Hi,
below you will find a few of my 'cracking notes'. Nothing new or special, but maybe someone will find them useful.
In case of any questions feel free to PM me.
enlil-notes.txt
Hi enlil,
That's really appreciable. How about you create a separate thread for each crackMe and post here? That way things would be more organized and readable. Attachments are something which are not read by most, and sometimes they have permission issues as well. Let me know if I could be of any help on that.
Cheers!
b0nd
[*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
------> become the master!!! <------
[*] Everyone has a will to WIN but very few have the will to prepare to WIN
[*] Invest yourself in everything you do, there's fun in being serious
>> That's really appreciable. How about you create separate thread for each crackMe
>> and post here? That way things would be more organized and readable.
Yes, I thought about it. As well as "eee... but I'm new here, so maybe I will not
post some old stuff as 100 posts, to not be banned on the very first day".
Next time, I'll do that (post-by-case).
>> Attachments are something which are not read by most
Hehe, that wasn't an accident. The reason I've done that was the same as for doing a crackme:
if you want it, you will check it.
>> and sometimes they got permission issues as well. Let me know if I could be of any help on that.
I can say the same as well: if I can help you with anything related to RE/malware/exploitation/crackmes/CTFs,
feel free to let me know. Maybe I will not know the answer, but sometimes it is even better
to find the 'correct path' with someone else, with whom you can talk or do some kind of a 'brainstorm'.
But it's only 'in my opinion', so... Thanks for the warm welcome.
Cheers
Hi B0ND,
It would be great if we can have a weekly cracking challenge followed by a solution, it would be helpful and keeps motivation.
Regards
Ravi Teja
B0nd has a point about making a different post for each crackMe. I found the following crackMe really interesting; could you please just pass on the binary file AD_CM#1.EXE? We can also do the weekly cracking challenges; the point is who will develop such a nice crackMe, or we can use any existing crackMe. If you have development experience, that would be a really nice way to start.
Code:
---------------------------------------------------------------------------
#00.04 - AD_CM#1.EXE
---------------------------------------------------------------------------
From my perspective, very interesting case for new-asm-readers. ;)
So, enjoy:

CPU Disasm
Address   Hex dump          Command                                  Comments
004010A5  |.  66:3D B90B    CMP AX,0BB9
004010A9  |.  75 43         JNE SHORT 004010EE
004010AB  |.  6A 07         PUSH 7                                   ; /MaxCount = 7
004010AD  |.  68 5C304000   PUSH OFFSET 0040305C                     ; |String
004010B2  |.  68 B80B0000   PUSH 0BB8                                ; |ItemID = 3000.
004010B7  |.  FF75 08       PUSH DWORD PTR SS:[ARG.1]                ; |hDialog => [ARG.1]
004010BA  |.  E8 6F000000   CALL <JMP.&USER32.GetDlgItemTextA>       ; \USER32.GetDlgItemTextA
004010BF  |.  B8 5C304000   MOV EAX,OFFSET 0040305C
004010C4  |.  BB 1E304000   MOV EBX,OFFSET 0040301E                  ; ASCII "qWeRtZ"
004010C9  |.  B9 07000000   MOV ECX,7
004010CE  |>  8A13          /MOV DL,BYTE PTR DS:[EBX]
004010D0  |.  3810          |CMP BYTE PTR DS:[EAX],DL
004010D2  |.  75 18         |JNE SHORT 004010EC
004010D4  |.  40            |INC EAX
004010D5  |.  43            |INC EBX
004010D6  |.^ E2 F6         \LOOP SHORT 004010CE
004010D8  |.  6A 40         PUSH 40                                  ; /Type = MB_OK|MB_ICONASTERISK|MB_DEFBUTTON1|MB_APPLMODAL
004010DA  |.  68 09304000   PUSH OFFSET 00403009                     ; |Caption = "ArturDents CrackMe#1"
004010DF  |.  68 36304000   PUSH OFFSET 00403036                     ; |Text = "Yeah, you did it!"
004010E4  |.  FF75 08       PUSH DWORD PTR SS:[ARG.1]                ; |hOwner => [ARG.1]
004010E7  |.  E8 48000000   CALL <JMP.&USER32.MessageBoxA>           ; \USER32.MessageBoxA
004010EC  |>  EB 1A         JMP SHORT 00401108
004010EE  |>  66:3D BA0B    CMP AX,0BBA
004010F2      75 14         JNE SHORT 00401108
004010F4  |.  6A 00         PUSH 0                                   ; lParam = NULL
004010F6  |.  68 027D0000   PUSH 7D02                                ; wParam = NotifyCode = MENU/BN_CLICKED..., ID = 32002.
004010FB  |.  68 11010000   PUSH 111                                 ; Msg = WM_COMMAND
00401100  |.  FF75 08       PUSH DWORD PTR SS:[ARG.1]                ; hWnd => [ARG.1]
00401103  |.  E8 32000000   CALL <JMP.&USER32.SendMessageA>          ; Jump to USER32.SendMessageA
00401108  |>  EB 09         JMP SHORT 00401113
0040110A  |>  B8 00000000   MOV EAX,0
0040110F  |.  C9            LEAVE
00401110  |.  C2 1000       RETN 10
00401113  |>  B8 01000000   MOV EAX,1

Well, it looks to me like the string from EAX is compared with EBX.
Serial-key is in EBX and then it's compared char-by-char with value(s)
from DL (user's-input serial key). DL compared, loop, next char-value...
compared, loop... and so on, until we find a 'pair' which is equal. :)

In that case - 'password is hardcoded' so we can find it while reading the ASM.
Garage4Hackers bugs for the community , of the community
We provide IT
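The compare loop at 004010CE from the listing above, rewritten in C with one statement per instruction (an added example, not part of the original post or the crackme's source). The `get_item_text` helper and the `STORED` array are stand-ins assumed here for GetDlgItemTextA and the bytes at 0040301E.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the data at 0040301E: "qWeRtZ" plus its NUL. */
static const char STORED[7] = "qWeRtZ";

/* Model of GetDlgItemTextA(hDialog, 3000, buf, 7): copies at most
   MaxCount-1 characters and always NUL-terminates (assumed from the
   documented API behaviour; the dialog itself is not modelled). */
static void get_item_text(const char *typed, char *buf, size_t max_count)
{
    size_t n = strlen(typed);
    if (n > max_count - 1)
        n = max_count - 1;
    memcpy(buf, typed, n);
    buf[n] = '\0';
}

/* Returns 1 when execution would fall through to MessageBoxA. */
int check_serial(const char *typed)
{
    char buf[7] = {0};                 /* buffer at 0040305C */
    get_item_text(typed, buf, sizeof buf);

    const char *eax = buf;             /* MOV EAX,OFFSET 0040305C */
    const char *ebx = STORED;          /* MOV EBX,OFFSET 0040301E */
    unsigned ecx = 7;                  /* MOV ECX,7 */
    do {
        char dl = *ebx;                /* MOV DL,BYTE PTR DS:[EBX] */
        if (*eax != dl)                /* CMP BYTE PTR DS:[EAX],DL */
            return 0;                  /* JNE SHORT 004010EC */
        eax++;                         /* INC EAX */
        ebx++;                         /* INC EBX */
    } while (--ecx != 0);              /* LOOP SHORT 004010CE */
    return 1;                          /* reaches PUSH 40 / MessageBoxA */
}

int main(void)
{
    const char *samples[] = { "qWeRtZ", "qWeRtZ123", "qWeR", "QWERTZ", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i], check_serial(samples[i]));
    return 0;
}
```

ECX is 7, so the loop also compares the terminating NUL of the six-character string. In this model a longer entry that begins with the stored string passes too, because only six characters are copied into the seven-byte buffer.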
Hi s,
If we can find the archives of past reverse engineering challenges of CTFs we can use them. I will check and update this post if I find one.
Great, no problem, it would be helpful to get a kick start.