
Gr. crackme: >>KongFuZi<<


evaluator
June 8th, 2010, 08:37
woah!
These 2 days I forced myself to burn out this crackme.
The idea came quite a while ago, but I refused to show it, bcoz of bUstard brute-force.
Thusly, yesterday I built VM-like code, which IMHO prevents brute-force.

I will put it also on CrackmesDe.

Ya.. also: let's temporarily not discuss it.
It is a personal challenge.
If it stays unresolved for quite a time, then start the discussion. OK?

disavowed
June 8th, 2010, 23:54
I've solved it.
Sending my solution to evaluator...

andrewl
June 9th, 2010, 01:32
interesting work as usual ... this file does no execution into KEY file region (respecting intended DEP)

[Attachment deleted at request of evaluator. JMI]

evaluator
June 9th, 2010, 02:23
disavowed, your solution REJECTED :P

andrewl, you are near..
but, can't you all read DAMN Source!!??

evaluator
June 9th, 2010, 02:43
andrewl, you should not post it open. now others can EAT your finding!
moderator, please, hurry & remove the attachment!

andrewl
June 9th, 2010, 08:01
yea yea we can read the source...

Code:
; KongFuZi said: "The hardest thing of all is to find a black cat in a dark room, especially if there is no cat."
; Lets break this!
; THINK, how to burn non existent string for MsgBox:
; "You have found a Black Cat in a Dark Room, although the cat was not even there!"
; Don't fight with crackme, main challenge is for your fUntasy
; after that, you will solve VM-like puzzle with KEY-file. (which is designed against BruteForce)
; PS. this code respects DEP.


The attached key file could "burn" any non-existent string for MessageBoxA(), yet it is not solved? Why don't you clearly state the goal of the crackme then?

And if the key file data should be read-only, why not make your crackme ENFORCE this? GetSystemDEPPolicy/GetProcessDEPPolicy/SetProcessDEPPolicy

evaluator
June 9th, 2010, 09:43
1. u mean, below is not clear?!

; THINK, how to burn non existent string for MsgBox:
; "You have found a Black Cat in a Dark Room, although the cat was not even there!"

2. DEP-policy works mostly on appropriate PCs. So the solver must agree with the statement.
(The other way was to put a range check before any jump.)

3. You are on the correct way; don't waste time, or others will use your finding.

anything unclear?
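An added illustration, not code from this thread or from the crackme's source, of the alternative evaluator mentions here: a range check before any jump, so key-file bytes can only adjust the VM's behaviour and are never executed or jumped into. The VM, its 5-byte instruction format, the opcodes, the constructed program and the sample keys are all assumptions made for this example; the crackme's real VM is not described in the thread.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed toy VM for this example (not the crackme's VM): 5-byte instructions,
 * one opcode byte plus a little-endian dword operand. The key file is a separate,
 * data-only buffer: it may supply operands and jump targets ("adjustment"), but
 * it is never executed and never jumped into. */
enum { OP_HALT, OP_LOADK, OP_ADDK, OP_JMPK }; enum { INSN_SZ = 5 };
typedef struct {
    const uint8_t *code; size_t code_len;   /* the only bytes the VM executes */
    const uint8_t *key;  size_t key_len;    /* key file: data only */
    uint32_t acc; size_t pc;
} vm_t;
static uint32_t le32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
/* Bounds-checked dword read from key data; clears *ok on failure. */
static uint32_t key_dword(const vm_t *vm, uint32_t off, int *ok) {
    if (off > vm->key_len || vm->key_len - off < 4) { *ok = 0; return 0; }
    return le32(vm->key + off);
}
/* Range check before any jump: the target must be an instruction boundary inside
 * the code buffer, so key data can redirect control flow but can never be executed. */
static int jump_target_ok(const vm_t *vm, uint32_t t) { return t < vm->code_len && t % INSN_SZ == 0; }
/* Returns 0 on a clean HALT, -1 on any fault (bad key offset, bad jump, runaway). */
int vm_run(vm_t *vm, int max_steps) {
    while (max_steps-- > 0) {
        if (vm->pc > vm->code_len || vm->code_len - vm->pc < INSN_SZ) return -1;
        uint8_t op = vm->code[vm->pc];
        uint32_t t, arg = le32(vm->code + vm->pc + 1);
        int ok = 1; vm->pc += INSN_SZ;
        switch (op) {
        case OP_HALT:  return 0;
        case OP_LOADK: vm->acc  = key_dword(vm, arg, &ok); break;
        case OP_ADDK:  vm->acc += key_dword(vm, arg, &ok); break;
        case OP_JMPK:  t = key_dword(vm, arg, &ok);
                       if (!ok || !jump_target_ok(vm, t)) return -1;
                       vm->pc = t; break;
        default:       return -1;                  /* unknown opcode */
        }
        if (!ok) return -1;                        /* key offset out of bounds */
    }
    return -1;                                     /* step limit hit: treat as fault */
}
/* Constructed program: JMPK key[0]; HALT; LOADK key[4]; ADDK key[8]; HALT. */
static const uint8_t PROG[25] = { OP_JMPK, 0,0,0,0,  OP_HALT, 0,0,0,0,
                                  OP_LOADK, 4,0,0,0,  OP_ADDK, 8,0,0,0,  OP_HALT, 0,0,0,0 };
/* Run PROG against a candidate key file; *acc receives the final accumulator. */
int run_key(const uint8_t *key, size_t key_len, uint32_t *acc) {
    vm_t vm = { PROG, sizeof PROG, key, key_len, 0, 0 };
    int rc = vm_run(&vm, 100); *acc = vm.acc; return rc;
}
```

A key whose jump dword points into the key region, past the code, or into the middle of an instruction is refused before control transfers, which is the property the DEP argument in this thread is about.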

disavowed
June 9th, 2010, 10:38
No idea why you are rejecting my solution. It works perfectly on Windows XP, Windows Vista, and Windows 7, 32-bit and 64-bit OS's, all with DEP set to its default value for the system and with NX enabled in the BIOS.

evaluator
June 9th, 2010, 13:07
bcoz DEP can be changed by the user in many ways.. then referring to DEP becomes meaningless.
Thus, you must agree in the strongest way: executable pages are only those marked so.
Or in other words, KEYfile data is not meant for executing, but for adjustment only.
(Or in other weird words: this crackme is not 1st-level, damn..)

andrewl
June 9th, 2010, 13:20
Quote:
[Originally Posted by evaluator;86808]1. u mean, below is not clear?!

; THINK, how to burn non existent string for MsgBox:
; "You have found a Black Cat in a Dark Room, although the cat was not even there!"

2. DEP-policy works mostly on appropriate PCs. So the solver must agree with the statement.
(The other way was to put a range check before any jump.)

3. You are on the correct way; don't waste time, or others will use your finding.

anything unclear?


Let me ask you this way: what should the crackmes.de moderators verify before approving someone's solution to your crackme?

evaluator
June 9th, 2010, 13:27
with this question, do you mean - you give up on this crackme?!

disavowed
June 9th, 2010, 14:42
That's ridiculous. If you wanted DEP to be enforced, you should have used SetProcessDEPPolicy(...).
I still consider my KEY file solution valid.

evaluator
June 9th, 2010, 16:22
bwah!
Nobody can ruin your happiness..

BUT, from my side, "I still consider" your solution INvalid.

disavowed
June 9th, 2010, 17:10
Looks like we'll have to agree to disagree then

simonzack
June 10th, 2010, 10:41
Hey guys,

I made a key file with around 90% of the bytes empty and unused.
It doesn't execute code inside the keyfile, VM only.

[edit]
je==evaluator!
didn't know that :O
well I'll send my key to you

smk

evaluator
June 10th, 2010, 15:20
Well, simonzack & wtbw sent me their ideas.

wtbw found a quite uneasy solution to burn the string, but he will be unable to fit it in KEYsz this way.

Instead, simonzack found a not-executable but too easy solution.
Let me say this: this solution is against KongFuZi's description.

But I won't restrict this solution.
So, simonzack, if you like, choose the correct text for the MsgBox & release your solution as an alternative finding.

simonzack
June 11th, 2010, 05:07
In the 'recommended' solution, does it jump outside the VM to execute things?
Because 448/4=112, 448/5=89;
this is shorter than the message.

esp can only be changed from a dword in the keyfile.

evaluator
June 11th, 2010, 05:43
If you want to jump out, then only to executable code (not to data).

simonzack
June 11th, 2010, 06:43
So evaluator

Does the recommended solution actually jump out of the VM, or jump between opcodes?
I just want to know this, because if it does not, I'll stop thinking that way and just focus on the VM opcodes.
Or is this too much of a hint?
Right now I've figured out another way to write the message, however it is too short.

smk

evaluator
June 11th, 2010, 09:04
You are free to do anything; just satisfy the description:

; THINK, how to burn non existent string for MsgBox:
; "You have found a Black Cat in a Dark Room, although the cat was not even there!"

wtbw
June 11th, 2010, 09:19
Hey eval,

Having ones like this uncommented in the source but not present in the final exe is CRUEL:

mov eax esi | jmp esp
mov ecx esi | jmp esp
mov edx esi | jmp esp
mov ebx esi | jmp esp
mov esp esi | jmp esp
mov ebp esi | jmp esp
mov esi esi | jmp esp
mov edi esi | jmp esp

Edit: Oh, it's that they're commented out with ;; instead of individually. Well still

evaluator
June 11th, 2010, 09:33
The solver should trust me when I've written, like:
; Don't fight with crackme... etc

He should imagine the best way to do the thing, then implement it..

andrewl
June 11th, 2010, 16:41
Quote:
[Originally Posted by evaluator;86839]The solver should trust me when I've written, like:
; Don't fight with crackme... etc

He should imagine the best way to do the thing, then implement it..


haha I fucking love this crackme shit...I am going insane

BoB
June 11th, 2010, 16:46
Well is a result going to be published or is this still open? I stopped work on it when you said it was done..

simonzack
June 12th, 2010, 04:40
I found another way to write the message

Hope you like it better this time, evaluator
I pm'ed you the key

evaluator
June 12th, 2010, 09:22
This way is quite fun! (even if not what I want).
You can submit it as an alternative solution, but, hey, the MSG should be a different one!
("You have found a Black Cat..)

After, you can continue to the best. (you are unstoppable)

Now I show why it is not the main solution.
The string below
>>THINK, how to burn non existent string for MsgBox

means that you should NOT deliver the Cat into the room, even indirectly (crypted).
bcoz:
>>cat was not even there!

Delivering a Cat into the room is a bluff.

wtbw
June 12th, 2010, 09:55
Quote:
[Originally Posted by evaluator;86865]delivering a Cat in room is bluff


You mean you want us to get the string from the user via an API? Or load the exe directly and use the copy of it in the source?

evaluator
June 12th, 2010, 10:21
That would be delivery. So no.
It should be like your case, but in a better way.

evaluator
September 30th, 2010, 08:49
alex_ls has posted an alternative solution to this crackme. I'm attaching it here.

It is alternative, bcoz it delivers content, e.g. BlackCat (no matter whether it is crypted or not).

The same kind of solution was done earlier by simonzack, and is also posted here.

On the correct path are andrewl & wtbw.

I hope these alternatives can EXTEND their fUnazzie..

Chanakya
December 2nd, 2010, 23:14
Hey, I am a newbie and I found a solution to this problem. Pls check that.

evaluator
December 7th, 2010, 05:02
Why, at least, did you not read this thread?

Chanakya
December 7th, 2010, 06:50
What is the correct solution?

Do u have any other crackmes?

evaluator
December 7th, 2010, 08:07
ya!
here is another one:

http://www.woodmann.com/forum/showthread.php?13683-Gr.-Crackme-gt-gt-Prove_KongFuZi-lt-lt