Tuts 4 You

[keygenme] Keygenme #3


B_S

lots of useless code, obfuscation, and pe header tricks. so far, i bypassed several checks for debugger and nothing more. man, i give up. you won :)

Link to comment
  • 5 weeks later...

It's actually also an UnpackMe. EP looks a lot ASPR-like, and the memory starting from 401000 till (forgot) is decoded in a function :D

62p7a85.jpg

Who's Tania :P ? Anyway, this is not just a KeyGenMe. It's a KeyFileMe, and using public wrappers over it is lame ;)

Whole IAT table is obfuscated :

5z44fav.jpg

...and this is where the app crashes :

54l7dxc.jpg

...trying to access some IAT...

4ot1shv.jpg

...stored in this allocated section. Follow each JMP from IAT block to get its equivalent API :P Obviously, APIz are encrypted with individual keys (check table in pic above)...

P.S.: Posting the fixed/dumped target in a short while. Hope author doesn't mind...

EDIT: RLP 1.7 or higher with IAT protection ;)

Edited by sunbeam
Link to comment

34 stolen bytes, OEP = 405779, a few APIz missing, but that's how far I got :

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag RVA ModuleName Ordinal Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag: 0 = valid: no -> - Name contains the address of the redirected API (you can set
; it to zero if you edit it).
; - Ordinal is not considered but you should let '0000' as value.
; - ModuleName is not considered but you should let '?' as value.
;
; 1 = valid: yes -> All next parameters on the line will be considered.
; Function imported by ordinal must have no name (the 4th TAB must
; be there though).
;
; 2 = Equivalent to 0 but it is for the loader.
;
; 3 = Equivalent to 1 but it is for the loader.
;
; 4 = Equivalent to 0 with (R) tag.
;
; 5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: C:\Documents and Settings\Administrator\Desktop\KeygenMe.ExE
OEP: 00005779 IATRVA: 00008000 IATSize: 000000F0

FThunk: 00008000 NbFunc: 00000005
1 00008000 advapi32.dll 01FB RegSetValueExA
1 00008004 advapi32.dll 01CF RegCreateKeyExA
1 00008008 advapi32.dll 01E4 RegOpenKeyExA
1 0000800C advapi32.dll 01CB RegCloseKey
1 00008010 advapi32.dll 01EE RegQueryValueExA

FThunk: 00008018 NbFunc: 0000000A
1 00008018 gdi32.dll 0048 CreatePen
1 0000801C gdi32.dll 023D SetTextColor
1 00008020 gdi32.dll 004E CreateRoundRectRgn
1 00008024 gdi32.dll 003B CreateFontIndirectA
1 00008028 gdi32.dll 0217 SetBkMode
1 0000802C gdi32.dll 020F SelectObject
0 00008030 gdi32.dll 0043 003C0263
1 00008034 gdi32.dll 0196 GetObjectA
1 00008038 gdi32.dll 0090 DeleteObject
1 0000803C gdi32.dll 0051 CreateSolidBrush

FThunk: 00008044 NbFunc: 00000015
0 00008044 kernel32.dll 0259 003C0104
0 00008048 kernel32.dll 036E 003C0111
0 0000804C kernel32.dll 0089 003C011E
0 00008050 kernel32.dll 037C 003C012B
1 00008054 kernel32.dll 00B7 ExitProcess
0 00008058 kernel32.dll 00E0 003C0145
1 0000805C kernel32.dll 0174 GetModuleFileNameA
1 00008060 kernel32.dll 0176 GetModuleHandleA
1 00008064 kernel32.dll 0198 GetProcAddress
1 00008068 kernel32.dll 0242 LoadLibraryA
1 0000806C kernel32.dll 0247 LoadResource
1 00008070 kernel32.dll 036E VirtualFree
1 00008074 kernel32.dll 02C6 RtlZeroMemory
1 00008078 kernel32.dll 033E SizeofResource
1 0000807C kernel32.dll 033F Sleep
0 00008080 kernel32.dll 035B 003C01C7
1 00008084 kernel32.dll 036B VirtualAlloc
1 00008088 kernel32.dll 0371 VirtualProtect
1 0000808C kernel32.dll 03A8 lstrcmpA
1 00008090 kernel32.dll 03AE lstrcpyA
1 00008094 kernel32.dll 03B4 lstrlenA

FThunk: 0000809C NbFunc: 00000014
1 0000809C user32.dll 0287 SetWindowTextA
1 000080A0 user32.dll 0285 SetWindowRgn
1 000080A4 user32.dll 0284 SetWindowPos
1 000080A8 user32.dll 0254 SetDlgItemTextA
1 000080AC user32.dll 023C SendMessageA
1 000080B0 user32.dll 0237 SendDlgItemMessageA
0 000080B4 user32.dll 01F3 003C004E
1 000080B8 user32.dll 01DD MessageBoxA
1 000080BC user32.dll 01BC LoadIconA
0 000080C0 user32.dll 018B 003C0075
0 000080C4 user32.dll 0150 003C0082
1 000080C8 user32.dll 0112 GetDlgItem
1 000080CC user32.dll 01AC IsWindow
0 000080D0 user32.dll 00E3 003C00A9
1 000080D4 user32.dll 00C7 EndDialog
0 000080D8 user32.dll 0023 003C00C3
0 000080DC user32.dll 00BD 003C00D0
0 000080E0 user32.dll 00B4 003C00DD
1 000080E4 user32.dll 009F DialogBoxParamA
0 000080E8 user32.dll 02D9 003C00F7

Good luck in fixing the rest. Am tired of manually getting each and every one of them :P

Notes to author:

a. If you used the "Detect name changing" option in RLP, and changed app's name, then that's why it's crashing on everyone's PC

b. Please test the application before sending it for cracking. I had to run around in circles just to get it open. I know you have a checksum trick or something in there, but that's not the point. In order to get it open, I had to skip this portion :

4zu5h7a.gif

Notice how 409CE3 gets to hold a 0xC3 (RETN). And the call @ 4057BA will call it, then return to :

4057C0 - PUSH 0

4057C2 - CALL 406764 // this here holds "JMP [encoded_ExitProcess]"

At which point the application silently exits. We don't even get a chance to see a thing!

How to get there:

- 42D568 - set hardware bp on execution and run app

- once it breaks, remove the hwbp

- 405779 - set bp on it (F2) and run it - then it's all tracing...

- once you reach 4057C0, set origin at 4057C7 and trace further to a long jump, which also needs killing - located here:

6ezarfn.gif

That jump leads to an identical ExitProcess as above. Eventually, the app will open, and you'll see this:

4tjft3o.jpg

A few more notes:

a. If it's a KeygenMe, then why is it also a "CrackMe #3" and an UnpackMe? :D Just curious...

b. When you enter your name in the box, and try to delete it to input another name, the previous name doesn't get erased, making the next text you input overlap over the old one - LOOKS UGLY!

That's about it. Lost the appetite to keygen this app. No offense...

Edited by sunbeam
Link to comment

WoW Amazing

In my computer my crackme works fine :D

and I don't pack or protect this crackme :)

I just use name changing protection

and some anti debug code :)

Edited by B_S
Link to comment

It is packed with RLP, even if he denies it. I know it from the way RLP steals exactly 34 bytes, plus the way it handles IAT (you've seen the VM...)

Link to comment

Thanks for clearing that up. Now that's more like it :P Let's see what there is to be done :)

EDIT: Just a quick question - which version of RLP did you use, what options and what fake signature did you pick? Would be nice if you posted a picture ;)

Edited by sunbeam
Link to comment

Well, I didn't want to give up on RLP (am stubborn, I know), but the one thing that still confuses me is the stolen bytes. IAT part is solved. I found a portion of code that manipulates (parses) all APIs in the IAT. Check this out:

0042E597                            75 73 65 72 33 32 2E          user32.
0042E5A7 64 6C 6C 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C dll.kernel32.dll
0042E5B7 00 67 64 69 33 32 2E 64 6C 6C 00 61 64 76 61 70 .gdi32.dll.advap
0042E5C7 69 33 32 2E 64 6C 6C 00 02 00 00 00 11 22 33 44 i32.dll...."3D
0042E5D7 53 65 74 57 69 6E 64 6F 77 54 65 78 74 41 00 [b]9C SetWindowTextA.œ
0042E5E7 80 40 00[/b] 00 53 65 74 57 69 6E 64 6F 77 52 67 6E €@..SetWindowRgn
0042E5F7 00 [b]A0 80 40 00[/b] 00 53 65 74 57 69 6E 64 6F 77 50 . €@..SetWindowP
0042E607 6F 73 00 [b]A4 80 40 00[/b] 00 53 65 74 44 6C 67 49 74 os.

RLP.zip

Edited by sunbeam
Link to comment
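An added example, not code from anyone in the thread: it reads rows in the import-tree format documented in the earlier post and the name/address records visible in the hex dump above, then checks that the two sources agree on which API belongs to which IAT slot. The record layout of the dump (ASCII name, NUL, little-endian slot address, one zero byte) is an assumption inferred from the visible bytes, and all function names are hypothetical.

```python
import struct

IMAGE_BASE = 0x400000  # thread: OEP VA 405779, tree OEP 00005779

# Rows copied from the import tree in the thread (TAB-separated).
TREE = ("FThunk: 0000809C\tNbFunc: 00000014\n"
        "1\t0000809C\tuser32.dll\t0287\tSetWindowTextA\n"
        "1\t000080A0\tuser32.dll\t0285\tSetWindowRgn\n"
        "1\t000080A4\tuser32.dll\t0284\tSetWindowPos\n"
        "0\t000080B4\tuser32.dll\t01F3\t003C004E\n")
# Dump rows 0042E5D7..0042E607 from the thread; the last record is cut off.
TABLE = bytes.fromhex("53 65 74 57 69 6E 64 6F 77 54 65 78 74 41 00 9C"
                      "80 40 00 00 53 65 74 57 69 6E 64 6F 77 52 67 6E"
                      "00 A0 80 40 00 00 53 65 74 57 69 6E 64 6F 77 50"
                      "6F 73 00 A4 80 40 00 00 53 65 74 44 6C 67 49 74")

def parse_tree(text):
    """Return (rva, module, name, redirect) per thunk row; odd flag = valid."""
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 5 or f[0] not in ("0", "1", "2", "3", "4", "5"):
            continue  # comment, header or FThunk line
        valid = int(f[0]) % 2 == 1
        rows.append((int(f[1], 16), f[2],
                     f[4] if valid else None,
                     None if valid else int(f[4], 16)))
    return rows

def parse_name_table(blob):
    """Assumed record layout: ASCII name, NUL, LE dword slot VA, one 00 byte."""
    slots, pos = {}, 0
    while pos < len(blob):
        end = blob.find(b"\x00", pos)
        if end < 0 or end + 5 > len(blob):
            break  # name or address truncated: stop instead of guessing
        (va,) = struct.unpack_from("<I", blob, end + 1)
        slots[va - IMAGE_BASE] = blob[pos:end].decode("ascii")
        pos = end + 6
    return slots

def cross_check(rows, slots):
    """Split tree rows into agreeing, conflicting and still-unresolved RVAs."""
    agree = [r[0] for r in rows if r[2] and slots.get(r[0]) == r[2]]
    conflict = [r[0] for r in rows if r[2] and slots.get(r[0], r[2]) != r[2]]
    unresolved = [(r[0], r[3]) for r in rows if r[2] is None]
    return agree, conflict, unresolved

if __name__ == "__main__":
    print(cross_check(parse_tree(TREE), parse_name_table(TABLE)))
```

The cut-off `SetDlgIt` record at the end of the dump is skipped rather than completed, so only slots whose name and address are both fully present are compared.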

RLP != RLPack ;D

Afaik RLPack doesn't use junk code, and the IAT Redirection looks a bit different (at least since 1.16 dunno what it looked like before).

RLPack doesn't steal OEP like RLP does. Instead, it supports OEP execution inside a VM (since 1.18).

Link to comment

WTF?! RLP = RLPack. It's same application, only updated (RLPack < 1.00; RLP > 1.00 - currently @ 1.19 and same author) T_T. Or am I wrong? o_O

Edited by sunbeam
Link to comment

Well yes and no.

RLP went up to version 0.74beta.

RLPack started with 1.0x (1.16 was the first commercial version iirc) and is now at 1.19.

Hence, RLPack is the successor of RLP :)

Of course RLPack is based on RLP but they differ heavily, considering protection options and price :P

RLPack supports a lite VM, import elimination, spliced code and virtual files (iBox).

You can clearly see that this is RLP, just look at the Import Redirection.

And if you were able to find stolen bytes (!) and sort of pasted them back to OEP this can't be RLPack.

If I'm not horribly mistaken, there was no stolen OEP in RLPack, only VM OEP since 1.18...

Sorry for chopping this up, just wanted to make it clear :hug:

Link to comment
