juansacco's ExploitPack-Challenge

Author:
juansacco

Language:
C/C++

Upload:
2019-11-01 12:00

Download

Platform:
Windows

Difficulty:
2.0

Quality:
4.0

Arch:
x86

Downloads:
4

Writeups:
0

Comments:
14

Description

Find the correct serial number to win the challenge! This crackme implements some basic protections to get you warm up :-) Rules: - Patched is not allowed! - Have fun!

Comments (14)
Writeups (0)

You must be logged in to post a comment

madlogik on 2019-11-13 14:02: So I found the flag when doing the disassembly, and it works when I hit the button... but I had to patch the exe to get through the IsDebuggerPresent and the other conditional jump above it. (and that is not allowed)... I'm assuming that security cookie must be a file it looks for ... potentially with those 25 numbers strings in it... but I would appreciate some help on how to truly understand it . Thanks a lot!

juansacco on 2019-11-13 18:50: To bypass for example isdebuggerpresent without patching you can use conditional breakpoints for example, great job madlogik!

coyote_0x90 on 2019-11-14 08:06: I found the flag, but I also had to patch out some conditional jumps. There's a check in the WNDPROC of the window for WM_COMMAND, and when it processes that message, it checks if some functions are 0 instead of calling them and checking the return value. dMsg = Msg; if ( Msg 0x10 ) { if ( dMsg != 0x111 ) // dMsg != WM_COMMAND return DefWindowProcW(hWndParent, Msg, wParam, lParam); set_rf_debug_resume_flag_func(); check_debug_registers_func(); if ( sub_401210 || sub_401160 ) // have to patch this out { MessageBoxA(hWndParent, "Try harder! Muahahahaha..", "Exploit Pack - http://exploitpack.com", 0x40u); exit(0); } v65 = (unsigned __int16)wParam; if ( (unsigned __int16)wParam == 100 ) { // ... } }

madlogik on 2019-11-14 19:59: Thanks a lot juansacco and coyote_0x90. I'll move on for now, but will come back here to see if someone has a solution that has no patching involved.

rmfla on 2019-11-17 01:31: Thanks

drunkenmyno on 2019-11-21 11:40: May i'am wrong but should this application be buffer overflowed to change the window handle ?

omniarepair on 2019-11-23 08:02: Patching saves you lots of time :)

juansacco on 2019-12-18 20:33: It's not a buffer overflow as someone said below! But a crack-me and indeed you can use conditional debuggers to avoid some protections! Glad you like this one!

hlvd on 2019-12-19 06:19: How can I unzip this file? Has any password shared for me?

Vadym on 2019-12-21 10:03: Lets look here about archive password https://crackmes.one/faq

0xC0FFEE on 2019-12-24 20:31: I found the flag without the correct serial number? Is there a right way that involves the serial numbers?

mrT4ntr4 on 2020-01-20 05:22: Tricks ;)

9heartache9 on 2020-03-06 01:07: LRESULT __stdcall sub_4013F0(HWND hWndParent, UINT Msg, WPARAM wParam, LPARAM lParam) { int v4; // ST27C_4 CHAR String; // [esp+B90h] [ebp-810h] unsigned int v7; // [esp+1390h] [ebp-10h] int savedregs; // [esp+13A0h] [ebp+0h] sub_41FC80(); v7 = (unsigned int)&savedregs ^ __security_cookie; if ( Msg 0x10 ) { if ( Msg != 273 ) return DefWindowProcW(hWndParent, Msg, wParam, lParam); sub_401350(v7); sub_4012C0(); if ( sub_401210 || sub_401160 ) { MessageBoxA(hWndParent, "Try harder! Muahahahaha..", "Exploit Pack - http://exploitpack.com", 0x40u); exit(0); } if ( (unsigned __int16)wParam == 100 ) { v4 = GetWindowTextLengthW(hWnd); GetWindowTextA(hWnd, &String, v4 + 1); JUMPOUT(&loc_41CD62); } } else { switch ( Msg ) { case 0x10u: DestroyWindow(hWndParent); break; case 1u: dword_423400 = (int)CreateWindowExA( 0, "button", "Crack me!", 0x50000000u, 10, 10, 300, 25, hWndParent, (HMENU)0x64, hInstance, 0); hWnd = CreateWindowExA(0, "edit", &Src, 0x50800000u, 10, 45, 300, 25, hWndParent, (HMENU)0x65, hInstance, 0); dword_4233FC = CreateWindowExA( 0, "edit", "Solved? Email: ", 0x50000800u, 10, 75, 300, 225, hWndParent, (HMENU)0x66, hInstance, 0); SetFocus(hWnd); break; case 2u: PostQuitMessage(0); break; default: return DefWindowProcW(hWndParent, Msg, wParam, lParam); } } return 0; }

Harshil55 on 2020-05-16 18:38: It's easy but problem is that to remove try harder..... I need to patch i didn't find serial key but changed some instructions and exported them. Need to load every time i need it to crack.. Any one knows serial?

You must be logged in to submit a writeup