Tuts 4 You

Leaderboard

  1. CodeExplorer (Team Member)
     • Points: 89
     • Posts: 4,053

  2. jackyjask (Full Member+)
     • Points: 37
     • Posts: 1,228

  3. New Year - New Mind (Full Member+)
     • Points: 34
     • Posts: 1,291

  4. 14yoKID (Junior+)
     • Points: 32
     • Posts: 24

Popular Content

Showing content with the highest reputation since 01/24/2025 in all areas

  1. Hello! I am 14yoKID, and I have documented everything to the best of my ability. If you have any questions, please feel free to reach out or respond to my solution. I appreciate any feedback or discussion.

     The first step is to look inside the crackme's binary for any references to "Wrong key!" (the error message). We load the executable into a disassembler or debugger (IDA, x64dbg, or similar). A quick search reveals that "Wrong key! Try again." is located around the following code:

         00408C3E | A1 0CA34000   | mov eax, [0x40A30C]
         00408C43 | BA D48C4000   | mov edx, 0x408CD4      ; "Wrong key! Try again."

     This is where the program prints the "Wrong key!" message. Scrolling above that reference, we see:

         00408C16 | A1 98B74000   | mov eax, [0x40B798]    ; loads the user's computed key
         00408C1B | 3B05 ACB74000 | cmp eax, [0x40B7AC]    ; compares it to the correct key
         00408C21 | 75 1B         | jne 0x408C3E           ; jump if not equal => "Wrong key!"

     This shows:
     • The user's input key is stored at [0x40B798].
     • The "correct" key resides at [0x40B7AC].
     • If these two values do not match, we jump to the code that prints "Wrong key! Try again." If they do match, we take the path that prints "Correct key!, Now Try to Keygen ME !"

     Finding where [0x40B7AC] is set: a quick look upward in the disassembly reveals:

         00408BB0 | E8 5BFEFFFF   | call 0x408A10
         00408BB5 | A3 ACB74000   | mov [0x40B7AC], eax

     So at address 0x00408BB0, we call a function (which we'll refer to as sub_408A10). Right after that call, we store EAX into [0x40B7AC]. That means the function at 0x00408A10 produces the correct key in EAX. To finally find the key, set a breakpoint at 0x00408BB0 or directly inside sub_408A10 at 0x00408A10. Run the program and break on that address, then press F7 (Step into) on the call to examine how the function computes EAX.

     Inside sub_408A10, we notice:
     • It reads a hard-coded byte 0x5A from [0x40A298].
     • It loops exactly four times over bytes stored at [0x40A29C..0x40A29F] (for instance, 0xA5, 0x3C, 0xD7, 0x82).
     • Each iteration does some arithmetic: XOR, multiply by 12345, add 0x6789, shift bits, etc.
     • After finishing four iterations, it multiplies EAX by 0xDEADBEEF, does a final XOR and then returns EAX.

     Stepping through the entire function, we see that every run ends with a single final value: EAX = 0x8981B3E0. It then writes this to [0x40B7AC]. Therefore, the correct key is a constant number: 0x8981B3E0 (OR IS IT??)

     Even though we know the internal number is 0x8981B3E0, how do we type it so that the crackme accepts it? By stepping into the function that processes it (sub_4060A8 or sub_4045D4), or simply by trial and error, we learn: the crackme expects a leading '$' to interpret the rest of the text as hex. Typing XXXX1B3E0 (don't want to spoil the fun for others) is interpreted as the hex value 0x8981B3E0. This matches the stored correct key, so the crackme prints: Correct key!, Now Try to Keygen ME !

     But why $? In this particular crackme, the $ symbol is how the program's input-parsing routine recognizes the user's entry as a hexadecimal number. Without the '$' prefix, the code typically treats your input as decimal (or otherwise misreads it). Since the "correct key" is stored internally as the hexadecimal value 0x8981B3E0, the crackme will only accept a matching hex number, and it specifically wants you to indicate "hex mode" with '$'. That's why typing 0x8981B3E0 or plain 8981B3E0 fails: the program doesn't parse those formats as the same 32-bit value. Only '$8981B3E0' matches the exact hexadecimal integer 0x8981B3E0 the crackme expects.

     The final answer of mine and correct/valid key is :
    7 points
  2. -src -ARTeam.esfv -Thumbs.db -Weakness of the Windows API.Part1.pdf WeaknessoftheWindowsAPI.rar
    6 points
  3. Replace with the same pattern. Example:

         Search pattern:  83 E8 04 8B 00 83 F8 23 0F 9C C0
         Replace pattern: 83 E8 04 8B 00 83 F8 23 0F 90 90

     instead of:

         ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 90
    3 points
  4. I admit it, I'm just showing off, you can show off if you have the ability. Unfortunately, apart from jealousy, you are useless. You only fantasize about getting someone else's knowledge without any effort. Anyone with some level of proficiency will think and search for clues based on the documents I provide. Only someone like you who only wants to get something for nothing would make these unreasonable demands? Everyone knows who the joke is. You can you up, No can no BB
    3 points
  5. @Sh4DoVV How to bypass the x64 version of an Enigma constant-used target? Do we have to change the CRCs and then change the HWID to the given one, like changing the x86 version's HWID using @CodeExplorer's EnigmaHardwareID Tool and scripts for x86 targets? Many thanks in advance. Regards. sean.
    3 points
  6. @Teddy Rogers I should search in my archive, give me some time.
    2 points
  7. I recommend people use this protection because it's very good. The protection is advanced like PELock but very good. Only a real reverser can do it, but it needs much time to be able to handle it.
    2 points
  8. I'm pretty sure I have patched most of the things successfully. Results: Screen Recording - Made with FlexClip.webm
    2 points
  9. View File WinLicense v3.2.2 (Window Function Through an External Plugin)

     This is a WinLicense 3.2.2 sample, set by default, without adding an SDK in the source code, only adding a window function through an external plugin. I don't know if bypass can be cracked, I tested it and it doesn't. Shedding may be more complicated. Please use your own way to crack it. Whether it's molting, bypass, or keygen, they are all the best methods. No need to upload your proposal, posting a picture is the best answer. I will strive to learn towards your achievements.

         HWID: 1031-E184-1D1E-92A8-AA82-151F-E2BC-34EE
         NAME: Mr.Leng
         RegistCode: 2FGP7NTY-22AMY4QL-XXEHAOKD-ZJKHKDKR-VY66SHXY-YTEQXVBF-GAXAEFIA-7BQWOTA5-5CE344K4-VBGMG25R-5TGP26WS-AIKQB3S5-5LDUHEHX-S6KSKH3H-OPPHIFAX-N6WPWIAM

     WinLicense3.2.2_sample.rar
     Submitter lengyue
     Submitted 02/07/2025
     Category CrackMe
    2 points
  10. @boot How to bypass the x64 target like you had done? Regards. sean.
    2 points
  11. Very strange, something like self-modifying code, hard to follow. I cannot even see where the wrong key gets displayed, very unique and strong.
    2 points
  12. Do you have https://learn.microsoft.com/en-us/windows-hardware/drivers/other-wdk-downloads installed? What source do you use?
    2 points
  13. View File VSEC KeygenMe

     Simple Code Virtualization KeygenMe (Not Commercial VM). Try to find the algorithm and make a correct key. It's not too hard. Your opinions about VM complexity are welcome. Thanks.

     Submitter Gladiator
     Submitted 02/05/2025
     Category KeygenMe
    2 points
  14. I had fun doing your KeygenMe, virtualization itself is very straightforward and simple, as well as the "special complexity"; I had a few problems but I resolved them pretty quickly.
    2 points
  15. Well done 14yoKID, and what is your point about its complexity? It used internal virtualization (simple but with special complexity). Thank you, you did it very well.
    2 points
  16. Usually the ?? bytes are the bytes that do not change.
    2 points
  17. Look at JohnWho (very basic example): https://forum.tuts4you.com/topic/17824-making-generic-patcher-with-delphi/
    2 points
  18. Build commands for the MASM32 toolchain:

         ML.EXE /c /coff /Cp /nologo /I"M:\MASM32\Include" spyfunc.asm
         LINK.EXE /SUBSYSTEM:WINDOWS /RELEASE /DLL /DEF:"spyfunc.def" /LIBPATH:"M:\MASM32\Lib" /OUT:"spyfunc.dll" spyfunc.obj

     Adjust for where your MASM32 include and lib folders are located.

     spyfunc.zip
     spyfunc.IsDebuggerPresent.zip
    2 points
  19. release 1.42
     + support x86 injection (LdrLoadDll)
     + fix bug (load patch file)
     Remote Process Injector1.42.rar
    2 points
  20. Here, check by yourself. I think the Lena tutorials and the scripts made by LCF-AT will help you to learn it deeply over many years (it depends on everyone), perhaps less than 3 years.
    2 points
  22. 😁 I'm not asking you to share your src or tuts, or to offer a solution. But your replies in my topic, are they useful? No, absolutely not. Only one sentence, one picture, and one RAR package. Even more unfortunately, some files in your RAR package deliberately VM some code snippets. What can the downloaders learn from your RAR package? Besides the analysis reply I provided, which downloader provided an effective analysis reply? In this topic, you're just trying to get attention by showing off that you can do this with some deliberately modified files that don't have any useful information. We're here to learn and share knowledge. If you don't want to share, that's fine. No need to brag, but if you do, I don't mind. In addition, this topic would like to give special thanks to @TRISTAN Pro for selflessly sharing his tutorials and knowledge.
    2 points
  23. It is worth mentioning that this example does not require a KeyGen; you can try and even bypass it without a valid KeyFile. As I mentioned before, although some of the code in the winmm.dll you provided has been intentionally virtualized, the general logic is as follows:

     winmm.dll
     1. Hook addr_va1 = 0x00B5C19E
     2. Modify byte 0x89 of addr_va2 = 0x0055B63E
     3. Modify the 0x10A byte of addr_va3 = 0x0065F8B8
     4. Remove the hook of addr_va1

     KeyGen.exe
     Generate a KeyFile using WL's built-in SDK example, which already includes the replaced public key, and thereby achieve the effect of generating KeyFiles ourselves.
    2 points
  24. Step 1: Load the file with SHADOW Olly - OLLYDBG.EXE, or RAMODBG_X2. It will break on:

         0048839E >-FF25 00204000    JMP DWORD PTR DS:[0x402000]    ; mscoree._CorExeMain

     There is no need to dump it; everything is already there. You have to fix MetadaRva and many other things. For some reason the assembly won't start after fixing in my case.
    2 points
  25. https://workupload.com/file/n9KJWfSHNq5 unpacked
    2 points
  26. WindowsFormsApplication4.vmp35.exe:

     1. VMUnprotect.Dumper
        https://github.com/void-stack/VMUnprotect.Dumper/releases/tag/1.1.0.0
     2. Unset the "IL Only" flag in the .NET Directory with CFF Explorer
     3. Demutation Tool
        https://forum.tuts4you.com/topic/45162-demutation-vmprotect-net
        https://forum.exetools.com/showthread.php?t=21105
     4. de4dot
        Use --keep-names ntpfg while cleaning the file with de4dot, or use --dont-rename
     5. VMP Killer by DarkBullNull
        Use Option 2 first and fix the CRC and debug check
        https://github.com/DarkBullNull/VMP.NET-Kill
        https://forum.tuts4you.com/topic/45179-vmpnet-kill/
        https://forum.exetools.com/showthread.php?p=131964
     6. Unset the "IL Only" flag in the .NET Directory with CFF Explorer
     7. Use VMProtectNoDelegates to clean delegates
        https://forum.exetools.com/showthread.php?t=21106
        https://forum.tuts4you.com/topic/45163-vmprotectnodelegates-net

     The only thing left is unvirtualization.

     WindowsFormsApplication4.vmp35-decrypted-demutate-cleaned.justify_nodel.rar
    2 points
  27. Almost unpacked! I was only not able to remove the Delegates and the Control Flow. What I removed is:

     • Anti Tamper (manually; the easiest way consists in finding the call to the anti tamper method (which can be identified by looking at ConfuserEx's source code), setting a breakpoint just after (so that the anti tamper method decrypts the CIL code) and getting the decrypted module in the "Module" section of the dnSpy debugger)
     • Hide Methods (https://github.com/illuZion9999/Rzy-Protector-V2-unpacker/blob/master/Rzy Protector V2 Unpacker/Protections/Hide Methods.cs; not really reliable, though; a good way would be to get the invalid instructions from the exception handler)
     • Anti Debug (identify the anti debug method by looking at ConfuserEx's source code and add a ret instruction at its start)
     • Module Flood & Junk (these are just useless methods & instructions, which can be removed without problems (I removed them manually))
     • Native methods (using the cawk emulator x86 methods retranslater: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/cawk-Emulator/.NET-Instruction-Emulator-master/CawkEmulatorV4/Instructions/Native/X86MethodToILConverter.cs)
     • Constants Protection (modded the ConfuserEx Unpacker 2 Constants Decryptor to support 3 parameters: https://github.com/hackovh/ConfuserEx-Unpacker-2/blob/master/ConfuserEx Unpacker/ConfuserEx Unpacker/Protections/Constants/Remover.cs; you can also invoke the decryption, which makes it way easier than emulating it)
     • Mutations (sizeof (https://github.com/RivaTesu/SizeOf-Fixer), simple operations (de4dot: https://github.com/0xd4d/de4dot) & double.parse (the double.parse method is hidden by a delegate but I recognized the protection; you can still find a tool for it on GitHub, but you would have to change the parameter check if there are delegates (or, ideally, use an emulator, which should support the double.parse protection with or without delegates): https://github.com/Riziebtw/DoubleParseFixer (note that this tool is not really reliable, and would need some changes))
     • Call to calli (https://github.com/Riziebtw/CalliFixer; note that this tool solves the call to calli when the call and its pointer are one after the other, while, in the challenge, the call pointer (an ldftn instruction) is set to an IntPtr field, which is used as a parameter for the calli. You would hence have to grab the fields' values (which are assigned in the constructor of the <Module> type) and then solve the callis with these values.)

     Don't hesitate to get my file and remove the Delegates (and control flow, but I consider it not necessary to remove) in order to fully solve the challenge!

     CrackMe - almost unpacked.exe
    2 points
  28. Version 1.0.0

    13 downloads

    Remote Process Injection allows loading a DLL into the target process at its entry point. process remote injection 1.0.zip
    1 point
  29. encrypted in vm Dumps1.rar
    1 point
  30. What was your first step then? (From the screenshot above all the methods are empty; why?)
    1 point
  31. First step for a beginner. But the program did not work. Thanks for your help in advance.
    1 point
  32. Version 2.1

    223 downloads

    The Hex-Rays Decompiler plugin for better code navigation in the RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm ...

    Features:
    • Automatic type REconstruction for C++ objects. To reconstruct a type using HexRaysCodeXplorer one needs to select the variable holding a pointer to the instance of position independent code or to an object and, by right-button mouse click, select the «REconstruct Type» option from the context menu.
    • Virtual function table identification: automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified the plugin generates a corresponding C-structure. As shown below, during reconstruction of struct_local_data_storage two virtual function tables were identified and, as a result, two corresponding structures were generated: struct_local_data_storage_VTABLE_0 and struct_local_data_storage_VTABLE_4.
    • C-tree graph visualization: a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). A useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window.
    • Ctree Item View: shows the ctree representation for the highlighted element.
    • Extract Types to File: dumps all type information (including reconstructed types) into a file.
    • Navigation through virtual function calls in the HexRays Pseudocode window. After representing C++ objects by C-structures, this feature makes it possible to navigate by mouse click to virtual function calls as structure fields.
    • Jump to Disasm: a small feature for navigating to the assembly code in the "IDA View" window from the current Pseudocode line position. It helps to find the place in the assembly code associated with a decompiled line.
    • Object Explorer: a useful interface for navigation through virtual table (VTBL) structures. Object Explorer outputs VTBL information into an IDA custom view window. The output window is shown by choosing the «Object Explorer» option in the right-button mouse click context menu.
    • Support for auto parsing RTTI objects.

    This plugin is recompiled by disauto.
    UPDATE 29.10.2024: Recompiled for IDA Pro v9.0 Windows x86_64
    1 point
  33. 0.0.8.8 (25.01.2025)
     1209 + 181 signatures x64
     Ext_detector - v7.4.7 (747 non exe signatures)
     external signatures: userdb.txt: 4462

     What's new:
     • added .NET GUI auto click on .NET 4 / 6 detector
     • added .PYD x86 v2.x 3.x / x64 v3.x version detector
     • fixed cpu version detector
     • added [ generic - CPU : 0x01C4 ARMv7 ] for: GO Programming Language Compiler
     • added x86 only: [ plugin : Photoshop plugin ]
     • fix 5005. x64 Microsoft Visual C++ v14.20 - 2008 [ RT_CODE ] - DLL
     • added to .pdb - NOT EXE - .IDB Microsoft Developer intermediate
     • added .zlib ripper
     • fixed - Zlib - false alarm - skipped (now rips more files) - fixed for Android backup: fullbackup.ab
     • added .zlib ripper for zlib v2 - if the Fast scan option is off in Config (example: installer LLC SysDev Laboratories)
     • added detector NOT EXE - .zlib v2 files
     • added dll detector - XerinVM.Runtime v1.0 2024
     • small fix XerinFuscator v1.0 - 3.0, XFUSCATOR 1.0.0.4
     • added x64 [ NSTD section packed data/vmp ] - stub: x64 Microsoft Visual C++ v14.28
     • fixed/added h265 - NOT EXE - .mp4/m4v (MPEG-4)
     • Buffer for exe set to: 380 MB
     • overlay - scan deeper for 7zip, zip, etc.
     • fixed x64 VMProtect
     • fixed MS C++ detector for VMProtect SDK used x86/x64
     • Header GUI - added DBG string text label
     • added runtime detector for x86/x64 - [ dotNet Protector Runtime PvLog ]
     • added [ VMProtect SDK used ] Borland Delphi 2009-2010 - borland.com
     • added .NET GUI BSJB button

     https://github.com/ExeinfoASL/ASL/releases/download/v0.0.8.8/exeinfope.zip
    1 point
  34. I did. I don't even get as far as trying to extract it.
    1 point
  35. Code Virtualizer has recently started to support virtualization for ARM64. You can ask their tech support if they support iOS.
    1 point
  36. Try using the password included in the archive name.
    1 point
  37. @boot How to bypass the constant using hwid lock? Regards. sean.
    1 point
  38. After downloading the files I can't open them; it always returns a checksum error.
    1 point
  39. Hi boot, how can I make the shfolder.dll file, bro? Can you make a video to guide me, bro?
    1 point
  40. Jump to module base address + RVA, set hardware execution breakpoints, run, set rax == 1, run. OK! You will see it. @The Binary Expert Win64GUI_Enigma v.7.40 Win64GUI_Enigma v.7.40_encrypted Without the correct registration code, I cannot crack it~!
    1 point
  41. shfolder - Unpackme.zip
    1 point
  42. View File Not easy but not hard CrackMe

     Try to find the key. Hint: the key contains
     • Specials
     • Caps
     • Non caps
     • Numbers
     Enter the key and you will see the results. Good luck.

     Submitter lopeg
     Submitted 09/12/2020
     Category CrackMe
    1 point
  43. 909 downloads

    Today I release a new tutorial and script I made for Enigma which can patch in your new valid HWID XY. As you will see, the included script works for all Enigma versions. You have the choice of an Inline or Loader file which the script will create for you and your target XY. Inline file: the script creates a new _DP file with the inline added into a new section. Loader file: the script creates a new Loader file which starts & patches your original file.
    1 point
  44. Sure, set hook at the beginning of function like you would normally do. Your hook code should call original function and then process return values. Since you didn't specify which API hook lib you're using, here's an example for Detours: https://reverseengineering.stackexchange.com/a/2470
    1 point