BiW Reversing
Dettens CrackMes

 
www.reversing.be Forum Index -> Code Reversing
jackall (New to the board; Joined: 25 Feb 2008, Posts: 10, Location: india)
Posted: Thu Mar 13, 2008 11:59 am    Post subject: Dettens CrackMes

Thanks for uploading the crackMes...
PEiD tells me crackMe#4 is packed and the protection is UPX 0.89.6.

Opening crackMe#4 in Olly, I executed the POPAD, followed ESP in the dump and set a breakpoint on 4 bytes there. Then I executed the JMP to land at the OEP (401000), dumped the debugged process and saved it.

PEiD confirms that the crackMe is clean now.
Running the clean #4, we get an empty window. NOPing at 00401181, one gets 'well done'. But you have specified not to patch it.
Then how do I go ahead with the blank dark screen?
Guidance needed...

Regards...
detten (Site Admin; Joined: 05 Feb 2005, Posts: 317)
Posted: Thu Mar 13, 2008 5:53 pm

The crackme isn't the regular stuff you would expect; it's a bit more original ;)
It is hard to give any hints without giving away the solution.

You already found the good guy message, so you should be able to figure out what triggers it. Some 'action' does lead to the goodguy message...

Post back in this thread for a more clear hint.
Good luck!

_________________
Ignorance is bliss, knowledge is power
jackall (New to the board)
Posted: Fri Mar 14, 2008 4:51 am

Yes!! I have found where the good guy msg comes from...

0040117A  803D 14B14000 00    CMP BYTE PTR DS:[40B114],0
00401181  74 1F               JE SHORT crackme#.004011A2

0 is compared to ... and if I change the 0 to 1... Well! You said no patching...

But you hinted there could be a clearer hint...
I wonder what that could be...

regards..
detten (Site Admin)
Posted: Fri Mar 14, 2008 10:09 am

You might want to search where this byte value is set to 1 in your dumped file, and see what calculation code triggers this value to be set to 1.

And a clear hint would be that some 'user input' is needed to solve the crackme. There are only limited ways to provide an application with input through its window... ;)

Good luck.

jackall (New to the board)
Posted: Sat Mar 15, 2008 4:57 am

CMP BYTE PTR DS:[40B114],0
JE SHORT crackme#.004011A2
Initially...
BYTE PTR DS:[40B114] = 0;
So it jumps to .004011A2 ... to present a blank screen.
If I could set
BYTE PTR DS:[40B114] != 0; I can get the 'well done' msg.

How do I set it to =1 (e.g.)?
What user input triggers the value to be set to 1? (This hint was provided later.)
I ask myself these questions again and ...

I tried to find some help at location 40B114.
AL is added to [EAX] many times. I could not make sense of it (here ignorance is not bliss for me); it simply adds more and more questions...

What are the user inputs?
Keys... mouse...

I am 'groping through deaf darkness'...
It seems to reach nowhere...
detten (Site Admin)
Posted: Sat Mar 15, 2008 7:00 pm

If you search the dump for all places where the flag [40B114] is used, you find the addresses you mentioned, but also an interesting one at address [0040130A] ...

Check it out, try to figure out when/how the code block it is in is triggered, and you have the solution.

Good luck.

detten (Site Admin)
Posted: Thu Mar 20, 2008 6:23 pm

Quote:
    I tried to find some help at location 40B114.
    AL is added to [EAX] many times. I could not make sense of it (here ignorance is not bliss for me); it simply adds more and more questions...

I didn't really notice this part of your post the first time I responded, so here is a little general information concerning your questions.

First, a little information about the PE parts. Every PE file (exe, dll, ax, ...) consists of a couple of different sections. Mostly the first section is a code section, the second one contains the static variables, and there could also be a section containing resources (like images).

The 40B114 is located in the data section (you can discover this by examining the PE header section table), so the AL added to EAX you saw is NOT code; it's a number of variables aligned one after the other (ADD EAX,AL actually is zeroed-out variables). It's mainly a block of memory addresses used to store data; the interesting part is that you discovered 40B114 to be the variable holding the goodguy(1)/badguy(0) flag.

So as I mentioned in my previous post, you need to check out all the places in the code section that do something with that flag, and more specifically set it to 1. If you find that, you should be right below the code that 'decides' if you performed the correct input.

Let us know how you are doing :)

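As an added worked example (not code from this thread, from detten, or from the crackme itself), the Python below does the two things detten's last two posts suggest: it reads the PE section table to tell which section a virtual address such as 40B114 falls in, and it scans only the executable sections for the little-endian encoding of that address, which lists every instruction that reads or writes the flag without wading through zeroed data that a disassembler renders as ADD BYTE PTR [EAX],AL (opcode bytes 00 00). The image it parses is a constructed minimal PE32 stub, not the real unpacked crackme#4 dump: the CMP BYTE PTR [40B114],0 at 40117A is the instruction quoted in the thread, while the MOV BYTE PTR [40B114],1 placed at 40130A is an assumption made only so the search returns a hit at the address detten points at (the thread names the address, not the opcode). To use it on a real dump, replace build_sample_image() with the bytes of the dumped file.

```python
import struct

IMAGE_BASE = 0x400000
FLAG_VA = 0x40B114                  # the goodguy(1)/badguy(0) flag discussed in the thread
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section Characteristics bit: contains executable code

SECTION_HDR = "<8sIIIIIIHHI"        # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                                    # PointerToRawData, relocs, linenums, nreloc, nlinenum, Characteristics


def build_sample_image():
    """Constructed minimal PE32 image (NOT the crackme): a .text section at RVA 0x1000
    holding two instructions that reference FLAG_VA, and an all-zero .data section at
    RVA 0xB000 that contains FLAG_VA itself."""
    sections = [
        # name,    VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics
        (b".text", 0x1000, 0x400, 0x200, 0x400, 0x60000020),  # code | execute | read
        (b".data", 0xB000, 0x200, 0x600, 0x200, 0xC0000040),  # initialized data | read | write
    ]
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew -> "PE\0\0"
    img[0x40:0x44] = b"PE\0\0"
    # COFF file header: Machine=i386, 2 sections, SizeOfOptionalHeader=0xE0 (PE32)
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", img, 0x58, 0x10B)               # optional header Magic = PE32
    struct.pack_into("<I", img, 0x58 + 28, IMAGE_BASE)     # ImageBase (PE32: DWORD at +28)
    sec_tbl = 0x58 + 0xE0
    for i, (name, va, vsz, raw, rawsz, chars) in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, sec_tbl + 40 * i,
                         name, vsz, va, rawsz, raw, 0, 0, 0, 0, chars)
    addr = struct.pack("<I", FLAG_VA)
    # 40117A: 80 3D <addr> 00  CMP BYTE PTR [40B114],0  (quoted in the thread)
    # 40130A: C6 05 <addr> 01  MOV BYTE PTR [40B114],1  (assumed opcode at the address detten names)
    img[0x200 + 0x17A:0x200 + 0x181] = b"\x80\x3D" + addr + b"\x00"
    img[0x200 + 0x30A:0x200 + 0x311] = b"\xC6\x05" + addr + b"\x01"
    # .data stays zeroed: a debugger disassembling it shows runs of 00 00, i.e.
    # ADD BYTE PTR [EAX],AL, which is data, not code.
    return bytes(img)


def parse_pe(image):
    """Return (image_base, [section dicts]) read from the PE header and section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                     # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        name, vsz, va, rawsz, raw, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsz,
                         "raw": raw, "rawsize": rawsz, "chars": chars})
    return image_base, sections


def section_for_va(image, va):
    """Name of the section whose virtual range contains va, or None (header/unmapped)."""
    base, sections = parse_pe(image)
    rva = va - base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def find_code_refs(image, target_va):
    """VAs inside executable sections where target_va appears as a little-endian 32-bit
    absolute operand: the candidate instructions that read or write it. The opcode and
    ModRM bytes sit just before each returned VA."""
    base, sections = parse_pe(image)
    needle = struct.pack("<I", target_va)
    hits = []
    for s in sections:
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue                                       # skip data: a match there is not an instruction
        blob = image[s["raw"]:s["raw"] + s["rawsize"]]
        pos = blob.find(needle)
        while pos != -1:
            hits.append(base + s["va"] + pos)
            pos = blob.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    img = build_sample_image()
    print("flag %08X lives in %s" % (FLAG_VA, section_for_va(img, FLAG_VA)))
    for va in find_code_refs(img, FLAG_VA):
        print("operand at %08X -> instruction starts a few bytes earlier" % va)
```

Only matches in sections flagged executable are reported, so the flag's own storage in .data (and any stray 14 B1 40 00 in other data) never shows up as a false "reference"; the operand VA is returned rather than the instruction start because the opcode length in front of the address varies (two bytes for the CMP/MOV forms above, one for a plain MOV with EAX).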
jackall (New to the board)
Posted: Thu Mar 27, 2008 5:00 am

I was away for a while, somewhere broadband was not much heard of. There I missed my favorite forum www.reversing.be and my much-awaited posts from the members.

Back home... Back to crackMe#4...

Now, with my earlier feeble, unsuccessful attempt to solve crackMe#4, I was beginning to feel... maybe I am trying to RUN before I can CRAWL. So I need to learn more.

Anyway, I need to go back to your last 3 posts, make a new beginning from there and improve my progress curve.

I will let you know whatever progress I make...
Meanwhile, thank you for the assistance.
Regards...
detten (Site Admin)
Posted: Thu Mar 27, 2008 7:38 pm

If you try my crackme 5 first, it might be somewhat easier to understand. It is written in assembly, so it's leaner code.