Thread: Who will help the commander of the ESS Stargoose?

  1. #1
    mythical
    Guest

    getkeynametexta????????

    I am currently working on a crackme and I have to find the HOTKEY in order to "crack it".

    My question is: what does getkeynametexta do? And is this a good starting point?

    btw....I'm a newbie
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    ZaiRoN
    Red wine, not vodka!
    Join Date: Oct 2001
    Location: Italy
    Posts: 922
    Blog Entries: 17
    Hi,

    getkeynametext: I have never used this function before, but I have read in the documentation that it is used to retrieve a string that represents the name of the key.
    Maybe it's not the function you need in order to solve your crackme. You would have to try to identify when and where the crackme defines the key; RegisterHotKey may be a good starting point because it defines a hotkey.

    Can you attach the crackme? It may be the best way to help you :-)

    Ciao,
    ZaiRoN

  3. #3
    mythical
    Guest

    Thanks for the help, here is the target file. I would like to get started in the right direction. I could not attach the .nfo files because it said the file was then too big to be posted; the current file size is 159kb.

  4. #4
    ZaiRoN
    Hi,

    I moved the thread, now, another mini project can begin :-).
    It seems to be a very unusual crackme :-)
    "I could not attach the .nfo files"
    Can you post the rules and/or what we have to do in order to solve the crackme?

    Thx,
    ZaiRoN

  5. #5
    mythical
    Guest
    This is all that was included in the crackme. It's a text file; I left the nfo out because all it is is a text pic of his name "Marchare". Anyway, here is the story and rules.


    MarchHaRe's 2nd crackme ..

    Storyline:
    You are the commander of the ESS Stargoose and flying
    through space as you suddenly realize you forgot how
    to activate the worm-hole device which could open
    up a "tunnel" for you to escape to another world ...

    Hint: You only have a few tries before the worm-hole device destroys itself

    Your Mission:
    Find the key to open the wormhole and send the solution
    and how ya got to it to:
    marchhare@woodydrn.com

    Bruteforcing it by pressing all keys does not count as a solution ;-)

  6. #6
    ZaiRoN
    Hi,
    "I have to find the HOTKEY in order to "crack it"."
    Hotkey, are you sure? Seems like the program wants only a sequence of simple keys to be pressed.

    I haven't spent too much time on this target, but (maybe) this information will help you. The program is written in Delphi and DeDe is the tool that will help us. It is an amazing tool; it will help you easily identify the way to the final goal.
    Load the crackme and take a look at the 'Forms' section. In this section you will find all the info related to tForm1 class (the main window of the crackme). In particular, you can see all the procedures called by the crackme:

    OnClose = FormClose ; called when the window is closed
    OnCreate = FormCreate ; called when the window is created
    OnDestroy = FormDestroy ; called when the window is destroyed
    OnKeyDown = FormKeyDown ; called when a key is pressed
    OnPaint = FormPaint ; called when the window is redrawn
    OnResize = FormResize ; called when the window is resized


    Since we need to find a sequence of keys, OnKeyDown seems to be the procedure we are looking for.
    Ok, go to the procedures section, where you can find all the procedures, and double click on OnKeyDown. You have all the code of the procedure in front of you.

    Now, I suggest you use your preferred debugger and try to understand what will happen when a key is pressed :-)

    Regards,
    ZaiRoN

  7. #7
    mythical
    Guest

    I tried the method, ran it in Olly and found a reference to "K",
    and then soon got lost in the code. I will keep trying, and thanks for the help.

  8. #8
    Hi!

    No need to go beyond the RET of this proc...
    Also, what you had found is good, but not enough...

    You might have gotten stuck or lost, but it is not that difficult, so don't dig too deep. On the other hand, maybe you have already solved this?

    /Manko

  9. #9
    mythical
    Guest
    I have found that I have to press K in order to even go to the check. So I press "K". After that I get lost, but I have figured out a way to make BL=02, and by just pressing "K" I will go to the wormhole.
    Here is how..

    0043C46C 55 push ebp
    0043C46D 8BEC mov ebp, esp
    0043C46F 53 push ebx
    0043C470 56 push esi
    0043C471 8BF1 mov esi, ecx --move ecx which is "k" to ESI
    0043C473 8B5D08 mov ebx, [ebp+$08]

    * Reference to Form1
    |
    0043C476 A114F04300 mov eax, dword ptr [$43F014]

    * Reference to field Form1.OFFS_000C
    |
    0043C47B 8B400C mov eax, [eax+$0C]

    * Reference to GlobalVar_0043F020
    |
    0043C47E A320F04300 mov dword ptr [$43F020], eax --move the number of times I have pressed a key to EAX
    0043C483 833D20F0430005 cmp dword ptr [$43F020], +$05 -- Have I pressed 5 keys?
    0043C48A 750C jnz 0043C498 -- If so End Process, End Program
    0043C48C C60534F0430001 mov byte ptr [$43F034], $01

    |
    0043C493 E84872FCFF call 004036E0
    0043C498 66833E4B cmp word ptr [esi], +$4B -- Compare the key I pressed to "K"
    0043C49C 751A jnz 0043C4B8 -- If so do not jump
    0043C49E F6C301 test bl, $01 -- change this to "mov BL,02"
    0043C4A1 7415 jz 0043C4B8 --"NOP" this
    0043C4A3 F6C302 test bl, $02
    0043C4A6 7410 jz 0043C4B8
    0043C4A8 803D2CF0430000 cmp byte ptr [$43F02C], $00
    0043C4AF 7507 jnz 0043C4B8
    0043C4B1 C6052CF0430001 mov byte ptr [$43F02C], $01
    0043C4B8 FF0520F04300 inc dword ptr [$43F020]

    * Reference to Form1
    |
    0043C4BE A114F04300 mov eax, dword ptr [$43F014]
    0043C4C3 8B1520F04300 mov edx, [$43F020]

    * Reference to field Form1.OFFS_000C
    |
    0043C4C9 89500C mov [eax+$0C], edx
    0043C4CC 5E pop esi
    0043C4CD 5B pop ebx
    0043C4CE 5D pop ebp
    0043C4CF C204 ret $04

    If someone can find out where BL is changed in the code it would be of some help. But this way works.

    Thanks for everyone's help.

  10. #10
    ZaiRoN
    Hi,

    You have solved the crackme, well done! But, we can solve the crackme without patching :-)

    This is the syntax of FormKeyDown function: TForm1.FormKeyDown(Sender: TObject; var Key: Word; Shift: TShiftState);
    we are interested in the last two parameters:
    - Key, the key that has been pressed
    - Shift, it can take many values but the more interesting are: ssShift, ssAlt and ssCtrl.
    "where BL is changed in the code"
    The value of bl is related to 'shift' parameter, in particular you have:
    bl = 1 if shift is pressed (ssShift)
    bl = 2 if alt is pressed (ssAlt)
    bl = 3 if shift+alt is pressed
    bl = 4 if ctrl is pressed (ssCtrl)
    bl = 5 if shift+ctrl is pressed
    and so on...

    We have to pass these two checks:

    CODE:0043C49E test bl, 1 ; checks if the first bit of bl is set
    CODE:0043C4A1 jz short loc_43C4B8 ; jump if it's not set
    CODE:0043C4A3 test bl, 2 ; checks if the second bit of bl is set
    CODE:0043C4A6 jz short loc_43C4B8 ; jump if it's not set

    The 'test' instruction performs a logical 'and' between the two operands, so bl must have both the first and the second bit set to 1: bl=00000011=03. If bl=03 and 'k' is pressed, the crackme is solved :-)

    ZaiRoN
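    Added example, not part of the thread: a Python model of the FormKeyDown handler as reconstructed from the DeDe listing in post #9 and the TShiftState explanation in post #10. It replays the three gates (Key == 'K', `test bl,1`, `test bl,2`) and the five-press counter, so you can see why Shift+Alt+K opens the wormhole without patching. It goes slightly beyond post #10 by enumerating every 3-bit Shift value: because `test` only examines the bits it names, bl=07 (Shift+Alt+Ctrl) passes too. The global names (`presses`, `destroyed`, `opened`) are assumptions derived from the addresses in the listing; `VK_K`, the `SS_*` bit values and the limit of 5 come from the listing and post #10.

```python
# Added example (not from the thread): model of TForm1.FormKeyDown as
# reconstructed from the DeDe listing in post #9 and ZaiRoN's explanation
# in post #10. Global names are assumptions based on the addresses shown.

# TShiftState bits, as seen in bl (post #10).
SS_SHIFT = 0x01   # ssShift
SS_ALT = 0x02     # ssAlt
SS_CTRL = 0x04    # ssCtrl

VK_K = 0x4B        # word compared against [esi] at 0043C498
MAX_PRESSES = 5    # immediate in the cmp at 0043C483


def passes_checks(key: int, shift: int) -> bool:
    """The gate at 0043C498..0043C4A6.

    cmp word ptr [esi], $4B / jnz  -> Key must be 'K'
    test bl, $01 / jz              -> bit 0 of Shift (ssShift) must be set
    test bl, $02 / jz              -> bit 1 of Shift (ssAlt) must be set
    `test` ANDs without storing the result, so any other bits (e.g. ssCtrl)
    are simply ignored by both checks.
    """
    return key == VK_K and (shift & SS_SHIFT) != 0 and (shift & SS_ALT) != 0


def winning_shift_states() -> list:
    """Every 3-bit Shift value that opens the wormhole together with 'K'."""
    return [s for s in range(8) if passes_checks(VK_K, s)]


class Wormhole:
    """State the handler keeps in globals (addresses from the listing,
    attribute names assumed): the press counter at $43F020, the
    'device destroyed' flag at $43F034 and the 'wormhole open' flag at $43F02C."""

    def __init__(self) -> None:
        self.presses = 0        # dword [$43F020], mirrored in Form1.OFFS_000C
        self.destroyed = False  # byte  [$43F034]
        self.opened = False     # byte  [$43F02C]

    def form_key_down(self, key: int, shift: int) -> str:
        # 0043C483: cmp dword ptr [$43F020], 5 / jnz 0043C498
        # The fall-through (counter == 5) sets the flag and calls 004036E0.
        if self.presses == MAX_PRESSES:
            self.destroyed = True
            return "destroyed"
        # 0043C498..0043C4B1: every failing check jumps to 0043C4B8 (the inc);
        # the cmp at 0043C4A8 skips the store once the flag is already 1.
        if passes_checks(key, shift) and not self.opened:
            self.opened = True  # mov byte ptr [$43F02C], $01
        # 0043C4B8: inc dword ptr [$43F020], then written back to the form field
        self.presses += 1
        return "open" if self.opened else "closed"


if __name__ == "__main__":
    print("Shift values that open the wormhole with K:", winning_shift_states())
    w = Wormhole()
    for shift in (0, SS_SHIFT, SS_ALT, SS_SHIFT | SS_ALT):
        print(f"K with shift={shift:#05b}: {w.form_key_down(VK_K, shift)}")
```

    Running the block prints `[3, 7]` for the winning Shift values and walks one session through four presses, the last of which (Shift+Alt+K) opens the wormhole. The model also makes the hint in the storyline concrete: the counter is compared before it is incremented, so the sixth key-down is the one that trips the self-destruct branch.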
