Number of crackmes:
Number of writeups:
Comments:
| Name | Author | Language | Arch | Difficulty | Quality | Platform | Date | Writeups | Comments |
|---|
| Crackme | Infos |
|---|
| Comment | Link |
|---|---|
| this might help someone (example: create a hook or something like that) = https://github.com/avabuku681-creator/enjoy_offset-crackmes.one---praisetheveil- | ==> |
| Final: #define _CRT_SECURE_NO_WARNINGS #include #include #include const DWORD GETPASSWORD_OFFSET = 0x1dc1; const unsigned char ENCODED_DATA[25] = { 0x72, 0x70, 0x72, 0x76, 0x71, 0xb8, 0x76, 0xa0, 0x84, 0xbc, 0xbd, 0xb5, 0x87, 0x76, 0xbc, 0xb4, 0x73, 0x77, 0x75, 0xbc, 0x83, 0xa0, 0x76, 0x81, 0xa3 }; void* GetAddress(DWORD offset) { return (void*)((DWORD_PTR)GetModuleHandleA(nullptr) + offset); } void CalculateRealPassword(char* outputBuffer) { unsigned char buffer[75] = { 0 }; int idx = 0; for (int i = 0; i (8 - shift)) | (temp shift); buffer[i] = dynamicKey ^ buffer[i]; } strncpy_s(outputBuffer, 64, (char*)buffer, 64); } void PatchGetPassword() { BYTE* funcAddr = (BYTE*)GetAddress(GETPASSWORD_OFFSET); DWORD oldProtect; VirtualProtect(funcAddr, 200, PAGE_EXECUTE_READWRITE, &oldProtect); BYTE newCode[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x89, 0x4D, 0x10, 0x48, 0x8B, 0x4D, 0x10, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0x5D, 0xC3 }; *(void**)(newCode + 19) = (void*)CalculateRealPassword; memcpy(funcAddr, newCode, sizeof(newCode)); VirtualProtect(funcAddr, 200, oldProtect, &oldProtect); } // Функция для показа пасхалки Bobx DWORD WINAPI ShowBobxEasterEgg(LPVOID lpParam) { if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } system("cls"); printf("\n\n"); printf("===============================================\n"); printf(" BOBX SECRET EASTER EGG ACTIVATED!\n"); printf("===============================================\n"); const char* asciiArt = "BBBB OOO BBBB XX XX\n" "B B O O B B XXXX \n" "BBBB O O BBBB XX \n" "B B O O B B XXXX \n" "BBBB OOO BBBB XX XX\n"; printf("%s\n", asciiArt); const char* messages[] = { "Shoutout to Bobx!", "For Bobx ??? do not crack too fast ;)", "Respect, Bobx!", "Bobx detected? Maybe..." }; srand(GetTickCount()); int randomIndex = rand() % 4; printf(" %s\n", messages[randomIndex]); printf("\n"); printf(" Secret message unlocked!\n"); printf(" But the real challenge continues...\n"); printf("===============================================\n\n"); printf("Press ENTER to return to crackme..."); getchar(); // Восстанавливаем консоль system("cls"); printf("===============================================\n"); printf(" SECURE CRACKME CHALLENGE - ULTRA HARD\n"); printf(" BY BOBX\n"); printf("===============================================\n\n"); printf("[*] Security checks passed.\n"); printf("[*] System integrity verified.\n\n"); printf("[*] Enter password (or type 'about'): "); return 0; } HHOOK keyboardHook = nullptr; LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) { if (nCode = 0 && wParam == WM_KEYDOWN) { KBDLLHOOKSTRUCT* kbdStruct = (KBDLLHOOKSTRUCT*)lParam; // F1 if (kbdStruct-vkCode == VK_F1) { CreateThread(nullptr, 0, ShowBobxEasterEgg, nullptr, 0, nullptr); return 1; } // F2 else if (kbdStruct-vkCode == VK_F2) { char password[64]; CalculateRealPassword(password); if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } printf("\nCurrent Password: %s\n", password); return 1; } // Ctrl+Shift+B else if (kbdStruct-vkCode == 0x42 && // B GetAsyncKeyState(VK_CONTROL) & 0x8000 && GetAsyncKeyState(VK_SHIFT) & 0x8000) { CreateThread(nullptr, 0, ShowBobxEasterEgg, nullptr, 0, nullptr); return 1; } } return CallNextHookEx(keyboardHook, nCode, wParam, lParam); } DWORD WINAPI HookThread(LPVOID lpParam) { Sleep(1000); keyboardHook = SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, GetModuleHandle(nullptr), 0); MSG msg; while (GetMessage(&msg, nullptr, 0, 0)) { TranslateMessage(&msg); DispatchMessage(&msg); } return 0; } void Initialize() { PatchGetPassword(); } extern "C" __declspec(dllexport) void DummyExport() {} BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) { if (reason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); Initialize(); CreateThread(nullptr, 0, HookThread, nullptr, 0, nullptr); } else if (reason == DLL_PROCESS_DETACH) { if (keyboardHook) { UnhookWindowsHookEx(keyboardHook); } } return TRUE; } | ==> |
| I implemented a dll based on the following program: #define _CRT_SECURE_NO_WARNINGS #include #include #include const DWORD GETPASSWORD_OFFSET = 0x1dc1; const unsigned char ENCODED_DATA[25] = { 0x72, 0x70, 0x72, 0x76, 0x71, 0xb8, 0x76, 0xa0, 0x84, 0xbc, 0xbd, 0xb5, 0x87, 0x76, 0xbc, 0xb4, 0x73, 0x77, 0x75, 0xbc, 0x83, 0xa0, 0x76, 0x81, 0xa3 }; void* GetAddress(DWORD offset) { return (void*)((DWORD_PTR)GetModuleHandleA(nullptr) + offset); } void CalculateRealPassword(char* outputBuffer) { unsigned char buffer[75] = { 0 }; int idx = 0; // Собираем буфер из зашифрованных данных (как в оригинале) for (int i = 0; i (8 - shift)) | (temp shift); buffer[i] = dynamicKey ^ buffer[i]; } strncpy_s(outputBuffer, 64, (char*)buffer, 64); } void PatchGetPassword() { BYTE* funcAddr = (BYTE*)GetAddress(GETPASSWORD_OFFSET); DWORD oldProtect; VirtualProtect(funcAddr, 200, PAGE_EXECUTE_READWRITE, &oldProtect); BYTE newCode[] = { 0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x28, 0x48, 0x89, 0x4D, 0x10, 0x48, 0x8B, 0x4D, 0x10, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0x5D, 0xC3 }; *(void**)(newCode + 19) = (void*)CalculateRealPassword; memcpy(funcAddr, newCode, sizeof(newCode)); VirtualProtect(funcAddr, 200, oldProtect, &oldProtect); } void Initialize() { PatchGetPassword(); } void ShowPasswordInConsole() { Sleep(1000); char password[64]; CalculateRealPassword(password); if (!GetConsoleWindow()) { AllocConsole(); freopen("CONOUT$", "w", stdout); } printf(password); } DWORD WINAPI AutoInputThread(LPVOID lpParam) { ShowPasswordInConsole(); return 0; } extern "C" __declspec(dllexport) void DummyExport() {} BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) { if (reason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls(hModule); Initialize(); CreateThread(nullptr, 0, AutoInputThread, nullptr, 0, nullptr); } return TRUE; } I was too bored. Test it out | ==> |