Tuts 4 You

Keygenme N


Killboy


Hey :)

Here's my very first keygenme, thought it was time for such thing.

I'm not going to say that much about it, it's your job to find out.

It uses quite a lot of antidebug, so if you find it crashing even outside a debugger or you are ABSOLUTELY sure antidebug caught you falsely, write it here and I *might* remove some of the antidebug...

I'm pretty sure it doesn't run on < NT system, but I can't say for sure. Worth a try I guess ;)

You might experience false positives by AVs, I tested it at virustotal.com (go ahead and check for yourself) and only 4 of them reported it as 'malicious' or trojan.

This is due to the packer used, so don't worry and get a proper AV if yours complains. Avast doesn't, I guess that's a good sign lol

As for level 4/10: The algo itself is not that hard, no complicated maths (only 2 or 3 times you will actually have to think) but mainly mean tricks.

If you add the antidebug and the packer, I think it sums up to 4.

For all the pros out there, 4/10 corresponds to Ziggy^(-10) :D

Sooo, I hope some people will take a look at it and it's at least some fun...good luck :>

It's attached...

Special thanks go to:

- The Chinese coder of the water effect, don't know his name right now (might add that later if I find the src again)

- UFO and metr0 for testing

// I'm sure you'll quickly find out why it's called REC ;D

KB_KGM_1.rar

Edited by Killboy

Killboy

Hey Killboy, will have a try - ok, at least a quick look, depends on how much time I can afford... o0. Looked very nice, and now that I've got an working import rebuilder, chances are good for you. :) Let's see if my math knowledge is good enough. :P

Greetz


Before I go off investigating absolutely nothing... is there anti VM code in here? I get "app failed to initialise properly (0xc000012d)" when starting (outside debugger) in my XP VM.


Shi*!! It screwed up my system... amusing though, but the right and left mouse button functions were swapped and the desktop hung, as well as explorer, after a few seconds!

I have Win XP SP2...

Oricode.

Edited by oricode

Didn't run for me at first, because of a lack of virtual memory. Well what do you want when the last section is 500 MB big :P

Simple to fix, just change the last section's virtual size from 1F001000 to 00001000, and the SizeOfImage from 1F036000 to 36000. I hope that doesn't trigger antipatching stuff.

Export directory, relocations and SizeOf(Code|[un]InitializedData) look messed up too, but the exe runs fine on my XP SP2 non-virtual even without fixing them.

Didn't run it through a debugger or anything yet... I hope that doesn't trigger violent antidbg like Oricode says because that would be out of line.

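The header fix described in the post above (an inflated VirtualSize on the last section and a correspondingly huge SizeOfImage, which makes the loader reserve far more memory than the file needs) can be found and undone mechanically. The following is an added example, not code from the thread or from the keygenme: it parses the PE section table, flags any section whose VirtualSize dwarfs its on-disk size, recomputes SizeOfImage from the section layout, and writes the corrected values back. The sample header it builds is constructed inline; the section sizes 1F001000/00001000 and image sizes 1F036000/36000 are the values quoted in the post, while the last section's RVA of 0x35000 (the one value that makes those numbers consistent) and the section names are assumptions.

```python
import struct

# Offsets of the two fields we need inside the optional header (same for PE32 and PE32+).
OPT_SECTION_ALIGNMENT = 32
OPT_SIZE_OF_IMAGE = 56
SECTION_HDR = '<8sIIIIIIHHI'   # IMAGE_SECTION_HEADER, 40 bytes


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def parse_headers(data):
    """Return SectionAlignment, SizeOfImage (with its file offset) and the section table."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    num_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    sec_base = opt + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = sec_base + 40 * i
        name, vsize, va, raw_size, _, _, _, _, _, _ = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'vsize': vsize, 'va': va, 'raw_size': raw_size, 'offset': off})
    return {
        'section_alignment': struct.unpack_from('<I', data, opt + OPT_SECTION_ALIGNMENT)[0],
        'size_of_image': struct.unpack_from('<I', data, opt + OPT_SIZE_OF_IMAGE)[0],
        'size_of_image_offset': opt + OPT_SIZE_OF_IMAGE,
        'sections': sections,
    }


def check_image_size(data, max_ratio=16):
    """Flag sections whose VirtualSize is wildly larger than their raw data; recompute SizeOfImage."""
    hdr = parse_headers(data)
    align = hdr['section_alignment']
    inflated, expected = [], 0
    for s in hdr['sections']:
        vsize = s['vsize']
        # Heuristic: more than max_ratio times the on-disk size (or the alignment, for
        # sections with no raw data) is suspicious. A genuine large .bss can trip this too.
        if vsize > max_ratio * max(s['raw_size'], align):
            vsize = _align_up(s['raw_size'], align) or align
            inflated.append((s['name'], s['vsize'], vsize))
        expected = max(expected, _align_up(s['va'] + vsize, align))
    return {'inflated': inflated,
            'size_of_image': hdr['size_of_image'],
            'suggested_size_of_image': expected}


def repair_headers(data):
    """Return a copy with the flagged VirtualSizes and SizeOfImage rewritten."""
    out = bytearray(data)
    hdr = parse_headers(data)
    result = check_image_size(data)
    fixes = {name: new for name, _, new in result['inflated']}
    for s in hdr['sections']:
        if s['name'] in fixes:
            # VirtualSize sits right after the 8-byte section name
            struct.pack_into('<I', out, s['offset'] + 8, fixes[s['name']])
    struct.pack_into('<I', out, hdr['size_of_image_offset'], result['suggested_size_of_image'])
    return bytes(out)


def build_sample_pe(last_vsize, size_of_image, last_va=0x35000):
    """Constructed minimal PE32 header: sizes from the thread; RVAs and names are assumed."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into('<I', opt, OPT_SECTION_ALIGNMENT, 0x1000)
    struct.pack_into('<I', opt, 36, 0x200)                     # FileAlignment
    struct.pack_into('<I', opt, OPT_SIZE_OF_IMAGE, size_of_image)
    struct.pack_into('<I', opt, 60, 0x400)                     # SizeOfHeaders
    text = struct.pack(SECTION_HDR, b'.text', 0x34000, 0x1000, 0x34000, 0x400, 0, 0, 0, 0, 0x60000020)
    last = struct.pack(SECTION_HDR, b'.last', last_vsize, last_va, 0x1000, 0x34400, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + text + last


if __name__ == '__main__':
    sample = build_sample_pe(0x1F001000, 0x1F036000)
    print(check_image_size(sample))
    print(check_image_size(repair_headers(sample)))
```

Run against the constructed header, the checker reports the last section as inflated (1F001000, suggested 00001000) and proposes SizeOfImage 36000, which is exactly the manual fix in the post. The ratio test is only a heuristic: a real uninitialised-data section can legitimately have a VirtualSize far above its raw size, so treat a hit as something to look at rather than patch blindly.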

There's no explicit anti-VM stuff, only antidebug. It probably catches a few VMs due to memory management or certain APIs...

@Oricode:

I'm not sure which detection is crashing it, I suppose it's the anti-driver stuff. It checks for those:

"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\SIWDEBUG", "\\\\.\\FROGSICE", "\\\\.\\ICEEXT", "\\\\.\\SuperBPMDev0", "\\\\.\\TRW", "\\\\.\\TRWDEBUG", "\\\\.\\TRW2000", "\\\\.\\SYSER", "\\\\.\\FILEMON", "\\\\.\\FILEM", "\\\\.\\FILEVXD", "\\\\.\\REGMON", "\\\\.\\REGVXD", "\\\\.\\REGSYS", "anti_rdtsc.sys", "fakerdtsc.sys"

Dunno if that helps or if you're able to fix that. Otherwise I'll have to loosen the antidebug a little :)

I just swapped mouse buttons and disabled the foreground window before the actual checking routine kicks in, not to intentionally harm you or your OS :)

QUICK FIX:

Removed the driver stuff and the huge section...hope it works a little better now

Edited by Killboy

Uh, sorry Killboy... several problems with x64 (and no - I won't switch back to x86). :) First problem is the IAT. Since I know I currently can't rebuild it, I didn't take a further look at the protector. The only thing I recognized - second problem, uh - is that the code resolves the base of kernel32.dll dynamically (and eax, blah and that sub eax, 1000 stuff until the content is equal to the signature). Problem is that somehow there's an access violation using that algo. It seems like m$ somehow rearranged their kernel32.dll? o0

Let's see if I'll find some time to set up a vm... Sorry mate. :x


Oki... unpacking it (after fixing the PE stuff) goes like:

00434338	893C8A		  MOV DWORD PTR DS:[EDX+ECX*4],EDI

change to

00434338	89048A		  MOV DWORD PTR DS:[EDX+ECX*4],EAX

After this 1 byte patch, break at OEP.. ImpRec.. ready ;'X

2 weeks later...

I don't know anything about packing, so I had to look at it without unpacking.

It's loaded with debug detection calls..

I would like to try to disable them all.. if anyone can post unpacked version?

1 month later...

Anyone ?

I wouldn't like to post an unpacked version because it contains an 'evil trick' to prevent it from being unpacked, hoped it confuses a few but apparently nobody actually tried...

Too cheap ? Too hard ? Too nasty ? Give me something :(


Don't get me wrong, this wasn't meant to force you to do it ;)

Just saw the few people having tried at first but nobody replied so I was wondering why, no need to try again if you already stopped after the first attempt.

Maybe there are some suggestions which I can take into account for another crackme...

Edited by Killboy

The problem with easy keygenmes is they aren't much fun to create :-/

Guess I'll stick with unpackmes then, was worth a try though :D

Thanks to everyone who tried :)
