nog_lorp Grandmaster Cheater Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Fri Dec 19, 2008 1:00 am Post subject: Get the password crap.
The drill:
No point in patching, brute forcing is for bitches.
Get the password - it is a little harder than a plain text comparison, but easier than getting the password from an md5 hash.
Enjoy,
~nog_lorp
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
&Vage Grandmaster Cheater Supreme Reputation: 0
Joined: 25 Jul 2008 Posts: 1053
Posted: Fri Dec 19, 2008 10:45 am
Will my penis satisfy your asshole?
"aabbbbbb"
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Fri Dec 19, 2008 10:51 am
abcdefg
If it begins with a then it's always right.
nog_lorp Grandmaster Cheater Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Fri Dec 19, 2008 1:58 pm
No, the "I've had better" message is the fail message.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
armakapo Newbie cheater Reputation: 0
Joined: 12 Jul 2007 Posts: 19
Posted: Sun Dec 21, 2008 9:49 pm
how can you get the pass? i have no clue D: i didn't find anything with ollydbg, what can i try next?
_________________
KONOHA SENPUU!
nog_lorp Grandmaster Cheater Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Sun Dec 21, 2008 10:52 pm
The plain text password isn't contained in the program. You have to figure out how the algorithm works.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
armakapo Newbie cheater Reputation: 0
Joined: 12 Jul 2007 Posts: 19
Posted: Sun Dec 21, 2008 11:10 pm
hmm the thing is ... i don't have any idea on what to do xD i know some c++ and that's it xD
do i need to learn some ollydbg or some kind of language to crack those things? i just don't know how to start to crack xD any guide or very simple crackme appreciated ^^
_________________
KONOHA SENPUU!
nog_lorp Grandmaster Cheater Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Mon Dec 22, 2008 12:14 am
Reverse engineering. Trace through with ollydbg and/or IDA pro. I would definitely not recommend this one at all. It is written in C though FYI.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
armakapo Newbie cheater Reputation: 0
Joined: 12 Jul 2007 Posts: 19
Posted: Mon Dec 22, 2008 12:51 am
well i have just learnt some basics of ollydbg with few vb basic examples.
i give up on this, i got no clue how to do it.
_________________
KONOHA SENPUU!
Reak I post too much Reputation: 0
Joined: 15 May 2007 Posts: 3496
Posted: Mon Dec 22, 2008 4:56 am
Code:
ASCII "Insert password into passhole (8 characters, a-p only):"
ASCII "That password was soooooo good!"
ASCII "My passhole only accepts pure a-p passwords, not dirty ethnic passwords."
ASCII "Your password is too big/too smal to satisfy my passhole!"
ASCII "That password was ok, but I've had better."
ASCII "WTF That's the wrong hole!"
Ok which of these messages am I supposed to get if the password is correct?
sponge cake recipe Grandmaster Cheater Supreme Reputation: 22
Joined: 24 Sep 2007 Posts: 1635
Posted: Mon Dec 22, 2008 5:03 am
I'm guessing
Code:
ASCII "That password was soooooo good!"
blackmorpheus Expert Cheater Reputation: 0
Joined: 05 Apr 2008 Posts: 159
Posted: Mon Dec 22, 2008 6:37 am
nop the JE at 004017CD for stupid plain patching.
otherwise, look at the algorithm at 00401707.
The algorithm is pretty hard, it depends only on the first four letters i think.
and SHL EDX,4 means EDX = EDX * 16 right?
sponge I'm a spammer Reputation: 1
Joined: 07 Nov 2006 Posts: 6009
Posted: Mon Dec 22, 2008 1:22 pm
blackmorpheus wrote:
    otherwise, look at the algorithm at 00401707.
    The algorithm is pretty hard, it depends only on the first four letters i think.
    and SHL EDX,4 means EDX = EDX * 16 right?
Code:
00401707 |> /0FBE144E /MOVSX EDX,BYTE PTR DS:[ESI+ECX*2] ; Which Hole Routine (aaaaaaaa)
0040170B |. |0FB6444E 01 |MOVZX EAX,BYTE PTR DS:[ESI+ECX*2+1]
00401710 |. |83EA 61 |SUB EDX,61
00401713 |. |C1E2 04 |SHL EDX,4
00401716 |. |2C 61 |SUB AL,61
00401718 |. |08D0 |OR AL,DL
0040171A |. |8881 70704000 |MOV BYTE PTR DS:[ECX+407070],AL
00401720 |. |41 |INC ECX
00401721 |. |83F9 03 |CMP ECX,3
00401724 |.^\7E E1 \JLE SHORT crackme.00401707
00401726 |. 8B15 70704000 MOV EDX,DWORD PTR DS:[407070]
0040172C |. 85D2 TEST EDX,EDX
0040172E |. 0F84 F3000000 JE crackme.00401827 ; endr
AKA this part doesn't really matter. Except for the part where it converts the 8 letters into a dword.
examplestring wrote:
    abcdefgh -> ghefcdab (ASCII - 61) -> 67452301.
The shl edx, 4 just shifts all the nibbles to the left. Meaning the lowest nibble will be zero after the operation. You shouldn't care about the flag change though. Endian change. =)
Anyways, I haven't gotten much farther than that because of sleep deprivation. I only remember stepping through the strange offset storing loop. (Stored offsets like 7xxh times.) I'll work on it later.
nog_lorp Grandmaster Cheater Reputation: 0
Joined: 26 Feb 2006 Posts: 743
Posted: Mon Dec 22, 2008 2:03 pm
Good work. The wrong hole message is because aaaaaaaa tokenizes to 0 in my algorithm, which causes a division by 0 later.
Just FYI, a rundown of the messages:
ASCII "Insert password into passhole (8 characters, a-p only):"
--Password prompt
ASCII "That password was soooooo good!"
--Correct password
ASCII "My passhole only accepts pure a-p passwords, not dirty ethnic passwords."
--Password contained invalid characters
ASCII "Your password is too big/too smal to satisfy my passhole!"
--Password was not 8 characters.
ASCII "That password was ok, but I've had better."
--Password was incorrect (my bad, this was rather ambiguous).
ASCII "WTF That's the wrong hole!"
--You put in a password of "aaaaaaaa" you hoe.
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish
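The tokenizer that sponge disassembled at 00401707 and the message rundown in this post, written out as plain C. This is an added example, my own code and not the crackme's source: the pw_status names, the validation order and the sample passwords are assumptions; the nibble packing, the little-endian read-back of the four bytes and the zero check (TEST EDX,EDX / JE) follow the listing. SHL EDX,4 is a multiply by 16, which is what moves the first letter's value into the high nibble of each byte, so "abcdefgh" packs to the bytes 01 23 45 67 and reads back as the dword 0x67452301, exactly the value quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes matching the crackme's messages; the enum names are my own. */
enum pw_status {
    PW_OK = 0,       /* tokenized to a non-zero dword, the real check would continue */
    PW_BAD_LENGTH,   /* "too big/too smal": not exactly 8 characters */
    PW_BAD_CHARS,    /* "not dirty ethnic": a character outside a-p */
    PW_WRONG_HOLE    /* "wrong hole": token is 0, e.g. "aaaaaaaa" */
};

/* C equivalent of the loop at 00401707-00401724: every pair of letters
 * becomes one byte ((first - 'a') << 4) | (second - 'a'), written to
 * buf[i] for i = 0..3. Call only with a validated 8-character a-p string. */
static uint32_t pack_token(const char *pw)
{
    uint8_t buf[4];
    for (int i = 0; i < 4; i++) {
        uint8_t hi = (uint8_t)((pw[2 * i] - 'a') << 4);   /* MOVSX / SUB EDX,61 / SHL EDX,4 */
        uint8_t lo = (uint8_t)(pw[2 * i + 1] - 'a');       /* MOVZX / SUB AL,61 */
        buf[i] = hi | lo;                                  /* OR AL,DL; MOV [ECX+407070],AL */
    }
    /* MOV EDX, DWORD PTR [407070]: x86 is little-endian, so buf[0] is the
     * lowest byte; "abcdefgh" therefore reads back as 0x67452301. */
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
         | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Validate the way the message list implies (length, then character set),
 * then tokenize and apply the TEST EDX,EDX / JE check that rejects a zero
 * token before the later division can divide by it. */
enum pw_status tokenize_password(const char *pw, uint32_t *token)
{
    if (strlen(pw) != 8)
        return PW_BAD_LENGTH;
    for (int i = 0; i < 8; i++)
        if (pw[i] < 'a' || pw[i] > 'p')
            return PW_BAD_CHARS;
    *token = pack_token(pw);
    return *token == 0 ? PW_WRONG_HOLE : PW_OK;
}

/* Small wrappers so each result can be checked by itself. */
enum pw_status classify_password(const char *pw)
{
    uint32_t t;
    return tokenize_password(pw, &t);
}

uint32_t password_token(const char *pw)
{
    uint32_t t = 0;
    return tokenize_password(pw, &t) == PW_OK ? t : 0;
}

int main(void)
{
    /* Constructed samples: the thread's own guesses plus one bad length and one bad character. */
    const char *samples[] = { "abcdefgh", "aabbbbbb", "aaaaaaaa", "abcdefg", "abcdefgq" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t t = 0;
        enum pw_status s = tokenize_password(samples[i], &t);
        printf("%-9s status=%d token=0x%08x\n", samples[i], (int)s, t);
    }
    return 0;
}
```

Running it shows why "aaaaaaaa" is special: every letter maps to 0, so all four bytes are 0 and the dword is 0, which is the one value the JE at 0040172E diverts to the "wrong hole" message. Any other valid a-p string gives a non-zero token and proceeds into the rest of the algorithm, which this example does not cover.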