
View Full Version : simple crackme without validation button


atlas
May 20th, 2004, 07:39
lol

Am I constrained to use Windasm on this crackme, or am I able to use Sice to do the same job?
If I can find it with Sice, how?
In which case do I not have to use Sice?

Here is the answer to this simple crackme: 3625043

prdx_LT
May 26th, 2004, 05:14
tutorial for total newbies

atlas
May 26th, 2004, 14:54
Yes, but you don't really answer my question.
Finally I have found another, more complicated way with Sice...
I am looking for any tricks to break inside Sice even if I don't have a validation button.
I have found this way:
1/ bmsg handle WM_KEYDOWN
2/ s 0 l ffffffff 'false code'
3/ bpr with the results of step 2/
At once I land near the solution, but I am lucky to find it like this. In my opinion WM_KEYDOWN is not reliable.

prdx_LT
May 26th, 2004, 17:36
I'm not good at using Sice, so I don't even know how to find the correct way... I know that's bad but... so I found the correct way using tools that I know :/

OorjaHalT
May 27th, 2004, 03:32
Quote:
[Originally Posted by prdx_LT]I'm not good at using Sice, so I don't even know how to find the correct way... I know that's bad but... so I found the correct way using tools that I know :/

Simply try bpx hmemcpy, and as soon as you enter something it will break.
Just keep on using F12 till you are in the crackme code area.

ZaiRoN
May 27th, 2004, 04:01
I think it's always good to have a little knowledge of all the available tools. The crackme is written in Delphi and, this time, Softice is not the best tool to use... why not Dede? Dede is almost perfect for Delphi programs. I don't know if you have had this tool before, but it's pretty intuitive, and for the moment I will not tell you how to solve the crackme with Dede (where would be the fun... :-)). Try to solve the crackme with this tool and tell us everything you don't understand.

Good luck,
Zai

prdx_LT
May 27th, 2004, 06:36
Quote:
[Originally Posted by OorjaHalT]Simply try bpx hmemcpy, and as soon as you enter something it will break.
Just keep on using F12 till you are in the crackme code area.


Yes, I know hmemcpy, but I don't have any knowledge about Sice; with tools like W32Dasm, Hiew, PEiD, etc., I do... I know that I must learn Sice, because it's the best debugger ever... But for the moment I'm using these tools that I know well... :/

OorjaHalT
May 27th, 2004, 12:40
With utmost regard to ZaiRoN, I disagree that Sice is not the best tool for this crackme, which happens to be in Delphi. I did crack it in under 1 min. flat using Sice, and even after using Dede you still need another tool to know the password.

ZaiRoN
May 27th, 2004, 13:06
Hi OorjaHalT,
nice to see you here.

I suppose you are using 9x, where hmemcpy works fine, but what if you use an XP/NT/2K OS? Imho, for those who don't have much experience it's not so simple; this is the reason why I said that 'softice is not the best tool for this crackme'.
Quote:
[Originally Posted by OorjaHalT]even after using dede you still need another tool to know the password
What do you mean? I can clearly see the password with Dede...

later,
ZaiRoN

hobgoblin
May 27th, 2004, 13:51
I used Olly to solve this one. Olly is a good tool to understand what's going on in this proggie, and if you're only looking for the correct serial it will take you less than a minute to find it. In my opinion Olly is the easiest one to use on this one.

regards,
hobgoblin

atlas
May 27th, 2004, 14:03
OorjaHalT, would you be able to explain your Sice method? Just say which kind of bpx you have used...

Just to give me some ideas...

ZaiRoN
May 29th, 2004, 09:03
Hi,
since there are many ways to solve the crackme, it might be a good idea to have some little solutions based on the tool used. Here is a little explanation using Dede.

Load and process the crackme. After some seconds, Dede finishes the initial processing and shows all the information retrieved about the crackme.
The 'Forms' panel contains all the relevant info about the form(s) inside the crackme; in this case we have only one form, named TForm1. If you click on this entry, you will see all the controls inside the only dialog in the crackme; the one we are looking for is:
Code:
object pass: TEdit ; edit control
Left = 104 ; left position inside the dialog
Top = 16 ; top position inside the dialog
Width = 137 ; width
Height = 21 ; height
Color = clYellow ; background color
TabOrder = 0 ; tab order...
Text = 'Entrer un password valide' ; initial text
OnChange = passChange ; procedure called when the password is changed
end


The check procedure is all inside the 'passChange' routine. To see the procedure you only have to click on the 'Procedures' panel and then double-click on the entry 'passChange'. The last thing to do is to read the right password:
Code:
* Reference to: Controls.TControl.GetText(TControl):TCaption;
00464E1B E820C3FCFF call 00431140 ; get the serial
00464E20 8B45FC mov eax, [ebp-$04] ; eax -> serial
* Possible String Reference to: '3625043'
00464E23 BA7C4E4600 mov edx, $00464E7C ; edx = 3625043
* Reference to: System.@LStrCmp;
00464E28 E817F8F9FF call 00404644 ; compare between our serial and '3625043'
00464E2D 7512 jnz 00464E41
* Possible String Reference to: 'Mot de passe correcte'
00464E2F BA8C4E4600 mov edx, $00464E8C ; edx -> "password is right"
* Reference to control TForm1.verif : TEdit
00464E34 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: Controls.TControl.SetText(TControl;TCaption); ; set the right message
00464E3A E831C3FCFF call 00431170
00464E3F EB10 jmp 00464E51
* Possible String Reference to: 'Password Erroné'
00464E41 BAAC4E4600 mov edx, $00464EAC ; edx -> "password is not right"
* Reference to control TForm1.verif : TEdit
00464E46 8B83F4020000 mov eax, [ebx+$02F4] ; set the wrong message
* Reference to: Controls.TControl.SetText(TControl;TCaption);


regards,
ZaiRoN
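
The listing above shows the general shape of a Delphi constant-password check: the typed text lands in eax, `mov edx, imm32` loads a string constant, and `System.@LStrCmp` compares the two. The following script is an added example, not from the thread or from Dede: it automates what ZaiRoN read off by hand, scanning code bytes for every `mov edx, imm32` that points at a Delphi AnsiString constant and flagging the ones immediately followed by `call System.@LStrCmp`. The opcode bytes and the LStrCmp address (00404644) are transcribed from the listing; the data region holding the three strings is constructed here in Delphi's long-string layout (refcount -1 and length before the characters, NUL after, 4-byte aligned), which is an assumption about the compiler, though it does reproduce the listing's 00464E7C/00464E8C/00464EAC operands exactly. The name `IMAGE` and the helper functions are mine.

```python
import struct

LSTRCMP_VA = 0x00404644  # "Reference to: System.@LStrCmp" in the Dede listing

# Code bytes transcribed from the Dede listing (00464E1B..00464E46). The rest
# of passChange is not on the page, so the region ends at the last instruction
# shown there.
CODE_BASE = 0x00464E1B
CODE = bytes.fromhex(
    "E820C3FCFF"    # call 00431140        ; TControl.GetText
    "8B45FC"        # mov eax,[ebp-4]      ; eax -> typed serial
    "BA7C4E4600"    # mov edx,00464E7C     ; edx -> '3625043'
    "E817F8F9FF"    # call 00404644        ; System.@LStrCmp
    "7512"          # jnz 00464E41
    "BA8C4E4600"    # mov edx,00464E8C     ; 'Mot de passe correcte'
    "8B83F4020000"  # mov eax,[ebx+2F4]    ; TForm1.verif
    "E831C3FCFF"    # call 00431170        ; TControl.SetText
    "EB10"          # jmp 00464E51
    "BAAC4E4600"    # mov edx,00464EAC     ; 'Password Erroné'
    "8B83F4020000"  # mov eax,[ebx+2F4]
)


def delphi_const_string(s: str) -> bytes:
    """Lay out a Delphi AnsiString constant: refcount -1, length, characters,
    NUL terminator, padded to a 4-byte boundary (assumed Delphi 5-7 layout)."""
    raw = s.encode("latin-1")
    blob = struct.pack("<iI", -1, len(raw)) + raw + b"\x00"
    return blob + b"\x00" * (-len(blob) % 4)


# Constructed data region: the three strings from the listing, back to back,
# starting 8 bytes before the first referenced address. With the layout above
# the character data lands at 00464E7C, 00464E8C and 00464EAC as in the listing.
DATA_BASE = 0x00464E7C - 8
DATA = b"".join(delphi_const_string(s) for s in
                ("3625043", "Mot de passe correcte", "Password Erroné"))

IMAGE = {CODE_BASE: CODE, DATA_BASE: DATA}  # flat VA -> bytes map


def read(image, va, n):
    """Read n bytes at virtual address va from the flat image, or None."""
    for base, blob in image.items():
        if base <= va and va + n <= base + len(blob):
            return blob[va - base: va - base + n]
    return None


def delphi_string_at(image, va):
    """Return the AnsiString whose character data starts at va, or None when
    the header (refcount -1 at va-8, length at va-4, NUL after) is not there."""
    hdr = read(image, va - 8, 8)
    if hdr is None:
        return None
    refcount, length = struct.unpack("<iI", hdr)
    if refcount != -1 or length > 4096:
        return None
    body = read(image, va, length + 1)
    if body is None or body[-1] != 0:
        return None
    return body[:-1].decode("latin-1")


def string_refs(image, code_base, code):
    """Every 'mov edx, imm32' (opcode BA) whose operand points at a Delphi
    string constant, as (instruction VA, string). Heuristic: BA can also occur
    inside other instructions, but a bogus hit fails the header check."""
    refs = []
    for i in range(len(code) - 4):
        if code[i] != 0xBA:
            continue
        imm = struct.unpack_from("<I", code, i + 1)[0]
        s = delphi_string_at(image, imm)
        if s is not None:
            refs.append((code_base + i, s))
    return refs


def lstrcmp_operands(image, code_base, code, lstrcmp_va=LSTRCMP_VA):
    """Subset of string_refs whose mov is immediately followed by a
    'call System.@LStrCmp' (E8 rel32, target computed from the next VA):
    those constants are what the user's input is compared against."""
    hits = []
    for va, s in string_refs(image, code_base, code):
        i = va - code_base + 5  # first byte after the 5-byte mov edx, imm32
        if i + 5 <= len(code) and code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            if (code_base + i + 5 + rel) & 0xFFFFFFFF == lstrcmp_va:
                hits.append((va, s))
    return hits


if __name__ == "__main__":
    for va, s in string_refs(IMAGE, CODE_BASE, CODE):
        print(f"{va:08X}  mov edx -> {s!r}")
    for va, s in lstrcmp_operands(IMAGE, CODE_BASE, CODE):
        print(f"{va:08X}  compared by LStrCmp: {s!r}")
```

On a real binary you would fill `IMAGE` from the PE sections (section VA plus ImageBase as the key, raw bytes as the value) and take the LStrCmp address from Dede or from the RTL symbol; the only operand followed by a call to it is the password, while the other two references are just the messages written back into the `verif` edit.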

atlas
May 30th, 2004, 10:36
Code:

================ Sun May 30 10:52:43 2004
:HWND CRACKMEV
Window Handle hQueue SZ QOwner Class Name Window Procedure
0800(1) 10D7 32 CRACKMEV2 TForm1 1427:00000CC4
0808(2) 10D7 32 CRACKMEV2 Edit 1427:00000DE2
0804(2) 10D7 32 CRACKMEV2 Edit 1427:00000DB6
07FC(1) 10D7 32 CRACKMEV2 TApplication 1427:00000D32
:BMSG 804 WM_KEYDOWN
Break due to BMSG 0804 WM_KEYDOWN (ET=.61 microseconds)
;; +F12 (I never thought that WM_KEYDOWN could be efficient)
hWnd=0804 wParam=0065 lParam=004C0001 msg=0100 WM_KEYDOWN
:BD*
:S 0 L FFFFFFFF '11223344'
Pattern found at 0187:00BD33C0 (00BD33C0)
:BPR bd33c0 bd33c0+8 rw
;; use F5; we land near the comparison with F12 too, but F5 is better for this crackme

Break due to BPR #0187:00BD33C0 #0187:00BD33C8 RW
Break due to BPR #0187:00BD33C0 #0187:00BD33C8 RW
Break due to BPR #0187:00BD33C0 #0187:00BD33C8 RW
Break due to BPR #0187:00BD33C0 #0187:00BD33C8 RW ;;so F5x4

017F:0040466F 8B1F MOV EBX,[EDI]
017F:00404671 39D9 CMP ECX,EBX ;; here is the comparison
;; to see it, do: ? ECX ; ? EBX. The comparison runs four characters at once, and four
;; more characters a second time
017F:00404673 7558 JNZ 004046CD (JUMP)
017F:004046CD 5A POP EDX