zeroc0de Cheater Reputation: 0
Joined: 31 Aug 2008 Posts: 32
Posted: Fri Oct 10, 2008 11:53 am Post subject: o_O - [v0.1] Crackme
The goal is to figure out a way to patch the password check, then figure out the real password.
Coded in Delphi, this should be a good, fun and worthwhile challenge.
Have a go, sir
-- Patching the password check is easy.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Fri Oct 10, 2008 2:29 pm Post subject:
Password: cookie
For any password:
004598BF EB 34 JMP SHORT o_O.004598F5
zeroc0de Cheater Reputation: 0
Joined: 31 Aug 2008 Posts: 32
Posted: Fri Oct 10, 2008 3:04 pm Post subject:
Fucking nice! Can you explain a little how you found the password?
Zerith Master Cheater Reputation: 1
Joined: 07 Oct 2007 Posts: 468
Posted: Sat Oct 11, 2008 12:13 am Post subject:
You apparently had a switch() for every char entered:
Code:
004599A8 |. 83C0 9D |ADD EAX,-63 ; Switch (cases 63..6F)
004599AB |. 83F8 0C |CMP EAX,0C
004599AE |. 77 6F |JA SHORT o_O.00459A1F
004599B0 |. 0FB680 BE99450>|MOVZX EAX,BYTE PTR DS:[EAX+4599BE]
004599B7 |. FF2485 CB99450>|JMP DWORD PTR DS:[EAX*4+4599CB]
004599BE |. 01 |DB 01 ; Index table to switch 004599CB

Code:
004599E3 |> 8BC6 |MOV EAX,ESI ; ; Case 63 ('c') of switch 004599A8
004599E5 |. F7EF |IMUL EDI
004599E7 |. 0105 D0054600 |ADD DWORD PTR DS:[4605D0],EAX
004599ED |. EB 37 |JMP SHORT o_O.00459A26
004599EF |> 8BC6 |MOV EAX,ESI ; Case 6F ('o') of switch 004599A8
004599F1 |. F7EF |IMUL EDI
004599F3 |. 0105 D0054600 |ADD DWORD PTR DS:[4605D0],EAX
004599F9 |. EB 2B |JMP SHORT o_O.00459A26
004599FB |> 8BC6 |MOV EAX,ESI ; Case 6B ('k') of switch 004599A8
004599FD |. F7EF |IMUL EDI
004599FF |. 0105 D0054600 |ADD DWORD PTR DS:[4605D0],EAX
00459A05 |. EB 1F |JMP SHORT o_O.00459A26
00459A07 |> 8BC6 |MOV EAX,ESI ; Case 69 ('i') of switch 004599A8
00459A09 |. F7EF |IMUL EDI
00459A0B |. 0105 D0054600 |ADD DWORD PTR DS:[4605D0],EAX
00459A11 |. EB 13 |JMP SHORT o_O.00459A26
00459A13 |> 8BC6 |MOV EAX,ESI ; Case 65 ('e') of switch 004599A8
00459A15 |. F7EF |IMUL EDI
00459A17 |. 0105 D0054600 |ADD DWORD PTR DS:[4605D0],EAX
00459A1D |. EB 07 |JMP SHORT o_O.00459A26
00459A1F |> 33C0 |XOR EAX,EAX ; Default case of switch 004599A8
00459A21 |. A3 D0054600 |MOV DWORD PTR DS:[4605D0],EAX
00459A26 |> 47 |INC EDI
00459A27 |. FF4D F4 |DEC DWORD PTR SS:[EBP-C]
00459A2A |.^0F85 2EFFFFFF \JNZ o_O.0045995E

Then it was pretty easy tracing and finding the right password.
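A small Python model of the per-character switch loop in the listing above, added here as an example rather than code from the thread or the crackme itself. It assumes ESI holds the current character code, EDI is a 1-based position counter, [EBP-C] is the remaining length and [4605D0] is a 32-bit accumulator, and that the index-table entries not shown (the other characters in the 63..6F range) route to the default case.

```python
# Assumed register/memory roles (not stated in the thread):
#   ESI      = current character code
#   EDI      = position counter, starting at 1
#   [4605D0] = 32-bit accumulator
#   [EBP-C]  = remaining character count (the JNZ loop condition)
MASK32 = 0xFFFFFFFF

# Cases in the listing that execute "MOV EAX,ESI; IMUL EDI; ADD [4605D0],EAX".
# Every other index-table entry is assumed to land on the default case.
ACCUMULATE = {0x63, 0x65, 0x69, 0x6B, 0x6F}   # 'c', 'e', 'i', 'k', 'o'


def run_switch_loop(password: str, first_pos: int = 1):
    """Emulate the loop and return (final accumulator, per-character trace)."""
    acc = 0                                   # DWORD PTR DS:[4605D0]
    edi = first_pos                           # INC EDI after each character
    trace = []
    for ch in password.encode("latin-1"):
        idx = (ch - 0x63) & MASK32            # ADD EAX,-63 (unsigned wrap)
        # CMP EAX,0C / JA -> default, then the index table picks the case.
        if idx > 0x0C or ch not in ACCUMULATE:
            acc = 0                           # XOR EAX,EAX; MOV [4605D0],EAX
        else:
            acc = (acc + ch * edi) & MASK32   # MOV EAX,ESI; IMUL EDI; ADD
        trace.append((chr(ch), edi, acc))
        edi += 1                              # INC EDI
    return acc, trace                         # DEC [EBP-C]; JNZ until zero


def checksum(password: str, first_pos: int = 1) -> int:
    """Final accumulator value for `password` under the assumed model."""
    return run_switch_loop(password, first_pos)[0]


if __name__ == "__main__":
    for pw in ("cookie", "cook!e"):
        value, steps = run_switch_loop(pw)
        print(pw, hex(value), steps)
```

Because the default case zeroes the accumulator rather than skipping the character, the final value in this model depends only on the trailing run of c/e/i/k/o characters, which is exactly the kind of structural weakness that stepping through the switch in a debugger exposes.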
zeroc0de Cheater Reputation: 0
Joined: 31 Aug 2008 Posts: 32
Posted: Sun Oct 12, 2008 3:03 pm Post subject:
Thanks, I'll look deeper into it.