[keygenme] Keygenme #3

[B_S]

This is my third KeygenMe...

Some call it easy and some call it hard...

don't forget no patch

KeygenMe.rar

Edited August 19, 2007 by Teddy Rogers
Edited topic title...

[Ufo-Pu55y]

Is it a KeyfileMe or something ?

Coz nothing happens, when I fire it up...

Greets

[B_S]

KeygenMe and KeyfileMe

[starzboy]

wtf .. crashes on ma system :S

[Angel-55]

It's anti **** !! file is obfsucated bro' you'll have to deobfsucate then keygen !!

[CyberLord]

lots of useless code, obfucation, and pe header tricks. so far, i bypassed several checks for debugger and nothing more. man, i give up. you won

[B_S]

@CyberLord

Don't give up bro

[B_S]

wtf .. crashes on ma system :S

U must have bassmod.dll in your system32

[Guest shism2]

I have bassmod.dll in my system and crackme still crashes....

[SunBeam]

It's actually also an UnpackMe. EP looks a lot ASPR-like, and the memory starting from 401000 till (forgot) is decoded in a function

Who's Tania ? Anyway, this is not just a KeyGenMe. It's a KeyFileMe, and using public wrappers over it is lame

Whole IAT table is obfuscated :

...and this is where the app crashes :

...trying to access some IAT...

...stored in this allocated section. Follow each JMP from IAT block to get its equivalent API Obviously, APIz are encrypted with individual keys (check table in pic above)...

P.S.: Posting the fixed/dumped target in a short while. Hope author doesn't mind...

EDIT: RLP 1.7 or higher with IAT protection

Edited August 17, 2007 by sunbeam

[SunBeam]

34 stolen bytes, OEP = 405779, a few APIz missing, but that's how far I got :

; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag   RVA   ModuleName   Ordinal   Name
;
; Details for <Valid> parameter:
; ------------------------------
; Flag:  0 = valid: no  -> - Name contains the address of the redirected API (you can set
;							it to zero if you edit it).
;						  - Ordinal is not considered but you should let '0000' as value.
;						  - ModuleName is not considered but you should let '?' as value.
;
;		1 = valid: yes -> All next parameters on the line will be considered.
;						  Function imported by ordinal must have no name (the 4th TAB must
;																		  be there though).
;
;		2 = Equivalent to 0 but it is for the loader.
;
;		3 = Equivalent to 1 but it is for the loader.
;
;		4 = Equivalent to 0 with (R) tag.
;
;		5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)Target: C:\Documents and Settings\Administrator\Desktop\KeygenMe.ExE
OEP: 00005779	IATRVA: 00008000	IATSize: 000000F0FThunk: 00008000	NbFunc: 00000005
1	00008000	advapi32.dll	01FB	RegSetValueExA
1	00008004	advapi32.dll	01CF	RegCreateKeyExA
1	00008008	advapi32.dll	01E4	RegOpenKeyExA
1	0000800C	advapi32.dll	01CB	RegCloseKey
1	00008010	advapi32.dll	01EE	RegQueryValueExAFThunk: 00008018	NbFunc: 0000000A
1	00008018	gdi32.dll	0048	CreatePen
1	0000801C	gdi32.dll	023D	SetTextColor
1	00008020	gdi32.dll	004E	CreateRoundRectRgn
1	00008024	gdi32.dll	003B	CreateFontIndirectA
1	00008028	gdi32.dll	0217	SetBkMode
1	0000802C	gdi32.dll	020F	SelectObject
0	00008030	gdi32.dll	0043	003C0263
1	00008034	gdi32.dll	0196	GetObjectA
1	00008038	gdi32.dll	0090	DeleteObject
1	0000803C	gdi32.dll	0051	CreateSolidBrushFThunk: 00008044	NbFunc: 00000015
0	00008044	kernel32.dll	0259	003C0104
0	00008048	kernel32.dll	036E	003C0111
0	0000804C	kernel32.dll	0089	003C011E
0	00008050	kernel32.dll	037C	003C012B
1	00008054	kernel32.dll	00B7	ExitProcess
0	00008058	kernel32.dll	00E0	003C0145
1	0000805C	kernel32.dll	0174	GetModuleFileNameA
1	00008060	kernel32.dll	0176	GetModuleHandleA
1	00008064	kernel32.dll	0198	GetProcAddress
1	00008068	kernel32.dll	0242	LoadLibraryA
1	0000806C	kernel32.dll	0247	LoadResource
1	00008070	kernel32.dll	036E	VirtualFree
1	00008074	kernel32.dll	02C6	RtlZeroMemory
1	00008078	kernel32.dll	033E	SizeofResource
1	0000807C	kernel32.dll	033F	Sleep
0	00008080	kernel32.dll	035B	003C01C7
1	00008084	kernel32.dll	036B	VirtualAlloc
1	00008088	kernel32.dll	0371	VirtualProtect
1	0000808C	kernel32.dll	03A8	lstrcmpA
1	00008090	kernel32.dll	03AE	lstrcpyA
1	00008094	kernel32.dll	03B4	lstrlenAFThunk: 0000809C	NbFunc: 00000014
1	0000809C	user32.dll	0287	SetWindowTextA
1	000080A0	user32.dll	0285	SetWindowRgn
1	000080A4	user32.dll	0284	SetWindowPos
1	000080A8	user32.dll	0254	SetDlgItemTextA
1	000080AC	user32.dll	023C	SendMessageA
1	000080B0	user32.dll	0237	SendDlgItemMessageA
0	000080B4	user32.dll	01F3	003C004E
1	000080B8	user32.dll	01DD	MessageBoxA
1	000080BC	user32.dll	01BC	LoadIconA
0	000080C0	user32.dll	018B	003C0075
0	000080C4	user32.dll	0150	003C0082
1	000080C8	user32.dll	0112	GetDlgItem
1	000080CC	user32.dll	01AC	IsWindow
0	000080D0	user32.dll	00E3	003C00A9
1	000080D4	user32.dll	00C7	EndDialog
0	000080D8	user32.dll	0023	003C00C3
0	000080DC	user32.dll	00BD	003C00D0
0	000080E0	user32.dll	00B4	003C00DD
1	000080E4	user32.dll	009F	DialogBoxParamA
0	000080E8	user32.dll	02D9	003C00F7

Good luck in fixing the rest. Am tired of manually getting each and every one of them

Notes to author:

a. If you used the "Detect name changing" option in RLP, and changed app's name, then that's why it's crashing on everyone's PC

b. Please test the application before sending it for cracking. I had to run around in circles just to get it open. I know you have a checksum trick or something in there, but that's not the point. In order to get it open, I had to skip this portion :

Notice how 409CE3 gets to hold a 0xC3 (RETN). And the call @ 4057BA will call it, then return to :

4057C0 - PUSH 0

4057C2 - CALL 406764 // this here holds "JMP [encoded_ExitProcess]"

At which point the application silently exits. We don't even get a chance to see a thing!

How to get there:

- 42D568 - set hardware bp on exection and run app

- once it breaks, remove the hwbp

- 405779 - set bp on it (F2) and run it - then it's all tracing...

- once you reach 4057C0, set origin at 4057C7 and trace further to a long jump, which also needs killing - located here:

That jump leads to an identical ExitProcess as above. Eventually, the app will open, and you'll see this:

A few more notes:

a. If it's a KeygenMe, then why is it also a "CrackMe #3" and an UnpackMe? Just curious...

b. When you enter your name in the box, and try to delete it to input another name, the previous name doesn't get erased, making the next text you input overlap over the old one - LOOKS UGLY!

That's about it. Lost the appetite to keygen this app. No offense...

Edited August 17, 2007 by sunbeam

[B_S]

WoW Amazing

In my computer my crackme works fine

and I don't pack or protect this crackme

I'm just use name changing protection

and some anti debug code

Edited August 18, 2007 by B_S

[zako]

and I don't pack or protect this crackme

Doesn't run for me in or out of a debugger, and that does look like rlp to me too.

[SunBeam]

It is packed with RLP, even if he denies it. I know it from the way RLP steals exactly 34 bytes, plus the way it handles IAT (you've seen the VM...)

[B_S]

ohh...

sorry I forget for this ...

I packed the crackMe with RLP + VMProtection

sorry...

CrackMe_3.rar

[SunBeam]

Thanks for clearing that up. Now that's more like it Let's see what there is to be done

EDIT: Just a quick question - which version of RLP did you use, what options and what fake signature did you pick? Would be nice if you posted a picture

Edited August 19, 2007 by sunbeam

[SunBeam]

Well, I didn't want to give up on RLP (am stubborn, I know), but the one thing that still confuses me is the stolen bytes. IAT part is solved. I found a portion of code that manipulates (parses) all APIs in the IAT. Check this out:

0042E597							 75 73 65 72 33 32 2E		   user32.

0042E5A7 64 6C 6C 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C dll.kernel32.dll

0042E5B7 00 67 64 69 33 32 2E 64 6C 6C 00 61 64 76 61 70 .gdi32.dll.advap

0042E5C7 69 33 32 2E 64 6C 6C 00 02 00 00 00 11 22 33 44 i32.dll...."3D

0042E5D7 53 65 74 57 69 6E 64 6F 77 54 65 78 74 41 00 [b]9C SetWindowTextA.œ

0042E5E7 80 40 00[/b] 00 53 65 74 57 69 6E 64 6F 77 52 67 6E €@..SetWindowRgn

0042E5F7 00 [b]A0 80 40 00[/b] 00 53 65 74 57 69 6E 64 6F 77 50 . €@..SetWindowP

0042E607 6F 73 00 [b]A4 80 40 00[/b] 00 53 65 74 44 6C 67 49 74 os.

RLP.zip

Edited August 19, 2007 by sunbeam

[B_S]

WoW

I protected my keygenme only with RLP by ap0x

[SunBeam]

Yeah. RLP 1.9 (the FULL version which you bought - Basic one doesnt' have code splicing, advanced IAT managing and stolen bytes)

[Killboy]

RLP != RLPack ;D

Afaik RLPack doesn't use junk code, and the IAT Redirection looks a bit different (at least since 1.16 dunno what it looked like before).

RLPack doesn't steel OEP like RLP does. Instead, it supports supports OEP execution inside a VM (since 1.18).

[SunBeam]

WTF?! RLP = RLPack. It's same application, only updated (RLPack < 1.00; RLP > 1.00 - currently @ 1.19 and same author) T_T. Or am I wrong? o_O

Edited August 24, 2007 by sunbeam

[Killboy]

Well yes and no.

RLP went up to version 0.74beta.

RLPack started with 1.0x (1.16 was the first commercial version iirc) and is now at 1.19.

Hence, RLPack is the successor of RLP

Of course RLPack is based on RLP but they differ heavily, considering protection options and price

RLPack suports a lite VM, import elimination, spliced code and virtual files (iBox).

You can clearly see that this is RLP, just look at the Import Redirection.

And if you were able to find stolen bytes (!) and sort of pasted them back to OEP this can't be RLPack.

If I'm not horribly mistaken, there was no stolen OEP in RLPack, only VM OEP since 1.18...

Sorry for chopping this up, just wanted to make it clear

[SunBeam]

Good to know. But one thing - the P stands for Pack

[ap0x]

There was a small problem with my RLP 0.7.4 unpacker by I got it working. Thanks for the sample file