Cheat Engine :: The Official Site of Cheat Engine
slippppppppp (Grandmaster Cheater)
Reputation: 0 | Joined: 08 Aug 2006 | Posts: 929

Posted: Sun May 04, 2008 9:34 pm    Post subject: A Crackme

I'm trying to find different simple methods to trick people.

atom0s (Moderator)
Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8587 | Location: 127.0.0.1

Posted: Sun May 04, 2008 9:46 pm

Password: 44
_________________
- Retired.

slippppppppp (Grandmaster Cheater)
Reputation: 0 | Joined: 08 Aug 2006 | Posts: 929

Posted: Sun May 04, 2008 10:16 pm

How'd you get it?

atom0s (Moderator)
Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8587 | Location: 127.0.0.1

Posted: Mon May 05, 2008 12:23 am

Open in Olly. Look for the "good boy" message, which in this case is:

004091A7    BA 20924000     MOV EDX,Project1.00409220                ; ASCII " |/\| 1 |\| "

Above it is a conditional jump, and before that a call. Break on the call. The stack contains your inputted password, and the real password to compare to.

eax = inputted password
edx = real password
_________________
- Retired.

Ajax (Grandmaster Cheater Supreme)
Reputation: 0 | Joined: 28 Jan 2008 | Posts: 1545

Posted: Sun May 11, 2008 2:50 pm

Wow, amazing..
_________________
http://forum.cheatengine.org/search.php < The almighty power of this forum =]
Every time someone uses my siggy, a noob dies, and a human being is born.

Drivers are always the answer to everything.

Labyrnth (Moderator)
Reputation: 10 | Joined: 28 Nov 2006 | Posts: 6301

Posted: Sun May 11, 2008 3:07 pm

Already been cracked, but here is some more for others to look at.

JCC to patch it (such as Wicc noted):
----------------
004091A0  |. /75 2A         JNZ SHORT Project1.004091CC

Using Incorrect Password: You can see how the code runs.
-------------------------------------------------------------------

Code:
00409134 >/$  55            PUSH EBP
00409135  |.  8BEC          MOV EBP,ESP
 00409137  |.  83C4 EC       ADD ESP,-14
 0040913A  |.  53            PUSH EBX
 0040913B  |.  33C0          XOR EAX,EAX                              ;  Project1.0040B048
 0040913D  |.  8945 EC       MOV DWORD PTR SS:[EBP-14],EAX            ;  Project1.0040B048
 00409140  |.  A1 9CAA4000   MOV EAX,DWORD PTR DS:[40AA9C]
 00409145  |.  C600 01       MOV BYTE PTR DS:[EAX],1
 00409148  |.  B8 488B4000   MOV EAX,Project1.00408B48
 0040914D  |.  E8 6EC1FFFF   CALL Project1.004052C0
 00409152  |.  33C0          XOR EAX,EAX                              ;  Project1.0040B048
 00409154  |.  55            PUSH EBP
 00409155  |.  68 0A924000   PUSH Project1.0040920A
 0040915A  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
 0040915D  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
 00409160  |.  6A 00         PUSH 0                                   ; /Action = 0
 00409162  |.  6A 5A         PUSH 5A                                  ; |Key = 5A
 00409164  |.  E8 A3C4FFFF   CALL <JMP.&user32.MapVirtualKeyA>        ; \MapVirtualKeyA
 00409169  |.  8BD8          MOV EBX,EAX                              ;  Project1.0040B048
 0040916B  |.  BA 20E24000   MOV EDX,Project1.0040E220
 00409170  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 00409175  |.  E8 FEA0FFFF   CALL Project1.00403278
 0040917A  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 0040917F  |.  E8 60A1FFFF   CALL Project1.004032E4
 00409184  |.  E8 4F9AFFFF   CALL Project1.00402BD8
 00409189  |.  8D55 EC       LEA EDX,DWORD PTR SS:[EBP-14]
 0040918C  |.  8BC3          MOV EAX,EBX
 0040918E  |.  E8 31CFFFFF   CALL Project1.004060C4
 00409193  |.  8B55 EC       MOV EDX,DWORD PTR SS:[EBP-14]
 00409196  |.  A1 20E24000   MOV EAX,DWORD PTR DS:[40E220]
 0040919B  |.  E8 CCB5FFFF   CALL Project1.0040476C
 004091A0  |.  75 2A         JNZ SHORT Project1.004091CC
 004091CC  |> \A1 F0A94000   MOV EAX,DWORD PTR DS:[40A9F0]
 004091D1  |.  BA 38924000   MOV EDX,Project1.00409238                ;  ASCII " 1053 "
 004091D6  |.  E8 E5B6FFFF   CALL Project1.004048C0
 004091DB  |.  E8 1CA3FFFF   CALL Project1.004034FC
 004091E0  |.  E8 F399FFFF   CALL Project1.00402BD8
 004091E5  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 004091EA  |.  E8 F5A0FFFF   CALL Project1.004032E4

Using Correct Password: You can see how the code runs.
-------------------------------------------------------------------

Code:
00409135  |.  8BEC          MOV EBP,ESP
00409137  |.  83C4 EC       ADD ESP,-14
 0040913A  |.  53            PUSH EBX
 0040913B  |.  33C0          XOR EAX,EAX                              ;  Project1.0040B048
 0040913D  |.  8945 EC       MOV DWORD PTR SS:[EBP-14],EAX            ;  Project1.0040B048
 00409140  |.  A1 9CAA4000   MOV EAX,DWORD PTR DS:[40AA9C]
 00409145  |.  C600 01       MOV BYTE PTR DS:[EAX],1
 00409148  |.  B8 488B4000   MOV EAX,Project1.00408B48
 0040914D  |.  E8 6EC1FFFF   CALL Project1.004052C0
 00409152  |.  33C0          XOR EAX,EAX                              ;  Project1.0040B048
 00409154  |.  55            PUSH EBP
 00409155  |.  68 0A924000   PUSH Project1.0040920A
 0040915A  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
 0040915D  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
 00409160  |.  6A 00         PUSH 0                                   ; /Action = 0
 00409162  |.  6A 5A         PUSH 5A                                  ; |Key = 5A
 00409164  |.  E8 A3C4FFFF   CALL <JMP.&user32.MapVirtualKeyA>        ; \MapVirtualKeyA
 00409169  |.  8BD8          MOV EBX,EAX                              ;  Project1.0040B048
 0040916B  |.  BA 20E24000   MOV EDX,Project1.0040E220
 00409170  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 00409175  |.  E8 FEA0FFFF   CALL Project1.00403278
 0040917A  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 0040917F  |.  E8 60A1FFFF   CALL Project1.004032E4
 00409184  |.  E8 4F9AFFFF   CALL Project1.00402BD8
 00409189  |.  8D55 EC       LEA EDX,DWORD PTR SS:[EBP-14]
 0040918C  |.  8BC3          MOV EAX,EBX
 0040918E  |.  E8 31CFFFFF   CALL Project1.004060C4
 00409193  |.  8B55 EC       MOV EDX,DWORD PTR SS:[EBP-14]
 00409196  |.  A1 20E24000   MOV EAX,DWORD PTR DS:[40E220]
 0040919B  |.  E8 CCB5FFFF   CALL Project1.0040476C
 004091A0  |.  75 2A         JNZ SHORT Project1.004091CC
 004091A2  |.  A1 F0A94000   MOV EAX,DWORD PTR DS:[40A9F0]
 004091A7  |.  BA 20924000   MOV EDX,Project1.00409220                ;  ASCII " |/\| 1 |\| "
 004091AC  |.  E8 0FB7FFFF   CALL Project1.004048C0
 004091B1  |.  E8 46A3FFFF   CALL Project1.004034FC
 004091B6  |.  E8 1D9AFFFF   CALL Project1.00402BD8
 004091BB  |.  A1 5CAA4000   MOV EAX,DWORD PTR DS:[40AA5C]
 004091C0  |.  E8 1FA1FFFF   CALL Project1.004032E4
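The procedure atom0s describes (find the good-boy string, step up to the conditional jump, then to the call before it) and the JNZ that Labyrnth singles out can be located mechanically from the listing. The following is an added example, not code from the thread or from Cheat Engine or OllyDbg: it parses a few lines copied from Labyrnth's listing (embedded below as constructed sample input), walks back from the good-boy string to the Jcc and then to the CALL, and decodes each displacement from the raw bytes so the targets Olly printed (004091CC and 0040476C) are confirmed rather than trusted. All function and type names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the lines of Labyrnth's listing around the check,
# copied from the thread (addresses, bytes and Olly's comments unchanged).
LISTING = r"""
00409193  |.  8B55 EC       MOV EDX,DWORD PTR SS:[EBP-14]
00409196  |.  A1 20E24000   MOV EAX,DWORD PTR DS:[40E220]
0040919B  |.  E8 CCB5FFFF   CALL Project1.0040476C
004091A0  |.  75 2A         JNZ SHORT Project1.004091CC
004091A2  |.  A1 F0A94000   MOV EAX,DWORD PTR DS:[40A9F0]
004091A7  |.  BA 20924000   MOV EDX,Project1.00409220                ;  ASCII " |/\| 1 |\| "
004091AC  |.  E8 0FB7FFFF   CALL Project1.004048C0
004091CC  |> \A1 F0A94000   MOV EAX,DWORD PTR DS:[40A9F0]
004091D1  |.  BA 38924000   MOV EDX,Project1.00409238                ;  ASCII " 1053 "
"""

# One Olly line: address, flow markers (|. |> >/$ plus / or \ jump arrows),
# opcode bytes, instruction, optional "; comment".  Olly pads the byte column
# with at least two spaces before the instruction, which \s{2,} relies on.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"
    r"(?:[|>][.>/$]*\s+)?[/\\]?"
    r"(?P<bytes>[0-9A-F:]+(?: [0-9A-F:]+)*)\s{2,}"
    r"(?P<ins>[^;]+?)\s*"
    r"(?:;\s*(?P<comment>.*))?$"
)


@dataclass
class Insn:
    addr: int
    raw: bytes      # opcode bytes as Olly shows them
    text: str       # mnemonic and operands
    comment: str    # Olly's analysis comment, e.g. ASCII "..."

    @property
    def mnemonic(self) -> str:
        return self.text.split()[0]


def parse_listing(listing: str) -> List[Insn]:
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            raw = bytes.fromhex(m["bytes"].replace(":", "").replace(" ", ""))
            insns.append(Insn(int(m["addr"], 16), raw, m["ins"].strip(), m["comment"] or ""))
    return insns


def branch_target(insn: Insn) -> Optional[int]:
    """Target of a short Jcc (7x rel8) or near CALL (E8 rel32), decoded from the
    bytes: address of the next instruction plus the signed displacement."""
    op = insn.raw[0]
    if 0x70 <= op <= 0x7F and len(insn.raw) == 2:
        return insn.addr + 2 + int.from_bytes(insn.raw[1:], "little", signed=True)
    if op == 0xE8 and len(insn.raw) == 5:
        return insn.addr + 5 + int.from_bytes(insn.raw[1:], "little", signed=True)
    return None


@dataclass
class CheckSite:
    good_boy_addr: int   # where the success string is loaded
    jcc_addr: int        # conditional jump that picks good boy / bad boy
    jcc_mnemonic: str
    jcc_target: int      # where the jump lands when taken (the bad-boy path here)
    call_addr: int       # the compare call to break on: EAX = typed, EDX = real
    call_target: int


def find_check(insns: List[Insn], good_boy: str) -> CheckSite:
    hits = [i for i, x in enumerate(insns) if good_boy in x.comment]
    if not hits:
        raise ValueError("good-boy string is not referenced in this listing")
    j = hits[0]                       # walk up to the nearest conditional jump
    while j >= 0 and not (insns[j].mnemonic.startswith("J") and insns[j].mnemonic != "JMP"):
        j -= 1
    if j < 0:
        raise ValueError("no conditional jump above the good-boy reference")
    c = j                             # then up to the nearest CALL (the compare)
    while c >= 0 and insns[c].mnemonic != "CALL":
        c -= 1
    if c < 0:
        raise ValueError("no CALL above the conditional jump")
    jcc, call = insns[j], insns[c]
    targets = []
    for insn in (jcc, call):
        decoded = branch_target(insn)
        shown = int(insn.text.rsplit(".", 1)[-1], 16)   # "Project1.004091CC" -> 0x4091CC
        if decoded != shown:
            raise ValueError(f"{insn.addr:08X}: bytes decode to {decoded}, Olly shows {shown:08X}")
        targets.append(decoded)
    return CheckSite(insns[hits[0]].addr, jcc.addr, jcc.mnemonic, targets[0], call.addr, targets[1])


if __name__ == "__main__":
    site = find_check(parse_listing(LISTING), "|/\\| 1 |\\|")
    print(f"break on CALL at {site.call_addr:08X} (-> {site.call_target:08X}); "
          f"{site.jcc_mnemonic} at {site.jcc_addr:08X} jumps to {site.jcc_target:08X} when taken")
```

The displacement check matters: 75 2A from 004091A0 is 004091A0 + 2 + 0x2A = 004091CC, and E8 CCB5FFFF from 0040919B is 004091A0 - 0x4A34 = 0040476C, both agreeing with the operands, so the break address the thread argues about can be derived from bytes alone.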
coder sal (Master Cheater)
Reputation: 0 | Joined: 11 May 2007 | Posts: 304

Posted: Thu May 15, 2008 4:23 pm

Wiccaan wrote:
    Open in Olly. Look for "good boy" message which in this case is:
    004091A7    BA 20924000     MOV EDX,Project1.00409220                ; ASCII " |/\| 1 |\| "

    Above it is a conditional jump, and before that a call. Break on the call. The stack contains your inputted password, and the real password to compare to.

    eax = inputted password
    edx = real password

I followed your instructions:

But IDK what to do now to find out the password. I see the EDX, but what should I do with it?

slippppppppp (Grandmaster Cheater)
Reputation: 0 | Joined: 08 Aug 2006 | Posts: 929

Posted: Thu May 15, 2008 5:24 pm

You set a breakpoint on the wrong address.

coder sal (Master Cheater)
Reputation: 0 | Joined: 11 May 2007 | Posts: 304

Posted: Thu May 15, 2008 5:28 pm

slippppppppp wrote:
    You set a breakpoint on the wrong address.

How is it wrong? It's 2 addresses above "00409220".

Labyrnth (Moderator)
Reputation: 10 | Joined: 28 Nov 2006 | Posts: 6301

Posted: Thu May 15, 2008 8:32 pm

Slip is right, you set a break on the wrong address.
You are breaking on the wrong address. Look where I have a BP set.
And look where you are... ???

Once you break on the call, you look in the registers window.
You will see what you typed and what the real one is.
The stack will have the real one as well.
I typed AA, real is 44

coder sal (Master Cheater)
Reputation: 0 | Joined: 11 May 2007 | Posts: 304

Posted: Fri May 16, 2008 5:38 am

Labyrnth wrote:
    Slip is right, you set a break on the wrong address.
    You are breaking on the wrong address. Look where I have a BP set.
    And look where you are... ???

    Once you break on the call, you look in the registers window.
    You will see what you typed and what the real one is.
    The stack will have the real one as well.
    I typed AA, real is 44

Wow, thanks, that really helped.

nwongfeiying (Grandmaster Cheater)
Reputation: 2 | Joined: 25 Jun 2007 | Posts: 695

Posted: Fri May 16, 2008 9:00 am

Labyrnth wrote:
    [Labyrnth's full post above, "Already been cracked, but here is some more for others to look at", quoted in its entirety]

Is it possible just to assemble the program and compare the inputted password with the inputted password, or is JCC the only method?

Labyrnth (Moderator)
Reputation: 10 | Joined: 28 Nov 2006 | Posts: 6301

Posted: Fri May 16, 2008 9:44 am

Sure can.
If you go into the call you will see a compare:
0040919B    E8 CCB5FFFF     CALL Project1.0040476C

00404773   .  39D0          CMP EAX,EDX
EDX=00A14E78, (ASCII "44")
EAX=00A14E68, (ASCII "AA")

You can do CMP EAX,EAX and it will work with anything you type in because it is comparing it to itself lol

PS: Please do not quote large posts, just direct your question to the person like: @ Labyrnth

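Labyrnth's two patch options, NOP the JNZ so the good-boy path always runs, or turn CMP EAX,EDX into CMP EAX,EAX so the compare always sets ZF, as an added example that is not code from the thread or from any tool it mentions. It holds the bytes shown in the listing in two small constructed image windows and refuses any patch whose original bytes do not match what is expected, which is how an off-by-a-few-lines address (the mistake made earlier in the thread) gets caught before it corrupts unrelated code. The ModRM encoder shows why 39 D0 is CMP EAX,EDX and 39 C0 is CMP EAX,EAX. All names, the window layout and the PatchError type are the example's own.

```python
class PatchError(Exception):
    pass


def apply_patch(image: bytes, image_base: int, va: int, expected: bytes, new: bytes) -> bytes:
    """Return a copy of `image` (loaded at `image_base`) with `new` written at
    virtual address `va`.  Refuses if the bytes there are not `expected`, or if
    the lengths differ: an in-place patch must not shift the code after it."""
    if len(expected) != len(new):
        raise PatchError("replacement must be the same length as the original bytes")
    off = va - image_base
    if off < 0 or off + len(expected) > len(image):
        raise PatchError(f"{va:08X} lies outside the image window")
    found = image[off:off + len(expected)]
    if found != expected:
        raise PatchError(f"expected {expected.hex()} at {va:08X}, found {found.hex()}")
    return image[:off] + new + image[off + len(new):]


REG32 = {"EAX": 0, "ECX": 1, "EDX": 2, "EBX": 3, "ESP": 4, "EBP": 5, "ESI": 6, "EDI": 7}


def cmp_rr(dst: str, src: str) -> bytes:
    """Encode CMP dst,src: opcode 39 /r with a register-direct ModRM byte
    (mod=11, reg=src, rm=dst).  39 D0 = CMP EAX,EDX, 39 C0 = CMP EAX,EAX."""
    return bytes([0x39, 0xC0 | (REG32[src] << 3) | REG32[dst]])


# Constructed image windows holding the bytes exactly as the listing shows them:
# the CALL/JNZ pair starting at 0040919B, and the CMP inside the compare routine
# at 00404773.  (Base address, bytes.)
CHECK_WINDOW = (0x0040919B, bytes.fromhex("E8 CCB5FFFF 75 2A A1 F0A94000 BA 20924000"))
CMP_WINDOW = (0x00404773, cmp_rr("EAX", "EDX"))


def nop_jnz(image: bytes, base: int) -> bytes:
    # 75 2A -> 90 90: never jump to the bad boy, always fall through to " |/\| 1 |\| "
    return apply_patch(image, base, 0x004091A0, bytes.fromhex("752A"), b"\x90\x90")


def compare_to_self(image: bytes, base: int) -> bytes:
    # 39 D0 -> 39 C0: CMP EAX,EDX becomes CMP EAX,EAX, so the result is always "equal"
    return apply_patch(image, base, 0x00404773, cmp_rr("EAX", "EDX"), cmp_rr("EAX", "EAX"))


if __name__ == "__main__":
    base, img = CHECK_WINDOW
    print("patched:", nop_jnz(img, base).hex(" "))
    try:  # two bytes off, as in the thread: the original-byte check refuses it
        apply_patch(img, base, 0x004091A2, bytes.fromhex("752A"), b"\x90\x90")
    except PatchError as e:
        print("refused:", e)
```

Either patch alone is enough; the JNZ patch is the smaller change and stays inside the form's own code, while the CMP patch changes a shared string-compare routine, so anything else calling 0040476C would also start comparing equal.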
nwongfeiying (Grandmaster Cheater)
Reputation: 2 | Joined: 25 Jun 2007 | Posts: 695

Posted: Fri May 16, 2008 5:16 pm

All right, thanks.