Tuts 4 You

[crackme] Extract the picture and write a tutorial


Go to solution Solved by kao,


tarequl.hassan
Posted

Goal: Extract the picture of the Girl at startup and write a tutorial on how you have done it.

colorpicker.rar

Posted (edited)

OK, I don't have a good dumper.

But I think it is packed with PeInject; you have injected a splash.dll.

set a breakpoint here and step into

0043D2D9 CALL EAX

Now set a breakpoint here

013C1198 CALL 013C12E2 ; JMP to user32.LoadBitmapA

The return from LoadBitmapA is your bitmap.

Greets

Edited by ragdog
tarequl.hassan
Posted

Thank you, ragdog. But this won't extract the picture. Yes, I used PeInject.

Posted (edited)

On return from LoadBitmapA you have the pointer to this picture ;-)

Now you must dump it and write the Bitmap header.

Here is an example for saving the bitmap (dumper)

from rohitab


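// If you want to save the bitmap to a file now that you have it on your computer, here (I don't take credit for this function)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

void SaveBitmap(char *szFilename, HBITMAP hBitmap)
{
    HDC hdc = NULL;
    FILE *fp = NULL;
    LPVOID pBuf = NULL;
    // BITMAPINFO has room for a single RGBQUAD, but GetDIBits writes the whole
    // colour table (or bitfield masks) after the header, so reserve 256 entries.
    struct { BITMAPINFOHEADER bmiHeader; RGBQUAD bmiColors[256]; } bmpInfo;
    BITMAPFILEHEADER bmpFileHeader;
    DWORD dwPaletteSize = 0;
    do {
        hdc = GetDC(NULL);
        ZeroMemory(&bmpInfo, sizeof(bmpInfo));
        bmpInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
        // First call, NULL buffer: only fills in the header (dimensions, bit depth).
        GetDIBits(hdc, hBitmap, 0, 0, NULL, (BITMAPINFO *)&bmpInfo, DIB_RGB_COLORS);
        if (bmpInfo.bmiHeader.biSizeImage == 0)
            // Each row is padded to a multiple of 4 bytes.
            bmpInfo.bmiHeader.biSizeImage = ((bmpInfo.bmiHeader.biWidth * bmpInfo.bmiHeader.biBitCount + 31) / 32) * 4 * abs(bmpInfo.bmiHeader.biHeight);
        if ((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage)) == NULL)
        {
            MessageBoxA(NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK | MB_ICONERROR);
            break;
        }
        bmpInfo.bmiHeader.biCompression = BI_RGB;
        // Second call copies the pixels and, for palettised bitmaps, the colour table.
        GetDIBits(hdc, hBitmap, 0, abs(bmpInfo.bmiHeader.biHeight), pBuf, (BITMAPINFO *)&bmpInfo, DIB_RGB_COLORS);
        // Bitmaps with 8 bpp or less need the colour table between header and pixels.
        if (bmpInfo.bmiHeader.biBitCount <= 8)
        {
            bmpInfo.bmiHeader.biClrUsed = 0; // 0 = full table of 2^biBitCount entries
            dwPaletteSize = (1u << bmpInfo.bmiHeader.biBitCount) * sizeof(RGBQUAD);
        }
        if ((fp = fopen(szFilename, "wb")) == NULL)
        {
            MessageBoxA(NULL, "Unable to Create Bitmap File", "Error", MB_OK | MB_ICONERROR);
            break;
        }
        bmpFileHeader.bfReserved1 = 0;
        bmpFileHeader.bfReserved2 = 0;
        bmpFileHeader.bfOffBits = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + dwPaletteSize;
        bmpFileHeader.bfSize = bmpFileHeader.bfOffBits + bmpInfo.bmiHeader.biSizeImage;
        bmpFileHeader.bfType = 0x4D42; // "BM" on disk; the multi-character constant 'MB' is implementation-defined
        fwrite(&bmpFileHeader, sizeof(BITMAPFILEHEADER), 1, fp);
        fwrite(&bmpInfo.bmiHeader, sizeof(BITMAPINFOHEADER), 1, fp);
        if (dwPaletteSize)
            fwrite(bmpInfo.bmiColors, dwPaletteSize, 1, fp);
        fwrite(pBuf, bmpInfo.bmiHeader.biSizeImage, 1, fp);
    } while (0);
    if (hdc) ReleaseDC(NULL, hdc);
    if (pBuf) free(pBuf);
    if (fp) fclose(fp);
}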
Edited by ragdog
  • Thanks 1
  • Solution
Posted

Small modification of ragdog's idea:

1) breakpoint on LoadBitmapA;

2) look at parameters to the call:


0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198
0012F744 00AC0000 |hInst = 00AC0000
0012F748 00AC3000 \RsrcName = "MyBitmap"

So, the DLL is loaded at address AC0000.

3) Dump memory at address AC0000. I used PETools, so it calculated the size of the dump automatically (EC000 bytes). But you can always use another tool and dump more memory, it won't hurt.

4) Open dump with CFF and use its resource editor function to extract BMP.

  • Thanks 1
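
Both the "write the Bitmap header" step and the resource extraction in step 4 come down to the same detail: a bitmap resource inside a PE is a packed DIB (BITMAPINFOHEADER, colour table, pixels) without the 14-byte BITMAPFILEHEADER that a .bmp file starts with. The following is an added example, not code from any poster in this thread; it is portable C with hypothetical function names and a constructed 2x2 sample, and it assumes the raw resource bytes are already in a buffer.

```c
/* Added example (not from the thread): wrap a packed DIB, i.e. the raw
   payload of an RT_BITMAP resource, in the 14-byte BITMAPFILEHEADER.
   Portable C without windows.h; all function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Fills hdr[14] for the DIB at dib[0..len). Returns bfOffBits (offset of
   the pixel data in the file), or 0 if the DIB header is not plausible. */
uint32_t dib_file_header(const uint8_t *dib, size_t len, uint8_t hdr[14])
{
    if (len < 40 || len > 0x7FFFFFFF) return 0;
    uint32_t biSize = rd32(dib);                /* 40 = BITMAPINFOHEADER, 108 = V4, 124 = V5 */
    uint32_t bpp = dib[14] | dib[15] << 8;      /* biBitCount */
    uint32_t comp = rd32(dib + 16);             /* biCompression */
    uint32_t colors = rd32(dib + 32);           /* biClrUsed; 0 means "full palette" */
    if (biSize < 40 || biSize > len || bpp == 0) return 0;
    if (colors == 0 && bpp <= 8) colors = 1u << bpp;
    if (colors > 256) return 0;                 /* conservative cap, also avoids overflow */
    uint32_t extra = colors * 4;                /* RGBQUAD colour table */
    if (comp == 3 && biSize == 40) extra += 12; /* BI_BITFIELDS: three DWORD masks */
    if (extra > len - biSize) return 0;         /* table must lie inside the buffer */
    memset(hdr, 0, 14);                         /* bfReserved1/2 stay zero */
    hdr[0] = 'B'; hdr[1] = 'M';                 /* bfType */
    wr32(hdr + 2, (uint32_t)(14 + len));        /* bfSize */
    wr32(hdr + 10, 14 + biSize + extra);        /* bfOffBits */
    return 14 + biSize + extra;
}

/* Writes header + DIB to path. Returns 0 on success, -1 on any failure. */
int save_dib_as_bmp(const char *path, const uint8_t *dib, size_t len)
{
    uint8_t hdr[14];
    if (!dib_file_header(dib, len, hdr)) return -1;
    FILE *fp = fopen(path, "wb");
    if (!fp) return -1;
    int ok = fwrite(hdr, 1, 14, fp) == 14 && fwrite(dib, 1, len, fp) == len;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

/* Constructed sample: 2x2, 24 bpp, rows padded to 8 bytes (40 + 16 = 56 bytes). */
static const uint8_t SAMPLE_DIB[56] = { 40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 24,0,
    0,0,0,0, 16,0,0,0 /* rest of header and pixels left zero (black) */ };

int main(void) { return save_dib_as_bmp("sample.bmp", SAMPLE_DIB, sizeof SAMPLE_DIB); }
```

The bounds checks matter when the buffer comes from a memory dump: a truncated or misidentified region is rejected instead of producing a file whose pixel offset points past the data.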
Posted

Yes, for using tools your solution is good, kao,

but I think hassan is trying to code an extractor like Thinstall, or not, hassan?

tarequl.hassan
Posted

Yes, ragdog. Trying to code an extractor.

Posted

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
