1 byte puzzle


evaluator
03-08-2004, 03:29 PM
change 1 byte only

disavowed
03-08-2004, 05:48 PM
I guess it's not the correct solution, but I know how to get rid of the nag by changing one byte:
Change the byte at file offset 0x000000a8 (assuming the first byte of the file is at offset 0x00000000) from 0x00 to 0x15.

evlncrn8
03-08-2004, 06:26 PM
Quote:
[Originally Posted by disavowed]I guess it's not the correct solution, but I know how to get rid of the nag by changing one byte:
Change the byte at file offset 0x000000a8 (assuming the first byte of the file is at offset 0x00000000) from 0x00 to 0x15.

Heh, that's what I was thinking, couldn't find any other way to do it.
I thought it'd be something to do with messing with eax in the line for the MessageBox,
like xchg ah,al so it pointed to the string (and not using the 2nd mov eax,blah) but no go.. not in 1 byte anyhow.

disavowed
03-08-2004, 06:48 PM
maybe evaluator mis-translated "two" as "one" :P

SiNTAX
03-08-2004, 07:31 PM
Solved... 1 byte indeed

PM'ed the solution to eval.

ZaiRoN
03-08-2004, 07:58 PM
Hi All,
SiNTAX was right... only 1 byte! Very funny puzzle game

good luck
Zai

TQN
03-09-2004, 01:27 AM
Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg.) The "registered" string will also be changed to "Registered".
TQN

evlncrn8
03-09-2004, 01:44 AM
Quote:
[Originally Posted by TQN]Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg.) The "registered" string will also be changed to "Registered".
TQN

Damn it, I was close on the xchg ah,al thing.. I'm just getting rusty in my old age heh

evaluator
03-09-2004, 02:13 AM
SiNTAX PM-ed at 12:31 AM

ZaiRoN at 12:53 AM

.. I'm cryyyy

SiNTAX
03-09-2004, 04:01 AM
Quote:
[Originally Posted by TQN]Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg). "registered" string will also be changed to "Registered".
TQN


Tsssk.. now you've spoiled it for the rest!

ZaiRoN
03-09-2004, 07:36 AM
Hi TQN,
why have you posted the solution so soon? Now no one else will try the puzzle anymore...

evaluator
03-09-2004, 07:41 AM
In addition, an easier 1 byte puzzle, for newbies.

R@dier
03-09-2004, 12:44 PM
Change [eax+10] to [esi+10]:
at offset 210h change 50 to 56.


That was a bit of fun

Best Wishes
R@dier

evaluator
03-09-2004, 12:54 PM
Next (de)generation of the 1 byte puzzle..
Yep, I trashed about 5 hours on it, but it seems
not so many will be required for solving it..

Who will first!?

evaluator
03-09-2004, 12:59 PM
In the newbies puzzle:
1st was ZaiRoN
2nd was R@dier

but because R@dier is more of a newbie, he WON!!

Kayaker
03-09-2004, 01:34 PM
Quote:
[Originally Posted by ZaiRoN]Hi TQN,
why have you posted the solution so soon? Now no one else will try the puzzle anymore...

No kidding eh? How about if someone wants to post a solution (nothing wrong with that per se), they write it in ROT13? Those who want the solution have it. Those who don't only see gibberish. Plus it avoids posting simple 1 byte zipped solutions as well.

http://rot13.com/


OK 1-bite wizard?

ZaiRoN
03-09-2004, 02:00 PM
Maybe you misunderstood me; I don't want to stop people from posting solution, they can post it but not so soon...
Btw, a rot13 solution is perfect ;-)

evaluator
03-09-2004, 02:17 PM
Ya, in fact, it will be better if you PM me the solution, so more people will be interested
in solving it..

evaluator
03-09-2004, 05:24 PM
Wooh!?

4 hours have passed & yet nobody has solved it?
I feel ~8-)

Btw, ZaiRoN, this one is for all, not only for newbies.
Don Wooma...

OK, I'm going to sleep; in PM I have 16 free places.
Good luck..

ZaiRoN
03-11-2004, 07:25 AM
Well, this new puzzle is not as easy as the previous ones. A simple glance at the instructions doesn't help me find the damned byte. Maybe we can choose another way.
What about a brute-force approach? We know that, at 40106D, edx should be 401090, so we will start changing a single byte from 401018 to 401068. The scheme will be something like this:
Code:
install seh

@loop:
    change the current byte       ; the current byte will take values from 00h to FFh
    jmp @puzzlecode
@incByte:
    inc the current byte
    if the current byte has wrapped (all values 00h..FFh tried)
        jmp @nextByte
    else
        jmp @loop

@nextByte:
    restore the current byte with the original value and choose the next one (put it to 00h)
    if the address of the current byte == 401069
        byte not found...
        game over
    else
        jmp @loop

@ok:                              ; we have found the byte
    remove seh
    print the offset and the new byte
    game over...

@puzzlecode:
    xor ebx, ebx
    mov eax, 402010
    mov edi, 40107A
    lea edx, [eax+10]
@401018:
    <<< the modified code from puzzle.exe >>>
    if edx == 401090
        jmp @ok
    else
        jmp @incByte

seh_handler:
    the "safe place" will be @incByte, nothing more...

A SEH is necessary because we don't know what will happen when a single byte is changed...
These are only some ideas floating in my mind, I don't know if it's really possible to write something like that but... who cares ;-)

Later,
Zai

Harding
03-11-2004, 03:03 PM
The brute-force method did NOT work.
I wrote an OllyScript that would do that...
In the beginning it went well but after a while I (think!) hit the CALL or the JCC instructions and the whole computer went crazy.

I think using your brain would be the best solution.

/Harding

Foreigner
03-11-2004, 03:42 PM
Hello Harding,
Can you post your script? I have never tried to write an OllyScript and I would like to see an example.

foreigner

ps.Have you solved the puzzle?

evaluator
03-11-2004, 06:02 PM
Hm..

Brute force looks quite non-humanistic.

-I protest

Harding
03-11-2004, 08:09 PM
Foreigner: Well, when I realized that my 5+ hours of work had been a total waste of time, I deleted the script (since it's useless, why keep it?)
But there are some very good scripts at hxxp://ollyscript.apsvans.com

Eval: Has anyone found the solution yet? If not, can't you give us some tip?

ZaiRoN
03-12-2004, 06:01 AM
Quote:
[Originally Posted by evaluator]Hm..
Brute force looks quite non-humanistic.
-I protest

As you wish :-)

evaluator
03-12-2004, 02:26 PM
Nobody has PM-ed me yet.
Shall we call all-world reverserz?

As help I can say:
1. The tool I used - HIEW, so use it
2. There is NO garbage code inside.

Harding
03-17-2004, 07:09 AM
Ok Eval. I give up, what is the solution?


/Harding

klier
03-17-2004, 03:26 PM
Please wait...

Suggestion: put a deadline on it, like April the first.

Regards,

evaluator
03-17-2004, 05:36 PM
I posted it on http://board.anticrack.de.
Let's see.
If it's not solved there either, then I will also upload it to cracmes.de..

klier
03-18-2004, 12:05 PM
Because I cannot PM:

255h : 8D --> 71

Regards,

doug
03-18-2004, 12:33 PM
good job klier.

(& eval too)

evaluator
03-18-2004, 01:50 PM
HECK-ME!

In fact klier's unusual solution eliminated my unusual failure!
Because I coded it for a more tricky solution in another location...
I'm quite sad about my failure..
BTW! Try again to find my solution (now of course it will be easier).

Harding
03-18-2004, 02:29 PM
Klier: Great job! May I ask how you found this one?

Anyone know why I get "evaluation" when I step through the code but "registered" when I run it?

klier
03-18-2004, 04:12 PM
25Eh : 8D-->3C|70|72|75|77|78|7B|7C|7F|A8|B1

Regards,

doug
03-18-2004, 07:23 PM
Quote:
[Originally Posted by Harding]Klier: Great job! May I ask how you found this one?

Anyone know why I get "evaluation" when I step through the code but "registered" when I run it?

The patch at 255h changes the exception handler (mov [esp+4], cl), so when the icebp (int 1) at 40106C gets executed, it falls to that new exception handler (40101A) instead of the first one (40107A).

When you trace (presumably with Olly?), the exception handler won't get executed.
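
An added example (not from the thread, and not any poster's code) that shows why these are all "one byte" patches at the instruction level: a small Python decoder for the handful of 32-bit x86 opcodes named in this thread (lea/mov/xchg with ModRM and SIB, mov r32,imm32, jcc rel8, the al,imm8 forms, icebp). It re-decodes a byte string after a single byte is changed, so you can see R@dier's 50 -> 56 swapping the base register of lea edx,[eax+10] to esi, TQN's B8 -> 86 turning mov eax,imm32 into an xchg whose operands are the old immediate bytes, and the 8D/88 opcode pair that turns lea ecx,[esp+4] into the mov [esp+4],cl doug mentions. The byte strings are constructed to match those instructions, not copied from puzzle.exe, and the candidate filter at the end is a static stand-in for ZaiRoN's brute-force idea rather than an emulator.

```python
"""Static one-byte patch explorer for the 32-bit x86 opcodes discussed in this thread.

Decodes a byte string (ModRM/SIB/displacement aware) and shows how the same bytes
re-decode after one byte is changed. Sample bytes are constructed, not from puzzle.exe.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]
# ModRM opcodes: opcode -> (mnemonic, operand form); forms ending in r8 are byte ops
MODRM_OPS = {0x20: ("and", "rm8,r8"), 0x33: ("xor", "r32,rm32"),
             0x86: ("xchg", "rm8,r8"), 0x88: ("mov", "rm8,r8"),
             0x89: ("mov", "rm32,r32"), 0x8B: ("mov", "r32,rm32"),
             0x8D: ("lea", "r32,rm32")}
AL_IMM8_OPS = {0x24: "and", 0x3C: "cmp", 0xA8: "test"}  # op al, imm8


def _sdisp(v):
    return "+0x%x" % v if v >= 0 else "-0x%x" % -v


def decode_modrm(code, pos, width):
    """Decode ModRM (+SIB, +disp) at code[pos]; returns (reg field, rm text, nbytes)."""
    modrm = code[pos]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:  # register-direct form
        return reg, (REG32 if width == 32 else REG8)[rm], 1
    n, parts = 1, []
    if rm == 4:  # SIB byte follows (needed for any [esp+...] address)
        sib = code[pos + n]
        n += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if mod == 0 and base == 5:  # no base register, a disp32 instead
            parts.append("0x%x" % struct.unpack_from("<I", code, pos + n)[0])
            n += 4
        else:
            parts.append(REG32[base])
        if index != 4:  # index field 100 means "no index"
            parts.append("%s*%d" % (REG32[index], scale))
    elif mod == 0 and rm == 5:  # absolute disp32
        parts.append("0x%x" % struct.unpack_from("<I", code, pos + n)[0])
        n += 4
    else:
        parts.append(REG32[rm])
    ea = "+".join(parts)
    if mod == 1:  # disp8
        ea += _sdisp(struct.unpack_from("<b", code, pos + n)[0])
        n += 1
    elif mod == 2:  # disp32
        ea += _sdisp(struct.unpack_from("<i", code, pos + n)[0])
        n += 4
    return reg, "[%s]" % ea, n


def decode_one(code, pos):
    """Decode one instruction at code[pos]; returns (text, length). Unknown -> 'db 0xNN'."""
    op = code[pos]
    if op in MODRM_OPS:
        mnem, form = MODRM_OPS[op]
        width = 8 if form.endswith("r8") else 32
        reg, rm_text, n = decode_modrm(code, pos + 1, width)
        regname = (REG8 if width == 8 else REG32)[reg]
        a, b = (rm_text, regname) if form.startswith("rm") else (regname, rm_text)
        return "%s %s, %s" % (mnem, a, b), 1 + n
    if 0xB8 <= op <= 0xBF:  # mov r32, imm32
        return "mov %s, 0x%x" % (REG32[op - 0xB8], struct.unpack_from("<I", code, pos + 1)[0]), 5
    if 0xB0 <= op <= 0xB7:  # mov r8, imm8
        return "mov %s, 0x%x" % (REG8[op - 0xB0], code[pos + 1]), 2
    if 0x70 <= op <= 0x7F:  # jcc rel8, displacement relative to the next instruction
        return "%s short %s" % (JCC[op - 0x70], _sdisp(struct.unpack_from("<b", code, pos + 1)[0])), 2
    if op in AL_IMM8_OPS:
        return "%s al, 0x%x" % (AL_IMM8_OPS[op], code[pos + 1]), 2
    if 0x50 <= op <= 0x5F:
        return "%s %s" % ("push" if op < 0x58 else "pop", REG32[op & 7]), 1
    if op == 0xF1:  # the one-byte INT01 the thread calls icebp
        return "icebp", 1
    if op == 0xCD:
        return "int 0x%x" % code[pos + 1], 2
    if op == 0xC3:
        return "ret", 1
    return "db 0x%02x" % op, 1


def disasm(code, base=0):
    """Decode a whole buffer into a list of (address, text)."""
    out, pos = [], 0
    while pos < len(code):
        try:
            text, n = decode_one(code, pos)
        except (IndexError, struct.error):  # operand bytes run past the buffer
            text, n = "db 0x%02x" % code[pos], 1
        out.append((base + pos, text))
        pos += n
    return out


def patch_byte(code, offset, value):
    """Return a copy of code with exactly one byte changed."""
    buf = bytearray(code)
    buf[offset] = value
    return bytes(buf)


def one_byte_candidates(code, offset, base=0):
    """Static stand-in for the brute force sketched in the thread: try every other
    value at one offset and keep those whose stream still decodes without 'db' fallout."""
    found = {}
    for v in range(256):
        if v != code[offset]:
            listing = disasm(patch_byte(code, offset, v), base)
            if not any(t.startswith("db") for _, t in listing):
                found[v] = listing
    return found


if __name__ == "__main__":
    # ModRM r/m field 50 -> 56: lea edx,[eax+0x10] becomes lea edx,[esi+0x10]
    for blob in (b"\x8d\x50\x10", patch_byte(b"\x8d\x50\x10", 1, 0x56)):
        print(blob.hex(), disasm(blob))
    # same ModRM/SIB bytes, different opcode: lea ecx,[esp+4] vs mov [esp+4],cl
    for blob in (b"\x8d\x4c\x24\x04", b"\x88\x4c\x24\x04"):
        print(blob.hex(), disasm(blob))
    # B8 -> 86: the old imm32 is re-decoded as a ModRM byte plus a following instruction
    for blob in (b"\xb8\x10\x20\x40\x00", b"\x86\x10\x20\x40\x00"):
        print(blob.hex(), disasm(blob))
    print(sorted(one_byte_candidates(b"\x8d\x50\x10", 1)))
```

The decoder covers only the opcodes the thread mentions (anything else comes back as `db`), which is enough to see why a changed opcode byte re-synchronises the following bytes differently from a changed ModRM byte; for real work on the puzzle you would still confirm the candidates in a debugger, since decoding cleanly says nothing about the resulting control flow.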

evaluator
03-19-2004, 06:20 AM
klier, Congratz!

You finally solved it.
0040105E > 75h is my default.

Harding
03-19-2004, 07:35 AM
doug: OK, thanks for the explanation. So with Olly I can't let the program take care of the exception?
Usually when an exception occurs, Olly pauses and lets me choose what to do, why not now?

klier: How did you find this one?

eval: This is fun, don't you have anything more to play with?

klier
03-19-2004, 09:03 AM
Harding
>>"I think using your brain would be the best solution."
Followed your advice, and evaluator's to use HIEW.

I saw the shr dx,1 and the or dl,-080 but when I tried to change a byte to make the code do that I always jumped into oblivion or ExitProcess (me newbie, hobbyist).

Asked myself: how and where is edi used (40107A, ExitProcess) and how to change it.
And with a little luck and 'lightning-struck'... found a solution.

May not suffice as an explanation but I don't have much time right now.
Have to spread manure on the field (not mine, horsies).

Regards,

evaluator
03-19-2004, 06:04 PM
Puzzle No3

Kayaker
03-19-2004, 07:01 PM
Quote:
[Originally Posted by ]
eval: This is fun, don't you have anything more to play with?

Ah geez, he's got a hidden closet full of them!

klier
03-20-2004, 04:30 PM
evaluator, dirti means more than Registered! in the box?

Regards,

evaluator
03-20-2004, 07:01 PM
No, dirti looks..
Not an important crackme. Work on 3.
BTW, why can't you PM!? If there is some trouble, ask the moderators.

dELTA
03-20-2004, 08:30 PM
Quote:
Usually when an excepton occurs, Olly pauses and lets me choose what to do, why not now?

Yes, I'm a bit curious about this myself. Why aren't exceptions that are caused by an int1 hooked in Olly, but rather completely ignored by both Olly and the program itself when single-stepped? Normal access violation exceptions for example are caught by Olly in both single-step and "running mode" (and you then get to choose whether to pass the exception to the program or not, as usual), but in this case neither Olly nor the program sees the exception at all?! Is this maybe a well known anti-debug trick or something like that? It would be great if anyone could give a more technical explanation for this, maybe you Eval?

doug
03-20-2004, 10:16 PM
Just a wild guess here, but the opcode used isn't a typical INT1 (CD 01 I believe), but instead an "icebp" as some other disassemblers decode it.

klier
03-21-2004, 06:13 AM
If a moderator or administrator reads this: I can't PM a solution for puzzle03.

Don't know another way to ask!

Regards,

klier
03-21-2004, 06:24 AM
OK, problem solved.

Regards,

dELTA
03-21-2004, 06:53 AM
Quote:
[Originally Posted by doug]just a wild guess here, but the opcode used isn't a typical INT1 (CD 01 I believe), but instead an "icebp" as some other disassemblers decode it.

Ok, good start, but how come neither the program nor Olly sees this exception when single-stepping, but the program indeed gets it when running normally? That was the kind of technical explanation I was looking for. Eval, or someone else, enlighten us!

klier
03-21-2004, 08:29 AM
In Olly,

do a bpx int1 and you get the exception.
Shift-F9 and --> registered.

Google on icebp.


Regards,

evaluator
03-21-2004, 08:47 AM
OK, klier solved it.

**
Requested "technical explanation":
When you are "single-stepping" on the F1h opcode (or INT01 when it has R3 privilege),
debuggers eat this exception, because they themselves are waiting for their own single-step exception.
This is a common fault of debuggers, which does not happen in OUR tracerZ.

So, for an exact result, when you meet the F1h opcode (or INT01..),
do not press the F8 key on it (for SICE), but instead:
locate the SEH address, set a BPX there & close the debugger's window with CTRL-D.
Then the debugger will break & you'll be happy.

..shame(le) on you..

**
[When the not-cracked crackme runs, it does not raise an exception.]

klier
03-22-2004, 06:29 AM
Have a riddle of my own:

Which 1 (one) byte do you have to change in dirtiPuzzle to get this message from a virus scanner (if you have one):

virus alert:
'Source: D:\dirti\dirtiPUZZLE.exe
Click for more information about this virus : Bloodhound.W32.EP'

Regards,

evaluator
03-22-2004, 10:33 AM
I don't use any anti-virus;
probably it depends on each anti-virus;

evaluator
03-24-2004, 06:59 AM
Puzzle 04
Corrected, try again.

evaluator
03-24-2004, 03:12 PM
klier again solved puzzle04 in his own way. Try the other ways also.
What can I say? This puzzle sux (not well tested).

evaluator
03-24-2004, 06:37 PM
Well, klier also found other ways, including my default.
good buy

who also want be good buy!?

klier
03-24-2004, 07:50 PM
I'm choked, a buy?

evaluator
03-25-2004, 04:18 AM
boy, boy.. sorry

evaluator
03-29-2004, 04:30 AM
Easy puzzle05 on the MBox theme.

evaluator
03-29-2004, 06:45 AM
Good, ZaiRoN solved it quickly.