Tuts 4 You

[crackme] Extract the picture and write a tutorial

tarequl.hassan

Goal: Extract the picture of the Girl at startup and write a tutorial on how you have done it.

colorpicker.rar

ragdog

OK, I do not have a good dumper.

But I think it is packed with PeInject; you have injected a splash.dll.

Set a breakpoint here and step into:

0043D2D9 CALL EAX

Now set a breakpoint here

013C1198 CALL 013C12E2 ; JMP to user32.LoadBitmapA

The return from LoadBitmapA is your bitmap.

Greets

tarequl.hassan

Thank you, ragdog. But this won't extract the picture. Yes, I used PeInject.

ragdog

On return from LoadBitmapA you have the pointer to this picture ;-)

Now you must dump it and write the bitmap header.

Here is an example for saving the bitmap (dumper)

from rohitab


#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

// If you want to save the bitmap to a file now that you have it on your computer, here (I don't take credit for this function)
void SaveBitmap(char *szFilename, HBITMAP hBitmap)
{
    HDC hdc = NULL;
    FILE *fp = NULL;
    LPVOID pBuf = NULL;
    BITMAPINFO bmpInfo;
    BITMAPFILEHEADER bmpFileHeader;
    do {
        hdc = GetDC(NULL);
        ZeroMemory(&bmpInfo, sizeof(BITMAPINFO));
        bmpInfo.bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
        // With a NULL buffer and biBitCount == 0 this call only fills in the header
        if (!GetDIBits(hdc, hBitmap, 0, 0, NULL, &bmpInfo, DIB_RGB_COLORS))
            break;
        // Request uncompressed 32-bit pixels: GetDIBits then writes no colour table
        // past the end of bmpInfo, and rows need no padding
        bmpInfo.bmiHeader.biBitCount = 32;
        bmpInfo.bmiHeader.biCompression = BI_RGB;
        bmpInfo.bmiHeader.biClrUsed = 0;
        bmpInfo.bmiHeader.biClrImportant = 0;
        bmpInfo.bmiHeader.biSizeImage = (DWORD)bmpInfo.bmiHeader.biWidth * (DWORD)abs(bmpInfo.bmiHeader.biHeight) * 4;
        if ((pBuf = malloc(bmpInfo.bmiHeader.biSizeImage)) == NULL)
        {
            MessageBoxA(NULL, "Unable to Allocate Bitmap Memory", "Error", MB_OK | MB_ICONERROR);
            break;
        }
        // Second call copies the pixels into pBuf in the requested format
        GetDIBits(hdc, hBitmap, 0, abs(bmpInfo.bmiHeader.biHeight), pBuf, &bmpInfo, DIB_RGB_COLORS);
        if ((fp = fopen(szFilename, "wb")) == NULL)
        {
            MessageBoxA(NULL, "Unable to Create Bitmap File", "Error", MB_OK | MB_ICONERROR);
            break;
        }
        bmpFileHeader.bfReserved1 = 0;
        bmpFileHeader.bfReserved2 = 0;
        bmpFileHeader.bfSize = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER) + bmpInfo.bmiHeader.biSizeImage;
        bmpFileHeader.bfType = 0x4D42; // "BM" on disk; same value as the multi-character constant 'MB'
        bmpFileHeader.bfOffBits = sizeof(BITMAPFILEHEADER) + sizeof(BITMAPINFOHEADER);
        // File layout: file header, info header, pixel data
        fwrite(&bmpFileHeader, sizeof(BITMAPFILEHEADER), 1, fp);
        fwrite(&bmpInfo.bmiHeader, sizeof(BITMAPINFOHEADER), 1, fp);
        fwrite(pBuf, bmpInfo.bmiHeader.biSizeImage, 1, fp);
    } while (0);
    if (hdc) ReleaseDC(NULL, hdc);
    if (pBuf) free(pBuf);
    if (fp) fclose(fp);
}
  • Thanks 1

kao

Small modification of ragdog's idea:

1) breakpoint on LoadBitmapA;

2) look at parameters to the call:


0012F740 00AC119D /CALL to LoadBitmapA from 00AC1198
0012F744 00AC0000 |hInst = 00AC0000
0012F748 00AC3000 \RsrcName = "MyBitmap"

So, the DLL is loaded at address AC0000.

3) Dump memory at address AC0000. I used PETools, so it calculated the size of the dump automatically (EC000 bytes). But you can always use another tool and dump more memory, it won't hurt.

4) Open dump with CFF and use its resource editor function to extract BMP.

  • Thanks 1
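
For anyone coding the extractor instead of using a resource editor: an RT_BITMAP resource is stored as a bare DIB without the 14-byte BITMAPFILEHEADER, so the header has to be built before the bytes pulled from the dump open as a .bmp. The following is an added example, not code from this thread; `dib_file_header` and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian accessors, so no struct packing or alignment is assumed. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical helper: dib/len are the raw bytes of an RT_BITMAP resource
 * (BITMAPINFOHEADER, optional masks and colour table, then pixels). Fills the
 * 14-byte BITMAPFILEHEADER to write in front of them. Returns 0, or -1 if malformed. */
int dib_file_header(const uint8_t *dib, size_t len, uint8_t out[14])
{
    if (len < 40 || len > UINT32_MAX - 14) return -1;
    uint32_t hdr  = rd32(dib);                 /* biSize */
    uint32_t bpp  = dib[14] | dib[15] << 8;    /* biBitCount */
    uint32_t comp = rd32(dib + 16);            /* biCompression */
    uint32_t ncol = rd32(dib + 32);            /* biClrUsed */
    if (hdr < 40 || hdr > len || bpp == 0) return -1;
    if (bpp <= 8) {                            /* palettised: table is mandatory */
        if (ncol > (1u << bpp)) return -1;
        if (ncol == 0) ncol = 1u << bpp;       /* 0 means "full table" */
    }
    if (ncol > (len - hdr) / 4) return -1;     /* colour table must fit in the blob */
    size_t extra = (size_t)ncol * 4;
    if (comp == 3 && hdr == 40) extra += 12;   /* BI_BITFIELDS: three DWORD masks */
    if (extra > len - hdr) return -1;
    out[0] = 'B'; out[1] = 'M';                /* bfType */
    wr32(out + 2, (uint32_t)(14 + len));       /* bfSize */
    wr32(out + 6, 0);                          /* bfReserved1, bfReserved2 */
    wr32(out + 10, (uint32_t)(14 + hdr + extra)); /* bfOffBits: where pixels start */
    return 0;
}

/* Constructed sample: 2x2, 8 bpp, biClrUsed = 2, rows padded to 4 bytes. */
static const uint8_t SAMPLE_DIB[56] = {
    40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 8,0, 0,0,0,0, 8,0,0,0,
    0,0,0,0, 0,0,0,0, 2,0,0,0, 0,0,0,0,
    0,0,0,0, 255,255,255,0,                    /* palette: black, white */
    0,1,0,0, 1,0,0,0                           /* pixel rows */
};

int main(void)
{
    uint8_t fh[14];
    if (dib_file_header(SAMPLE_DIB, sizeof SAMPLE_DIB, fh) != 0) return 1;
    printf("bfSize=%u bfOffBits=%u\n", (unsigned)rd32(fh + 2), (unsigned)rd32(fh + 10));
    return 0;
}
```

Writing the 14 header bytes followed by the unmodified resource bytes gives a valid .bmp file.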

ragdog

Yes, for using tools your solution is good, kao,

but I think hassan is trying to code an extractor like Thinstall, or not, hassan?

tarequl.hassan

Yes, Ragdog. Trying to code an extractor.

Teddy Rogers

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
