Hi there !

try this :

CrackMe.zip

Edited by Teddy Rogers
Corrected topic title...

Isn't the exe packed with CodeVeil ? :huh:

Just wondering :cc_confused:

Yes CodeVeil ^^

sec..

That's exactly what I did? Not more, not less. Ok, since CodeVeil 1.3 I even need Phant0m for not being kicked out when patching the encrypting/decrypting code.

I would say calling this one 'for beginners' is a bit harsh.

Even if you're done with unpacking, it's still weird ****.

And btw it's also very buggy code.. I had several exceptions when entering something as serial (in the original exe). So I lost motivation to go on.. :\

1. As it was said in the tutorial http://www.tuts4you.com/download.php?view.2004, I found:

00409680  66:0F280F   MOVAPS XMM1,DQWORD PTR DS:[EDI]
00409684  66:0F2806   MOVAPS XMM0,DQWORD PTR DS:[ESI]
00409688  66:0FEFCB   PXOR XMM1,XMM3
0040968C  66:0F290E   MOVAPS DQWORD PTR DS:[ESI],XMM1
00409690  66:0FEFC3   PXOR XMM0,XMM3
00409694  66:0F2907   MOVAPS DQWORD PTR DS:[EDI],XMM0
00409698  83C6 10     ADD ESI,10
0040969B  83C7 10     ADD EDI,10
0040969E  49          DEC ECX
0040969F  ^75 DF      JNZ SHORT CrackMe.00409680
004096A1  5A          POP EDX                          ; kernel32.7C816FF7
004096A2  59          POP ECX                          ; kernel32.7C816FF7
004096A3  5F          POP EDI                          ; kernel32.7C816FF7
004096A4  5E          POP ESI                          ; kernel32.7C816FF7
004096A5  C3          RETN

2. Then I found some free space at:

00409F80  90          NOP

3. Entered the code from your tut:

; Beginning Address was : 00409F80
JNZ 00409680
LEA EAX,DWORD PTR DS:[409680]
MOV DWORD PTR DS:[EAX],5E5F595A
MOV BYTE PTR DS:[EAX+4],0C3
JMP 00409680
; End Address was : 00409F96

and

0040969F  /0F85 DB080000   JNZ CrackMe.00409F80
004096A5  |C3             RETN

4. In the tutorial it was said that the "routine should be executed only once", so when I get to "004096A5 |C3 RETN", I've changed it to

pop edx
pop ecx
pop edi
pop esi
ret

(to restore stack)

5. F7 to go to "00409755 E8 03000000 CALL CrackMe.0040975D" and dump it.

PS. When I pressed F9 (Run), I got to that code (00409680) several times before the program started.

Is that right, and what should I do next?

PPS. I think it's too difficult for me for now.

0040969F  /0F85 DB080000   JNZ CrackMe.00409F80

You patched it with a JNZ, which is wrong. You need a JMP ofc (like shown in the tut).

And you don't have to place the following POP codes manually, coz that's actually what the codecave does when it's finished ;)

Ok. With JMP it works as in the tutorial. Got the dump with WinHex.

Then I tried to cut the "unnecessary bytes". But I found these bytes only for the ".text" section (I cut 1000-4096). How to find them for the other sections?

The "Section Headers" of CFF look strange...

btw, before I closed Olly, I noticed that the sections start with:

.text
00402000  2B1B      SUB EBX,DWORD PTR DS:[EBX]
00402002  0179 00   ADD DWORD PTR DS:[ECX],EDI
00402005  0000      ADD BYTE PTR DS:[EAX],AL
00402007  0048 00   ADD BYTE PTR DS:[EAX],CL

.rsrc
00406000 ........?........0?.........H.?.?.....?4.VS_VERSION_INFO..
00406080 ??.......?...........D.VarFileInfo..$.Translation...??.S
00406100 tringFileInfo.?.000004b0.4.CompanyName..once4ever.8FileDescr
00406180 iption..CrackMe.0FileVersion..1.0.0.0.8.InternalName.CrackMe.

.reloc
00408000 00 40 00 00 0C 00 00 00 B0 3F 00 00 00 00 00 00 .@......

WinHexDump_undone.rar

Yea not necessary to cut anything. I only shortened the reloc.

If you already got a dump, then you can simply compare urs with mine in CFF.

Well, I still don't quite understand, but it works. :)

In .NET Reflector I see again: "Arithmetic operation resulted in an overflow."

In SpicesNet5 it's ok, but how to get the key... this is part of the code: :confused:

namespace a
{
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;
    using a;

    public sealed abstract class a
    {
        private static string b;

        static a()
        {
            // Lookup table: every string used below is assembled from single characters of this table
            a.b = "ZXCVBNMLKJHGFDSAQWERRTYUIOP1*()@#qwertyuiopasdfghjkl;zxcvbnm,./\'+=-_234567890";
        }

        public static string b(string b)
        {
            string txt5;
            bool bl = !(b == "");
            if (!bl)
            {
                txt5 = "";
            }
            else
            {
                // Decompiler output: the per-character lookups were flattened into repeated
                // assignments to ch, so the actual strings built here are not recovered
                char ch = a.b['<'];
                string[] arr5 = new string[] {
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()};
                ch = a.b['\u0016'];
                ch = a.b['\u0006'];
                ch = a.b['\r'];
                ch = a.b['\u001e'];
                ch = a.b['\t'];
                ch = a.b['\u0013'];
                ch = a.b['$'];
                ch = a.b['\u000b'];
                string txt = string.Concat(arr5);           // 18 chars: password for the key derivation
                arr5 = new string[] {
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()};
                ch = a.b['4'];
                ch = a.b['+'];
                ch = a.b['\r'];
                ch = a.b['!'];
                ch = a.b['\u0014'];
                ch = a.b['='];
                ch = a.b[','];
                ch = a.b['\u0011'];
                ch = a.b['\''];
                string txt1 = string.Concat(arr5);          // 16 chars: salt
                ch = a.b['\u000e'];
                ch = a.b['\n'];
                ch = a.b['\u000f'];
                ch = a.b['\u001b'];
                string txt2 = string.Concat(ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()); // 4 chars: hash algorithm name
                int i = 2;                                  // iteration count
                arr5 = new string[16];
                ch = a.b['\"'];
                ch = a.b['\u0006'];
                ch = a.b['\u0019'];
                ch = a.b['\u0011'];
                ch = a.b['\u0002'];
                ch = a.b['<'];
                ch = a.b['\u001f'];
                ch = a.b['\n'];
                ch = a.b['\u0004'];
                ch = a.b['\u0007'];
                ch = a.b['\u0013'];
                ch = a.b['1'];
                ch = a.b['#'];
                ch = a.b['7'];
                ch = a.b['\u000e'];
                ch = a.b['\u0001'];
                string txt3 = string.Concat(arr5);          // 16 chars: IV
                int i1 = 256;                               // key size in bits
                byte[] arr = Encoding.ASCII.GetBytes(txt3);
                byte[] arr1 = Encoding.ASCII.GetBytes(txt1);
                byte[] arr2 = Encoding.UTF8.GetBytes(b);
                // Key: PasswordDeriveBytes(password, salt, hash name, iterations) -> 256/8 = 32 bytes
                PasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(txt, arr1, txt2, i);
                byte[] arr3 = passwordDeriveBytes.GetBytes(i1 / 8);
                // Rijndael (AES) in CBC mode with the constant key and IV; the entered string is
                // encrypted and returned Base64-encoded
                RijndaelManaged rijndaelManaged = new RijndaelManaged();
                rijndaelManaged.Mode = CipherMode.CBC;
                ICryptoTransform iCryptoTransform = rijndaelManaged.CreateEncryptor(arr3, arr);
                MemoryStream memoryStream = new MemoryStream();
                CryptoStream cryptoStream = new CryptoStream(memoryStream, iCryptoTransform, 1);
                cryptoStream.Write(arr2, 0, arr2.Length);
                cryptoStream.FlushFinalBlock();
                byte[] arr4 = memoryStream.ToArray();
                memoryStream.Close();
                cryptoStream.Close();
                return Convert.ToBase64String(arr4);
            }
            return txt5;
        }

        // Body hidden by the protector (extern): the decompiler cannot show what d does with the result
        public static extern string d(string b);
    }
}
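To make concrete what the decompiled routine computes before the Rijndael step, here is an added example (not code from the CrackMe or from anyone in this thread) that reimplements .NET Framework's PasswordDeriveBytes.GetBytes in Python; it shows that the key is a fixed function of constants embedded in the binary. The password, salt and hash name are placeholders of the lengths seen in the decompile, since the real strings are built from the obfuscated lookup table; the AES-CBC encryption and the hidden method d are not reproduced.

```python
import hashlib

# Constructed placeholders: the real strings are assembled at runtime from
# the lookup table a.b, which the decompiler did not recover. Lengths follow
# the decompiled code (18-char password txt, 16-byte salt arr1, 4-char hash
# name txt2, i = 2 iterations, i1 = 256-bit key).
PASSWORD = "placeholder-passwd"       # stands in for txt  (18 chars)
SALT = b"placeholder-salt"            # stands in for arr1 (16 bytes)
HASH_NAME = "SHA1"                    # assumed value of txt2
ITERATIONS = 2                        # i  in the decompiled code
KEY_BITS = 256                        # i1 in the decompiled code


def hash_once(hash_name: str, data: bytes) -> bytes:
    """One digest with the algorithm named the .NET way ("SHA1", "MD5")."""
    return hashlib.new(hash_name.lower(), data).digest()


def password_derive_bytes(password: str, salt: bytes, hash_name: str,
                          iterations: int, cb: int) -> bytes:
    """Reimplementation of PasswordDeriveBytes.GetBytes(cb) from .NET
    Framework: PBKDF1 for the first hash-sized block, then Microsoft's
    extension for outputs longer than one digest."""
    # Base value T_{c-1}: H(P || S), followed by iterations-2 more hashes.
    base = hash_once(hash_name, password.encode("ascii") + salt)
    for _ in range(1, iterations - 1):
        base = hash_once(hash_name, base)
    # Block 0 is H(base), i.e. T_c of plain PBKDF1. Further blocks prefix
    # the base value with the ASCII counter "1", "2", ... before hashing.
    out = hash_once(hash_name, base)
    counter = 1
    while len(out) < cb:
        out += hash_once(hash_name, str(counter).encode("ascii") + base)
        counter += 1
    return out[:cb]


def derive_key() -> bytes:
    """The 32-byte key (arr3) the decompiled routine hands to RijndaelManaged."""
    return password_derive_bytes(PASSWORD, SALT, HASH_NAME, ITERATIONS,
                                 KEY_BITS // 8)


if __name__ == "__main__":
    print(derive_key().hex())
```

With SHA1 the 32-byte key is the 20-byte PBKDF1 result followed by the first 12 bytes of SHA1("1" || base); swapping in the real table-derived strings would reproduce arr3 exactly.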

It's too much for me. I give up.

Thanks for help with unpacking.
