KLiZMA's CrackMe #5 (Stupid)

Download CrackMe_#5_by_KLiZMA.zip, 3 kb (password: crackmes.de)

Hola!

KLiZMA wrote another stupid crackme for you.

Rulz:
-unpack it carefully
-patch 1 byte (or 2 byte) of this crackme <-- it changed "Not patched!" to "Patched!"
-write good tutorial about...

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: C/C++

Published: 17. Feb, 2006
Downloads: 946

Rating

Votes: 6
Crackme is nothing special.

Solutions

Solution by Rambo, published 24. feb, 2006; download (1 kb), password: crackmes.de or browse.

Rambo has rated this crackme as nothing special.

Solution by EsKiMo, published 24. feb, 2006; download (10 kb), password: crackmes.de or browse.

EsKiMo has rated this crackme as quite nice.

Solution by acidflash, published 24. feb, 2006; download (64 kb), password: crackmes.de or browse.

acidflash has rated this crackme as awesome.

Solution by Kerberos, published 24. feb, 2006; download (54 kb), password: crackmes.de or browse.

Kerberos has not rated this crackme yet.

The submission of solutions is closed.

Discussion and comments

Ank83
17. Feb 2006
Hi KLiZMA!
I need some help with unpacking. I searched the web for a tutorial on unpacking SVKP 1.3x - Pavol Cerven but I didn't find any good one. All the tutorials I found led me to the same error. All of them use OllyScripts. So give me some hint on how to unpack this crackme?
I also want to ask you: is the goal of this crackme to print Patched?
Best Regards
Ank83
HMX0101
17. Feb 2006
The crackme is not packed with SVKP, it's packed with FSG
XD
Ank83
17. Feb 2006
I noticed that in Olly Dump, but I can't find the OEP! That is my problem!
HMX0101
17. Feb 2006
@KLiZMA:
Have you encrypted/obfuscated the goodboy message?
This makes it a little bit harder.
Ank83
17. Feb 2006
In Olly Dump it shows the FSG signature, but PEiD gives me SVKP 1.3x - Pavol Cerven.
HMX0101
17. Feb 2006
It's easy to unpack:

Find the JMP EAX and put a BPX there and run; now the crackme breaks at the breakpoint. Trace until these 3 jumps:

004001CD ^\78 F3 JS SHORT crackme.004001C2
004001CF 75 03 JNZ SHORT crackme.004001D4
004001D1 FF63 0C JMP DWORD PTR DS:[EBX+C]

Put a BPX on the 3rd jump, run the crackme and it breaks at the jump; now trace with F7 or F8 and you land at the OEP :D
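
Added example, not part of the thread or any poster's code: a Python script that finds the seven opcode bytes from the listing above in a memory-layout buffer and recomputes the jump addresses OllyDbg shows. The names `find_tail_jumps` and `build_sample` and the NOP-filled buffer are constructed for illustration; the 0x400000 base is taken from the addresses in the listing.

```python
import struct

# Opcode bytes of the three jumps quoted in the post above:
#   78 F3      JS  SHORT <rel8>
#   75 03      JNZ SHORT <rel8>
#   FF 63 0C   JMP DWORD PTR DS:[EBX+C]
TAIL = bytes.fromhex("78F37503FF630C")


def rel8_target(addr, insn):
    """Destination of a 2-byte short jump at addr: addr + 2 + signed displacement."""
    (disp,) = struct.unpack("b", insn[1:2])
    return addr + 2 + disp


def find_tail_jumps(image, base):
    """Locate every copy of TAIL in image and describe its three jumps.

    Assumption: image is laid out as in memory (a dump, or header bytes where
    file offset equals RVA), so an address is simply base + offset.
    """
    hits = []
    pos = image.find(TAIL)
    while pos != -1:
        js, jnz, jmp = base + pos, base + pos + 2, base + pos + 4
        hits.append({
            "js": js,
            "js_target": rel8_target(js, image[pos:pos + 2]),
            "jnz": jnz,
            "jnz_target": rel8_target(jnz, image[pos + 2:pos + 4]),
            "jmp": jmp,  # the third jump: where the post puts the breakpoint
        })
        pos = image.find(TAIL, pos + 1)
    return hits


def build_sample():
    """Constructed 0x200-byte buffer: NOP filler with TAIL placed at offset 0x1CD."""
    buf = bytearray(b"\x90" * 0x200)
    buf[0x1CD:0x1CD + len(TAIL)] = TAIL
    return bytes(buf)


if __name__ == "__main__":
    for hit in find_tail_jumps(build_sample(), 0x400000):
        print({name: f"{value:08X}" for name, value in hit.items()})
        # JNZ lands on the byte after the 3-byte JMP, so the JMP runs only
        # when both conditional jumps fall through.
        print("JNZ skips the JMP:", hit["jnz_target"] == hit["jmp"] + 3)
```
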
Ank83
17. Feb 2006
How can I find the OEP for this one ?
HMX0101
17. Feb 2006
Is it useful to unpack?
Ank83
17. Feb 2006
hm...
I found the 3 jump, put a breakpoint on it, and when I press F9 the app doesn't get to the breakpoint! It says:
Error
Don't know how to continue because memory at address F22E40B6 is not readable. Try to change EIP or pass exception to program.
I will try restarting my PC ! Maybe that's the problem.
Ank83
17. Feb 2006
no, that wasn't my problem.
Ank83
17. Feb 2006
It crashes when the second jump (of 3) reaches this command kernel32.SetUnhandledExceptionFilter. Maybe something is wrong with my system file. (or I'm missing something).
Thanks HMX0101
HMX0101
18. Feb 2006
To avoid this you can use the UnhandledExceptionFilter 0.22p or HideDebugger plugins.
KLiZMA
Author
18. Feb 2006
Very interesting fighting in these comments...
EsKiMo
18. Feb 2006
You can make OllyDbg show you the OEP by selecting "Trace real entry bytewise (very slow!)" in the SFX tab (Debugging options).
crazysky
18. Feb 2006
Why did my replies disappear?
Ox87k
18. Feb 2006
No problem with unpacking, but... KLiZMA u made a very g00d j0b! I'm having difficulty finding the real byte to patch... I don't understand very well, so ur crackme makes me confused! =|
zairon
Moderator
18. Feb 2006
To crazysky:
>Why did my replies disappear?
You surely broke one of our rules.
jB_
18. Feb 2006
Same for me, sorry for my previous message which gave really too many tips... I almost gave the solution.
Writing tips for this crackme without giving all is not easy.

Another try:
Ox87k : 'Not patched!', 'Patched'... Think about it. KLiZMA said "patch 1 byte (or 2 byte)". Why? =)
HMX0101
18. Feb 2006
I think that the goodboy message has been encrypted/obfuscated,
and this makes it a little harder.
kemp
18. Feb 2006
Sent my solution for this.... not sure if it's the correct way to patch it but.... it works! and only 2 bytes ;-)
crazysky
19. Feb 2006
It is just changing the beginning address of "Not patch!" to point to the "p" character!
Ox87k
19. Feb 2006
crazysky has had the same idea as me (only 1 byte) =) but I think it's wrong...
I'll wait for some solution! (thanks klizma and jb!)
crazysky
21. Feb 2006
Ox87k, why did you think my idea is wrong?
Can you show me?
Ox87k
21. Feb 2006
It's my thing! I'm not sure that this way is correct but... try ;) I'm waiting for the solutions!
HMX0101
21. Feb 2006
my way to beat this crackme is very lame and maybe the solution can be rejected XD
HMX0101
21. Feb 2006
SOME BYTES modified (not 1 or 2, various) XD
HMX0101
24. Feb 2006
my solution has been rejected because of too many solutions XD
HMX0101
24. Feb 2006
I'm waiting for crackme #6 XD
Ox87k
24. Feb 2006
None of the unpacked solution files work for me. Crash! I have WinXP SP1.. however my and crazysky's idea is right =)

Seems to be too stupid to be true! ehehe!! I'm waiting for crackme #6 ;)
