Jump to content
Tuts 4 You

[crackme] .NET Unpack/CrackMe


SUB Z3R0

Recommended Posts

That's exactly what I did ? Not more not less. Ok since CodeVeil 1.3 I even need Phant0m

for not being kicked out, when patching the encrypting/decrypting code.

I would say calling this one 'for beginners' is a bit harsh.

Even if you're done with unpacking, it's still weird ****.

And btw it's also very buggy code.. I had several exceptions when entering

something as serial (in the original exe). So I lost motivation to go on.. :\

Link to comment
That's exactly what I did ? Not more not less. Ok since CodeVeil 1.3 I even need Phant0m

for not being kicked out, when patching the encrypting/decrypting code.

1. as it was said in tutorial http://www.tuts4you.com/download.php?view.2004 i found:

00409680	66:0F280F	   MOVAPS XMM1,DQWORD PTR DS:[EDI]
00409684 66:0F2806 MOVAPS XMM0,DQWORD PTR DS:[ESI]
00409688 66:0FEFCB PXOR MM1,MM3
0040968C 66:0F290E MOVAPS DQWORD PTR DS:[ESI],XMM1
00409690 66:0FEFC3 PXOR MM0,MM3
00409694 66:0F2907 MOVAPS DQWORD PTR DS:[EDI],XMM0
00409698 83C6 10 ADD ESI,10
0040969B 83C7 10 ADD EDI,10
0040969E 49 DEC ECX
0040969F ^ 75 DF JNZ SHORT CrackMe.00409680
004096A1 5A POP EDX ; kernel32.7C816FF7
004096A2 59 POP ECX ; kernel32.7C816FF7
004096A3 5F POP EDI ; kernel32.7C816FF7
004096A4 5E POP ESI ; kernel32.7C816FF7
004096A5 C3 RETN

2. then found some free space at:

00409F80	90			  NOP

3. enter the code from your tut:

;Beginning Address was : 00409F80JNZ 00409680
LEA EAX,DWORD PTR DS:[409680]
MOV DWORD PTR DS:[EAX],5E5F595A
MOV BYTE PTR DS:[EAX+4],0C3
JMP 00409680;End Address was : 00409F96

and

0040969F   /0F85 DB080000   JNZ CrackMe.00409F80
004096A5 |C3 RETN

4. in tutorial it was said that "routine should be executed only once" so when i get to the "004096A5 |C3 RETN", i've changed it to

pop edx
pop ecx
pop edi
pop esi
ret

(to restore stack)

5. F7 to go to "00409755 E8 03000000 CALL CrackMe.0040975D" and Dump it.

ps. When i pressed F9 (Run), i got to that code (00409680) several times before program'd started.

Is that right and what should i do next?

pps. I think it's too difficult to me for now.

Link to comment
0040969F   /0F85 DB080000   JNZ CrackMe.00409F80

You patched it with a JNZ, which is wrong. You need a JMP ofc (like shown in the tut).

And you don't have to place the following POP codes manually, coz that's actually what the

codecave does, when it's finished ;)

Link to comment
0040969F   /0F85 DB080000   JNZ CrackMe.00409F80

You patched it with a JNZ, which is wrong. You need a JMP ofc (like shown in the tut).

And you don't have to place the following POP codes manually, coz that's actually what the

codecave does, when it's finished ;)

Ok. With JMP works as in tutorial. Got dump with WinHex.

Then i try to cut "unnecessary bytes". But i found these bytes only for ".text" section (i cut 1000-4096). How to find them for other sections?

"Section Headers" of CFF looks strange...

224502bk7.png

btw, before i closed Olly, i noticed that sections starts with:

.text

00402000 2B1B SUB EBX,DWORD PTR DS:[EBX]

00402002 0179 00 ADD DWORD PTR DS:[ECX],EDI

00402005 0000 ADD BYTE PTR DS:[EAX],AL

00402007 0048 00 ADD BYTE PTR DS:[EAX],CL

.rsrc

00406000 ........?........0?.........H.?.?.....?4.VS_VERSION_INFO..

00406080 ??.......?...........D.VarFileInfo..$.Translation...??.S

00406100 tringFileInfo.?.000004b0.4.CompanyName..once4ever.8FileDescr

00406180 iption..CrackMe.0FileVersion..1.0.0.0.8.InternalName.CrackMe.

.reloc

00408000 00 40 00 00 0C 00 00 00 B0 3F 00 00 00 00 00 00 .@......

WinHexDump_undone.rar

Link to comment

Yea not necessary to cut anything. I only shortened the reloc.

If you already got a dump, then you can simply compare urs with mine in CFF.

Link to comment
Yea not necessary to cut anything. I only shortened the reloc.

If you already got a dump, then you can simply compare urs with mine in CFF.

Well, i still don't quite understand, but it works. :)

In .NET Reflector i see again: "Arithmetic operation resulted in an overflow."

In SpicesNet5 it's ok, but how to get the key... this is part of code: :confused:

namespace a
{
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using a; public sealed abstract class a
{
private static string b;
static a()
{
a.b = "ZXCVBNMLKJHGFDSAQWERRTYUIOP1*()@#qwertyuiopasdfghjkl;zxcvbnm,./\'+=-_234567890";
}
public static string b(string b)
{
string txt5;
bool bl = !(b == "");
if (!bl)
{
txt5 = "";
}
else
{
char ch = a.b['<'];
string[] arr5 = new string[] {
ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()};
ch = a.b['\u0016'];
ch = a.b['\u0006'];
ch = a.b['\r'];
ch = a.b['\u001e'];
ch = a.b['\t'];
ch = a.b['\u0013'];
ch = a.b['$'];
ch = a.b['\u000b'];
string txt = string.Concat(arr5);
arr5 = new string[] {
ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(),
ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString()};
ch = a.b['4'];
ch = a.b['+'];
ch = a.b['\r'];
ch = a.b['!'];
ch = a.b['\u0014'];
ch = a.b['='];
ch = a.b[','];
ch = a.b['\u0011'];
ch = a.b['\''];
string txt1 = string.Concat(arr5);
ch = a.b['\u000e'];
ch = a.b['\n'];
ch = a.b['\u000f'];
ch = a.b['\u001b'];
string txt2 = string.Concat(ch.ToString(), ch.ToString(), ch.ToString(), ch.ToString());
int i = 2;
arr5 = new string[16];
ch = a.b['\"'];
ch = a.b['\u0006'];
ch = a.b['\u0019'];
ch = a.b['\u0011'];
ch = a.b['\u0002'];
ch = a.b['<'];
ch = a.b['\u001f'];
ch = a.b['\n'];
ch = a.b['\u0004'];
ch = a.b['\u0007'];
ch = a.b['\u0013'];
ch = a.b['1'];
ch = a.b['#'];
ch = a.b['7'];
ch = a.b['\u000e'];
ch = a.b['\u0001'];
string txt3 = string.Concat(arr5);
int i1 = 256;
byte[] arr = Encoding.ASCII.GetBytes(txt3);
byte[] arr1 = Encoding.ASCII.GetBytes(txt1);
byte[] arr2 = Encoding.UTF8.GetBytes(b);
PasswordDeriveBytes passwordDeriveBytes = new PasswordDeriveBytes(txt, arr1, txt2, i);
byte[] arr3 = passwordDeriveBytes.GetBytes(i1 / 8);
RijndaelManaged rijndaelManaged = new RijndaelManaged();
rijndaelManaged.Mode = CipherMode.CBC;
ICryptoTransform iCryptoTransform = rijndaelManaged.CreateEncryptor(arr3, arr);
MemoryStream memoryStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(memoryStream, iCryptoTransform, 1);
cryptoStream.Write(arr2, 0, arr2.Length);
cryptoStream.FlushFinalBlock();
byte[] arr4 = memoryStream.ToArray();
memoryStream.Close();
cryptoStream.Close();
return Convert.ToBase64String(arr4);
}
return txt5;
}
public static extern string d(string b);
}
}

It's too much for me. I give up.

Thanks for help with unpacking.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...