Tuts 4 You

[crackme] Anti RE by Virez


Recommended Posts

Posted

Compiler: Visual Basic 6.0

Level: 8/10 (for me :( )

1. Just guess the password in the textbox.

2. Please make a tutorial...

anti_RE.virez.rar

Posted

It's not a crackme, it's a bruteforce-me (RC4). If the key is 20 symbols long, it's unrealistic.

Sorry for my bad English.

Posted (edited)

Hmmm... I'm new to RCE, bro Vovan666...

This uses RC4, so one has to attack it with a brute-force method...??

I'm sorry, I forgot...

No rules, bro... you can use any method (serial fishing, cracking, patching etc.)...

Edited by khonel
Posted (edited)

Ok,

I don't know if this is a valid solution, but here it goes.

The crackme extracts a file based on the password (RC4 apparently) to the same directory as the crackme. This file is called "tmp.exe".

My idea: As we know which messagebox should be returned I thought it would be possible to write a code cave that simply replaces the file (which is obviously not the correct one) with my own file that contains the following code:

#include <windows.h>

int main()
{
    MessageBoxA(FindWindowA(0, "-- vires n vitri anti crack --"), "vires menyatakan anda lulus:)", "virti pasti cinta vires", 0);
    return 0;
}

I compiled this file and decreased the size a bit, result: a 600-byte file. Now use CFF Explorer to (first) add the imports:

CloseHandle
CreateFileW
DeleteFileW
WriteFile

And after this, create a new 0x300-byte section where we delete the bad tmp.exe, create a new one and finally write the compressed custom exe to that file.

My code (can be optimized a bit I think, but I was too lazy to implement TRUNCATE_FILE):

<00407000>
lea eax,dword ptr ds:[ebp-34]   ; original instruction displaced from 402937
push 2                          ; original instruction displaced from 402937
;Code Cave
pushad                          ; preserve registers
push 402108                     ; UNICODE "tmp.exe"
call dword ptr ds:[406087]      ; DeleteFileW
push 0                          ; hTemplateFile = NULL
push 80                         ; FILE_ATTRIBUTE_NORMAL
push 2                          ; CREATE_ALWAYS (the old file was just deleted, so no truncate needed)
push 0                          ; no security attributes
push 0                          ; no sharing
push 40000000                   ; GENERIC_WRITE
push 402108                     ; UNICODE "tmp.exe"
call dword ptr ds:[406083]      ; CreateFileW
mov ebx,eax                     ; copy handle to ebx
inc ebx                         ; INVALID_HANDLE_VALUE (-1) becomes 0
test ebx,ebx                    ; compare with 0
je short @end                   ; skip WriteFile when CreateFileW failed
push eax                        ; preserve handle for CloseHandle
push 0                          ; no OVERLAPPED
push @written                   ; lpNumberOfBytesWritten
push 252                        ; file size, 0x252 = 594 bytes
push @file                      ; actual data
push eax                        ; handle
call dword ptr ds:[40608B]      ; WriteFile
call dword ptr ds:[40607F]      ; CloseHandle (uses the handle pushed above)
@end:
popad                           ; restore registers
jmp 40293C                      ; back to the instruction after the redirect
@written:
"\0\0\0\0"
@file:
"\x90"                          ; placeholder, replace with the 0x252 data bytes below

Before saving we first need to actually execute this code cave. I decided to redirect from 0x402937. This is right in front of the actual execution of tmp.exe. You also should binary-copy the compressed file in place of that 0x90 byte (I was too lazy to convert it to an ASCII table).

Data:

4D 5A BF 00 00 42 00 57 31 C0 EB 58 50 45 00 00 4C 01 01 00 C6 6F 82 E9 D5 3B 5E 6E 1B 13 09 4F
78 00 0F 03 0B 01 31 33 48 41 53 48 48 41 53 48 48 41 53 48 02 00 01 00 48 41 53 48 0C 00 00 00
00 00 40 00 00 00 01 00 00 02 00 00 48 41 53 48 48 41 53 48 04 00 00 00 00 00 00 00 00 00 42 06
00 00 01 00 90 50 40 BB 02 00 00 00 5D BE 62 01 40 00 6A 00 59 E9 5F 00 00 00 00 00 48 41 53 48
03 00 00 00 01 D3 50 F7 E2 F7 F3 31 DB EB 09 00 48 41 53 48 00 00 00 00 5A 39 C1 72 06 29 C1 92
29 D0 43 C3 00 00 41 06 00 00 01 00 00 02 00 00 01 00 00 00 48 41 53 48 00 00 00 00 48 41 53 48
E0 00 00 E0 0F A3 2D 78 01 40 00 11 C9 45 01 C0 85 C0 79 F0 E8 AB FF FF FF 60 AD 01 F8 74 36 6A
0A 58 89 44 24 14 89 44 24 10 AD 31 ED 4D 45 01 C0 72 FB 75 0C D1 EB 61 75 D6 D0 17 73 DB 47 EB
F9 60 AC 0F B6 D0 32 07 6B C0 6F 02 07 48 4F 00 D2 72 F3 75 F9 BF 26 01 42 00 B9 A3 FE 1F 03 73
0C F3 66 AB 0A 06 61 8D 76 0B 7B AD C3 F7 F1 8D 3C 57 89 E9 31 C0 AE 74 04 0A 2F 75 02 41 41 48
0F B6 14 07 D3 E2 01 54 84 34 40 7E F3 29 D8 78 0C 4F FE 04 07 D0 2C 1F 75 03 D0 14 1F 61 46 EB
8C 00 3C FF BD FF FE FF FF AB 00 20 80 DA FE BD FF FF FF FF CD 00 80 C0 BB 01 80 88 73 59 AB 9B
9C 5B 29 B7 7F 2A DF FF F8 5F E7 EB 5B 23 B5 AE 22 CF 6C 99 CB B6 DC F2 BC 78 68 D1 05 37 34 24
3B 56 BD F4 4D BE 1A D5 42 47 8A 6E 73 52 4E FD D8 75 C8 04 B7 E5 D4 C5 24 9B E4 F9 14 A3 26 E8
B1 EA F5 A3 3F 34 84 B1 6D 00 1B 45 BF 13 F5 EA 09 4E BC 9C E4 36 7F 95 43 26 74 7A 3A 37 B4 04
CA 14 82 6C 66 A7 E1 F2 81 F8 8A 8D 70 A0 AF 56 C7 15 90 5C C6 EE 15 6C D4 8D F1 1B AA 40 FE DF
AD 6A 66 C3 CC FA 26 18 FF E9 BF FA 3F 61 70 15 69 75 23 2B DB BF 1B 62 15 3E 74 08 94 16 94 15
24 7A 7F F2 AD 59 42 B6 97 ED 3A C1 B7 FA 9B 96 AC 13 41 1A 13 89 7E 18 B3 98 66 BD EB 88 39 4A
CF FB FF 3A 7A A8 8C DF B3 93 6E 9E 1A 6A 6E 43 8E FB

Result is attached.

Greetings,

Mr. eXoDia // T.P.o.D.T 2012

PS Level 2/10, needs a little brain (or luck)

anti_re_cracked.rar

Edited by Mr. eXoDia
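Two checks worth running before burning a code cave like the one above into the file, as an added Python example that is not part of Mr. eXoDia's post: the 5-byte redirect at 0x402937 must cover whole instructions and the cave must jump back to the byte right after them, and the data blob must still parse as an MZ stub whose e_lfanew reaches the "PE\0\0" signature. The addresses and the first two rows of the hex table are taken from the post; the x86 encodings of `lea eax,[ebp-34]` and `push 2` are standard, and the return jump is not encoded here because the post does not give the cave's end address.

```python
import struct

# Addresses quoted in the post: redirect written at 0x402937, cave at 0x407000,
# cave jumps back to 0x40293C.
HOOK_VA = 0x402937
CAVE_VA = 0x407000
RETURN_VA = 0x40293C

# The two instructions the 5-byte redirect overwrites, re-executed at the top of
# the cave. Standard x86 encodings: lea eax,[ebp-0x34] -> 8D 45 CC, push 2 -> 6A 02.
DISPLACED = bytes.fromhex("8D 45 CC 6A 02")


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode `jmp rel32` (E9 disp32) placed at src_va and landing on dst_va."""
    disp = dst_va - (src_va + 5)  # displacement is relative to the next instruction
    return b"\xe9" + struct.pack("<i", disp)


def hook_fits(displaced: bytes, hook_len: int = 5) -> bool:
    """The redirect is only safe if the displaced instructions end exactly at the
    hook boundary; otherwise the cave returns into the middle of an instruction."""
    return len(displaced) == hook_len


def parse_hexdump(text: str) -> bytes:
    """Turn a whitespace-separated hex table (like the 'Data:' block) into bytes."""
    return bytes.fromhex("".join(text.split()))


def pe_header_sane(blob: bytes):
    """Return e_lfanew if blob starts with MZ and e_lfanew points at 'PE\\0\\0', else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


# First two rows of the "Data:" table from the post (64 of its 0x252 bytes).
DATA_HEAD = parse_hexdump("""
4D 5A BF 00 00 42 00 57 31 C0 EB 58 50 45 00 00 4C 01 01 00 C6 6F 82 E9 D5 3B 5E 6E 1B 13 09 4F
78 00 0F 03 0B 01 31 33 48 41 53 48 48 41 53 48 48 41 53 48 02 00 01 00 48 41 53 48 0C 00 00 00
""")

if __name__ == "__main__":
    print("redirect bytes:", jmp_rel32(HOOK_VA, CAVE_VA).hex(" "))
    print("hook covers whole instructions:", hook_fits(DISPLACED))
    print("return lands after displaced code:", RETURN_VA == HOOK_VA + len(DISPLACED))
    print("e_lfanew of payload:", hex(pe_header_sane(DATA_HEAD)))
```

The displaced pair is 3 + 2 = 5 bytes, which is exactly why the cave can come back to 0x40293C = 0x402937 + 5. The payload's e_lfanew is 0x0C, so the PE signature sits inside the DOS header itself, the usual trick for a tiny hand-built stub. Counting the posted table gives 18 rows of 32 bytes plus 18, i.e. 594 = 0x252 bytes, matching the size pushed to WriteFile.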
Posted

Just wondering, the file dropped is an executable, no? If so, then you have a starting point of the plaintext to brute-force. Then, if the key is chosen from one of the 'weaker' subsets, you might be able to use the information here: http://marcel.wanda.ch/Archive/WeakKeys

HR,

Ghandi
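Vovan666's "bruteforce-me" remark and Ghandi's known-plaintext point together, as an added Python example that is not part of either post: RC4 is a stream cipher, so with the dropped file known to start with "MZ" a candidate key can be rejected after decrypting only two bytes, and survivors are confirmed by checking that e_lfanew leads to "PE\0\0". The payload, the key "vir" and the lowercase alphabet are constructed for the demo, not taken from the crackme; the `keyspace` helper shows why the same search is hopeless at 20 symbols.

```python
import itertools
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA) XORed over data; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Structural check: MZ stub whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(ciphertext: bytes, alphabet: str, max_len: int):
    """Exhaustive search over keys of 1..max_len symbols from alphabet.
    Decrypting just the first two bytes and comparing with the known 'MZ' throws
    away all but about 1 in 65536 wrong keys before any full decryption."""
    known = b"MZ"
    tried = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            key = "".join(chars).encode()
            tried += 1
            if rc4(key, ciphertext[:2]) != known:
                continue
            plain = rc4(key, ciphertext)  # full decrypt only for survivors
            if looks_like_pe(plain):
                return key, tried
    return None, tried


def keyspace(alphabet_len: int, key_len: int) -> int:
    """Number of keys of exactly key_len symbols: 26**3 is seconds, 26**20 is never."""
    return alphabet_len ** key_len


# Constructed stand-in for the dropped executable (not the crackme's real payload):
# MZ stub, e_lfanew = 0x40, then the PE signature and a few filler bytes.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + bytes(range(16)))
SECRET_KEY = b"vir"  # constructed demo key, short enough to search exhaustively
CIPHERTEXT = rc4(SECRET_KEY, FAKE_PE)

if __name__ == "__main__":
    key, tried = recover_key(CIPHERTEXT, string.ascii_lowercase, 3)
    print("recovered key:", key, "after", tried, "candidates")
    print("20-symbol lowercase keyspace:", keyspace(26, 20))
```

The known plaintext only buys a cheap filter per candidate; every key still costs a full 256-step KSA, so the search stays exponential in the key length. That is the gap between Ghandi's idea working on a short key and Vovan666's verdict on a 20-symbol one.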

Posted

Mr. eXoDia: thanks very much for the solution...

I hope you make a PDF / video version of the solution and upload it to your website.

Ghandi: thanks for the reference..., interesting....

Posted

@Ghandi: The file has to be an executable indeed... I guess it's also possible to crack it like that, but I'm in a code cave mood :)

@khonel: I won't... This guide here is clear enough.
