Cheat Engine The Official Site of Cheat Engine
coder sal Master Cheater Reputation: 0
Joined: 11 May 2007 Posts: 304
|
Posted: Tue Mar 11, 2008 2:46 pm Post subject: Wiccaan, Labrynth, or anyone else- I need breakpoint help |
|
|
Ok I went on Tuts4you and I learned a few things but I still need help with Gunner's keygenme/crackme, here I quoted what you said.
Wiccaan wrote: | This is more of a keygen me than anything. After looking through this I can't say I found the anti-debug you put in it. There is no call to any debugging API, no checks for processes or window names, etc. So whatever it is, it's not to prevent debugging apparently lol.
As for the serial to my name, Lab, the one you posted is wrong. My name and serial would be:
Name: Wiccaan
Serial: 0215187175175171171197145
You missed some numbers. Might be the same case for your others.
The key generation is here:
Code: | 0040965F 8B0F MOV ECX,DWORD PTR DS:[EDI]
00409661 57 PUSH EDI
00409662 FF91 08030000 CALL DWORD PTR DS:[ECX+308]
00409668 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0040966B 50 PUSH EAX
0040966C 52 PUSH EDX
0040966D FF15 3C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00409673 8BD8 MOV EBX,EAX
00409675 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00409678 51 PUSH ECX
00409679 53 PUSH EBX
0040967A 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040967C FF90 A0000000 CALL DWORD PTR DS:[EAX+A0]
00409682 3BC6 CMP EAX,ESI
00409684 DBE2 FCLEX
00409686 7D 12 JGE SHORT CrackMeV.0040969A
00409688 68 A0000000 PUSH 0A0
0040968D 68 FC914000 PUSH CrackMeV.004091FC
00409692 53 PUSH EBX
00409693 50 PUSH EAX
00409694 FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040969A 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
0040969D 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004096A0 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
004096A3 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004096A6 52 PUSH EDX
004096A7 50 PUSH EAX
004096A8 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
004096AB C745 BC 0800000>MOV DWORD PTR SS:[EBP-44],8
004096B2 FF15 5C104000 CALL DWORD PTR DS:[<&MSVBVM60.#528>] ; MSVBVM60.rtcUpperCaseVar
004096B8 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004096BB 51 PUSH ECX
004096BC FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>; MSVBVM60.__vbaStrVarMove
004096C2 8B1D B8104000 MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrMove
004096C8 8BD0 MOV EDX,EAX
004096CA 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
004096CD FFD3 CALL EBX ; <&MSVBVM60.__vbaStrMove>
004096CF 8BD0 MOV EDX,EAX
004096D1 8D4F 3C LEA ECX,DWORD PTR DS:[EDI+3C]
004096D4 FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
004096DA 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
004096DD FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004096E3 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
004096E6 FF15 D0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
004096EC 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004096EF 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004096F2 52 PUSH EDX
004096F3 50 PUSH EAX
004096F4 6A 02 PUSH 2
004096F6 FF15 1C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
004096FC 66:8B4F 34 MOV CX,WORD PTR DS:[EDI+34]
00409700 83C4 0C ADD ESP,0C
00409703 66:6BC9 05 IMUL CX,CX,5
00409707 0F80 7D020000 JO CrackMeV.0040998A
0040970D 66:83C1 06 ADD CX,6
00409711 56 PUSH ESI
00409712 0F80 72020000 JO CrackMeV.0040998A
00409718 0FBFD1 MOVSX EDX,CX
0040971B 8957 38 MOV DWORD PTR DS:[EDI+38],EDX
0040971E FF15 00104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI2>; MSVBVM60.__vbaStrI2
00409724 8BD0 MOV EDX,EAX
00409726 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00409729 FFD3 CALL EBX
0040972B 8BD0 MOV EDX,EAX
0040972D 8D4F 40 LEA ECX,DWORD PTR DS:[EDI+40]
00409730 FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00409736 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00409739 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
0040973F 66:8B57 34 MOV DX,WORD PTR DS:[EDI+34]
00409743 B8 02000000 MOV EAX,2
00409748 B9 01000000 MOV ECX,1
0040974D 8985 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EAX
00409753 8985 6CFFFFFF MOV DWORD PTR SS:[EBP-94],EAX
00409759 8985 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EAX
0040975F 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
00409762 898D 64FFFFFF MOV DWORD PTR SS:[EBP-9C],ECX
00409768 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
0040976E 66:8995 74FFFFF>MOV WORD PTR SS:[EBP-8C],DX
00409775 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
0040977B 50 PUSH EAX
0040977C 8D95 5CFFFFFF LEA EDX,DWORD PTR SS:[EBP-A4]
00409782 51 PUSH ECX
00409783 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00409789 52 PUSH EDX
0040978A 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
00409790 50 PUSH EAX
00409791 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00409794 51 PUSH ECX
00409795 52 PUSH EDX
00409796 FF15 38104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForInit
0040979C 3BC6 CMP EAX,ESI
0040979E 0F84 BC000000 JE CrackMeV.00409860
004097A4 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004097A7 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004097AA 50 PUSH EAX
004097AB 51 PUSH ECX
004097AC C745 C4 0100000>MOV DWORD PTR SS:[EBP-3C],1
004097B3 C745 BC 0200000>MOV DWORD PTR SS:[EBP-44],2
004097BA FF15 AC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Var>; MSVBVM60.__vbaI4Var
004097C0 8B57 3C MOV EDX,DWORD PTR DS:[EDI+3C]
004097C3 50 PUSH EAX
004097C4 52 PUSH EDX
004097C5 FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.#631>] ; MSVBVM60.rtcMidCharBstr
004097CB 8BD0 MOV EDX,EAX
004097CD 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004097D0 FFD3 CALL EBX
004097D2 50 PUSH EAX
004097D3 FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.#516>] ; MSVBVM60.rtcAnsiValueBstr
004097D9 66:6BC0 02 IMUL AX,AX,2
004097DD 8B57 38 MOV EDX,DWORD PTR DS:[EDI+38]
004097E0 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004097E3 0F80 A1010000 JO CrackMeV.0040998A
004097E9 0FBFF0 MOVSX ESI,AX
004097EC 03F2 ADD ESI,EDX
004097EE 0F80 96010000 JO CrackMeV.0040998A
004097F4 FF15 CC104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004097FA 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004097FD FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00409803 8B47 40 MOV EAX,DWORD PTR DS:[EDI+40]
00409806 50 PUSH EAX
00409807 56 PUSH ESI
00409808 FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>; MSVBVM60.__vbaStrI4
0040980E 8BD0 MOV EDX,EAX
00409810 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00409813 FFD3 CALL EBX
00409815 50 PUSH EAX
00409816 FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCa>; MSVBVM60.__vbaStrCat
0040981C 8BD0 MOV EDX,EAX
0040981E 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00409821 FFD3 CALL EBX
00409823 8BD0 MOV EDX,EAX
00409825 8D4F 40 LEA ECX,DWORD PTR DS:[EDI+40]
00409828 FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
0040982E 8D4D D0 LEA ECX,DWORD PTR SS:[EBP-30]
00409831 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00409834 51 PUSH ECX
00409835 52 PUSH EDX
00409836 6A 02 PUSH 2
00409838 FF15 9C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStrList
0040983E 83C4 0C ADD ESP,0C
00409841 8D85 20FFFFFF LEA EAX,DWORD PTR SS:[EBP-E0]
00409847 8D8D 30FFFFFF LEA ECX,DWORD PTR SS:[EBP-D0]
0040984D 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00409850 50 PUSH EAX
00409851 51 PUSH ECX
00409852 52 PUSH EDX
00409853 FF15 C4104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarFo>; MSVBVM60.__vbaVarForNext
00409859 33F6 XOR ESI,ESI
0040985B ^ E9 3CFFFFFF JMP CrackMeV.0040979C
00409860 8B07 MOV EAX,DWORD PTR DS:[EDI]
00409862 8D8D 48FFFFFF LEA ECX,DWORD PTR SS:[EBP-B8]
00409868 51 PUSH ECX
00409869 57 PUSH EDI
0040986A C785 48FFFFFF 0>MOV DWORD PTR SS:[EBP-B8],1
00409874 FF90 08070000 CALL DWORD PTR DS:[EAX+708] |
The last call is the call to the check function to compare.
You can break here:
Code: | 00409D31 . FF15 60104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp |
And figure out any name and serial. |
Ok, but how do you break? You right click it, click breakpoint, then there's a few options; what should I do? And when I break it, how would I get the serial for any name?
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
|
Posted: Wed Mar 12, 2008 12:07 pm Post subject: |
|
|
In Olly there are a few columns in the CPU window that show you the code, on the left side that is. Address | Bytes | Code | Comment, just double click on the bytes and it will set a breakpoint. You can tell if there's a break on something if the address is highlighted in red after you double click it. (You can also use F2 to set and remove breakpoints.)
_________________
- Retired. |
coder sal Master Cheater Reputation: 0
Joined: 11 May 2007 Posts: 304
|
Posted: Thu Mar 13, 2008 2:29 pm Post subject: |
|
|
No, I know that, it's highlighted in red, but how do you find out how the system works and create a keygen with a breakpoint?
HolyBlah Master Cheater Reputation: 2
Joined: 24 Aug 2007 Posts: 446
|
Posted: Thu Mar 13, 2008 2:51 pm Post subject: |
|
|
You need to read the ASM code.
That code is hard for a beginner, try something simple like this.
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
|
Posted: Thu Mar 13, 2008 4:00 pm Post subject: |
|
|
Like Holy said, you need to look at the code. Once you understand the flow of ASM, things actually stand out to you, and you can say, oh hey, I know what that's doing with that number or string.
A pretty simple method to teach yourself how ASM works is making your own crackme using a keygen style method that encrypts a string and checks for the same thing unencrypted or something. Then debug the code and follow it through to see how it works when it's in machine level code.
VB changes code a bit though, there will be extra stuff that looks like it shouldn't be there, but that is because it is the way the code is compiled. VB will almost always create a new buffer itself to store any value when you manipulate things before putting it back into the one you intended it to go into, for one.
For example you could do something like:
Code: | Dim a as Long
a = 1 + 1 |
VB might compile this to use up to 3 variables to handle everything before finally putting the result back into the original buffer.
Pay attention to all the calls and jumps around any code that you think is important. It could jump for specific reasons, like a loop, condition, etc.
_________________
- Retired. |
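Reading the listing quoted in the first post the way the replies suggest (following the calls, the loop and the arithmetic between them) gives the routine below. It is an added example, not code from any poster or from the crackme's author: it transcribes only the instructions visible in that listing, assumes the word at [EDI+34] is the name length, and uses hypothetical function names. The posted serial ends in three further digits that the quoted listing does not show being produced, so the function reproduces only the part before them.

```python
# Added example: the arithmetic visible in the quoted listing, in Python.
# Assumption: the word at [EDI+34] is the name length (it is also the loop limit).

POSTED_NAME = "Wiccaan"                       # name given in the quoted post
POSTED_SERIAL = "0215187175175171171197145"   # serial given in the quoted post


def to_i16(value: int) -> int:
    """Model the 16-bit IMUL/ADD followed by JO: signed overflow is an error."""
    if not -0x8000 <= value <= 0x7FFF:
        raise OverflowError("JO taken: 16-bit signed overflow")
    return value


def seed_from_length(length: int) -> int:
    # 004096FC..0040971B: CX = [EDI+34]; IMUL CX,CX,5; ADD CX,6; [EDI+38] = CX
    return to_i16(to_i16(length * 5) + 6)


def serial_part_from_listing(name: str) -> str:
    """Return the string the quoted loop builds in [EDI+40] for an ASCII name."""
    if not name.isascii():
        # rtcAnsiValueBstr depends on the ANSI code page; only ASCII is modelled.
        raise ValueError("only ASCII names are modelled")
    upper = name.upper()                 # 004096B2: rtcUpperCaseVar -> [EDI+3C]
    seed = seed_from_length(len(upper))
    out = str(0)                         # 00409711/0040971E: __vbaStrI2(0) -> [EDI+40]
    for ch in upper:                     # __vbaVarForInit/Next: 1..length, step 1
        code = ord(ch)                   # rtcMidCharBstr, then rtcAnsiValueBstr
        term = to_i16(code * 2) + seed   # 004097D9 IMUL AX,AX,2; 004097EC ADD ESI,EDX
        out += str(term)                 # __vbaStrI4, then __vbaStrCat -> [EDI+40]
    return out


if __name__ == "__main__":
    part = serial_part_from_listing(POSTED_NAME)
    print(part, POSTED_SERIAL.startswith(part))
```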
Labyrnth Moderator Reputation: 9
Joined: 28 Nov 2006 Posts: 6285
|
Posted: Mon Mar 17, 2008 8:19 pm Post subject: |
|
|
If you do a Google search for some tutorials.
Lena's Tutorials, you will learn a lot.
coder sal Master Cheater Reputation: 0
Joined: 11 May 2007 Posts: 304
|
Posted: Wed May 14, 2008 10:41 am Post subject: |
|
|
Labyrnth wrote: | If you do a Google search for some tutorials.
Lena's Tutorials, you will learn a lot. |
Whoa, I saw one of the Lena Tutorials, and now I think my head is going to explode lol.