
Crackme without the usual jumps


The Diver
April 23rd, 2001, 16:31
I have written a little Crackme which should test your ingenuity pretty well. It is written with Microsoft turn-your-computer-into-a-toaster V6.0 (Visual Basic). You need to supply a password but it does not work the way you probably expect and could turn out to be much harder to crack than expected!

Get the crackme from:
http://www.arrakis.es/~ajr

Good luck!

PS. If nobody manages to crack this within a month I'll supply the source code so that you can see how the hell the thing works. (Assuming enough people have actually tried to crack it.)

vReal
April 23rd, 2001, 23:19
Hi.

Very nice crackme.
I've got the correct password but did not crack the algorithm.
I used a somewhat brute force attack. I will continue pondering
the algo but look forward to the source.

The Diver
April 24th, 2001, 00:06
I have just read your reply and seen that you did in fact use a brute force attack. I could quite easily increase the size of the password. It is rather short to protect the program, but the algorithm is, as you say, interesting.

As you liked it I will willingly publish the source once enough people have thought about what I did. We are here to learn after all. The method is pretty subtle.

vReal
April 24th, 2001, 14:22
Hi.

I said I used a "somewhat" brute force attack because with even a short password, a standard brute force approach would take way too long. Your current password has 1.400288544882e+73 possibilities. I have created a corresponding lookup table for all keys so even if you increase the password length to 50 chars, it will still take less than one hour to achieve.

However, I still believe the real challenge is to decipher your clever algorithm.

I'm still working on that. Later.

The Diver
April 24th, 2001, 16:20
I have put a new version on the web page which stops brute force attacks without first patching the code. The algorithm is in fact a little less complex and better.

Try cracking it again.

vReal
April 25th, 2001, 14:25
Hello.

I've dl'ed and begun work on the 2nd crackme.
I have decrypted a 15 char password but it does not seem to work the same as the last 6 char pass worked in crackme 1. You have successfully added a new twist to the program that has me stumped for the moment. I did not patch the brute force check you've added (I'm just living with it).

Good job & I hope others are enjoying it as well.

vReal

The Diver
April 25th, 2001, 14:51
Remember what I said about not the usual jumps? Well, you have just got to it. In the first crackme there was a fundamental error which made it easy to crack - the usual jump - oops - I compiled a preliminary version by accident. In this one, after the password is XORed, have a look at the nearest following procedure call to a Windows API. Check the registers for the parameters held there and then think a little more. It is a very special API.

I think that other crackers would like to know how you have managed to do what you have done so far and which tools you have used.

Stump the brute force protection by NOPing the call to ExitWindowsEx.

vReal
April 25th, 2001, 23:21
Hello.

I have the correct password now. From the clues that you gave me, I was able to determine that the 15th char of the password needed to be changed from 0 to 6. I must admit that this was a challenging crackme and I'm not sure if I could have completed it without the hints. Thanks for your time. Again, at the end, please post the source code.

vReal

The Diver
April 26th, 2001, 17:08
SOURCE CODE - If you send a little tutorial about how you cracked this it could help a lot of people.


Private Sub CheckPassword_Click()
Dim X&, Y&, Z&, J&, I&, P&
Dim Stri$, Char$, iHwnd$
Static Rt As Byte
'Password for x = "#128-*AGF987150"
'Real Password for text box = "#128-*AAF987150" NOTE THAT IT IS DIFFERENT. AFTER THE XOR YOU WILL GET A DIFFERENCE OF 6
'Encrypted password = ¹¨ª¯»¿ÕÔÔ¨¨¸¿¸¼
Y = Len(Text1.Text)
'Encrypt the password. This is what you followed in memory. You failed at first as this is the "-6" password
For X = 1 To Len(Text1.Text)
Char$ = Mid$(Text1.Text, X, 1)
'Arithmetic binds tighter than Xor in VB, so this is Asc(Char$) Xor (155 - X)
P& = Asc(Char$) Xor 155 - X
Stri = Stri + Chr$(P&)
Next X
'The password must be fifteen characters long (Y = 15)
'Pad out the password
If Y > 15 Then iHwnd = "¹¨ª¯»¿ÕÔÔ¨¨¸¿¸¼" + Space$(Y - 15)
If Y <= 15 Then iHwnd = "¹¨ª¯»¿ÕÔÔ¨¨¸¿¸¼"
'If it is OK make Z = 6. This is used as a parameter for SendMessage
For X = 1 To Y
I = Asc(Mid$(iHwnd, X, 1)) Xor Asc(Mid$(Stri, X, 1))
Z = Z + I
Next X
'You could add a comparison of the two strings to cause another false trail here.
'NOW REPEAT THE SAME AND MAKE P = 1
P = Z - 5 'Make P = 1
R = Z 'Globally remember the value of Z, i.e. 6.
'If you directly call the API ShowWindow on the second handle the window will display and then disappear if R <> 6
X = SendMessage(Form2.hwnd, Z, P, Form2.hwnd)
'If Z = 6 and P = 1 we have sent an Activate window message.
'This message is generally sent after OpenWindow. In this case it is the Activate procedure in VB which
'displays the window using SetWindowPos rather than ShowWindow or the VB command Show.
'The password was not OK
'X = 0 if the API fails
If X = 0 Then X = MsgBox("Try again!", vbExclamation + vbOKOnly, "BETTER LUCK NEXT TIME!")
'show the message
Rt = Rt + 1
'Too many tries so reboot the system
If Rt > 3 Then X = ExitWindowsEx(4 Or 0 Or 2 Or 1, 0) 'FAILED THREE TIMES SO SHUT DOWN WINDOWS
Text1.SetFocus
Text1.SelStart = 0
Text1.SelLength = Len(Text1.Text)
End Sub

Private Sub Quit_Click()
End
End Sub

Private Sub Form_Load()
Text1.SelStart = 0
Text1.SelLength = 9
Label4.Caption = "Handle of This Window: " + Hex$(Me.hwnd) + "h" + Chr(10) + "Handle of Second Window: " + Hex$(Form2.hwnd)
End Sub

'***************************** SECOND FORM *************************
Private Sub Form_Activate()
'This was called via the SendMessage API and not by Visual Basic
Dim str$, X&, Char$, P&
'Show the window using SetWindowPos rather than ShowWindow or the VB Show command.
X = SetWindowPos(Me.hwnd, HWND_TOP, 150, 150, 0, 0, SWP_NOSIZE Or SWP_SHOWWINDOW)
'"Well done friend" message, encrypted with a plain Xor 155 (no position term this time)
For X = 1 To 20
Char$ = Mid$("Ìþ÷÷»ÿôõþ»öâ»ýéòþõÿº", X, 1)
P& = Asc(Char$) Xor 155
str = str + Chr$(P&)
Next X

Label1 = str
Form1.Command1.Enabled = False
'This window was not called by our API so close it
If R <> 6 Then Me.Hide
End Sub

'********************* THE BAS FILE *****************
Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Public Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long
Public Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long

Public Const HWND_TOP = 0
Public Const SWP_NOMOVE = &H2
Public Const SWP_NOSIZE = &H1
Public Const SWP_SHOWWINDOW = &H40

Global R&
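The CheckPassword_Click logic above, re-implemented in Python as an added example (not code from the thread or from The Diver's crackme; function names are my own) so the two password strings in the comments can be compared without the VB6 binary. It also shows why the check is weaker than an equality test: only the sum of the per-position XOR differences is constrained, which is why a different 15th character passes as well.

```python
# Added example, not from the thread: Python mirror of CheckPassword_Click.

# Win32 values the crackme relies on (real winuser.h constants)
WM_ACTIVATE = 0x0006   # the message id Z must end up as
WA_ACTIVE = 1          # the wParam P must end up as

# The 'Encrypted password' constant from the source as Latin-1 bytes,
# i.e. "¹¨ª¯»¿ÕÔÔ¨¨¸¿¸¼"
EXPECTED = bytes.fromhex("b9a8aaafbbbfd5d4d4a8a8b8bfb8bc")


def encrypt(text: str) -> bytes:
    """Mirror the first loop: byte at 1-based position i is XORed with 155 - i.

    VB parses `Asc(Char$) Xor 155 - X` as Asc(Char$) Xor (155 - X), since
    arithmetic binds tighter than Xor.  Input longer than 155 characters
    would give a negative key (VB's Chr$ would raise too), so reject it.
    """
    data = text.encode("latin-1")          # the text box holds ANSI text
    if len(data) > 155:
        raise ValueError("password too long for the 155 - X key schedule")
    return bytes(b ^ (155 - i) for i, b in enumerate(data, start=1))


def message_params(text: str) -> tuple[int, int]:
    """Return (Z, P): the wMsg and wParam handed to SendMessage."""
    expected = EXPECTED
    if len(text) > 15:                     # 'Pad out the password'
        expected += b" " * (len(text) - 15)
    stri = encrypt(text)
    # Only the first Len(Text1.Text) positions are looked at, and the
    # per-position XOR differences are summed, never compared for equality.
    z = sum(e ^ s for e, s in zip(expected, stri))
    p = z - 5
    return z, p


def accepted(text: str) -> bool:
    """Form2 is shown only if SendMessage carries WM_ACTIVATE with WA_ACTIVE."""
    z, p = message_params(text)
    return z == WM_ACTIVATE and p == WA_ACTIVE


if __name__ == "__main__":
    for pw in ("#128-*AGF987150", "#128-*AAF987150", "#128-*AGF987156"):
        print(pw, message_params(pw), accepted(pw))
```

The string that matches the stored constant exactly gives Z = 0 and P = -5 (WM_NULL, so Form2 never activates), while the "-6" password and the variant with '6' as its last character both give Z = 6, P = 1.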