Dettens CrackMes

[jackall]

Thanks for uploading crackMes…
PEiD tells me crackMe#4 is packed and protection is UPX 0.89.6.

Opening crackMe#4 in Olly, Executed POPAD, ESP and to follow in Dump and Set break point on 4-bytes in Dump. Again executed the Jmp to land at OEP (401000). Dump debugged process and saved it.

PEiD confirms that crackMe is clean now.
Running the clean#4, we get an empty window. Noping at 00401181 one gets ‘well done’. But you have specified not to patch it.
Then how to go ahead with the blank dark screen??
Guidance needed...

Regards...

[detten]

The crackme isn't the regular stuff you would expect, its a bit more original
It is hard to give any hints without giving away the solution.

You already found the good guy message, so you should be able to figure out what triggers it. Some 'action' does lead to the goodguy message...

Post back in this thread for a more clear hint.
Good luck!

[jackall]

Yes!! i have found where the good guy msg come from...

0040117A ....... 803D 14B14000 00 ..... CMP BYTE PTR DS:[40B114],0
00401181 ....... 74 1F ..... JE SHORT crackme#.004011A2

0 is compared to ….and if I change the 0 to 1...Well ! you said no patching..

But you hinted there could be a clearer hint...
i wonder what that could be.....

regards..

[detten]

You might want to search where this byte value is set to 1 in your dumped file, and see what calculation code triggers this value to be set to 1.

And a clear hint would be that some 'user input' is needed to solve the crackme. There are only limited ways to provide an application with input through its window...

Good luck.

[jackall]

CMP BYTE PTR DS: [40B114], 0
JE SHORT crackme#.004011A2
Initially...
BYTE PTR DS: [40B114] = 0;
So it jumps to .004011A2 ... to present a blank screen.
If i could set
BYTE PTR DS: [40B114]! =0; i can get 'well done ' msg.

How to set it to =1 (e.g.)?
What user input triggers value to set =1? ; This hint is later provided
i ask myself these questions again and ...

i tried find some help at location 40B114.
AL is added to [EAX] many times. could not make sense of it (here! ignorance is not bliss for me ) it simply adds more and more questions...

What are the user inputs?
keys... mouse...

i am 'groping through deaf darkness ‘...
seems to reach nowhere...

[detten]

If you search the dump for all places where the flag [40B114] is used, you find the addresses you mentioned, but also an interesting one at address [0040130A] ...

Check it out, try to figure out when/how the code block it is in is triggered, and you have the solution.

Good luck.

[detten]

[jackall]

i was away for a while where broadband was not much heard of. There! i missed my favorite forum www.reversing.be and my much awaited posts from the members.

Back home... Back to crackMe#4...

Now with my earlier feeble unsuccessful attempt to solve crackMe#4, i was beginning to feel... may be iam trying to RUN before i could CRAWL. So i need to learn more.

Any way i need to go back to your last 3 posts and make a new beginning from there. and improve my progress curve.

i will let you know whatever progress i make...
Meanwhile thank you for the assistance.
regards...

[detten]

If you try my crackme 5 first, it might be somewhat easier to understand. It is written in assembly so its leaner code.