
V!ctor's OneDword
Download OneDword_by_V!ctor.zip, 2 kb (password: crackmes.de)
This crackme uses Self-Modified Code, but there is no SEH or
Difficulty: 2 - Needs a little brain (or luck) | Rating votes: 5
Solutions
Solution by Taddy, published 13. aug, 2008; download (1 kb), password: crackmes.de or browse.
Taddy has rated this crackme as nothing special.
Solution by [xorolc], published 12. aug, 2008; download (2 kb), password: crackmes.de or browse.
[xorolc] has rated this crackme as boring.
Discussion and comments
DigitalAcid 08. Aug 2008 | Is there no goodboy message? I mean, after we found a right password. I found a password that doesn't crash the crackme. In fact there will be more than 1 possible password if there is indeed no goodboy =).
PeterPunk 08. Aug 2008 | @DigitalAcid: If you type the right password you'll get the goodboy message: "This is rigth password!!!!!"
br0ken 08. Aug 2008 | @DigitalAcid I think you have to find a pwd that shows the goodboy. Some passwords don't crash the cme, but as said in the description, if you press check again the cme will crash.
DigitalAcid 08. Aug 2008 | Ah, I didn't quite see the goodboy, but it's there indeed =). Pressing the check button twice is because of the xor, I know :). More investigating to do...
_Ra_ 08. Aug 2008 | By way of patching, I did manage to make OneDword pop out the goodboy message. The password that I could retrieve has some non-printable characters. I believe that such a password is not what we are looking for...
br0ken 08. Aug 2008 | @_Ra_ My calculated pwd has untypable (sp?) characters too :(
PeterPunk 08. Aug 2008 | There's a typable password. I think it's unique and you just have to think a little to get it.
_Ra_ 09. Aug 2008 | Solved. Nice one!
V!ctor Author 12. Aug 2008 | [xorolc], this psw is not correct!
Ox87k 12. Aug 2008 | V!ctor, I tried [xorolc]'s password and for me it works fine :)
p1nasIAT 12. Aug 2008 | [xorolc] and Ox87k; the password has to be typeable (ASCII 0x20-0x7E) - after all we do have a textbox. Solutions with non-typeable characters are not valid. This includes [xorolc]'s solution.
br0ken 12. Aug 2008 | I think what Victor means is, the password must be typable.
Ox87k 12. Aug 2008 | @all: OK guys, but V!ctor didn't write this anywhere, so maybe next time he should be more precise: "In OneDword there is ONLY ONE right typeable password."
Xspider 12. Aug 2008 | And why didn't he say that in the RULZ?!?!
DigitalAcid 13. Aug 2008 | He did say it, but because his English is not so good, it's a bit hard to understand: "In OneDword is ONE right passwords."
V!ctor Author 13. Aug 2008 | OneXor is version 2 of OneDword.
Xspider 13. Aug 2008 | Hmmm, I'll see :)
Taddy 13. Aug 2008 | I did it :) There are 2 typeable passwords.
obnoxious 14. Aug 2008 | Awesome crackme and a great tut @Taddy
DigitalAcid 14. Aug 2008 | So, there is now a total of 3 right passwords :).
p1nasIAT 14. Aug 2008 | There are at least 4 typeable passwords (not including [xorolc]'s solution). Two of them are from Taddy's solution while the other two are quite self-explanatory looking at Taddy's code. I'll leave the mystery to you for now. I'll submit a complete solution if no one else wants the credit. Also, none of the submitted solutions are per definition correct as none of them exploit the entire solution set. This crackme can only be solved (both partly and fully) by brute-forcing. Using a bit of brains the number of possible instruction combinations can be lowered to an acceptable amount and then brute-forced to find the total solution set.
simonzack Moderator 14. Aug 2008 | I'm not that good with x86 instructions. I brute-forced through the memory to check the last bytes, whether the jump/call goes within the destination range, then checked if the serial is typable. But are there any other instructions that can somehow jump to another place?
DigitalAcid 15. Aug 2008 | Push xxx + ret = jump xxx ;)
simonzack Moderator 15. Aug 2008 | Ah, ret exploits :p
p1nasIAT 15. Aug 2008 | DigitalAcid, that won't work here because push [address] is 4 bytes in itself (which is all we have to work with). Opcode + address = 4 bytes. A ret instruction is 1 byte and so we need 5 bytes to generate these instructions.
Taddy 16. Aug 2008 | "Push xxx + ret" works here because we can change 4 bytes + there is a 0xFFC3 after the 4th byte. => our 4 bytes + 0xFF = push [address] and C3 = retn, but 0xD8 xor 0x68 (push) = 0xB0 is an untypable character.
p1nasIAT 16. Aug 2008 | Taddy - true, I was just talking from the top of my head, didn't actually remember the exact bytes there. Looking at them now, push is indeed a possibility.
Xspider 18. Aug 2008 | @Taddy Hi Taddy, I still don't know how you found this: E8 A2D1FCFF CALL 003D0260. Can you tell me please?!?!
obnoxious 19. Aug 2008 | @Xspider The location is call 400260 or jmp 400260.