lena151 Posted June 12, 2007
This is an attempt to code an "uncrackable" program in assembler. See http://www.tuts4you.com/forum/index.php?sh...c=12949&hl= to read the complete story. Aesthetics-only patching is NOT a valid solution! e.g. editing "UNREGISTERED" into whatever in a resources editor. Of course this doesn't effectively register anything, right? Adding code, etc. to make the ReverseMe display something isn't a valid thing either, right? You may however patch the reg scheme so that false data is still accepted as valid. If patching, please explain your solution so that I can verify its validity. It's clear that a keygen is preferred.
Good luck and have fun
lena151.
ReverseMe_9_by_lena151.rar
Guest ManiacX Posted June 12, 2007 (edited)
Thanks lena! Gonna give it a shot now. BTW: You were the person that intro'd me into reversing..... After going through ur tuts, I am pretty good in revving. I don't release any of my cracks publicly (yet). Thanks, again!
Edited June 13, 2007 by ManiacX
Loki Posted June 13, 2007
Eeek. Getting owned by this one right now. The obfuscation is a pain, but nothing major (although I like the 2 or 3 processes checking whether it has been deobfuscated). Currently getting owned just before the GetTickCount and GetFileSize (probably one of the first proper anti-debugger checks). Think I've figured out why but get the feeling I'm not getting very far fast though.
Loki Posted June 20, 2007
Started having a proper look at this now. I get the feeling you're not messing around with the debugger detection though!!
moid.exe, hacnho.exe, snd.exe, cim's.exe, lbr68.exe, ollydbg_execryptor.exe, ollyice.exe, ollydbg.exe, ollyshadow.exe, shadow.exe
Hope I get enough time to make some progress... there is sooo much recursively called junk code though!
Angel-55 Posted June 20, 2007
My Olly isn't listed in there lol. Looks like a nice protection; it detects all these debuggers by name, WTH? Nice work Lena and keep it up.
Loki Posted June 20, 2007
Everything I have come across is encrypted. Essentially for the protection I quoted above it decrypts these names, then uses Process32First to cycle open processes (and lstrcmp to test). It then encrypts everything again. There's plenty more protection in here though.
Loki Posted June 20, 2007
Nice use of the SEH too.
XOR ESI, ESI
DIV ESI
I still *believe* I'm getting somewhere, but it could all be a complete waste of time.
lena151 Posted June 20, 2007 (Author) (edited)
"but it could all be a complete waste of time"
Nonono, you are doing just fine and I'm pleased someone takes a look in it, it's appreciated. Everything you've found so far is correct. The first exe being a wink to MOID who has keygenned #8 (hehe, how the hell should I know what he's named his own olly). Hey Loki, I'm finishing Part#40 in the newbie series on ReverseMe#8. I guess you'll want me to wait releasing it not to spoil your experience on #9? Or is somebody else still looking in #9? BTW, has some other experienced cracker tried #9 yet? (Just curious for some feedback). Thanks.
lena151.
Edited June 20, 2007 by lena151
Loki Posted June 21, 2007
Hey lena. I wouldn't wait for me to finish this... just release #40 and I'll have a read when I am ready. Think I'm doing alright - it's the constant checks that are tricky. I've just found your checksum type thing (after the calls to GetUserName, GetVolumeInformation etc.) which seems to be checking 401000 to 407FFF (I assume it's a checksum). I've deobfuscated the entire thing, just wading through it now - problem is I'm away for the weekend and may not get much chance to do much on it so wouldn't want you to not release on my behalf!! It's good fun though... doable, but as you say, it's about the amount of time you can spend on it.
lena151 Posted June 22, 2007 (Author)
It's pretty disappointing that only 1 person at SnD and 1 person at ARTeam looked into this or cared to give some feedback. It was already mentioned by Angel-55 that only a couple starters are interested in my ****. Still, it's damn hard to find out this is completely correct too.
I won't be around much any more. Goodbye all, it has been fun for a while.
The newbie series has ended hereby, then again, who cares...
lena151.
syk071c Posted June 22, 2007
i also have been having a peek at this when i have had time.. the truth is it is actually quite difficult for a lot of us.. it's all the obfuscation that makes it very confusing to trace.. it's not that no one has taken interest, it is just a very time consuming thing to reverse..
scherzo Posted June 22, 2007
Not really so time consuming if you do it correctly. I found the right algo very quickly by the way, without tracing the programme and without even spending much time deobfuscating it.
scherzo
till Posted June 22, 2007 (edited)
Well, it's not good to hear, but almost all good things have an end... I wanna thank you very much for your legendary series, I've learned A LOT from your tutorials! Best Regards to you Lena, enjoy your life and good luck in the future!
~Till.ch
Edited June 22, 2007 by Till.ch
lena151 Posted June 23, 2007 (Author)
Due to many heartwarming pm's and mails, I may still be around from time to time but the series is discontinued.
"... the truth is it is actually quite difficult for a lot of us... it's all the obfuscation that makes it very confusing to trace.."
That's exactly the feedback I was asking for. What was found quickly etc. I wanted to know if I had to make it much harder to become really uncrackable because with more time, I would definitely have implemented better obfuscation as I only used obfuscation by byte coding.
On the ARTeam forum, it was mentioned that experienced crackers didn't reply because of ego (it seems crackers don't want to confess they failed solving something (?)). I didn't think of that yet, and I can hardly imagine it. I'm not sure what you guys think but I tend to believe that no experienced cracker has tried it (except Loki and syk who only glanced over it due to lack of time). Oh, and I'm aiming at no one in particular, I only want to say that experienced crackers have far more challenging stuff to solve, hence aren't interested, that's really all I mean to say.
All this in fact derives from the poll on whether everything is crackable. If this reverseme#9 beats everybody (I can definitely make it many many times harder) ... wow, then those people in the poll saying that everything is crackable ... are just ridiculously mistaken LOL. Nonono, I tend to believe that no experienced cracker has really taken the time to try yet. Ehrr ... I intended to make the next Part in the series about "cracking the uncrackable ReverseMe" (hehe, would have made up a nice title huh?).
An example (that I also explained on the ARTeam forum): I have everywhere coded calls to apis in the "traditional" way (throughout the complete ReverseMe#9) (and also byte coded the sensitive ones as such). Like:
invoke wsprintf,addr Buffer,addr Format,esi
What if I had obfuscated every call to an api everywhere in ReverseMe#9 as follows and also byte coded the complete ReverseMe (just a quick example, can be made much much more complicated):
@@:
jmp @f-5
call CreateFile ;obfuscation: is never executed, can be a call to any api
add esp,4
push eax
add eax,esp ;useless code
push esi
mov eax,6
clc ;useless code
push offset Format
imul eax,eax,1
stc ;useless code
push offset Buffer
mov edi,eax ;useless code
lea edi,[wsprintf+eax] ;nice obfuscation: will point to another api, can easily be made random too
jmp @f
call ReadFile ;obfuscation: is never executed, can be a call to any api
call @b+7
@@:
add edi,-6
call edi ;call to the real api (wsprintf in this example)
add esp,0Ch
pop eax
This does exactly the same (assemble it if you doubt). The "useless" code can be extended as much as wanted. If I then had byte coded this .... what better obfuscation already. And there are many more tricks like this. Anyway ... As said, the project is abandoned.
Thanks for your info now though.
"... I found the right algo very quickly by the way..."
If you are scherzocrk (?) who pm'ed me on another forum, then look again as you are nowhere near the real algo. It is what I meant in my reply by "you made a major mistake and need to look again" ...
lena151.
vinnie Posted June 24, 2007
"The newbie series has ended hereby, then again, who cares... lena151."
Loki Posted June 25, 2007
I've been away for a few days but still had a bit of a look at this. Still away but back to normal tomorrow. To be honest, I think it's probably the case that a number of people started on this and failed either due to it being too tough or needing too much time. After all, the obfuscation is there to stop it being solved quickly? As someone said above, very few people will own up to trying and failing - I was the only one to 'post' that this one and the one moid solved were owning me at first. I'm fairly confident I wasn't the only one though. From what I've seen there is a lot in this and a huge amount is decoy and anti-debug (including process checking, FindWindow, checks for winice.dat and other SICE files/services, RDTSC, illegal operations etc.). Lena, I realise you're feeling dejected right now and that this project is 'over' but it's still the most interesting crackme I've seen in a long while, so I'll be giving you some proper feedback tomorrow when I get home. Thanks for taking the time to code it, it was appreciated.
lena151 Posted July 13, 2007 (Author)
Thanks all for the kind words also by pm. It's much appreciated.
"THANKS FOR EVERYTHING YOU HAVE DONE FOR THE SCENE."
Wow! Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!
".... a huge amount is decoy and anti debug ...."
This reverseme#9 detects Ring3 debugging in a different way, though I added some well-known anti-debugging to decoy it. Don't blindly trust the working of olly because this is exactly what makes ReverseMe#9 so treacherous ... and possibly why it isn't solved yet. Another hint: see Part#40 on ReverseMe#8, though I used a slightly better code protection, different anti-debugger method (not based on resources) and anti-debugger values that interfere in the registration data.
"...so I'll be giving you some proper feedback tomorrow..."
Ehrrr, did I miss it? Haven't seen it, but I also have a question for all: did someone make progress on this ReverseMe#9? Or find what the registration scheme is based upon (probably Part#40 gives this away)? Around which address starts the reg scheme?
lena151.
Guest losredondos Posted July 14, 2007
THANK YOU A LOT LENA151. I LIKE YOUR TUT, I READ FIRST AND IT IS VERY INTERESTING. THANK YOU, DON'T SAY GOODBYE.
eboo Posted August 11, 2007
"Wow! Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!"
Yes Lena maybe, but only you can explain all this in this very logical way. I'm sure: in the future your series will be a "citation classic" for all reversers. And I hope to read the crack with lena n
lena151 Posted August 16, 2007 (Author) (edited)
Oops, I almost forgot to post a solution ...

algo proc hWnd:HWND
local nSize:dword

;====== Find the PC user's name
mov nSize,sizeof sName
invoke GetUserName,addr sName,addr nSize

;====== Find the PC volume name
invoke GetWindowsDirectory,addr sWinDir,sizeof sWinDir
invoke lstrcpyn,addr sRoot,addr sWinDir,4
invoke GetVolumeInformation,addr sRoot,addr sVolName,sizeof sVolName,addr nVolNum,addr nMaxPath,addr nSysFlags,addr sFileSys,sizeof sFileSys

;====== Read the user input (name), length in eax
lea ecx,sNameBuffer
invoke lstrlen,ecx

;====== Name encryption
xor edx,edx
.while (eax > edx)
    mov bl,byte ptr [sNameBuffer+edx]
    sub bl,dl
    rol bl,3
    xor bl,dl
    mov byte ptr [sNameBuffer+edx],bl
    inc edx
.endw

;====== The algo
mov byte ptr [sNameBuffer+eax],0CBh        ;CB byte after name
mov bx,word ptr [sName+1]                  ;2nd & 3rd byte from username
mov word ptr [sNameBuffer+eax+1],bx
mov bx,word ptr [sVolName+2]               ;and the 3rd & 4th byte from the volume name
mov word ptr [sNameBuffer+eax+3],bx
mov dword ptr [sNameBuffer+eax+5],0FF03C766h ;7 bytes executed to return to the code
mov dword ptr [sNameBuffer+eax+9],0E3FF75h

;====== Creating the registry values
invoke RegCreateKeyExA,HKEY_LOCAL_MACHINE,addr Reg_Path,0,addr Reg_String,0,2001Fh,0,addr Reg_Result,addr Reg_DP
invoke RegSetValueExA,ds:Reg_Result,addr Reg_Sub_Key,0,1,addr sNameBuffer,sizeof sNameBuffer
invoke RegCloseKey,HKEY_LOCAL_MACHINE
xor eax,eax
ret
algo endp

Thanks to all who looked into this.
lena151.
ReverseMe_9bylena151_Keygen.rar
Edited September 1, 2007 by lena151
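The buffer that the posted keygen builds, reimplemented in Python as an added example (this is not lena151's code) so the name transform and the byte layout can be checked offline. The username and volume name are constructed sample values, and the example only assembles the bytes; it does not touch the registry.

```python
# Added example: mirrors the name transform and sNameBuffer layout from
# lena151's posted keygen so the bytes can be inspected offline.
# Inputs are constructed sample values; nothing is written to the registry.
import struct


def rol8(value: int, count: int) -> int:
    """8-bit rotate left, the same operation as `rol bl,3`."""
    value &= 0xFF
    return ((value << count) | (value >> (8 - count))) & 0xFF


def encrypt_name(name: bytes) -> bytes:
    """The .while loop: for the byte at index edx do sub dl, rol 3, xor dl."""
    out = bytearray()
    for edx, b in enumerate(name):
        bl = (b - edx) & 0xFF   # sub bl,dl
        bl = rol8(bl, 3)        # rol bl,3
        bl ^= edx & 0xFF        # xor bl,dl (dl is the low byte of edx)
        out.append(bl)
    return bytes(out)


def build_reg_blob(name: bytes, username: bytes, volume_name: bytes) -> bytes:
    """Bytes following the encrypted name at offset eax in sNameBuffer:
    CB, username[1:3], volume[2:4], then the dwords 0FF03C766h and 0E3FF75h
    stored little-endian. The first 7 of those 8 bytes decode to
    `mov word ptr [ebx],75FFh` / `jmp ebx`, which is what the ReverseMe runs."""
    if len(username) < 3 or len(volume_name) < 4:
        raise ValueError("username needs 3+ bytes, volume name 4+ bytes")
    blob = bytearray(encrypt_name(name))
    blob.append(0xCB)                       # mov byte ptr [sNameBuffer+eax],0CBh
    blob += username[1:3]                   # word ptr [sName+1]
    blob += volume_name[2:4]                # word ptr [sVolName+2]
    blob += struct.pack("<I", 0xFF03C766)   # 66 C7 03 FF
    blob += struct.pack("<I", 0x00E3FF75)   # 75 FF E3 00
    return bytes(blob)


if __name__ == "__main__":
    # Constructed sample values, not real machine data.
    print(build_reg_blob(b"lena", b"user", b"VOLUME").hex(" "))
```

The original writes the whole fixed-size sNameBuffer to the registry value, so the real blob is padded with whatever follows these bytes in that buffer.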
antrobs Posted August 18, 2007
Great to hear you're back lena151. Anyway, how's life right now? By the way, thanks for posting a solution, I will try to digest it little by little..
GrEeTZ, aNtRoBs
syk071c Posted August 18, 2007
mov dword ptr [sNameBuffer+eax+5],0FF03C766h ;'7 bytes executed to return to the code'
mov dword ptr [sNameBuffer+eax+9],0E3FF75h
this is where i got stuck..
viperbjk Posted August 30, 2007
I just wanted to say that I really appreciated the lena tuts. Although I thought I would know a lot about reversing *yeah, s0nY*, some hints in using olly really opened my eyes. Lena, you did a great job for the community, especially for the newbies ... just as Fravia, Orc and tkC did with their tutorials years before *imho you did better, video tuts are really great*.
See ya, ViperBJK *just another VSISG, Ex-UNF, Ex-NFREE, Ex-Paramind member*