Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Wiccaan, Labrynth, or anyone else - I need breakpoint help

 
Cheat Engine Forum Index -> General programming -> Crackmes
coder sal
Master Cheater
Reputation: 0

Joined: 11 May 2007
Posts: 304

Posted: Tue Mar 11, 2008 2:46 pm    Post subject: Wiccaan, Labrynth, or anyone else - I need breakpoint help

OK, I went on Tuts4you and learned a few things, but I still need help with Gunner's keygenme/crackme. Here I quoted what you said.


Wiccaan wrote:
This is more of a keygenme than anything. After looking through this I can't say I found the anti-debug you put in it. There is no call to any debugging API, no checks for processes or window names, etc. So whatever it is, it's not to prevent debugging, apparently lol.

As for the serial to my name, Lab, the one you posted is wrong. My name and serial would be:

Name: Wiccaan
Serial: 0215187175175171171197145

You missed some numbers. Might be the same case for your others.

The key generation is here:

Code:
0040965F    8B0F            MOV ECX,DWORD PTR DS:[EDI]
00409661    57              PUSH EDI
00409662    FF91 08030000   CALL DWORD PTR DS:[ECX+308]
00409668    8D55 CC         LEA EDX,DWORD PTR SS:[EBP-34]
0040966B    50              PUSH EAX
0040966C    52              PUSH EDX
0040966D    FF15 3C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00409673    8BD8            MOV EBX,EAX
00409675    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
00409678    51              PUSH ECX
00409679    53              PUSH EBX
0040967A    8B03            MOV EAX,DWORD PTR DS:[EBX]
0040967C    FF90 A0000000   CALL DWORD PTR DS:[EAX+A0]
00409682    3BC6            CMP EAX,ESI
00409684    DBE2            FCLEX
00409686    7D 12           JGE SHORT CrackMeV.0040969A
00409688    68 A0000000     PUSH 0A0
0040968D    68 FC914000     PUSH CrackMeV.004091FC
00409692    53              PUSH EBX
00409693    50              PUSH EAX
00409694    FF15 30104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040969A    8B45 D4         MOV EAX,DWORD PTR SS:[EBP-2C]
0040969D    8D55 BC         LEA EDX,DWORD PTR SS:[EBP-44]
004096A0    8945 C4         MOV DWORD PTR SS:[EBP-3C],EAX
004096A3    8D45 AC         LEA EAX,DWORD PTR SS:[EBP-54]
004096A6    52              PUSH EDX
004096A7    50              PUSH EAX
004096A8    8975 D4         MOV DWORD PTR SS:[EBP-2C],ESI
004096AB    C745 BC 0800000>MOV DWORD PTR SS:[EBP-44],8
004096B2    FF15 5C104000   CALL DWORD PTR DS:[<&MSVBVM60.#528>]     ; MSVBVM60.rtcUpperCaseVar
004096B8    8D4D AC         LEA ECX,DWORD PTR SS:[EBP-54]
004096BB    51              PUSH ECX
004096BC    FF15 18104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
004096C2    8B1D B8104000   MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
004096C8    8BD0            MOV EDX,EAX
004096CA    8D4D D0         LEA ECX,DWORD PTR SS:[EBP-30]
004096CD    FFD3            CALL EBX                                 ; <&MSVBVM60.__vbaStrMove>
004096CF    8BD0            MOV EDX,EAX
004096D1    8D4F 3C         LEA ECX,DWORD PTR DS:[EDI+3C]
004096D4    FF15 98104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
004096DA    8D4D D0         LEA ECX,DWORD PTR SS:[EBP-30]
004096DD    FF15 CC104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004096E3    8D4D CC         LEA ECX,DWORD PTR SS:[EBP-34]
004096E6    FF15 D0104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004096EC    8D55 AC         LEA EDX,DWORD PTR SS:[EBP-54]
004096EF    8D45 BC         LEA EAX,DWORD PTR SS:[EBP-44]
004096F2    52              PUSH EDX
004096F3    50              PUSH EAX
004096F4    6A 02           PUSH 2
004096F6    FF15 1C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004096FC    66:8B4F 34      MOV CX,WORD PTR DS:[EDI+34]
00409700    83C4 0C         ADD ESP,0C
00409703    66:6BC9 05      IMUL CX,CX,5
00409707    0F80 7D020000   JO CrackMeV.0040998A
0040970D    66:83C1 06      ADD CX,6
00409711    56              PUSH ESI
00409712    0F80 72020000   JO CrackMeV.0040998A
00409718    0FBFD1          MOVSX EDX,CX
0040971B    8957 38         MOV DWORD PTR DS:[EDI+38],EDX
0040971E    FF15 00104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI2>; MSVBVM60.__vbaStrI2
00409724    8BD0            MOV EDX,EAX
00409726    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
00409729    FFD3            CALL EBX
0040972B    8BD0            MOV EDX,EAX
0040972D    8D4F 40         LEA ECX,DWORD PTR DS:[EDI+40]
00409730    FF15 98104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00409736    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
00409739    FF15 CC104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040973F    66:8B57 34      MOV DX,WORD PTR DS:[EDI+34]
00409743    B8 02000000     MOV EAX,2
00409748    B9 01000000     MOV ECX,1
0040974D    8985 7CFFFFFF   MOV DWORD PTR SS:[EBP-84],EAX
00409753    8985 6CFFFFFF   MOV DWORD PTR SS:[EBP-94],EAX
00409759    8985 5CFFFFFF   MOV DWORD PTR SS:[EBP-A4],EAX
0040975F    894D 84         MOV DWORD PTR SS:[EBP-7C],ECX
00409762    898D 64FFFFFF   MOV DWORD PTR SS:[EBP-9C],ECX
00409768    8D85 7CFFFFFF   LEA EAX,DWORD PTR SS:[EBP-84]
0040976E    66:8995 74FFFFF>MOV WORD PTR SS:[EBP-8C],DX
00409775    8D8D 6CFFFFFF   LEA ECX,DWORD PTR SS:[EBP-94]
0040977B    50              PUSH EAX
0040977C    8D95 5CFFFFFF   LEA EDX,DWORD PTR SS:[EBP-A4]
00409782    51              PUSH ECX
00409783    8D85 20FFFFFF   LEA EAX,DWORD PTR SS:[EBP-E0]
00409789    52              PUSH EDX
0040978A    8D8D 30FFFFFF   LEA ECX,DWORD PTR SS:[EBP-D0]
00409790    50              PUSH EAX
00409791    8D55 DC         LEA EDX,DWORD PTR SS:[EBP-24]
00409794    51              PUSH ECX
00409795    52              PUSH EDX
00409796    FF15 38104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
0040979C    3BC6            CMP EAX,ESI
0040979E    0F84 BC000000   JE CrackMeV.00409860
004097A4    8D45 BC         LEA EAX,DWORD PTR SS:[EBP-44]
004097A7    8D4D DC         LEA ECX,DWORD PTR SS:[EBP-24]
004097AA    50              PUSH EAX
004097AB    51              PUSH ECX
004097AC    C745 C4 0100000>MOV DWORD PTR SS:[EBP-3C],1
004097B3    C745 BC 0200000>MOV DWORD PTR SS:[EBP-44],2
004097BA    FF15 AC104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
004097C0    8B57 3C         MOV EDX,DWORD PTR DS:[EDI+3C]
004097C3    50              PUSH EAX
004097C4    52              PUSH EDX
004097C5    FF15 50104000   CALL DWORD PTR DS:[<&MSVBVM60.#631>]     ; MSVBVM60.rtcMidCharBstr
004097CB    8BD0            MOV EDX,EAX
004097CD    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
004097D0    FFD3            CALL EBX
004097D2    50              PUSH EAX
004097D3    FF15 24104000   CALL DWORD PTR DS:[<&MSVBVM60.#516>]     ; MSVBVM60.rtcAnsiValueBstr
004097D9    66:6BC0 02      IMUL AX,AX,2
004097DD    8B57 38         MOV EDX,DWORD PTR DS:[EDI+38]
004097E0    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
004097E3    0F80 A1010000   JO CrackMeV.0040998A
004097E9    0FBFF0          MOVSX ESI,AX
004097EC    03F2            ADD ESI,EDX
004097EE    0F80 96010000   JO CrackMeV.0040998A
004097F4    FF15 CC104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004097FA    8D4D BC         LEA ECX,DWORD PTR SS:[EBP-44]
004097FD    FF15 10104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00409803    8B47 40         MOV EAX,DWORD PTR DS:[EDI+40]
00409806    50              PUSH EAX
00409807    56              PUSH ESI
00409808    FF15 0C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
0040980E    8BD0            MOV EDX,EAX
00409810    8D4D D4         LEA ECX,DWORD PTR SS:[EBP-2C]
00409813    FFD3            CALL EBX
00409815    50              PUSH EAX
00409816    FF15 2C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
0040981C    8BD0            MOV EDX,EAX
0040981E    8D4D D0         LEA ECX,DWORD PTR SS:[EBP-30]
00409821    FFD3            CALL EBX
00409823    8BD0            MOV EDX,EAX
00409825    8D4F 40         LEA ECX,DWORD PTR DS:[EDI+40]
00409828    FF15 98104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0040982E    8D4D D0         LEA ECX,DWORD PTR SS:[EBP-30]
00409831    8D55 D4         LEA EDX,DWORD PTR SS:[EBP-2C]
00409834    51              PUSH ECX
00409835    52              PUSH EDX
00409836    6A 02           PUSH 2
00409838    FF15 9C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0040983E    83C4 0C         ADD ESP,0C
00409841    8D85 20FFFFFF   LEA EAX,DWORD PTR SS:[EBP-E0]
00409847    8D8D 30FFFFFF   LEA ECX,DWORD PTR SS:[EBP-D0]
0040984D    8D55 DC         LEA EDX,DWORD PTR SS:[EBP-24]
00409850    50              PUSH EAX
00409851    51              PUSH ECX
00409852    52              PUSH EDX
00409853    FF15 C4104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
00409859    33F6            XOR ESI,ESI
0040985B  ^ E9 3CFFFFFF     JMP CrackMeV.0040979C
00409860    8B07            MOV EAX,DWORD PTR DS:[EDI]
00409862    8D8D 48FFFFFF   LEA ECX,DWORD PTR SS:[EBP-B8]
00409868    51              PUSH ECX
00409869    57              PUSH EDI
0040986A    C785 48FFFFFF 0>MOV DWORD PTR SS:[EBP-B8],1
00409874    FF90 08070000   CALL DWORD PTR DS:[EAX+708]


The last call is the call to the check function to compare.

You can break here:

Code:
00409D31   .  FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp


And figure out any name and serial.


OK, but how do you break? You right-click it, click breakpoint, then there's a few options; what should I do? And when I break it, how would I get the serial for any name?
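The loop Wiccaan points at, re-expressed as Python so the reading of the listing can be checked against a known name/serial pair. This is an added example and not code from the thread or from the crackme's author; key_constant, char_values and serial_from_listing are names chosen here. Two readings of the listing are assumptions: that the 16-bit field at [EDI+34] holds the length of the name, and that ESI is zero at the PUSH ESI before __vbaStrI2 (the CMP EAX,ESI tests and the XOR ESI,ESI at the bottom of the loop suggest it is). Under those assumptions the function reproduces the leading 0 and the seven three-digit groups 215 187 175 175 171 171 197 of the serial Wiccaan posted for his name; the trailing 145 is not produced by this reading, so treat it as a partial reconstruction to verify in the debugger rather than a finished keygen.

```python
# Added example, not code from the thread or the crackme's author: the key-
# generation loop as read from the OllyDbg listing Wiccaan quoted, rewritten
# in Python so the reading can be checked against a known name/serial pair.
#
# Reading of the listing (field meanings are assumptions from context):
#   [EDI+3C] <- UCase(name)                  rtcUpperCaseVar ; __vbaStrCopy
#   [EDI+34]    16-bit value, assumed Len(name)
#   [EDI+38] <- [EDI+34] * 5 + 6             IMUL CX,CX,5 ; ADD CX,6 (JO on overflow)
#   [EDI+40] <- CStr(0)                      PUSH ESI (assumed 0 here) ; __vbaStrI2
#   For i = 1 To [EDI+34]                    __vbaVarForInit / __vbaVarForNext
#       v = Asc(Mid(name, i, 1)) * 2 + [EDI+38]   rtcMidCharBstr ; rtcAnsiValueBstr ;
#                                                 IMUL AX,AX,2 ; MOVSX ESI,AX ; ADD ESI,EDX
#       [EDI+40] <- [EDI+40] & CStr(v)            __vbaStrI4 ; __vbaStrCat ; __vbaStrCopy

INT16_MIN, INT16_MAX = -32768, 32767


def _check_int16(value: int, where: str) -> int:
    """Mirror the JO checks: VB6 Integer arithmetic that overflows raises an error."""
    if not INT16_MIN <= value <= INT16_MAX:
        raise OverflowError(f"16-bit overflow at {where}; the listing jumps to 0040998A")
    return value


def key_constant(name: str) -> int:
    """The value stored at [EDI+38]: Len(name) * 5 + 6 (assuming [EDI+34] = Len(name))."""
    return _check_int16(len(name) * 5 + 6, "ADD CX,6")


def char_values(name: str) -> list[int]:
    """One integer per character of UCase(name): Asc(c) * 2 + key_constant(name).

    Only ASCII names are modelled: rtcAnsiValueBstr returns the ANSI code of the
    character, which equals ord(c) for ASCII input.
    """
    k = key_constant(name)
    values = []
    for c in name.upper():
        doubled = _check_int16(ord(c) * 2, "IMUL AX,AX,2")
        values.append(doubled + k)
    return values


def serial_from_listing(name: str) -> str:
    """CStr(0) followed by the concatenated per-character values, as __vbaStrCat builds it."""
    return "0" + "".join(str(v) for v in char_values(name))


if __name__ == "__main__":
    # The serial Wiccaan posted for "Wiccaan" starts with exactly this string.
    print(serial_from_listing("Wiccaan"))
```

Run it with a name whose serial you already know from the program itself; if the prefix matches but the tail does not, the part of the routine after the quoted listing is where to set the next breakpoint.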
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Wed Mar 12, 2008 12:07 pm

In Olly there are a few columns in the CPU window that show you the code, on the left side that is: Address | Bytes | Code | Comment. Just double-click on the bytes and it will set a breakpoint. You can tell if there's a break on something if the address is highlighted in red after you double-click it. (You can also use F2 to set and remove breakpoints.)
_________________
- Retired.
coder sal
Master Cheater
Reputation: 0

Joined: 11 May 2007
Posts: 304

Posted: Thu Mar 13, 2008 2:29 pm

No, I know that, it's highlighted in red, but how do you find out how the system works and create a keygen with a breakpoint?
HolyBlah
Master Cheater
Reputation: 2

Joined: 24 Aug 2007
Posts: 446

Posted: Thu Mar 13, 2008 2:51 pm

You need to read the ASM code.

That code is hard for a beginner; try something simple like this.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Thu Mar 13, 2008 4:00 pm

Like Holy said, you need to look at the code. Once you understand the flow of ASM, things actually stand out to you, and you can say, "oh hey, I know what that's doing with that number or string."

A pretty simple method to teach yourself how ASM works is making your own crackme using a keygen-style method that encrypts a string and checks for the same thing unencrypted, or something like that. Then debug the code and follow it through to see how it works when it's in machine-level code.

VB changes code a bit though; there will be extra stuff that looks like it shouldn't be there, but that is because of the way the code is compiled. For one, VB will almost always create a new buffer itself to store any value when you manipulate things, before putting it back into the one you intended it to go into.

For example you could do something like:

Code:
Dim a As Long
a = 1 + 1


VB might compile this to use up to 3 variables to handle everything before finally putting the result back into the original buffer.

Pay attention to all the calls and jumps around any code that you think is important. It could jump for specific reasons, like a loop, condition, etc.

_________________
- Retired.
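As an added example (not code from the thread or from the crackme), a small Python script that does the bookkeeping atom0s recommends: it parses OllyDbg listing lines of the form quoted above (address, opcode bytes, instruction, optional ';' comment), lists every CALL together with the import name OllyDbg put in the comment, and finds loops by looking for backward JMPs, reporting the conditional jumps that leave each loop and the calls inside it. The sample listing is a subset of the lines Wiccaan quoted; parse_listing, call_targets and find_loops are names chosen here. The bytes column is recognised as even-length hex tokens (plus the 66: prefix form and the '>' truncation marker), which is enough for this listing; a mnemonic that is itself an even-length hex word, such as FADD, would need a column-based split instead.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the OllyDbg lines quoted earlier in the thread.
SAMPLE_LISTING = """\
0040965F    8B0F            MOV ECX,DWORD PTR DS:[EDI]
00409662    FF91 08030000   CALL DWORD PTR DS:[ECX+308]
0040966D    FF15 3C104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00409686    7D 12           JGE SHORT CrackMeV.0040969A
004096AB    C745 BC 0800000>MOV DWORD PTR SS:[EBP-44],8
004096CD    FFD3            CALL EBX                                 ; <&MSVBVM60.__vbaStrMove>
00409703    66:6BC9 05      IMUL CX,CX,5
00409707    0F80 7D020000   JO CrackMeV.0040998A
00409796    FF15 38104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
0040979C    3BC6            CMP EAX,ESI
0040979E    0F84 BC000000   JE CrackMeV.00409860
004097C5    FF15 50104000   CALL DWORD PTR DS:[<&MSVBVM60.#631>]     ; MSVBVM60.rtcMidCharBstr
004097D3    FF15 24104000   CALL DWORD PTR DS:[<&MSVBVM60.#516>]     ; MSVBVM60.rtcAnsiValueBstr
00409853    FF15 C4104000   CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
0040985B  ^ E9 3CFFFFFF     JMP CrackMeV.0040979C
00409874    FF90 08070000   CALL DWORD PTR DS:[EAX+708]
00409D31   .  FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp
"""

# One opcode-bytes token: even-length hex ("8B0F", "08030000") or prefix form ("66:8B4F").
HEX_TOKEN = r"(?:[0-9A-F]{2}(?:[0-9A-F]{2})*|[0-9A-F]{2}:[0-9A-F]+)"
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+[.^]?\s*"           # address, optional '.' / '^' marker
    rf"(?P<bytes>{HEX_TOKEN}(?:\s+{HEX_TOKEN})*)"  # opcode bytes
    r"(?:\s*[0-9A-F]*>|\s+)"                       # '>' marks a bytes column OllyDbg cut off
    r"(?P<text>[A-Z]{2,}.*)$"                      # mnemonic, operands, optional ';' comment
)


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: str
    comment: str  # OllyDbg's analysis comment, e.g. the resolved import name


def parse_listing(text: str) -> list[Insn]:
    """Parse listing lines; lines that do not look like instructions are skipped."""
    insns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        body, _, comment = m.group("text").partition(";")
        mnemonic, _, operands = body.strip().partition(" ")
        insns.append(Insn(int(m.group("addr"), 16), mnemonic, operands.strip(), comment.strip()))
    return insns


def _branch_target(operands: str):
    """'SHORT CrackMeV.0040969A' -> 0x0040969A; None for register or indirect targets."""
    m = re.search(r"([0-9A-F]{8})$", operands)
    return int(m.group(1), 16) if m else None


def call_targets(insns: list[Insn]) -> list[tuple[int, str]]:
    """(address, callee) for each CALL; the comment, when present, names the import."""
    result = []
    for i in insns:
        if i.mnemonic == "CALL":
            name = i.comment.lstrip("<&").rstrip(">") if i.comment else i.operands
            result.append((i.addr, name))
    return result


def find_loops(insns: list[Insn]) -> list[dict]:
    """A backward unconditional JMP delimits a loop [target, jmp]; conditional
    jumps inside that range landing outside it are the loop's exits."""
    loops = []
    for i in insns:
        if i.mnemonic != "JMP":
            continue
        start = _branch_target(i.operands)
        if start is None or start >= i.addr:
            continue
        end = i.addr
        exits = []
        for j in insns:
            if j.mnemonic.startswith("J") and j.mnemonic != "JMP" and start <= j.addr <= end:
                tgt = _branch_target(j.operands)
                if tgt is not None and not start <= tgt <= end:
                    exits.append((j.addr, tgt))
        calls = [name for addr, name in call_targets(insns) if start <= addr <= end]
        loops.append({"start": start, "end": end, "exits": exits, "calls": calls})
    return loops


if __name__ == "__main__":
    for loop in find_loops(parse_listing(SAMPLE_LISTING)):
        print(f"loop {loop['start']:08X}-{loop['end']:08X} "
              f"exits={loop['exits']} calls={loop['calls']}")
```

On the sample this reports one loop from 0040979C to 0040985B, left by the JE to 00409860, whose body calls rtcMidCharBstr, rtcAnsiValueBstr and __vbaVarForNext: a VB For loop walking the name one character at a time, which is the shape atom0s says to look for before reading the arithmetic in between.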
Labyrnth
Moderator
Reputation: 9

Joined: 28 Nov 2006
Posts: 6285

Posted: Mon Mar 17, 2008 8:19 pm

If you do a Google search for some tutorials.

Lena's Tutorials, you will learn a lot.

coder sal
Master Cheater
Reputation: 0

Joined: 11 May 2007
Posts: 304

Posted: Wed May 14, 2008 10:41 am

Labyrnth wrote:
If you do a Google search for some tutorials.

Lena's Tutorials, you will learn a lot.


Whoa, I saw one of the Lena Tutorials, and now I think my head is going to explode lol.
All times are GMT - 6 Hours