sulea

crack-me!


A new challenge:

The following program is given:

Download GameWiz32 1.43 - GameWiz32 is a generic cheat tool for games running under Windows 95/98/ME/2000/XP - Softpedia

Requirements: crack it! :)

You may use any method you want, patches on the executable, etc.

So anything is allowed.

I'm waiting for PMs with the solutions; as usual, they will be made public later.

Prizes: those who pass the challenge will receive a log with random accounts.


Hi.

Sorry for "bringing this topic back to life", but I only saw it just now and noticed that nobody has answered it.

I don't want the prize, so I'm not sending it by PM.

:)

The license file verification procedure is at:

00410C1B >/$ 55 PUSH EBP ; __openfile
0040C529 >/$ 55 PUSH EBP ; _fread

It begins at:

0040A780 > . 6A FF PUSH -0x1 ; sub_40A780
0040A782 . 68 08284200 PUSH <gw32.__ehhandler$?ExecCommand@?$CH> ; SE handler installation
0040A787 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040A78D . 50 PUSH EAX
0040A78E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040A795 . 83EC 10 SUB ESP,0x10
0040A798 . 55 PUSH EBP
0040A799 . 56 PUSH ESI
0040A79A . 57 PUSH EDI
0040A79B . 8BF1 MOV ESI,ECX
0040A79D . E8 AD310100 CALL <gw32.CDialog:InInitDialog(void)>
0040A7A2 . 68 E4B14200 PUSH OFFSET <gw32.Mode> ; ASCII "rb"
0040A7A7 . 68 20B64200 PUSH OFFSET <gw32.aGw32_reg> ; ASCII "gw32.reg"
0040A7AC . E8 911E0000 CALL <gw32._fopen>

If it's OK, you reach:

0040A7F4 . /0F84 B3000000 JE <gw32.loc_40A8AD>
0040A7FA . |57 PUSH EDI
0040A7FB . |E8 7D1C0000 CALL <gw32._fclose>
0040A800 . |8B0D 30BB4200 MOV ECX,DWORD PTR DS:[<off_42BB30>] ; <gw32.unk_42BB44>
0040A806 . |83C4 04 ADD ESP,0x4
0040A809 . |894C24 14 MOV DWORD PTR SS:[ESP+0x14],ECX
0040A80D . |8B56 5C MOV EDX,DWORD PTR DS:[ESI+0x5C]
0040A810 . |8B2D C0334200 MOV EBP,DWORD PTR DS:[<&USER32.LoadStrin>; USER32.LoadStringA
0040A816 . |8D7E 60 LEA EDI,DWORD PTR DS:[ESI+0x60]
0040A819 . |6A 64 PUSH 0x64 ; /Count = 64 (100.)
0040A81B . |57 PUSH EDI ; |Buffer
0040A81C . |68 F4000000 PUSH 0xF4 ; |RsrcID = STRING "Registered to:
"
0040A821 . |52 PUSH EDX ; |hInst
0040A822 . |C74424 34 000>MOV DWORD PTR SS:[ESP+0x34],0x0 ; |
0040A82A . |FFD5 CALL EBP ; \LoadStringA

If not:

0040A8AD > > \8B4E 5C MOV ECX,DWORD PTR DS:[ESI+0x5C] ; loc_40A8AD
0040A8B0 . 8B2D C0334200 MOV EBP,DWORD PTR DS:[<&USER32.LoadStrin> ; USER32.LoadStringA
0040A8B6 . 8D7E 60 LEA EDI,DWORD PTR DS:[ESI+0x60]
0040A8B9 . 6A 64 PUSH 0x64 ; /Count = 64 (100.)
0040A8BB . 57 PUSH EDI ; |Buffer
0040A8BC . 68 2E010000 PUSH 0x12E ; |RsrcID = STRING "
UNREGISTERED SHAREWARE VERSION


PLEASE REGISTER!"
0040A8C1 . 51 PUSH ECX ; |hInst
0040A8C2 . FFD5 CALL EBP ; \LoadStringA

This checks for the existence of the license file:

0040A7EC   .  8B86 48040000 MOV EAX,DWORD PTR DS:[ESI+0x448]

0040AA31 . /76 76 JBE SHORT <gw32.loc_40AAA9>
0040AA33 . |8A4D F3 MOV CL,BYTE PTR SS:[EBP-0xD]
0040AA36 . |B8 01000000 MOV EAX,0x1
0040AA3B . |2BC3 SUB EAX,EBX
0040AA3D . |8BF3 MOV ESI,EBX
0040AA3F . |8945 D8 MOV DWORD PTR SS:[EBP-0x28],EAX
0040AA42 > > |8A06 MOV AL,BYTE PTR DS:[ESI] ; loc_40AA42
0040AA44 . |0FBED0 MOVSX EDX,AL
0040AA47 . |0FBED9 MOVSX EBX,CL
0040AA4A . |33D3 XOR EDX,EBX
0040AA4C . |83C2 1E ADD EDX,0x1E
0040AA4F . |83FA 2B CMP EDX,0x2B
0040AA52 . |75 0F JNZ SHORT <gw32.loc_40AA63>
0040AA54 . |68 2CB64200 PUSH OFFSET <gw32.asc_42B62C>
0040AA59 . |8D4D EC LEA ECX,DWORD PTR SS:[EBP-0x14]
0040AA5C . |E8 571F0100 CALL <gw32.sub_41C9B8>
0040AA61 . |EB 0D JMP SHORT <gw32.loc_40AA70>
0040AA63 > > |32C1 XOR AL,CL ; XOR the character read with the
0040AA65 . |8D4D EC LEA ECX,DWORD PTR SS:[EBP-0x14]
0040AA68 . |04 1E ADD AL,0x1E ; Add hex 1E to the character read
0040AA6A . |50 PUSH EAX ; Push EAX onto the stack
0040AA6B . |E8 6F1F0100 CALL <gw32.Introducere caracter in string licenta>
0040AA70 > > |8A4D F3 MOV CL,BYTE PTR SS:[EBP-0xD] ; Move the second character of the serial into CL
0040AA73 . |0FBE06 MOVSX EAX,BYTE PTR DS:[ESI] ; Move the blank space into EAX
0040AA76 . |0FBED1 MOVSX EDX,CL ; Move the previously read character into EDX
0040AA79 . |33C2 XOR EAX,EDX ; XOR EAX, EDX
0040AA7B . |8B55 D8 MOV EDX,DWORD PTR SS:[EBP-0x28]
0040AA7E . |83C0 1E ADD EAX,0x1E ; Add 1E = 30 to EAX
0040AA81 . |03D6 ADD EDX,ESI ; Add the serial to EDX = 1 character
0040AA83 . |0FAFC2 IMUL EAX,EDX ; Multiply EAX by EDX
0040AA86 . |8B55 E0 MOV EDX,DWORD PTR SS:[EBP-0x20]
0040AA89 . |03D0 ADD EDX,EAX ; Add EAX to EDX
0040AA8B . |8B45 DC MOV EAX,DWORD PTR SS:[EBP-0x24]
0040AA8E . |8955 E0 MOV DWORD PTR SS:[EBP-0x20],EDX
0040AA91 . |8B55 E8 MOV EDX,DWORD PTR SS:[EBP-0x18]
0040AA94 . |40 INC EAX ; Move EAX to the next position
0040AA95 . |81E2 FF000000 AND EDX,0xFF ; AND EDX with FF
0040AA9B . |46 INC ESI ; Increment ESI
0040AA9C . |3BC2 CMP EAX,EDX ; Compare EAX with EDX
0040AA9E . |8945 DC MOV DWORD PTR SS:[EBP-0x24],EAX


It then has several more checks on the license file, so that if it doesn't exist or something is wrong with it, the application crashes.

Overall, this program is not hard to "crack", but it requires patience.

Or you can simply skip the license file check altogether:

0041D24C /74 0C JE SHORT <gw32.loc_41D25A> ; License check

JE to JMP

Edited by giv