Crackme~~

sumnewdude
Posted: Wed Mar 05, 2008 4:46 pm

Well, I'm back with a crackme not written in .NET this time. It only took me 5 min to make, so you can probably solve it fast.
_________________

.erutangis ruoy ni siht esu neht ,sdrawkcab siht daer ot hguone trams erew uoy fI

HolyBlah
Posted: Thu Mar 06, 2008 6:15 am

The first box is 8 letters

The second box is "Watzup?" + every letter in the first box - 31
so for "BlahRulez" in the first box the second box will be: "Watzup?#MBI3VMF["


Last edited by HolyBlah on Fri Mar 07, 2008 1:55 am; edited 1 time in total

sumnewdude
Posted: Thu Mar 06, 2008 6:51 am

HolyBlah wrote:
The first box is 8 letters

The second box is "Watzup?" + every letter in the first box - 32
so for "BlahRulez" in the first box the second box will be: "Watzup?#MBI3VMF["


You did it! But do you mind telling me how?

HolyBlah
Posted: Thu Mar 06, 2008 6:56 am

BP on __vbaStrCmp

sumnewdude
Posted: Thu Mar 06, 2008 7:06 am

HolyBlah wrote:
BP on __vbaStrCmp

"BP"?? Sorry, I'm not that much into crackme stuff.

Well, I'm guessing by BP you mean breakpoint, but how do you find "vbaStrCmp" in OllyDbg? (I'm guessing that is what you used.)

EDIT: I found
Code:
 0040117C   .-FF25 4C104000  JMP DWORD PTR DS:[<&MSVBVM60.__vbaStrCmp>;  MSVBVM60.__vbaStrCmp
I'm guessing that is what you're talking about, and I put a toggle breakpoint on there and it looks like it does nothing to me.

atom0s
Posted: Thu Mar 06, 2008 3:59 pm

BP stands for breakpoint.
_________________
- Retired.

sumnewdude
Posted: Thu Mar 06, 2008 7:13 pm

Wiccaan wrote:
BP stands for breakpoint.

Ya, but I put a breakpoint where you said and it doesn't do anything different with the program.

atom0s
Posted: Thu Mar 06, 2008 10:14 pm

First thing you did was check the length, which was 8 chars long and the message was:

Code:
00401FAF   .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],Crackme_.00401>;  UNICODE "sorry too short"


Looking above that, you have:

Code:
00401F61   > \8B55 D0       MOV EDX,DWORD PTR SS:[EBP-30]
00401F64   .  52            PUSH EDX
00401F65   .  FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr
00401F6B   .  33C9          XOR ECX,ECX
00401F6D   .  83F8 08       CMP EAX,8
00401F70   .  0F9CC1        SETL CL
00401F73   .  F7D9          NEG ECX
00401F75   .  8BF1          MOV ESI,ECX
00401F77   .  8D4D D0       LEA ECX,DWORD PTR SS:[EBP-30]
00401F7A   .  FFD7          CALL EDI


Which checks the length of the string and compares it to 8. The compare gives it away on how much it wants in size after the LenBstr.

Further down you have:

Code:
004021E7   > \8B4D D0       MOV ECX,DWORD PTR SS:[EBP-30]
004021EA   .  8B55 D8       MOV EDX,DWORD PTR SS:[EBP-28]
004021ED   .  51            PUSH ECX
004021EE   .  52            PUSH EDX
004021EF   .  FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp


Break on the last line of that and you see:

ECX = bottom box value.
EDX = real value which is Watzup?BBBBBBBB

Enter the password in the bottom box and you win.

Mind you the first box was the compare for the size, you can apparently enter anything in the first box as long as it matches the new value of the 2nd.

Each or so passwords:

Top: aaaaaaaa
Bottom: Watzup?BBBBBBBB

Top: bbbbbbbb
Bottom: Watzup?CCCCCCCC

Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.

HolyBlah
Posted: Fri Mar 07, 2008 1:59 am

Wiccaan wrote:
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.
It's not +1, it is -31.

Code:
00402103   .  52            PUSH EDX
00402104   .  FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>]          ;  MSVBVM60.__vbaStrVarVal
0040210A   .  50            PUSH EAX
0040210B   .  FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>]                    ;  MSVBVM60.rtcAnsiValueBstr
00402111   .  66:2D 1F00    SUB AX,1F
00402115   .  8D4D 88       LEA ECX,DWORD PTR [EBP-78]
00402118   .  0F80 7A020000 JO Crackme_.00402398
0040211E   .  0FBFC0        MOVSX EAX,AX
00402121   .  50            PUSH EAX
00402122   .  51            PUSH ECX
00402123   .  FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>]                    ;  MSVBVM60.rtcVarBstrFromAnsi



for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"
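
The check that the posts above reconstruct from the listings, modelled in Python as an added example (not part of the thread and not the crackme's own code). It also compares the "+1" and "-31" readings on the inputs quoted in the thread; the helper names are hypothetical, and rejecting negative character codes is an assumption about the runtime.

```python
# Added illustration: models the check reconstructed in the thread's listings.
PREFIX = "Watzup?"  # constant part of the value seen in EDX at __vbaStrCmp
OFFSET = 0x1F       # SUB AX,1F at 00402111
MIN_LEN = 8         # CMP EAX,8 / SETL at 00401F6D..00401F70


def expected_bottom(top: str) -> str:
    """Second-box value the crackme compares against (hypothetical helper)."""
    if len(top) < MIN_LEN:            # SETL: only lengths below 8 are rejected
        raise ValueError("sorry too short")
    out = []
    for ch in top:
        code = ord(ch)                # rtcAnsiValueBstr: character -> ANSI code
        if code > 0xFF:
            raise ValueError(f"{ch!r} is not a single-byte character")
        shifted = code - OFFSET       # SUB AX,1F; JO cannot fire for 0..255
        if shifted < 0:
            # Assumption: the runtime rejects negative character codes.
            raise ValueError(f"{ch!r} is below 0x1F")
        out.append(chr(shifted))      # rtcVarBstrFromAnsi: code -> character
    return PREFIX + "".join(out)


def plus_one_reading(top: str) -> str:
    """The earlier '+1' reading: next letter, upper-cased as it was observed."""
    return PREFIX + "".join(chr(ord(ch) + 1).upper() for ch in top)


def distinguishing_inputs(samples):
    """Inputs on which the two readings give different second-box values."""
    return [s for s in samples if expected_bottom(s) != plus_one_reading(s)]


if __name__ == "__main__":
    # Sample inputs are the ones quoted in the thread.
    for top in ("aaaaaaaa", "bbbbbbbb", "@@@@@@@@", "BlahRulez"):
        print(f"{top!r:12} -> {expected_bottom(top)!r}")
    print("readings differ on:",
          distinguishing_inputs(["aaaaaaaa", "bbbbbbbb", "@@@@@@@@"]))
```

For lowercase a to y, adding 1 and upper-casing gives the same character as subtracting 31, which is why the all-lowercase test passwords fit both readings and only an input like "@@@@@@@@" separates them.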

sumnewdude
Posted: Fri Mar 07, 2008 7:16 am

HolyBlah wrote:
Wiccaan wrote:
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.
It's not +1, it is -31.

Code:
00402103   .  52            PUSH EDX
00402104   .  FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>]          ;  MSVBVM60.__vbaStrVarVal
0040210A   .  50            PUSH EAX
0040210B   .  FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>]                    ;  MSVBVM60.rtcAnsiValueBstr
00402111   .  66:2D 1F00    SUB AX,1F
00402115   .  8D4D 88       LEA ECX,DWORD PTR [EBP-78]
00402118   .  0F80 7A020000 JO Crackme_.00402398
0040211E   .  0FBFC0        MOVSX EAX,AX
00402121   .  50            PUSH EAX
00402122   .  51            PUSH ECX
00402123   .  FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>]                    ;  MSVBVM60.rtcVarBstrFromAnsi



for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"



Heh, to me this looks like a bunch of random letters. Do you know of a good tut?

atom0s
Posted: Sat Mar 08, 2008 12:22 pm

HolyBlah wrote:
Wiccaan wrote:
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.
It's not +1, it is -31.

Code:
00402103   .  52            PUSH EDX
00402104   .  FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>]          ;  MSVBVM60.__vbaStrVarVal
0040210A   .  50            PUSH EAX
0040210B   .  FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>]                    ;  MSVBVM60.rtcAnsiValueBstr
00402111   .  66:2D 1F00    SUB AX,1F
00402115   .  8D4D 88       LEA ECX,DWORD PTR [EBP-78]
00402118   .  0F80 7A020000 JO Crackme_.00402398
0040211E   .  0FBFC0        MOVSX EAX,AX
00402121   .  50            PUSH EAX
00402122   .  51            PUSH ECX
00402123   .  FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>]                    ;  MSVBVM60.rtcVarBstrFromAnsi



for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"


Yeah my bad on that one, wasn't paying attention when I was writing that out.

sumnewdude
Posted: Wed Mar 12, 2008 8:13 pm

Wiccaan wrote:
HolyBlah wrote:
Wiccaan wrote:
Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.
It's not +1, it is -31.

Code:
00402103   .  52            PUSH EDX
00402104   .  FF15 78104000 CALL DWORD PTR [<&MSVBVM60.__vbaStrVarVal>]          ;  MSVBVM60.__vbaStrVarVal
0040210A   .  50            PUSH EAX
0040210B   .  FF15 18104000 CALL DWORD PTR [<&MSVBVM60.#516>]                    ;  MSVBVM60.rtcAnsiValueBstr
00402111   .  66:2D 1F00    SUB AX,1F
00402115   .  8D4D 88       LEA ECX,DWORD PTR [EBP-78]
00402118   .  0F80 7A020000 JO Crackme_.00402398
0040211E   .  0FBFC0        MOVSX EAX,AX
00402121   .  50            PUSH EAX
00402122   .  51            PUSH ECX
00402123   .  FF15 70104000 CALL DWORD PTR [<&MSVBVM60.#608>]                    ;  MSVBVM60.rtcVarBstrFromAnsi



for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"


Yeah my bad on that one, wasn't paying attention when I was writing that out.


Oops, sorry lol, I meant the Olly code, not the
Quote:
for "@@@@@@@@":
"AAAAAAAA" != "!!!!!!!!"

Haxory'
Posted: Sat Mar 15, 2008 5:57 am

sumnewdude wrote:

Heh to me this looks like a bunch of random letters do you know of a good tut?


200% QFT

Edit: I kinda started to get it =D
I already cracked 4 or 5 crackmes now

_________________
you and me baby ain't nothing but mammals so lets do it like they do on the discovery channel

coder sal
Posted: Fri May 16, 2008 8:06 am

Wiccaan wrote:
First thing you did was check the length, which was 8 chars long and the message was:

Code:
00401FAF   .  C785 70FFFFFF>MOV DWORD PTR SS:[EBP-90],Crackme_.00401>;  UNICODE "sorry too short"


Looking above that, you have:

Code:
00401F61   > \8B55 D0       MOV EDX,DWORD PTR SS:[EBP-30]
00401F64   .  52            PUSH EDX
00401F65   .  FF15 08104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>;  MSVBVM60.__vbaLenBstr
00401F6B   .  33C9          XOR ECX,ECX
00401F6D   .  83F8 08       CMP EAX,8
00401F70   .  0F9CC1        SETL CL
00401F73   .  F7D9          NEG ECX
00401F75   .  8BF1          MOV ESI,ECX
00401F77   .  8D4D D0       LEA ECX,DWORD PTR SS:[EBP-30]
00401F7A   .  FFD7          CALL EDI


Which checks the length of the string and compares it to 8. The compare gives it away on how much it wants in size after the LenBstr.

Further down you have:

Code:
004021E7   > \8B4D D0       MOV ECX,DWORD PTR SS:[EBP-30]
004021EA   .  8B55 D8       MOV EDX,DWORD PTR SS:[EBP-28]
004021ED   .  51            PUSH ECX
004021EE   .  52            PUSH EDX
004021EF   .  FF15 4C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>;  MSVBVM60.__vbaStrCmp


Break on the last line of that and you see:

ECX = bottom box value.
EDX = real value which is Watzup?BBBBBBBB

Enter the password in the bottom box and you win.

Mind you the first box was the compare for the size, you can apparently enter anything in the first box as long as it matches the new value of the 2nd.

Each or so passwords:

Top: aaaaaaaa
Bottom: Watzup?BBBBBBBB

Top: bbbbbbbb
Bottom: Watzup?CCCCCCCC

Bottom is always Watzup? then 8 letters of +1 to the top box letters spot.


I tried following what you (Wiccaan) said but:

The registers don't give me any information on the __VbaStrCmp, also I thought it might be the wrong address, but I don't think it is because I did a binary string search...

oib111
Posted: Fri May 16, 2008 8:22 am

Set the BP, run the program and do it like you're normally trying to do it, and it will break there and then give you the info. You can't just set a breakpoint and assume that it is going to give you information.
_________________


8D wrote:

cigs dont make people high, which weed does, which causes them to do bad stuff. like killing
Back to top