
Thread: Crack me help

  1. #16
    Thanks to blabberer and kayaker! That's my intention, to learn by trying. The hard thing is to find the right point in the tons of code, so the hints for "look at xxxxxx" and the thing with the SETE are helpful; that's exactly what I'm looking for! Changing a register flag at some position, but the lot of jumps and rtn. confuse me (like a ping pong game).
    Hm, there are some SETE opcodes... hm, I suspect one of these enables the grayed out "next" button.
    I will check this.

    Thank you for the opcode map! I also found a good web page with detailed opcode descriptions.

  2. #17
    Quote Originally Posted by Kayaker View Post

    btw, excellent resolution on the PNG file blabberer. Reverser was bang on! We need to enforce that somehow

    Nooooo.....!!!! Et Tu, Brutus????

    What thus happens to my jpgs? My preciousssss.s.s......

    Have Phun
    Blame Microsoft, get l337 !!

  3. #18
    Quote Originally Posted by blabberer View Post
    @niaren the address does not hold the hashed output, take a look again, and for the start of the hash you are off by another 4 bytes
    look at crackZ's hint, a very superb hint there (I just latched onto it, that is all)
    I didn't do anything except finding out who calls the function and then latch onto kayaker's second hint of a one byte patch
    Hi blabberer
    What I meant was that in general if you take any address you see in the debugger and it's in the heap somewhere, then I'm unsure if it is straightforward to decompose it into base + offset like you did in the windbg command... the reason I'm asking is that there could be a vast number of memory allocations and deallocations in a program.

    For the setup.exe there is an alternative (and also easy) way to get to the interesting code as shown by crackz. IDA shows two references to GetWindowTextA. The one at 00408851 is most interesting. Setting a BP there (windbg will break immediately), stepping out one time (gu) and we land here

    [Attached image: idaview.png]

    Unfortunately, I have spent a couple of hours trying to work out the keygen both in assembly and in Octave. Unless I have made some bugs (which is most likely) it seems that no input string can map to the expected hash string.

  4. #19
    This script generates 3000+ valid keys

    Code:
    %00992698 17 00 00 00 50 58 31 51 47  ....PX1QG
    %009926a1 54 54 45 55 3c 53 37 3f 3c  TTEU<S7?<
    %009926aa 39 54 34 33 33 38 37 4d 33  9T43387M3
    
    % target hash bytes (hex), taken from the dump above
    hash = {'50' '58' '31' '51' '47' '54' '54' '45' '55' '3c',...
        '53' '37' '3f' '3c' '39' '54' '34' '33' '33' '38' '37' '4d' '33'};
    hash2 = hex2dec(hash);
    
    Nkeys = 0;
    L = 23;                   % key (and hash) length
    minkey = 48;              % '0': smallest input char tried
    maxkey = 90;              % 'Z': largest input char tried
    key  = minkey*ones(1,L);
    accs = zeros(1,L);        % accumulator carried into position i
    i = 1;
    M = 2^32;
    % depth-first search: position i is only extended when its hash byte matches
    while(i>0 && i<=L)
        Li = L-i;
        acc = accs(i);
        c = key(i);
        t = rem(acc*Li,M);
        acc = rem(acc + t,M) + c;
        y = rem(acc*c,M) + i;
        y = rem(y,90);
        if(y<48)
            y = y+48;
        end
        while(y<48 || y>90)   % fold values above 'Z' back into '0'..'Z'
            y = rem(y,90);
            if(y<48)
                y = y+48;
            end
        end
    
        if(y == hash2(i))
            if(i==L)
                Nkeys = Nkeys +1;
                char(key)     % print the valid key
                % advance the last position (or backtrack) to find the next key
                key(i) = c + 1;
                if(key(i) > maxkey)
                    key(i) = minkey;
                    i = i - 1;
                    if(i>0)
                        key(i) = key(i) + 1;
                    end
                end
            else
                i = i +1;     % descend, carrying the accumulator of this prefix
                accs(i) = acc;
            end
        else
            key(i) = c + 1;   % try the next char here, backtrack on overflow
            if(key(i) > maxkey)
                key(i) = minkey;
                i = i - 1;
                if(i>0)
                    key(i) = key(i) + 1;
                end
            end
        end
    end
    Nkeys
    The first key generated is: =4PC1HSMJ28A@L86M7JF:K0
    The last key generated is: OX4SGJIKLX<1=:0RU?1<H?K

    Many more keys can be generated if the range of input chars is expanded.
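    As an added example (not niaren's script and not code from the installer's author), the recurrence of the Octave script above ported to Python and generalised to any target string and character set, plus blabberer's windbg expression for the first hash byte. It assumes that recurrence really is the check the installer performs, which the thread does not settle.

```python
M = 2 ** 32  # the script reduces intermediate products mod 2^32


def step(acc, c, i, length):
    """One hash position (i is 1-based as in the Octave script); returns
    (new accumulator, output byte), acc being 0 for the first character."""
    li = length - i
    t = (acc * li) % M
    acc = (acc + t) % M + c
    y = (acc * c) % M + i
    y %= 90
    if y < 48:
        y += 48
    while y < 48 or y > 90:  # fold values above 'Z' back into '0'..'Z'
        y %= 90
        if y < 48:
            y += 48
    return acc, y


def compute_hash(key):
    """Hash a whole key; the hash is as long as the key."""
    acc, out = 0, []
    for i, ch in enumerate(key, start=1):
        acc, y = step(acc, ord(ch), i, len(key))
        out.append(chr(y))
    return "".join(out)


def keygen(target, charset):
    """Depth-first search for every key over charset hashing to target.
    As in the script, a prefix is only extended when its last byte matches."""
    want = [ord(ch) for ch in target]
    n = len(want)

    def extend(i, acc, prefix):
        for ch in charset:
            new_acc, y = step(acc, ord(ch), i, n)
            if y != want[i - 1]:
                continue
            if i == n:
                yield prefix + ch
            else:
                yield from extend(i + 1, new_acc, prefix + ch)

    return list(extend(1, 0, ""))


def windbg_first_char(c):
    """blabberer's ? ('V'*'V'+1)%'Z'+30 for input byte c (windbg's default
    radix is hex, so the literal 30 is 0x30 and 'Z' is 90)."""
    return (c * c + 1) % ord("Z") + 0x30
```

    For a single-character target the search reduces to the first-position filter, which is why only a handful of first characters ('=', 'C', 'M', 'O' in the '0'..'Z' range) can ever open a valid key.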

  5. #20
    Hi blabberer,

    Code:
    :\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
    db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

    Code:
    bp KERNEL32!VirtualAlloc;g;
    Set BP on that function and let the debugger run. Somehow you found out that the first call to this function allocates the memory (for program instance or some other large object) that contains the target hash string. We need to save the address returned here in order to set BP on the VA of some byte in the target hash string.

    Code:
    gu;
    Let VirtualAlloc return, eax holds the base address of the allocated memory.

    Code:
    bc *;
    Clear all BPs, we need no further breaks on VirtualAlloc.

    Code:
    r $t1= @eax+26a0;
    Store the VA of some byte in the target hash string into the pseudo register $t1. We need to store this address because it is used to set a BP.

    Code:
    ba w1 @$t1;g;
    Set a BP which will stop the debugger when the byte at the address in register $t1 is written to. I don't know why but it seems that windbg also accepts this command "ba w1 $t1" without the @ in front of $t1. Also windbg will break at exactly the same place if the BP is written "ba w4 @$t1;" with dword access. Then make the debugger run. The debugger will break at address 403cc8 inside some LStrSetLength function. Eax holds the start address of the target hash string which is offset 269c. offset 26a0 is thus the 4th byte of the string.

    Code:
    db @eax
    Dump the memory (byte-wise) starting at offset 269c. It will show the first 3 characters of the target hash string.

    Code:
    bc *;
    Clear all BPs again.

    Code:
    ba r1 @$t1-8;g;g;
    Set a BP which will stop the debugger when the byte at offset 2698h is read. The length of the target hash string is stored in this dword. I guess the idea of setting a read BP here is that when the program is going to compare the target hash string to the input hash string this BP is hit. Then make the debugger run. First time the debugger stops it is at address 403928 inside some LStrCat function. Second time the debugger stops it is at address 403cc4 inside the LStrSetLength function.

    Code:
    bd *;
    Disable all BPs.

    Code:
    db esi
    esi does not contain a valid address at this moment so this command will show a bunch of question marks. Pressing g one or two additional times esi contains a valid address near the target hash string and a part of the target hash string is shown in the memory dump.

    Code:
    ? ('V'*'V'+1)%'Z'+30
    Clearly you know how the program computes the hash from the input. The command ? means that windbg is running the command in 'calculator mode' instead of in 'command mode'. If the first char in the input is 'V' this expression gives the first char in the hash string. However, 'V' is not an acceptable first char in the input in my setup. Could it be that the crackme expects different keys when run on different machines?

  6. #21
    Could it be that the crackme expects different keys when run on different machines?
    Definitely not, the password is always the same, no matter on what computer system the crackme runs; that's one of the few things I know about, and it is built with "Smart Install Maker", I found out.

  7. #22
    I concur entirely with niaren. An interesting exercise might be to narrow the range of valid input chars to just the alphanumeric set; a look through the valid results might uncover the author's actual password as opposed to those that work ;-).

  8. #23
    Keygenning in Matlab niaren? That's different

  9. #24
    Quote Originally Posted by TB10 View Post
    Definitely not, the password is always the same, no matter on what computer system the crackme runs; that's one of the few things I know about, and it is built with "Smart Install Maker", I found out.
    It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF. Maybe you can check if you read the same string at that address in your setup.exe

    [Attached image: tarhash.png]

    By the way, is it possible that you can reveal where you got the crackme from?

  10. #25
    Quote Originally Posted by Kayaker View Post
    Keygenning in Matlab niaren? That's different
    Hi Kayaker, I almost fell off my chair laughing when I saw your comment. I'm a little embarrassed about the Matlab thing but I hoped that nobody would recognize Matlab. To a hammer everything looks like......
    From blabberers post I learned about the ? command. That is very interesting. Because I also saw that it supports loops. Then maybe it is possible to keygen in windbg

  11. #26
    Quote Originally Posted by CrackZ View Post
    I concur entirely with niaren. An interesting exercise might be to narrow the range of valid input chars to just the alphanumeric set; a look through the valid results might uncover the authors actual password as opposed to those that work ;-).
    Hi CrackZ, I did try that but have not found anything obvious. Constraining the valid input chars to the alphanumeric set including lower and upper letters ([0-9A-Za-z]) the keygen generates more than 7.000.000 possible keygens.
    Considering only lower letters ([a-z]) the keygen produces 6 possible keys
    whdklposvbnaazjdqscrzua
    whdklposvbnaazjdqscrzui
    whdklposvbnaazjdqscrzup
    whdklposvbnaaztrwwttzua
    whdklposvbnaaztrwwttzui
    whdklposvbnaaztrwwttzup
    Considering only upper letters or upper letters in combination with digits the keygen is not able to generate any valid keys. Dunno what else to try..

  12. #27
    It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF
    Bingo! That's the ENCRYPTED password! Sorry, unfortunately I do not remember exactly the address where I got this crackme, buuuut I simply tried the tool with which it was created, the "Smart Install Maker", a nice program to create installers. So I built one exe with my own password to look at the same position in a hex editor, and found that it really shows the encrypted password (just tried to change the LENGTH of it to compare). So, next step, I simply copied the password of my own exe into the crackme (replacing the original), the length MUST be equal in the hex editor, and tried my luck, and it works fine!
    Ok, that's indeed not a really smart reverser solution, but easy for a newbie, and a good learning step. But it interests me how the encryption works, and is there a way to decrypt that thing in ollydbg (or other)? It seems that the encryption algorithm is not randomized; that means, for example, 123 always results in the same encrypted letters, but it depends on the whole combination of the password, not on single letters.
    The keygen stuff sounds interesting, but how can that work on custom (not generated) passwords?

    I've created the screenshot as PNG but the upload manager changed it to (bad) JPEG; only an external filehoster for PNG?

  13. #28
    @niaren
    nice to see you crack the windbg encryption
    you use @ in windbg when playing with registers or pseudo registers to eliminate symbol resolving time
    windbg interprets @ecx as pointing to register ECX, not to some symbol named ecx. Many a time you can get away with $t1, but once in a while it will bite you and start loading an infinite number of symbols and download an infinite number of pdbs, and then will print out "error symbol ecx not resolved".
    iirc this behaviour is documented I think, but I made it a habit to do poi(@ecx) poi(@esp+4) instead of poi(eax)

    yes you can keygen in windbg

    as to resolving to base+offset yes it should hold true if you break and trap the return

    just let loose L= 23 in your script

    for starters this password
    Code:
     CX2g!F%q9&gf6R1D11ssdr4442222222226
    should get you the first 8 of the hash constantly


    EAX 009B40F4 ASCII "PX1QGTTEO>:0ERPZHY7C36UVI<3L3R;>YN="
    ECX 00000000
    EDX 009926A8 ASCII "PX1QGTTEU<S7?<9T43387M3"

  14. #29
    Quote Originally Posted by TB10 View Post
    I've created the screenshot as PNG but the upload manager changed it to (bad) JPEG; only an external filehoster for PNG?
    That's fine, vBulletin automatically converts PNG to JPG if it's over a certain size (currently set at 1024x768).

    Preciousssss is safe from the sneaky little hobbitses...

  15. #30
    @niaren there is a typo: the address should be 26b0 and not 26A0

    when you run the command, windbg should print the first 8 letters of the hardcoded hash and continue till you input a letter in the edit box
    when you enter a letter it should dump the result as well as the answer for the expression
    'V' is just a letter; if you input C in the edit box windbg should show you the dump and answer like below, corresponding to the first letter


    Code:
    Processing initial command 'bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g'0:000> bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g
    Breakpoint 0 hit  < valloc break
    Breakpoint 0 hit  < ba w1 break
    009926a8  50 58 31 51 47 54 54 00-00 00 00 00 00 00 00 00  PX1QGTT.........
    009926b8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009926c8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009926d8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009926e8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009926f8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00992708  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00992718  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    Breakpoint 0 hit <------ ba r1 break and continue with g to start running the crackme;
    Breakpoint 0 hit <------ ba r1 second break when you input a charecter in edit box
    009b40c4  50 00 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00  P.....A...A.4?..
    009b40d4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009b40e4  00 00 00 00 00 00 00 00-00 00 00 00 20 9e 40 00  ............ .@.
    009b40f4  00 00 00 00 00 00 00 00-00 00 00 00 00 80 01 00  ................
    009b4104  00 01 00 00 00 00 00 00-00 00 ff ff ff ff 00 00  ................
    009b4114  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    009b4124  00 00 00 00 00 00 00 00-00 00 00 00 f8 b5 41 00  ..............A.
    009b4134  f8 b5 41 00 cc 3e 00 00-30 00 00 00 01 00 01 00  ..A..>..0.......
    Evaluate expression: 128 = 00000080

    if you want to test the generation and try your hand at bruteforcing till you can keygen

    put this in a txt file and run windbg like this
    Code:
    windbg -c "$$>a< setuppw.txt" Setup.exe
    here are the commands

    Code:
    bp /1 KERNEL32!VirtualAlloc;
    g;
    gu;
    r $t1= @eax+26b0;
    ba w1 /1 @$t1;
    g;
    r $t2 = @eax;
    db @$t2;
    ba r1 @$t1-8;
    g;
    g;
    bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";
    g;
    Last edited by blabberer; December 30th, 2013 at 01:08.
