Tuts 4 You

Posted (edited)

For those who found my first crackme so easy, here is another crackme for serial fishing, lol. It is a little harder than the first.

Your aim is to find out the password and hence obtain the goodboy message.

Link

 http://www.mytempdir.com/715776

NOTE: Please don't publish the password here.

Edited by mia
Posted (edited)

Check your PM :) .....

oops i forgot you cannot have PM

So here is the serial...Be Fair and first solve it yourself and then have a look if you want to do so ;)

http://rapidshare.de/files/22207823/Serial.txt.html
Edited by yamraaj
Posted
Check your PM :) .....

oops i forgot you cannot have PM

So here is the serial...Be Fair and first solve it yourself and then have a look if you want to do so ;)

http://rapidshare.de/files/22207823/Serial.txt.html

Ok yamraaj you got it. These crackmes will not trouble you :D

Posted (edited)

i was able to follow up here......but still couldn't get the final serial

k....
i missed in the first case but.....then i found something ! 0045919 ------------BP
0040591B . 5B POP EBX ; 0012F5E8
0040591C . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0040591F . 897D B0 MOV DWORD PTR SS:[EBP-50],EDI
00405922 . 50 PUSH EAX
00405923 . 897D E8 MOV DWORD PTR SS:[EBP-18],EDI
00405926 . 897D E4 MOV DWORD PTR SS:[EBP-1C],EDI
00405929 . 897D E0 MOV DWORD PTR SS:[EBP-20],EDI
0040592C . 897D DC MOV DWORD PTR SS:[EBP-24],EDI
0040592F . 897D CC MOV DWORD PTR SS:[EBP-34],EDI
00405932 . 897D C8 MOV DWORD PTR SS:[EBP-38],EDI
00405935 . 897D C4 MOV DWORD PTR SS:[EBP-3C],EDI
00405938 . 897D C0 MOV DWORD PTR SS:[EBP-40],EDI
0040593B . 897D A0 MOV DWORD PTR SS:[EBP-60],EDI
0040593E . 897D 90 MOV DWORD PTR SS:[EBP-70],EDI
00405941 . 89BD 70FFFFFF MOV DWORD PTR SS:[EBP-90],EDI
00405947 . C745 B8 34AC0805 MOV DWORD PTR SS:[EBP-48],508AC34
0040594E . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
00405951 . E8 94BAFFFF CALL <JMP.&MSVBVM60.#572>
00405956 . 8BD0 MOV EDX,EAX ; carries "508AC34" (1st part of serial)
00405958 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0040595B . E8 90BAFFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
00405960 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
00405963 . E8 7CBAFFFF CALL <JMP.&MSVBVM60.__vbaFreeVar>
00405968 . FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0040596B . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
0040596E . C745 B8 6ED03E04 MOV DWORD PTR SS:[EBP-48],43ED06E
00405975 . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
00405978 . 50 PUSH EAX
00405979 . E8 6CBAFFFF CALL <JMP.&MSVBVM60.#572>
0040597E . 8BD0 MOV EDX,EAX ; carries "43ED06E" (2nd part of serial)
00405980 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00405983 . E8 68BAFFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
00405988 . 50 PUSH EAX
00405989 . E8 50BAFFFF CALL <JMP.&MSVBVM60.__vbaStrCat>
0040598E . 8BD0 MOV EDX,EAX ;holds the two together as "508AC3443ED06E"
00405990 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00405993 . E8 58BAFFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
00405998 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0040599B . E8 38BAFFFF CALL <JMP.&MSVBVM60.__vbaFreeStr>
004059A0 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
004059A3 . E8 3CBAFFFF CALL <JMP.&MSVBVM60.__vbaFreeVar>
004059A8 . FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
004059AB . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
004059AE . C745 B8 1612EC00 MOV DWORD PTR SS:[EBP-48],0EC1216
004059B5 . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
004059B8 . 50 PUSH EAX
004059B9 . E8 2CBAFFFF CALL <JMP.&MSVBVM60.#572>
004059BE . 8BD0 MOV EDX,EAX ; carries "EC1216" (3rd part of serial)
004059C0 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004059C3 . E8 28BAFFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
004059C8 . 50 PUSH EAX
004059C9 . E8 10BAFFFF CALL <JMP.&MSVBVM60.__vbaStrCat>
004059CE . 8BD0 MOV EDX,EAX
004059D0 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004059D3 . E8 18BAFFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
004059D8 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004059DB . E8 F8B9FFFF CALL <JMP.&MSVBVM60.__vbaFreeStr>
004059E0 . 8D4D B0 LEA ECX,DWORD PTR SS:[EBP-50]
004059E3 . E8 FCB9FFFF CALL <JMP.&MSVBVM60.__vbaFreeVar>
004059E8 . 68 70454000 PUSH CrackMe_.00404570 ; UNICODE "SND-"
004059ED . FF75 E0 PUSH DWORD PTR SS:[EBP-20]
004059F0 . E8 E9B9FFFF CALL <JMP.&MSVBVM60.__vbaStrCat>
004059F5 . 8BD0 MOV EDX,EAX ; SERIAL...."SND-508AC3443ED06EEC1216"
004059F7 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004059FA . E8 F1B9FFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
004059FF . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00405A02 . 6A 02 PUSH 2
00405A04 . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
00405A0A . 5B POP EBX ; 0012F5E8
00405A0B . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00405A0E . C785 70FFFFFF 0800000>MOV DWORD PTR SS:[EBP-90],8
00405A18 . 50 PUSH EAX
00405A19 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A1C . 50 PUSH EAX
00405A1D . C745 B8 6E000000 MOV DWORD PTR SS:[EBP-48],6E
00405A24 . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
00405A27 . E8 9AB9FFFF CALL <JMP.&MSVBVM60.#573>
00405A2C . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
00405A32 . 50 PUSH EAX
00405A33 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A36 . 50 PUSH EAX
00405A37 . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00405A3A . 50 PUSH EAX
00405A3B . E8 8CB9FFFF CALL <JMP.&MSVBVM60.__vbaVarAdd>
00405A40 . 8BD0 MOV EDX,EAX
00405A42 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00405A45 . E8 88B9FFFF CALL <JMP.&MSVBVM60.__vbaVarMove>
00405A4A . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A4D . 50 PUSH EAX
00405A4E . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00405A51 . 50 PUSH EAX
00405A52 . 53 PUSH EBX
00405A53 . E8 68B9FFFF CALL <JMP.&MSVBVM60.__vbaFreeVarList>
00405A58 . 8B06 MOV EAX,DWORD PTR DS:[ESI] ; CrackMe_.004103F4
00405A5A . 83C4 0C ADD ESP,0C
00405A5D . 56 PUSH ESI
00405A5E . FF90 04030000 CALL DWORD PTR DS:[EAX+304]
00405A64 . 50 PUSH EAX
00405A65 . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
00405A68 . 50 PUSH EAX
00405A69 . E8 46B9FFFF CALL <JMP.&MSVBVM60.__vbaObjSet>
00405A6E . 8BD8 MOV EBX,EAX
00405A70 . 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00405A73 . 51 PUSH ECX
00405A74 . 53 PUSH EBX
00405A75 . 8B03 MOV EAX,DWORD PTR DS:[EBX]
00405A77 . FF90 A0000000 CALL DWORD PTR DS:[EAX+A0]
00405A7D . 3BC7 CMP EAX,EDI
00405A7F . DBE2 FCLEX

i get my serial as SND-508AC3443ED06EEC1216 but that's not correct

Edited by starzboy
Posted

starzboy.... :(:(:(:( . It is easier than your crackme.

ok. small clue

004059F7 . 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
004059FA . E8 F1B9FFFF CALL <JMP.&MSVBVM60.__vbaStrMove>
004059FF . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00405A02 . 6A 02 PUSH 2
00405A04 . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
00405A0A . 5B POP EBX ; 0012F5E8
00405A0B . 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
00405A0E . C785 70FFFFFF 0800000>MOV DWORD PTR SS:[EBP-90],8
00405A18 . 50 PUSH EAX
00405A19 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A1C . 50 PUSH EAX
00405A1D . C745 B8 6E000000 MOV DWORD PTR SS:[EBP-48],6E <----- TAKE A LOOK HERE, 6E . THIS WILL ALSO ADD UP WITH THE 4th PART OF THE SERIAL.
00405A24 . 895D B0 MOV DWORD PTR SS:[EBP-50],EBX
00405A27 . E8 9AB9FFFF CALL <JMP.&MSVBVM60.#573>
00405A2C . 8D85 70FFFFFF LEA EAX,DWORD PTR SS:[EBP-90]
00405A32 . 50 PUSH EAX
00405A33 . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A36 . 50 PUSH EAX
00405A37 . 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00405A3A . 50 PUSH EAX
00405A3B . E8 8CB9FFFF CALL <JMP.&MSVBVM60.__vbaVarAdd>
00405A40 . 8BD0 MOV EDX,EAX
00405A42 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00405A45 . E8 88B9FFFF CALL <JMP.&MSVBVM60.__vbaVarMove>
00405A4A . 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00405A4D . 50 PUSH EAX

i get my serial as SND-508AC3443ED06EEC1216 but that's not correct

or you can put a BP on __vbaVarTstEq and look at the stack window. Register window won't give you the last serial.

mia
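
Added example, not part of any post in this thread and not the crackme author's code: a Python check of the pattern visible in the listing, where each immediate stored to [EBP-48] is followed by a call to MSVBVM60 ordinal #572 or #573 and, per the poster's comments, comes back as its hex string. Treating those ordinals as hex conversions is an assumption, and the function name is hypothetical; the listing lines are excerpted from the posts above.

```python
import re

# Lines excerpted from the OllyDbg listing posted in this thread.
LISTING = """\
00405947 . C745 B8 34AC0805 MOV DWORD PTR SS:[EBP-48],508AC34
00405951 . E8 94BAFFFF CALL <JMP.&MSVBVM60.#572>
0040596E . C745 B8 6ED03E04 MOV DWORD PTR SS:[EBP-48],43ED06E
00405979 . E8 6CBAFFFF CALL <JMP.&MSVBVM60.#572>
004059AE . C745 B8 1612EC00 MOV DWORD PTR SS:[EBP-48],0EC1216
004059B9 . E8 2CBAFFFF CALL <JMP.&MSVBVM60.#572>
00405A0E . C785 70FFFFFF 0800000>MOV DWORD PTR SS:[EBP-90],8
00405A1D . C745 B8 6E000000 MOV DWORD PTR SS:[EBP-48],6E
00405A27 . E8 9AB9FFFF CALL <JMP.&MSVBVM60.#573>
"""

# Assumption: ordinals #572/#573 convert their argument to a hex string,
# as the poster's "carries ..." comments suggest.
HEX_ORDINALS = {"572", "573"}
MOV_IMM = re.compile(
    r"^(?P<addr>[0-9A-F]{8}) \. C745 (?P<disp>[0-9A-F]{2}) (?P<raw>[0-9A-F]{8}) "
    r"MOV DWORD PTR SS:\[EBP-(?P<off>[0-9A-F]+)\],(?P<imm>[0-9A-F]+)$")
CALL_ORD = re.compile(r"CALL <JMP\.&MSVBVM60\.#(?P<ord>\d+)>$")


def hex_call_arguments(listing):
    """Return (address, ordinal, hex string) for each immediate fed to a hex call."""
    pending, results = None, []
    for line in listing.splitlines():
        mov = MOV_IMM.match(line)
        if mov:
            # The opcode column holds the imm32 little-endian; OllyDbg's operand
            # text is big-endian and gains a leading 0 when it starts with A-F.
            value = int.from_bytes(bytes.fromhex(mov["raw"]), "little")
            disp = 0x100 - int(mov["disp"], 16)  # disp8 is two's complement
            if value != int(mov["imm"], 16) or disp != int(mov["off"], 16):
                raise ValueError(f"opcode bytes and operand text disagree: {line}")
            pending = (mov["addr"], value)
            continue
        call = CALL_ORD.search(line)
        if call and pending and call["ord"] in HEX_ORDINALS:
            # Uppercase hex with no leading zeros, matching the strings in the comments
            results.append((pending[0], call["ord"], format(pending[1], "X")))
            pending = None
    return results


if __name__ == "__main__":
    for addr, ordinal, text in hex_call_arguments(LISTING):
        print(f"{addr}  #{ordinal}  {text}")
```

The line with the truncated opcode column (`0800000>`) is skipped on purpose, since its bytes cannot be cross-checked against the operand text.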

Posted

k got it....

added in the end right !

thanx for the help !....

i was sort of a bit confused !
