
Devoney's CrackMe 3.0
Download crack3.zip, 7 kb (password: crackmes.de). Browse contents of crack3.zip.
Intro:
Difficulty: 4 - Needs special knowledge
Solutions
Solution by _ninar1_, published 02. dec, 2007; download (1318 kb), password: crackmes.de or browse.
_ninar1_ has rated this crackme as quite nice.
Discussion and comments
z01b 04. Nov 2007 | \Windows\ApiPort |
Devoney Author 04. Nov 2007 | What do you mean by Windows ApiPort? I did not use other people's software, if that is what you mean. |
z01b 05. Nov 2007 | is the location:) |
DigitalAcid 05. Nov 2007 | I seem to be stuck in an infinite loop :(. |
DigitalAcid 05. Nov 2007 | Interesting crackme, but I'm not good enough yet to solve it (I see the start and the finish but not the route in between, or at least not the right one). Can't wait to see a solution for this. |
Devoney Author 06. Nov 2007 | Reply to DigitalAcid: I cannot wait for a solution for it either. There really is no infinite loop that I know of... You could have created it yourself; a little piece of the program is self-modifying. Reply to z01b: No, the location is not ")" without quotes. (Only one universal location format would be logical... <- that's a hint) |
DigitalAcid 06. Nov 2007 | Yes, I created the loop, but that's because I wanted to skip the "No security code found" message. It happens because it keeps checking if AL == CC and it does... It seems we have to put some opcodes in the crackme (which are also used in the algo =) ), but I have no idea which ones. Then it'll do some encrypting on a text which should then be the solution or so :|. |
Devoney Author 06. Nov 2007 | You are dealing with the program in the wrong way... You have found one of the security checkpoints.... Now you have to deal with it ;) and I am not going to spoil the idea of the loop you just mentioned. Good luck. P.S. There are no rules to crack this one. Patch all you want and even bruteforce the app if you want... (which is possible.. but watch out for the nasty debug/patch trick ;) ) |
Devoney Author 11. Nov 2007 | Still no one came up with a solution? Guess this one is quite hard then. Though the algorithm isn't that long... |
red477 13. Nov 2007 | Devoney, hello, the story is good, but the crackme is not, I think. You leave too much unknown code and data for us to GUESS. I said GUESS because I don't think there is a way out in the crackme by deduction. As to bruteforce (it is just another way to guess) and patch, I can not find an aesthetic way for it either :( |
red477 13. Nov 2007 | Devoney, sorry for my complaints. In fact I am just asking for more clues;) Maybe I should do this in private. I am still working on it, anyway. |
Devoney Author 13. Nov 2007 | Here are some clues: 1. I have used 2 ways to execute functions, just to confuse the cracker. 2. The bytes created at runtime, and written near the Entry Point, are based on a very small algo which uses your security code. Check out the second way the program executes functions, that should help. 3. The way you have to put in the security code is quite easy. Once you have found out how, you must know that OllyDbg has a little issue with the returned data of the function that reads the security code (maybe other debuggers too, but that I don't know). It was quite a struggle for me to code it; by accident it has become an anti-debugging option, but it was not the purpose. You can check this problem out quite easily. Tip: Once you have the correct password and execute the program in the debugger, it still will raise an exception error, or a "Don't send" error in Windows. 4. Patching is not always an option since the "location message" is based on bytes in the program. You really must know what to patch... (see hint 3). Is this better ;)? Hopefully. If you need more then just post a little comment. If you want to discuss things which you already found out, then PM me! |
Devoney Author 13. Nov 2007 | Oh yeah, just to spare you stubborn guys a hard time. There is one "bug"/"design problem". DON'T RENAME THE PROGRAM. (If you check out why, then this is an additional hint for hint 3 in the previous message.) Another hint: the story is about an EXACT location.. It would be logical if this location was in a universal format so everybody could look it up easily... ;) This one is supposed to be hard, but I did not know how hard it is for experienced reversers to finish this one. I have spent approx. 40-50 hours on creating the idea, programming and testing the app. |
Zaphod 13. Nov 2007 | I just don't get it! At some point I come to this line: mov dl, byte ptr ss:[ecx+eax] At this moment ecx = 0, eax = 401067. Then I would expect dl to get the value of byte ptr [ecx+eax], that is, byte ptr [401067] after execution of the command. A few lines above I can see that the content of 401067 is 90h (nop). Nevertheless dl = CC when that line is executed. How is that possible? What IS it with that ss before [ecx+eax]? If this is part of the nasty debug/patch trick, it really is nasty :) |
merker 14. Nov 2007 | Nothing readable matches with "SUB EBX, 3EB63F3B". Or is it a very, very, very wrong way to solve it ? |
Devoney Author 14. Nov 2007 | To merker: This is not the way to deal with it.... You could try though. But it is about an exact location... Not like there is any readable, understandable message you could guess. If you have created readable matches, a 0 could also be a 1, 2, 3, 4 or 5, or a B could easily be a C or D. To Zaphod: You should first discover what CC is about. And why is 401067 90h (NOP)? Probably because you patched the code. Patching is tricky with this crackme though... The location is based on bytes in the program. So if you patch a wrong byte which is needed for the location then you still have no solution. Good luck to you all; any problems, then let me hear it. |
Zaphod 14. Nov 2007 | Devoney, I know what CC is about - and I haven't patched anything, at least not in the version I'm working with right now. So I feel rather mystified... |
__imp__ 14. Nov 2007 | @Zaphod: Obviously, you placed some breakpoints and that's why you see CC where it shouldn't be. Anyway, this procedure does nothing except for antidebug. |
Zaphod 14. Nov 2007 | @__imp__: Nope - no breakpoints at all! But I'll explain exactly another thing that mystifies me. In the hope that someone can explain what is wrong. Just to be absolutely sure I downloaded a new and fresh version of crack3, loaded it in Olly and started stepping F8. When I arrived at "0040102D JGE SHORT crack3.00401047" I changed the sign flag from 1 to 0 to make sure the jump was taken. Pressed F8 to jump, changed the sign flag back to 1 just to be absolutely safe - and went on stepping F8. When I got to "00401062 CALL crack3.0040121C" I tried executing this call in two different ways: 1. F8 to step over the call. This resulted in an exception. 2. F7 to step into the call. Then ctrl-F7 to animate through most of the loop ( 155h bytes ). Stopped with F12 when the loop was almost done and finished manually. This way the call was executed without exceptions. I just don't understand how this can be! Help :) |
__imp__ 14. Nov 2007 | Yes, it happens exactly as you described (and in IDA too). It looks like some area after 401005 is overwritten, but this can't happen. I have no explanation :( Any ideas? |
DigitalAcid 14. Nov 2007 | Why can it not happen? When the loop hits the return, it goes back where it got called from (after the call) which leads to some algo to modify the code... 99.9% of the time the self-modifying code will be wrong, because the input is wrong (aka the security code). |
_ninar1_ 14. Nov 2007 | "99.9% of the time the self-modifying code will be wrong." And 0.001 % it works :D I got that right self-modified code. When I have time tomorrow I will do the last view on it :D |
Zaphod 14. Nov 2007 | I think I MAY have found an explanation. It seems that Olly sets a one-shot breakpoint at the line after a call, and removes it immediately after the call has finished. Just some internal Olly mechanism, as far as I can see. Normally this doesn't matter, but the call to 40121C checks for breakpoints! |
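Zaphod's explanation above describes a debugger's step-over planting a temporary INT3 at the return address, and the crackme's routine noticing it. The C snippet below is an added example, not code from the crackme or from anyone in this thread: it models that interaction on a constructed byte array, with the byte-for-byte 0xCC scan the thread describes next to a checksum comparison, which is what a protection normally uses because 0xCC can also be a legitimate immediate. The code bytes, the FNV-1a checksum and the function names are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a small code region (not the crackme's bytes):
   push ebp / mov ebp,esp / CALL rel32 at offset 3 / nops / pop ebp / ret. */
#define CODE_LEN 16
static const uint8_t ORIGINAL_CODE[CODE_LEN] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x10, 0x00, 0x00, 0x00,   /* return address = offset 8 */
    0x90, 0x90, 0x90, 0x90, 0x5D, 0xC3, 0x90, 0x90
};

/* The check the thread describes: compare every byte with INT3 (0xCC). */
size_t count_int3(const uint8_t *code, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC) hits++;
    return hits;
}

/* 0xCC can also be a legitimate immediate or displacement, so a protection
   usually compares a checksum of the region against one taken from the clean
   image. FNV-1a 32-bit here; the crackme's own algorithm is not known. */
uint32_t fnv1a32(const uint8_t *code, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) { h ^= code[i]; h *= 0x01000193u; }
    return h;
}

/* What a debugger's "step over" does: plant a one-shot INT3 right after the
   CALL so it regains control when the callee returns. E8 rel32 is 5 bytes. */
void simulate_step_over(uint8_t *code, size_t call_off) {
    code[call_off + 5] = 0xCC;
}

/* 1 if the region looks untouched, 0 if either check trips. */
int region_is_clean(const uint8_t *code, size_t len, uint32_t expected) {
    return count_int3(code, len) == 0 && fnv1a32(code, len) == expected;
}

int main(void) {
    uint8_t live[CODE_LEN];
    uint32_t good = fnv1a32(ORIGINAL_CODE, CODE_LEN);  /* from the clean image */
    memcpy(live, ORIGINAL_CODE, CODE_LEN);
    simulate_step_over(live, 3);                       /* F8 over the CALL */
    printf("after step-over: clean=%d, int3 bytes=%zu\n",
           region_is_clean(live, CODE_LEN, good), count_int3(live, CODE_LEN));
    return 0;
}
```

Stepping into the call with F7 instead leaves no INT3 behind in the region, which is why Zaphod saw the exception only with F8.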
jE! 16. Nov 2007 | Hello, friends! I discovered that code snippet which is written at 401005h.. wait a little, if I discover other things.. or cooperate then.. |
Devoney Author 16. Nov 2007 | Nice that you have found what needs to be written. Do you understand what it is based on? |
jE! 16. Nov 2007 | No, not understood.. but I get nothing on the string for the msgbox.. can't get a clean English string.. :( |
DigitalAcid 17. Nov 2007 | Yeah, the self-modifying code at 401005 is based on ESI, which is the sum of every character in the security code... Btw, if we are allowed to patch, we can jump to the goodboy, but then again, we didn't find the security code =). |
Devoney Author 17. Nov 2007 | You may do what you want. Your virtual mission is to obtain the correct/exact location where the goods should be delivered. You can jump to the goodboy message but you skip a lot of code which the message depends on. |
jE! 17. Nov 2007 | can be "Krasnoiarsk" location? |
Devoney Author 17. Nov 2007 | Can you send the FBI or CIA to krasnoiarsk? |
jE! 17. Nov 2007 | Before that I need to write a TUT paper for them! Oh, money-money! So, IS the location correct & CAN I start writing the tut!? |
Devoney Author 17. Nov 2007 | Is that the text you get? No, it is not right. The FBI has fired you. It cost a lot of money, time and manpower to initiate the operation. All for nothing. More importantly, it has gained publicity and it is now known worldwide what the FBI was doing there. All the terrorists have probably fled by now.... |
Devoney Author 17. Nov 2007 | Bloody Hell, I discovered a bug... My apologies... This should be changed: 004012EE . 81EB FDF57807 SUB EBX,778F5FD to 004012EE . 81EB FFF67807 SUB EBX,778F6FF Consequences: No major consequences. What you were trying to reverse will not be changed. Only 2 characters in the final message were changed by this... (Could be a hint.) I will post a new executable. Sorry for the inconvenience. Again, if you would have already cracked to the final message then you would know you did right... I designed it the way it was supposed to be... but I did not use the right calculation.. I am ashamed. |
TiGa 17. Nov 2007 | Crackme updated with the new version. |
jE! 18. Nov 2007 | By invisible international crackme rules, STRINGs (msgbox captions, command lines) must be ANSI bytes.. (0Dh,0Ah can be for msgbox strings..). I think you break this rule. Is it TRUE? For example, use of that corrected dword: mov [403020], ebx ; sub ebx, 0778F6FFh ; mov [40301C], ebx 1 from 8 chars will NOT be ANSI, yeEE?? About 'sub ebx, 3EB63F3Bh' already warned. |
Devoney Author 18. Nov 2007 | Yeah, could be. Just needed to complete the text; it contains not only alphabetic characters... Did not know of that rule. Sorry if I broke that rule... www.asciitable.com provided me with the data ;) |
jE! 18. Nov 2007 | OK, look here.. at least, are those command-line first 8 chars ANSI? Or what.. |
merker 18. Nov 2007 | I assume the crackme is unsolvable because the message may contain chars in its full range from 00h to FFh. This means that every solution could be the one and only solution because a test of 'readability' will always fail. |
_ninar1_ 19. Nov 2007 | "chars in its full range from 00h to FFh." Yep, that's true. I just wrote a bruter for the range of 00h to 7Ah but no good message, so it seems not makeable. |
Devoney Author 19. Nov 2007 | The security code is nine characters long and eight characters contain numbers from 0 to 9 and characters from a to z. One character of the security code needs to be 2d in hex. So your bruter is not coded right otherwise it would have worked. There is 1000ms of Sleep in the program. What did you do with it when you bruteforced the program? Did you patch the code concerning the Sleep function? |
_ninar1_ 19. Nov 2007 | It's not about the security code. If the message of the MessageBox has chars wide between 00h to FFh it's not solvable. |
Devoney Author 19. Nov 2007 | Is www.asciitable.com not a good reference for choosing chars? Are there wide chars in that table? Now what? Crackme useless? Too bad. With the right code it is solved ;) and writing a working bruteforcer can solve it. |
jE! 19. Nov 2007 | The bruteforcer must know the final product.. sorry (to me?;) |
_ninar1_ 20. Nov 2007 | Yep, the bruteforcer must know the final char range. @devoney ASCII and ANSI char codes you can find here: http://www.torsten-horn.de/techdocs/ascii.htm It's like www.asciitable.com. If the final product only has chars from 00h till 7F it can be bruted. |
Devoney Author 20. Nov 2007 | Why is that? If you try all possible codes for the security code then you must get a good answer. It is only harder to determine by programming if the message makes sense. |
DigitalAcid 20. Nov 2007 | So, it's better to bruteforce ESI (which is the sum of all chars in the security code) until we get something "useful"? |
__imp__ 20. Nov 2007 | @DigitalAcid: you can find this sum easily without any bruteforce. But it won't help you find the location :( |
_ninar1_ 21. Nov 2007 | The input argument is 9 chars long, uses 0-9, a-z, and ONLY one "-". A-Z also included, or only small ones? I wrote a bruteforcer that tests all possible combinations from 30-7A + one 2D. When I run that bruter I will get all possible security codes in that range, and that will be much; even with the limitation of one 2D it will push my 2x2.400 cores some days to get only all possible security codes. I will send you that code to let you see what I mean. |
Devoney Author 21. Nov 2007 | Some of you have forgotten some hints. You all have quite some brain capacity or otherwise you would not be doing this. A universal location marker is a GPS location. Which contains certain chars. Anyone can look it up. |
jE! 21. Nov 2007 | Under universal location should be meant Deg/Min/Sec; not a GPS, which contains no symbols but a DOT. |
Devoney Author 21. Nov 2007 | How can I point to a location using time? Deg is degrees? Well, that is used in a GPS, that's why there is a degrees sign in it. But why is it a problem to work with values higher than 7F (or so)? Is there any difference if you work your way to 65hex or to BAhex? |
_ninar1_ 21. Nov 2007 | "Is it any difference if you work your way to 65hex or to BAhex?" Yep, a much bigger bruter, much more useless CPU time in between; there exists more than one GP-format. |
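The exchange above between merker, _ninar1_ and Devoney turns on whether a brute-force run can recognise the right message when its format contains a byte above 7Fh. The C snippet below is an added illustration, not code from the crackme or from anyone in the thread: it contrasts the naive printable-ASCII filter with a format-aware check for single-byte Windows-1252 text of the form deg° min' sec.frac N/S, deg° min' sec.frac E/W, where the degree sign is B0h. The exact layout, the sample strings and the function names are assumptions; the coordinate values are constructed and are not the crackme's answer.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed samples (not the crackme's answer), as the single-byte
   Windows-1252 text a MessageBoxA would show; 0xB0 is the degree sign. */
static const uint8_t DMS_MSG[]   = "12\xB0" "34'56.78\" N 98\xB0" "76'54.32\" E";
static const uint8_t ASCII_MSG[] = "Krasnoiarsk";          /* readable, wrong format */
static const uint8_t JUNK_MSG[]  = "12\xB0" "34'\x07" "56.7 X 98 E";

/* The filter a naive bruter applies: printable 7-bit ASCII only. It must
   reject every correct answer, because 0xB0 lies above 0x7F. */
int all_printable_ascii(const uint8_t *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7E) return 0;
    return 1;
}

/* Number of consecutive ASCII digits starting at s[i]. */
static size_t digits(const uint8_t *s, size_t n, size_t i) {
    size_t j = i;
    while (j < n && s[j] >= '0' && s[j] <= '9') j++;
    return j - i;
}

/* One coordinate: D+ 0xB0 D+ ' D+ . D+ " SPACE hemisphere-letter.
   Returns bytes consumed, or 0 on mismatch. */
static size_t component(const uint8_t *s, size_t n, size_t i, const char *hemi) {
    size_t k, start = i;
    if (!(k = digits(s, n, i))) return 0; i += k;
    if (i >= n || s[i++] != 0xB0) return 0;          /* degree sign */
    if (!(k = digits(s, n, i))) return 0; i += k;
    if (i >= n || s[i++] != '\'') return 0;          /* minutes */
    if (!(k = digits(s, n, i))) return 0; i += k;
    if (i >= n || s[i++] != '.') return 0;           /* the "." _ninar1_ missed */
    if (!(k = digits(s, n, i))) return 0; i += k;
    if (i + 2 >= n || s[i] != '"' || s[i + 1] != ' ') return 0;
    i += 2;
    if (s[i] != (uint8_t)hemi[0] && s[i] != (uint8_t)hemi[1]) return 0;
    return i + 1 - start;
}

/* Format-aware check: "<lat> N|S <lon> E|W" and nothing else. Knowing the
   format is what makes a search over candidate messages decidable. */
int looks_like_dms_coordinate(const uint8_t *s, size_t n) {
    size_t lat = component(s, n, 0, "NS");
    if (!lat || lat >= n || s[lat] != ' ') return 0;
    size_t lon = component(s, n, lat + 1, "EW");
    return lon != 0 && lat + 1 + lon == n;
}
```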
merker 21. Nov 2007 | @Devoney : I think I've solved it via 'bruteforce with wildcards' because of 'unreadable' chars in the final message. Now I want to send the CIA to a building that looks like the letter 'H'. Is it ok? |
Devoney Author 22. Nov 2007 | Yes, typically an H! You did it. Hopefully you understand why I picked this location! That building is a science lab! |
Zaphod 22. Nov 2007 | merker: Are you writing a tutorial? I hope so... Devoney: I know very little about GPS. Is the format a longitude and a latitude? |
Devoney Author 22. Nov 2007 | Yes, in that format. I have mentioned that anyone can easily look it up! ;) (so pick a format that is widely used, Google Earth or so ;) ) |
merker 22. Nov 2007 | A real science lab? Ugh. Maybe we should ask the MI5 if Mr. Bond is available for a 'little task'. :) I will wait a little bit with my tutorial, because mostly the fun is over if a solution is available. To know what to search (format!) is the key to solve the crackme properly. |
_ninar1_ 23. Nov 2007 | K, also finished that crackme :D A freaking precision "." I missed in the beginning :( That's the yellow thing east of that H, some northeast, a very shocking place :( |
Devoney Author 23. Nov 2007 | Once finished, what do you think of this crackme? Is it nice or does it suck? |
_ninar1_ 23. Nov 2007 | Was a really cute one; the hard thing was finding the right format, the rest was test and compare in my eyes. I sent you that solution, but also waiting here to submit (reason: merker posted 3 posts above). |
jE! 09. Dec 2007 | Is there Russia at: 51°16'36.33" N 30°12'39.49" O ?? |