SUB Z3R0 Posted June 2, 2008 (edited)

Hi there! Try this: CrackMe.zip

Edited June 3, 2008 by Teddy Rogers: Corrected topic title...
Nan0miT Posted June 2, 2008 (edited)

Could you explain how to unpack this crackme? I read 2 tuts, but still don't understand how to fix the dump.

http://www.tuts4you.com/download.php?view.1539
http://www.tuts4you.com/download.php?view.2004

Is it really for beginners?

PS. When I try to open the unpacked one from the previous post in Reflector, I see "Arithmetic operation resulted in an overflow".

Edited June 2, 2008 by Nan0miT
Ufo-Pu55y Posted June 2, 2008

http://www.tuts4you.com/download.php?view.2004

That's exactly what I did. Not more, not less. OK, since CodeVeil 1.3 I even need Phant0m for not being kicked out when patching the encrypting/decrypting code.

I would say calling this one 'for beginners' is a bit harsh. Even if you're done with unpacking, it's still weird ****. And btw it's also very buggy code.. I had several exceptions when entering something as serial (in the original exe). So I lost motivation to go on.. :\
Nan0miT Posted June 2, 2008

Quoting Ufo-Pu55y:
That's exactly what I did. Not more, not less. OK, since CodeVeil 1.3 I even need Phant0m for not being kicked out when patching the encrypting/decrypting code.

1. As it was said in the tutorial http://www.tuts4you.com/download.php?view.2004, I found:

00409680   66:0F280F        MOVAPS XMM1,DQWORD PTR DS:[EDI]
00409684   66:0F2806        MOVAPS XMM0,DQWORD PTR DS:[ESI]
00409688   66:0FEFCB        PXOR MM1,MM3
0040968C   66:0F290E        MOVAPS DQWORD PTR DS:[ESI],XMM1
00409690   66:0FEFC3        PXOR MM0,MM3
00409694   66:0F2907        MOVAPS DQWORD PTR DS:[EDI],XMM0
00409698   83C6 10          ADD ESI,10
0040969B   83C7 10          ADD EDI,10
0040969E   49               DEC ECX
0040969F ^ 75 DF            JNZ SHORT CrackMe.00409680
004096A1   5A               POP EDX                          ; kernel32.7C816FF7
004096A2   59               POP ECX                          ; kernel32.7C816FF7
004096A3   5F               POP EDI                          ; kernel32.7C816FF7
004096A4   5E               POP ESI                          ; kernel32.7C816FF7
004096A5   C3               RETN

2. Then I found some free space at:

00409F80   90               NOP

3. Entered the code from your tut:

;Beginning Address was : 00409F80
JNZ 00409680
LEA EAX,DWORD PTR DS:[409680]
MOV DWORD PTR DS:[EAX],5E5F595A
MOV BYTE PTR DS:[EAX+4],0C3
JMP 00409680
;End Address was : 00409F96

and

0040969F  /0F85 DB080000    JNZ CrackMe.00409F80
004096A5  |C3               RETN

4. In the tutorial it was said that the "routine should be executed only once", so when I got to "004096A5 |C3 RETN", I changed it to

pop edx
pop ecx
pop edi
pop esi
ret

(to restore the stack).

5. F7 to go to "00409755 E8 03000000 CALL CrackMe.0040975D" and dump it.

PS. When I pressed F9 (Run), I got to that code (00409680) several times before the program started. Is that right, and what should I do next?

PPS. I think it's too difficult for me for now.
Ufo-Pu55y Posted June 2, 2008

Quoting Nan0miT:
0040969F  /0F85 DB080000    JNZ CrackMe.00409F80

You patched it with a JNZ, which is wrong. You need a JMP of course (like shown in the tut). And you don't have to place the following POP codes manually, because that's actually what the codecave does when it's finished.
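For anyone following the exchange above, here is the same code-cave patch worked out byte by byte. This is an added example and is not the tutorial's or the crackme's own code: it takes the addresses and opcode bytes quoted in the Olly listing (loop at 00409680, back-edge JNZ at 0040969F, free space at 00409F80), assembles the cave from the tutorial's five instructions, and applies it to a constructed in-memory image of the stub so you can check the encodings before touching the real process. The 0F85 DB080000 you get from the JNZ helper is exactly the encoding shown in the post; the JMP helper gives the E9 form that should have been used instead.

```python
"""
Assemble the 'run once' code-cave patch for the CodeVeil decrypt loop
discussed in the thread. Added example, not the tutorial's or the crackme's
own code. Addresses and opcode bytes are the ones quoted in the posts; the
40 KB image below is constructed here so the script runs offline.
"""
import struct

IMAGE_BASE = 0x00400000
LOOP_START = 0x00409680   # MOVAPS XMM1,[EDI] ... head of the XOR loop
LOOP_JNZ   = 0x0040969F   # '75 DF' JNZ SHORT back-edge that gets redirected
CAVE       = 0x00409F80   # NOP-filled free space used for the cave

# The decrypt routine exactly as Olly listed it (0x409680 .. 0x4096A5).
DECRYPT_STUB = bytes.fromhex(
    "660F280F" "660F2806" "660FEFCB" "660F290E" "660FEFC3" "660F2907"
    "83C610" "83C710" "49" "75DF" "5A595F5E" "C3"
)
# Epilogue the cave writes back over the loop head: pop edx/ecx/edi/esi, ret.
EPILOGUE = bytes.fromhex("5A595F5EC3")


def rel32(src, dst, insn_len):
    """Displacement relative to the end of the instruction at src."""
    return struct.pack("<i", dst - (src + insn_len))


def jmp(src, dst):          # E9 rel32
    return b"\xE9" + rel32(src, dst, 5)


def jnz(src, dst):          # 0F 85 rel32; ZF still comes from DEC ECX
    return b"\x0F\x85" + rel32(src, dst, 6)


def lea_eax(addr):          # 8D 05 disp32 : LEA EAX,[addr]
    return b"\x8D\x05" + struct.pack("<I", addr)


def mov_dword_eax(imm32):   # C7 00 imm32 : MOV DWORD PTR [EAX],imm32
    return b"\xC7\x00" + struct.pack("<I", imm32)


def mov_byte_eax4(imm8):    # C6 40 04 imm8 : MOV BYTE PTR [EAX+4],imm8
    return b"\xC6\x40\x04" + bytes([imm8])


def build_cave(cave=CAVE, loop=LOOP_START):
    """JNZ loop / LEA EAX,[loop] / MOV [EAX],5E5F595A / MOV BYTE [EAX+4],C3 / JMP loop"""
    code = jnz(cave, loop)                     # ECX != 0: keep decrypting
    code += lea_eax(loop)
    code += mov_dword_eax(0x5E5F595A)          # stored little-endian: 5A 59 5F 5E
    code += mov_byte_eax4(0xC3)                # RET right after the four pops
    code += jmp(cave + len(code), loop)        # lands on the freshly written pops
    return code


def make_image():
    """Constructed image: the stub at 0x409680 and a NOP sled at 0x409F80."""
    img = bytearray(0xA000)
    off = LOOP_START - IMAGE_BASE
    img[off:off + len(DECRYPT_STUB)] = DECRYPT_STUB
    img[CAVE - IMAGE_BASE:CAVE - IMAGE_BASE + 0x40] = b"\x90" * 0x40
    return img


def apply_patch(img, base=IMAGE_BASE):
    """Redirect the back-edge to the cave and drop the cave into the free space.
    Refuses to patch if the loop is not where the listing says it is."""
    off = LOOP_START - base
    if bytes(img[off:off + len(DECRYPT_STUB)]) != DECRYPT_STUB:
        raise ValueError("decrypt loop not at expected address; refusing to patch")
    redirect = jmp(LOOP_JNZ, CAVE)             # 5 bytes: clobbers JNZ SHORT + 3 pops
    cave = build_cave()
    img[LOOP_JNZ - base:LOOP_JNZ - base + len(redirect)] = redirect
    img[CAVE - base:CAVE - base + len(cave)] = cave
    return img


def simulate_first_run(img, base=IMAGE_BASE):
    """What the cave does at runtime once ECX hits zero: the loop head becomes
    the restored epilogue, so every later call returns immediately and the
    bodies decrypted on the first pass are never re-encrypted."""
    off = LOOP_START - base
    img[off:off + len(EPILOGUE)] = EPILOGUE
    return img


if __name__ == "__main__":
    img = simulate_first_run(apply_patch(make_image()))
    print("redirect @0040969F:", img[LOOP_JNZ - IMAGE_BASE:LOOP_JNZ - IMAGE_BASE + 5].hex())
    print("cave     @00409F80:", build_cave().hex())
    print("loop head afterwards:", img[LOOP_START - IMAGE_BASE:LOOP_START - IMAGE_BASE + 5].hex())
```

Two details this makes visible. First, the 5-byte JMP written over 0040969F destroys the JNZ SHORT and the first three POPs, which is why the cave rewrites the whole pop/pop/pop/pop/ret sequence over the loop head instead of relying on the original epilogue. Second, the cave's own JNZ can only work because JMP leaves the flags alone, so ZF from the DEC ECX at 0040969E is still valid when the cave is entered; with a JNZ at 0040969F, the final iteration (ECX = 0) falls through to whatever is left after the patch and the cave's rewrite never runs, which matches the symptoms in the earlier post.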
Nan0miT Posted June 2, 2008

Quoting Ufo-Pu55y:
0040969F  /0F85 DB080000    JNZ CrackMe.00409F80
You patched it with a JNZ, which is wrong. You need a JMP of course (like shown in the tut). And you don't have to place the following POP codes manually, because that's actually what the codecave does when it's finished.

OK. With JMP it works as in the tutorial. Got a dump with WinHex. Then I tried to cut the "unnecessary bytes", but I found these bytes only for the ".text" section (I cut 1000-4096). How to find them for the other sections? "Section Headers" in CFF looks strange...

BTW, before I closed Olly, I noticed that the sections start with:

.text
00402000   2B1B         SUB EBX,DWORD PTR DS:[EBX]
00402002   0179 00      ADD DWORD PTR DS:[ECX],EDI
00402005   0000         ADD BYTE PTR DS:[EAX],AL
00402007   0048 00      ADD BYTE PTR DS:[EAX],CL

.rsrc
00406000   ........?........0?.........H.?.?.....?4.VS_VERSION_INFO..
00406080   ??.......?...........D.VarFileInfo..$.Translation...??.S
00406100   tringFileInfo.?.000004b0.4.CompanyName..once4ever.8FileDescr
00406180   iption..CrackMe.0FileVersion..1.0.0.0.8.InternalName.CrackMe.

.reloc
00408000   00 40 00 00 0C 00 00 00 B0 3F 00 00 00 00 00 00   .@......

WinHexDump_undone.rar
Ufo-Pu55y Posted June 2, 2008

Yeah, not necessary to cut anything. I only shortened the reloc. If you already got a dump, then you can simply compare yours with mine in CFF.
Nan0miT Posted June 2, 2008

Quoting Ufo-Pu55y:
Yeah, not necessary to cut anything. I only shortened the reloc. If you already got a dump, then you can simply compare yours with mine in CFF.

Well, I still don't quite understand, but it works. In .NET Reflector I see again: "Arithmetic operation resulted in an overflow." In SpicesNet5 it's OK, but how to get the key... This is part of the code:

namespace a
{
    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;
    using a;

    public sealed abstract class a
    {
        private static string b;

        static a()
        {
            a.b = "ZXCVBNMLKJHGFDSAQWERRTYUIOP1*()@#qwertyuiopasdfghjkl;zxcvbnm,./\'+=-_234567890";
        }

        public static string b(string b)
        {
            string txt5;
            bool bl = !(b == "");
            if (!bl)
            {
                txt5 = "";
            }
            else
            {
                char ch = a.b['<'];
                string[] arr5 = new string[] {
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()
                };
                ch = a.b['\u0016']; ch = a.b['\u0006']; ch = a.b['\r']; ch = a.b['\u001e'];
                ch = a.b['\t']; ch = a.b['\u0013']; ch = a.b['$']; ch = a.b['\u000b'];
                string txt = string.Concat(arr5);

                arr5 = new string[] {
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
                    ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()
                };
                ch = a.b['4']; ch = a.b['+']; ch = a.b['\r']; ch = a.b['!']; ch = a.b['\u0014'];
                ch = a.b['=']; ch = a.b[',']; ch = a.b['\u0011']; ch = a.b['\''];
                string txt1 = string.Concat(arr5);

                ch = a.b['\u000e']; ch = a.b['\n']; ch = a.b['\u000f']; ch = a.b['\u001b'];
                string txt2 = string.Concat(ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString());

                int i = 2;
                arr5 = new string[16];
                ch = a.b['\"']; ch = a.b['\u0006']; ch = a.b['\u0019']; ch = a.b['\u0011'];
                ch = a.b['\u0002']; ch = a.b['<']; ch = a.b['\u001f']; ch = a.b['\n'];
                ch = a.b['\u0004']; ch = a.b['\u0007']; ch = a.b['\u0013']; ch = a.b['1'];
                ch = a.b['#']; ch = a.b['7']; ch = a.b['\u000e']; ch = a.b['\u0001'];
                string txt3 = string.Concat(arr5);

                int i1 = 256;
                byte[] arr = Encoding.ASCII.GetBytes(txt3);
                byte[] arr1 = Encoding.ASCII.GetBytes(txt1);
                byte[] arr2 = Encoding.UTF8.GetBytes(b);
                PasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(txt, arr1, txt2, i);
                byte[] arr3 = passwordDeriveBytes.GetBytes(i1 / 8);
                RijndaelManaged rijndaelManaged = new RijndaelManaged();
                rijndaelManaged.Mode = CipherMode.CBC;
                ICryptoTransform iCryptoTransform = rijndaelManaged.CreateEncryptor(arr3, arr);
                MemoryStream memoryStream = new MemoryStream();
                CryptoStream cryptoStream = new CryptoStream(memoryStream, iCryptoTransform, 1);
                cryptoStream.Write(arr2, 0, arr2.Length);
                cryptoStream.FlushFinalBlock();
                byte[] arr4 = memoryStream.ToArray();
                memoryStream.Close();
                cryptoStream.Close();
                return Convert.ToBase64String(arr4);
            }
            return txt5;
        }

        public static extern string d(string b);
    }
}

It's too much for me. I give up. Thanks for the help with unpacking.