Liar Liar

Some of you are using the search to find the other applications. I created a page with the links to the posts
you can see it by clicking here

This application is nothing like what you would encounter when reversing a real application and is the reason that I have decided not to continue to application 11 (in app 11 the password is hidden below the button you need to maximize the app window to see it)
However I will take requests and post solutions for any others that your having problems with so leave a comment or email.

For this application your going to need VB  Decompiler and Olly and as usual the application from HTS.

Start by studying the application, enter a password and then click proceed to get the error 404 message – i got a little suspicious here because I’ve never seen an application return a 404 error unless its being used to get information from the internet and I didn’t get a message from my firewall that it wanted internet access

Open VBD and load app10win into it and then Decompile.
click on the code section and take a little look at the code, the label has quite alot of it. which is strange for a label.
so its obvious that the label isn’t acting like a label at all.
What you need to do is pretty much the same thing as you did for application four, assemble the push from the command button to jump to the label
so make a note of the VA’s and open Olly and load app10win into it.

In the disassembler window press Ctrl and G then go to the VA for the command button and change the PUSH EBP to JMP 4049E0 (the VA for the label)
press F9 to run the program and then press the proceed button again.

As with all these applications there is more then one way to solve them, for ecample we could have used windowjuggler (olly plugin) to find the ‘label’ and click on it
if you dnt have windowjuggler for your olly you can google it.  you can use it to solve app11 too by using it to maximise the apllications window.

I hope you enjoyed and understood these few walk alongs.  I will be adding other crackme’s and maybe even some real applications
any questions or requests can be e-mailed or over IRC — irc.freedom-uplink.net or click here for the java

Bleepy Bleepy

I was torn between writing this and just leaving it, this challenge can’t be learnt from and only requires out of the box thinking to complete.  The reason I am going ahead with this is because it will give you a chance to grab Numega SmartCheck and add it to your list of cracking tools (if you haven’t already got it).

This application requires you to match the sound that it plays – its impossible because the frequency it plays is different to the frequencies it allows you to choose.
The goal here is simple, you must change the frequencies.

The tools you will need are SmartCheck (linked above) and a Hex Editor

Open SmartCheck and then click file and open app9win.
Now click program and then start.
The application will run and you will see some activity in SmartCheck that tells you the Form1 was created and loaded and then Timer1_timer was started.
Close the application because the timer continues and we don’t need it anymore.
Double click on Form1_load and also on Timer1_timer.  You will notice two sets of three string values 200 600 1100 and 100 500 1000 because the application plays three different sounds you can assume these are the frequencies and because the three command buttons each play a different sound,  you can assume that the other set is their frequencies.
Now you know what values needs to be changed you can close SmartCheck

Open your hex editor and drag app9win into it.
Time to search for the values you need to change so click the binoculars (or edit find) and enter the values.
The reason you can’t find them is because they are displayed like .1.0.0. the quickest way to find them is to change your Type box from Text String to Hex Values
Hopefully you already know that the Hex value for 1 is 31 and for zero its 30 the ‘dots’ are represented by 00 and NOT 2E so the value you have to search for is:
3100300030 and as you can see it enters it in the text value.
OR
You could search for ‘timer1‘ and scroll down
Once you have changed the values to match click file and save as app9win2.exe run the new application to see what happens.

Flashy Flashy

In an effort to keep to a simple path I have decided not to write anything for App 7.  I believe that there is no simple way to explain all of the steps in a way that someone who is just starting out will be able to follow and after all that is the reason I started writing these.
For those that care, there is a good tutorial for brute forcing it here, if you just want the password then right click here then click view source and search for app7pass

For this application all you need is OllyDbg and of course you need to get app8win from HTS.

As always start by looking at the application and take some notes.  I noticed that when I entered a code the application simply exited and that after the first six numbers were entered the seventh number didn’t show up.
This could mean that the password is six numbers long and the seventh number you enter will always close the application.

Open Ollydbg then drag and drop app8win into it.
Then take a look at the referenced text strings ( right click in the disassembler window and select search for and then all referenced text strings) scroll down and you will come to this:
0040747B  |   MOV DWORD PTR SS:[EBP-2D4],app8win.00405650    |   UNICODE “Correct! The Magic Number is: “
Right click on this and then click to follow in disassembler and you should pop up here:
00407460     .  C785 9CFBFFFF>MOV DWORD PTR SS:[EBP-464],app8win.0040569C              ;  UNICODE “Correct!”
0040746A    .  89B5 94FBFFFF MOV DWORD PTR SS:[EBP-46C],ESI
00407470     .  FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>]         ;  MSVBVM60.__vbaVarDup
00407476     .  B8 94564000   MOV EAX,app8win.00405694
0040747B    .  C785 2CFDFFFF>MOV DWORD PTR SS:[EBP-2D4],app8win.00405650             ;  UNICODE “Correct! The Magic Number is: “

As you can see this is where we want the program to go so to find out why it doesn’t come here scroll up and and look for the usual suspects
like this:
00407152    .  FF15 10104000         CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVarList>]        ;  MSVBVM60.__vbaFreeVarList
00407158    .  83C4 4C                    ADD ESP,4C
0040715B    .  66:83BD 68FBF      CMP WORD PTR SS:[EBP-498],0
00407163    .  0F84 5D050000       JE app8win.004076C6
The program does a compare and then jumps way past the code we want so highlight the JE and press F2 to set a break point and then run the program
You will have to minimize OllyDbg to see the application, when you press a number the program will break at the JE
The program is already comparing the number we enter to see if its the valid password.  This means that the number could be anything from 1 to 6 numbers long but that doesn’t matter because you should already realise that if the program doesn’t jump this next bit of code it will display the ‘correct’ message
Higlight the JE and then right click and select assemble then change the JE to NOP make sure the box to fill with NOP’s is selected press F2 again to remove your breakpoint and then press F9.

This method is obviously not the method that HTS intended people to use but often the best solution is the simplest.
If you feel like you could find out the true code to enter by going backwards in the code and following along as it compares the entered numbers to the valid ones
I will tell you that the valid code is six numbers long and produces the same outcome as NOPing the JE.

Cloney Cloney

Application six is disapointing, I honestly hope that if you have read the App Five then you have compleated this one already because its exactly the same the only differences are the password and some code above the CMP is self modifying

I will just cover the differences here as it would be a waste of time to write the full walk along again.

Because the code is self modifying  (the application writes the code when it starts running) you must first run the application in olly then right click and search for referenced text strings

when you land at the invalid password if you scroll up a little you will notice that the code is strange looking, simply right click in the disassembler window and click analysis and then analyse code
Again you need to set breakpoints on the CMP and RETN and assemble the JE to JMP – then just enter 123456789 as the password and press enter
use your Hex to ASCII to get the correct password.

Dos'y Dos'y

To follow along with this you will need OllyDbg and some Hex to ACSII conversion and of course you will need app5win from HTS.

This application, unlike the others, is console (or DOS) based and because of this you may have run into a problem.
When you enter a password and the application closes without telling you its invalid or valid.

There are two ways that you can deal with this but for flow and consistency we will only be looking at one
If you have the required tools then lets begin

After having a brief look at the application it doesn’t give a lot information to work with.
The error message appears very quickly and the program exits or there is no error message and the
program exits because the password is wrong

Open OllyDbg, drag and drop app5win into it.

Right click in the disassembler window and click search for and then click all referenced text strings
There isn’t alot here so right away you should notice this:
00401022      PUSH app5win.00407030                                   ASCII “Please enter the password:”
004010C9     PUSH app5win.0040704C                                   ASCII “Invalid Password”
004010E0      PUSH app5win.00407060                                   ASCII “The password is %sn”
As you can see the program must display invalid password and then close very quickly
Right click on the Invalid Password line and then Follow In Disassembler
You should jump here:
004010C3   |. |3B4495 E8        |CMP EAX,DWORD PTR SS:[EBP+EDX*4-18]
004010C7   |. |74 11                  |JE SHORT app5win.004010DA
004010C9   |. |68 4C704000   |PUSH app5win.0040704C                                         ;  ASCII “Invalid Password”
You should be able to see right away that the compare (CMP) decides if we get the invalid password error
Hopefully it is also obvious to you that the loop code from VA 0040109A to VA 004010DA is the routine that will compare
the password you enter to the correct password.
The loop code just above this at VA 00401054 to VA 00401084 collects the password that you have entered and as you can see here:
00401080   |.  837D E4 10    |CMP [LOCAL.7],10
00401084   |.^ 72 CE             JB SHORT app5win.00401054
It will run this 16 times – 10 in Hex (h) is 16 in decimal (d)

That should be enough of an overview to give you an idea of what needs to be done
First you need to make sure that you will always jump the bad error so assemble the JE SHORT app5win.004010DA
to JMP SHORT app5win.004010DA
Secondly, because we know the CMP above this will hold the valid password and the invalid one highlight it and press F2 to set a breakpoint
Finally, because we know that the program exits very quickly set another break point at the RETN at VA 004010F2

Run the program and enter 1234567890ABCDEF (16 chars long because the ‘get input password’ loop runs 16 times)
You will break at |CMP EAX,DWORD PTR SS:[EBP+EDX*4-18] if you look at the pane just below the disassembler window
you will see the following:
Stack SS:[0012FF74]=65776F70
EAX=34333231
Using your Hex to ASCII conversion you should be able to figure out what is going on here so make some notes and press F9
it will look as if nothing has happened because you will break again almost right away, notice though that the information in the pane
has changed now.  You will need to do this at least twice more because as you can see the compare is only comparing 4 chars at a time (4×4=16)
Once you break at the RETN click back onto the application window:

copy copy?

The reason that it shows the password that you already entered as the correct one is because the program has no choice but to display this message.  To get it to show the right password (the one it compares to yours) you would have to enter that one but it is pointless.

The password that it compares to the password that you put in is the password that you must enter on the HTS site.
** I hope you remembered that the compare was going from right to left and so the correct password starts powe and not ewop.

Bangy Bangy

This game is on the top of my ‘I can’t wait to play it’ list, its only a small list, I feel like most games are just re done with the same thin story lines behind them.

I have a feeling that Battlefield Heroes will play a  lot like TFC2 but with the added bonus of player controlled vehicles and the third person camera (also the game will be free)
you should head over to the website and put yourself down for a beta key I wouldn’t hold my breath though as the waiting list seems to be huge.. the only way to ensure you get a beta key is to pre-order a server, then you get sixteen of them.

So apart from being free, cartoonish and sexy looking whats new about this game? .. I’m glad you asked..
rather then just playing as a random squad member your playing as a Hero, you get to design the way your hero looks and acts! you also get a special ‘hero ability’ and there are unlockables (because we all love those)

ok so its not so different from games on the market at the moment, but you wont need to upgrade your graphics or ram to play this, in fact compared to the latest games you’d be surprised at the minimum requirements:

• Operating System: Windows XP or Windows Vista
• CPU: 1.0 GHz
• RAM: 512 Mb (1Gb on Windows Vista)
• Video Card: 64Mb DirectX compliant video card with at least pixel shader 2.0 support
• Hard Drive space: 1Gb of space is required to install the game
• Internet connection: 256kbit Cable/DSL connection

the chances are that when it comes closer to the release date (whenever that might be) the requirements will go up, but hopefully not a whole lot.

I think the reason this game appeals to me is because I really like the other battlefield games and with the cartoon style look and feel there will be a new gamer age group allowed to play, it might not be a good thing, but at least the little tykes wont be running around throwing the same old clechés out at me ‘OMG NOOB !!11 GET LIF’
and who knows this might inspire other games developers to create something less taxing on the pocket.

Buggy Buggy

Unlike the previous applications in this series of challenges, this one cannot be done with a hex editor and requires, at least, some knowledge of assembly language, you can get the required understanding from watching some of the Lena tutorials that I have linked for your convenience or by just reading some papers on it.

This walk-a-long assumes that you already have ollyDbg or another debugger of your choice, you’ll also need to get yourself a VB de-compiler you can download the lite version of VB D here and of course you’ll need App4win.exe from HTS.

For the rest of these tutorials I’ll assume that you’ve opened the app and taken a few notes about it
We obviously need to click one of the buttons.however they switch to a disabled state when the mouse moves above them

Open VB Decompiler and drag and drop app4win into the file name bar or just click file and open it that way.
Once the app has decompiled you need to click code then form1 so that you can see the VA’s of the command buttons
Make a note of the addresses for either command1 or command2 you should understand that we only need to press one of these buttons so there isn’t a need to patch both of them.

If we had the Pro version of VB D we could do the editing here rather then in olly.
Open OllyDbg and drag and drop app4win into it, before we run it we need to set breakpoints on the command button addresses.
press ctrl + G to bring up the goto expression window and put the first address in then hit enter, you should jump to this point:
00402AD0    > 55            PUSH EBP
Press f2 to set a brakepoint and then do the same again with the other addresses, then hit run (f9) and move your mouse over a button.

At this point olly will have “broken” the program at one of your breakpoints.
Click [B] ( at the top of olly  ) then right click and disable all of the breakpoints.
You should realise that if we don’t change the programs behavior at this VA then it will continue and disable the button
Make the program jump to the first address of the command button, hopefully you’ll understand why.
To do this right click PUSH EBP and select assemble, now change it to JMP 402AD0 tick to fill with NOPs then hit ok, hit cancel and press f9.

You could save your changes and dump, but its pointless for this application.
Alternatively there are programs and even plugins for OllyDbg (Window Juggler) that allow you to just re-enable buttons, I will add a walk along using one of these tools some other time.

Sneaky Sneaky

Welcome to the third installment of HTS app cracking, as with the last two apps you will need a HEX editor

Those of us who took the time to read at least one of the other walk-a-longs should have already grabbed app3win.exe from HTS and hopefully have already given it a try for ourselves. (those that did I hope it went well and if not it soon will I’m sure)

We have the tool we need, and the application to crack, so lets get to it

The first thing we do is look at the application
Putting 11111 and authenticating does as we expect, the error and its using an Internet check again.
Open HEX workshop and drag and drop app3win.exe into it

As before we’ll search for part of the error message, so binoculars at the ready!
The first thing you, hopefully, noticed was /missions/application/app3/auth.php?key=
This time the application is using a php file to verify our serial, we wont be able to work out how it calculates the serial or if it compares it to a list.
The thing to note here is that the calculation or compare IS done in the php and not in the application (The php must tell the application that the key is good or bad)

Lets scroll up the code and look at the error message
as you can see:
false…………………..Status: Serial invalid……..
true……………………Status: Validated.
The program gets a true or false and then displays the good or bad error
I hope you have already worked out what needs to be done.

Change the true to false and the false to true. (click in the code before true and start typing, it will over-write the code, then do the same for false)
you should get the following
false…………………..Status: Validated
true……………………Status: Serial invalid
You need to save your changes for them to take effect, click file and save.

It should be obvious what these changes will do (if the php tell our program the serial is false then we get the good message)
If you haven’t watched any of the Lena tuts then I suggest you watch a couple because in App Four we will be using Ollydbg to change the way the program behaves.  you should know that you wont be able to use your HEX editor for the next application.

Hexy Hexy

If you read the previous installment in the HTS App section then you will already have a hex editor if not grab Hex Workshop here. also you’ll want to grab app2win from hack this site

Hopefully if you followed along with App One then you will have already tried this, maybe you even successfully found the serial! if not then don’t worry.

Lets get cracking

As always lets take a look at the application.
The first thing to notice is that it needs to communicate with the Internet to verify the serial but there is no need
to allow it internet access in your firewall settings
Again use the serial 11111111 and notice that its the same error message as the first app
Open hex editor and drag app2win.exe into it.

First click edit and find, search for part of the error message and take a little look at the text.
The sending request is under the error message, and if you look a little further down you should see a GET command
The program goes to a text file on the Internet and compares our serial then gives us the error message.
Lets go to the url that the program is getting the serial from
*GET /application/app2/keys123.txt HTTP/1.1………………….Host: hackthissite.org
The host has to be at the start, then the /application

There are other ways to do this
EG:  if you didn’t have permission to view the file you could replace the host with your own and upload a
keys123.txt file with 11111111

Hacky Hacky

I was talking to a friend (hi Andy) about how he was doing with the Lena tutorials, he said that he’d been following along ok and decided to give some of the apps a go at HTS (hack this site)
unfortunately he didn’t get very far.   The reason for this is pretty simple, its not because he doesn’t fully understand how to use a debugger, or that he doesn’t really understand ASM,  the reason is that he is over complicating it.

You can download the first application from HTS
You will also need a hex editor you can grab HEX Workshop from here, its an epic little editor that I always seem to have three copies of for some unknown reason.

Lets get cracking

The first thing to do is to take a look at it the application.
Run it, enter a serial code and authenticate then take a few notes on what the error says

Open hex workshop and drag and drop app1win.exe into it when its opened
Click edit then find (ctrl + F .. or click the binoculars)
Change the type from hex values to text string and then, in the value bar, enter part of the error message
that you made a note of and click find.
You should come to this – Sorry, you entered an incorrect serial number. Please re-enter. now just scroll up

As simple as that,  in a nutshell the program compares the bad serial with the good ones then displays the error
You can highlight any of the good ones and then copy and paste it into the application serial box.

There isn’t much to learn from this and  I highly doubt that you will ever use this method to crack a real application.