Cheat Engine - The Official Site of Cheat Engine

Thread: Crackme Lv. Advanced
DeletedUser14087 (I post too much) - Reputation: 2 - Joined: 21 Jun 2006 - Posts: 3069
Posted: Tue Jul 24, 2007 2:59 am    Post subject: Crackme Lv. Advanced
This crackme is advanced, using Delphi ASM too, and will generate random digits in a specific box that you'll need to NOP.
Good luck!

And remember, the password will change within the time! Start searching for timers.
DeletedUser14087 (I post too much) - Reputation: 2 - Joined: 21 Jun 2006 - Posts: 3069
Posted: Tue Jul 24, 2007 3:26 am
> x0r wrote:
> NOP it.
> Code:
> 00451C21     /75 11         JNZ     SHORT CrackMe.00451C34
>
> fag.

Damn you x0r, you owned my crackme.
LinuXL0ver (Master Cheater) - Reputation: 0 - Joined: 22 Nov 2006 - Posts: 368 - Location: Toronto
Posted: Tue Jul 24, 2007 3:26 am
> x0r wrote:
> NOP it.
> Code:
> 00451C21     /75 11         JNZ     SHORT CrackMe.00451C34
>
> fag.

fag?
xlcs (Grandmaster Cheater) - Reputation: 0 - Joined: 14 Nov 2006 - Posts: 945
Posted: Tue Jul 24, 2007 3:30 am
<Irwin> F8lXZ-UG9LT-K1
haha01haha01 (Grandmaster Cheater Supreme) - Reputation: 0 - Joined: 15 Jun 2007 - Posts: 1233 - Location: http://www.SaviourFagFails.com/
Posted: Tue Jul 24, 2007 6:04 am
wow kaspersky 3 crackmes in 1 day i really appreciate this!! thx ill rep u when ill be able to
stage 1 completed: protection cracked.
stage 2 completed: crackme patched.
stage 3 completed: understood ur code.
actually the way ur code works is, it's built out of 4 parts.
first, second, third parts check every part of the pass and if the pass isnt matching what it needs to, they jump to line 1 in my example:

Code:
line 1: jmp line 3
line 2: mov al,1
line 3: cmp al,1
line 4: jnz (the part that mentions ur wrong)
line 5: u cracked me

means we must NOT get to line 1.
but every part checks the password and if the entered pass is not equal to the real pass it jumps to line 1. if u pass all the checks without jumping to line 1, then the line b4 line 1 will jump to line 2.

stage 4 completed: password found. once u find the way ur code works its easy... set a BP on the calls and check the ASCII pointed to by eax.

btw prolly all of u know how to do this stuff... im doing this cause sometimes noobies check the forum and they wanna know how to crack crackmes... thats how i learned to crack... i once entered this forum and some1 did a "log" on how he cracked the crackme
oib111 (I post too much) - Reputation: 0 - Joined: 02 Apr 2007 - Posts: 2947 - Location: you wanna know why?
Posted: Tue Jul 24, 2007 7:31 am
Hey, can you give me that log, I really suck at cracking crackmes.
_________________
> 8D wrote:
> cigs dont make people high, which weed does, which causes them to do bad stuff. like killing
UnLmtD (Grandmaster Cheater) - Reputation: 0 - Joined: 13 Mar 2007 - Posts: 894 - Location: Canada
Posted: Tue Jul 24, 2007 7:41 am
Generating a random number each time is a lame idea, at least if you used an algorithm. Also you should add some anti-debugger tricks; for starters you may want to use IsDebuggerPresent(). Even though it's easily bypassed, it's going to be a challenge for others. And perhaps maybe detect breakpoints (0xCC).
haha01haha01 (Grandmaster Cheater Supreme) - Reputation: 0 - Joined: 15 Jun 2007 - Posts: 1233 - Location: http://www.SaviourFagFails.com/
Posted: Tue Jul 24, 2007 7:43 am
> oib111 wrote:
> Hey, can you give me that log, I really suck at cracking crackmes.

go to here, download the crackme, go to the second page; the first post on the 2nd page is the log that was my first cracking way.
understand this, and ull be able to crack crackmes (btw if u wanna know how to see the stack, u look at ollydbg under the left upper window, theres a line with the stack)
oib111 (I post too much) - Reputation: 0 - Joined: 02 Apr 2007 - Posts: 2947 - Location: you wanna know why?
Posted: Tue Jul 24, 2007 8:00 am
Uh, I couldn't find it. The first post on the second page was only a crackme, and no1 posted a log on there on how they did it. Could you just give me the link...?
DeletedUser14087 (I post too much) - Reputation: 2 - Joined: 21 Jun 2006 - Posts: 3069
Posted: Tue Jul 24, 2007 8:14 am
> haha01haha01 wrote:
> wow kaspersky 3 crackmes in 1 day i really appreciate this!! thx ill rep u when ill be able to
> [...]

Nice, very nice!

*Clap hands*

i really appreciate this and that you're willing to learn these, ill make more soon with "Anti-Debugger" tricks as the one above mentioned.
haha01haha01 (Grandmaster Cheater Supreme) - Reputation: 0 - Joined: 15 Jun 2007 - Posts: 1233 - Location: http://www.SaviourFagFails.com/
Posted: Tue Jul 24, 2007 10:14 am
> oib111 wrote:
> Uh, I couldn't find it. The first post on the second page was only a crackme, and no1 posted a log on there on how they did it. Could you just give me the link...?

umm ok dl the crackme, heres the instructions:
As AnonymousX said, "3455296" is the password.

Open Target in OllyDbg (or your debugger of choice).

Right Click - "Search for all referenced Text strings"

Scroll up, double click "Welcome to midnight7's crackme".

you will see;
 Code:
 004013E0  |. C74424 04 0000>MOV DWORD PTR SS:[ESP+4],CrackMe.0044000>;  ASCII "==============================
 "
 004013E8  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 004013EF  |. E8 64AD0300    CALL CrackMe.0043C158
 004013F4  |. C74424 04 2000>MOV DWORD PTR SS:[ESP+4],CrackMe.0044002>;  ASCII "Wellcom to MidNigh7's crackMe.
 "
 004013FC  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 00401403  |. E8 50AD0300    CALL CrackMe.0043C158
 00401408  |. C74424 04 0000>MOV DWORD PTR SS:[ESP+4],CrackMe.0044000>;  ASCII "==============================
 "
 00401410  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 00401417  |. E8 3CAD0300    CALL CrackMe.0043C158
 0040141C  |. C74424 04 4000>MOV DWORD PTR SS:[ESP+4],CrackMe.0044004>;  ASCII "Enter the password:
 "
 00401424  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 0040142B  |. E8 28AD0300    CALL CrackMe.0043C158
 00401430  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
 00401433  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX
 00401437  |. C70424 6034440>MOV DWORD PTR SS:[ESP],CrackMe.00443460
 0040143E  |. E8 DD6D0200    CALL CrackMe.00428220
 00401443  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
 00401446  |. 3B45 F4        CMP EAX,DWORD PTR SS:[EBP-C]
 00401449  |. 75 51          JNZ SHORT CrackMe.0040149C
 0040144B  |. C74424 04 5600>MOV DWORD PTR SS:[ESP+4],CrackMe.0044005>;  ASCII "you just cracked me.
 "
 00401453  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 0040145A  |. E8 F9AC0300    CALL CrackMe.0043C158
 0040145F  |. C74424 04 6C00>MOV DWORD PTR SS:[ESP+4],CrackMe.0044006>;  ASCII "press any key to get out.
 "
 00401467  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 0040146E  |. E8 E5AC0300    CALL CrackMe.0043C158
 00401473  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
 00401476  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX
 0040147A  |. C70424 6034440>MOV DWORD PTR SS:[ESP],CrackMe.00443460
 00401481  |. E8 9A6D0200    CALL CrackMe.00428220
 00401486  |. C74424 04 8700>MOV DWORD PTR SS:[ESP+4],CrackMe.0044008>;  ASCII "your out."
 0040148E  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 00401495  |. E8 BEAC0300    CALL CrackMe.0043C158
 0040149A  |. EB 4F          JMP SHORT CrackMe.004014EB
 0040149C  |> C74424 04 9100>MOV DWORD PTR SS:[ESP+4],CrackMe.0044009>;  ASCII "OWNAGE!! ZOMGWTFBBQ
 "
 004014A4  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 004014AB  |. E8 A8AC0300    CALL CrackMe.0043C158
 004014B0  |. C74424 04 6C00>MOV DWORD PTR SS:[ESP+4],CrackMe.0044006>;  ASCII "press any key to get out.
 "
 004014B8  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 004014BF  |. E8 94AC0300    CALL CrackMe.0043C158
 004014C4  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
 004014C7  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX
 004014CB  |. C70424 6034440>MOV DWORD PTR SS:[ESP],CrackMe.00443460
 004014D2  |. E8 496D0200    CALL CrackMe.00428220
 004014D7  |. C74424 04 8700>MOV DWORD PTR SS:[ESP+4],CrackMe.0044008>;  ASCII "your out."
 004014DF  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
 004014E6  |. E8 6DAC0300    CALL CrackMe.0043C158
 004014EB  |> B8 00000000    MOV EAX,0
 004014F0  |. C9             LEAVE
 004014F1  \. C3             RETN
 
 
It looks all rather innocent with exception to;

Code:
00401443  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
00401446  |. 3B45 F4        CMP EAX,DWORD PTR SS:[EBP-C]

Just a guess, but i would think [EBP-10] holds our entered password; it then gets stored in EAX. Now, [EBP-C] is compared against EAX, jump if not equal to the badboy message, as seen by;

Code:
00401449  |. 75 51          JNZ SHORT CrackMe.0040149C

Place a breakpoint at 401443, press F9 to run the program. Enter your password, I used "1337". Olly will break, press F8 to trace calls, stop at "CMP EAX, DWORD PTR SS:[EBP-C]" and take a look at the Stack;

Code:
Stack SS:[0022FF6C]=0034B940
EAX=00000539

I was curious to see what EAX was. I opened CALC.exe and typed 539h into the calculator then converted to decimal; fortunately for us it was "1337". Using the same logic, copy "34B940h" (h denoting hex) to CALC.exe, hit conversion to decimal, and the output is "3455296".

Open the crackme again, type this as the password and you'll be greeted with the congratulations message. Good work, cracked.
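An added example, not code from this thread: a small Python parser for the OllyDbg listing format quoted in the log above. It finds the CMP-then-conditional-jump pair the log traced by hand and resolves the string referenced at the jump target, which shows a crackme author why a plaintext compare against a stored constant is the first thing a reader of the listing sees. The excerpt is a constructed copy of a few lines from that listing, and the function names are mine.

```python
import re

# Constructed excerpt in the OllyDbg listing format quoted in the log above: address,
# analysis marker, hex bytes padded to 15 columns, instruction, optional ';' comment.
# OllyDbg spills string comments onto a second line; the lone '"' lines are that spill.
LISTING = """\
00401443  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
00401446  |. 3B45 F4        CMP EAX,DWORD PTR SS:[EBP-C]
00401449  |. 75 51          JNZ SHORT CrackMe.0040149C
0040144B  |. C74424 04 5600>MOV DWORD PTR SS:[ESP+4],CrackMe.0044005>;  ASCII "you just cracked me.
"
00401453  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
0040149C  |> C74424 04 9100>MOV DWORD PTR SS:[ESP+4],CrackMe.0044009>;  ASCII "OWNAGE!! ZOMGWTFBBQ
"
004014A4  |. C70424 C033440>MOV DWORD PTR SS:[ESP],CrackMe.004433C0
"""

LINE_RE = re.compile(r"^([0-9A-F]{8})\s+[|\\][.>]\s(.{15})(.*)$")
STR_RE = re.compile(r'ASCII "([^"]*)')


def parse_listing(text):
    """Return (address, mnemonic, operands, comment) for each instruction line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # spilled string continuation, not an instruction
            continue
        addr, _hexbytes, rest = m.groups()
        code, _, comment = rest.partition(";")
        mnemonic, _, operands = code.strip().partition(" ")
        insns.append((addr, mnemonic, operands, comment.strip()))
    return insns


def find_password_checks(text):
    """Find each CMP followed by a conditional jump, plus the first string
    referenced at the jump target: the compare-and-branch the log traced by hand."""
    insns = parse_listing(text)
    index = {addr: i for i, (addr, *_) in enumerate(insns)}
    hits = []
    for (addr, mn, ops, _), (_, jmn, jops, _) in zip(insns, insns[1:]):
        if mn != "CMP" or not jmn.startswith("J") or jmn == "JMP":
            continue
        target = jops.rsplit(".", 1)[-1]     # "SHORT CrackMe.0040149C" -> "0040149C"
        after = insns[index.get(target, len(insns)):]   # empty if target not listed
        strings = (STR_RE.search(c) for *_, c in after)
        message = next((s.group(1) for s in strings if s), None)
        hits.append({"cmp": addr, "operands": ops, "jump": jmn,
                     "target": target, "message": message})
    return hits
```

Running `find_password_checks(LISTING)` on the excerpt returns one hit: the CMP at 00401446 against [EBP-C], whose JNZ lands on the "OWNAGE!! ZOMGWTFBBQ" message.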
UnLmtD (Grandmaster Cheater) - Reputation: 0 - Joined: 13 Mar 2007 - Posts: 894 - Location: Canada
Posted: Tue Jul 24, 2007 10:34 am
You can also exploit the OutputDebugString bug.
xcelestialx (Grandmaster Cheater Supreme) - Reputation: 0 - Joined: 19 Nov 2006 - Posts: 1252 - Location: Canada, ON
Posted: Tue Jul 24, 2007 11:03 am
I hate it when ppl attempt to terminate CE and Olly.
_________________
Rep resets. D; Suck.
If you're in Scania, pm me ign.

103 Dk. Scania.
60 Sin. Scania
DeletedUser14087 (I post too much) - Reputation: 2 - Joined: 21 Jun 2006 - Posts: 3069
Posted: Tue Jul 24, 2007 12:35 pm
> xcelestialx wrote:
> I hate it when ppl attempt to terminate CE and Olly.

ill take it off
oib111 (I post too much) - Reputation: 0 - Joined: 02 Apr 2007 - Posts: 2947 - Location: you wanna know why?
Posted: Tue Jul 24, 2007 4:38 pm
thx haha01haha01 but i found the post.