CrackMe® Practices for Newbies
PROJECT 8: Conquer by MisterE

Re: Joseph's Battles three and four are done
Friday, 19-Mar-99 05:40:31

    Greetings to all,

    Although Battle one was easily fought and won, Battle two still eludes me, mainly because I was not able to locate the enemy troops and my arsenal seems to be ineffective in bringing them into the open. But there were more victories on other fronts, and Battles three and four were fought hard and brought to a victorious conclusion. I already told you how I fought Battle one and here is my strategy for the last two:

    Throwing caution to the wind and not heeding the advice of MisterE, I went ahead and used W32dasm to fight all Battles, and here is how it was done.
    After careful study of the assembly code and the imported function calls, I spotted the function call IsDlgButtonChecked and decided to break on it. In W32dasm you have to find all the occurrences of this call and place a break on each of them, since you will never know which one will be the first to be called. This is one of the disadvantages of W32dasm. I guess in SoftIce one bpx IsDlgButtonChecked will do the job. Anyhow. After you run Conquer, bring up the window for Battle three, check some boxes and click on the Try This Combination button, the program will break on the IsDlgButtonChecked call and you will land on 4018DC and will see the following snippet of code:

    :004018D4 682D010000 push 0000012D
    :004018D9 FF7508 push [ebp+08]

    * Reference To: USER32.IsDlgButtonChecked, Ord:0187h
    |
    :004018DC E88D050000 Call 00401E6E
    :004018E1 6683F801 cmp ax, 0001
    :004018E5 0F852B010000 jne 00401A16

    It is very important to pay attention to what is pushed on the stack just before the call is made. The first of the two pushes above is the most important. There is a series of those calls and you must go through all of them successfully in order to win the game. Please note that the jne 00401A16 is the bad cracker jump. If you are familiar with Assembly code you will easily figure out what is happening and you will be able to check the correct boxes.


    Battle four was fought with the same weapons and the same break on IsDlgButtonChecked. But checking the correct boxes is not enough here. You have to provide a username, a valid serial number and a validation code number, and that requires some skills, but let me get you started. Again, after you run the program and check Battle four you will get the Battlefield window. After providing the information which you think is correct and checking the Fight button you should land at 401654 and see the following snippet of code:

    :0040164C 68C8020000 push 000002C8
    :00401651 FF7508 push [ebp+08]

    * Reference To: USER32.IsDlgButtonChecked, Ord:0187h
    |
    :00401654 E815080000 Call 00401E6E
    :00401659 6683F802 cmp ax, 0002
    :0040165D 0F85BF010000 jne 00401822
    :00401663 6A00 push 00000000
    :00401665 6A00 push 00000000
    :00401667 6847010000 push 00000147

    Again, please pay attention to the values pushed on the stack before the call is made. Here also there is a series of those calls and you should go through all of them successfully to reach the final stage. Perhaps I should note here that the jump to 401822 is the bad cracker jump. In the previous sentence I said the final stage and not the end, and that is where the real fun begins. And this begins after the last successful check of the buttons is made and you come to this section of code:

    :0040178E 33C0 xor eax, eax
    :00401790 A034364000 mov al, byte ptr [00403634]
    :00401795 8A253A3A4000 mov ah, byte ptr [00403A3A]
    :0040179B C1E010 shl eax, 10
    :0040179E 8A2535364000 mov ah, byte ptr [00403635]
    :004017A4 A03B3A4000 mov al, byte ptr [00403A3B]
    :004017A9 8A1D36364000 mov bl, byte ptr [00403636]
    :004017AF 8A3D3C3A4000 mov bh, byte ptr [00403A3C]
    :004017B5 C1E310 shl ebx, 10
    :004017B8 8A3D37364000 mov bh, byte ptr [00403637]
    :004017BE 8A1D3E3A4000 mov bl, byte ptr [00403A3E]
    :004017C4 33C3 xor eax, ebx
    :004017C6 8BD8 mov ebx, eax
    :004017C8 C1EB08 shr ebx, 08
    :004017CB 80FF7F cmp bh, 7F
    :004017CE 7603 jbe 004017D3
    :004017D0 80C782 add bh, 82
    :004017D3 80FF21 cmp bh, 21
    :004017D6 7303 jnb 004017DB
    :004017D8 80C720 add bh, 20
    :004017DB 80FB7F cmp bl, 7F
    :004017DE 7603 jbe 004017E3
    :004017E0 80C382 add bl, 82
    :004017E3 80FB21 cmp bl, 21
    :004017E6 7303 jnb 004017EB
    :004017E8 80C320 add bl, 20
    :004017EB C1E308 shl ebx, 08
    :004017EE 02D8 add bl, al
    :004017F0 331D3D3A4000 xor ebx, dword ptr [00403A3D]
    :004017F6 321D3B3C4000 xor bl, byte ptr [00403C3B]
    :004017FC 0BDB or ebx, ebx
    :004017FE 7522 jne 00401822

    This is where the validation code number is calculated in the most ingenious and interesting manner. Believe it or not, this code is calculated not only from the username, as most do, but from the username and the code itself. You figure it out; I find it very hard to explain, although I know how it is done. Maybe some time later, when I am less tired, I will venture an explanation. This is all for now. Good luck.

    Best regards,

    Joseph
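The check Joseph lists at 0040178E..004017FE, re-traced in Python one instruction at a time (an added example, not part of Joseph's post or of the Conquer crackme itself). The memory bytes are constructed, and nothing is assumed about which buffer holds the username and which holds the serial; only the addresses the listing reads are used.

```python
# Added example: emulate the validation snippet from the W32dasm listing.
# SAMPLE_MEM is constructed; the real program's buffer contents are unknown here.
MASK32 = 0xFFFFFFFF

def set_al(r, v): return (r & 0xFFFFFF00) | (v & 0xFF)          # write low byte
def set_ah(r, v): return (r & 0xFFFF00FF) | ((v & 0xFF) << 8)   # write second byte

def validation_check(mem):
    """Return the final EBX; the good path is taken only when it is zero
    (the `or ebx, ebx` / `jne 00401822` pair at the end of the listing)."""
    def dword(a):  # little-endian 32-bit read, as `dword ptr [a]` does
        return mem[a] | (mem[a + 1] << 8) | (mem[a + 2] << 16) | (mem[a + 3] << 24)
    eax = 0                                          # xor eax, eax
    eax = set_al(eax, mem[0x403634])                 # mov al, byte ptr [00403634]
    eax = set_ah(eax, mem[0x403A3A])                 # mov ah, byte ptr [00403A3A]
    eax = (eax << 16) & MASK32                       # shl eax, 10
    eax = set_ah(eax, mem[0x403635])                 # mov ah, byte ptr [00403635]
    eax = set_al(eax, mem[0x403A3B])                 # mov al, byte ptr [00403A3B]
    ebx = 0          # EBX is not cleared by the program, but its old upper
    ebx = set_al(ebx, mem[0x403636])                 # 16 bits are shifted out by
    ebx = set_ah(ebx, mem[0x403A3C])                 # the shl below, so 0 is equivalent
    ebx = (ebx << 16) & MASK32                       # shl ebx, 10
    ebx = set_ah(ebx, mem[0x403637])                 # mov bh, byte ptr [00403637]
    ebx = set_al(ebx, mem[0x403A3E])                 # mov bl, byte ptr [00403A3E]
    eax ^= ebx                                       # xor eax, ebx
    ebx = eax >> 8                                   # mov ebx, eax / shr ebx, 08
    bh, bl = (ebx >> 8) & 0xFF, ebx & 0xFF
    if bh > 0x7F: bh = (bh + 0x82) & 0xFF            # cmp bh,7F / jbe / add bh,82
    if bh < 0x21: bh = (bh + 0x20) & 0xFF            # cmp bh,21 / jnb / add bh,20
    if bl > 0x7F: bl = (bl + 0x82) & 0xFF            # same two adjustments for bl
    if bl < 0x21: bl = (bl + 0x20) & 0xFF
    ebx = set_al(set_ah(ebx, bh), bl)
    ebx = (ebx << 8) & MASK32                        # shl ebx, 08
    ebx = set_al(ebx, (ebx & 0xFF) + (eax & 0xFF))   # add bl, al
    ebx ^= dword(0x403A3D)                           # xor ebx, dword ptr [00403A3D]
    ebx = set_al(ebx, ebx ^ mem[0x403C3B])           # xor bl, byte ptr [00403C3B]
    return ebx

def passes(mem):
    return validation_check(mem) == 0

# Constructed sample memory (ASCII "ABCD" and "1234567" at the addresses read).
SAMPLE_MEM = {0x403634: 0x41, 0x403635: 0x42, 0x403636: 0x43, 0x403637: 0x44,
              0x403A3A: 0x31, 0x403A3B: 0x32, 0x403A3C: 0x33, 0x403A3D: 0x34,
              0x403A3E: 0x35, 0x403A3F: 0x36, 0x403A40: 0x37, 0x403C3B: 0x00}

if __name__ == "__main__":
    print(hex(validation_check(SAMPLE_MEM)), passes(SAMPLE_MEM))
```

Changing one input byte and re-running shows which register byte it lands in, which is the quickest way to see how the three buffers are mixed before the final xor.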

