[CrackMe]Find the password 5 - Register It

[Ownage]

Starting with this level , you'll have some fun.

Register the app!g5.rar

[Gushe]

Ok, yet again, this has been a long time for me, and I have a little question. To not spoil it for others, check the spoiler tag.

Ok, I suppose the application waits for an file to be dropped onto the application, then verifying it's filename and location to see wheither the statusbar should show REGISTERED or UNREGISTERED. THough, it seems to be comparing the file I drop on it with the following file: "Z:\File/.geek", but it is impossible to create such a file on a windows machine. Am I going in the wrong direction or is it meant to be possible to create such a file? (Yes, I have changed my D: into Z: to test this!)

Thanks in advance.

[delldell]

yes you can modify the path of the file at the right moment that

is search's for the file

what I did was patched the file so is always registered

without the file

but still I am not sure about the password cos I

fund 2 strings that are compared one of them is the

pass word but I am not % 100 per cent

I hope somebody cam up with the solution

Edited December 7, 2009 by delldell

[BoRoV]

that string is MD5 hash which undertakes from file thus file must have length in 5 bytes

I bruted this hash uses alphabet for brut all of printing characters, and nothing, and write the own bruter for all of characters I don't want

[deepzero]

and nothing,

yeah, me too.

[hypa]

I started doing this, there are a lot of ways to patch it, I did the single jump, their is also fixing the path string, I didn't look to see how the two keys where generated, but you can patch the one strcmp too. The app wasn't interesting enough to dig deep. I replaced all the mov->ptr just to make it interesting for fixing the path problem(not sure what we where suppose to do there). I didn't see how to key it without patching because the path problem. It was too much trouble to try a virtual drive too.

Edited December 10, 2009 by hiya

[Espair]

Am i the only one who cant seem to find its correct entry point? Cant seem to find the code section (its empty!) <.< Anyone point me in the right direction? starting address is 778E9FDD for me, which isnt right at all.

[BoRoV]

Am i the only one who cant seem to find its correct entry point? Cant seem to find the code section (its empty!) <.< Anyone point me in the right direction? starting address is 778E9FDD for me, which isnt right at all.

check your Olly options, if Debugging options -> Events -> Make first pause at is System breakpoint that is you problem, change to Entry point of main module

I didn't look to see how the two keys where generated

00401187  |.  68 21334000   PUSH g5.00403321                                    ; /Arg3 = 403321  <-- output buffer
0040118C  |.  6A 05         PUSH 5                                              ; |Arg2 = 5  <-- length of buffer
0040118E  |.  68 71324000   PUSH g5.00403271                                    ; |Arg1 = 00403271  <-- input buffer
00401193  |.  E8 E8020000   CALL 00401480                                       ; \00401480

and for all, this is modified MD5, I only now see that

[Espair]

Hmm that doesnt seem to be it BoRoV, settings there are right, if I change it to System breakpoint, its still wrong

Also it crashes on first code execution if I try, doesnt leave me much room to do anything

Edited December 10, 2009 by Espair

[BoRoV]

maybe it bkz conflicted some plugins, try open crackme in pure olly, or in olly 2 (I work in this version )

[Espair]

That was it, it didnt like a plugin, thanks BoRoV!

Actually further looking into it, olly doesnt like x64, olly 2 does which is why it worked, olly advanced had a fix for it though so its good

Solved! woo (with a little help), finally managed to find where it came up with the MD5(?) code, then compared with the one it should have been. Just edited so it would match, came up REGISTERED.

Edited December 10, 2009 by Espair

[hypa]

It's too easy to patch it, and even make it load file correctly and pass the key check, but I think this was suppose to be a keygen from what I'm reading. It's intriguing but I'll leave it to the crypto people

[dim_cr]

Starting with this level , you'll have some fun.

Yes really funny

OK pass is: zkjea