Thursday, August 21, 2008

V!ctor's OneXor Dissected...:P

The trick behind solving this crackme lies in thinking along the same lines as the author. At first glance the code looks as if there is no way to reach the GoodBoy without patching:

00401106 /$ 33C0 XOR EAX,EAX
00401108 . 6A 00 PUSH 0
0040110A . 83F8 01 CMP EAX,1
0040110D 74 0C JE SHORT OneXor.0040111B
0040110F . 68 6E304000 PUSH OneXor.0040306E ; ASCII "OneXor by V!ctor "
00401114 . 68 B7304000 PUSH OneXor.004030B7 ; ASCII "Sorry, wrong password." //BadBoy!!!!
00401119 . EB 0A JMP SHORT OneXor.00401125
0040111B 68 6E304000 PUSH OneXor.0040306E ; ASCII "OneXor by V!ctor "
00401120 . 68 9B304000 PUSH OneXor.0040309B ; ASCII "This is right password!!!!!" //GoodBoy!!!!
00401125 > FF35 00314000 PUSH DWORD PTR DS:[403100] ; hOwner = 00070154 ('OneXor by V!ctor ',class='#32770')
0040112B . E8 3A000000 CALL ; \MessageBoxA
00401130 \. C3 RETN

As you can see, the only way to get to the GoodBoy would be to somehow reach the code at VA 40111B. But wait, something is still missing... ah yes, the PUSH 0 for the message box style. Now the thing to think about is that the author does not want a patched solution, which means he must have put that PUSH 0 and a JMP to 40111B somewhere. But where!!!!!! Only one easy way to find it.... a binary search of the memory. Press Alt+M, right-click in the Memory Map window, hit Search, enter 6A 00 E9, and in no time you find what you are looking for at VA 4000B0.
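As an added example (not part of the original post), here is a small Python script that automates the same search over a flat memory dump: it looks for the 6A 00 E9 pattern and decodes the JMP's rel32 displacement to see where each stub lands. The image bytes are constructed, with the stub's displacement computed so it matches the addresses quoted above; the 0x400000 image base is an assumption.

```python
import struct

IMAGE_BASE = 0x400000   # assumed: typical PE image base, consistent with the VAs in the post
GOODBOY_VA = 0x40111B   # from the listing: PUSH of "This is right password!!!!!"

PATTERN = b"\x6a\x00\xe9"   # PUSH 0 ; JMP rel32


def find_push0_jmp(image: bytes, base: int):
    """Scan a flat memory image for 'PUSH 0; JMP rel32' stubs.

    Returns a list of (stub_va, target_va) pairs. The JMP displacement is
    relative to the end of the 5-byte JMP, i.e. stub start + 7 bytes.
    """
    hits = []
    pos = image.find(PATTERN)
    while pos != -1:
        if pos + 7 <= len(image):
            rel32 = struct.unpack_from("<i", image, pos + 3)[0]
            stub_va = base + pos
            target_va = (stub_va + 7 + rel32) & 0xFFFFFFFF
            hits.append((stub_va, target_va))
        pos = image.find(PATTERN, pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed sample image: NOP filler with the stub at RVA 0xB0.

    The rel32 is computed so the JMP lands on GOODBOY_VA, matching the
    post's claim that the stub at VA 4000B0 reaches VA 40111B.
    """
    image = bytearray(b"\x90" * 0x200)
    stub_rva = 0xB0
    rel32 = GOODBOY_VA - (IMAGE_BASE + stub_rva + 7)
    image[stub_rva:stub_rva + 7] = PATTERN + struct.pack("<i", rel32)
    return bytes(image)


if __name__ == "__main__":
    for stub, target in find_push0_jmp(build_sample_image(), IMAGE_BASE):
        flag = "GoodBoy" if target == GOODBOY_VA else ""
        print(f"stub at {stub:08X} -> jumps to {target:08X} {flag}")
```

On a real dump you would replace build_sample_image() with the bytes read out of the debugger's memory map and keep only hits whose target is the GoodBoy VA.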

So it's clear that one good way of solving crackmes is to think along the same lines as the author.....:P
