
Thread: Patch...!? Debugger approach...

  1. #1
    exctlong
    Guest

    Patch,Patch,Patch...!?

    Hi!

    Please help me, show me how to patch this crackme, thanks!

    The right password is : nttl

    Let's patch it, make it accept any password.

    it's very cool!

  2. #2
    r4g3
    Guest
    1. unpack
    2. patch:
    0x12424: 301C0100
    0x11A9c: BC
    3. goto sleep;

  3. #3
    ZaiRoN
    Join Date: Oct 2001, Location: Italy, Posts: 922, Blog Entries: 17
    Hi Rage,
    I think it would be useful if you show us how to solve the crackme.
    For example, have you used a specific unpacker or, have you unpacked the file manually? Why did you patch the offset at 0x12424?

    Ciao,
    ZaiRoN

  4. #4
    r4g3
    Guest
    ;)

    1. unpacked with aspackdie 1.41

    2.
    it's a Delphi VCL app, but w/o the standard startup routines. The window is created using RegisterClassA/CreateWindowExA

    CODE:00411CA1 push ebx ; lpWndClass
    CODE:00411CA2 call RegisterClassA

    it's a (lpWndClass) ebx;
    a few lines above is

    mov dword ptr [ebx+4], offset sub_411B68

    the WindowProc. So finally we get to sub_411A2C - the OK btn handler.
    The problem here is that the MessageBox is never called w/ an unpacked app. Running the packed one again reveals that

    CODE:00411AC9 call Listactns@TListActionLink@AddItem

    nonsense is overwritten w/ a jmp xxxxx to some showmessage routine.
    So again with the unpacked one I traced the xrefs starting from the one at the start of that stupid VCL function. That brings us back to the WinMain:

    CODE:00411E00 mov eax, ds:dword_4138A4
    CODE:00411E05 cmp eax, ds:dword_412424
    CODE:00411E0B jnz short loc_411E4B
    CODE:00411E0D push offset loc_4118E0

    the followed xref is push'ed after a cmp of the actual EP w/ a saved one. So the first patch at 12424 is to replace it with the new EP of the unpacked app.
    The second one makes MessageBox always show "registered". It modifies
    a push'ed constant back in ok btn handler.
    The routine jmp'ed instead of that VCL call checks for serial validity in some perverted way and according to its results calls [ebp-4] if all is ok or [ebp+8] otherwise. [ebp-4] is that push'ed constant - a ptr to a routine placing the "serial ok" string ptr into a public variable.

    3. no additional comments here :P

  5. #5
    dump at 411c30
    iat=140c8 size = 19c
    nop jnz at 411e0b to make prog display message
    change jmp at 410b3a to 410b3d
    done

  6. #6
    ZaiRoN
    Hi rage,
    0x11A9c: BC
    It does not work for me. I have not understood the reason why you have changed the code with this particular byte, indeed.
    The instruction at 411A9A moves the pointer to your serial into eax and, to always show the registered message you can simply change the instruction into this one: mov eax, 411B60 (411B60 points to the right serial)

    Hi exctlong,
    which was your problem exactly?

    Ciao,
    ZaiRoN

  7. #7
    r4g3
    Guest
    :P
    should have been 0x11A92

  8. #8
    should have been 0x11A92
    r4g3, are you sure? This does not work...

    Regards

  9. #9
    r4g3
    Guest
    >fc /B unpacked.exe patched.exe
    Comparing files unpacked.ExE and PATCHED.EXE
    00011A93: E4 BC
    00012424: 01 30
    00012425: A0 1C
    0001B093: E3 6C
    0001B094: D5 A9
    0001B0B3: 12 2F
    0001B0B4: 8B BC

    hmmm it seems that I patched in 4 locations, don't remember anything about the last 2; anyway fc doesn't lie, so this is it finally :P
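The fc /B listing above is a complete patch set (file offset, old byte, new byte). Applying such a set blindly to a different dump is exactly why patches in this thread "do not work"; the following added example (not from any poster) parses that listing and applies it only after verifying every original byte, using a constructed zero-filled stand-in for unpacked.exe rather than the real attachment.

```python
import re
from typing import List, Tuple

# Constructed sample: the fc /B output quoted in post #9 (offsets and bytes from the thread).
FC_OUTPUT = """Comparing files unpacked.ExE and PATCHED.EXE
00011A93: E4 BC
00012424: 01 30
00012425: A0 1C
0001B093: E3 6C
0001B094: D5 A9
0001B0B3: 12 2F
0001B0B4: 8B BC
"""

# fc /B prints "OFFSET: OLD NEW" with 8 hex digits for the offset and 2 for each byte.
FC_LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_fc(text: str) -> List[Tuple[int, int, int]]:
    """Turn fc /B lines into (file offset, old byte, new byte); the header line is skipped."""
    patches = []
    for line in text.splitlines():
        m = FC_LINE.match(line.strip())
        if m:
            patches.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)))
    return patches


def check_original(image: bytes, patches) -> bool:
    """True only when every 'old' byte matches, i.e. this is the build the diff was taken from."""
    return all(off < len(image) and image[off] == old for off, old, _ in patches)


def apply_patches(image: bytes, patches) -> bytes:
    """Apply the patch set, refusing to touch a file whose original bytes differ."""
    if not check_original(image, patches):
        raise ValueError("original bytes do not match; wrong dump or already patched")
    buf = bytearray(image)
    for off, _, new in patches:
        buf[off] = new
    return bytes(buf)


def build_sample_image(patches, size=0x1C000) -> bytes:
    """Constructed stand-in for unpacked.exe: zeros with each 'old' byte at its offset."""
    buf = bytearray(size)
    for off, old, _ in patches:
        buf[off] = old
    return bytes(buf)
```

Running apply_patches a second time on its own output raises, because the 'old' bytes are no longer present.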

  10. #10
    bl00dk@
    Guest
    Patch here:

    Old -> 4060C2 0FB657FF
    New -> 4060C2 0FB656FF

    bl00dk@

  11. #11
    ZaiRoN
    Hi,
    here is another way to solve the crackme, a simple loader. I did write this as a support for this thread:

    http://www.woodmann.net/forum/showthread.php?t=5123

    Ciao,
    ZaiRoN
