Hans Henrik (Expert Cheater)
Reputation: 0 | Joined: 18 Feb 2007 | Posts: 178
Posted: Sun Jul 24, 2011 10:28 am
Post subject: [solved] my first passwordMe / Find the password

my first PasswordMe (or find the password?), a hard 1 i guess... have not added generic protection crap (packers/protectors/etc), maybe in v2?, but shouldn't be easy anyway.
 written in c++, compiled with mingw 3.4.2 (-s -O3)
 urls:
 http://www.speedyshare.com/files/29558717/PasswordMe.zip
 rules:
 patched executable is not an accepted solution, get the password. :- )
 _________________
 
 Im not around.
 im almost never checking the forum anymore
 
 Last edited by Hans Henrik on Sun Jul 24, 2011 11:31 am; edited 1 time in total

atom0s (Moderator)
Reputation: 205 | Joined: 25 Jan 2006 | Posts: 8587 | Location: 127.0.0.1
Posted: Sun Jul 24, 2011 11:19 am

Password: 4223084
 Given there is a ton of stuff packed into the file to do whatever, my guess is there's extra stuff to throw people off.
 
 How I got the answer:
 
 Loaded the executable into Olly to check if there were any giveaways from the start. There was both the nag and the 'correct' responses so that gave away where the 'magic' happens with comparing the input to the real answer.
 
 Going to the start of the function you have:
 
 Code:
 00401EF3   . 8D75 98        LEA ESI,DWORD PTR SS:[EBP-68]            ; ||||
 00401EF6   . 8D5D 98        LEA EBX,DWORD PTR SS:[EBP-68]            ; ||||
 00401EF9   . 893424         MOV DWORD PTR SS:[ESP],ESI               ; ||||
 00401EFC   . E8 1F3D0000    CALL <JMP.&msvcrt.atoi>                  ; |||\atoi
 00401F01   . 8985 5CFFFFFF  MOV DWORD PTR SS:[EBP-A4],EAX            ; |||
 00401F07   . 891C24         MOV DWORD PTR SS:[ESP],EBX               ; |||
 00401F0A   . E8 113D0000    CALL <JMP.&msvcrt.atoi>                  ; ||\atoi
 00401F0F   . 8D4D 98        LEA ECX,DWORD PTR SS:[EBP-68]            ; ||
 00401F12   . 890C24         MOV DWORD PTR SS:[ESP],ECX               ; ||
 00401F15   . E8 063D0000    CALL <JMP.&msvcrt.atoi>                  ; |\atoi
 00401F1A   . 8B15 6C704000  MOV EDX,DWORD PTR DS:[40706C]            ; |Password.00408158
 00401F20   . 891424         MOV DWORD PTR SS:[ESP],EDX               ; |
 00401F23   . E8 E83C0000    CALL <JMP.&msvcrt.strlen>                ; \strlen
 
 Which tells us the input is getting converted to a number and the length of another string is important.
 
 Little further down you check if a pointer is valid:
 
 Code:
 00401F4D   . 89B5 58FFFFFF  MOV DWORD PTR SS:[EBP-A8],ESI            ; |
 00401F53   . 890C24         MOV DWORD PTR SS:[ESP],ECX               ; |
 00401F56   . 8995 68FFFFFF  MOV DWORD PTR SS:[EBP-98],EDX            ; |
 00401F5C   . E8 DF3E0000    CALL <JMP.&KERNEL32.IsBadReadPtr>        ; \IsBadReadPtr
 
 Which uses some of the info we just got from above, the main two being the strlen return (0x8C) and the input we gave converted to a number.
 
 Afterward, starting at 0x004020C0 we check the input to strings inside the exe. First checks the bad answer, second is the correct answer. Once loaded it jumps back to 0x00401F6C to compare the answer to our input converted to a pointer and read as a string which we tell it to point to the correct answers location in memory.
 
 So in short the first part gave away the answer
 
 Code:
 00401F1A   . 8B15 6C704000  MOV EDX,DWORD PTR DS:[40706C]            ; |Password.00408158
 
 40706C is the pointer to the correct answer. Convert this to dec and use the result as the answer.
 _________________
 
 - Retired.
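
A small C model of the check described in the answer above, added here as an illustration and not taken from PasswordMe or from either poster. The strings, `readable_slot` (a stand-in for `IsBadReadPtr`) and the reading that the input is dereferenced as a pointer to a string pointer are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: the real strings are not shown in the thread. */
static const char *g_secret = "constructed-secret"; /* role of the pointer at 40706C */
static const char *g_decoy  = "constructed-decoy";  /* role of the wrong-answer string */

/* Assumed stand-in for IsBadReadPtr: only our two pointer slots count as readable. */
static int readable_slot(uintptr_t addr) {
    return addr == (uintptr_t)&g_secret || addr == (uintptr_t)&g_decoy;
}

/* Returns 1 when the decimal input, used as an address, leads to the secret.
   Assumption: the input is dereferenced as a pointer to a string pointer. */
int check_password(const char *input) {
    char *end;
    unsigned long long n = strtoull(input, &end, 10); /* the original calls atoi */
    if (end == input || *end != '\0') return 0;       /* reject non-numeric input */
    uintptr_t addr = (uintptr_t)n;
    if (!readable_slot(addr)) return 0;
    const char *candidate = *(const char *const *)addr;
    return strcmp(candidate, g_secret) == 0;
}

/* Writes an address in decimal, which is the form the check expects as input. */
void address_as_password(const void *p, char *out, size_t len) {
    snprintf(out, len, "%llu", (unsigned long long)(uintptr_t)p);
}

int main(void) {
    char buf[32];
    address_as_password((const void *)(uintptr_t)0x40706C, buf, sizeof buf);
    printf("0x40706C in decimal: %s\n", buf);
    address_as_password(&g_secret, buf, sizeof buf);
    printf("password for this build: %s -> %d\n", buf, check_password(buf));
    printf("fixed guess 4223084 here -> %d\n", check_password("4223084"));
    return 0;
}
```

In this model the accepted input is an address, so a given password keeps working only while the pointer variable stays at the same address.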