Page 1 of 3 123 LastLast
Results 1 to 15 of 40

Thread: Crack me help

  1. #1

    Crack me help


    Can someone help me with this crackme, a password protected Setup, written in Delphi, PEid shows me that its not packed with protector.
    But it seems to me that it is a selfmodifying exe., ive tried to remove the password dialog window in olly, but it looks like there is only one window for all messages, just the text changes(search for text etc. dont help), you can set a breakpoint at "GetKeyState" API, and olly breaks while input Passwort in the Box.
    The "Next" Button is grayed out as long you dont insert the right password.
    As an Beginner this is not the usual stuff like search for text strings or nag screens, very hard !
    So i need help from some good reverser, thank you !
    Attached Files Attached Files

  2. #2
    Looks pretty easy to me. Study sub_417524 in IDA.



  3. #3
    Ok, sounds interesting, olly and IDA breaks at 417524, but how could be a code solution looks like, nop, jmp or other ?Name:  IDA_01.jpg
Views: 524
Size:  36.9 KB

  4. #4
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Blog Entries
    In this case you can do a 1 byte patch, but I don't think that's the point of the crackme. You should be able to easily see your password compared in the registers (and determine the length it's looking for), and you can change the zero flag on jz/jnz calls to continue in the right direction with a mock password. Then see if you can find the 1 byte patch solution which will EnableWindow() to proceed with the installation even without a password.
    Once you do that though you'll want to go back and work on the real algorithm.

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    keygen for the crackmes first letter and proof of validity crack me first to crack the rest
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

  6. #6
    First, thank you all !
    Hm, i try to understand, at 00417588 CMP EBX,30 Olly breaks when you try to insert first key letter, but where can i find the needed length of password ?
    Until now i have no luck changing the zero flags at the jumps, i got only error messages, but there must be a jump to the install window(after the password dialog) right ?

    How can i use your Keygen Code !?, sorry im just beginning in reverse

    Name:  Olly_01.jpg
Views: 487
Size:  46.6 KB

  7. #7
    People who post screenshots in jpg need to be quartered and shot.
    Name:  jpg_vs_png.png
Views: 471
Size:  23.2 KB

  8. #8
    Come on, PNG lost the battle long ago...

    JPG for life!!!!

    Have Phun
    Blame Microsoft, get l337 !!

  9. #9
    Indeed, PNG ist better for screenshots, smaller file size, so next time PNG , no problem(before i get quartered here...)

  10. #10
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    How can i use your Keygen Code !?, sorry im just beginning in reverse

    yep that question is indeed beginning in reverse how about moving forward and making some efforts to tow from the front ?
    did you find out what windbg is ?
    what bp is in that context ?
    where bp is set in the command and why ?
    what does g do in windbg ?
    what does gu do in windbg ?
    what would eax hold when returning from a function universally ?
    what is an access breakpoint ?
    how does an access breakpoint work ?
    does it work for both read access and write acesss ?
    what other accesses can access breakpoint work for ?
    what sizes does it take ?
    how many access breakpoints are available ?
    what does bd do ?
    is there an expression evaluator in the cryptic command ?
    if yes what does it evaluate ?
    what is the relation if any with the first letter as posted?
    do you see a display of it ?
    what is displayed on the screen when you simply follow
    can you emulate the same scenerio in ollydbg / gdb / ida / hopper / <your own whatever >
    if yes what did you understand ?
    finally what is the moral of the story ?
    now when you reach here you would be able to use the keygen code without asking anyone

  11. #11
    Quote Originally Posted by blabberer View Post
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe
    OMG what kind of encryption is that!
    How did you find out that the hashed input is save at offset 26a0 so quickly. Clearly (after setting bp on getwindowtext and stepping out a couple of times) the hash it stored at address 26a0 (start address looks to be offset 269c) but how did you determine that this is the offset into some chunk of memory allocated previously in the first call to VirtualAlloc? (Sorry for the noob question)

  12. #12
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    @niaren the address does not hold hashed output take a look again and for start of the hash you are off by another 4 bytes
    look at crackZ hint a very superb hint there ( i just latched into it that is all)
    i didnt do anything except finding out who calls the function and then latch into kayakers second hint of one byte patch

    must have taken about two minutes to bypass the check without password

    once you know you can bypass it without password you are then sure that one of the parameter earlier must be the key
    search for the address and you find it is allocated memory
    so whooooddddonit?
    what is result of the act?
    is the offset you saw earlier constant?
    how to verify ?
    once you verified what else it is looking for ? what could be the algorithm what is the length etc etc

    these question should automatically pop up

  13. #13
    @blabberer, if i can answer all the List, there ist really no need for any further questions !, well i know, for an expert its boring to answer all the stupid beginners questions over and over again, but, without questions - no learning ok, windbg is an debugger, the name says it.
    This debugger code stuff is very,very hard to understand for me, just for this small crackme you get tons of code, something of abstract, and which of them is usefull or not ?, try to learning step by step(very small steps) and i read lots of tutorials but until now i found no answer for this special crackme with this intresting keystroke trapping, thats why im asking here, right now an "easy solution" bypassing the password window would be enough for me, i am not in the position to understand detailed whats going on in every line of code, sorry.
    2 minutes to bypassing password check ?, oh no !!! woooow , is it really so easy ?, im a looser

  14. #14
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    well you seem to miss the point of posting

    i do not want you to answer all those question
    neither do i want you to be an expert answering all those question or even pretend to undertand those question
    nor i am bore to answer noobish questions

    i just want you to try to understand some of those questions
    i just want you to put some efforts into the TRYING part

    and i am sure if you try you will find the path

    yes it is sbsolutely under 2 minutes to patch a sete opcode somewhere to make this crackme work without password
    Attached Images Attached Images  

  15. #15
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Blog Entries
    Don't worry TB10, no one is mocking you or anything here. Believe me, we've all been exactly where you are at one time. Part of the learning process is to work through things on your own until the "lightbulb" goes on, one small step at a time. You learn a lot more that way, having to do little researches to understand what people or the code is saying.

    One thing that will help you at this point is to learn what each of the opcode instructions DO, before trying to understand what the code DOES. i.e., learn what the words mean before trying to read the language.

    For example, I mentioned specifically about changing the zero flag on JZ/JNZ calls to force the code to go in a direction you want so you can continue tracing. Then you seemed to focus on JBE/JAE jumps and complained about not being able to modify them. You need to understand what those jumps actually mean in the context of the previous comparison instructions and how register flags other than the Zero Flag (ZF) are affected, if you want to control them (not that you want to in this particular case anyway).

    Similarly, blabberer gave a clue about a SETE opcode which might be important - what exactly is that and what does it do? That's something you need to know more about.

    I've attached 2 files, one is the standard opcode mnemonic help file from the Masm32 install. The other, perhaps lesser known, is a small opcode instruction table program that made the rounds on the masm/win32asm forums many years ago. If you can get comfortable with what they are telling you it should help your progress. And if you want to continue to learn assembly language you should at some point devour Iczelion's tutorials, inlcuding the PE tutorials.

    Good luck

    btw, excellent resolution on the PNG file blabberer. Reverser was bang on! We need to enforce that somehow
    Attached Images Attached Images  
    Attached Files Attached Files

Similar Threads

  1. bengaly Crack me
    By wunder in forum The Newbie Forum
    Replies: 15
    Last Post: December 19th, 2010, 23:12
  2. Crack Request
    By Thats Me in forum The Newbie Forum
    Replies: 11
    Last Post: April 1st, 2010, 21:19
  3. Crack for $
    By mike in forum Off Topic
    Replies: 1
    Last Post: October 7th, 2003, 23:32
  4. Serial Crack
    By wonderwoman in forum Malware Analysis and Unpacking Forum
    Replies: 16
    Last Post: November 1st, 2001, 11:36
  5. Lingoware 3 Crack
    By Andhy in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: August 22nd, 2001, 20:03


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts