lurc Grandmaster Cheater Supreme Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Sun Apr 20, 2008 8:31 pm Post subject: First CrackMe
I was bored, so I thought I'd make one.
I don't think it should be too hard.
Find the password, or patch it.
Symbol I'm a spammer Reputation: 0
Joined: 18 Apr 2007 Posts: 5094 Location: Israel.
Posted: Mon Apr 21, 2008 2:23 am
Not working.
Did you compile it as "Release" or "Debug"? I had the same problem, nobody could run it when I compiled as "Debug".
killersamurai Expert Cheater Reputation: 0
Joined: 10 Sep 2007 Posts: 197 Location: Colorado
Posted: Mon Apr 21, 2008 3:19 am
Password: calling. Didn't look into the protection much, but it seems like you are doing something with .data.
lurc Grandmaster Cheater Supreme Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Mon Apr 21, 2008 7:50 am
It's compiled as release.
killersamurai wrote: "Password: calling. Didn't look into the protection much, but it seems like you are doing something with .data."
Nice job
Psy Grandmaster Cheater Supreme Reputation: 1
Joined: 27 Mar 2008 Posts: 1366
Posted: Mon Apr 21, 2008 8:09 am
.NET Framework...
lurc Grandmaster Cheater Supreme Reputation: 2
Joined: 13 Nov 2006 Posts: 1900
Posted: Mon Apr 21, 2008 8:32 am
I made it in pure Win32 API C++.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Mon Apr 21, 2008 9:26 am
004012FD: Change JB SHORT 00401330 to JG SHORT 00401330
004011AB: JE 004010A4 to JNZ 004010A4
0040120A: CMP EAX,1 to CMP EAX,0
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8518 Location: 127.0.0.1
Posted: Mon Apr 21, 2008 10:11 am
Little more info on this:
- Compiled with the debug information still enabled, which makes it a bit easier to locate things. Firstly, open it in Olly. Once it's open, run it. If your Olly is closed or the crackme just closes, it's because of some protection inside the crackme (will get to that later). Rename your Olly or get a custom one with some protections.
- Open the crackme in Olly and fully run it so it asks for the password. CTRL+A in Olly to analyze the code, then right click in the code window, choose: Search For -> Name (label) in current module (be sure the currently selected module is the main exe of the crackme).
- In the module list, locate:
Code:
Names in CrackMe_, item 10
Address=0040205C
Section=.rdata
Type=Import (Known)
Name=MSVCR90.exit
Right click this, choose Find References to import, double click the only found reference. This will dump you to:
Code: 004014EC . FF15 5C204000 CALL DWORD PTR DS:[<&MSVCR90.exit>] ; \exit
Just above this should be a call:
Code: 004014D6 . E8 05FDFFFF CALL CrackMe_.004011E0
This is the main code start of the program. Follow the call and you will be at the main function.
Next the code:
- First call in the main code is to set the console title.
- Second call in the main code is to IsDebuggerPresent
-- Bypass this with basic Olly plugins or other crappy methods.
- Creates a thread to loop the processes to look for:
-- OLLYDBG.exe, Cheat Engine.exe
-- Looks for the following window titles:
--- OllyDbg, Cheat Engine 5.4, Cheat Engine 5.3
- Terminates the crackme if any of them are found.
- Loops to 100 (I guess for Sleep to let the thread catch up.)
- Loops the word 'Enter the password:' to output to the console.
- Waits for input from user
Anyway, the check method to compare can be found at:
Code:
004012B9 . 8DA424 000000>LEA ESP,DWORD PTR SS:[ESP]
004012C0 > 0FB70455 1830>MOVZX EAX,WORD PTR DS:[EDX*2+403018]
004012C8 . 0FB70C55 E033>MOVZX ECX,WORD PTR DS:[EDX*2+4033E0]
004012D0 . 83C0 32 ADD EAX,32
004012D3 . 3BC8 CMP ECX,EAX
The inputted string is split into single characters to compare each character one by one with the real word.
EAX = current character of actual password.
ECX = current character of inputted password.
Set a break on the compare, pull each character via looping. (Phishing method.)
EDX holds the current character position, looping from 0 to whatever the length of the password is. (Just saying this in general.) So:
c = [0*2+403018] = 403018 = 0x31, then add 32 = 0x63 = ASCII c
a = [1*2+403018] = 40301A = 0x2F, then add 32 = 0x61 = ASCII a
and so on..
There is a table in memory that is being read from:
Code:
00403010 FE FF FF FF 01 00 00 00 31 00 2F 00 3A 00 3A 00 þÿÿÿ...1./.:.:.
00403020 37 00 3C 00 35 00 00 00 8B 00 A8 00 A8 00 B5 00 7.<.5...‹.¨.¨.µ.
00403030 80 00 9E 00 A3 00 00 00 64 00 76 00 7B 00 2E 00 €.ž.£...d.v.{...
00403040 54 00 7D 00 83 00 74 00 81 00 2F 00 83 00 77 00 T.}.ƒ.t../.ƒ.w.
00403050 74 00 2F 00 7F 00 70 00 82 00 82 00 86 00 7E 00 t./..p.‚.‚.†.~.
00403060 81 00 73 00 49 00 2F 00 00 00 00 00 63 00 82 00 .s.I./.....c.‚.
00403070 8D 00 48 00 3F 00 A4 00 96 00 60 00 9D 00 72 00 .H.?.¤.–.`..r.
00403080 01 00 00 00 40 29 34 00 B8 28 34 00 00 00 00 00 ...@)4.¸(4.....
Do the rest of the math to pull each char from that table, and you will get the password.
- Retired.
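An added illustration of the compare loop atom0s walks through above (this is not code from the thread or from the crackme): the WORD table from the dump at 0x00403018 is embedded as a constructed constant, the +0x32 from ADD EAX,32 is applied to each entry, and check_password mirrors the per-character CMP. It shows why a constant offset over a static table is obfuscation rather than protection: once the compare instruction is located, both operands are in plain view. The function names, and the exact-length rule for input longer than the table, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the WORD table read from 0x00403018 (bytes 8..23 of the
 * dump line at 0x00403010, little-endian). A zero word ends the table. */
static const uint16_t kTable[] = {0x0031, 0x002F, 0x003A, 0x003A,
                                  0x0037, 0x003C, 0x0035, 0x0000};

#define KEY_OFFSET 0x32   /* immediate of "ADD EAX,32"; Olly shows hex */

/* Apply the offset to every table entry, as the post does by hand
 * (0x31 + 0x32 = 0x63 'c', ...). Returns the number of characters written. */
size_t decode_password(const uint16_t *table, char *out, size_t out_len) {
    size_t n = 0;
    while (table[n] != 0 && n + 1 < out_len) {
        out[n] = (char)((table[n] + KEY_OFFSET) & 0xFF);
        n++;
    }
    out[n] = '\0';
    return n;
}

const char *decoded_password(void) {   /* same result from a static buffer */
    static char buf[32];
    decode_password(kTable, buf, sizeof buf);
    return buf;
}

/* Mirror of the crackme loop: input char at [EDX*2+4033E0] vs. table word at
 * [EDX*2+403018] plus the offset, one position per iteration. The page does not
 * show how trailing extra input is handled; the exact-length rule is assumed. */
int check_password(const uint16_t *table, const char *input) {
    for (size_t i = 0;; i++) {
        if (table[i] == 0)                 /* table exhausted: input must end */
            return input[i] == '\0';
        if (input[i] == '\0')              /* input too short */
            return 0;
        if ((uint16_t)(unsigned char)input[i] != (uint16_t)(table[i] + KEY_OFFSET))
            return 0;
    }
}

int main(void) {
    printf("decoded: %s  check: %d  check(\"Calling\"): %d\n", decoded_password(),
           check_password(kTable, decoded_password()), check_password(kTable, "Calling"));
    return 0;
}
```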