mucki's crackme #8

Download crackme8.zip, 396 kb (password: crackmes.de)

This is my 8th crackme (keygenme), written in MASM.

- create a keygen
- and submit a tutorial
- the serial has to work outside the debugger

Tested on WinXP, but it should also work on other Windows OSes.

Source included. Password is the valid serial for mucki.

Regards,

mucki

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: Assembler

Published: 21. Oct, 2010
Downloads: 675

Rating

Votes: 3
Crackme is quite nice.



Solutions

Solution by Vallani, published 27. Oct, 2010; download (219 kb), password: crackmes.de.

Vallani has rated this crackme as quite nice.


Discussion and comments

Voik
22. Oct 2010
This will need CRC32 bruteforce, right? It must return zero, I think.
mucki
Author
22. Oct 2010
You don't need bruteforce to solve it. The solution is a little bit different (it's more an exploit). Watch the exception handler.
Killswitch
22. Oct 2010
Having made these assumptions:

hash_x = xor hash_serial, hash_name

Z = hash_name / hash_x - V - Z = 0

hash_name / hash_x = 0 | *hash_x

hash_name = 0

This is because the serial is only accepted if eax is 0 in the end, hence Z = 0.
This would mean that the names would have to be very limited, so this doesn't seem very right to me, and the exception handler refers to mov eax, -1, which isn't accepted as a valid solution either, so I'm pretty much stuck after a long time of reversing there.

Could you tell me if this is the right way to go, please?
Killswitch
22. Oct 2010
I think I might be on the right way..
You have to manipulate the serial to overwrite the exception handler and set it to right after the mov eax, -1?
mucki
Author
22. Oct 2010
I had another address in mind. After causing an exception you should also restore the stack because it's often in a mess.
Killswitch
22. Oct 2010
Alright, so I basically managed to buffer overflow the push now and it "works" (given a good serial+name).
Trying to write the keygen now.
Vallani
22. Oct 2010
I like that KeyGenMe. Nice Work mucki.
Vallani: "OTP2tQ00@h#!@"
Solution follows after I've got some sleep. Initiating shut down sequence for me now :) .
Xspider
23. Oct 2010
So the story begins from here: 004020C8
Love this kgnme, thank you mucki :D
SasukeHa
23. Oct 2010
This is a very lame CrackMe.

Just put the same value for username and password,
for example

user: SasukeHa
pass: SasukeHa

It'd show a valid serial:
PUSH 00402000 ; /String2 = "SasukeHa"
PUSH 00402011 ; |String1 = "SasukeHa"
CALL <JMP.&kernel32.lstrcmpA> ; \KERNEL32.lstrcmp
TEST EAX,EAX
MOV EAX,10
MOV EBX,OFFSET 0040705C ; ASCII "INVALID SERIAL"
JNE SHORT 0040108B ;does user=pass ?
ADD EAX,30
ADD EBX,2 ;yes user= ebx here store test INVALID add 2 so it'd omit the 2 first letters -_- turn to VALID
PUSH EAX ; /Type
PUSH OFFSET 00407039 ; |Caption = "Information"
PUSH EBX ; |Text
PUSH DWORD PTR SS:[ARG.1] ; |hOwner => [ARG.1]
CALL <JMP.&user32.MessageBoxA> ; \USER32.MessageBoxA

Sorry, but this is one of the worst crackmes I've seen.

Turn to solved, please.
mucki
Author
23. Oct 2010
@SasukeHa: - the serial has to work outside the debugger

To get access to the source the last characters must be ==@h#!@
Voik
23. Oct 2010
Name: mucki
Serial: pgqX=w==@h#!@

Very nice crack me! Tutorial soon! (:

mucki = 03970AA6

------------------------------

00970AA6
970AA600
00A60A97

101001 100000 101010 010111
29 - 20 - 2A - 17
p - g - q - X

-------------------------------

00000003
00000300
00030000

000000 110000 000000 000000
00 - 30 - 00 - 00
= - w - = - =

------------------------------

"pgqX=w==" + "@h#!@" = "pgqX=w==@h#!@"
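The 6-bit grouping Voik walks through above is standard base64 over the hash dword in memory (little-endian) order; the following script is an added example, not code from the crackme or from any poster, and it takes the hash value 03970AA6 and the suffix @h#!@ as given in the thread. It reproduces the "pgqX" group step by step and shows that the trailing byte 03 encodes as "Aw==" in standard base64, which is why "=w==" and "Aw==" differ only in how the all-zero sextet is written.

```python
import base64
import struct

# Standard base64 alphabet (RFC 4648); index 0 is 'A', not '='.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Hash value for the name "mucki" as quoted in the thread (not recomputed here).
MUCKI_HASH = 0x03970AA6
SUFFIX = "@h#!@"


def sextets(data: bytes) -> list[int]:
    """Split bytes into 6-bit groups, zero-padding the tail to a full group,
    exactly like the '101001 100000 101010 010111' step in the post."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def trace(data: bytes) -> list[tuple[str, int, str]]:
    """Per-group view (binary, value, letter) matching the three rows in the post."""
    return [(f"{s:06b}", s, B64_ALPHABET[s]) for s in sextets(data)]


def b64_manual(data: bytes) -> str:
    """Base64 by hand: map each sextet to the alphabet, then pad with '='
    up to a multiple of four characters."""
    out = "".join(B64_ALPHABET[s] for s in sextets(data))
    return out + "=" * (-len(out) % 4)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the manual encoder against the standard library."""
    return b64_manual(data) == base64.b64encode(data).decode("ascii")


def hash_to_serial(hash_value: int, suffix: str = SUFFIX) -> str:
    """Serial = base64(hash dword in little-endian byte order) + fixed suffix.
    Little-endian order is why the post lists A6 0A 97 first and 03 last."""
    return b64_manual(struct.pack("<I", hash_value)) + suffix


if __name__ == "__main__":
    first_three = struct.pack("<I", MUCKI_HASH)[:3]  # A6 0A 97
    for binary, value, letter in trace(first_three):
        print(f"{binary}  {value:02X}  {letter}")
    print(hash_to_serial(MUCKI_HASH))  # pgqXAw==@h#!@
```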
mucki
Author
23. Oct 2010
OK, I'm sorry that I didn't really check the base64 algo, so there are many possible solutions. The password for the source is pgqXAw==@h#!@
tamaroth
Moderator
25. Oct 2010
tamaroth
ufRG+gRG@h#!@

Quite funny with the SEH manipulation, kudos for that ;-)
|CraniX|
26. Oct 2010
Name " "
Serial " "

Didn't have to crack :P
|CraniX|
26. Oct 2010
Sorry that's not outside the debugger.
