TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Crack me help

Post by TB10 »

Hello,

Can someone help me with this crackme, a password-protected Setup written in Delphi? PEiD shows me that it's not packed with a protector.
But it seems to me that it is a self-modifying exe. I've tried to remove the password dialog window in Olly, but it looks like there is only one window for all messages, just the text changes (searching for text etc. doesn't help). You can set a breakpoint at the "GetKeyState" API, and Olly breaks while entering the password in the box.
The "Next" button is greyed out as long as you don't enter the right password.
As a beginner, this is not the usual stuff like searching for text strings or nag screens, very hard!
So I need help from some good reverser, thank you!
Andy.
Attachments
Setup.zip
CrackZ
Posts: 339
Joined: Wed Dec 06, 2000 8:00 am

Post by CrackZ »

Looks pretty easy to me. Study sub_417524 in IDA.

Regards,

CrackZ.
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

OK, sounds interesting. Olly and IDA break at 417524, but what could a code solution look like: nop, jmp or other?
Attachments
IDA_01.jpg
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

In this case you can do a 1 byte patch, but I don't think that's the point of the crackme. You should be able to easily see your password compared in the registers (and determine the length it's looking for), and you can change the zero flag on jz/jnz calls to continue in the right direction with a mock password. Then see if you can find the 1 byte patch solution which will EnableWindow() to proceed with the installation even without a password.
Once you do that though you'll want to go back and work on the real algorithm.
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

keygen for the crackme's first letter and proof of validity: crack the first letter to crack the rest

Code:

:\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

First, thank you all!
Hm, I try to understand: at 00417588 CMP EBX,30 Olly breaks when you try to enter the first key letter, but where can I find the needed length of the password?
Until now I have had no luck changing the zero flags at the jumps; I only get error messages, but there must be a jump to the install window (after the password dialog), right?

How can I use your keygen code!? Sorry, I'm just beginning in reverse ;)
Attachments
Olly_01.jpg
reverser
Senior Member
Posts: 104
Joined: Tue May 23, 2006 11:36 am

Post by reverser »

People who post screenshots in jpg need to be quartered and shot.
Attachments
jpg_vs_png.png
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Come on, PNG lost the battle long ago... :)

JPG for life!!!!

Have Phun
Blame Microsoft, get l337 !!
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

Indeed, PNG is better for screenshots, smaller file size, so next time PNG, no problem (before I get quartered here... :D )
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

TB10 wrote:
How can I use your keygen code!? Sorry, I'm just beginning in reverse

yep that question is indeed beginning in reverse, how about moving forward and making some effort to tow from the front ?
did you find out what windbg is ?
what bp is in that context ?
where bp is set in the command and why ?
what does g do in windbg ?
what does gu do in windbg ?
what would eax hold when returning from a function universally ?
what is an access breakpoint ?
how does an access breakpoint work ?
does it work for both read access and write access ?
what other accesses can access breakpoint work for ?
what sizes does it take ?
how many access breakpoints are available ?
what does bd do ?
is there an expression evaluator in the cryptic command ?
if yes what does it evaluate ?
what is the relation if any with the first letter as posted?
do you see a display of it ?
what is displayed on the screen when you simply follow it ?
can you emulate the same scenario in ollydbg / gdb / ida / hopper / <your own whatever> ?
if yes what did you understand ?
finally what is the moral of the story ?
now when you reach here you would be able to use the keygen code without asking anyone :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote:

Code:

:\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe
OMG, what kind of encryption is that! :p
How did you find out so quickly that the hashed input is saved at offset 26a0? Clearly (after setting a bp on GetWindowText and stepping out a couple of times) the hash is stored at address 26a0 (the start address looks to be offset 269c), but how did you determine that this is the offset into some chunk of memory allocated previously in the first call to VirtualAlloc? (Sorry for the noob question)
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@niaren the address does not hold hashed output, take a look again, and for the start of the hash you are off by another 4 bytes
look at CrackZ's hint, a very superb hint there ( i just latched onto it that is all)
i didn't do anything except finding out who calls the function and then latched onto kayaker's second hint of a one byte patch

must have taken about two minutes to bypass the check without password

once you know you can bypass it without a password you are then sure that one of the parameters earlier must be the key
search for the address and you find it is allocated memory
so whooooddddonit?
what is result of the act?
is the offset you saw earlier constant?
how to verify ?
once you verified what else it is looking for ? what could be the algorithm what is the length etc etc

these questions should automatically pop up
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

@blabberer, if I can answer all of the list, there is really no need for any further questions! Well, I know that for an expert it's boring to answer all the stupid beginner questions over and over again, but without questions there is no learning ;) OK, windbg is a debugger, the name says it.
This debugger code stuff is very, very hard for me to understand. Just for this small crackme you get tons of code, somewhat abstract, and which of it is useful or not? I try to learn step by step (very small steps) and I've read lots of tutorials, but until now I've found no answer for this special crackme with its interesting keystroke trapping. That's why I'm asking here; right now an "easy solution" bypassing the password window would be enough for me. I am not in a position to understand in detail what's going on in every line of code, sorry.
2 minutes to bypass the password check? Oh no!!! Woooow :stunned: , is it really so easy? I'm a loser :(
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

well you seem to miss the point of posting

i do not want you to answer all those question
neither do i want you to be an expert answering all those questions or even pretend to understand those questions
nor am i bored answering noobish questions

i just want you to try to understand some of those questions
i just want you to put some efforts into the TRYING part

and i am sure if you try you will find the path

yes it is absolutely under 2 minutes to patch a sete opcode somewhere to make this crackme work without a password
Attachments
try.PNG
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Don't worry TB10, no one is mocking you or anything here. Believe me, we've all been exactly where you are at one time. Part of the learning process is to work through things on your own until the "lightbulb" goes on, one small step at a time. You learn a lot more that way, having to do a little research to understand what people or the code are saying.

One thing that will help you at this point is to learn what each of the opcode instructions DO, before trying to understand what the code DOES. i.e., learn what the words mean before trying to read the language.

For example, I mentioned specifically about changing the zero flag on JZ/JNZ calls to force the code to go in a direction you want so you can continue tracing. Then you seemed to focus on JBE/JAE jumps and complained about not being able to modify them. You need to understand what those jumps actually mean in the context of the previous comparison instructions and how register flags other than the Zero Flag (ZF) are affected, if you want to control them (not that you want to in this particular case anyway).

Similarly, blabberer gave a clue about a SETE opcode which might be important - what exactly is that and what does it do? That's something you need to know more about.


I've attached 2 files. One is the standard opcode mnemonic help file from the Masm32 install. The other, perhaps lesser known, is a small opcode instruction table program that made the rounds on the masm/win32asm forums many years ago. If you can get comfortable with what they are telling you it should help your progress. And if you want to continue to learn assembly language you should at some point devour Iczelion's tutorials, including the PE tutorials.

http://win32assembly.programminghorizon ... rials.html

Good luck


btw, excellent resolution on the PNG file blabberer. Reverser was bang on! We need to enforce that somehow :)
Attachments
opcodes_masm32_chm.zip
opcodes.png
opcodes.zip
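The flag mechanics Kayaker describes in the post above (ZF alone driving JZ/JNZ and SETE, while JBE/JAE after a CMP depend on CF as well), worked through as an added C illustration that is not part of the thread or the crackme; cmp32, jz, jbe, sete and flip_zf are hypothetical helper names, and the operands mirror the CMP EBX,30 mentioned earlier with a constructed EBX value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper: the flag state left behind by CMP a, b (computes a - b, discards result). */
typedef struct { bool zf, cf, sf, of; } flags_t;

static flags_t cmp32(uint32_t a, uint32_t b) {
    uint32_t r = a - b;
    flags_t f;
    f.zf = (r == 0);                               /* result zero: operands equal */
    f.cf = (a < b);                                /* unsigned borrow */
    f.sf = (r >> 31) & 1;                          /* sign of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;        /* signed overflow */
    return f;
}

/* Condition codes of the jumps named in the thread. JZ/JNZ look at ZF only;
 * JBE/JAE are unsigned comparisons and depend on CF (and ZF), so flipping ZF
 * alone in the debugger does not steer them. */
static bool jz(flags_t f)  { return f.zf; }
static bool jnz(flags_t f) { return !f.zf; }
static bool jbe(flags_t f) { return f.cf || f.zf; }   /* unsigned <= */
static bool jae(flags_t f) { return !f.cf; }          /* unsigned >= */

/* SETE stores 1 or 0 into a byte operand from ZF alone (the opcode blabberer mentions). */
static uint8_t sete(flags_t f) { return f.zf ? 1 : 0; }

/* What toggling ZF in the debugger's flag pane does to the saved flags. */
static flags_t flip_zf(flags_t f) { f.zf = !f.zf; return f; }

int main(void) {
    /* Constructed values: CMP EBX,30 with EBX = 0x2F, i.e. one below '0'. */
    flags_t f = cmp32(0x2F, 0x30);
    printf("CMP 2F,30: ZF=%d CF=%d  JZ=%d JBE=%d JAE=%d SETE=%u\n",
           f.zf, f.cf, jz(f), jbe(f), jae(f), sete(f));
    f = flip_zf(f);
    printf("ZF flipped: JZ=%d JBE=%d JAE=%d SETE=%u (JAE unchanged: it needs CF)\n",
           jz(f), jbe(f), jae(f), sete(f));
    return 0;
}
```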