Cheat Engine The Official Site of Cheat Engine
john0312 Grandmaster Cheater
Reputation: 0
Joined: 07 Jan 2006 Posts: 713 Location: QW5nbGljYW4g SGlnaCBTY2 hvb2wgKD FMJzA1LD JMJzA2 KSwgU2l uZ2Fwb3 Jl
|
Posted: Mon Mar 05, 2007 12:11 am Post subject: |
|
|
x0r wrote: |
1. You spelled suing incorrectly.
2. The word "but" cannot be used to start any text. (as you did in your last sentence with the text in brackets) Nor do you capitalize the first word in bracketed text.
3. What are you going to do in retaliation, John? Raid my bank account?! |
1&2: THANKS! For the grammar correction(s)!
3: Teach you math!
_________________
Pardon me for my English, I failed them when I was in Primary School.
My blog: http://john0312.wordpress.com/
Windows Vista is bad, DO NOT USE! If you disagree, feel free to argue with me through PM, GTalk or MSN.
Ungreat Expert Cheater
Reputation: 0
Joined: 27 Feb 2007 Posts: 215
|
Posted: Mon Mar 05, 2007 12:17 am Post subject: |
|
|
Quote: | So, if you break in one of those functions, and rerun, it probably won't hit your break. Once you realize that and break on all of them, |
You simply need to look at the stack and BP right before the call to his semi-randomly chosen function. Then you just rerun and step into the algorithm :-/ Although the first algorithm still seems to be a dummy.
I just fed the parameter an address from the PE Header
Although I notice you put a bunch of code that seemingly does absolutely nothing (so that you do math then figure out that you didn't need to)
Easy to be able to always know where to go through the arithmetic, but I personally haven't even gone through all of it
_________________
Code: | mov r10, qword ptr [rsp+0A28h+arg_5F8]
shl rdx, 20h
mov r11, 7010008004002001h
or rax, rdx
mov rcx, r10
xor rcx, rax
lea rax, [rsp+0A28h+var_2C8] | Oh man, I'm getting too excited |
john0312 Grandmaster Cheater
Reputation: 0
Joined: 07 Jan 2006 Posts: 713 Location: QW5nbGljYW4g SGlnaCBTY2 hvb2wgKD FMJzA1LD JMJzA2 KSwgU2l uZ2Fwb3 Jl
|
Posted: Mon Mar 05, 2007 12:19 am Post subject: |
|
|
x0r wrote: |
Ok, let's start...
2 * 4 = 7? |
Yes! Smart boy!
Now factorize 902500741514911744795597682857932974663738117798516957863326199
_________________
Pardon me for my English, I failed them when I was in Primary School.
My blog: http://john0312.wordpress.com/
Windows Vista is bad, DO NOT USE! If you disagree, feel free to argue with me through PM, GTalk or MSN.
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
|
Posted: Mon Mar 05, 2007 12:24 am Post subject: |
|
|
Ungreat wrote: | Quote: | So, if you break in one of those functions, and rerun, it probably won't hit your break. Once you realize that and break on all of them, |
You simply need to look at the stack and BP right before the call to his semi-randomly chosen function. Then you just rerun and step into the algorithm :-/ Although the first algorithm still seems to be a dummy.
I just fed the parameter an address from the PE Header
Although I notice you put a bunch of code that seemingly does absolutely nothing (so that you do math then figure out that you didn't need to)
Easy to be able to always know where to go through the arithmetic, but I personally haven't even gone through all of it |
Well, the first function just converts the string into an integer, stolen from online -_-. Yeah, some of the math is a red herring, I thought it was pretty cool though: (random) shift right, shift left, leaves you with an even number, then modulo 2 makes it 0. But (screw x0r, I say but when I want) most of the math has an effect.
Yeah, once you figure out the random function choice it should be easy to circumvent. I was actually hoping it would look like it was dynamic, but oh well.
~nog_lorp
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |
Ungreat Expert Cheater
Reputation: 0
Joined: 27 Feb 2007 Posts: 215
|
Posted: Mon Mar 05, 2007 12:30 am Post subject: |
|
|
What would you define as looking dynamic?
At least you hid your arguments/parameters to the average noob (mov [esp],eax <- eax of course being the password).
Call EAX looked dynamic enough to me to BP it the first time; I was correct in doing so, as stated before ^^
_________________
Code: | mov r10, qword ptr [rsp+0A28h+arg_5F8]
shl rdx, 20h
mov r11, 7010008004002001h
or rax, rdx
mov rcx, r10
xor rcx, rax
lea rax, [rsp+0A28h+var_2C8] | Oh man, I'm getting too excited |
SunBeam I post too much
Reputation: 65
Joined: 25 Feb 2005 Posts: 4023 Location: Romania
|
Posted: Mon Mar 05, 2007 3:23 am Post subject: |
|
|
Next time don't use so many algorithms at all. I doubt you even know your own password -.-
Quote: | # 1st "layer"
MOV EAX,DWORD PTR SS:[EBP+8] //my key (considering the compared against is B1940, guess what we do next...)
XOR EAX,5555
NOT EAX
MOV DWORD PTR SS:[EBP+8],EAX
CALL <JMP.&msvcrt.rand>
# 2nd "layer"
MOV EAX,DWORD PTR SS:[EBP+8]
ADD EAX,EAX //eax*2
NOT EAX
MOV DWORD PTR SS:[EBP-4],EAX //put output in the buffer
CMP DWORD PTR SS:[EBP-4],0
JNS SHORT cracknog.00401376
ADD DWORD PTR SS:[EBP-4],3 //add 3 to it
MOV EDX,DWORD PTR SS:[EBP-4] //put result in EDX
SAR EDX,2 //sar it with 2
MOV EAX,EDX //and put it in EAX
SHL EAX,2 //then shl it with 2
ADD EAX,EDX //and dump it in EAX |
The compare is done against EAX (CMP EAX,DWORD PTR SS:[EBP-4])
I think this would be the way to solve it, correct my mistakes...
Quote: |
mov [ebp+8],b1940
mov edx,[ebp+8]
shl edx,2
mov eax,edx
shr eax,2
sub eax,edx
neg eax
sub eax,eax
neg eax
xor eax,5555
|
You fix it...
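The arithmetic of the quoted disassembly, modelled in C as an added example (not part of the original post and not the crackme's source). The function names are made up here, the JNS target is assumed to be the MOV EDX line, and only the instructions shown in the listing are modelled, not the final compare.

```c
#include <stdint.h>
#include <stdio.h>

/* Names below are hypothetical; only the arithmetic comes from the listing. */

/* 1st "layer": XOR EAX,5555 ; NOT EAX */
static uint32_t layer1(uint32_t key) { return ~(key ^ 0x5555u); }

/* XOR with a constant and NOT each undo themselves, so layer 1 is reversible. */
static uint32_t layer1_inv(uint32_t v) { return ~v ^ 0x5555u; }

/* 2nd "layer": ADD EAX,EAX ; NOT EAX. The doubling shifts bit 31 out. */
static int32_t layer2_buf(uint32_t v) { return (int32_t)~(v + v); }

/* SAR emulated portably (>> on a negative int is implementation-defined in C). */
static int32_t sar32(int32_t x, unsigned n) {
    uint32_t u = (uint32_t)x;
    return (int32_t)(x < 0 ? ~(~u >> n) : u >> n);
}

/* JNS / ADD 3 / SAR 2: the usual compiler idiom for signed x / 4.
   Without the +3 bias, SAR alone would round negatives toward -infinity. */
static int32_t sdiv4(int32_t x) {
    if (x < 0) x += 3;
    return sar32(x, 2);
}

/* MOV EAX,EDX ; SHL EAX,2 ; ADD EAX,EDX: q * 5 with 32-bit wraparound. */
static int32_t times5(int32_t q) {
    return (int32_t)(((uint32_t)q << 2) + (uint32_t)q);
}

/* Everything after the rand call, applied to the layer-1 output. */
static int32_t tail(uint32_t v) { return times5(sdiv4(layer2_buf(v))); }

int main(void) {
    uint32_t k = 0xB1940u; /* constant quoted in the post, used only as sample input */
    printf("layer1(%X) = %08X, inverted back = %X\n",
           (unsigned)k, (unsigned)layer1(k), (unsigned)layer1_inv(layer1(k)));
    printf("sar32(-7,2) = %d, sdiv4(-7) = %d, -7/4 = %d\n",
           (int)sar32(-7, 2), (int)sdiv4(-7), -7 / 4);
    /* Constructed inputs: distinct values that collapse to the same result. */
    printf("tail(2) = %d, tail(3) = %d\n", (int)tail(2u), (int)tail(3u));
    printf("buf(1) = %d, buf(0x80000001) = %d\n",
           (int)layer2_buf(1u), (int)layer2_buf(0x80000001u));
    return 0;
}
```

Layer 1 inverts exactly, but the doubling and the division by 4 both discard bits, so the listed arithmetic maps several inputs to one output and has no single-valued inverse.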
nog_lorp Grandmaster Cheater
Reputation: 0
Joined: 26 Feb 2006 Posts: 743
|
Posted: Mon Mar 05, 2007 9:35 am Post subject: |
|
|
Unsure if that is correct, I haven't solved it myself yet. But the end value it checks is taken from the initial value I input, so I know the solution. It's digits from an irrational mathematical constant.
~nog_lorp
_________________
Mutilated lips give a kiss on the wrist of the worm-like tips of tentacles expanding in my mind
I'm fine accepting only fresh brine you can get another drop of this yeah you wish |