Killboy Posted September 26, 2007 (edited)

Hey

Here's my very first keygenme, thought it was time for such a thing. I'm not going to say that much about it, it's your job to find out. It uses quite a lot of antidebug, so if you find it crashing even outside a debugger or you are ABSOLUTELY sure antidebug caught you falsely, write it here and I *might* remove some of the antidebug... I'm pretty sure it doesn't run on < NT systems, but I can't say for sure. Worth a try I guess.

You might experience false positives by AVs, I tested it at virustotal.com (go ahead and check for yourself) and only 4 of them reported it as 'malicious' or trojan. This is due to the packer used, so don't worry and get a proper AV if yours complains. Avast doesn't, I guess that's a good sign lol

As for level 4/10: The algo itself is not that hard, no complicated maths (only 2 or 3 times you will actually have to think) but mainly mean tricks. If you add the antidebug and the packer, I think it sums up to 4. For all the pros out there, 4/10 corresponds to Ziggy^(-10)

Sooo, I hope some people will take a look at it and it's at least some fun... good luck :>

It's attached...

Special thanks go to:
- The Chinese coder of the water effect, don't know his name right now (might add that later if I find the src again)
- UFO and metr0 for testing

// I'm sure you'll quickly find out why it's called REC ;D

KB_KGM_1.rar

Edited September 27, 2007 by Killboy
metr0 Posted September 26, 2007

Hey Killboy, will have a try - ok, at least a quick look, depends on how much time I can afford... o0. Looked very nice, and now that I've got a working import rebuilder, chances are good for you. Let's see if my math knowledge is good enough. Greetz
Loki Posted September 26, 2007

Not surprisingly, McAfee kills it straight away. Time for some 'Network associates' process and service killing, me thinks. Damn crap AV.
Loki Posted September 26, 2007

Before I go off investigating absolutely nothing... is there anti-VM code in here? I get "app failed to initialise properly (0xc000012d)" when starting (outside debugger) in my XP VM.
oricode Posted September 26, 2007 (edited)

Shi*!! It screwed up my system... amusing though, but the right and left mouse button functions were swapped and the desktop hung as well as explorer hung after a few seconds! I have Win XP SP2... Oricode.

Edited September 26, 2007 by oricode
MOID Posted September 26, 2007

Didn't run for me at first, because of a lack of virtual memory. Well, what do you want when the last section is 500 MB big. Simple to fix, just change the last section's virtual size from 1F001000 to 00001000, and the SizeOfImage from 1F036000 to 36000. I hope that doesn't trigger antipatching stuff. Export directory, relocations and SizeOf(Code|[un]InitializedData) look messed up too, but the exe runs fine on my XP SP2 non-virtual even without fixing them. Didn't run it through a debugger or anything yet... I hope that doesn't trigger violent antidbg like Oricode says, because that would be out of line.
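The header fix MOID describes, as an added example (not code from the thread or from the crackme): a script that parses the PE headers by hand, clamps the last section's VirtualSize to its raw data rounded to SectionAlignment, and recomputes SizeOfImage from the section's RVA. It generalizes beyond this file to any PE32/PE32+ with a bloated last section. The sample header built by `build_sample_pe()` is constructed here; it reuses only the numbers MOID quoted (VirtualSize 1F001000, SizeOfImage 1F036000), and the section names, RVAs and raw sizes around them are made up.

```python
"""Shrink a PE's oversized last section and recompute SizeOfImage.

Added example. build_sample_pe() is a constructed header that only reuses the
two numbers quoted in the thread; the other layout values are assumptions.
"""
import struct
import sys

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _locate_headers(data):
    """Return (optional header offset, section table offset, section count)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # SectionAlignment (+32) and SizeOfImage (+56) sit at the same offsets in
    # PE32 and PE32+, so one code path serves both formats.
    return opt, opt + opt_size, num_sections


def describe(data):
    """SizeOfImage plus (name, VirtualSize, RVA, SizeOfRawData) per section."""
    opt, sec_table, nsec = _locate_headers(data)
    secs = []
    for i in range(nsec):
        off = sec_table + i * SECTION_HDR_SIZE
        name = bytes(data[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw = struct.unpack_from("<III", data, off + 8)
        secs.append((name, vsize, va, raw))
    return {"size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
            "sections": secs}


def fix_oversized_last_section(data):
    """Clamp the last section's VirtualSize and fix SizeOfImage to match.

    Returns (patched bytes, report). Only the two fields MOID mentioned are
    written. Caveat: a section that is really used as zero-filled scratch
    memory will fault once the program touches the pages cut off here, and a
    packer that checksums its own headers will notice the change.
    """
    data = bytearray(data)
    opt, sec_table, nsec = _locate_headers(data)
    section_align = struct.unpack_from("<I", data, opt + 32)[0]
    last = sec_table + (nsec - 1) * SECTION_HDR_SIZE
    name = bytes(data[last:last + 8]).rstrip(b"\0").decode("ascii", "replace")
    vsize, va, raw_size = struct.unpack_from("<III", data, last + 8)
    old_image = struct.unpack_from("<I", data, opt + 56)[0]

    # Keep at least one page even for a section with no raw data at all.
    new_vsize = max(_align_up(raw_size, section_align), section_align)
    report = {"section": name, "old_vsize": vsize, "new_vsize": vsize,
              "old_image": old_image, "new_image": old_image, "changed": False}
    if vsize <= new_vsize:
        return bytes(data), report

    new_image = _align_up(va + new_vsize, section_align)
    struct.pack_into("<I", data, last + 8, new_vsize)  # VirtualSize
    struct.pack_into("<I", data, opt + 56, new_image)  # SizeOfImage
    report.update(new_vsize=new_vsize, new_image=new_image, changed=True)
    return bytes(data), report


def build_sample_pe():
    """Constructed PE32 header: 3 sections, last one 500 MB of virtual size."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x1F036000, 0x400)  # SizeOfImage/Headers

    def sec(name, vsize, va, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr,
                           0, 0, 0, 0, flags)

    sections = (sec(b".text", 0x30000, 0x1000, 0x30000, 0x400, 0x60000020)
                + sec(b".rdata", 0x4000, 0x31000, 0x4000, 0x30400, 0x40000040)
                + sec(b".kb", 0x1F001000, 0x35000, 0x200, 0x34400, 0xE0000040))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    patched, rep = fix_oversized_last_section(src)
    print("%(section)s: VirtualSize %(old_vsize)08X -> %(new_vsize)08X, "
          "SizeOfImage %(old_image)08X -> %(new_image)08X" % rep)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Run it as `python fix_last_section.py in.exe out.exe`; with no arguments it works on the constructed sample and prints the same 1F001000 -> 00001000 / 1F036000 -> 00036000 change MOID made by hand. The fix is idempotent, so running it twice is harmless.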
Loki Posted September 26, 2007

I guess that's why it was killing the VM then. I'll take a proper look later tonight.
Killboy (Author) Posted September 26, 2007 (edited)

There's no explicit anti-VM stuff, only antidebug. Probably catches a few VMs due to memory management or certain APIs...

@Oricode: I'm not sure which detection is crashing it, I suppose it's the anti-driver stuff. It checks for those:

"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\SIWDEBUG", "\\\\.\\FROGSICE", "\\\\.\\ICEEXT", "\\\\.\\SuperBPMDev0", "\\\\.\\TRW", "\\\\.\\TRWDEBUG", "\\\\.\\TRW2000", "\\\\.\\SYSER", "\\\\.\\FILEMON", "\\\\.\\FILEM", "\\\\.\\FILEVXD", "\\\\.\\REGMON", "\\\\.\\REGVXD", "\\\\.\\REGSYS", "anti_rdtsc.sys", "fakerdtsc.sys"

Dunno if that helps or if you're able to fix that. Otherwise I'll have to loosen the antidebug a little. I just swapped mouse buttons and disabled the foreground window before the actual checking routine kicks in, not to intentionally harm you or your OS.

QUICK FIX: Removed the driver stuff and the huge section... hope it works a little better now

Edited September 26, 2007 by Killboy
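The anti-driver check Killboy lists, as an added example rather than the crackme's own code. The device names are copied from the post (with the C escapes resolved, so `\\.\SICE` is the NT device path a driver like SoftICE registers); the rest is my assumption about how such a check is normally implemented: try to open each name with `CreateFileW`, and treat a valid handle as "the driver is loaded". Two helpers are included because they are the two sides a reverser needs: `find_debug_devices()` runs the probe (with an injectable opener so it also runs off Windows), and `locate_device_strings()` finds those strings in a dumped image so you can set a breakpoint where they are referenced. Where the two `.sys` names are looked up is not stated in the post; `%SystemRoot%\System32\drivers` is an assumption. The dump built by `build_sample_dump()` is constructed.

```python
"""Probe for the debugger/monitor device names the keygenme checks, and locate
those strings in an unpacked dump.

Added example. Only DEVICE_NAMES and DRIVER_FILES come from the post; the
probe, the drivers directory and the sample dump are assumptions.
"""
import os
import sys

# From the post, C escapes resolved: r"\\.\SICE" is the NT device path.
DEVICE_NAMES = [
    r"\\.\SICE", r"\\.\SIWVID", r"\\.\SIWDEBUG", r"\\.\FROGSICE", r"\\.\ICEEXT",
    r"\\.\SuperBPMDev0", r"\\.\TRW", r"\\.\TRWDEBUG", r"\\.\TRW2000", r"\\.\SYSER",
    r"\\.\FILEMON", r"\\.\FILEM", r"\\.\FILEVXD", r"\\.\REGMON", r"\\.\REGVXD",
    r"\\.\REGSYS",
]
DRIVER_FILES = ["anti_rdtsc.sys", "fakerdtsc.sys"]


def _win32_can_open(path):
    """CreateFileW succeeds only when a loaded driver owns that device name."""
    import ctypes
    import ctypes.wintypes as wt
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wt.HANDLE
    k32.CreateFileW.argtypes = [wt.LPCWSTR, wt.DWORD, wt.DWORD, ctypes.c_void_p,
                                wt.DWORD, wt.DWORD, wt.HANDLE]
    k32.CloseHandle.argtypes = [wt.HANDLE]
    GENERIC_READ, SHARE_RW, OPEN_EXISTING = 0x80000000, 0x3, 3
    h = k32.CreateFileW(path, GENERIC_READ, SHARE_RW, None, OPEN_EXISTING, 0, None)
    if h is None or h == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        return False
    k32.CloseHandle(h)
    return True


def find_debug_devices(can_open=None, driver_dir=None):
    """Return the device names and driver files that are present on this box.

    can_open and driver_dir are injectable so the logic runs (and is testable)
    off Windows. Defaults: the real CreateFileW probe, and
    %SystemRoot%\\System32\\drivers for the .sys names (an assumption; the
    post does not say where they are looked up).
    """
    if can_open is None:
        can_open = _win32_can_open if sys.platform == "win32" else (lambda p: False)
    if driver_dir is None:
        driver_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                  "System32", "drivers")
    hits = [n for n in DEVICE_NAMES if can_open(n)]
    hits += [f for f in DRIVER_FILES if os.path.exists(os.path.join(driver_dir, f))]
    return hits


def locate_device_strings(blob):
    """(offset, name, encoding) for every device/driver name in a dump.

    Both ASCII and UTF-16LE are searched, with the terminating NUL included so
    that r"\\.\TRW" does not also fire inside r"\\.\TRW2000". Cross-reference
    the offsets in the disassembler to land on the anti-driver routine.
    """
    found = []
    for name in DEVICE_NAMES + DRIVER_FILES:
        for enc in ("ascii", "utf-16-le"):
            needle = (name + "\0").encode(enc)
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx < 0:
                    break
                found.append((idx, name, enc))
                start = idx + 1
    return sorted(found)


def build_sample_dump():
    """Constructed stand-in for a data section of an unpacked image."""
    return (b"\x90" * 16 + b"\\\\.\\SICE\0" + b"\x00" * 7
            + "\\\\.\\TRW2000\0".encode("utf-16-le") + b"\xcc" * 8
            + b"fakerdtsc.sys\0")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for off, name, enc in locate_device_strings(open(sys.argv[1], "rb").read()):
            print("%08X %-9s %s" % (off, enc, name))
    else:
        print("present on this machine:", find_debug_devices())
```

Run with a dump path to list string offsets, or with no arguments to run the live probe (which only means something on Windows). The live probe is exactly the kind of check that misfires on a clean box when an unrelated driver happens to claim one of these names, which is why the opener is passed in rather than hard-wired.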
oricode Posted September 27, 2007

@Killboy Am on it! Running fine now... you have packed in a lot of things there. Oricode.
metr0 Posted September 27, 2007

Uh, sorry Killboy... several problems with x64 (and no - I won't switch back to x86). First problem is the IAT. Since I know I currently can't rebuild it, I didn't take a further look at the protector. The only thing I recognized - second problem, uh - is that the code resolves the base of kernel32.dll dynamically (and eax, blah and that sub eax, 1000 stuff until the content is equal to the signature). Problem is that somehow there's an access violation using that algo. It seems like m$ somehow rearranged their kernel32.dll? o0 Let's see if I'll find some time to set up a VM... Sorry mate. :x
Ufo-Pu55y Posted September 27, 2007

Oki... unpacking it (after fixing the PE stuff) goes like:

00434338 893C8A MOV DWORD PTR DS:[EDX+ECX*4],EDI

change to

00434338 89048A MOV DWORD PTR DS:[EDX+ECX*4],EAX

After this 1 byte patch, break at OEP.. ImpRec.. ready ;'X
ChupaChu Posted October 11, 2007

I don't know anything about packing, so I had to look at it without unpacking, it's loaded with debug detection calls.. I would like to try to disable them all.. could anyone post an unpacked version?
Killboy (Author) Posted November 23, 2007

Anyone? I wouldn't like to post an unpacked version because it contains an 'evil trick' to prevent it from being unpacked, hoped it confuses a few but apparently nobody actually tried... Too cheap? Too hard? Too nasty? Give me something
Loki Posted November 26, 2007

Can't remember if I actually got round to it in the end. I'll take a look in a bit and give some sort of feedback
Killboy (Author) Posted November 26, 2007 (edited)

Don't get me wrong, this wasn't meant to force you to do it. Just saw the few people having tried at first but nobody replied, so I was wondering why; no need to try again if you already stopped after the first attempt. Maybe there are some suggestions which I can take into account for another crackme...

Edited November 26, 2007 by Killboy
ChupaChu Posted November 26, 2007

Yeah, my suggestion would be: don't pack it
Killboy (Author) Posted November 26, 2007

The problem with easy keygenmes is they aren't much fun to create :-/ Guess I'll stick with unpackmes then, was worth a try though. Thanks to everyone who tried