
Gr. crackme: >>KongFuZi<<

evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, simonzack & wtbw sent me their ideas.

wtbw found quite an uneasy solution to burn the string, but he will be unable to fit it into KEYsz in this way.

Instead, simonzack found a non-executable but much too easy solution.
Let me say this: this solution is against KongFuZi's description.

But I won't restrict this solution.
So, simonzack, if you like, choose the correct text for the MsgBox & release your solution as an alternative finding.
simonzack
Member
Posts: 30
Joined: Mon Jan 26, 2009 11:56 pm

Post by simonzack »

In the 'recommended' solution, does it jump outside the VM to execute things?
Because 448/4=112, 448/5=89.
This is shorter than the message.

esp can only be changed from a dword in the keyfile.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

If you want to jump out, then only to executable code (not to data).
simonzack
Member
Posts: 30
Joined: Mon Jan 26, 2009 11:56 pm

Post by simonzack »

So evaluator,

Does the recommended solution actually jump out of the VM, or jump between opcodes?
I just want to know this, because if it does not, I'll stop thinking that way and just focus on the VM opcodes.
Or is this too much of a hint?
Right now I've figured out another way to write the message, however it is too short.

smk
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

You are free to do anything; just satisfy the description:

; THINK, how to burn non existent string for MsgBox:
; "You have found a Black Cat in a Dark Room, although the cat was not even there!"
wtbw
Member
Posts: 93
Joined: Sun Feb 06, 2005 9:55 pm

Post by wtbw »

Hey eval,

Having ones like this uncommented in the source but not present in the final exe is CRUEL:

mov eax, esi | jmp esp
mov ecx, esi | jmp esp
mov edx, esi | jmp esp
mov ebx, esi | jmp esp
mov esp, esi | jmp esp
mov ebp, esi | jmp esp
mov esi, esi | jmp esp
mov edi, esi | jmp esp

Edit: Oh, it's that they're commented out with ;; instead of individually. Well still ;)
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Solver should trust me when I have written, like:
; Don't fight with crackme... etc

He should imagine the best way to do the thing, then implement it..
andrewl

Post by andrewl »

evaluator wrote: Solver should trust me when I have written, like:
; Don't fight with crackme... etc

He should imagine the best way to do the thing, then implement it..

haha I fucking love this crackme shit...I am going insane
BoB
Posts: 51
Joined: Mon Mar 29, 2010 6:55 pm
Location: UK

Post by BoB »

Well, is a result going to be published or is this still open? I stopped work on it when you said it was done..
simonzack
Member
Posts: 30
Joined: Mon Jan 26, 2009 11:56 pm

Post by simonzack »

I found another way to write the message.

Hope you like it better this time, evaluator.
I PM'ed you the key.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

This way is quite fun! (even if not what I want).
You can submit it as an alternative solution, but, hey, the MSG should be different!
("You have found a Black Cat...")

After, you can continue to the best. (you are unstoppable)

Now I show why it is not the main solution.
The string below
>>THINK, how to burn non existent string for MsgBox

means that you should NOT deliver the Cat in the room, even indirectly (encrypted).
Because:
>>cat was not even there!

Delivering a Cat in the room is a bluff.
wtbw
Member
Posts: 93
Joined: Sun Feb 06, 2005 9:55 pm

Post by wtbw »

evaluator wrote: Delivering a Cat in the room is a bluff.

You mean you want us to get the string from the user via an API? Or load the exe directly and use the copy of it in the source?
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

That would be delivery, so no.
It should be like your case, but in a better way.
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

alex_ls has posted an alternative solution to this crackme. I'm attaching it here.

It is alternative because it delivers content, e.g. BlackCat (no matter whether it is encrypted or not).

The same kind of solution was done earlier by simonzack and is also posted here.

On the correct path are andrewl & wtbw.

I hope these alternatives can EXTEND their fUnazzie..
Attachments
alex_ls-solution_to_KongFuZi.zip (3.17 KiB)
KEYs_simonzack.zip (558 Bytes)
Chanakya

Post by Chanakya »

Hey, I am a newbie and I found a solution to this problem. Please check it.
Attachments
Broken.rar (5.32 KiB)