Tuts 4 You

[reverseme] #9 By Lena151


lena151


This is an attempt to code an "uncrackable" program in assembler. See http://www.tuts4you.com/forum/index.php?sh...c=12949&hl= to read the complete story.

Aesthetics-only patching is NOT a valid solution! e.g. editing "UNREGISTERED" into whatever in a resources editor. Of course this doesn't effectively register anything, right? Adding code, etc. to make the ReverseMe display something isn't a valid thing either, right? You may however patch the reg scheme so that false data is still accepted as valid. If patching, please explain your solution so that I can verify its validity. It's clear that a keygen is preferred.

Good luck and have fun

lena151.

ReverseMe_9_by_lena151.rar

Link to comment
Guest ManiacX

Thanks lena!

Gonna give it a shot now ;)

BTW: You were the person that intro'd me into reversing... After going through your tuts, I am pretty good in revving. I don't release any of my cracks publicly (yet). Thanks again!

Edited by ManiacX
Link to comment

Eeek.

Getting owned by this one right now. The obfuscation is a pain, but nothing major (although I like the 2 or 3 processes checking whether it has been deobfuscated).

Currently getting owned just before the GetTickCount and GetFileSize (probably one of the first proper anti debugger checks). Think I've figured out why but get the feeling I'm not getting very far fast though :)

Link to comment

Started having a proper look at this now. I get the feeling you're not messing around with the debugger detection though!! :P

moid.exe, hacnho.exe, snd.exe, cim's.exe, lbr68.exe, ollydbg_execryptor.exe, ollyice.exe, ollydbg.exe, ollyshadow.exe, shadow.exe

Hope I get enough time to make some progress... there is sooo much recursively called junk code though!

Link to comment

My Olly isn't listed in there lol :P

looks a nice protection it detects all these debuggers by name WTH ? :D

nice work Lena and keep it up ;)

Link to comment

Everything I have come across is encrypted. Essentially for the protection I quoted above it decrypts these names, then uses Process32First to cycle open processes (and lstrcmp to test). It then encrypts everything again.

There's plenty more protection in here though.

Link to comment

Nice use of the SEH too.

XOR ESI, ESI

DIV ESI

I still *believe* I'm getting somewhere, but it could all be a complete waste of time :)

Link to comment
but it could all be a complete waste of time :)

Nonono, you are doing just fine and I'm pleased someone takes a look in it, it's appreciated.

Everything you've found so far is correct. The first exe being a wink to MOID who has keygenned #8 (hehe, how the hell should I know what he's named his own olly :lol: )

Hey Loki, I'm finishing Part#40 in the newbie series on ReverseMe#8. I guess you'll want me to wait releasing it not to spoil your experience on #9? Or is somebody else still looking in #9? BTW, has some other experienced cracker tried #9 yet? (Just curious for some feedback). Thanks.

lena151.

Edited by lena151
Link to comment

Hey lena. I wouldn't wait for me to finish this... just release #40 and I'll have a read when I am ready. Think I'm doing alright - it's the constant checks that are tricky. I've just found your checksum type thing (after the calls to GetUserName, GetVolumeInformation etc.) which seems to be checking 401000 to 407FFF (I assume it's a checksum).

I've deobfuscated the entire thing, just wading through it now - problem is I'm away for the weekend and may not get much chance to do much on it so wouldn't want you to not release on my behalf!!

It's good fun though... doable, but as you say, it's about the amount of time you can spend on it :)

Link to comment

It's pretty disappointing that only 1 person at SnD and 1 person at ARTeam looked into this or cared to give some feedback.

It was already mentioned by Angel-55 that only a couple starters are interested in my ****. Still, it's damn hard to find out this is completely correct too.

I won't be around much any more. Goodbye all, it has been fun for a while.

The newbie series has ended hereby, then again, who cares...

lena151.

Link to comment

i also have been having a peek at this when i have had time.. the truth is it is actually quite difficult for a lot of us.. :o it's all the obfuscation makes it very confusing to trace.. ;) it's not that no one has taken interest it is just a very time consuming thing to reverse.. :(:wub::flowers:

Link to comment

Not really so time consuming if you do it correctly. I found the right algo very quickly by the way, without tracing the programme and without even spending much time deobfuscating it.

scherzo

Link to comment

Well, it's not good to hear, but almost all good things have an end...

I wanna thank you very much for your legendary series, I've learned A LOT from your tutorials!

Best Regards to you Lena, enjoy your life and good luck in the future! :flowers::flowers:

~Till.ch

Edited by Till.ch
Link to comment

Due to many heartwarming pm's and mails, I may still be around from time to time but the series is discontinued.

... the truth is it is actually quite difficult for a lot of us... it's all the obfuscation makes it very confusing to trace..

That's exactly the feedback I was asking for. What was found quickly etc. I wanted to know if I had to make it much harder to become really uncrackable because with more time, I would definitely have implemented better obfuscation as I only used obfuscation by byte coding.

On ARTeam forum, it was mentioned that experienced crackers didn't reply because of ego (it seems crackers don't want to confess they failed solving something (?)). I didn't think of that yet, and I can hardly imagine it. I'm not sure what you guys think but I tend to believe that no experienced cracker has tried it (except Loki and syk who only glanced over it due to lack of time). Oh, and I'm aiming at no one in particular, I only want to say that experienced crackers have far more challenging stuff to solve, hence aren't interested, that's really all I mean to say.

All this is in fact derived from the poll on whether everything is crackable. If this reverseme#9 beats everybody (I can definitely make it many many times harder) ... wow, then those people in the poll saying that everything is crackable ... are just ridiculously mistaken LOL. Nonono, I tend to believe that no experienced cracker has really taken the time to try yet. Ehrr ... I intended to make the next Part in the series about "cracking the uncrackable ReverseMe" (hehe, would have made up a nice title huh?).

An example (that I also explained on ARTeam forum): I have everywhere coded calls to apis in the "traditional" way (throughout the complete ReverseMe#9) (and also byte coded the sensitive ones as such).

Like:

invoke wsprintf,addr Buffer,addr Format,esi

What if I had obfuscated every call to an api everywhere in ReverseMe#9 as follows and also byte coded the complete ReverseMe (just a quick example, can be made much much more complicated):

@@:
jmp @f-5
call CreateFile ;obfuscation: is never executed, can be a call to any api
add esp,4
push eax
add eax,esp ;useless code
push esi
mov eax,6
CLC ;useless code
push offset Format
imul eax,eax,1
stc ;useless code
push offset Buffer
mov edi,eax ;useless code
lea edi,[wsprintf+eax] ;nice obfuscation: will point to another api, can easily be made random too
jmp @f
call ReadFile ;obfuscation: is never executed, can be a call to any api
call @b+7
@@:
add edi,-6
call edi ;call to the real api (wsprintf in this example)
add esp,0Ch
pop eax

This does exactly the same (assemble it if you doubt). The "useless" code can be extended as much as wanted. If I then had byte coded this .... what better obfuscation already. And there are many more tricks like this. Anyway ...

Like said, the project is abandoned.

Thanks for your info now though.

... I found the right algo very quickly by the way...

If you are scherzocrk (?) who pm'ed me on another forum, then look again as you are nowhere near the real algo. It is what I meant in my reply by "you made a major mistake and need to look again" ...

lena151.

Link to comment

I've been away for a few days but still had a bit of a look at this. Still away but back to normal tomorrow.

To be honest, I think it's probably the case that a number of people started on this and failed either due to it being too tough or needing too much time. After all, the obfuscation is there to stop it being solved quickly? As someone said above, very few people will own up to trying and failing - I was the only one to 'post' that this one and the one moid solved were owning me at first. I'm fairly confident I wasn't the only one though.

From what I've seen there is a lot in this and a huge amount is decoy and anti debug (including process checking, FindWindow, checks for winice.dat and other SICE files/services, RDTSC, illegal operations etc).

Lena, I realise you're feeling dejected right now and that this project is 'over' but it's still the most interesting crackme I've seen in a long while, so I'll be giving you some proper feedback tomorrow when I get home. Thanks for taking the time to code it, it was appreciated :)

Link to comment
  • 3 weeks later...

Thanks all for the kind words also by pm. It's much appreciated.

THANKS FOR EVERYTHING YOU HAVE DONE FOR THE SCENE.

Wow!Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!

.... a huge amount is decoy and anti debug ....

This reverseme#9 detects Ring3 debugging in a different way though I added some well-known anti-debugging to decoy it. Don't blindly trust the working of olly because this is exactly what makes ReverseMe#9 so treacherous ... and possibly why it isn't solved yet. Another hint: see Part#40 on ReverseMe#8 though I used a slightly better code protection, different anti-debugger method (not based on resources) and anti-debugger values that interfere in the registration data.

...so I'll be giving you some proper feedback tomorrow...

Ehrrr, did I miss it? Haven't seen it, but I also have a question for all: did someone make progress on this ReverseMe#9? Or find what the registration scheme is based upon (probably Part#40 gives this away)? Around which address starts the reg scheme?

lena151.

Link to comment
  • 4 weeks later...
Wow!Wow! You know, I only put some reversing basics together in a series! Every reverser could have done it!

Yes Lena maybe, but only you can explain all this in this very logical way. I'm sure: in the future your series will be a "citation classic" for all reversers.

And I hope to read the crack with lena n

Link to comment

Oops, I almost forgot to post a solution ...

algo proc hWnd:HWND
local nSize:dword

;====== Find the PC user's name
mov nSize,sizeof sName
invoke GetUserName,addr sName,addr nSize

;====== Find the PC volume name
invoke GetWindowsDirectory,addr sWinDir,sizeof sWinDir
invoke lstrcpyn,addr sRoot,addr sWinDir,4
invoke GetVolumeInformation,addr sRoot,addr sVolName,sizeof sVolName,addr nVolNum,addr nMaxPath,addr nSysFlags,addr sFileSys,sizeof sFileSys

;====== Read the user input (name), length in eax
lea ecx,sNameBuffer
invoke lstrlen,ecx

;====== Name encryption
xor edx, edx
.while (eax > edx)
mov bl,byte ptr [sNameBuffer+edx]
sub bl,dl
rol bl,3
xor bl,dl
mov byte ptr [sNameBuffer+edx],bl
inc edx
.endw

;====== The algo
mov byte ptr [sNameBuffer+eax],0CBh ;CB byte after name
mov bx,word ptr [sName+1] ;2nd & 3rd byte from username
mov word ptr [sNameBuffer+eax+1],bx
mov bx,word ptr [sVolName+2] ;and the 3rd & 4th byte from the volume name
mov word ptr [sNameBuffer+eax+3],bx
mov dword ptr [sNameBuffer+eax+5],0FF03C766h ;7 bytes executed to return to the code
mov dword ptr [sNameBuffer+eax+9],0E3FF75h

;====== Creating the registry values
invoke RegCreateKeyExA,HKEY_LOCAL_MACHINE,addr Reg_Path,0,addr Reg_String,0,2001Fh,0,addr Reg_Result,addr Reg_DP
invoke RegSetValueExA,ds:Reg_Result,addr Reg_Sub_Key,0,1,addr sNameBuffer,Sizeof sNameBuffer
invoke RegCloseKey,HKEY_LOCAL_MACHINE
xor eax, eax
ret
algo endp

Thanks to all who looked into this.

lena151.

ReverseMe_9bylena151_Keygen.rar

Edited by lena151
Link to comment
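The registration data built by the posted MASM keygen, ported to Python as an added example so the byte transform can be followed without assembling anything. This is not code from the thread or from the keygen archive; the steps are taken line by line from lena151's algo above. The typed name, the Windows user name and the volume label are constructed sample values standing in for what the keygen reads with GetUserName and GetVolumeInformation. The decrypt_name helper is not part of the keygen at all; it is added to show that the name transform is invertible, which is the check an analyst makes before trusting a recovered algorithm.

```python
import struct


def rol8(v: int, n: int) -> int:
    """8-bit rotate left, the effect of `rol bl,n`."""
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF


def ror8(v: int, n: int) -> int:
    """8-bit rotate right, the inverse of rol8."""
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF


def encrypt_name(name: bytes) -> bytes:
    """The 'Name encryption' loop of the MASM algo: with edx as the byte
    index, each byte becomes ((b - edx) rol 3) xor edx.  Only the low byte
    of the index (dl) takes part, exactly as in the 8-bit register code."""
    out = bytearray()
    for i, b in enumerate(name):
        dl = i & 0xFF
        v = (b - dl) & 0xFF   # sub bl,dl
        v = rol8(v, 3)        # rol bl,3
        v ^= dl               # xor bl,dl
        out.append(v)
    return bytes(out)


def decrypt_name(enc: bytes) -> bytes:
    """Inverse of encrypt_name (added here, not in the keygen): undo the
    three steps in reverse order."""
    out = bytearray()
    for i, v in enumerate(enc):
        dl = i & 0xFF
        v ^= dl               # undo xor bl,dl
        v = ror8(v, 3)        # undo rol bl,3
        v = (v + dl) & 0xFF   # undo sub bl,dl
        out.append(v)
    return bytes(out)


def build_reg_value(name: bytes, user_name: bytes, vol_name: bytes) -> bytes:
    """Assemble the bytes the keygen stores in the registry value, following
    the 'The algo' section.  user_name and vol_name are NUL-padded the way a
    zero-initialised buffer would be, so a short user name or volume label
    still yields the bytes the MASM code would read."""
    user_name = user_name + b"\0" * 4
    vol_name = vol_name + b"\0" * 4
    buf = bytearray(encrypt_name(name))
    buf.append(0xCB)                       # CB byte after name
    buf += user_name[1:3]                  # 2nd & 3rd byte from username ([sName+1])
    buf += vol_name[2:4]                   # 3rd & 4th byte from volume name ([sVolName+2])
    # The two dwords are stored little-endian: 66 C7 03 FF 75 FF E3 00.
    # The first seven bytes are the "7 bytes executed to return to the code";
    # decoded here from the opcode tables (the thread does not spell it out)
    # they read: mov word ptr [ebx],75FFh / jmp ebx.
    buf += struct.pack("<I", 0xFF03C766)   # dword at name+5
    buf += struct.pack("<I", 0x00E3FF75)   # dword at name+9
    # The keygen writes the whole sNameBuffer (trailing zeros included);
    # only the filled prefix is returned here.
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the thread.
    value = build_reg_value(b"ABC", b"lena151", b"SYSTEM")
    print(value.hex(" "))
    assert decrypt_name(encrypt_name(b"ABC")) == b"ABC"
```

Running it prints the sixteen bytes the keygen would store for those sample inputs; the interesting point for anyone who got stuck at the two dword stores, as a later post in this thread did, is that the tail of the registration data is machine code rather than key material.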

Great to hear you're back lena151. Anyway, how's life right now? By the way, thanks for posting a solution, I will try to digest it little by little.. :D

GrEeTZ,

aNtRoBs

Link to comment

mov dword ptr [sNameBuffer+eax+5],0FF03C766h; '7 bytes executed to return to the code'

mov dword ptr [sNameBuffer+eax+9],0E3FF75h

this is where i got stuck.. :)

Link to comment
  • 2 weeks later...

I just wanted to say that I really appreciated the lena tuts.

Although I thought I would know a lot about reversing *yeah, s0nY :) *,

some hints in using olly really opened my eyes.

Lena, you did a great job for the community, especially for the

newbies ... just as Fravia, Orc and tkC did with their tutorials years before

*imho you did better, video tuts are really great*.

See ya,

ViperBJK

*just another VSISG, Ex-UNF, Ex-NFREE, Ex-Paramind member*

Link to comment
