[reverseme] #9 By Lena151

[lena151]

This is an attempt to code an "uncrackable" program in assembler. See http://www.tuts4you.com/forum/index.php?sh...c=12949&hl= to read the complete story.

Aesthetics-only patching is NOT a valid solution! e.g. editing "UNREGISTERED" into whatever in a resources editor. Of course that this doesn't effectively register anything, right? Adding code, etc to make the ReverseMe display something isn't a valid thing either, right? You may however patch the reg scheme so that false data is still accepted as valid. If patching, please explain your solution so that I can verify its validity. It's clear that a keygen is preferred.

Good luck and have fun

lena151.

ReverseMe_9_by_lena151.rar

[Guest ManiacX]

Thanks lenna!

Gonna give it a shot now

BTW: You were the person that into'd me into reversing.....After going through ur tuts, I am pretty good in revving. I don't release any of my cracks publicly (yet). Thanks, again!

Edited June 13, 2007 by ManiacX

[Loki]

Eeek.

Getting owned by this one right now. The obfuscation is a pain, but nothing major (although I like the 2 or 3 processes checking whether it has been deobfuscated).

Currently getting owned just before the GetTickCount and GetFileSize (probably one of the first proper anti debugger checks). Think I've figured out why but get the feeling I'm not getting very far fast though

[syk071c]

some weekend fun...

[Loki]

dude, you have dull weekends

[Loki]

Started having a proper look at this now. I get the feeling you're not messing around with the debugger detection though!!

moid.exe, hacnho.exe, snd.exe, cim's.exe, lbr68.exe, ollydbg_execryptor.exe, ollyice.exe, ollydbg.exe, ollyshadow.exe, shadow.exe

Hope I get enough time to make some progress... there is sooo much recursively called junk code though!

[Angel-55]

My Olly isn't listed in there lol

looks a nice protection it detects all these debuggers by name WTH ?

nice work Lena and keep it up

[Loki]

Everything I have come accross is encrypted. Essentially for the protection I quoted above it decrypts these names, then uses Process32First to cycle open processes (and lstrsmp to test). It then encrypts everything again.

Theres plenty more protection in here though.

[Loki]

Nice use of the SEH too.

XOR ESI, ESI

DIV ESI

I still *believe* I'm getting somewhere, but it could all be a complete waste of time

[lena151]

but it could all be a complete waste of time

Nonono, you are doing just fine and I'm pleased someone takes a look in it, it's appreciated.

Everything you've found so far is correct. The first exe being a wink to MOID who has keygenned #8 (hehe, how the hell should I know what he's named his own olly )

Hey Loki, I'm finishing Part#40 in the newbie series on ReverseMe#8. I guess you'll want me to wait releasing it not to spoil your experience on #9? Or is somebody else still looking in #9? BTW, has some other experienced cracker tried #9 yet? (Just curious for some feedback). Thanks.

lena151.

Edited June 20, 2007 by lena151

[Loki]

Hey lena. I wouldn't wait for me to finish this... just release #40 and I'll have a read when I am ready. Think I'm doing alright - its the constant checks that are tricky. I'v just found your checksum type thing (after the calls to GetUserName, GetVolumeInformation etc) which seems to be checking 401000 to 407FFF (I assume its a checksum).

I've deobfuscated the entire thing, just wading through it now - problem is I'm away for the weekend and may not get much chance to do much on it so wouldn't want you to not release on my behalf!!

Its good fun though... doable, but as you say, its about the amount of time you can spend on it

[lena151]

It's pretty disappointing that only 1 person at SnD and 1 person at ARTeam looked into this or cared to give some feedback.

It was already mentioned by Angel-55 that only a couple starters are interested in my ****. Still, it's damn hard to find out this is completely correct too.

I won't be around much any more. Goodbye all, it has been fun for a while.

The newbie series has ended hereby, then again, who cares...

lena151.

[syk071c]

i also have been having a peek at this when i have had time.. the truth is it is actually quite difficult for a lot of us.. it's all the obfuscation makes it very confusing to trace.. it's not that no one has taken interest it is just a very time consuming thing to reverse..

[scherzo]

not really so time consuming if you do it correctly. I found the right algo very quickly by the way and without trace the programme and without even spent much time deobfuscating it.

scherzo

[till]

Well, it's not good to hear, but almost all good things have an end...

I wanna thank you very much for you legendary series, I've learned A LOT from your tutorials!

Best Regards to you Lena, enjoy your life and good luck in the future!

~Till.ch

Edited June 22, 2007 by Till.ch

[lena151]

Due to many heartwarming pm's and mails, I may still be around from time to time but the series is discontinued.

... the truth is it is actually quite difficult for a lot of us... it's all the obfuscation makes it very confusing to trace..

That's exactly the feedback I was asking for. What was found quickly etc. I wanted to know if I had to make it much harder to become really uncrackable because with more time, I would definately have implemented better obfuscation as I only used obfuscation by byte coding.

On ARTeam forum, it was mentioned that experienced crackers didn't reply because of ego (it seems crackers don't want to confess they failed solving something (?)). I didn't think of that yet, and I can hardly imagine it. I'm not sure what you guys think but I tend to believe that no experienced cracker has tried it (except Loki and syk who only glanced over it due lack of time). Oh, and I'm aiming noone in particular, I only want to say that experienced crackers have far more challenging stuff to solve, hence aren't interested, that's really all I mean to say.

All this is in fact a derive from the poll if everything is crackable. If this reverseme#9 beats everybody (I can definately make it many many times harder) ... wow, then those people in the poll saying that everything is crackable ... are just rediculously mistaken LOL Nonono, I tend to believe that no experienced cracker has really taken the time to try yet. Ehrr ... I intended to make the next Part in the series about "cracking the uncrackable ReverseMe" (hehe, would have made up a nice title huh?).

An example (that I also explained on ARTeam forum): I have everywhere coded calls to apis in the "traditional" way (throughout the complete ReverseMe#9) (and also byte coded the sensitive ones as such).

Like:

invoke wsprintf,addr Buffer,addr Format,esi

What if I had obfuscated every call to an api everywhere in ReverseMe#9 as follows and also byte coded the complete ReverseMe (just a quick example, can be made much much more complicated):

@@:
jmp @f-5
call CreateFile		 ;obfuscation: is never executed, can be a call to any api
add esp,4
push eax
add eax,esp			 ;useless code
push esi
mov eax,6
CLC					 ;useless code
push offset Format
imul eax,eax,1
stc					 ;useless code
push offset Buffer
mov edi,eax			 ;useless code
lea edi,[wsprintf+eax]  ;nice obfuscation: will point to another api, can easily be made random too
jmp @f
call ReadFile		   ;obfuscation: is never executed, can be a call to any api
call @b+7
@@:
add edi,-6
call edi				;call to the real api (wsprintf in this example)
add esp,0Ch
pop eax

This does exactly the same (assemble it if you doubt). The "useless" code can be extended as much as wanted. If I then had byte coded this .... what better obfuscation already. And there are many more tricks like this. Anyway ...

Like said, the project is abandoned.

Thanks for your info now though.

... I found the right algo very quickly by the way...

If you are scherzocrk (?) who pm'ed me on another forum, then look again as you are nowhere near the real algo. It is what I meant in my reply by "you made a major mistake and need to look again" ...

lena151.

[vinnie]

"The newbie series has ended hereby, then again, who cares..."

lena151.

[Loki]

I've been away for a few days but still had a bit of a look at this. Still away but back to normal tomorrow.

To be honest, I think its probably the case that a number of people started on this and failed either due it being too tough or needing too much time. after all, the obfuscation is there to stop it being solved quickly? As someone said above, very few people will own up to trying and failing - I was the only one to 'post' that this one and the one moid solved were owning me at first. I'm fairly confident I wasn't the only one though.

From what I've seen there is a lot in this and a huge amount is decoy and anti debug (including process checking, FindWindow, checks for winice.dat and other SICE files/services, RDTSC, illegal operations etc).

Lena, I realise you're feeling dejected right now and that this project is 'over' but its still the most interesting crackme I've seen in a long while, so I'll be giving you some proper feedback tomorrow when I get home. Thanks for taking the time to code it, it was appreciated

[lena151]

Thanks all for the kind words also by pm. It's much appreciated.

THANKS FOR EVERYTHING YOU HAVE DONE FOR THE SCENE.

Wow!Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!

.... a huge amount is decoy and anti debug ....

This reverseme#9 detects Ring3 debugging in a different way though I added some well-known anti-debugging to decoy it. Don't blindly trust the working of olly because this is exactly what makes ReverseMe#9 so treacherous ... and possibly why it isn't solved yet. Another hint: see Part#40 on ReverseMe#8 though I used a slightly better code protection, different anti-debugger method (not based on resources) and anti-debugger values that interfere in the registration data.

...so I'll be giving you some proper feedback tomorrow...

Ehrrr, did I miss it? Haven't seen it, but I also have a question for all: did someone make progress on this ReverseMe#9? Or find what the registration scheme is based upon (probably Part#40 gives this away)? Around which address starts the reg scheme?

lena151.

[Guest losredondos]

THANK YOU A LOT LENA151 I LIKE YOUR TUT I READ FIRST AND IS VERY INTERESTING.

THANK YOU DONT SAY GOODBYE

[eboo]

Wow!Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!

Yes Lena maybe, but only you can explain all this in this very logical way. I'm sure: in the future your series will be a "citation classic" for all reverse.

And I hope to read the crack with lena n

[lena151]

Oops, I almost forgot to post a solution ...

algo proc hWnd:HWND
		local nSize:dword;====== Find the PC user's name
		mov nSize,sizeof sName
		invoke GetUserName,addr sName,addr nSize;====== Find the PC volume name
		invoke GetWindowsDirectory,addr sWinDir,sizeof sWinDir
		invoke lstrcpyn,addr sRoot,addr sWinDir,4
		invoke GetVolumeInformation,addr sRoot,addr sVolName,sizeof sVolName,addr nVolNum,addr nMaxPath,addr nSysFlags,addr sFileSys,sizeof sFileSys;====== Read the user input (name), length in eax
		lea ecx,sNameBuffer 
		invoke lstrlen,ecx ;====== Name encryption
	xor edx, edx
	.while (eax > edx)
		mov bl,byte ptr [sNameBuffer+edx]
		sub bl,dl
		rol bl,3
		xor bl,dl
		mov byte ptr [sNameBuffer+edx],bl
		inc edx
	.endw;====== The algo
		mov byte ptr [sNameBuffer+eax],0CBh;CB byte after name
		mov bx,word ptr [sName+1]	;2nd & 3rd byte from username
		mov word ptr [sNameBuffer+eax+1],bx
		mov bx,word ptr [sVolName+2]	;and the 3rd & 4th byte from the volume name
		mov word ptr [sNameBuffer+eax+3],bx
		mov dword ptr [sNameBuffer+eax+5],0FF03C766h;7 bytes executed to return to the code
		mov dword ptr [sNameBuffer+eax+9],0E3FF75h;====== Creating the registry values
		invoke RegCreateKeyExA,HKEY_LOCAL_MACHINE,addr Reg_Path,0,addr Reg_String,0,2001Fh,0,addr Reg_Result,addr Reg_DP
		invoke RegSetValueExA,ds:Reg_Result,addr Reg_Sub_Key,0,1,addr sNameBuffer,Sizeof sNameBuffer
		invoke RegCloseKey,HKEY_LOCAL_MACHINExor eax, eax
ret
algo endp

Thanks to all who looked into this.

lena151.

ReverseMe_9bylena151_Keygen.rar

Edited September 1, 2007 by lena151

[antrobs]

Great to hear you back lena151, Anyway how's life right now? By the way thanks for posting a solution I will try to digest it little by little..

GrEeTZ,

aNtRoBs

[syk071c]

mov dword ptr [sNameBuffer+eax+5],0FF03C766h; '7 bytes executed to return to the code'

mov dword ptr [sNameBuffer+eax+9],0E3FF75h

this is where i got stuck..

[viperbjk]

I just wanted to say that I really appreciated the lena tuts.

Although I thought I would know a lot about reversing *yeah, s0nY *,

some hints in using olly really opened my eyes.

Lena, you did a great job for the community, especially for the

newbies ... just as Fravia, Orc and tkC did with their tutorials years before

*imho you did better, video tuts are really great*.

See ya,

ViperBJK

*just another VSISG, Ex-UNF, Ex-NFREE, Ex-Paramind member*