11111 1 1111 11111 1 1 1 1 11111 1 11111 1 1 1 1 1 1 1111 1 1 11 1 1
1 1
1
11111
11
1
1
1111
1
1
1111
1 1
11111
1
1 1
11111
1
1
1
11 1 1
11111
11111
1 1
1111
1
1 1
1111
1
11
1
1
11
111
1 1
1111
1111
11111
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@
title : easycalc crackme
crack : find the password
tools : jack's cracker
level : easy [x]  medium [ ]  hard [ ]
###########################
this dos crackme asks us to insert a valid password. if the code isn't correct it shows the string "hey ... you're in the wrong way :(". ok. if we check the pe file, we see it has been packed with upx. after unpacking it (with upx too) we open it with olly and we find the bad string in the code. now we're here:

004012f9  .  8b45 f8        mov eax,dword ptr ss:[ebp-8]               ; ||||
004012fc  .  8945 f0        mov dword ptr ss:[ebp-10],eax              ; ||||
004012ff  .  c70424 901240> mov dword ptr ss:[esp],easycalc.00401290   ; ||||ascii "password :"
00401306  .  e8 55050000    call <jmp.&msvcrt.printf>                  ; |||\printf
0040130b  .  8d45 f4        lea eax,dword ptr ss:[ebp-c]               ; |||
0040130e  .  894424 04      mov dword ptr ss:[esp+4],eax               ; |||
00401312  .  c70424 9b1240> mov dword ptr ss:[esp],easycalc.0040129b   ; |||ascii "%d"
00401319  .  e8 32050000    call <jmp.&msvcrt.scanf>                   ; ||\scanf
0040131e  .  c70424 9e1240> mov dword ptr ss:[esp],easycalc.0040129e   ; ||
00401325  .  e8 36050000    call <jmp.&msvcrt.printf>                  ; |\printf
0040132a  .  8b45 f4        mov eax,dword ptr ss:[ebp-c]               ; | <-- put our password
0040132d  .  3b45 f0        cmp eax,dword ptr ss:[ebp-10]              ; | <-- compare our password with correct one
00401330  .  75 0e          jnz short easycalc.00401340                ; | <-- if our isn't the same, jump to bad string
00401332  .  c70424 a01240> mov dword ptr ss:[esp],easycalc.004012a0   ; |ascii "good work :)"
00401339  .  e8 22050000    call <jmp.&msvcrt.printf>                  ; \printf
0040133e  .^ eb b2          jmp short easycalc.004012f2
00401340  >  c70424 b01240> mov dword ptr ss:[esp],easycalc.004012b0   ; |ascii "hey... you're in the wrong way :(" <-- bad string
00401347  .  e8 14050000    call <jmp.&msvcrt.printf>                  ; \printf
0040134c  .^ eb a4          jmp short easycalc.004012f2

if we stop at address 0040132d and look at stack location [ebp-10], we find the correct password! (the debugger shows the value in memory as a hex number, and the program reads our input with "%d", so we have to convert it to a decimal number before entering it!) the correct password is : 34275591

p.s. there's a small bug in this file... try to insert a letter into the password and see the disaster ;-))) (the listing shows why: the return value of scanf is never checked before the code jumps back to 004012f2, and "%d" does not consume a non-numeric character, so the same failed read presumably repeats on every pass. checking scanf's result and discarding the rest of the input line would avoid it.)
special thanks to ingrid….. thank u my love :)