Crack me help

[TB10]

Hello,

Can someone help me with this crackme, a password protected Setup, written in Delphi, PEid shows me that its not packed with protector.
But it seems to me that it is a selfmodifying exe., i´ve tried to remove the password dialog window in olly, but it looks like there is only one window for all messages, just the text changes(search for text etc. dont help), you can set a breakpoint at "GetKeyState" API, and olly breaks while input Passwort in the Box.
The "Next" Button is grayed out as long you dont insert the right password.
As an Beginner this is not the usual stuff like search for text strings or nag screens, very hard !
So i need help from some good reverser, thank you !
Andy.

[CrackZ]

Looks pretty easy to me. Study sub_417524 in IDA.

Regards,

CrackZ.

[TB10]

Ok, sounds interesting, olly and IDA breaks at 417524, but how could be a code solution looks like, nop, jmp or other ?

[Kayaker]

In this case you can do a 1 byte patch, but I don't think that's the point of the crackme. You should be able to easily see your password compared in the registers (and determine the length it's looking for), and you can change the zero flag on jz/jnz calls to continue in the right direction with a mock password. Then see if you can find the 1 byte patch solution which will EnableWindow() to proceed with the installation even without a password.
Once you do that though you'll want to go back and work on the real algorithm.

[blabberer]

keygen for the crackmes first letter and proof of validity crack me first to crack the rest

Code:

:\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

[TB10]

First, thank you all !
Hm, i try to understand, at 00417588 CMP EBX,30 Olly breaks when you try to insert first key letter, but where can i find the needed length of password ?
Until now i have no luck changing the zero flags at the jumps, i got only error messages, but there must be a jump to the install window(after the password dialog) right ?

How can i use your Keygen Code !?, sorry i´m just beginning in reverse

[reverser]

People who post screenshots in jpg need to be quartered and shot.

[Aimless]

Come on, PNG lost the battle long ago...

JPG for life!!!!

Have Phun

[TB10]

Indeed, PNG ist better for screenshots, smaller file size, so next time PNG , no problem(before i get quartered here...)

[blabberer]

How can i use your Keygen Code !?, sorry i´m just beginning in reverse

yep that question is indeed beginning in reverse how about moving forward and making some efforts to tow from the front ?
did you find out what windbg is ?
what bp is in that context ?
where bp is set in the command and why ?
what does g do in windbg ?
what does gu do in windbg ?
what would eax hold when returning from a function universally ?
what is an access breakpoint ?
how does an access breakpoint work ?
does it work for both read access and write acesss ?
what other accesses can access breakpoint work for ?
what sizes does it take ?
how many access breakpoints are available ?
what does bd do ?
is there an expression evaluator in the cryptic command ?
if yes what does it evaluate ?
what is the relation if any with the first letter as posted?
do you see a display of it ?
what is displayed on the screen when you simply follow
can you emulate the same scenerio in ollydbg / gdb / ida / hopper / <your own whatever >
if yes what did you understand ?
finally what is the moral of the story ?
now when you reach here you would be able to use the keygen code without asking anyone

[niaren]

Code:

:\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

OMG what kind of encryption is that!
How did you find out that the hashed input is save at offset 26a0 so quickly. Clearly (after setting bp on getwindowtext and stepping out a couple of times) the hash it stored at address 26a0 (start address looks to be offset 269c) but how did you determine that this is the offset into some chunk of memory allocated previously in the first call to VirtualAlloc? (Sorry for the noob question)

[blabberer]

@niaren the address does not hold hashed output take a look again and for start of the hash you are off by another 4 bytes
look at crackZ hint a very superb hint there ( i just latched into it that is all)
i didnt do anything except finding out who calls the function and then latch into kayakers second hint of one byte patch

must have taken about two minutes to bypass the check without password

once you know you can bypass it without password you are then sure that one of the parameter earlier must be the key
search for the address and you find it is allocated memory
so whooooddddonit?
what is result of the act?
is the offset you saw earlier constant?
how to verify ?
once you verified what else it is looking for ? what could be the algorithm what is the length etc etc

these question should automatically pop up

[TB10]

@blabberer, if i can answer all the List, there ist really no need for any further questions !, well i know, for an expert it´s boring to answer all the stupid beginners questions over and over again, but, without questions - no learning ok, windbg is an debugger, the name says it.
This debugger code stuff is very,very hard to understand for me, just for this small crackme you get tons of code, something of abstract, and which of them is usefull or not ?, try to learning step by step(very small steps) and i read lots of tutorials but until now i found no answer for this special crackme with this intresting keystroke trapping, thats why im asking here, right now an "easy solution" bypassing the password window would be enough for me, i am not in the position to understand detailed whats going on in every line of code, sorry.
2 minutes to bypassing password check ?, oh no !!! woooow , is it really so easy ?, i´m a looser

[blabberer]

well you seem to miss the point of posting

i do not want you to answer all those question
neither do i want you to be an expert answering all those question or even pretend to undertand those question
nor i am bore to answer noobish questions

i just want you to try to understand some of those questions
i just want you to put some efforts into the TRYING part

and i am sure if you try you will find the path

yes it is sbsolutely under 2 minutes to patch a sete opcode somewhere to make this crackme work without password

[Kayaker]

Don't worry TB10, no one is mocking you or anything here. Believe me, we've all been exactly where you are at one time. Part of the learning process is to work through things on your own until the "lightbulb" goes on, one small step at a time. You learn a lot more that way, having to do little researches to understand what people or the code is saying.

One thing that will help you at this point is to learn what each of the opcode instructions DO, before trying to understand what the code DOES. i.e., learn what the words mean before trying to read the language.

For example, I mentioned specifically about changing the zero flag on JZ/JNZ calls to force the code to go in a direction you want so you can continue tracing. Then you seemed to focus on JBE/JAE jumps and complained about not being able to modify them. You need to understand what those jumps actually mean in the context of the previous comparison instructions and how register flags other than the Zero Flag (ZF) are affected, if you want to control them (not that you want to in this particular case anyway).

Similarly, blabberer gave a clue about a SETE opcode which might be important - what exactly is that and what does it do? That's something you need to know more about.


I've attached 2 files, one is the standard opcode mnemonic help file from the Masm32 install. The other, perhaps lesser known, is a small opcode instruction table program that made the rounds on the masm/win32asm forums many years ago. If you can get comfortable with what they are telling you it should help your progress. And if you want to continue to learn assembly language you should at some point devour Iczelion's tutorials, inlcuding the PE tutorials.

http://win32assembly.programminghorizon.com/tutorials.html

Good luck


btw, excellent resolution on the PNG file blabberer. Reverser was bang on! We need to enforce that somehow