B_S, posted July 8, 2007 (edited): This is my third KeygenMe... Some call it easy and some call it hard... don't forget: no patch. Attachment: KeygenMe.rar. Edited August 19, 2007 by Teddy Rogers (edited topic title).
Ufo-Pu55y, posted July 8, 2007: Is it a KeyfileMe or something? Coz nothing happens when I fire it up... Greets
Angel-55, posted July 9, 2007: It's anti **** !! File is obfuscated bro', you'll have to deobfuscate, then keygen !!
CyberLord, posted July 9, 2007: Lots of useless code, obfuscation, and PE header tricks. So far, I bypassed several checks for debugger and nothing more. Man, I give up. You won.
B_S (author), posted July 17, 2007: wtf .. crashes on ma system :S U must have bassmod.dll in your system32
Guest shism2, posted August 15, 2007: I have bassmod.dll in my system and crackme still crashes....
SunBeam, posted August 16, 2007 (edited): It's actually also an UnpackMe. EP looks a lot ASPR-like, and the memory starting from 401000 till (forgot) is decoded in a function. Who's Tania? Anyway, this is not just a KeyGenMe. It's a KeyFileMe, and using public wrappers over it is lame. Whole IAT table is obfuscated: ...and this is where the app crashes: ...trying to access some IAT... ...stored in this allocated section. Follow each JMP from IAT block to get its equivalent API. Obviously, APIz are encrypted with individual keys (check table in pic above)... P.S.: Posting the fixed/dumped target in a short while. Hope author doesn't mind... EDIT: RLP 1.7 or higher with IAT protection. Edited August 17, 2007 by sunbeam
SunBeam, posted August 17, 2007 (edited): 34 stolen bytes, OEP = 405779, a few APIz missing, but that's how far I got:

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
;                          it to zero if you edit it).
;                        - Ordinal is not considered but you should let '0000' as value.
;                        - ModuleName is not considered but you should let '?' as value.
;
;       1 = valid: yes -> All next parameters on the line will be considered.
;                         Function imported by ordinal must have no name (the 4th TAB must
;                         be there though).
;
;       2 = Equivalent to 0 but it is for the loader.
;
;       3 = Equivalent to 1 but it is for the loader.
;
;       4 = Equivalent to 0 with (R) tag.
;
;       5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: C:\Documents and Settings\Administrator\Desktop\KeygenMe.ExE
OEP: 00005779 IATRVA: 00008000 IATSize: 000000F0
FThunk: 00008000 NbFunc: 00000005
1 00008000 advapi32.dll 01FB RegSetValueExA
1 00008004 advapi32.dll 01CF RegCreateKeyExA
1 00008008 advapi32.dll 01E4 RegOpenKeyExA
1 0000800C advapi32.dll 01CB RegCloseKey
1 00008010 advapi32.dll 01EE RegQueryValueExA
FThunk: 00008018 NbFunc: 0000000A
1 00008018 gdi32.dll 0048 CreatePen
1 0000801C gdi32.dll 023D SetTextColor
1 00008020 gdi32.dll 004E CreateRoundRectRgn
1 00008024 gdi32.dll 003B CreateFontIndirectA
1 00008028 gdi32.dll 0217 SetBkMode
1 0000802C gdi32.dll 020F SelectObject
0 00008030 gdi32.dll 0043 003C0263
1 00008034 gdi32.dll 0196 GetObjectA
1 00008038 gdi32.dll 0090 DeleteObject
1 0000803C gdi32.dll 0051 CreateSolidBrush
FThunk: 00008044 NbFunc: 00000015
0 00008044 kernel32.dll 0259 003C0104
0 00008048 kernel32.dll 036E 003C0111
0 0000804C kernel32.dll 0089 003C011E
0 00008050 kernel32.dll 037C 003C012B
1 00008054 kernel32.dll 00B7 ExitProcess
0 00008058 kernel32.dll 00E0 003C0145
1 0000805C kernel32.dll 0174 GetModuleFileNameA
1 00008060 kernel32.dll 0176 GetModuleHandleA
1 00008064 kernel32.dll 0198 GetProcAddress
1 00008068 kernel32.dll 0242 LoadLibraryA
1 0000806C kernel32.dll 0247 LoadResource
1 00008070 kernel32.dll 036E VirtualFree
1 00008074 kernel32.dll 02C6 RtlZeroMemory
1 00008078 kernel32.dll 033E SizeofResource
1 0000807C kernel32.dll 033F Sleep
0 00008080 kernel32.dll 035B 003C01C7
1 00008084 kernel32.dll 036B VirtualAlloc
1 00008088 kernel32.dll 0371 VirtualProtect
1 0000808C kernel32.dll 03A8 lstrcmpA
1 00008090 kernel32.dll 03AE lstrcpyA
1 00008094 kernel32.dll 03B4 lstrlenA
FThunk: 0000809C NbFunc: 00000014
1 0000809C user32.dll 0287 SetWindowTextA
1 000080A0 user32.dll 0285 SetWindowRgn
1 000080A4 user32.dll 0284 SetWindowPos
1 000080A8 user32.dll 0254 SetDlgItemTextA
1 000080AC user32.dll 023C SendMessageA
1 000080B0 user32.dll 0237 SendDlgItemMessageA
0 000080B4 user32.dll 01F3 003C004E
1 000080B8 user32.dll 01DD MessageBoxA
1 000080BC user32.dll 01BC LoadIconA
0 000080C0 user32.dll 018B 003C0075
0 000080C4 user32.dll 0150 003C0082
1 000080C8 user32.dll 0112 GetDlgItem
1 000080CC user32.dll 01AC IsWindow
0 000080D0 user32.dll 00E3 003C00A9
1 000080D4 user32.dll 00C7 EndDialog
0 000080D8 user32.dll 0023 003C00C3
0 000080DC user32.dll 00BD 003C00D0
0 000080E0 user32.dll 00B4 003C00DD
1 000080E4 user32.dll 009F DialogBoxParamA
0 000080E8 user32.dll 02D9 003C00F7

Good luck in fixing the rest. Am tired of manually getting each and every one of them.

Notes to author:
a. If you used the "Detect name changing" option in RLP, and changed app's name, then that's why it's crashing on everyone's PC.
b. Please test the application before sending it for cracking. I had to run around in circles just to get it open. I know you have a checksum trick or something in there, but that's not the point. In order to get it open, I had to skip this portion:

Notice how 409CE3 gets to hold a 0xC3 (RETN). And the call @ 4057BA will call it, then return to:

4057C0 - PUSH 0
4057C2 - CALL 406764 // this here holds "JMP [encoded_ExitProcess]"

At which point the application silently exits. We don't even get a chance to see a thing!

How to get there:
- 42D568 - set hardware bp on execution and run app
- once it breaks, remove the hwbp
- 405779 - set bp on it (F2) and run it
- then it's all tracing...
- once you reach 4057C0, set origin at 4057C7 and trace further to a long jump, which also needs killing - located here:

That jump leads to an identical ExitProcess as above. Eventually, the app will open, and you'll see this:

A few more notes:
a. If it's a KeygenMe, then why is it also a "CrackMe #3" and an UnpackMe? Just curious...
b. When you enter your name in the box, and try to delete it to input another name, the previous name doesn't get erased, making the next text you input overlap over the old one - LOOKS UGLY!

That's about it. Lost the appetite to keygen this app. No offense... Edited August 17, 2007 by sunbeam
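The ImpREC tree file quoted in the post above has a documented shape (the header comment explains it: TAB-separated Flag, RVA, ModuleName, Ordinal, Name; an even Flag means the Name column still holds the address the protector redirected that import to). When an analyst is left with a partially resolved IAT like this one, the first useful step is to parse the file and list exactly which slots are still unresolved and whether the thunk counts and IAT range are internally consistent. The parser below is an added example, written for this thread; it is not ImpREC's code and not SunBeam's. It assumes whitespace-separated columns (the forum paste lost the TABs) and the constructed sample is taken from the first two thunks of the dump above.

```python
"""Parse an ImpREC import-tree text file and report unresolved (redirected) imports.

Added example for this thread, not ImpREC's own code. Assumes the column layout
described in the file's own header comment; columns may be TAB- or space-separated.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Entry:
    flag: int
    rva: int
    module: str
    ordinal: int
    name: str  # API name; for even flags (0/2/4) the redirect address as hex text

    @property
    def resolved(self) -> bool:
        # Per the header: flags 1/3/5 are "valid: yes", 0/2/4 still carry a redirect address
        return self.flag % 2 == 1

    @property
    def redirect_address(self):
        return None if self.resolved else int(self.name, 16)


@dataclass
class Thunk:
    first_thunk: int
    declared_count: int          # the NbFunc value ImpREC wrote
    entries: list = field(default_factory=list)


@dataclass
class Tree:
    target: str = ""
    oep: int = 0
    iat_rva: int = 0
    iat_size: int = 0
    thunks: list = field(default_factory=list)


HEX_FIELD_RE = re.compile(r"\b(OEP|IATRVA|IATSize):\s*([0-9A-Fa-f]+)")
FTHUNK_RE = re.compile(r"^FThunk:\s*([0-9A-Fa-f]+)\s+NbFunc:\s*([0-9A-Fa-f]+)$")
ENTRY_RE = re.compile(r"^([0-5])\s+([0-9A-Fa-f]{8})\s+(\S+)\s+([0-9A-Fa-f]{4})(?:\s+(\S+))?$")


def parse_tree(text: str) -> Tree:
    tree = Tree()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or header comment
        if line.startswith("Target:"):
            tree.target = line[len("Target:"):].strip()   # path may contain spaces
            continue
        m = FTHUNK_RE.match(line)
        if m:
            current = Thunk(int(m.group(1), 16), int(m.group(2), 16))
            tree.thunks.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"entry before any FThunk line: {line!r}")
            flag, rva, module, ordinal, name = m.groups()
            # name is absent for imports by ordinal (the 4th TAB is still present)
            current.entries.append(Entry(int(flag), int(rva, 16), module, int(ordinal, 16), name or ""))
            continue
        fields = dict(HEX_FIELD_RE.findall(line))
        if fields:
            tree.oep = int(fields.get("OEP", format(tree.oep, "x")), 16)
            tree.iat_rva = int(fields.get("IATRVA", format(tree.iat_rva, "x")), 16)
            tree.iat_size = int(fields.get("IATSize", format(tree.iat_size, "x")), 16)
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return tree


def unresolved(tree: Tree):
    """(rva, module, redirect address) for every slot ImpREC could not resolve."""
    return [(e.rva, e.module, e.redirect_address)
            for t in tree.thunks for e in t.entries if not e.resolved]


def count_mismatches(tree: Tree):
    """Thunks whose NbFunc does not match the number of entries actually listed."""
    return [(t.first_thunk, t.declared_count, len(t.entries))
            for t in tree.thunks if t.declared_count != len(t.entries)]


def entries_outside_iat(tree: Tree):
    """RVAs of entries that fall outside the declared IATRVA/IATSize window."""
    end = tree.iat_rva + tree.iat_size
    return [e.rva for t in tree.thunks for e in t.entries if not tree.iat_rva <= e.rva < end]


# Constructed sample: header and the first two thunks of the dump quoted in the post.
SAMPLE = r"""
; Flag RVA ModuleName Ordinal Name
Target: C:\Documents and Settings\Administrator\Desktop\KeygenMe.ExE
OEP: 00005779 IATRVA: 00008000 IATSize: 000000F0
FThunk: 00008000 NbFunc: 00000005
1 00008000 advapi32.dll 01FB RegSetValueExA
1 00008004 advapi32.dll 01CF RegCreateKeyExA
1 00008008 advapi32.dll 01E4 RegOpenKeyExA
1 0000800C advapi32.dll 01CB RegCloseKey
1 00008010 advapi32.dll 01EE RegQueryValueExA
FThunk: 00008018 NbFunc: 0000000A
1 00008018 gdi32.dll 0048 CreatePen
1 0000801C gdi32.dll 023D SetTextColor
1 00008020 gdi32.dll 004E CreateRoundRectRgn
1 00008024 gdi32.dll 003B CreateFontIndirectA
1 00008028 gdi32.dll 0217 SetBkMode
1 0000802C gdi32.dll 020F SelectObject
0 00008030 gdi32.dll 0043 003C0263
1 00008034 gdi32.dll 0196 GetObjectA
1 00008038 gdi32.dll 0090 DeleteObject
1 0000803C gdi32.dll 0051 CreateSolidBrush
"""

if __name__ == "__main__":
    t = parse_tree(SAMPLE)
    print(f"OEP {t.oep:08X}, {len(t.thunks)} thunks, unresolved: {unresolved(t)}")
    print("count mismatches:", count_mismatches(t), "outside IAT:", entries_outside_iat(t))
```

Running it on the sample reports the one redirected gdi32 slot at RVA 8030 (still pointing into the protector's allocated block at 3C0263) and no count or range inconsistencies; on the full dump it would list all thirteen slots left to fix by hand.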
B_S (author), posted August 18, 2007 (edited): WoW, amazing. In my computer my crackme works fine and I don't pack or protect this crackme. I'm just use name changing protection and some anti debug code. Edited August 18, 2007 by B_S
zako, posted August 18, 2007: "and I don't pack or protect this crackme" - Doesn't run for me in or out of a debugger, and that does look like RLP to me too.
SunBeam, posted August 18, 2007: It is packed with RLP, even if he denies it. I know it from the way RLP steals exactly 34 bytes, plus the way it handles IAT (you've seen the VM...).
B_S (author), posted August 19, 2007: ohh... sorry I forget for this ... I packed the crackMe with RLP + VMProtection. sorry... Attachment: CrackMe_3.rar
SunBeam, posted August 19, 2007 (edited): Thanks for clearing that up. Now that's more like it. Let's see what there is to be done. EDIT: Just a quick question - which version of RLP did you use, what options and what fake signature did you pick? Would be nice if you posted a picture. Edited August 19, 2007 by sunbeam
SunBeam, posted August 19, 2007 (edited): Well, I didn't want to give up on RLP (am stubborn, I know), but the one thing that still confuses me is the stolen bytes. IAT part is solved. I found a portion of code that manipulates (parses) all APIs in the IAT. Check this out:

0042E597                            75 73 65 72 33 32 2E           user32.
0042E5A7  64 6C 6C 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C  dll.kernel32.dll
0042E5B7  00 67 64 69 33 32 2E 64 6C 6C 00 61 64 76 61 70  .gdi32.dll.advap
0042E5C7  69 33 32 2E 64 6C 6C 00 02 00 00 00 11 22 33 44  i32.dll...."3D
0042E5D7  53 65 74 57 69 6E 64 6F 77 54 65 78 74 41 00 9C  SetWindowTextA.œ
0042E5E7  80 40 00 00 53 65 74 57 69 6E 64 6F 77 52 67 6E  €@..SetWindowRgn
0042E5F7  00 A0 80 40 00 00 53 65 74 57 69 6E 64 6F 77 50  . €@..SetWindowP
0042E607  6F 73 00 A4 80 40 00 00 53 65 74 44 6C 67 49 74  os.

(The bytes 9C 80 40 00, A0 80 40 00 and A4 80 40 00 following each API name were highlighted in the original post.) Attachment: RLP.zip. Edited August 19, 2007 by sunbeam
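The dump above shows the protector's own name table: the four module names as C strings, an 8-byte header, then for each API its name as a C string followed by the little-endian virtual address of its IAT slot (9C 80 40 00 = 0x0040809C, which is RVA 809C, the SetWindowTextA slot in the ImpREC tree posted earlier). Walking that table is how the IAT part gets "solved" in bulk rather than one JMP at a time. The parser below is an added example written for this thread, not RLP's or SunBeam's code. It assumes the record layout just described (name\0, 4-byte slot VA, one 0x00 byte) and an image base of 0x400000; the meaning of the 8 header bytes is unknown and they are simply skipped. The sample bytes are constructed from the dump, with the cut-off first line completed to "user32.dll" and the truncated last record dropped.

```python
"""Walk the protector's API-name/IAT-slot table seen in the hex dump above.

Added example for this thread, not code from RLP or from the poster. Assumed layout
(from the dump): module names as C strings, an 8-byte header of unknown meaning,
then records of  name\0 + little-endian dword slot VA + one 0x00 byte.
"""
import struct

IMAGE_BASE = 0x00400000  # assumption: slot VA 0x0040809C corresponds to ImpREC RVA 0000809C

# Constructed from the hex dump in the post (first line completed, truncated tail dropped).
SAMPLE = (
    b"user32.dll\0kernel32.dll\0gdi32.dll\0advapi32.dll\0"
    + bytes.fromhex("02000000 11223344")                      # 8-byte header, skipped
    + b"SetWindowTextA\0" + bytes.fromhex("9C804000") + b"\0"
    + b"SetWindowRgn\0" + bytes.fromhex("A0804000") + b"\0"
    + b"SetWindowPos\0" + bytes.fromhex("A4804000") + b"\0"
)


def _cstring(blob: bytes, off: int):
    """Return (bytes, offset after NUL), or (None, off) if no terminator is left."""
    end = blob.find(b"\0", off)
    if end < 0:
        return None, off
    return blob[off:end], end + 1


def parse_api_table(blob: bytes):
    modules, records = [], []
    off = 0
    # Phase 1: module names. Assumption: the list ends at the first byte that cannot
    # start a printable name (the 0x02 of the header in this dump).
    while off < len(blob) and 0x20 <= blob[off] < 0x7F:
        s, off = _cstring(blob, off)
        if s is None:
            return modules, records          # truncated inside the module list
        modules.append(s.decode("ascii"))
    off += 8                                 # assumed 8-byte header
    # Phase 2: API records until the data runs out or a record is incomplete.
    while off < len(blob):
        s, nxt = _cstring(blob, off)
        if s is None or not s or nxt + 5 > len(blob):
            break                            # no terminator, empty name, or cut-off record
        (slot_va,) = struct.unpack_from("<I", blob, nxt)
        records.append((s.decode("ascii"), slot_va))
        off = nxt + 5                        # dword + the single 0x00 byte
    return modules, records


def slot_rvas(records, image_base: int = IMAGE_BASE):
    """Convert slot VAs to RVAs so they can be matched against an ImpREC tree."""
    return [(name, va - image_base) for name, va in records]


if __name__ == "__main__":
    mods, recs = parse_api_table(SAMPLE)
    print("modules:", mods)
    for name, rva in slot_rvas(recs):
        print(f"{name:20s} IAT slot RVA {rva:08X}")
```

The three records decode to RVAs 809C, 80A0 and 80A4, exactly the user32 FThunk entries ImpREC listed, which is the cross-check worth doing before trusting a rebuilt import table. The parser stops cleanly on the truncated "SetDlgIt..." tail instead of reading past the buffer.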
B_S (author), posted August 23, 2007: WoW, I protected my keygenme only with RLP by ap0x.
SunBeam, posted August 23, 2007: Yeah. RLP 1.9 (the FULL version which you bought - Basic one doesn't have code splicing, advanced IAT managing and stolen bytes).
Killboy, posted August 23, 2007: RLP != RLPack ;D Afaik RLPack doesn't use junk code, and the IAT Redirection looks a bit different (at least since 1.16, dunno what it looked like before). RLPack doesn't steal OEP like RLP does. Instead, it supports OEP execution inside a VM (since 1.18).
SunBeam, posted August 24, 2007 (edited): WTF?! RLP = RLPack. It's same application, only updated (RLPack < 1.00; RLP > 1.00 - currently @ 1.19 and same author) T_T. Or am I wrong? o_O Edited August 24, 2007 by sunbeam
Killboy, posted August 24, 2007: Well, yes and no. RLP went up to version 0.74beta. RLPack started with 1.0x (1.16 was the first commercial version iirc) and is now at 1.19. Hence, RLPack is the successor of RLP. Of course RLPack is based on RLP but they differ heavily, considering protection options and price. RLPack supports a lite VM, import elimination, spliced code and virtual files (iBox). You can clearly see that this is RLP, just look at the Import Redirection. And if you were able to find stolen bytes (!) and sort of pasted them back to OEP, this can't be RLPack. If I'm not horribly mistaken, there was no stolen OEP in RLPack, only VM OEP since 1.18... Sorry for chopping this up, just wanted to make it clear.
SunBeam, posted August 24, 2007: Good to know. But one thing - the P stands for Pack.
ap0x, posted August 24, 2007: There was a small problem with my RLP 0.7.4 unpacker, but I got it working. Thanks for the sample file.