madlogik on 2:02 PM 11/13/2019: So I found the flag when doing the disassembly, and it works when I hit the button... but I had to patch the exe to get through the IsDebuggerPresent and the other conditional jump above it. (and that is not allowed)...
I'm assuming that security cookie must be a file it looks for... potentially with those 25 number strings in it... but I would appreciate some help on how to truly understand it.
Thanks a lot!
juansacco on 6:50 PM 11/13/2019: To bypass, for example, IsDebuggerPresent without patching, you can use conditional breakpoints, for example. Great job madlogik!
coyote_0x90 on 8:06 AM 11/14/2019: I found the flag, but I also had to patch out some conditional jumps. There's a check in the WNDPROC of the window for WM_COMMAND, and when it processes that message, it checks if some functions are 0 instead of calling them and checking the return value.
    dMsg = Msg;
    if ( Msg > 0x10 )
    {
      if ( dMsg != 0x111 ) // dMsg != WM_COMMAND
        return DefWindowProcW(hWndParent, Msg, wParam, lParam);
      set_rf_debug_resume_flag_func();
      check_debug_registers_func();
      if ( sub_401210 || sub_401160 ) // have to patch this out
      {
        MessageBoxA(hWndParent, "Try harder! Muahahahaha..", "Exploit Pack - http://exploitpack.com", 0x40u);
        exit(0);
      }
      v65 = (unsigned __int16)wParam;
      if ( (unsigned __int16)wParam == 100 )
      {
        // ...
      }
    }
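The condition coyote_0x90 describes, reduced to portable C as an added example (not part of the original thread and not the crackme's own code): a handler that tests the addresses of its check functions rejects every WM_COMMAND, while one that calls them rejects only when a check reports something. The names `check_a`, `check_b`, `probe_a`, `probe_b`, `debugger_seen` and the `verdict` enum are hypothetical stand-ins for `sub_401210` / `sub_401160` and the handler's outcomes.

```c
#include <stdio.h>

#define WM_COMMAND 0x111u  /* value the decompiled handler compares Msg against */
#define ID_BUTTON  100u    /* control id tested in the listing */

enum verdict { PASSED_ON = 0, REJECTED = 1, SERIAL_CHECKED = 2 };
typedef int (*check_fn)(void);

/* Hypothetical checks: return nonzero when a debugger is noticed. */
static int debugger_seen = 0;              /* constructed state for the demo */
static int check_a(void) { return debugger_seen; }
static int check_b(void) { return 0; }
static check_fn probe_a = check_a;
static check_fn probe_b = check_b;

/* Shape shown in the decompilation: the pointers are tested, nothing is called. */
enum verdict handle_as_decompiled(unsigned msg, unsigned wparam)
{
    if (msg != WM_COMMAND)
        return PASSED_ON;                  /* DefWindowProcW path */
    if (probe_a || probe_b)                /* non-null address: always true */
        return REJECTED;                   /* "Try harder!" + exit(0) */
    return (wparam & 0xFFFFu) == ID_BUTTON ? SERIAL_CHECKED : PASSED_ON;
}

/* Same handler with the checks called and their return values tested. */
enum verdict handle_with_calls(unsigned msg, unsigned wparam)
{
    if (msg != WM_COMMAND)
        return PASSED_ON;
    if (probe_a() || probe_b())
        return REJECTED;
    return (wparam & 0xFFFFu) == ID_BUTTON ? SERIAL_CHECKED : PASSED_ON;
}

int main(void)
{
    printf("no debugger, address test: %d\n", handle_as_decompiled(WM_COMMAND, ID_BUTTON));
    printf("no debugger, call test:    %d\n", handle_with_calls(WM_COMMAND, ID_BUTTON));
    debugger_seen = 1;
    printf("debugger,    call test:    %d\n", handle_with_calls(WM_COMMAND, ID_BUTTON));
    return 0;
}
```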
madlogik on 7:59 PM 11/14/2019: Thanks a lot juansacco and coyote_0x90.
I'll move on for now, but will come back here to see if someone has a solution that has no patching involved.
rmfla on 1:31 AM 11/17/2019: Thanks
drunkenmyno on 11:40 AM 11/21/2019: Maybe I'm wrong, but should this application be buffer overflowed to change the window handle?
omniarepair on 8:02 AM 11/23/2019: Patching saves you lots of time :)
juansacco on 8:33 PM 12/18/2019: It's not a buffer overflow as someone said below! But a crack-me and indeed you can use conditional debuggers to avoid some protections! Glad you like this one!
hlvd on 6:19 AM 12/19/2019: How can I unzip this file? Has a password been shared?
Vadym on 10:03 AM 12/21/2019: Let's look here about the archive password: https://crackmes.one/faq
0xC0FFEE on 8:31 PM 12/24/2019: I found the flag without the correct serial number? Is there a right way that involves the serial numbers?
mrT4ntr4 on 5:22 AM 01/20/2020: Tricks ;)
9heartache9 on 1:07 AM 03/06/2020:
    LRESULT __stdcall sub_4013F0(HWND hWndParent, UINT Msg, WPARAM wParam, LPARAM lParam)
    {
      int v4; // ST27C_4
      CHAR String; // [esp+B90h] [ebp-810h]
      unsigned int v7; // [esp+1390h] [ebp-10h]
      int savedregs; // [esp+13A0h] [ebp+0h]

      sub_41FC80();
      v7 = (unsigned int)&savedregs ^ __security_cookie;
      if ( Msg > 0x10 )
      {
        if ( Msg != 273 )
          return DefWindowProcW(hWndParent, Msg, wParam, lParam);
        sub_401350(v7);
        sub_4012C0();
        if ( sub_401210 || sub_401160 )
        {
          MessageBoxA(hWndParent, "Try harder! Muahahahaha..", "Exploit Pack - http://exploitpack.com", 0x40u);
          exit(0);
        }
        if ( (unsigned __int16)wParam == 100 )
        {
          v4 = GetWindowTextLengthW(hWnd);
          GetWindowTextA(hWnd, &String, v4 + 1);
          JUMPOUT(&loc_41CD62);
        }
      }
      else
      {
        switch ( Msg )
        {
          case 0x10u:
            DestroyWindow(hWndParent);
            break;
          case 1u:
            dword_423400 = (int)CreateWindowExA(
                                  0,
                                  "button",
                                  "Crack me!",
                                  0x50000000u,
                                  10,
                                  10,
                                  300,
                                  25,
                                  hWndParent,
                                  (HMENU)0x64,
                                  hInstance,
                                  0);
            hWnd = CreateWindowExA(0, "edit", &Src, 0x50800000u, 10, 45, 300, 25, hWndParent, (HMENU)0x65, hInstance, 0);
            dword_4233FC = CreateWindowExA(
                             0,
                             "edit",
                             "Solved? Email: ",
                             0x50000800u,
                             10,
                             75,
                             300,
                             225,
                             hWndParent,
                             (HMENU)0x66,
                             hInstance,
                             0);
            SetFocus(hWnd);
            break;
          case 2u:
            PostQuitMessage(0);
            break;
          default:
            return DefWindowProcW(hWndParent, Msg, wParam, lParam);
        }
      }
      return 0;
    }
Harshil55 on 6:38 PM 05/16/2020: It's easy, but the problem is removing the "Try harder".....
I need to patch. I didn't find the serial key but changed some instructions and exported them.
I need to load it every time I need to crack it..
Does anyone know the serial?