Cheat Engine Forum - The Official Site of Cheat Engine


Could not solve a crackme

Author: CrAckME (Joined: 16 Nov 2013, Posts: 5)
Posted: Sat Nov 16, 2013 5:40 am    Post subject: Could not solve a crackme

CrackMe download:
Code:
speedyshare.c om/fJAdk/stage0.exe


I'm stuck on this part:
Code:
prntscr.c om/24huz1


Code:
virustotal.c om/en/file/ce58c5e68393a85657f94ac13ca86e08b5c5c29d5009145e71d12a123db71284/analysis/


PLEASE HELP
Author: atom0s, Moderator (Joined: 25 Jan 2006, Posts: 8517, Location: 127.0.0.1)
Posted: Sat Nov 16, 2013 2:56 pm

Get the user input password:
Code:
011010BB  |. 68 14211001    PUSH stage0.01102114                     ; /format = "%30s"
011010C0  |. FF15 A4201001  CALL DWORD PTR DS:[<&MSVCR90.scanf>]     ; \scanf


Get the length of the input:
Code:
011010C6  |. 8D8424 2802000>LEA EAX,DWORD PTR SS:[ESP+0x228]
011010CD  |. 83C4 24        ADD ESP,0x24
011010D0  |. 8D50 01        LEA EDX,DWORD PTR DS:[EAX+0x1]
011010D3  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
011010D5  |. 40             |INC EAX
011010D6  |. 84C9           |TEST CL,CL
011010D8  |.^75 F9          \JNZ SHORT stage0.011010D3


Ensure the length is not 0:
Code:
011010DA  |. 2BC2           SUB EAX,EDX
011010DC  |. 33C9           XOR ECX,ECX
011010DE  |. 85C0           TEST EAX,EAX
011010E0  |. 7E 0D          JLE SHORT stage0.011010EF


Xor each input character with 0x57:
Code:
011010E2  |> 80B40C 0402000>/XOR BYTE PTR SS:[ESP+ECX+0x204],0x57
011010EA  |. 41             |INC ECX
011010EB  |. 3BC8           |CMP ECX,EAX
011010ED  |.^7C F3          \JL SHORT stage0.011010E2


Load string into EAX 'RealPassword':
Code:
011010EF  |> B9 30211001    MOV ECX,stage0.01102130                  ;  ASCII "45678"
011010F4  |. 8D8424 0401000>LEA EAX,DWORD PTR SS:[ESP+0x104]
011010FB  |. EB 03          JMP SHORT stage0.01101100


Compare 45678 to 'RealPassword':
Code:
011010FD  |  8D49 00        LEA ECX,DWORD PTR DS:[ECX]
01101100  |> 8A10           /MOV DL,BYTE PTR DS:[EAX]
01101102  |. 3A11           |CMP DL,BYTE PTR DS:[ECX]
01101104  |. 75 1A          |JNZ SHORT stage0.01101120
01101106  |. 84D2           |TEST DL,DL
01101108  |. 74 12          |JE SHORT stage0.0110111C
0110110A  |. 8A50 01        |MOV DL,BYTE PTR DS:[EAX+0x1]
0110110D  |. 3A51 01        |CMP DL,BYTE PTR DS:[ECX+0x1]
01101110  |. 75 0E          |JNZ SHORT stage0.01101120
01101112  |. 83C0 02        |ADD EAX,0x2
01101115  |. 83C1 02        |ADD ECX,0x2
01101118  |. 84D2           |TEST DL,DL
0110111A  |.^75 E4          \JNZ SHORT stage0.01101100


Test if password matched 'RealPassword':
Code:
0110111C  |> 33C0           XOR EAX,EAX
0110111E  |. EB 05          JMP SHORT stage0.01101125
01101120  |> 1BC0           SBB EAX,EAX
01101122  |. 83D8 FF        SBB EAX,-0x1
01101125  |> 85C0           TEST EAX,EAX
01101127  |. 75 22          JNZ SHORT stage0.0110114B
01101129  |. 68 38211001    PUSH stage0.01102138                     ;  ASCII "Wrong Password."
0110112E  |. FFD6           CALL ESI
01101130  |. 83C4 04        ADD ESP,0x4
01101133  |. 33C0           XOR EAX,EAX
01101135  |. 5E             POP ESI
01101136  |. 8B8C24 0003000>MOV ECX,DWORD PTR SS:[ESP+0x300]
0110113D  |. 33CC           XOR ECX,ESP
0110113F  |. E8 25010000    CALL stage0.01101269
01101144  |. 81C4 04030000  ADD ESP,0x304
0110114A  |. C3             RETN


Test if our given password xor'd is 0x14 characters long:
Code:
0110114B  |> 8D8424 0402000>LEA EAX,DWORD PTR SS:[ESP+0x204]
01101152  |. 8D50 01        LEA EDX,DWORD PTR DS:[EAX+0x1]
01101155  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
01101157  |. 40             |INC EAX
01101158  |. 84C9           |TEST CL,CL
0110115A  |.^75 F9          \JNZ SHORT stage0.01101155
0110115C  |. 2BC2           SUB EAX,EDX
0110115E  |. 83F8 14        CMP EAX,0x14
01101161  |. 74 22          JE SHORT stage0.01101185
01101163  |. 68 4C211001    PUSH stage0.0110214C                     ;  ASCII "Wrong Password."
01101168  |. FFD6           CALL ESI
0110116A  |. 83C4 04        ADD ESP,0x4
0110116D  |. 33C0           XOR EAX,EAX
0110116F  |. 5E             POP ESI
01101170  |. 8B8C24 0003000>MOV ECX,DWORD PTR SS:[ESP+0x300]
01101177  |. 33CC           XOR ECX,ESP
01101179  |. E8 EB000000    CALL stage0.01101269
0110117E  |. 81C4 04030000  ADD ESP,0x304
01101184  |. C3             RETN


Compare our xor'd password with another xor'd password stored in esp+4:
Code:
01101185  |> 8D4C24 04      LEA ECX,DWORD PTR SS:[ESP+0x4]
01101189  |. 8D8424 0402000>LEA EAX,DWORD PTR SS:[ESP+0x204]
01101190  |> 8A10           /MOV DL,BYTE PTR DS:[EAX]
01101192  |. 3A11           |CMP DL,BYTE PTR DS:[ECX]
01101194  |. 75 1A          |JNZ SHORT stage0.011011B0
01101196  |. 84D2           |TEST DL,DL
01101198  |. 74 12          |JE SHORT stage0.011011AC
0110119A  |. 8A50 01        |MOV DL,BYTE PTR DS:[EAX+0x1]
0110119D  |. 3A51 01        |CMP DL,BYTE PTR DS:[ECX+0x1]
011011A0  |. 75 0E          |JNZ SHORT stage0.011011B0
011011A2  |. 83C0 02        |ADD EAX,0x2
011011A5  |. 83C1 02        |ADD ECX,0x2
011011A8  |. 84D2           |TEST DL,DL
011011AA  |.^75 E4          \JNZ SHORT stage0.01101190
011011AC  |> 33C0           XOR EAX,EAX
011011AE  |. EB 05          JMP SHORT stage0.011011B5
011011B0  |> 1BC0           SBB EAX,EAX
011011B2  |. 83D8 FF        SBB EAX,-0x1
011011B5  |> 85C0           TEST EAX,EAX
011011B7  |. 74 22          JE SHORT stage0.011011DB
011011B9  |. 68 60211001    PUSH stage0.01102160                     ;  ASCII "Wrong Password."
011011BE  |. FFD6           CALL ESI


All of the starting compares are to make you think that the password is 'RealPassword'. The only check that matters is the size check for the password length.

At the end, ESP+4 holds the real password xor'd with 0x57:
Code:
CPU Dump
Address   Hex dump                                         ASCII
0043F978  01 32 25 2E|1B 38 39 30|07 36 24 24|20 38 25 33| 2%.8906$$ 8%3
0043F988  65 67 67 6E|00 00 00 00|00 00 00 00|00 00 00 00| eggn


Xor this and you get the real password: VeryLongPassword2009

And the resulting screen:
Code:
Enter Pasword:
VeryLongPassword2009

Good Job!
Send email to [email protected] with subject: stage0_fd60d641dc9efb8f5b79a9b5a75b006b.
Attach your resume. Good luck!

_________________
- Retired.
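Added example (not part of atom0s's post and not the crackme's own source): the check described above, reconstructed in Python from the listing. It decodes the CPU dump quoted in the post by XORing it with 0x57, and re-implements the validation path (scanf "%30s" limit, strlen, XOR loop, length check against 0x14, byte-wise compare with the bytes at ESP+4). The decoy comparison is modelled as a constant because, reading the listing's offsets, it compares "45678" against ESP+0x104 while the input buffer lives at ESP+0x204 after the ADD ESP,0x24; that reading is an assumption. The function names are the example's own.

```python
"""Reconstruction of the stage0 password check from atom0s's disassembly.
Added example; the crackme's real source is not on the page."""
import hashlib
import hmac

XOR_KEY = 0x57        # from: XOR BYTE PTR SS:[ESP+ECX+0x204],0x57
EXPECTED_LEN = 0x14   # from: CMP EAX,0x14
SCANF_LIMIT = 30      # from: scanf format "%30s"

# Bytes at ESP+4 as shown in the post's CPU dump (address 0043F978).
DUMP = bytes.fromhex(
    "01 32 25 2E 1B 38 39 30 07 36 24 24 20 38 25 33"
    "65 67 67 6E 00 00 00 00 00 00 00 00 00 00 00 00"
)


def c_strlen(buf: bytes) -> int:
    """Mirror of the MOV CL / INC EAX / TEST CL,CL loop: bytes before the first NUL."""
    n = buf.find(b"\x00")
    return len(buf) if n < 0 else n


def xor_buf(buf: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte constant (the loop at 011010E2)."""
    return bytes(b ^ key for b in buf)


def stored_secret(dump: bytes = DUMP) -> bytes:
    """The NUL-terminated C string at ESP+4: the real password XORed with 0x57."""
    return dump[:c_strlen(dump)]


def recover_password(dump: bytes = DUMP) -> str:
    """XOR with a constant is its own inverse, so one pass recovers the plaintext."""
    return xor_buf(stored_secret(dump)).decode("ascii")


def check_password(user_input: str, dump: bytes = DUMP) -> bool:
    """Control flow of 011010C6..011011DB, returning True on 'Good Job!'."""
    buf = user_input.encode("ascii")[:SCANF_LIMIT]   # scanf("%30s", buf)
    buf = buf[:c_strlen(buf)]                        # strlen of the raw input
    if len(buf) > 0:                                 # JLE skips the loop for length 0
        buf = xor_buf(buf)

    # Decoy at 011010EF..01101127: compares "45678" against ESP+0x104, not the
    # input buffer at ESP+0x204, so its outcome does not depend on user input.
    # Assumption: ESP+0x104 never equals "45678", so execution falls through.
    decoy_matched = False
    if decoy_matched:
        return False                                 # "Wrong Password."

    # strlen is taken AFTER the XOR (0110114B..0110115E): an input byte equal to
    # 0x57 ('W') becomes NUL and truncates the length the check sees.
    if c_strlen(buf) != EXPECTED_LEN:
        return False                                 # "Wrong Password."

    # Byte-wise C-string compare at 01101190..011011AA, stopping at NUL.
    return buf[:c_strlen(buf)] == stored_secret(dump)


def hardened_check(user_input: str, expected_sha256_hex: str) -> bool:
    """Contrast: keep only a hash of the secret and compare in constant time, so
    a memory dump of the binary does not hand over the password directly."""
    digest = hashlib.sha256(user_input.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex)


if __name__ == "__main__":
    pw = recover_password()
    print("recovered:", pw)                          # VeryLongPassword2009
    print("accepted:", check_password(pw))          # True
    print("decoy accepted:", check_password("RealPassword"))  # False
```

The strlen-after-XOR detail is the one edge the listing shows that is easy to miss when re-implementing: any 'W' in the typed input turns into a NUL after the XOR, so the 0x14 length test and the final compare both see a truncated string.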