natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Tue Jan 25, 2011 9:57 pm Post subject: Try to find my password - [Episode 2]
Hello, i created my first "Password-me" a few years ago, when i was a beginner. ppl found the password 3 minutes later.
i created this one today in 30 minutes and i expect u guys to spend over 20 minutes to find the right password
Here is the [NEW] link:
http://localhostr.com/file/sXmXUjt/PasswordMeeeh.rar
Last edited by natanreis1 on Sun Jan 30, 2011 10:46 am; edited 1 time in total
natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Fri Jan 28, 2011 3:41 pm
Is it that hard o.o?
atom0s Moderator
Reputation: 204
Joined: 25 Jan 2006 Posts: 8581 Location: 127.0.0.1
Posted: Sun Jan 30, 2011 6:58 am
Got time to check this out, not sure if there is something wrong with it though.
Password I got was: 200211000
Reads calendar info, didn't really look into what it did with it though. However the app crashes after entering the password, doesn't give the fail box though.
_________________
- Retired.
natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Sun Jan 30, 2011 10:45 am
ok. this is not the password, but the application should not crash when u type a strange string. so I re-compiled it, with a better Checker.
zile Advanced Cheater
Reputation: 0
Joined: 11 Jul 2009 Posts: 75
Posted: Thu Feb 24, 2011 1:53 am
is it close to J0XH0 ? thats what i got lol but it doesnt seem to work :X
natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Thu Feb 24, 2011 6:42 pm
no it's not the password and it isn't close to the right password either.
natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Sun Mar 27, 2011 7:54 pm
the password is : 4725656
Hans Henrik Expert Cheater
Reputation: 0
Joined: 18 Feb 2007 Posts: 178
Posted: Fri Jul 22, 2011 8:42 pm
seems the password is a memory pointer to a function..ik9ok
going to bed, good night x
_________________
Im not around.
im almost never checking the forum anymore
natanreis1 Cheater
Reputation: 1
Joined: 01 Apr 2008 Posts: 44 Location: Somewhere over the rainbow
Posted: Sun Jul 31, 2011 10:46 pm
yep, it is a pointer to a LoadForm Function, but it isn't impossible to find the password, if you reverse it u might see that there is a function after IsBadReadPtr that compares the first few bytes to check if the "pointer" is the right one, so if u search those few bytes in CE you would find like 50 addresses, and then find the right pointer by using the pro's ultimate cracking method -> Testing
Hans Henrik Expert Cheater
Reputation: 0
Joined: 18 Feb 2007 Posts: 178
Posted: Mon Aug 01, 2011 3:51 am
natanreis1 wrote: u might see that there is a function after IsBadReadPtr that compares the first few bytes to check if the "pointer" is the right one
yeap, that's what i saw
_________________
Im not around.
im almost never checking the forum anymore
atom0s Moderator
Reputation: 204
Joined: 25 Jan 2006 Posts: 8581 Location: 127.0.0.1
Posted: Mon Aug 01, 2011 1:29 pm
natanreis1 wrote: the password is : 4725656
Gunna assume this isn't the real answer due to the picture.
I got a chance to take a second look at this and there are actually several solutions. Probably not what you intended but because of how it's programmed there are more than 1 password.
Passwords:
4428852 - Instantly closes the app but is correct.
4425299 - Crashes the app but is correct.
4428868 - Instantly closes the app but is correct.
4428881 - Instantly closes the app but is correct.
4428894 - Instantly closes the app but is correct.
4429063 - Crashes the app but is correct.
4429079 - Crashes the app but is correct.
4429263 - Crashes the app but is correct.
4429387 - Crashes the app but is correct.
4434180 - Crashes the app but is correct.
4434489 - Crashes the app but is correct.
4434507 - Crashes the app but is correct.
4434860 - Crashes the app but is correct.
4435027 - Crashes the app but is correct.
4437212 - Crashes the app but is correct.
<and a bunch more>
I didn't take the time to find the correct one cause there's about 50 more of them that match the byte check. Making it more of a hassle to find than a challenge.
Byte check is:
Code:
00481BD8 $ 55 PUSH EBP
00481BD9 . 8BEC MOV EBP,ESP
00481BDB . 83C4 F8 ADD ESP,-8
00481BDE . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00481BE1 . 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
00481BE4 . 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
00481BE7 . 8A03 MOV AL,BYTE PTR DS:[EBX]
00481BE9 . 3C A1 CMP AL,0A1
00481BEB . 75 2A JNZ SHORT Password.00481C17
00481BED . 8A43 01 MOV AL,BYTE PTR DS:[EBX+1]
00481BF0 . 3C 00 CMP AL,0
00481BF2 . 75 23 JNZ SHORT Password.00481C17
00481BF4 . 8A43 02 MOV AL,BYTE PTR DS:[EBX+2]
00481BF7 . 3C 58 CMP AL,58
00481BF9 . 75 1C JNZ SHORT Password.00481C17
00481BFB . 8A43 03 MOV AL,BYTE PTR DS:[EBX+3]
00481BFE . 3C 48 CMP AL,48
00481C00 . 75 15 JNZ SHORT Password.00481C17
00481C02 . 8A43 04 MOV AL,BYTE PTR DS:[EBX+4]
00481C05 . 3C 00 CMP AL,0
00481C07 . 75 0E JNZ SHORT Password.00481C17
00481C09 . BA 01000000 MOV EDX,1
00481C0E . C745 F8 010000>MOV DWORD PTR SS:[EBP-8],1
00481C15 . EB 10 JMP SHORT Password.00481C27
00481C17 > 31D2 XOR EDX,EDX
00481C19 . C745 F8 000000>MOV DWORD PTR SS:[EBP-8],0
00481C20 . EB 05 JMP SHORT Password.00481C27
00481C22 .^E9 71FFFFFF JMP Password.00481B98
00481C27 > 90 NOP
00481C28 . 8B01 MOV EAX,DWORD PTR DS:[ECX]
00481C2A . 59 POP ECX
00481C2B . 59 POP ECX
00481C2C . 5D POP EBP
00481C2D . C3 RETN
Which is:
I say the above passwords are 'correct' in the sense they validate through your byte check but crash the app. They might not be the solutions but they do pass the 'is this correct?'.
If anyone is that bored here is a full list of any of the addresses it could be, just convert the address to decimal and enter it as the password:
_________________
- Retired.
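The byte check posted above, restated in C as an added example that is not part of the thread and not the challenge's source: it shows why a five-byte comparison accepts every address where those bytes occur. The image buffer, its base address 0x00439000 and the planted offsets are constructed for illustration, and the IsBadReadPtr call mentioned in the thread is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The five bytes the posted routine compares at [EBX]..[EBX+4].
   As x86 they decode to MOV EAX,DWORD PTR DS:[00485800]. */
static const uint8_t CHECK[5] = {0xA1, 0x00, 0x58, 0x48, 0x00};

/* Same decision as the routine at 00481BD8: 1 if all five bytes match. */
int byte_check(const uint8_t *p) {
    return memcmp(p, CHECK, sizeof CHECK) == 0;
}

/* Scan a mapped image and record every virtual address that would pass.
   Each address, written in decimal, is an accepted "password". */
size_t find_candidates(const uint8_t *img, size_t len, uint32_t base,
                       uint32_t *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + sizeof CHECK <= len; off++)
        if (byte_check(img + off)) {
            if (n < max) out[n] = base + (uint32_t)off;
            n++;
        }
    return n;  /* total matches, may exceed max */
}

/* Constructed sample: 0x90 filler with the pattern planted at three offsets. */
size_t demo(uint32_t *out, size_t max) {
    static uint8_t img[0x100];
    static const size_t planted[] = {0x10, 0x54, 0xF0};
    memset(img, 0x90, sizeof img);
    for (size_t i = 0; i < 3; i++)
        memcpy(img + planted[i], CHECK, sizeof CHECK);
    img[0x80] = 0xA1;            /* near miss: only the first byte matches */
    return find_candidates(img, sizeof img, 0x00439000u, out, max);
}

int main(void) {
    uint32_t hits[8];
    size_t n = demo(hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("0x%08X -> password %u\n", (unsigned)hits[i], (unsigned)hits[i]);
    return 0;
}
```

A check that is meant to identify one specific function has to compare enough of it (or a hash of it) to be unique within the image; five bytes of a common instruction are not.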