Patch...!? Debugger approach...


exctlong
October 21st, 2003, 04:30
Hi!

Please help me, show me how to patch this crackme, thanks!

The right password is : nttl

Let's patch it, make it accept any password.

it's very cool!

r4g3
October 21st, 2003, 14:48
1. unpack
2. patch:
0x12424: 301C0100
0x11A9c: BC
3. goto sleep;

ZaiRoN
October 22nd, 2003, 09:44
Hi Rage,
I think it would be useful if you showed us how to solve the crackme.
For example, have you used a specific unpacker or, have you unpacked the file manually? Why did you patch the offset at 0x12424?

Ciao,
ZaiRoN

r4g3
October 22nd, 2003, 10:54


1. unpacked with aspackdie 1.41

2.
it's a Delphi VCL app, but w/o the standard startup routines. The window is created using RegisterClassA/CreateWindowExA

CODE:00411CA1 push ebx ; lpWndClass
CODE:00411CA2 call RegisterClassA

it's (lpWndClass) ebx;
a few lines above is

mov dword ptr [ebx+4], offset sub_411B68

the WindowProc. So finally we get to sub_411A2C - the OK btn handler.
The problem here is that the MessageBox is never called w/ an unpacked app. Running the packed one again reveals that

CODE:00411AC9 call Listactns@TListActionLink@AddItem

nonsense is overwritten w/ a jmp xxxxx to some showmessage routine.
So again with the unpacked one I traced the xrefs starting from the one at the start of that stupid vcl function. That brings us back to WinMain:

CODE:00411E00 mov eax, ds:dword_4138A4
CODE:00411E05 cmp eax, ds:dword_412424
CODE:00411E0B jnz short loc_411E4B
CODE:00411E0D push offset loc_4118E0

The followed xref is push'ed after a cmp of the actual EP w/ a saved one. So the first patch at 12424 is to replace it with the new EP of the unpacked app.
The second one makes MessageBox always show "registered". It modifies
a push'ed constant back in ok btn handler.
The routine jmp'ed instead of that vcl call checks for serial validity in some perverted way and according to its results calls [ebp-4] if all is ok or [ebp+8] otherwise. [ebp-4] is that push'ed constant - a ptr to a routine placing the "serial ok" string ptr into a public variable.

3. no additional comments here :P

britedream
October 23rd, 2003, 10:35
dump at 411c30
iat=140c8 size = 19c
nop jnz at 411e0b to make prog display message
change jmp at 410b3a to 410b3d
done

ZaiRoN
October 23rd, 2003, 10:46
Hi rage,
Quote:
0x11A9c: BC

It does not work for me. I have not understood the reason why you changed the code to this particular byte, indeed.
The instruction at 411A9A moves the pointer to your serial into eax and, to always show the registered message, you can simply change the instruction into this one: mov eax, 411B60 (411B60 points to the right serial).

Hi exctlong,
what was your problem exactly?

Ciao,
ZaiRoN

r4g3
October 23rd, 2003, 11:06
:P
should have been 0x11A92

Foreigner
October 25th, 2003, 06:34
Quote:
should have been 0x11A92
r4g3, are you sure? This does not work...

Regards

r4g3
October 25th, 2003, 10:20
>fc /B unpacked.exe patched.exe
Comparing files unpacked.ExE and PATCHED.EXE
00011A93: E4 BC
00012424: 01 30
00012425: A0 1C
0001B093: E3 6C
0001B094: D5 A9
0001B0B3: 12 2F
0001B0B4: 8B BC

hmmm, it seems that I patched in 4 locations, don't remember anything about the last 2. Anyways fc doesn't lie, so this is it finally :P
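A small Python reimplementation of the fc /B comparison used above, to check exactly which bytes a patch touched and to fold adjacent bytes into the "offset: old -> new" form patches are usually noted in. This is an added example, not a tool from the thread; its sample data is constructed and carries only the three byte differences the fc listing reports.

```python
"""Byte-level comparison in the style of `fc /B`, to verify exactly which
bytes a patch changed. Added example for this thread, not code posted in it."""
from typing import List, Tuple


def byte_diff(original: bytes, patched: bytes) -> List[Tuple[int, int, int]]:
    """(offset, old_byte, new_byte) for each position that differs.
    Like fc, only the common prefix is compared; see compare_files()."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def format_fc(diffs: List[Tuple[int, int, int]]) -> List[str]:
    """One line per changed byte: 8 hex digits of offset, old byte, new byte."""
    return [f"{off:08X}: {old:02X} {new:02X}" for off, old, new in diffs]


def group_runs(diffs: List[Tuple[int, int, int]]) -> List[Tuple[int, bytes, bytes]]:
    """Merge adjacent offsets into (start, old_bytes, new_bytes) records, the
    form a patch is usually written down in (e.g. 0x12424: 01A0 -> 301C)."""
    runs: List[Tuple[int, bytearray, bytearray]] = []
    for off, old, new in diffs:
        if runs and runs[-1][0] + len(runs[-1][1]) == off:
            runs[-1][1].append(old)
            runs[-1][2].append(new)
        else:
            runs.append((off, bytearray([old]), bytearray([new])))
    return [(start, bytes(o), bytes(n)) for start, o, n in runs]


def compare_files(path_a: str, path_b: str) -> List[str]:
    """Report for two files on disk; fc also warns when the lengths differ."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    report = [f"Comparing files {path_a} and {path_b}"] + format_fc(byte_diff(a, b))
    if len(a) != len(b):
        report.append(f"FC: file sizes differ ({len(a)} vs {len(b)} bytes)")
    return report


# Constructed sample: zero-filled images carrying only the three byte changes
# that r4g3's fc output lists (the surrounding bytes are not the crackme's).
SAMPLE_ORIGINAL = bytearray(0x12430)
SAMPLE_ORIGINAL[0x11A93], SAMPLE_ORIGINAL[0x12424], SAMPLE_ORIGINAL[0x12425] = 0xE4, 0x01, 0xA0
SAMPLE_PATCHED = bytearray(SAMPLE_ORIGINAL)
SAMPLE_PATCHED[0x11A93], SAMPLE_PATCHED[0x12424], SAMPLE_PATCHED[0x12425] = 0xBC, 0x30, 0x1C

if __name__ == "__main__":
    for line in format_fc(byte_diff(bytes(SAMPLE_ORIGINAL), bytes(SAMPLE_PATCHED))):
        print(line)
```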

bl00dk@
October 27th, 2003, 14:03
Patch here:

Old -> 4060C2 0FB657FF
New -> 4060C2 0FB656FF

bl00dk@

ZaiRoN
October 29th, 2003, 18:21
Hi,
here is another way to solve the crackme, a simple loader. I did write this as a support for this thread:

http://www.woodmann.net/forum/showthread.php?t=5123

Ciao,
ZaiRoN