DoomsDay (Grandmaster Cheater, Reputation: 0, Joined: 06 Jan 2007, Posts: 768, Location: %HomePath%)
Posted: Thu Jul 31, 2008 2:34 am
Break on __vbaStrCmp for the serials; patch: 0x00403416 - NOP it
athiwatc (Advanced Cheater, Reputation: 0, Joined: 22 Sep 2007, Posts: 58)
Posted: Thu Jul 31, 2008 4:06 am
This is very easy.
I changed 00403467 to JPE SHORT 0040341E, that's it ^ ^ Have a nice day.
&Vage (Grandmaster Cheater Supreme, Reputation: 0, Joined: 25 Jul 2008, Posts: 1053)
Posted: Thu Jul 31, 2008 11:01 am
I might be wrong, I know nothing about cracking.
This is not a crackme, it's a keygen.
Routine:
Code:
004032D0 > 55 PUSH EBP
004032D1 . 8BEC MOV EBP,ESP
004032D3 . 83EC 0C SUB ESP,0C
004032D6 . 68 56114000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
004032DB . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004032E1 . 50 PUSH EAX
004032E2 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
004032E9 . 81EC BC000000 SUB ESP,0BC
004032EF . 53 PUSH EBX
004032F0 . 56 PUSH ESI
004032F1 . 57 PUSH EDI
004032F2 . 8965 F4 MOV DWORD PTR SS:[EBP-C],ESP
004032F5 . C745 F8 081140>MOV DWORD PTR SS:[EBP-8],Crack_me.004011>
004032FC . 33DB XOR EBX,EBX
004032FE . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00403301 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00403304 . 57 PUSH EDI
00403305 . 8B07 MOV EAX,DWORD PTR DS:[EDI]
00403307 . FF50 04 CALL DWORD PTR DS:[EAX+4]
0040330A . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C]
0040330D . 57 PUSH EDI
0040330E . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
00403311 . 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
00403314 . 8919 MOV DWORD PTR DS:[ECX],EBX
00403316 . 8B17 MOV EDX,DWORD PTR DS:[EDI]
00403318 . 895D D4 MOV DWORD PTR SS:[EBP-2C],EBX
0040331B . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0040331E . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
00403321 . 895D BC MOV DWORD PTR SS:[EBP-44],EBX
00403324 . 895D AC MOV DWORD PTR SS:[EBP-54],EBX
00403327 . 895D 9C MOV DWORD PTR SS:[EBP-64],EBX
0040332A . 895D 8C MOV DWORD PTR SS:[EBP-74],EBX
0040332D . 899D 7CFFFFFF MOV DWORD PTR SS:[EBP-84],EBX
00403333 . FF92 1C030000 CALL DWORD PTR DS:[EDX+31C]
00403339 . 50 PUSH EAX
0040333A . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0040333D . 50 PUSH EAX
0040333E . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
00403344 . 8BF0 MOV ESI,EAX
00403346 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00403349 . 52 PUSH EDX
0040334A . 56 PUSH ESI
0040334B . 8B0E MOV ECX,DWORD PTR DS:[ESI]
0040334D . FF91 A0000000 CALL DWORD PTR DS:[ECX+A0]
00403353 . 3BC3 CMP EAX,EBX
00403355 . DBE2 FCLEX
00403357 . 7D 12 JGE SHORT Crack_me.0040336B
00403359 . 68 A0000000 PUSH 0A0
0040335E . 68 0C1B4000 PUSH Crack_me.00401B0C
00403363 . 56 PUSH ESI
00403364 . 50 PUSH EAX
00403365 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
0040336B > 8B07 MOV EAX,DWORD PTR DS:[EDI]
0040336D . 57 PUSH EDI
0040336E . FF90 20030000 CALL DWORD PTR DS:[EAX+320]
00403374 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00403377 . 50 PUSH EAX
00403378 . 51 PUSH ECX
00403379 . FF15 44104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>; MSVBVM60.__vbaObjSet
0040337F . 8BF0 MOV ESI,EAX
00403381 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00403384 . 50 PUSH EAX
00403385 . 56 PUSH ESI
00403386 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
00403388 . FF92 A0000000 CALL DWORD PTR DS:[EDX+A0]
0040338E . 3BC3 CMP EAX,EBX
00403390 . DBE2 FCLEX
00403392 . 7D 12 JGE SHORT Crack_me.004033A6
00403394 . 68 A0000000 PUSH 0A0
00403399 . 68 0C1B4000 PUSH Crack_me.00401B0C
0040339E . 56 PUSH ESI
0040339F . 50 PUSH EAX
004033A0 . FF15 30104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>; MSVBVM60.__vbaHresultCheckObj
004033A6 > 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
004033A9 . 8B57 38 MOV EDX,DWORD PTR DS:[EDI+38]
004033AC . 51 PUSH ECX
004033AD . 52 PUSH EDX
This checks the textbox1
Code:
004033AE . FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004033B4 . 8B4F 34 MOV ECX,DWORD PTR DS:[EDI+34]
004033B7 . 8BF0 MOV ESI,EAX
004033B9 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
004033BC . F7DE NEG ESI
004033BE . 1BF6 SBB ESI,ESI
004033C0 . 50 PUSH EAX
004033C1 . 46 INC ESI
004033C2 . 51 PUSH ECX
004033C3 . F7DE NEG ESI
This checks the textbox2
Code:
004033C5 . FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004033CB . F7D8 NEG EAX
004033CD . 1BC0 SBB EAX,EAX
004033CF . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004033D2 . 40 INC EAX
004033D3 . 52 PUSH EDX
004033D4 . F7D8 NEG EAX
004033D6 . 23F0 AND ESI,EAX
004033D8 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004033DB . 50 PUSH EAX
004033DC . 6A 02 PUSH 2
This checks the value of whatever you did in the last checking routine
Code:
00403401 . 66:3BF3 CMP SI,BX
Basically I'm not good with 16 byte registers.... I can tell you that
Code:
004033B4 . 8B4F 34 MOV ECX,DWORD PTR DS:[EDI+34]
004033B7 . 8BF0 MOV ESI,EAX
004033B9 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
004033BC . F7DE NEG ESI
004033BE . 1BF6 SBB ESI,ESI
004033C0 . 50 PUSH EAX
004033C1 . 46 INC ESI
004033C2 . 51 PUSH ECX
004033C3 . F7DE NEG ESI
This part intrigues me. This sets the value for the register SI. Register BX must be 0 O_O...
Anyways....
John Doe
59kp6 66io
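The four instructions after each __vbaStrCmp call (NEG / SBB reg,reg / INC / NEG) are the idiom the VB6 compiler emits to turn a comparison result into a VB Boolean (-1 for True, 0 for False), and the AND ESI,EAX at 004033D6 followed by CMP SI,BX at 00403401 (with EBX zeroed earlier at 004032FC) is how the two textbox checks are combined. The C below is an added illustration of what those instructions compute, not code from the thread or from the crackme; it steps through the sequence the way the CPU does, uses strcmp as a stand-in for __vbaStrCmp (both return 0 for equal strings), and the expected strings it compares against are constructed placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models NEG r / SBB r,r / INC r / NEG r applied to the value __vbaStrCmp
 * returned in EAX. Result: 0xFFFFFFFF (VB True) when the strings were equal
 * (cmp_result == 0), 0 (VB False) otherwise. */
uint32_t vb_bool_from_strcmp(int32_t cmp_result)
{
    uint32_t r = (uint32_t)cmp_result;
    uint32_t cf = (r != 0);     /* NEG r sets CF exactly when the operand was non-zero */
    r = 0u - r;                 /* NEG r */
    r = (r - r) - cf;           /* SBB r,r: r - r - CF = -CF, so 0xFFFFFFFF or 0 */
    r = r + 1;                  /* INC r: 1 if cmp was 0, else 0 */
    r = 0u - r;                 /* NEG r: 0xFFFFFFFF if cmp was 0, else 0 */
    return r;
}

/* Combines the two textbox results the way the listing does: AND ESI,EAX,
 * then CMP SI,BX with BX == 0. Returns 1 when both compares matched
 * (SI is non-zero), 0 when either failed. strcmp stands in for __vbaStrCmp. */
int both_checks_pass(const char *entered1, const char *expected1,
                     const char *entered2, const char *expected2)
{
    uint32_t esi = vb_bool_from_strcmp((int32_t)strcmp(expected1, entered1)); /* textbox1 */
    uint32_t eax = vb_bool_from_strcmp((int32_t)strcmp(expected2, entered2)); /* textbox2 */
    uint32_t ebx = 0;                      /* XOR EBX,EBX at 004032FC */
    esi &= eax;                            /* AND ESI,EAX */
    uint16_t si = (uint16_t)esi;           /* CMP SI,BX looks only at the low 16 bits */
    uint16_t bx = (uint16_t)ebx;
    return si != bx;
}

int main(void)
{
    /* Constructed placeholder values; they are not the crackme's real serials. */
    const char *expected1 = "EXPECTED-PART-1";
    const char *expected2 = "EXPECTED-PART-2";

    printf("strcmp == 0  -> VB Boolean 0x%08X\n", vb_bool_from_strcmp(0));
    printf("strcmp != 0  -> VB Boolean 0x%08X\n", vb_bool_from_strcmp(1));
    printf("both match   -> %d\n", both_checks_pass(expected1, expected1, expected2, expected2));
    printf("second wrong -> %d\n", both_checks_pass(expected1, expected1, "nope", expected2));
    return 0;
}
```

The SBB reg,reg trick is what makes the sequence branch-free: after NEG sets the carry, subtracting a register from itself with borrow yields either all ones or zero, and the INC/NEG pair then inverts that mask, which is why a matched string ends up as -1 rather than 0. When reading the listing, this means SI is non-zero only if both __vbaStrCmp calls returned 0, so the CMP SI,BX that &Vage points at is effectively "did both textboxes match".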
sponge (I'm a spammer, Reputation: 1, Joined: 07 Nov 2006, Posts: 6009)
Posted: Thu Jul 31, 2008 11:49 am
It's key phishing.
athiwatc (Advanced Cheater, Reputation: 0, Joined: 22 Sep 2007, Posts: 58)
Posted: Thu Jul 31, 2008 11:40 pm
Lol, he did not ask for a patch.
You know no one is going to sit there for an hour and start decrypting your code??
It's very long and it always changes, so there will be no text serial and you need to make a keygen, which I will not ^ ^ (In the real world, in this case a patch will work best!!! Guess so, am still a noob.)
athiwatc (Advanced Cheater, Reputation: 0, Joined: 22 Sep 2007, Posts: 58)
Posted: Fri Aug 01, 2008 12:13 am
You're also a noob ^ ^
hcavolsdsadgadsg (I'm a spammer, Reputation: 26, Joined: 11 Jun 2007, Posts: 5801)
Posted: Fri Aug 01, 2008 3:19 am
Well, that was easy.
Just breakpoint 004033B7 and you'll find the first part of your serial in ECX and the second in EDX.
vbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpadfadfaafd
rapion124 (Grandmaster Cheater Supreme, Reputation: 0, Joined: 25 Mar 2007, Posts: 1095)
Posted: Fri Aug 08, 2008 7:43 am
In the real world, keygens > patches. What if the program does an integrity check on itself? The modified byte(s) would be detectable.
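The self-check rapion124 describes is simple to build: hash the bytes of the code you want to protect at build time, store the digest somewhere outside the hashed range, and recompute at run time. The C below is an added example of that mechanism and is not code from the thread or from the crackme; the "code section" is a constructed byte array made from the opcode bytes visible in the listing (the routine's prologue plus the JGE at 00403357, 7D 12), the patch it simulates is that two-byte jump overwritten with NOPs (90 90), and 32-bit FNV-1a is used only because it fits in a few lines (a real self-check would use a cryptographic hash and would itself need protecting from the kind of patching zeroc0de mentions below).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a over a byte range (offset basis 0x811c9dc5, prime 0x01000193). */
uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the image still hashes to the stored reference, 0 otherwise. */
int image_intact(const uint8_t *image, size_t len, uint32_t reference)
{
    return fnv1a32(image, len) == reference;
}

/* Constructed sample "code section": opcode bytes of the prologue as shown in
 * the listing (PUSH EBP ... PUSH EAX), followed by the JGE SHORT at 00403357. */
static const uint8_t pristine_image[] = {
    0x55,                               /* PUSH EBP */
    0x8B, 0xEC,                         /* MOV EBP,ESP */
    0x83, 0xEC, 0x0C,                   /* SUB ESP,0C */
    0x68, 0x56, 0x11, 0x40, 0x00,       /* PUSH 00401156 */
    0x64, 0xA1, 0x00, 0x00, 0x00, 0x00, /* MOV EAX,FS:[0] */
    0x50,                               /* PUSH EAX */
    0x7D, 0x12                          /* JGE SHORT +12 (the conditional check) */
};
#define IMAGE_LEN (sizeof pristine_image)

/* Produces the same image after the two-byte conditional jump has been replaced
 * with NOPs, i.e. the kind of modification an integrity check is meant to catch.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t make_patched_copy(uint8_t *out, size_t outlen)
{
    if (outlen < IMAGE_LEN) return 0;
    memcpy(out, pristine_image, IMAGE_LEN);
    out[IMAGE_LEN - 2] = 0x90;
    out[IMAGE_LEN - 1] = 0x90;
    return IMAGE_LEN;
}

/* Runs the check against both images. Returns 1 when the pristine image passes
 * and the patched one fails, which is the behaviour a self-check should give. */
int demo_detects_patch(void)
{
    /* In a real binary this value is computed at build time and stored outside
     * the hashed range; here it is computed from the constructed image. */
    uint32_t reference = fnv1a32(pristine_image, IMAGE_LEN);
    uint8_t patched[sizeof pristine_image];
    if (make_patched_copy(patched, sizeof patched) != IMAGE_LEN) return 0;

    int ok_pristine = image_intact(pristine_image, IMAGE_LEN, reference);
    int ok_patched  = image_intact(patched, IMAGE_LEN, reference);
    return ok_pristine == 1 && ok_patched == 0;
}

int main(void)
{
    printf("reference digest: 0x%08X\n", fnv1a32(pristine_image, IMAGE_LEN));
    printf("patched image detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

The point of the example is the one rapion124 makes: any byte-level patch, including a single NOPed jump, changes the digest, so a program that re-hashes its own code can notice it. The weak spots are also visible in the code: the reference value and the checking routine are themselves bytes in the binary, so they must be kept out of reach of the same modification or the check can be bypassed along with the jump.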
lolOkayBailolOkayBailolOk (Master Cheater, Reputation: 1, Joined: 23 Jun 2007, Posts: 307)
Posted: Fri Aug 08, 2008 1:49 pm
slovach wrote:
> Well, that was easy.
> Just breakpoint 004033B7 and you'll find the first part of your serial in ECX and the second in EDX.
> vbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpadfadfaafd
Uhh, sorry, but I am a noob at crackme ollying; how did you get to the address 004033B7 and conclude that ECX and EDX would hold the values?
hcavolsdsadgadsg (I'm a spammer, Reputation: 26, Joined: 11 Jun 2007, Posts: 5801)
Posted: Fri Aug 08, 2008 1:57 pm
ColdBlade wrote:
> slovach wrote:
> > Well, that was easy.
> > Just breakpoint 004033B7 and you'll find the first part of your serial in ECX and the second in EDX.
> > vbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpvbastrcmpadfadfaafd
> Uhh, sorry, but I am a noob at crackme ollying; how did you get to the address 004033B7 and conclude that ECX and EDX would hold the values?
Just breakpoint vbastrcmp and follow it.
Overload (Master Cheater, Reputation: 0, Joined: 08 Feb 2008, Posts: 293)
Posted: Sat Aug 09, 2008 2:20 pm
Name: Overload
Serial 1: 182fs
Serial 2: 455pw6
Piece of cake.
iBot (Cheater, Reputation: 0, Joined: 12 Sep 2007, Posts: 42)
Posted: Sun Aug 24, 2008 7:10 pm
I'll try it.
zeroc0de (Cheater, Reputation: 0, Joined: 31 Aug 2008, Posts: 32)
Posted: Tue Sep 02, 2008 8:00 pm
rapion124 wrote:
> In the real world, keygens > patches. What if the program does an integrity check on itself? The modified byte(s) would be detectable.
Then you just patch the integrity check.