deroko's brainbuster
Download brainbuster.zip, 8 kb (password: crackmes.de). The objective is to write a keygen or to get the good pass for the .rar; just check readme.1st.txt.
Difficulty: 3 - Getting harder | Rating votes: 10
Solutions
Solution by lord_Phoenix, published 09. Nov 2005; download (55 kb), password: crackmes.de.
lord_Phoenix has rated this crackme as boring crap.
Discussion and comments
born2c0de (29. Oct 2005): Smart coding there. Disassemblers think the strings are pieces of code. Nicely masked with MessageBox functions. Also includes an INT 3 debug interrupt instruction. Neat. I got through the main code... I just hate the math...
deroko, author (29. Oct 2005): that small part of "math" is there so I could submit it as a crackme. I was more interested in the way of tracing code and breaking it down instead of the serial calculation, which is not hard =)
deroko, author (29. Oct 2005): @bigboss: If you have solved it (which I doubt) please submit a solution and don't give hints that I gave at one Serbian forum prior to writing this crackme...
bigboss1988 (29. Oct 2005): I'm sorry deroko :( but I only asked
code_inside (29. Oct 2005): Ok I've cracked it :) The stuff you use in the beginning is almost the same as my TrapMe CrackMe :) (Which sadly only runs on W98SE...) I'll PM the name+serial.
deroko, author (29. Oct 2005): good job mate, the algo for "the stuff" you can find on my hp and it works quite good under win2k/xp =)
bigboss1988 (30. Oct 2005): Hi deroko, I see 2 tricks now ;) is patching allowed for the tricks?
deroko, author (30. Oct 2005): sure you may patch whatever you want to get a good key, but don't make a jmp to the good message as I've explained in readme.1st.txt =)
bigboss1988 (30. Oct 2005): ok deroko I made it ;) I'm still searching for the key :)
bigboss1988 (31. Oct 2005): Any hint :D I can't get the pass
deroko, author (31. Oct 2005): did you find the keycheck routine?
bigboss1988 (31. Oct 2005): yes,

```
004010E6  . BF F1204000      MOV EDI,brainbur.004020F1            ; ASCII "bigboss1988"
004010EB  . F3:AB            REP STOS DWORD PTR ES:[EDI]
004010ED  . B9 19000000      MOV ECX,19
004010F2  . BF 55214000      MOV EDI,brainbur.00402155            ; ASCII "1111111111111"
004010F7  . F3:AB            REP STOS DWORD PTR ES:[EDI]
004010F9  . 6A 1E            PUSH 1E                              ; /Count = 1E (30.)
004010FB  . 68 F1204000      PUSH brainbur.004020F1               ; |Buffer = brainbur.004020F1
00401100  . 6A 00            PUSH 0                               ; |ControlID = 0
00401102  . FF75 08          PUSH DWORD PTR SS:[EBP+8]            ; |hWnd
00401105  . E8 F4080000      CALL <JMP.&USER32.GetDlgItemTextA>   ; \GetDlgItemTextA
0040110A  . 85C0             TEST EAX,EAX
0040110C  . 0F84 97010000    JE brainbur.004012A9
00401112  . 83F8 05          CMP EAX,5
00401115  . 0F82 8E010000    JB brainbur.004012A9
0040111B  . A3 EE214000      MOV DWORD PTR DS:[4021EE],EAX
00401120  . 6A 1E            PUSH 1E                              ; /Count = 1E (30.)
00401122  . 68 55214000      PUSH brainbur.00402155               ; |Buffer = brainbur.00402155
00401127  . 6A 01            PUSH 1                               ; |ControlID = 1
00401129  . FF75 08          PUSH DWORD PTR SS:[EBP+8]            ; |hWnd
0040112C  . E8 CD080000      CALL <JMP.&USER32.GetDlgItemTextA>   ; \GetDlgItemTextA
00401131  . 85C0             TEST EAX,EAX
00401133  . 0F84 70010000    JE brainbur.004012A9
```
bigboss1988 (31. Oct 2005):

```
00401152    21CA             AND EDX,ECX
00401154    BE DF9F204D      MOV ESI,4D209FDF
00401159    BE DF9F3216      MOV ESI,16329FDF
0040115E    98               CWDE
0040115F    3216             XOR DL,BYTE PTR DS:[ESI]
```

process terminated?? that's all
code_inside (31. Oct 2005): bigboss1988, that's not the key checking routine, you're stuck at the second protection (TrapFlag decryption), pay attention to the SEH that has been set up ;)
bigboss1988 (01. Nov 2005): code_inside :( I can't solve it, submit ur solution, I wanna know something new ;)
MaxM (04. Nov 2005): Damn! I reopened the cm in IDA and found the tl.cbk - I TOTALLY forgot to check its presence w/LordPE - I took it very bad when Olly exited at start anyway lol. By the way, since I don't want to deal with the uncrypting stuff, is there any way to crack without debugging? Eventually reversing some very curious routine around...
MaxM (04. Nov 2005): sigh! I'll patch and start debugging to track the ref I miss. (ps: change the t-stuff in txxx in my prev post, to make it more obscure, or just remove it - at will)
deroko, author (04. Nov 2005): that's okay, no need to delete the post =) happy cracking =)
MaxM (04. Nov 2005): @bigboss: check the prior crackme of deroko, the #2 (August one). It uses the same technique as this one, just simplified (btw, you can find a ref to it in the paper on SEH I posted on community, search for the Jr IBM in it)
lord_Phoenix (07. Nov 2005): I solved it =) soon I'll submit a solution..
bigboss1988 (11. Nov 2005): thx MaxM, lord_Phoenix solved it ;) very nice crackme deroko
lord_Phoenix (11. Nov 2005): very very nice crackme ;)
deroko, author (12. Nov 2005): =) tnx guys, I hope that everybody has learnt what the purpose of the tls callback is here and how it works =)
lord_Phoenix (12. Nov 2005): yep, tls here is the main thing in the protection =)
deroko, author (12. Nov 2005): yap, a little knowledge about debugging is required =) how does olly stop at ep? also you could just erase tls from de in oh =) cheers
lord_Phoenix (12. Nov 2005): most curious thing is ur nanomitez
deroko, author (05. Dec 2005): I've decided to post the full src (inc/engines), here it is: hxxp://deroko.headcoders.net/brainbuster/
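The triage step MaxM said he skipped, as an added example that is neither the crackme's code nor any poster's: parse the PE optional header's data directory to see whether a TLS entry (and so a TLS callback that runs before the entry point a debugger stops at) is present, and zero that entry on an analysis copy, which is what deroko's hint about erasing tls from the optional header amounts to. The PE header used below is constructed inline; none of brainbuster's bytes are used.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # index of the TLS entry in the optional header's data directory

def _optional_header(pe: bytes):
    """Locate the optional header; return (offset, size, count_offset, dirs_offset)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        return opt, opt_size, 92, 96
    if magic == 0x20B:        # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        return opt, opt_size, 108, 112
    raise ValueError("unknown optional header magic 0x%x" % magic)

def tls_directory(pe: bytes):
    """Return (rva, size) of the TLS directory, or None when the entry is absent or zero."""
    opt, opt_size, count_off, dirs_off = _optional_header(pe)
    count = struct.unpack_from("<I", pe, opt + count_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS
    if count <= IMAGE_DIRECTORY_ENTRY_TLS or entry + 8 > opt + opt_size:
        return None
    rva, size = struct.unpack_from("<II", pe, entry)
    return (rva, size) if rva and size else None

def clear_tls_directory(pe: bytes) -> bytes:
    """Zero the TLS directory entry so the loader registers no callbacks (analysis copy only)."""
    opt, _, _, dirs_off = _optional_header(pe)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS
    return pe[:entry] + b"\0" * 8 + pe[entry + 8:]

def build_demo_pe32(tls_rva: int, tls_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections) for the demo, not the crackme's bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                   # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic .. NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (tls_rva, tls_size)
    return dos + coff + opt + b"".join(struct.pack("<II", r, s) for r, s in dirs)

if __name__ == "__main__":
    sample = build_demo_pe32(0x2000, 0x18)
    print("TLS directory:", tls_directory(sample))
    print("after clearing:", tls_directory(clear_tls_directory(sample)))
```

A non-empty result means code runs before the entry point, so set a breakpoint on the callback (or inspect it statically) before trusting what a debugger shows at EP.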