Jump to content
Tuts 4 You

[crackme] Anti RE by Virez


khonel

Recommended Posts

it's not crackme, it's bruteforceme RC4. If it's long a key of 20 symbols it's unreal.

Sorry for my bad English.

Link to comment

hmmm... im new in RCE bro Vovan666... :cc_confused:

this use RC4 and must use bruteforce method for attack...??

:rule: im sorry im forget...

no rule bro... you can use all method (serial fishing, cracking, patching etc)...

Edited by khonel
Link to comment

Ok,

I don't know if this is a valid solution, but here it goes.

The crackme extracts a file based on the password (RC4 apparently) to the same DIR as the crackme. This file is called "tmp.exe"

My idea: As we know which messagebox should be returned I thought it would be possible to write a code cave that simply replaces the file (which is obviously not the correct one) with my own file that contains the following code:

#include <windows.h>int main()
{
MessageBoxA(FindWindowA(0, "-- vires n vitri anti crack --"), "vires menyatakan anda lulus:)", "virti pasti cinta vires", 0);
return 0;
}

I compiled this file and decreased the size a bit, result: 600byte file. Now use CFF Explorer to (first) add the imports:

CloseHandle
CreateFileW
DeleteFileW
WriteFile

And after this, create a new 0x300 byte-sized section where we will delete the bad tmp.exe, create a new one and finally write the compressed custom exe to that file.

My code (can be optimized a bit I think, but I was too lazy to implement TRUNCATE_FILE):

<00407000>
lea eax,dword ptr ds:[ebp-34]
push 2
;Code Cave
pushad ; preserve registers
push 402108 ; UNICODE "tmp.exe"
call dword ptr ds:[406087] ; DeleteFileW
push 0 ; No Handle
push 80 ; No attribute
push 2 ; TRUNCATE_EXSISTING
push 0 ; No security
push 0 ; No share
push 40000000 ; GENERIC_WRITE
push 402108 ; UNICODE "tmp.exe"
call dword ptr ds:[406083] ; CreateFileW
mov ebx,eax ; mov handle in ebx
inc ebx ; increase
test ebx,ebx ; compare with 0 (means handle was -1)
je short @end ; skip write file when fails.
push eax ; Preserve handle
push 0 ; No overlapped
push @written ; Written bytes
push 252 ; Filesize
push @file ; Actual data
push eax ; Handle
call dword ptr ds:[40608B] ; WriteFile
call dword ptr ds:[40607F] ; CloseHandle
@end:
popad ; restore registers
jmp 40293C
@written:
"\0\0\0\0"
@file:
"\x90"

Before saving we first need to actually execute this code cave. I decided to redirect from 0x402937. This is right in front of the actual execution of tmp.exe. You also should binary copy the compressed file in place of that 0x90 byte (I was too lazy to convert it to an ascii table.

Data:

4D 5A BF 00 00 42 00 57 31 C0 EB 58 50 45 00 00 4C 01 01 00 C6 6F 82 E9 D5 3B 5E 6E 1B 13 09 4F
78 00 0F 03 0B 01 31 33 48 41 53 48 48 41 53 48 48 41 53 48 02 00 01 00 48 41 53 48 0C 00 00 00
00 00 40 00 00 00 01 00 00 02 00 00 48 41 53 48 48 41 53 48 04 00 00 00 00 00 00 00 00 00 42 06
00 00 01 00 90 50 40 BB 02 00 00 00 5D BE 62 01 40 00 6A 00 59 E9 5F 00 00 00 00 00 48 41 53 48
03 00 00 00 01 D3 50 F7 E2 F7 F3 31 DB EB 09 00 48 41 53 48 00 00 00 00 5A 39 C1 72 06 29 C1 92
29 D0 43 C3 00 00 41 06 00 00 01 00 00 02 00 00 01 00 00 00 48 41 53 48 00 00 00 00 48 41 53 48
E0 00 00 E0 0F A3 2D 78 01 40 00 11 C9 45 01 C0 85 C0 79 F0 E8 AB FF FF FF 60 AD 01 F8 74 36 6A
0A 58 89 44 24 14 89 44 24 10 AD 31 ED 4D 45 01 C0 72 FB 75 0C D1 EB 61 75 D6 D0 17 73 DB 47 EB
F9 60 AC 0F B6 D0 32 07 6B C0 6F 02 07 48 4F 00 D2 72 F3 75 F9 BF 26 01 42 00 B9 A3 FE 1F 03 73
0C F3 66 AB 0A 06 61 8D 76 0B 7B AD C3 F7 F1 8D 3C 57 89 E9 31 C0 AE 74 04 0A 2F 75 02 41 41 48
0F B6 14 07 D3 E2 01 54 84 34 40 7E F3 29 D8 78 0C 4F FE 04 07 D0 2C 1F 75 03 D0 14 1F 61 46 EB
8C 00 3C FF BD FF FE FF FF AB 00 20 80 DA FE BD FF FF FF FF CD 00 80 C0 BB 01 80 88 73 59 AB 9B
9C 5B 29 B7 7F 2A DF FF F8 5F E7 EB 5B 23 B5 AE 22 CF 6C 99 CB B6 DC F2 BC 78 68 D1 05 37 34 24
3B 56 BD F4 4D BE 1A D5 42 47 8A 6E 73 52 4E FD D8 75 C8 04 B7 E5 D4 C5 24 9B E4 F9 14 A3 26 E8
B1 EA F5 A3 3F 34 84 B1 6D 00 1B 45 BF 13 F5 EA 09 4E BC 9C E4 36 7F 95 43 26 74 7A 3A 37 B4 04
CA 14 82 6C 66 A7 E1 F2 81 F8 8A 8D 70 A0 AF 56 C7 15 90 5C C6 EE 15 6C D4 8D F1 1B AA 40 FE DF
AD 6A 66 C3 CC FA 26 18 FF E9 BF FA 3F 61 70 15 69 75 23 2B DB BF 1B 62 15 3E 74 08 94 16 94 15
24 7A 7F F2 AD 59 42 B6 97 ED 3A C1 B7 FA 9B 96 AC 13 41 1A 13 89 7E 18 B3 98 66 BD EB 88 39 4A
CF FB FF 3A 7A A8 8C DF B3 93 6E 9E 1A 6A 6E 43 8E FB

Result is attached.

Greetings,

Mr. eXoDia // T.P.o.D.T 2012

PS Level 2/10, needs a little brain (or luck)

anti_re_cracked.rar

Edited by Mr. eXoDia
  • Like 1
Link to comment

Mr. eXoDia : thank's very much for solution...

i hope you make solution PDF / video version and upload in your web :notworthy:

Ghandi : thanks for reference..., interesting.... :yes:

Link to comment

@Ghandi: The file has to be an executable indeed... I guess it's also possible to crack it like that, but I'm in a code cave mood :)

@khonel: I won't... This guide here is clear enough.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...