Jump to content
Tuts 4 You

[crackme/unpackme] Custom Protection Contest - Solved


Nevyn

Recommended Posts

Unpacked, but still not cracked

The file has been succesfully unpacked by sdy100 Check his unpacked attachment abit further down.

Waiting for a full explanation. Did you run into any problems?

Correct Key solved by Till.ch

Correct key is: correctkeyisthishao

Information

I just recently found my passion for protection coding along with trying to break it.

I've used a opensource packer and made some heavy modifications to it, also added loads of anti-codes.

I've had no success in getting out the correct key which you are supposed to type in, neither been able

to unpack it.

Allthough, i am a terrible reverser, i would like to get a 2nd opinion about this protection. I might go public with the protection later on :)

Your AV will recongnize the exefile as a Trojan Crypter, and thats because most of the AVI's reacts now days to everything that it recons has a

crypto inside of it, or rather, something it can't read.

Here is the URL, please post sugestions, ideas, and how you did to unpack it.

Since its a combined CrackMe/Unpack me, i'd also find it interesting if you were able to get out the correct key :)

I hope you liked the challenge as much as i liked creating it.

Oh and, if the exefile only crashes for you, try shut down olly ;)

Kind Regards Nev.

I pretty much was able to unpack it, so i added some extra time stopping measures, however, I'll have to come up with more anti ways.

URL:

http://tinyurl.com/3cesqg

Edited by Nevyn
Edited topic title...
Link to comment
00411496 895D F0 MOV DWORD PTR SS:[EBP-10],EBX

00411499 FF65 F0 JMP DWORD PTR SS:[EBP-10] // Jmp to OEP

0040599B	8B55 F8		 MOV EDX,DWORD PTR SS:[EBP-8]   
0040599E 58 POP EAX

unpacked.rar

Edited by sdy100
Link to comment
0040599B	8B55 F8		 MOV EDX,DWORD PTR SS:[EBP-8]   
0040599E 58 POP EAX

Allright, That simple huh. Thanks for that, new method then.

Please include if you ran into any problems and what you did.

For me to be able to learn and provide you with harder tasks i'd be glad if you could go through it, other's would be sure to learn aswell.

Used a generic unpacker? I noticed the mackt section, or do you happen to be that one person? :o

Your way is still solid.

Edited by Nevyn
Link to comment

I'll be putting a time limit on the correct key. From now 2hours and i'll disslclosure the key aswell.

Then back to the drawing board. I'll be working hard to make an ever harder challenge for you.

The key is easy to get out :)

Link to comment
.mackt section is added by ImpRec :)

Mmm yeah you are correct, allthough loads of the Generic Unpackers uses Imprec.dll to restore.

I just wanted to make sure :P

Link to comment

The problem is here:

0041132D  |.  89D0					 mov	 eax, edx
0041132F |. 6A 00 push 0
00411331 |. FFD0 call near eax
00411333 |. 8BD8 mov ebx, eax
00411335 |. 8BC3 mov eax, ebx
00411337 |. 66:8138 4D5A cmp word ptr [eax], 5A4D
0041133C |. 0F85 5A010000 jnz UnpackMe.0041149C
00411342 |. 8BF0 mov esi, eax
00411344 |. 0370 3C add esi, dword ptr [eax+3C]
00411347 |. 813E 50450000 cmp dword ptr [esi], 4550
0041134D |. 0F85 49010000 jnz UnpackMe.0041149C
00411353 |. 8B86 80000000 mov eax, dword ptr [esi+80]
00411359 |. 8BD0 mov edx, eax
0041135B |. 03D3 add edx, ebx

eax is C483EC8B, so no GetModuleHandleA or similar. This problem exist also without any debugger running. o0

Link to comment
The problem is here:
0041132D  |.  89D0					 mov	 eax, edx
0041132F |. 6A 00 push 0
00411331 |. FFD0 call near eax
00411333 |. 8BD8 mov ebx, eax
00411335 |. 8BC3 mov eax, ebx
00411337 |. 66:8138 4D5A cmp word ptr [eax], 5A4D
0041133C |. 0F85 5A010000 jnz UnpackMe.0041149C
00411342 |. 8BF0 mov esi, eax
00411344 |. 0370 3C add esi, dword ptr [eax+3C]
00411347 |. 813E 50450000 cmp dword ptr [esi], 4550
0041134D |. 0F85 49010000 jnz UnpackMe.0041149C
00411353 |. 8B86 80000000 mov eax, dword ptr [esi+80]
00411359 |. 8BD0 mov edx, eax
0041135B |. 03D3 add edx, ebx

eax is C483EC8B, so no GetModuleHandleA or similar. This problem exist also without any debugger running. o0

You are making it way to hard, I can give you a tip, just load it the normal open way, Run it, Set a bp at a specific WinAPI and you are there :)

Im not saying that to diss-respect you or anything, i do understand the bad boys can give you abit of problems.

*EDIT

oh wait, you are still not getting it to run? Stupid me, actually, What kind of OS are you running? I havn't exactly os tested my code, only tested for XP Sp2

Edited by Nevyn
Link to comment

Erm I don't know if I got you /you got me right. The application doesn't even run without opening it inside a debugger, running it normal without any tools (except Windows hehe). Is that ok or - like I think - should the program run normally outside any debugging environment?

Link to comment
Erm I don't know if I got you /you got me right. The application doesn't even run without opening it inside a debugger, running it normal without any tools (except Windows hehe). Is that ok or - like I think - should the program run normally outside any debugging environment?

Yeah i came to that conclusion after i posted what i wrote, sorry im le tired.

I'll need to know what OS you're running, before i can say anything for sure :P

Oh well, which case. Time for me to sleep. I'll update the post tomorrow.

Edited by Nevyn
Link to comment

I know nothing on unpacking, but the password is relatively easy to be found, cyphering is pretty simple.

0012FC64  |009042BC  ASCII "correctkeyisthishao"

I have similar problem with this crackme like metr0, only its random on my PC 10 times it wont run,

and then out of the sky it will run, i guess you need to make sure anti-debug stuff is aplyable on various

hardwares to make it work for everybody..

BR, ChupaChu!

Link to comment

It's always good to have some virtual machines running to test it. ;)

When I first tried to load it in Win2k SP4 it crashed, but after that I started it a dozen times and it worked flawlessly.

Trying to load it with Olly always gives me a C0000005.

...

No, wait, it really crashes kind of randomly. Tried many times now, sometimes it crashes, sometimes not.

Link to comment
It's always good to have some virtual machines running to test it. ;)

When I first tried to load it in Win2k SP4 it crashed, but after that I started it a dozen times and it worked flawlessly.

Trying to load it with Olly always gives me a C0000005.

...

No, wait, it really crashes kind of randomly. Tried many times now, sometimes it crashes, sometimes not.

The reason it crashes is because of you running Olly. As long as you have olly loaded, it will crash, unless you patched your olly.

Link to comment

What for it is necessary ImpRec?

Script unwrap

var rgn

var sz

gpa "VirtualProtect","kernel32.dll"

bp $RESULT

erun

bc eip

rtu

sti

sti

mov sz,edx

go eip+2D

mov rgn,eax

eval " damp partial in PeTools or LordPe (select IntelDump) address:{rgn} , size:{sz}"

msg $RESULT

ret

Dumped.rar

Link to comment

Yeah, problem still there for me (on Windows XP SP2). It won't run, neither inside debugger nor outside on plain OS. I currently don't have a VM to test it on other OS.

Maybe some RDTSC problem? Don't know.

Regards,

metr0

Link to comment
Yeah, problem still there for me (on Windows XP SP2). It won't run, neither inside debugger nor outside on plain OS. I currently don't have a VM to test it on other OS.

Maybe some RDTSC problem? Don't know.

Regards,

metr0

I'll be making something new for you in near future. We'll notice then.

Link to comment
Yea key is not hard to get at all.

correctkeyisthishao

Yo man, i think you made mistake, first one was Till.ch IMHO.

So please give credit where credit is due ;)

BR, ChupaChu!

Link to comment
Yea key is not hard to get at all.

correctkeyisthishao

Yo man, i think you made mistake, first one was Till.ch IMHO.

So please give credit where credit is due ;)

BR, ChupaChu!

zomg, i so missed that. thanks.
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...