
Thread: Lesson #2.... Lets Rock!

  1. #1
    Rage9
    Guest

    Lesson #2.... Lets Rock!

    You guys asked for it. Lesson 2 is ready; this one is a bit harder than the last. Feel free to work together and/or form teams or something... If you're not really familiar with the Windows API you had better download the help file http://www.win32asm.com/files/win32api.zip . There are three things to do in this crackme, so if you need a hint or are having lots of trouble, post or e-mail me, ok? Rock on and remember to have fun!

    http://www16.brinkster.com/realcool23/download/rage2.zip

    -Brad
    realcool23@yahoo.com
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    CoDe_InSiDe
    Guest
    Hi Rage9,

    Hmm... Keygen ?? ;D (Hint)

    Let the Reversing begin
    I'll be back...

    Cya...

    CoDe_InSiDe

  3. #3
    CoDe_InSiDe
    Guest
    Hi Rage9,

    Ok, done
    Let's wait for the other people first since I'm the only one posting yet ;D

    Cya...

    CoDe_InSiDe

  4. #4
    sludge
    Guest
    Ooo, I'll give it a shot, I could use the practice.

  5. #5
    C_DKnight
    Guest
    OK, I'm bored so I'm in. Mebbe c ya later

    -cdk

  6. #6
    Muad'Dib
    Guest
    I, too, have finished this one. Let's hope there are harder challenges to come =) A question: was the keygen part a mistake in coding or a trick? (hint) Keep 'em coming.

  7. #7
    AirW0lf
    Guest
    Yo all! rage9, nice crackme =] I've destroyed the nag and added the messagebox when entering a wrong serial. But it looks to me like the crackme has a bug, or 'feature'. I always get the same serial, no matter what the name or the machine is. Is that right? It's very late here, I might be wrong...

    AirW0lf
    ---

  8. #8
    THeHeRmiT
    Guest
    Hey people! I'm glad you confirmed that there was only one serial, as I thought there might have been some little trick, seeing as the name went through a little process beforehand.
    I did the messagebox part as well, BUT I am ashamed to say that the nag screen has got me! I've been trying but keep failing.
    Please someone give me some clue...

  9. #9
    C_DKnight
    Guest
    Yea ok. I've worked all the parts and, as Muad said, it was a bit too easy, but I'm not complaining: it was the first time in over a month+ that got me to touch SoftICE again ;-) And yeah, it seems like it's a hard-coded serial, maybe a bit "lame" but probably because it was easier (?) to have the msgbox show it.

    And as a hint to TheHermit, I've no idea what way Muad and AirWolf went, but I messed around with the DialogBoxParam call(s). Hopefully hinting to bp on SetTimer/KillTimer doesn't ruin anyone's attempts too much, but it is a way I used anyway.

    Any questions? My email is included..

    -cdk

  10. #10
    AirW0lf
    Guest
    First of all, thanks Muad for all your help, that live tutorial rox =] I'm adding some code to the crackme to fix the bug... I'll show it to you guys as soon as I finish it.

    Second, C_DKnight, it's not a hard-coded serial... check it out. This is how I've cracked the splash:

    00401000 public start
    00401000 start proc near
    00401000 push 0
    00401002 call j_GetModuleHandleA
    00401007 mov dword_403074, eax
    0040100C push 0
    0040100E push offset sub_401165 ; That's the DlgProc (Kayaker explains it in this same forum, another thread)
    00401013 push 0
    00401015 push offset aSplash ; "SPLASH"

    then

    00401165 push ebp
    00401166 mov ebp, esp
    00401168 cmp [ebp+arg_4], 110h
    0040116F jnz short loc_401197 ; We don't want to go here, we want to jump over this code to 40119D
    00401171 push 0
    00401173 push 3E8h
    00401178 push 3F3h
    0040117D push [ebp+arg_0]
    00401180 call j_SetTimer

    ---
    00401197 cmp [ebp+arg_4], 10h
    0040119B jnz short loc_4011C2
    0040119D push 0

    Why 40119D and not 401197? Because 401197 is handling the WM_CLOSE event, and as [ebp+arg_4] is NOT 10h, it's 110h, it would jump out of the code we want. So I changed two bytes at 00401171 push 00 (6A00) to jmp 40119D (EB2A)
    and it works =]
    btw, check the EB2A, I'm almost sure that's the opcode

    AirW0lf
    ---
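
Added example, not code from the thread or the crackme: a small C helper that computes the rel8 byte of an x86 short jump (EB rel8, relative to the end of the 2-byte instruction) so the EB2A in AirW0lf's patch can be checked, along with the fact that the 2-byte jmp fits exactly over the 2-byte push 0 it replaces.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode an x86 short jump (EB rel8) located at `at` that lands on `target`.
 * rel8 is taken from the end of the instruction, i.e. from at + 2.
 * Returns 1 and fills out[2] on success, 0 when target is outside rel8 range. */
int encode_short_jmp(uint32_t at, uint32_t target, uint8_t out[2]) {
    int32_t rel = (int32_t)(target - (at + 2));   /* wraps correctly for backward jumps */
    if (rel < -128 || rel > 127)
        return 0;
    out[0] = 0xEB;
    out[1] = (uint8_t)rel;
    return 1;
}

/* Convenience wrapper: the rel8 byte as 0..255, or -1 if the target is out of range. */
int short_jmp_rel8(uint32_t at, uint32_t target) {
    uint8_t b[2];
    return encode_short_jmp(at, target, b) ? b[1] : -1;
}

int main(void) {
    uint8_t b[2];
    /* AirW0lf's patch: "push 0" (6A 00, 2 bytes) at 00401171 becomes "jmp 0040119D",
     * also 2 bytes, so nothing after it needs to move. Expected: EB 2A. */
    if (encode_short_jmp(0x401171, 0x40119D, b))
        printf("patch at 00401171: %02X %02X\n", b[0], b[1]);
    return 0;
}
```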

  11. #11
    Muad'Dib
    Guest
    Now that a few people have solved this crackme, I'll explain WHY it is always the same serial. Rather than spoiling it for everyone who wants to solve it themselves, you can see the attached file (it also explains an effective way to patch the nag).

  12. #12
    Rage9
    Guest
    Good job guys! Yeah, it was actually intended to see how many people I could fool with a fake serial routine! It just kinda happened and then I decided to pass it to you guys and not fix it.... but Muad'Dib didn't really explain why it was like that... he just said.."Aha! Rather than returning the serial that was generated, it rather returns the POINTER to the serial that was generated." Actually..... NO! After sifting through the code I found that it was all in the call to the API SetDlgItemInt! With the one you guys have, the original assembly line looked like:

    invoke SetDlgItemInt,hWnd,IDC_PASS, addr checker,FALSE

    but upon changing it to

    invoke SetDlgItemInt,hWnd,IDC_PASS, checker,FALSE

    the proc indeed returns a value that can be used! See, I was passing the address of the address of the variable checker! That's why; otherwise she seems to work darn good!

    But I do agree with Muad'Dib's way of solving the nag screen, it is the easiest way I see! I'm still going to write the essay cuz I have been e-mailed requesting it... peace out!

    -Brad
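
Added example, not Rage9's code: C stand-ins for SetDlgItemInt and for the crackme's serial routine (make_checker is constructed here; the real routine is not on the page), showing why the `addr checker` invoke makes every name display the same "serial" while the `checker` invoke shows the computed value. It assumes the variable's address does not change between runs, as on the Windows of that era.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Win32 SetDlgItemInt(hDlg, id, uValue, bSigned): the real API turns
 * uValue into decimal text in the control; this one writes the text into `out`. */
void set_dlg_item_int(char *out, size_t outsz, unsigned value, int is_signed) {
    if (is_signed)
        snprintf(out, outsz, "%d", (int)value);
    else
        snprintf(out, outsz, "%u", value);
}

/* Constructed stand-in for the crackme's name-to-serial routine. */
unsigned make_checker(const char *name) {
    unsigned h = 0x1234;
    for (; *name; name++)
        h = h * 31 + (unsigned char)*name;
    return h;
}

static unsigned checker;   /* global, like the MASM `checker` variable */

/* Buggy: "invoke SetDlgItemInt,hWnd,IDC_PASS, addr checker,FALSE" pushes the
 * address of checker, so the control shows that address, whatever the name. */
void show_serial_buggy(char *out, size_t outsz, const char *name) {
    checker = make_checker(name);
    set_dlg_item_int(out, outsz, (unsigned)(uintptr_t)&checker, 0);
}

/* Fixed: "invoke SetDlgItemInt,hWnd,IDC_PASS, checker,FALSE" pushes the value. */
void show_serial_fixed(char *out, size_t outsz, const char *name) {
    checker = make_checker(name);
    set_dlg_item_int(out, outsz, checker, 0);
}

int main(void) {
    char buggy[32], fixed[32];
    show_serial_buggy(buggy, sizeof buggy, "Alice");
    show_serial_fixed(fixed, sizeof fixed, "Alice");
    printf("buggy: %s   fixed: %s\n", buggy, fixed);
    return 0;
}
```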

  13. #13
    Muad'Dib
    Guest
    Exactly what I was saying, it returns the pointer to (the address) of the variable rather than the contents of the variable.

  14. #14
    Rage9
    Guest
    Sorry, my bad, you put it right after the serial generation code, so I assumed that you were saying the generation code returned the pointer, sorry!

    -brad

  15. #15
    Rage9
    Guest
    For those who want to read an essay......


    -Brad