408158


40706C is the pointer to the correct answer. Convert this to dec and use the result as the answer.

_________________
- Retired.
Back to top
View user's profile Send private message Visit poster's website
Hans Henrik
Expert Cheater
Reputation: 0

Joined: 18 Feb 2007
Posts: 177

PostPosted: Sun Jul 24, 2011 11:26 am    Post subject: Reply with quote

Wiccaan: shit, nice1 Very Happy
, i wont make that mistake twice though.
maybe ill make an other 1

_________________
Im not around.

im almost never checking the forum anymore
Back to top
View user's profile Send private message MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming -> Crackmes All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites