GordonBM Expert Cheater Reputation: 0
Joined: 06 Jul 2007 Posts: 205
atom0s Moderator Reputation: 202
Joined: 25 Jan 2006 Posts: 8552 Location: 127.0.0.1
Posted: Fri Aug 13, 2010 3:00 pm
Does the button do anything after it's enabled? I enabled it; the only thing that changed is that every time the application starts, I get a message box saying:
'DETECTED!!! NO CHEATING!!!'
Some info behind the buttons property:
Code:
IL_0000: 3802000000 br IL_0007
IL_0005: 26 pop
IL_0006: 16 ldc.i4.0
IL_0007: 00 nop // <== IL_0000
IL_0008: 02 ldarg.0 // ARG: This
IL_0009: 734B00000A newobj Void System.Windows.Forms.Button::.ctor()
IL_000E: 6F33000006 callvirt Void CrackmeButton.Form1::set_Button1(Class System.Windows.Forms.Button)
IL_0013: 00 nop
IL_0014: 02 ldarg.0 // ARG: This
IL_0015: 6F4C00000A callvirt Void System.Windows.Forms.Control::SuspendLayout()
IL_001A: 00 nop
IL_001B: 02 ldarg.0 // ARG: This
IL_001C: 6F32000006 callvirt Class System.Windows.Forms.Button CrackmeButton.Form1::get_Button1()
IL_0021: 16 ldc.i4.0 // <-- This is the FALSE flag for the button.
IL_0022: 6F4D00000A callvirt Void System.Windows.Forms.Control::set_Enabled(Boolean)
After locating the above, just hex edit the file to patch the lines to force the set_Enabled to pass true instead. (True is 0x17 if you are wondering.)
Two patches to make what I said above happen:
Offset 0x00000F05 -> Change 0x16 to 0x17
Offset 0x000010DF -> Change 0x16 to 0x17
GordonBM Expert Cheater Reputation: 0
Joined: 06 Jul 2007 Posts: 205
Posted: Fri Aug 13, 2010 3:18 pm
Nice job, but you must get rid of that message box so that if you press the free candy button nothing happens. You might also have noticed that after that message box pops up, the button is disabled again.
atom0s Moderator Reputation: 202
Joined: 25 Jan 2006 Posts: 8552 Location: 127.0.0.1
Posted: Fri Aug 13, 2010 3:48 pm
GordonBM wrote:
Nice job, but you must get rid of that message box so that if you press the free candy button nothing happens. You might also have noticed that after that message box pops up, the button is disabled again.
Figured. Nothing hard to fix though; give me a few minutes, I need to reinstall my VM since it's being slow.
As for the button being re-disabled, the second offset I mentioned above prevents the button from getting disabled after the message box.
Either way, just need to nop out the message box or alter the 'is-enabled' check.
Edit :: Completed.
Ok since you said the button does nothing after it's enabled and clicked, should be finished now. No real point in posting the patched executable so I'll just post the information behind what needs to be done.
Basic gist of what is done at startup; this is pseudocode:
Code:
' VB.NET rendering of the Load handler as the IL shows it (handler name assumed).
' MsgBox arguments follow the IL: prompt "NO CHEATING!!!", style 0, title "DETECTED!!".
Private Sub Form1_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    If Button1.Enabled Then
        MsgBox("NO CHEATING!!!", MsgBoxStyle.ApplicationModal, "DETECTED!!")
    End If
    If Button1.Enabled Then
        Button1.Enabled = False
    End If
End Sub
The button's Enabled property is set to false in the resource as well, so there are two edits that need to be done for it with how the code is set up. The first being the actual property when the button is created, the second being after the check of whether it's enabled.
On creation we have:
Code:
IL_0013: 00 nop
IL_0014: 02 ldarg.0 // ARG: This
IL_0015: 6F4C00000A callvirt Void System.Windows.Forms.Control::SuspendLayout()
IL_001A: 00 nop
IL_001B: 02 ldarg.0 // ARG: This
IL_001C: 6F32000006 callvirt Class System.Windows.Forms.Button CrackmeButton.Form1::get_Button1()
IL_0021: 16 ldc.i4.0
IL_0022: 6F4D00000A callvirt Void System.Windows.Forms.Control::set_Enabled(Boolean)
Which says to set the button's Enabled flag to false when it's created. You can change the param 0x16 from false to true, which is 0x17.
Next we find the code that detects the buttons state when the form loads which is:
Code:
IL_0007: 00 nop // <== IL_0000
IL_0008: 02 ldarg.0 // ARG: This
IL_0009: 6F32000006 callvirt Class System.Windows.Forms.Button CrackmeButton.Form1::get_Button1()
IL_000E: 6F6100000A callvirt Boolean System.Windows.Forms.Control::get_Enabled()
IL_0013: 0A stloc.0
IL_0014: 06 ldloc.0
IL_0015: 3911000000 brfalse IL_002B
IL_001A: 720F010070 ldstr "NO CHEATING!!!"
IL_001F: 16 ldc.i4.0
IL_0020: 722D010070 ldstr "DETECTED!!"
IL_0025: 286200000A call ValueType Microsoft.VisualBasic.MsgBoxResult Microsoft.VisualBasic.Interaction::MsgBox(System.Object, ValueType Microsoft.VisualBasic.MsgBoxStyle, System.Object)
IL_002A: 26 pop
IL_002B: 02 ldarg.0 // ARG: This ; <== IL_0015
IL_002C: 6F32000006 callvirt Class System.Windows.Forms.Button CrackmeButton.Form1::get_Button1()
IL_0031: 6F6100000A callvirt Boolean System.Windows.Forms.Control::get_Enabled()
IL_0036: 0A stloc.0
IL_0037: 06 ldloc.0
IL_0038: 390D000000 brfalse IL_004A
IL_003D: 02 ldarg.0 // ARG: This
IL_003E: 6F32000006 callvirt Class System.Windows.Forms.Button CrackmeButton.Form1::get_Button1()
IL_0043: 16 ldc.i4.0
IL_0044: 6F4D00000A callvirt Void System.Windows.Forms.Control::set_Enabled(Boolean)
IL_0049: 00 nop
Which, as you can see, checks if it's enabled; if true, tells us about it, then forces the button back to disabled.
So three patches are used to achieve the goal:
Offset 0x00000F05:
0x16 to 0x17 (False to true property patch.)
Offset 0x000010DF:
0x16 to 0x17 (False to true property patch, after message box and check.)
Offset 0x000010B1:
0x39 to 0x3A (Boolean compare to button enable property.)
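As an added example (not code from the thread or from the crackme), here is a Python patcher that applies the three patches above by searching for the surrounding IL byte patterns instead of writing to hard-coded offsets, and that checks the byte at each site before touching it. The metadata tokens it matches on (get_Button1 06000032, set_Enabled 0A00004D, get_Enabled 0A000061) are taken from the dumps above and are specific to this build; the sample image it runs against is constructed here from those dumps with zero filler, laid out so the sites fall on 0xF05, 0x10B1 and 0x10DF as listed.

```python
"""Pattern-based patcher for the three CrackmeButton IL patches discussed above.

Added example, not code from the thread. It locates each patch site by the IL
bytes around it instead of trusting fixed file offsets, checks the byte it is
about to overwrite, and refuses to run if a pattern matches the wrong number of
times. The metadata tokens below are copied from the dumps and belong to that
particular binary; the sample image is constructed from the same dumps.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ECMA-335 single-byte opcodes involved
LDC_I4_0, LDC_I4_1 = 0x16, 0x17   # push 0 (False) / push 1 (True)
BRFALSE, BRTRUE = 0x39, 0x3A      # branch if zero / if non-zero, int32 displacement
CALLVIRT, LDSTR = 0x6F, 0x72
STLOC_0, LDLOC_0 = 0x0A, 0x06
WILD = None                       # wildcard for the four displacement bytes
# callvirt operands (little-endian metadata tokens) from the dumps
GET_BUTTON1 = [0x32, 0x00, 0x00, 0x06]   # 06000032 Form1::get_Button1
SET_ENABLED = [0x4D, 0x00, 0x00, 0x0A]   # 0A00004D Control::set_Enabled
GET_ENABLED = [0x61, 0x00, 0x00, 0x0A]   # 0A000061 Control::get_Enabled


@dataclass(frozen=True)
class Patch:
    name: str
    pattern: Tuple[Optional[int], ...]  # bytes identifying the site; None matches any byte
    index: int                          # position in the pattern of the byte to change
    old: int
    new: int
    expected_hits: int                  # patch only if exactly this many sites match


PATCHES = [
    # callvirt get_Button1 ; ldc.i4.0 ; callvirt set_Enabled   ->   set_Enabled(True)
    # Hits both sites from the thread (0xF05 in InitializeComponent, 0x10DF after the
    # check) but not the dead ldc.i4.0 at IL_0006 or the MsgBoxStyle argument.
    Patch("set_Enabled(False) -> set_Enabled(True)",
          tuple([CALLVIRT] + GET_BUTTON1 + [LDC_I4_0, CALLVIRT] + SET_ENABLED),
          index=5, old=LDC_I4_0, new=LDC_I4_1, expected_hits=2),
    # callvirt get_Enabled ; stloc.0 ; ldloc.0 ; brfalse <disp32> ; ldstr   ->   brtrue
    # Only the check guarding the MsgBox is followed by ldstr; the second check
    # (followed by ldarg.0) stays as it is, matching the thread's patch at 0x10B1.
    Patch("brfalse -> brtrue before MsgBox",
          tuple([CALLVIRT] + GET_ENABLED + [STLOC_0, LDLOC_0, BRFALSE] + [WILD] * 4 + [LDSTR]),
          index=7, old=BRFALSE, new=BRTRUE, expected_hits=1),
]


def find_all(data: bytes, pattern: Tuple[Optional[int], ...]) -> List[int]:
    """Every offset at which pattern matches data (None entries match any byte)."""
    n = len(pattern)
    return [i for i in range(len(data) - n + 1)
            if all(p is None or data[i + k] == p for k, p in enumerate(pattern))]


def apply_patches(data: bytes, patches: List[Patch] = PATCHES) -> Tuple[bytes, Dict[str, List[int]]]:
    """Return (patched image, {patch name: offsets changed}); raise on any mismatch."""
    buf = bytearray(data)
    applied: Dict[str, List[int]] = {}
    for p in patches:
        hits = find_all(buf, p.pattern)
        if len(hits) != p.expected_hits:
            raise ValueError(f"{p.name}: expected {p.expected_hits} site(s), "
                             f"found {len(hits)} at {[hex(h) for h in hits]}")
        applied[p.name] = []
        for h in hits:
            off = h + p.index
            if buf[off] != p.old:    # never overwrite a byte we did not expect
                raise ValueError(f"{p.name}: byte at {off:#x} is {buf[off]:#x}, not {p.old:#x}")
            buf[off] = p.new
            applied[p.name].append(off)
    return bytes(buf), applied


def build_sample_image() -> bytes:
    """Constructed stand-in for CrackmeButton.exe: zero filler plus the two IL bodies
    from the dumps, placed so the patch sites land on the offsets quoted in the thread."""
    init_component = bytes.fromhex(      # InitializeComponent, IL_0000..IL_0026
        "3802000000" "26" "16" "00" "02" "734B00000A" "6F33000006" "00" "02"
        "6F4C00000A" "00" "02" "6F32000006" "16" "6F4D00000A")
    form_load = bytes.fromhex(           # Load handler, IL_0007..IL_0049 as dumped
        "00" "02" "6F32000006" "6F6100000A" "0A" "06" "3911000000"
        "720F010070" "16" "722D010070" "286200000A" "26"
        "02" "6F32000006" "6F6100000A" "0A" "06" "390D000000"
        "02" "6F32000006" "16" "6F4D00000A" "00")
    img = bytearray(0x1200)
    img[0xEE4:0xEE4 + len(init_component)] = init_component   # IL_0021 -> file 0xF05
    img[0x10A3:0x10A3 + len(form_load)] = form_load           # IL_0015 -> file 0x10B1
    return bytes(img)


if __name__ == "__main__":               # usage: patch.py CrackmeButton.exe patched.exe
    src, dst = sys.argv[1:3]
    out, where = apply_patches(open(src, "rb").read())
    open(dst, "wb").write(out)
    for name, offs in where.items():
        print(name, [hex(o) for o in offs])
```

Run it as `python patch.py CrackmeButton.exe patched.exe`. Because every pattern carries the callvirt token on both sides of the byte being changed and demands an exact hit count, a bare search for 0x16 can't go wrong here: the dead ldc.i4.0 at IL_0006 and the one that feeds MsgBoxStyle are never touched, and on a rebuilt binary with different tokens the script fails loudly instead of patching the wrong place.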
GordonBM Expert Cheater Reputation: 0
Joined: 06 Jul 2007 Posts: 205
Posted: Fri Aug 13, 2010 4:30 pm
*Claps*
Very very nice indeed!
I will be releasing a new crackme with string encryption, obfuscation and compression, and probably anti-debugging too.
atom0s Moderator Reputation: 202
Joined: 25 Jan 2006 Posts: 8552 Location: 127.0.0.1
Posted: Fri Aug 13, 2010 4:37 pm
Only thing I would say is make the button do something in the next one if you plan to use buttons. Just make the end result part of the application, since just enabling a button isn't really much of a crackme. And it not doing anything kinda leaves the person cracking clueless as to whether they completed the objective.
GordonBM Expert Cheater Reputation: 0
Joined: 06 Jul 2007 Posts: 205
Posted: Fri Aug 13, 2010 4:48 pm
Wiccaan wrote:
Only thing I would say is make the button do something in the next one if you plan to use buttons. Just make the end result part of the application, since just enabling a button isn't really much of a crackme. And it not doing anything kinda leaves the person cracking clueless as to whether they completed the objective.
Alright man, no problem.