Topic: "CrackIt's + insert Code" (page 1 of 2)

magdeburg
Hi,

I have already solved a few crackits (on this site and on others), and in some cases you had to brute-force the password. Up to now I always copied the code and wrote my own assembler program which brute-forces the algorithm, supplying the function with all possible numbers/characters and comparing the output.

However, it would be smarter to insert a "bruteforcetheinput" method into the crackme itself.
I have already tried this a few times and it worked wonderfully!!

But sometimes I have some really annoying problems which I would like to discuss here:
Let's consider this fragment of a crackme:



This is the end of a small crackme from another site. What I intend to do now is to insert some code with Olly's nice assemble function.
Suppose I would like to add the following (this is just some random code, it shouldn't make any sense...) at 0040112C:



Till here everything looks fine.
Now I just mark the new code -> right click -> Copy to executable -> All modifications -> close the window -> save the file with a new name.
But when I reload this new file I get this:



But this is only sometimes the case (actually mostly, to be precise).
But why????? There must be an explanation. Does anyone have an idea???
Thank you for any illuminating replies.

- magdeburg
Edited by magdeburg on 11.07.2006 16:12:37
unstable
It would be easier for us if you provided a link to the crackit. I can only speculate, but maybe the virtual size of the section is too small?
magdeburg
Ok, let's take Inferno's ASM-Crackit 1.

Here we go:





unstable
It's the virtual size. The virtual size of that section is 0x0214, so the code you insert falls outside of the section. If you want to fix it, get a tool like Stud_PE or LordPE or any other tool capable of PE editing, and increase the virtual size.
magdeburg
Wow, thank you!!! I will try it.
Gome
You can also solve the problem in OllyDbg: just right-click and tell it to interpret the bytes as commands next time. Then re-analyse and voilà, your code is back.
magdeburg
Stud_PE is really a great tool! I can only recommend it.
After some hours of research concerning an executable's sections and their sizes and offsets you really have a great weapon for solving crackits (especially when you are too lazy to reverse them :D)

(My favourite way is to simply create a new section at the end of the file. Then you have enough space to insert unrestricted brute-force algorithms :P)
Edited by magdeburg on 12.07.2006 08:07:48
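As an added example (not code from this thread, and not Stud_PE or LordPE), the script below does in Python what the two fixes discussed above amount to: it parses the PE section table, reports whether a patch at a given RVA falls inside the section's VirtualSize or only inside its on-disk padding (the case unstable diagnosed), raises VirtualSize so the bytes count as part of the section, and alternatively appends a new section at the end of the file (the approach magdeburg prefers). The PE image it operates on is constructed inline to mirror the numbers in the thread, a .text section with VirtualSize 0x214 and SizeOfRawData 0x400; the insert address 0x1200, the NOP stub standing in for a brute-force routine, the section name ".bf", and the rest of the header layout are assumptions for the demo, not taken from Inferno's crackit.

```python
"""Added example: inspect and fix the PE section table around inline-patched code.
Image constructed inline to mirror the thread (.text VirtualSize 0x214 < raw 0x400)."""
import struct

SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
SEC_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes
SEC_SIZE = struct.calcsize(SEC_FMT)
align = lambda n, a: (n + a - 1) // a * a

def build_sample_pe():
    """Constructed minimal PE32: headers in 0x200 bytes, .text at RVA 0x1000, raw 0x200..0x600."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # i386, 1 section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<IIII", opt, 16, 0x1000, 0x1000, 0, 0x400000)   # EntryPoint, BaseOfCode, BaseOfData, ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    text = struct.pack(SEC_FMT, b".text\0\0\0", 0x214, 0x1000, 0x400, 0x200,
                       0, 0, 0, 0, SCN_CODE | SCN_EXEC | SCN_READ)
    image = bytearray(dos + b"PE\0\0" + coff + opt + text)
    image += bytes(0x200 - len(image))                      # pad headers to FileAlignment
    image += b"\xC3" + bytes(0x3FF)                         # 'ret' at entry, then raw padding
    return image

def _header_info(image):
    """(e_lfanew, file offset of the first section header, NumberOfSections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    return e_lfanew, e_lfanew + 24 + opt_size, nsec

def sections(image):
    """Yield (header offset, fields) for each section header."""
    _, first, nsec = _header_info(image)
    for i in range(nsec):
        off = first + i * SEC_SIZE
        f = struct.unpack_from(SEC_FMT, image, off)
        yield off, {"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                    "rva": f[2], "rawsize": f[3], "rawptr": f[4]}

def check_patch(image, rva, length):
    """'inside': within VirtualSize and file-backed; 'past_virtual_size': on disk but
    beyond VirtualSize (the thread's failure); 'outside': not file-backed by any section."""
    end = rva + length
    for _, s in sections(image):
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["rawsize"]):
            if end <= s["rva"] + min(s["vsize"], s["rawsize"]):
                return "inside", s["name"]
            return ("past_virtual_size" if end <= s["rva"] + s["rawsize"] else "outside"), s["name"]
    return "outside", None

def rva_to_offset(image, rva):
    """File offset backing `rva` (what Olly's 'Copy to executable' has to compute)."""
    for _, s in sections(image):
        if s["rva"] <= rva < s["rva"] + s["rawsize"]:
            return s["rawptr"] + rva - s["rva"]
    raise ValueError("RVA %#x is not file-backed" % rva)

def grow_virtual_size(image, name, new_vsize):
    """Fix 1 (unstable's advice): raise VirtualSize, capped at SizeOfRawData since
    anything beyond that has no file bytes behind it."""
    for off, s in sections(image):
        if s["name"] == name:
            new_vsize = min(new_vsize, s["rawsize"])
            struct.pack_into("<I", image, off + 8, new_vsize)   # VirtualSize field follows the 8-byte name
            return new_vsize
    raise KeyError(name)

def add_section(image, name, data, chars=SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE):
    """Fix 2 (magdeburg's preferred way): append a new section holding `data` at the
    end of the file.  Needs room in the header area for one more 40-byte entry."""
    e_lfanew, first, nsec = _header_info(image)
    opt = e_lfanew + 24
    sec_align, file_align = struct.unpack_from("<II", image, opt + 32)
    hdr_off = first + nsec * SEC_SIZE
    if hdr_off + SEC_SIZE > struct.unpack_from("<I", image, opt + 60)[0] or len(name) > 8:
        raise ValueError("no room for another section header, or name longer than 8")
    last = list(sections(image))[-1][1]
    rva = align(last["rva"] + max(last["vsize"], last["rawsize"]), sec_align)
    rawptr, rawsize = align(len(image), file_align), align(len(data), file_align)
    image[hdr_off:hdr_off + SEC_SIZE] = struct.pack(
        SEC_FMT, name.encode().ljust(8, b"\0"), len(data), rva, rawsize, rawptr, 0, 0, 0, 0, chars)
    struct.pack_into("<H", image, e_lfanew + 6, nsec + 1)                       # NumberOfSections
    struct.pack_into("<I", image, opt + 56, align(rva + len(data), sec_align))   # SizeOfImage
    image += bytes(rawptr - len(image)) + data + bytes(rawsize - len(data))
    return rva

def demo():
    """Walk the thread's scenario; returns the classifications so they can be checked."""
    image = build_sample_pe()
    stub = b"\x90" * 0x40               # assumed stand-in for the brute-force routine
    rva = 0x1200                         # assumed insert address in .text's raw padding
    before = check_patch(image, rva, len(stub))
    off = rva_to_offset(image, rva)
    image[off:off + len(stub)] = stub    # bytes reach the file, but sit past VirtualSize
    grow_virtual_size(image, ".text", rva - 0x1000 + len(stub))
    after = check_patch(image, rva, len(stub))
    new_rva = add_section(image, ".bf", stub)
    return before, after, new_rva, check_patch(image, new_rva, len(stub)), len(image)
```

Running `demo()` classifies the 0x1200 patch as past_virtual_size before the fix and inside after VirtualSize is raised to 0x240, then lands the same stub in a fresh section at RVA 0x2000. The new section is marked writable as well as executable so a brute-force loop can keep its counters next to its code; on a real target, also check that SizeOfHeaders leaves room for the extra 40-byte header, which is exactly what Stud_PE handles for you when it appends a section.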
rayden5
Ola,

Yes, inline brute-forcing is a common way of solving *easy* crackits. Even if they are packed and encrypted you could still use a system debugger like SI to inject your code, but in many cases (especially math crackmes) it's just a waste of time, since you will never BF a 16-char password or 2 * 2^32 nested loops ;)

Ray
bb
Also if the code you have inserted is not referenced (by either a call or a jump) then Olly won't disassemble it. Well, that's a terribly simple way of putting it, but you get the idea :)

bb
unknown user
Whether or not Olly disassembles it doesn't really matter... "the code is not garbled", it's just interpreted differently.
Just wait until you step into the code and hit Ctrl+A.


Inline brute-forcing is indeed a standard trick in the book; several of my examples are in the "discussion afterwards" fora. I kinda wonder if this is the best place.
