[crackme/unpackme] Custom Protection Contest - Solved

[Nevyn]

Unpacked, but still not cracked

The file has been succesfully unpacked by sdy100 Check his unpacked attachment abit further down.

Waiting for a full explanation. Did you run into any problems?

Correct Key solved by Till.ch

Correct key is: correctkeyisthishao

Information

I just recently found my passion for protection coding along with trying to break it.

I've used a opensource packer and made some heavy modifications to it, also added loads of anti-codes.

I've had no success in getting out the correct key which you are supposed to type in, neither been able

to unpack it.

Allthough, i am a terrible reverser, i would like to get a 2nd opinion about this protection. I might go public with the protection later on

Your AV will recongnize the exefile as a Trojan Crypter, and thats because most of the AVI's reacts now days to everything that it recons has a

crypto inside of it, or rather, something it can't read.

Here is the URL, please post sugestions, ideas, and how you did to unpack it.

Since its a combined CrackMe/Unpack me, i'd also find it interesting if you were able to get out the correct key

I hope you liked the challenge as much as i liked creating it.

Oh and, if the exefile only crashes for you, try shut down olly

Kind Regards Nev.

I pretty much was able to unpack it, so i added some extra time stopping measures, however, I'll have to come up with more anti ways.

URL:

http://tinyurl.com/3cesqg

Edited January 13, 2008 by Nevyn
Edited topic title...

[kaksii]

grrrr I'll kill you.

Hurry...I just woke up. I'm nervous.

[sdy100]

00411496 895D F0 MOV DWORD PTR SS:[EBP-10],EBX

00411499 FF65 F0 JMP DWORD PTR SS:[EBP-10] // Jmp to OEP

0040599B	8B55 F8		 MOV EDX,DWORD PTR SS:[EBP-8]   
0040599E	58			  POP EAX

unpacked.rar

Edited January 10, 2008 by sdy100

[metr0]

That file doesn't run on my machine (XP SP2, x86, no reversing tools running). o0

[Nevyn]

That file doesn't run on my machine (XP SP2, x86, no reversing tools running). o0

Got SoftIce installed?

or do you get any error code?

[Nevyn]

0040599B	8B55 F8		 MOV EDX,DWORD PTR SS:[EBP-8]   
0040599E	58			  POP EAX

Allright, That simple huh. Thanks for that, new method then.

Please include if you ran into any problems and what you did.

For me to be able to learn and provide you with harder tasks i'd be glad if you could go through it, other's would be sure to learn aswell.

Used a generic unpacker? I noticed the mackt section, or do you happen to be that one person?

Your way is still solid.

Edited January 10, 2008 by Nevyn

[Nevyn]

I'll be putting a time limit on the correct key. From now 2hours and i'll disslclosure the key aswell.

Then back to the drawing board. I'll be working hard to make an ever harder challenge for you.

The key is easy to get out

[Fungus]

.mackt section is added by ImpRec

[Nevyn]

.mackt section is added by ImpRec

Mmm yeah you are correct, allthough loads of the Generic Unpackers uses Imprec.dll to restore.

I just wanted to make sure

[till]

Yea key is not hard to get at all.

correctkeyisthishao

[Sonny27]

The key is even viewable in the stack window when pausing after the badboy

greetz

[metr0]

The problem is here:

0041132D  |.  89D0					 mov	 eax, edx
0041132F  |.  6A 00					push	0
00411331  |.  FFD0					 call	near eax
00411333  |.  8BD8					 mov	 ebx, eax
00411335  |.  8BC3					 mov	 eax, ebx
00411337  |.  66:8138 4D5A			 cmp	 word ptr [eax], 5A4D
0041133C  |.  0F85 5A010000			jnz	 UnpackMe.0041149C
00411342  |.  8BF0					 mov	 esi, eax
00411344  |.  0370 3C				  add	 esi, dword ptr [eax+3C]
00411347  |.  813E 50450000			cmp	 dword ptr [esi], 4550
0041134D  |.  0F85 49010000			jnz	 UnpackMe.0041149C
00411353  |.  8B86 80000000			mov	 eax, dword ptr [esi+80]
00411359  |.  8BD0					 mov	 edx, eax
0041135B  |.  03D3					 add	 edx, ebx

eax is C483EC8B, so no GetModuleHandleA or similar. This problem exist also without any debugger running. o0

[Nevyn]

The problem is here:

0041132D  |.  89D0					 mov	 eax, edx
0041132F  |.  6A 00					push	0
00411331  |.  FFD0					 call	near eax
00411333  |.  8BD8					 mov	 ebx, eax
00411335  |.  8BC3					 mov	 eax, ebx
00411337  |.  66:8138 4D5A			 cmp	 word ptr [eax], 5A4D
0041133C  |.  0F85 5A010000			jnz	 UnpackMe.0041149C
00411342  |.  8BF0					 mov	 esi, eax
00411344  |.  0370 3C				  add	 esi, dword ptr [eax+3C]
00411347  |.  813E 50450000			cmp	 dword ptr [esi], 4550
0041134D  |.  0F85 49010000			jnz	 UnpackMe.0041149C
00411353  |.  8B86 80000000			mov	 eax, dword ptr [esi+80]
00411359  |.  8BD0					 mov	 edx, eax
0041135B  |.  03D3					 add	 edx, ebx

eax is C483EC8B, so no GetModuleHandleA or similar. This problem exist also without any debugger running. o0

You are making it way to hard, I can give you a tip, just load it the normal open way, Run it, Set a bp at a specific WinAPI and you are there

Im not saying that to diss-respect you or anything, i do understand the bad boys can give you abit of problems.

*EDIT

oh wait, you are still not getting it to run? Stupid me, actually, What kind of OS are you running? I havn't exactly os tested my code, only tested for XP Sp2

Edited January 10, 2008 by Nevyn

[metr0]

Erm I don't know if I got you /you got me right. The application doesn't even run without opening it inside a debugger, running it normal without any tools (except Windows hehe). Is that ok or - like I think - should the program run normally outside any debugging environment?

[Nevyn]

Erm I don't know if I got you /you got me right. The application doesn't even run without opening it inside a debugger, running it normal without any tools (except Windows hehe). Is that ok or - like I think - should the program run normally outside any debugging environment?

Yeah i came to that conclusion after i posted what i wrote, sorry im le tired.

I'll need to know what OS you're running, before i can say anything for sure

Oh well, which case. Time for me to sleep. I'll update the post tomorrow.

Edited January 10, 2008 by Nevyn

[ChupaChu]

I know nothing on unpacking, but the password is relatively easy to be found, cyphering is pretty simple.

0012FC64  |009042BC  ASCII "correctkeyisthishao"

I have similar problem with this crackme like metr0, only its random on my PC 10 times it wont run,

and then out of the sky it will run, i guess you need to make sure anti-debug stuff is aplyable on various

hardwares to make it work for everybody..

BR, ChupaChu!

[Durchschuss]

It's always good to have some virtual machines running to test it.

When I first tried to load it in Win2k SP4 it crashed, but after that I started it a dozen times and it worked flawlessly.

Trying to load it with Olly always gives me a C0000005.

...

No, wait, it really crashes kind of randomly. Tried many times now, sometimes it crashes, sometimes not.

[Nevyn]

It's always good to have some virtual machines running to test it.

When I first tried to load it in Win2k SP4 it crashed, but after that I started it a dozen times and it worked flawlessly.

Trying to load it with Olly always gives me a C0000005.

...

No, wait, it really crashes kind of randomly. Tried many times now, sometimes it crashes, sometimes not.

The reason it crashes is because of you running Olly. As long as you have olly loaded, it will crash, unless you patched your olly.

[Durchschuss]

No it crashes without having Olly open as well.

[pavka]

What for it is necessary ImpRec?

Script unwrap

var rgn

var sz

gpa "VirtualProtect","kernel32.dll"

bp $RESULT

erun

bc eip

rtu

sti

sti

mov sz,edx

go eip+2D

mov rgn,eax

eval " damp partial in PeTools or LordPe (select IntelDump) address:{rgn} , size:{sz}"

msg $RESULT

ret

Dumped.rar

[metr0]

Yeah, problem still there for me (on Windows XP SP2). It won't run, neither inside debugger nor outside on plain OS. I currently don't have a VM to test it on other OS.

Maybe some RDTSC problem? Don't know.

Regards,

metr0

[Nevyn]

Yeah, problem still there for me (on Windows XP SP2). It won't run, neither inside debugger nor outside on plain OS. I currently don't have a VM to test it on other OS.

Maybe some RDTSC problem? Don't know.

Regards,

metr0

I'll be making something new for you in near future. We'll notice then.

[ChupaChu]

Yea key is not hard to get at all.

correctkeyisthishao

Yo man, i think you made mistake, first one was Till.ch IMHO.

So please give credit where credit is due

BR, ChupaChu!

[Nevyn]

Yea key is not hard to get at all.

correctkeyisthishao

Yo man, i think you made mistake, first one was Till.ch IMHO.

So please give credit where credit is due

BR, ChupaChu!

zomg, i so missed that. thanks.

[Apakekdah]

I'm just put BPM in first section. and baammm... i'm in oep