Posted June 12, 2007
This is an attempt to code an "uncrackable" program in assembler. See http://www.tuts4you.com/forum/index.php?sh...c=12949&hl= to read the complete story. Aesthetics-only patching is NOT a valid solution! e.g. editing "UNREGISTERED" into whatever in a resources editor. Of course, that doesn't effectively register anything, right? Adding code, etc. to make the ReverseMe display something isn't a valid thing either, right? You may however patch the reg scheme so that false data is still accepted as valid. If patching, please explain your solution so that I can verify its validity. It's clear that a keygen is preferred. Good luck and have fun!
lena151.
Attachment: ReverseMe_9_by_lena151.rar
June 12, 2007
Thanks Lena! Gonna give it a shot now. BTW: you were the person that intro'd me into reversing... After going through your tuts, I am pretty good in revving. I don't release any of my cracks publicly (yet). Thanks again!
Edited June 13, 2007 by ManiacX
June 13, 2007
Eeek. Getting owned by this one right now. The obfuscation is a pain, but nothing major (although I like the 2 or 3 processes checking whether it has been deobfuscated). Currently getting owned just before the GetTickCount and GetFileSize (probably one of the first proper anti-debugger checks). Think I've figured out why, but get the feeling I'm not getting very far fast though.
June 20, 2007
Started having a proper look at this now. I get the feeling you're not messing around with the debugger detection though!! moid.exe, hacnho.exe, snd.exe, cim's.exe, lbr68.exe, ollydbg_execryptor.exe, ollyice.exe, ollydbg.exe, ollyshadow.exe, shadow.exe. Hope I get enough time to make some progress... there is sooo much recursively called junk code though!
June 20, 2007
My Olly isn't listed in there, lol. Looks like a nice protection; it detects all these debuggers by name, WTH? Nice work Lena, and keep it up.
June 20, 2007
Everything I have come across is encrypted. Essentially, for the protection I quoted above, it decrypts these names, then uses Process32First to cycle through open processes (and lstrcmp to test). It then encrypts everything again. There's plenty more protection in here though.
June 20, 2007
Nice use of the SEH too.

    XOR ESI, ESI
    DIV ESI

I still *believe* I'm getting somewhere, but it could all be a complete waste of time.
June 20, 2007 (Author)
"but it could all be a complete waste of time"
Nonono, you are doing just fine and I'm pleased someone takes a look at it, it's appreciated. Everything you've found so far is correct. The first exe being a wink to MOID who has keygenned #8 (hehe, how the hell should I know what he's named his own Olly). Hey Loki, I'm finishing Part#40 in the newbie series on ReverseMe#8. I guess you'll want me to wait releasing it so as not to spoil your experience on #9? Or is somebody else still looking at #9? BTW, has some other experienced cracker tried #9 yet? (Just curious for some feedback.) Thanks.
lena151.
Edited June 20, 2007 by lena151
June 21, 2007
Hey Lena. I wouldn't wait for me to finish this... just release #40 and I'll have a read when I am ready. Think I'm doing alright; it's the constant checks that are tricky. I've just found your checksum type thing (after the calls to GetUserName, GetVolumeInformation etc.) which seems to be checking 401000 to 407FFF (I assume it's a checksum). I've deobfuscated the entire thing, just wading through it now. Problem is I'm away for the weekend and may not get much chance to do much on it, so I wouldn't want you to not release on my behalf!! It's good fun though... doable, but as you say, it's about the amount of time you can spend on it.
June 22, 2007 (Author)
It's pretty disappointing that only 1 person at SnD and 1 person at ARTeam looked into this or cared to give some feedback. It was already mentioned by Angel-55 that only a couple of starters are interested in my ****. Still, it's damn hard to find out this is completely correct too. I won't be around much any more. Goodbye all, it has been fun for a while. The newbie series has ended hereby, then again, who cares...
lena151.
June 22, 2007
I also have been having a peek at this when I have had time... The truth is it is actually quite difficult for a lot of us... It's all the obfuscation that makes it very confusing to trace... It's not that no one has taken interest, it is just a very time consuming thing to reverse...
June 22, 2007
Not really so time consuming if you do it correctly. I found the right algo very quickly by the way, and without tracing the programme and without even spending much time deobfuscating it.
scherzo
June 22, 2007
Well, it's not good to hear, but almost all good things have an end... I wanna thank you very much for your legendary series, I've learned A LOT from your tutorials! Best regards to you Lena, enjoy your life and good luck in the future! ~Till.ch
Edited June 22, 2007 by Till.ch
June 23, 2007 (Author)
Due to many heartwarming PMs and mails, I may still be around from time to time, but the series is discontinued.
"... the truth is it is actually quite difficult for a lot of us... it's all the obfuscation makes it very confusing to trace.."
That's exactly the feedback I was asking for. What was found quickly etc. I wanted to know if I had to make it much harder to become really uncrackable, because with more time I would definitely have implemented better obfuscation, as I only used obfuscation by byte coding.
On the ARTeam forum, it was mentioned that experienced crackers didn't reply because of ego (it seems crackers don't want to confess they failed solving something (?)). I didn't think of that yet, and I can hardly imagine it. I'm not sure what you guys think, but I tend to believe that no experienced cracker has tried it (except Loki and syk, who only glanced over it due to lack of time). Oh, and I'm aiming at no one in particular, I only want to say that experienced crackers have far more challenging stuff to solve, hence aren't interested, that's really all I mean to say.
All this is in fact derived from the poll on whether everything is crackable. If this ReverseMe#9 beats everybody (I can definitely make it many many times harder) ... wow, then those people in the poll saying that everything is crackable ... are just ridiculously mistaken LOL. Nonono, I tend to believe that no experienced cracker has really taken the time to try yet. Ehrr ... I intended to make the next Part in the series about "cracking the uncrackable ReverseMe" (hehe, would have made up a nice title huh?).
An example (that I also explained on the ARTeam forum): I have everywhere coded calls to APIs in the "traditional" way (throughout the complete ReverseMe#9) (and also byte coded the sensitive ones as such).
Like:

    invoke wsprintf,addr Buffer,addr Format,esi

What if I had obfuscated every call to an API everywhere in ReverseMe#9 as follows and also byte coded the complete ReverseMe (just a quick example, can be made much much more complicated):

    @@:
    jmp @f-5
    call CreateFile          ;obfuscation: is never executed, can be a call to any api
    add esp,4
    push eax
    add eax,esp              ;useless code
    push esi
    mov eax,6
    clc                      ;useless code
    push offset Format
    imul eax,eax,1
    stc                      ;useless code
    push offset Buffer
    mov edi,eax              ;useless code
    lea edi,[wsprintf+eax]   ;nice obfuscation: will point to another api, can easily be made random too
    jmp @f
    call ReadFile            ;obfuscation: is never executed, can be a call to any api
    call @b+7
    @@:
    add edi,-6
    call edi                 ;call to the real api (wsprintf in this example)
    add esp,0Ch
    pop eax

This does exactly the same (assemble it if you doubt). The "useless" code can be extended as much as wanted. If I then had byte coded this .... what better obfuscation already. And there are many more tricks like this. Anyway ... Like I said, the project is abandoned. Thanks for your info now though.
"... I found the right algo very quickly by the way..."
If you are scherzocrk (?) who PM'ed me on another forum, then look again, as you are nowhere near the real algo. It is what I meant in my reply by "you made a major mistake and need to look again" ...
lena151.
June 25, 2007
I've been away for a few days but still had a bit of a look at this. Still away, but back to normal tomorrow. To be honest, I think it's probably the case that a number of people started on this and failed, either due to it being too tough or needing too much time. After all, the obfuscation is there to stop it being solved quickly? As someone said above, very few people will own up to trying and failing. I was the only one to 'post' that this one and the one moid solved were owning me at first. I'm fairly confident I wasn't the only one though. From what I've seen there is a lot in this, and a huge amount is decoy and anti-debug (including process checking, FindWindow, checks for winice.dat and other SICE files/services, RDTSC, illegal operations etc.). Lena, I realise you're feeling dejected right now and that this project is 'over', but it's still the most interesting crackme I've seen in a long while, so I'll be giving you some proper feedback tomorrow when I get home. Thanks for taking the time to code it, it was appreciated.
July 13, 2007 (Author)
Thanks all for the kind words, also by PM. It's much appreciated.
"THANKS FOR EVERYTHING YOU HAVE DONE FOR THE SCENE."
Wow! Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!
".... a huge amount is decoy and anti debug ...."
This ReverseMe#9 detects Ring3 debugging in a different way, though I added some well-known anti-debugging to decoy it. Don't blindly trust the working of Olly, because this is exactly what makes ReverseMe#9 so treacherous ... and possibly why it isn't solved yet. Another hint: see Part#40 on ReverseMe#8, though I used a slightly better code protection, a different anti-debugger method (not based on resources) and anti-debugger values that interfere in the registration data.
"...so I'll be giving you some proper feedback tomorrow..."
Ehrrr, did I miss it? Haven't seen it, but I also have a question for all: did someone make progress on this ReverseMe#9? Or find what the registration scheme is based upon (probably Part#40 gives this away)? Around which address does the reg scheme start?
lena151.
July 14, 2007
THANK YOU A LOT LENA151. I LIKE YOUR TUTS, I READ THE FIRST ONE AND IT IS VERY INTERESTING. THANK YOU, DON'T SAY GOODBYE.
August 11, 2007
"Wow!Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!"
Yes Lena, maybe, but only you can explain all this in this very logical way. I'm sure: in the future your series will be a "citation classic" for all reversers. And I hope to read the crack with lena n
August 16, 2007 (Author)
Oops, I almost forgot to post a solution ...

    algo proc hWnd:HWND
    local nSize:dword

    ;====== Find the PC user's name
    mov nSize,sizeof sName
    invoke GetUserName,addr sName,addr nSize

    ;====== Find the PC volume name
    invoke GetWindowsDirectory,addr sWinDir,sizeof sWinDir
    invoke lstrcpyn,addr sRoot,addr sWinDir,4
    invoke GetVolumeInformation,addr sRoot,addr sVolName,sizeof sVolName,addr nVolNum,addr nMaxPath,addr nSysFlags,addr sFileSys,sizeof sFileSys

    ;====== Read the user input (name), length in eax
    lea ecx,sNameBuffer
    invoke lstrlen,ecx

    ;====== Name encryption
    xor edx,edx
    .while (eax > edx)
        mov bl,byte ptr [sNameBuffer+edx]
        sub bl,dl
        rol bl,3
        xor bl,dl
        mov byte ptr [sNameBuffer+edx],bl
        inc edx
    .endw

    ;====== The algo
    mov byte ptr [sNameBuffer+eax],0CBh             ;CB byte after name
    mov bx,word ptr [sName+1]                       ;2nd & 3rd byte from username
    mov word ptr [sNameBuffer+eax+1],bx
    mov bx,word ptr [sVolName+2]                    ;and the 3rd & 4th byte from the volume name
    mov word ptr [sNameBuffer+eax+3],bx
    mov dword ptr [sNameBuffer+eax+5],0FF03C766h    ;7 bytes executed to return to the code
    mov dword ptr [sNameBuffer+eax+9],0E3FF75h

    ;====== Creating the registry values
    invoke RegCreateKeyExA,HKEY_LOCAL_MACHINE,addr Reg_Path,0,addr Reg_String,0,2001Fh,0,addr Reg_Result,addr Reg_DP
    invoke RegSetValueExA,ds:Reg_Result,addr Reg_Sub_Key,0,1,addr sNameBuffer,sizeof sNameBuffer
    invoke RegCloseKey,HKEY_LOCAL_MACHINE
    xor eax,eax
    ret
    algo endp

Thanks to all who looked into this.
lena151.
Attachment: ReverseMe_9bylena151_Keygen.rar
Edited September 1, 2007 by lena151
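To check the published transform without assembling it, here is an added Python re-implementation (not lena151's code, not part of the thread) of the name-encryption loop and the registry-value layout from the solution above; the Windows user name and volume name are constructed sample values.

```python
# Added example: Python model of the keygen transform posted by lena151 above.
# The user name / volume name passed in are constructed samples, not real data.
import struct


def rol8(b: int, n: int) -> int:
    """8-bit rotate left, as the ROL BL,3 instruction does."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def encrypt_name(name: bytes) -> bytes:
    """The .while loop: for each byte index (EDX), SUB DL; ROL 3; XOR DL."""
    out = bytearray()
    for idx, b in enumerate(name):
        dl = idx & 0xFF            # DL is the low byte of the index register
        b = (b - dl) & 0xFF        # sub bl,dl
        b = rol8(b, 3)             # rol bl,3
        b ^= dl                    # xor bl,dl
        out.append(b)
    return bytes(out)


def build_reg_value(name: bytes, user_name: bytes, vol_name: bytes) -> bytes:
    """Lay out sNameBuffer exactly as the ';====== The algo' section writes it."""
    buf = bytearray(encrypt_name(name))      # encrypted name occupies [0, eax)
    buf.append(0xCB)                         # CB byte after the name (eax+0)
    buf += user_name[1:3]                    # word at sName+1: 2nd & 3rd byte of user name
    buf += vol_name[2:4]                     # word at sVolName+2: 3rd & 4th byte of volume
    buf += struct.pack("<I", 0xFF03C766)     # dword at eax+5: start of the 7 executed bytes
    buf += struct.pack("<I", 0x00E3FF75)     # dword at eax+9: remaining 3 bytes plus a 0
    return bytes(buf)


if __name__ == "__main__":
    value = build_reg_value(b"Loki", b"lena151", b"SYSTEM")
    print(value.hex(" "))
```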
August 18, 2007
Great to hear you're back, lena151. Anyway, how's life right now? By the way, thanks for posting a solution, I will try to digest it little by little.. GrEeTZ, aNtRoBs
August 18, 2007

    mov dword ptr [sNameBuffer+eax+5],0FF03C766h    ;'7 bytes executed to return to the code'
    mov dword ptr [sNameBuffer+eax+9],0E3FF75h

This is where I got stuck..
August 30, 2007
I just wanted to say that I really appreciated the Lena tuts. Although I thought I would know a lot about reversing *yeah, s0nY*, some hints in using Olly really opened my eyes. Lena, you did a great job for the community, especially for the newbies ... just as Fravia, Orc and tkC did with their tutorials years before *imho you did better, video tuts are really great*. See ya, ViperBJK *just another VSISG, Ex-UNF, Ex-NFREE, Ex-Paramind member*