CrackMe® Practices for Newbies
PROJECT 5: zipfile.exe

iCe's Thread
Monday, 08-Feb-99 23:28:22
    205.241.43.93 writes:

    I'm not sure I'm glad that EB gives me credit for this idea. I may be put before the firing squad before all is said and done.
    I have waited for this to come out so I have no insight except for tonight's attempt.

    Hmemcpy was my first breakpoint attempt and as always was successful to a degree. I can't use so I tried and counted until something happened. After 28 times I returned to the "you blew it" nag. This isn't what I wanted to happen.
    I re-enabled my breakpoint and searched for the string (my PW). I found it in quite a few but only 4 notable places. They are notable because they repeated. They were:
    30:80916032 - 038
    30:C31B6A0E - A15 ---> I think this one is bogus
    30:D098A032 - 038 ---> a pattern?
    DS:00000372 - 378 ---> This was interesting but the next time I reran the program DS = 30.

    I don't like that kind of coincidence so I dropped the Hmemcpy breakpoint and fired WDASM up. Since I am still trying to learn assembly I went straight to the dead list and looked for references to API calls. I found some.
    I liked these 4 API calls for breakpoints:
    GetMessageBoxA ---> SiCe didn't like this one
    LSTRLENA ----> I like this one
    LSTRCMPA ----> Another ok API call
    GetDlgItemTextA --> another perennial favorite.

    Before I get started on new breakpoints I thought I would run good old Task and see just what was going on behind my back. The most notable thing was Zipfile. Hwnd Zipfile wasn't particularly helpful, but then I'm tired so I may have missed something. Maybe tomorrow I'll try a BPR RW.

    I cleared my Hmemcpy breakpoint and set a BPX on all four APIs listed above. "If you go huntin, you may as well use all yer bullets" BD * then , Input my PW, Be *, , Enter and SiCe breaks with the LSTRLENA API call. It counts the string length and eventually pops on GetDlgItemTextA. There were a lot of Pushes going on at some point in the trace (I know, I know I should have taken notes but it's getting late. I'll do better tomorrow) so I Dumped
    and I found my PW. I set a BPR on this range. As I through (I still haven't got to Zipfile yet.) I noticed that the 3rd and 4th letter of my PW are missing. This particular time it was iCetexas and the e and t were missing.
    I'll run this down tomorrow and see what happens.

    Good luck all


    iCe

