Cheat Engine

[voidREMIX]

Obfuscation: High

This is just taste of the new crack me thats about to come. Just testing some anti debug tricks.


Patching is allowed. I rather you find the password then patch :/

[zart]

i'll try this in the morn

[voidREMIX]

Bump

[slippppppppp]

took me 5 seconds =P

00401161 : Push voidsrem.00409060

[voidREMIX]

Well thats a simple way of patching. I was thinking of changing jumps.

[SunBeam]

So far:

00401153 > /52 PUSH EDX
00401154 . |33D2 XOR EDX,EDX
00401156 . |BA 12000000 MOV EDX,12
0040115B . |83FA 12 CMP EDX,12
0040115E .^\75 F3 JNZ SHORT voidsRem.00401153
00401160 . 5A POP EDX
00401161 > 68 58904000 PUSH voidsRem.00409058 ; ASCII "Wrong"
00401166 . E8 6A020000 CALL voidsRem.004013D5
0040116B . 83C4 04 ADD ESP,4
0040116E . E9 71010000 JMP voidsRem.004012E4
00401173 > 68 60904000 PUSH voidsRem.00409060 ; ASCII "Win"
00401178 . E8 58020000 CALL voidsRem.004013D5
0040117D . 83C4 04 ADD ESP,4
00401180 . E9 5D010000 JMP voidsRem.004012E2
00401185 > 0C 80 OR AL,80
00401187 . 0C 70 OR AL,70
00401189 . 0C 60 OR AL,60
0040118B . 0C 50 OR AL,50
0040118D . 0C 40 OR AL,40
0040118F . 0C 30 OR AL,30
00401191 . 0C 20 OR AL,20
00401193 . 0C 10 OR AL,10
00401195 . 0C 00 OR AL,0
00401197 . 68 50134000 PUSH voidsRem.00401350
0040119C . 68 A0904000 PUSH voidsRem.004090A0 ; ASCII "Enter"

Looks pretty obvious Poke around the ORs

Here's the pattern:

00401148 . A3 68904000 MOV DWORD PTR DS:[409068],EAX
0040114D . 58 POP EAX
0040114E . E9 93010000 JMP voidsRem.004012E6
......
004012E6 >^\E9 9AFEFFFF JMP voidsRem.00401185
......
00401185 > /0C 80 OR AL,80
00401187 . |0C 70 OR AL,70
00401189 . |0C 60 OR AL,60
0040118B . |0C 50 OR AL,50
0040118D . |0C 40 OR AL,40
0040118F . |0C 30 OR AL,30
00401191 . |0C 20 OR AL,20
00401193 . |0C 10 OR AL,10
00401195 . |0C 00 OR AL,0

I suggest you take it backwards from 401195 up to 401185 to decode EAX Be back later, for now it's BEACH time for me

[Symbol]

oh yea is that ascii? :O
i never thought about it, im still learning from lena's tutorials i guess i havent learned this yet...
thats... PF<2(6t O_O
and its wrong... so yea im a complete failure at cracking =P
ill look at the code some more
oh yea i found the jmp to win, but it test register with itself and then je so i dont understand how can it jmp without patching O_o
or can it...?

[voidREMIX]

;D Sunbeam fell into my trap!


@Symbol

[SunBeam]

I glanced at it. Didn't fall into the trap. Chillax Too bad you had to "explain" yourself

[DeletedUser14087]

[voidREMIX]

Patched.

[SunBeam]

Maybe you explain these lines T_T

0040120A MOVSX EAX,BYTE PTR DS:[409A3C]
00401211 CMP EAX,DWORD PTR DS:[409068]

DS:[00409068]=0053A000
EAX=00000035

There's no way in hell that could be possible, unless you patch the program...

EDIT 1: Poking around that EDX, to see how to make it write 53A000 along with my test_key...

EDIT 2: How about

004012CC PUSH -1 ; /Timeout = INFINITE
004012CE CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep

Set a timeout of 1. Using the appropriate Sleep timeout will output the needed EDX for next piece of code to be used

EDIT 3: The password would be

[zart]

[SunBeam]

ROFL. Chexor this out





@zart: Chillax, Casper is only trolling

@void: That's all I can get. I dunno any "console KEYS" tricks, so spare me the thrill. Already mentioned the pass -> : | (with no spaces, since phpBB would turn it into a smilie -> )

[voidREMIX]

D: Faggotry.


BTW You use <-- smiley to much. Mind unblocking me from MSN D: