Cheat Engine Forum Index -> Cheat Engine
Hax0r this !
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

PostPosted: Wed Dec 06, 2006 10:32 am    Post subject: Hax0r this !

"From Uligor with love". One and the same crack_me, naked and crypted (for the passionate). Try to find the pass! (And as an extra, rip the packer and its protection.)


(The 'zip' attachment is not displayed: the extension was deactivated by a board admin.)

dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 10:36 am

MUAHAHA, where is it? :D
_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
Uligor
Grandmaster Cheater
Reputation: 0

Joined: 21 Jan 2006
Posts: 956

PostPosted: Wed Dec 06, 2006 10:37 am

I had that problem too; refresh the page and you'll see it.
You need to FIND the pass, btw, and then post/PM it.

SXGuy
I post too much
Reputation: 0

Joined: 19 Sep 2006
Posts: 3551

PostPosted: Wed Dec 06, 2006 10:44 am

lol, found a counter address I think; well, it increased by 2 every time you put in a password that was too short, but then I dunno what I'm doing, so I've given up :)
_________________
Proud member of "The DACEF" (Destruction Against Criminal Egotistical Forces)

Sign up today and receive your free "I Hate x0r Badge"
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

PostPosted: Wed Dec 06, 2006 10:47 am

I'm fighting with the packer here. I'm just ignoring the pass finding for now ;)

* EDIT *

Unpacked. Enjoy !



(The 'rar' attachment is not displayed: the extension was deactivated by a board admin.)

dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 11:41 am

OK, I got the pass:

E1 D6 5F 2D 6C 31 A0 97

cheers ;)

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
Uligor
Grandmaster Cheater
Reputation: 0

Joined: 21 Jan 2006
Posts: 956

PostPosted: Wed Dec 06, 2006 11:55 am

The key you put in is not E1 D6 5F 2D 6C 31 A0 97. :)
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

PostPosted: Wed Dec 06, 2006 12:03 pm

@dezuzi:

- you forgot about the null key » 00
- you also forgot about how push/pop work

The key (encrypted, of course; you forgot that too :)) is:

0097A0316C2D5FD6E1
dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 12:14 pm

I input some text, 8 bytes.
The 8 bytes are encrypted, then compared to E1 D6 5F 2D 6C 31 A0 97,
4 bytes at a time. What do you expect me to tell you?
The encryption is easy; let me get back in there and explain.

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
Uligor
Grandmaster Cheater
Reputation: 0

Joined: 21 Jan 2006
Posts: 956

PostPosted: Wed Dec 06, 2006 12:18 pm

dezuzi wrote:
> I input some text, 8 bytes.
> The 8 bytes are encrypted, then compared to E1 D6 5F 2D 6C 31 A0 97,
> 4 bytes at a time. What do you expect me to tell you?
> The encryption is easy; let me get back in there and explain.

I could make it a simple hash, but you people would never crack it. :)
If it's such a simple encryption, why don't you decrypt it? :O

dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 1:02 pm

OK.. maybe it's a time-taking encryption and I don't exactly feel like reversing the process for the encrypted password :P

So I will explain how I'd have done it.

First off, the text I put in is encrypted first, for example:

aaaabbbb

The first 4 bytes (aaaa) are xor'd with 112685ff (ff852611),
then that is rotated eight bits left three times,
then it's xor'd again with 22840861 (61088422).

The 4 bytes after that (bbbb) are xor'd with bdaf3812 (1238afbd),
then rotated eight bits right seven times,
then xor'd with 22840861 (61088422).

All I'd have to do to reverse the encrypted password (E1D65F2D 6C31A097) is xor it with 22840861 (61088422),
rotate the first 4 bytes right 3 times, and xor it with 112685ff (ff852611),
and the other 4.. etc., you get my point.

I don't really feel like doing that, but I think I've pretty much "explained" your encryption :)

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..


Last edited by dezuzi on Wed Dec 06, 2006 1:05 pm; edited 1 time in total
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

PostPosted: Wed Dec 06, 2006 1:03 pm

If you want to do a nice job, do it till the end. Even a donkey can see that it's 4 bytes at a time, but that's not what matters. The encrypted text is pushed to the stack as: E1 D6 5F 2D 6C 31 A0 97 00 and popped backwards. But yeah, go ahead, and explain to me how you break it ;)

I'm more than interested. Make sure this time you "spoil" my fun :)

P.S.: There are 3 keys :)
dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 1:19 pm

Screw it, there's a boundary to how far I'm willing to mess around with hackmes. I'm not bothering; I already said how the input is encrypted and don't feel like wasting my time converting the password back through a million jumps and calls. And btw, E1 D6 5F 2D 6C 31 A0 97 is static, because the password is static.

Quote SunBeam: "The encrypted text is pushed to the stack as : E1 D6 5F 2D 6C 31 A0 97 00 and pop-ed backwards." I hope you mean the password with that, and not the actual typed-in text.

I'm sorry I can't supply you with the clean ASCII format of the password; however, this hackme was fun, you should make more :)

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
SunBeam
I post too much
Reputation: 65

Joined: 25 Feb 2005
Posts: 4023
Location: Romania

PostPosted: Wed Dec 06, 2006 1:32 pm

Yeah, I was referring to the password, which is text, not numbers ;) These are always fun and nifty to mess around with. Your idea to revert that algorithm is not bad. Add more to it, and apply it right after the check call and before the "bad_boy" jump ;) You might get the clean text (XOR, ROR, ROL, MOV to static ;))
dezuzi
Expert Cheater
Reputation: 0

Joined: 09 Aug 2006
Posts: 146
Location: In your washing machine

PostPosted: Wed Dec 06, 2006 6:06 pm

Mmm, I gave it another try; this is what I got, but it doesn't seem to work.

This is the reversed version in my eyes; the way it works might have boggled my mind and made me not see the real way it works, but here it is :)

Input is: "aaaabbbb"


[code]
mov [00332640],E1D65F2D        // store the target's first dword at the aaaa location
mov [00332670],6C31A097        // store the target's second dword at the bbbb location
mov esi,[00410008]             // 75DFB44F
rol esi,05                     // rotate left 5 (the original does ror esi,05 here, which gives 7BAEFDA2)
mov ecx,ff852611               // same value as mov ecx,[00410000]
ror ecx,06                     // rotate right 6 (the original does rol ecx,06 here)
and ecx,esi                    // ecx becomes the third key
mov ebx,00332670
mov eax,00332640
xor [ebx],ecx                  // xor the bbbb dword with ecx
xor [eax],ecx                  // xor the aaaa dword with ecx
not byte ptr [ebx]             // complement the first byte of bbbb
xor edi,edi                    // edi = 0 (byte counter)
mov eax,00332640
mov ebx,00332670
dec eax
dec ebx
lewp:
inc eax                        // next byte of aaaa (the first pass restores the original address)
inc ebx                        // next byte of bbbb
ror byte ptr [eax],03          // rotate this byte of aaaa right by 3 bits (undoes the original's rol 3)
rol byte ptr [ebx],07          // rotate this byte of bbbb left by 7 bits (undoes the original's ror 7)
inc edi                        // count until all 4 bytes are done
cmp edi,04
jnge lewp                      // not done yet: back to the rotates
mov eax,00332640               // aaaa location
mov ebx,00332670               // bbbb location
mov ecx,FF852611               // [00410000]
mov edx,1238AFBD               // [00410004]
xor [eax],ecx                  // aaaa dword ^= FF852611
xor [ebx],edx                  // bbbb dword ^= 1238AFBD
[/code]

original:
[code]
xor [eax],ecx                  // eax = aaaa location, ecx = FF852611
xor [ebx],edx                  // ebx = bbbb location, edx = 1238AFBD
dec eax
dec ebx
xor edi,edi                    // edi = 0 (byte counter)
inc eax                        // next byte of aaaa (the jnge below loops back here)
inc ebx                        // next byte of bbbb
rol byte ptr [eax],03          // rotate this byte of aaaa left by 3 bits
ror byte ptr [ebx],07          // rotate this byte of bbbb right by 7 bits
inc edi                        // count until all 4 bytes are done
cmp edi,04
jnge 00401141                  // not done yet: back to the rotates
mov eax,[ebp-10]               // reload the aaaa pointer
mov ebx,[ebp-18]               // reload the bbbb pointer
not byte ptr [ebx]             // complement the first byte of bbbb
mov esi,[00410008]             // 75DFB44F
ror esi,05                     // turns esi into 7BAEFDA2
rol ecx,06                     // ecx still holds ff852611 from mov ecx,[00410000]
and ecx,esi                    // ecx = rol(ff852611,6) & ror(75DFB44F,5) = 61088422, the third key
xor [ebx],ecx                  // bbbb dword ^= ecx
xor [eax],ecx                  // aaaa dword ^= ecx
[/code]

I tried my best. The fact that the password is static and pushed onto the stack using pushes makes me confused, since there is no real encryption process for the password; it's already embedded into it encrypted.

So how could I be sure at all that the password was made the same way the text I type is generated? :)

_________________
Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.
Dynamic memory is my playground..
Page 1 of 2
All times are GMT - 6 Hours