1 byte puzzle


evaluator
March 8th, 2004, 15:29
change 1 byte only

disavowed
March 8th, 2004, 17:48
I guess it's not the correct solution, but I know how to get rid of the nag by changing one byte:
change the byte at file offset 0x000000a8 (assuming the first byte of the file is at offset 0x00000000) from 0x00 to 0x15

evlncrn8
March 8th, 2004, 18:26
Quote:
[Originally Posted by disavowed]i guess it's not the correct solution, but i know how to get rid of the nag by changing one byte:
change byte at file offset 0x000000a8 (assuming first byte of file is at offset 0x00000000) from 0x00 to 0x15



heh that's what I was thinking, couldn't find any other way to do it
I thought it'd be something to do with messing with eax in the line for the messagebox
like xchg ah,al so it pointed to the string (and not using the 2nd mov eax,blah) but no go.. not in 1 byte anyhow

disavowed
March 8th, 2004, 18:48
maybe evaluator mis-translated "two" as "one" :P

SiNTAX
March 8th, 2004, 19:31
Solved... 1 byte indeed

PM'ed the solution to eval.

ZaiRoN
March 8th, 2004, 19:58
Hi All,
SiNTAX was right... only 1 byte! Very funny puzzle game

good luck
Zai

TQN
March 9th, 2004, 01:27
Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg). "registered" string will also be changed to "Registered".
TQN

evlncrn8
March 9th, 2004, 01:44
Quote:
[Originally Posted by TQN]Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg). "registered" string will also be changed to "Registered".
TQN



dammit I was close on the xchg ah,al thing.. I'm just getting rusty in my old age heh

evaluator
March 9th, 2004, 02:13
SiNTAX PM-ed at 12:31 AM

ZaiRoN at 12:53 AM

.. i'm cryyyy

SiNTAX
March 9th, 2004, 04:01
Quote:
[Originally Posted by TQN]Change the B8 byte at 00401009 to 86. (Use Binary-Edit in OllyDbg). "registered" string will also be changed to "Registered".
TQN


Tsssk.. now you've spoiled it for the rest!

ZaiRoN
March 9th, 2004, 07:36
Hi TQN,
why have you written the solution so soon? Now, no other will try the puzzle anymore...

evaluator
March 9th, 2004, 07:41
In addition, an easier 1 byte puzzle, for newbies.

R@dier
March 9th, 2004, 12:44
change [eax+10] to [ESI +10]
at offset 210h change 50 to 56


That was a bit of fun

Best Wishes
R@dier

evaluator
March 9th, 2004, 12:54
Next (de)Generation of 1 byte puzzle..
yep, about 5 hours I trashed, but it seems
not so many will be required for solving..

Who will first!?

evaluator
March 9th, 2004, 12:59
in newbies-puzzle:
I was Zairon
II was R@dier

but because R@dier is more newbie, he WON!!

Kayaker
March 9th, 2004, 13:34
Quote:
[Originally Posted by ZaiRoN]Hi TQN,
why have you written the solution so soon? Now, no other will try the puzzle anymore...


No kidding eh? How about if someone wants to post a solution (nothing wrong with that per se), they write it in ROT13? Those who want the solution, have it. Those who don't, only see gibberish. Plus it avoids posting simple 1 byte zipped solutions as well.

http://rot13.com/


OK 1-bite wizard?

ZaiRoN
March 9th, 2004, 14:00
Maybe you misunderstood me; I don't want to stop people from posting solution, they can post it but not so soon...
Btw, a rot13 solution is perfect ;-)

evaluator
March 9th, 2004, 14:17
ya, in fact, it will be better if you PM me the solution, so more people will be interested
in solving it..

evaluator
March 9th, 2004, 17:24
wooh!?

4 hours have passed & yet nobody has solved it?
i feel ~8-)

btw, Zairon, this one is for all, not only for newbies.
Don Wooma...

ok, i'm going to sleep; in PM i have 16 free place.
good luck..

ZaiRoN
March 11th, 2004, 07:25
Well, this new puzzle is not as easy as the previous ones. A simple glance at the instructions doesn't help me find the damned byte. Maybe we can choose another way.
What about a brute-force approach? We know that, at 40106D, edx should be 401090, so we will start changing a single byte from 401018 to 401068. The scheme will be something like this:
Code:
install seh

@loop:
change the current byte ; the current byte will take values from 00h to FFh
jmp @puzzlecode
@incByte:
inc the current byte
if <current byte has taken all the possible values>
jmp @nextByte
else
jmp @loop

@nextByte:
restore the current byte with the original value and choose the next one (put it to 00h)
if <address of the current byte> == 401069
byte not found...
game over
else
jmp @loop

@ok: ; we have found the byte
remove seh
print the offset and the new byte
game over...

@puzzlecode:
xor ebx, ebx
mov eax, 402010
mov edi, 40107A
lea edx, [eax+10]
@401018:
<<< the modified code from puzzle.exe >>>
if edx == 401090
jmp @ok
else
jmp @incByte

seh_handler:
the "safe place" will be @incByte, nothing more...

An SEH is necessary because we don't know what will happen when a single byte is changed...
These are only some ideas floating in my mind; I don't know if it's really possible to write something like that but... who cares ;-)

Later,
Zai
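The search loop sketched above, written out in Python as an added example; it is not ZaiRoN's code, nor anything from the puzzle. The values that are on the page (the 401018..401068 range, the expected edx of 401090, the eax/lea setup) are used as given; the 0x401000 buffer base, the toy two-byte instruction set and its "shipped" program are constructed stand-ins for puzzle.exe. The SEH handler that lands at @incByte becomes a try/except around each candidate run, and the candidate runs inside an ordinary function instead of in the live process, which is what keeps a faulting mutation from taking anything else down with it.

```python
from typing import Callable, Optional, Tuple

# Values taken from the post: byte range to mutate, start of the puzzle
# code, and the edx value that marks success at 40106D.
RANGE_START = 0x401018
RANGE_END = 0x401068          # inclusive ("from 401018 to 401068")
WANT_EDX = 0x401090
IMAGE_BASE = 0x401000         # assumption: index 0 of the buffer is 0x401000
EDX_INIT = 0x402010 + 0x10    # from "mov eax, 402010 / lea edx, [eax+10]"


def search_single_byte(code: bytearray,
                       run: Callable[[bytes], int],
                       base: int = IMAGE_BASE,
                       lo: int = RANGE_START,
                       hi: int = RANGE_END,
                       want: int = WANT_EDX) -> Optional[Tuple[int, int, int]]:
    """ZaiRoN's loop: for each address lo..hi, try every value 00h..FFh,
    run the patched code, and restore the original byte before moving on.
    `run` stands in for the puzzle code; it returns the final edx or raises
    where the real code would have faulted (the case the SEH handler catches
    by jumping to @incByte). Returns (address, original, patched) or None."""
    for addr in range(lo, hi + 1):
        idx = addr - base
        original = code[idx]
        for value in range(0x100):
            if value == original:
                continue                  # that is the unmodified puzzle
            code[idx] = value
            try:
                if run(bytes(code)) == want:
                    code[idx] = original  # leave the buffer as we found it
                    return addr, original, value
            except Exception:
                pass                      # fault -> "safe place" @incByte
        code[idx] = original              # @nextByte
    return None                           # "byte not found... game over"


# --- constructed stand-in for puzzle.exe -----------------------------------
# A two-byte-per-instruction toy machine with a single register (edx).
# Any byte that is not one of these opcodes raises, which models the
# access violation / illegal instruction the real brute force would hit.
OP_ADD, OP_SUB, OP_SUBHI, OP_ADDHI, OP_RET = 0x01, 0x02, 0x03, 0x04, 0xC3


def toy_run(code: bytes, entry: int = RANGE_START - IMAGE_BASE) -> int:
    edx = EDX_INIT
    pc = entry
    while True:
        if pc + 1 >= len(code):
            raise RuntimeError("ran off the end of the code")
        op, imm = code[pc], code[pc + 1]
        if op == OP_ADD:
            edx += imm
        elif op == OP_SUB:
            edx -= imm
        elif op == OP_SUBHI:
            edx -= imm << 8
        elif op == OP_ADDHI:
            edx += imm << 8
        elif op == OP_RET:
            return edx & 0xFFFFFFFF
        else:
            raise RuntimeError(f"illegal opcode {op:02x} at {IMAGE_BASE + pc:x}")
        edx &= 0xFFFFFFFF
        pc += 2


def shipped_code() -> bytearray:
    """Constructed 'puzzle': subtract 0F00h, then ADD 90h (the bug), then ret.
    Turning the ADD into a SUB at 40101A is the one-byte change to be found."""
    code = bytearray(0x70)                    # 0x401000..0x40106F, all illegal
    program = bytes([OP_SUBHI, 0x0F, OP_ADD, 0x90, OP_RET, 0x00])
    code[0x18:0x18 + len(program)] = program  # placed at 0x401018
    return code


def demo() -> Optional[Tuple[int, int, int]]:
    return search_single_byte(shipped_code(), toy_run)


if __name__ == "__main__":
    found = demo()
    if found is None:
        print("byte not found... game over")
    else:
        addr, old, new = found
        print(f"{addr:08X}: {old:02X} -> {new:02X}")
```

The search order matters for what gets reported: it walks addresses from 401018 upward and values from 00h upward, so the first hit is the lowest-address, lowest-value single byte that satisfies the edx check, not necessarily the "intended" one. Restoring the byte after every address is the step that is easy to forget and that turns a one-byte search into a many-byte one.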

Harding
March 11th, 2004, 15:03
The brute-force method did NOT work.
I wrote an ollyscript that would do that...
In the beginning it went well but after a while I (think!) hit the CALL or the JCC instructions and the whole computer went crazy.

I think using your brain would be the best solution.

/Harding

Foreigner
March 11th, 2004, 15:42
Hello Harding,
can you post your script? I have never tried to write an ollyscript and I would like to see an example.

foreigner

ps.Have you solved the puzzle?

evaluator
March 11th, 2004, 18:02
hm..

brute-force looks quite non-humanistic.

-io protesto

Harding
March 11th, 2004, 20:09
Foreigner: Well, when I realized that my 5+ hours of work had been a total waste of time, I deleted the script (since it's useless, why keep it?)
But there are some very good scripts at hxxp://ollyscript.apsvans.com

Eval: Has anyone found the solution yet? If not, can't you give us a tip?

ZaiRoN
March 12th, 2004, 06:01
Quote:
[Originally Posted by evaluator]hm..
brute-force looks quite non-humanistic.
-io protesto
As you wish :-)

evaluator
March 12th, 2004, 14:26
nobody yet PM-ed me.
want we call all-world reverserz?

in help i can say:
1.tool i used - HIEW, so use it
2.there is NO garbage code inside.

Harding
March 17th, 2004, 07:09
Ok Eval. I give up, what is the solution?


/Harding

klier
March 17th, 2004, 15:26
please wait...

suggestion : put a deadline on it,like april the first.

Regards,

evaluator
March 17th, 2004, 17:36
I posted it on http://board.anticrack.de.
Lets see.
If it is not solved there either, then I will upload it also on cracmes.de..

klier
March 18th, 2004, 12:05
because i cannot PM

255h : 8D --> 71

Regards,

doug
March 18th, 2004, 12:33
good job klier.

(& eval too)

evaluator
March 18th, 2004, 13:50
HECK-ME!

In fact klier's unusual solution eliminated my unusual failure!
Because I coded it for a more tricky solution in another location...
I'm quite sad for my failure..
BTW! try again to find my solution (now of course it will be easier)

Harding
March 18th, 2004, 14:29
Klier: Great job! May I ask how you found this one?

Anyone know why I get "evaluation" when I step through the code but "registered" when I run it?

klier
March 18th, 2004, 16:12
25Eh : 8D-->3C|70|72|75|77|78|7B|7C|7F|A8|B1

Regards,

doug
March 18th, 2004, 19:23
Quote:
[Originally Posted by Harding]Klier: Great job! May I ask how you found this one?

Anyone know you I get "evaluation" when I step trough the code but "registered" when I run it?


the patch at 255h changes the exception handler (mov [esp+4], cl), so when icebp (int 1) at 40106C gets executed, it falls to that new exception handler (40101A), instead of the first one (40107A).

when you trace (presumably with olly?), the exception handler won't get executed.

evaluator
March 19th, 2004, 06:20
klier, Congratz!

You finally solved it.
0040105E > 75h is my default.

Harding
March 19th, 2004, 07:35
doug: Ok, thanks for the explanation. So with Olly I can't let the program take care of the exception?
Usually when an exception occurs, Olly pauses and lets me choose what to do, why not now?

klier: How did you find this one?

eval: This is fun, you don't have anything more to play with?

klier
March 19th, 2004, 09:03
Harding
>>"I think using your brain would be the best solution."
followed your advice and evaluator's to use hiew.

I saw the shr dx,1 and the or dl,-080 but when I tried to change a byte to make the code do that I always jumped into oblivion or exitprocess. (me newbie, hobbyist)

Asked myself: how and where is edi used (40107A, exitprocess) and how to change it.
And with a little luck and 'lightning-struck'... found a solution.

Maybe not sufficient as an explanation but I don't have much time right now.
Have to spread manure on the field (not mine, horsies)

Regards,

evaluator
March 19th, 2004, 18:04
Puzzle No3

Kayaker
March 19th, 2004, 19:01
Quote:
[Originally Posted by Harding]
eval: This is fun, you don't have anything more to play with?


Ah geez, he's got a hidden closet full of them!

klier
March 20th, 2004, 16:30
evaluator, dirti means more than Registered! in the box?

Regards,

evaluator
March 20th, 2004, 19:01
no, dirti looks..
not important crackme. work on 3.
BTW, why can't you do PM!? If some trouble, ask moderators.

dELTA
March 20th, 2004, 20:30
Quote:
Usually when an exception occurs, Olly pauses and lets me choose what to do, why not now?

Yes, I'm a bit curious about this myself. Why aren't exceptions that are caused by an int1 hooked in Olly, but rather completely ignored by both Olly and the program itself when single-stepped? Normal access violation exceptions for example are caught by Olly in both single-step and "running mode" (and you then get to choose whether to pass the exception to the program or not, as usual) but in this case neither Olly nor the program sees the exception at all?! Is this maybe a well known anti-debug trick or something like that? It would be great if anyone could give a more technical explanation for this, maybe you Eval?

doug
March 20th, 2004, 22:16
just a wild guess here, but the opcode used isn't a typical INT1 (CD 01 I believe), but instead an "icebp" as some other disassemblers decode it.

klier
March 21st, 2004, 06:13
if moderator or administrator reads this,can't PM a solution for puzzle03.

Don't know another way to ask!

Regards,

klier
March 21st, 2004, 06:24
OK,problem solved.

Regards,

dELTA
March 21st, 2004, 06:53
Quote:
[Originally Posted by doug]just a wild guess here, but the opcode used isn't a typical INT1 (CD 01 I believe), but instead an "icebp" as some other disassemblers decode it.

Ok, good start, but how come neither the program nor Olly sees this exception when single-stepping, but the program indeed gets it when running normally? That was the kind of technical explanation I was looking for. Eval, or someone else, enlighten us!

klier
March 21st, 2004, 08:29
in olly,

do a bpxint1 and you get the exception.
shift F9 and --> registered.

google on icebp.


Regards,

evaluator
March 21st, 2004, 08:47
OK, klier solved.

**
requested "technical explanation":
When you are "single-stepping" on an F1h opcode (or INT01 when it has R3-privilege),
debuggers eat this exception, because they themselves are waiting for their own single-step exception.
This is a common debuggers' fault, which does not happen in OUR tracerZ

So, for an exact result, when you meet an F1h opcode (or INT01..),
do not press the F8 key on it (for SICE), but instead:
locate the SEH address, set a BPX there & close the debugger's window by CTRL-D.
then the debugger will break & you'll be happie

..shame(le) to you..

**
[when the un-cracked crackme runs, it does not trigger the exception.]
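A small scan for the trap encodings doug and evaluator mention (F1h decoded as icebp, CD 01h as the regular INT 01, with the INT3 forms for contrast), as an added Python example that is not from the thread. Its purpose is the defensive one evaluator describes: know where the single-step trap sits before tracing, so the breakpoint goes on the SEH handler rather than on F8. The sample image is constructed from the instruction sequence quoted in the thread plus one deliberate false positive; a linear byte scan is not a disassembly, and an F1h that is really part of an immediate or a displacement is reported just the same, which the demo shows.

```python
from typing import List, Tuple

# Opcode patterns named in the thread: F1h (icebp, shown by some tools as
# INT1), which a stepping debugger swallows, and CD 01h (INT 01). The INT3
# encodings are included for contrast: those a debugger does report.
TRAP_PATTERNS = (
    (b"\xF1", "icebp / int1 (F1)"),
    (b"\xCD\x01", "int 01 (CD 01)"),
    (b"\xCC", "int3 (CC)"),
    (b"\xCD\x03", "int 03 (CD 03)"),
)


def find_trap_opcodes(image: bytes, base: int = 0x401000) -> List[Tuple[int, str]]:
    """Linear byte scan; returns (virtual address, description) for every
    match. This is NOT a disassembly: an F1h or CD 01h that is really part
    of an immediate or displacement is reported too (see the demo)."""
    hits: List[Tuple[int, str]] = []
    for i in range(len(image)):
        for pat, name in TRAP_PATTERNS:
            if image.startswith(pat, i):
                hits.append((base + i, name))
                break
    return hits


# Constructed sample following the instruction sequence quoted in the
# thread; the final `mov eax, 0F1h` exists only to show a false hit.
SAMPLE = bytes.fromhex(
    "33DB"            # 401000: xor ebx, ebx
    "B810204000"      # 401002: mov eax, 402010h
    "BF7A104000"      # 401007: mov edi, 40107Ah
    "8D5010"          # 40100C: lea edx, [eax+10h]
    "F1"              # 40100F: icebp
    "CD01"            # 401010: int 01h
    "B8F1000000"      # 401012: mov eax, 0F1h  (the F1 at 401013 is data)
    "C3"              # 401017: ret
)


def demo() -> List[Tuple[int, str]]:
    return find_trap_opcodes(SAMPLE)


if __name__ == "__main__":
    for addr, what in demo():
        print(f"{addr:08X}  {what}")
```

The third hit, at 401013, is the immediate of the `mov eax, 0F1h` and is not a trap at all; a real triage pass would confirm each candidate in a disassembler before setting breakpoints around it.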

klier
March 22nd, 2004, 06:29
have a riddle of my own:

which byte, 1 (one), do you have to change in dirtiPuzzle to get this message from a virus scanner (if you have one):

virus alert:
'Source: D:\dirti\dirtiPUZZLE.exe
Click for more information about this virus : Bloodhound.W32.EP'

Regards,

evaluator
March 22nd, 2004, 10:33
I don't use any anti-virus;
it probably depends on each anti-virus;

evaluator
March 24th, 2004, 06:59
Puzzle 04
corrected, try again

evaluator
March 24th, 2004, 15:12
klier again solved puzzle04 in his own way. Try other ways also.
what can I say? this puzzle sux (not well tested):

evaluator
March 24th, 2004, 18:37
well, klier also found other ways, include my default.
good buy

who also want be good buy!?

klier
March 24th, 2004, 19:50
i'm choked, a buy?

evaluator
March 25th, 2004, 04:18
boy, boy.. soorri

evaluator
March 29th, 2004, 04:30
easy puzzle05 on MBox theme.

evaluator
March 29th, 2004, 06:45
bene, ZaiRon solved it quickly.