
Thread: Crack me help


  1. #1

    Crack me help

    Hello,

    Can someone help me with this crackme, a password-protected setup written in Delphi? PEiD shows me that it's not packed with a protector.
    But it seems to me that it is a self-modifying exe. I've tried to remove the password dialog window in Olly, but it looks like there is only one window for all messages, just the text changes (searching for text etc. doesn't help). You can set a breakpoint on the "GetKeyState" API, and Olly breaks while inputting the password in the box.
    The "Next" button is grayed out as long as you don't insert the right password.
    As a beginner this is not the usual stuff like searching for text strings or nag screens, very hard!
    So I need help from some good reverser, thank you!
    Andy.

  2. #2
    Looks pretty easy to me. Study sub_417524 in IDA.

    Regards,

    CrackZ.

  3. #3
    OK, sounds interesting. Olly and IDA break at 417524, but what could a code solution look like, nop, jmp or other?
    [attached image: IDA_01.jpg]

  4. #4
    Kayaker
    In this case you can do a 1 byte patch, but I don't think that's the point of the crackme. You should be able to easily see your password compared in the registers (and determine the length it's looking for), and you can change the zero flag on jz/jnz calls to continue in the right direction with a mock password. Then see if you can find the 1 byte patch solution which will EnableWindow() to proceed with the installation even without a password.
    Once you do that though you'll want to go back and work on the real algorithm.

  5. #5
    blabberer (Super Moderator)
    Keygen for the crackme's first letter and proof of validity; crack me first to crack the rest.
    Code:
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

  6. #6
    First, thank you all !
    Hm, I try to understand: at 00417588 CMP EBX,30 Olly breaks when you try to insert the first key letter, but where can I find the needed length of the password?
    Until now I have had no luck changing the zero flags at the jumps, I got only error messages, but there must be a jump to the install window (after the password dialog), right?

    How can I use your keygen code!? Sorry, I'm just beginning in reversing.

    [attached image: Olly_01.jpg]

  7. #7
    Quote Originally Posted by blabberer View Post
    Code:
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe
    OMG what kind of encryption is that!
    How did you find out that the hashed input is saved at offset 26a0 so quickly? Clearly (after setting a bp on GetWindowText and stepping out a couple of times) the hash is stored at address 26a0 (the start address looks to be offset 269c), but how did you determine that this is the offset into some chunk of memory allocated previously in the first call to VirtualAlloc? (Sorry for the noob question)

  8. #8
    Hi blabberer,

    Code:
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

    Code:
    bp KERNEL32!VirtualAlloc;g;
    Set a BP on that function and let the debugger run. Somehow you found out that the first call to this function allocates the memory (for the program instance or some other large object) that contains the target hash string. We need to save the address returned here in order to set a BP on the VA of some byte in the target hash string.

    Code:
    gu;
    Let VirtualAlloc return, eax holds the base address of the allocated memory.

    Code:
    bc *;
    Clear all BPs, we need no further breaks on VirtualAlloc.

    Code:
    r $t1= @eax+26a0;
    Store the VA of some byte in the target hash string into the pseudo-register $t1. We need to store this address because it is used to set a BP.

    Code:
    ba w1 @$t1;g;
    Set a BP which will stop the debugger when the byte at the address in register $t1 is written to. I don't know why, but it seems that windbg also accepts this command as "ba w1 $t1" without the @ in front of $t1. Also, windbg will break at exactly the same place if the BP is written as "ba w4 @$t1;" with dword access. Then make the debugger run. The debugger will break at address 403cc8 inside some LStrSetLength function. Eax holds the start address of the target hash string, which is offset 269c. Offset 26a0 is thus the 4th byte of the string.

    Code:
    db @eax
    Dump the memory (byte-wise) starting at offset 269c. It will show the first 3 characters of the target hash string.

    Code:
    bc *;
    Clear all BPs again.

    Code:
    ba r1 @$t1-8;g;g;
    Set a BP which will stop the debugger when the byte at offset 2698h is read. The length of the target hash string is stored in this dword. I guess the idea of setting a read BP here is that when the program is going to compare the target hash string to the input hash string, this BP is hit. Then make the debugger run. The first time the debugger stops it is at address 403928 inside some LStrCat function. The second time the debugger stops it is at address 403cc4 inside the LStrSetLength function.

    Code:
    bd *;
    Disable all BPs.

    Code:
    db esi
    esi does not contain a valid address at this moment, so this command will show a bunch of question marks. Pressing g one or two additional times, esi contains a valid address near the target hash string and a part of the target hash string is shown in the memory dump.

    Code:
    ? ('V'*'V'+1)%'Z'+30
    Clearly you know how the program computes the hash from the input. The command ? means that windbg is running the command in 'calculator mode' instead of 'command mode'. If the first char of the input is 'V', this expression gives the first char in the hash string. However, 'V' is not an acceptable first char in the input in my setup. Could it be that the crackme expects different keys when run on different machines?
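An added example, not code posted by anyone in this thread: the WinDbg expression `? ('V'*'V'+1)%'Z'+30` from post #5 rewritten in Python and then inverted, so that for any hash character you get the list of printable first letters that produce it (a first-letter keygen, as post #5 describes it). Two assumptions are made here because the thread does not state them: WinDbg's default MASM radix is hex, so the literal `30` is 0x30 (the character '0'), and a quoted character in a WinDbg expression evaluates to its ASCII code. The expression only covers the first character of the password; the thread does not show how the remaining characters are hashed, so nothing below claims to be the full algorithm.

```python
# Added example (not from the thread): the first-letter keygen expression
#     ? ('V'*'V'+1)%'Z'+30
# from post #5, reproduced in Python and inverted by brute force.
#
# Assumptions (not stated on the page):
#  - WinDbg's default radix is hex, so "30" means 0x30, i.e. the character '0'.
#  - 'V' and 'Z' in the expression are their ASCII codes (0x56 and 0x5A).
#  - Only the FIRST password character is covered; the rest of the hash is unknown.
import string

ZERO = 0x30          # the "30" in the WinDbg expression, read as hex
MODULUS = ord('Z')   # 0x5A = 90, the 'Z' in the expression

# Candidate first letters: all printable ASCII except whitespace (constructed alphabet).
ALPHABET = string.printable.strip()


def first_hash_char(c: str) -> str:
    """Return the hash character the crackme derives from first input char `c`.

    Mirrors (c*c + 1) % 'Z' + 0x30 exactly as WinDbg evaluates it.
    """
    v = ord(c)
    return chr((v * v + 1) % MODULUS + ZERO)


def keygen_first_letter(target: str, alphabet: str = ALPHABET) -> list:
    """Brute-force every printable first letter whose hash char equals `target`.

    The map is a quadratic reduced mod 90, so it is not injective: several
    first letters collide on the same hash character. Any element of the
    returned list is a valid first letter for a password whose stored hash
    starts with `target`; an empty list means no printable letter reaches it.
    """
    return [c for c in alphabet if first_hash_char(c) == target]


def hash_table(alphabet: str = ALPHABET) -> dict:
    """Map each reachable hash character to the list of first letters producing it."""
    table = {}
    for c in alphabet:
        table.setdefault(first_hash_char(c), []).append(c)
    return table


if __name__ == "__main__":
    # 'V': (0x56*0x56 + 1) % 0x5A + 0x30 = (7397 % 90) + 48 = 17 + 48 = 65 = 'A'
    print("first_hash_char('V') =", first_hash_char('V'))
    print("first letters hashing to 'A':", keygen_first_letter('A'))
    for h, letters in sorted(hash_table().items()):
        print(repr(h), "<-", "".join(letters))
```

Because the modulus is 90 and the offset 0x30 is added afterwards, some hash characters fall outside printable ASCII (values up to 0x30 + 89); when you dump the target string with `db` in WinDbg and see bytes above 0x7E, that is expected rather than a sign you broke at the wrong place.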
