[CleanUP]CrackME_Level_6

[LoLLo90]

Good day reverser !
I propose today a new crackme that has been created by me and Lollo90.Target :
Silver : Create a patched executable;
Gold : Create a patched,cleaned executable and reveal the correct password.Programming Language :
Visual Basic .NETInfo
The program was developed and protected by me and Lollo90.
To test your username and your password you have to click the image on the right.
A window will open, which will clearly show the success of the crack.
At the start, and at the check of the password ,it can seem that is going to crash, wait some seconds and it will works perfectly.

 

Screenshot : 

 

http://www.mediafire.com/download.php?4ez99o204jpo144

https://mega.co.nz/#!h4g3DYZL!DXHnLl1sM6BMwvfjbByiOC6T23dVFzlaT8zVEx7A2Qc

 

https://www.virustotal.com/file/9e39de3c88e118cdc2d0b961fa506b3df09469effa2b21ed0b87f2d8796a82e7/analysis/1360359728/

[kao]

In my VMWare (32bit XP, .NET3.5 SP1) it tries to delete itself by running cmd.exe and ping.exe for delay. The same behaviour is very common in malware.

Considering that, there is no way I will run this shit on my real PC.

[LoLLo90]

In my VMWare (32bit XP, .NET3.5 SP1) it tries to delete itself by running cmd.exe and ping.exe for delay. The same behaviour is very common in malware.

Considering that, there is no way I will run this shit on my real PC.

It autodeletes if you modify it. I am not posting a virus, if you want scan on virustotal or whatever yourself do it

[kao]

It autodeletes if you modify it.

Funny - I didn't change a single byte in it. I just launched it from C:\ using Windows Explorer. Edited February 11, 2013 by kao

[LoLLo90]

Funny - I didn't change a single byte in it. I just launched it from C:\ using Windows Explorer.

Really i don't know what to tell. I posted it also in other forums,and works for all people that have tried. Maybe can you try to download it again?

[Hadits follower]

modifying confuser with long byte + invalid fake method putted in table 1 million up + enigma nice to see it again. 

http://www.hackforums.net/showthread.php?tid=3242531

[LoLLo90]

modifying confuser with long byte + invalid fake method putted in table 1 million up + enigma nice to see it again. 

http://www.hackforums.net/showthread.php?tid=3242531

LOl stop giving -1 on posts only because you can't crack it..

[Hadits follower]

i decrypted il code ur confuser and dump ur enigma .

 

http://www.2shared.com/file/ykhCmuPc/Enigma_unpacked_confuser_decry.html

 

- why? because its damage my os.

cant crack i am not pro in cracking .still learner .for deob it i lost data once i formate my pc thats for u got - . u cant talking about rep its not allowed.

 

there had more cracker they can do it for u.

talking about - not allowed in this forums u can report

Edited February 11, 2013 by Death

[LoLLo90]

@kao: Kao i would ask something, i  don't know if is possible: is possible that in some way the extracted file from the rar you downloaded has different md5?

[LoLLo90]

No-one can do /wanna try it?

[richyb]

Why the hell would we try this...

 

hackforums already said the file is fishy...

 

now ill tell you why i think it is...

 

based on your screenshot its a simple login form with a few checks, yet upon downloading it the file size is 17MB

 

Why is it so big for such a small app???

 

This file clearly does something not mentioned in your post.

 

DO YOU THINK WE ARE STUPID

[atom0s]

File connects to the net on startup:

 

www.frserver.altervista.org

 

Connects to:

 

http://www.frserver.altervista.org/CleanUp/CleanUp5.php

 

Then connects to:

 

http://frserver.altervista.org/CleanUp/__f.php

http://frserver.altervista.org/CleanUp/_f.php

 

 

 

Then to: (Data seems to be SSL cert info.)

 

http://frserver.altervista.org/CleanUp/_s.php

 

 

Didn't bother going further after seeing it attempt to connect to the net. 

Edited February 16, 2013 by atom0s

[LoLLo90]

Yea at0mos you're right, it connects there to do antitamper cheks, and richyb look well on hf isn't a virus lol

[CodeExplorer]

@LoLLo90:
After unpacking it and entering a random name/password it gives me an message "PaneENuttella"

Is it normal? And what this means? 

[LoLLo90]

@LoLLo90:

After unpacking it and entering a random name/password it gives me an message "PaneENuttella"

Is it normal? And what this means? 

Ohohohoho seems oyu are getting close. However that is only a test message we used during our test.. doesn't mean nothing  don't care of it

[CodeExplorer]

http://www.multiupload.nl/7B0AH8PZJP

Unpacked & cracked!

Just enter any random username & password

 

From Method: A.cb23e3e7a432657fdae2e9d1f62062299::cdd50c39daf6832358449d16e0755fa82

 

  IL_04c8:  /* 72   | (70)004599       */ ldstr      "4A50B2272C087BA0E58BE0092B124364"
  IL_04cd:  /* 16   |                  */ ldc.i4.0
  IL_04ce:  /* 28   | (06)000182       */ call       int32 A.cb23e3e7a432657fdae2e9d1f62062299::smethod_169(object,  object,  bool)
  IL_04d3:  /* 16   |                  */ ldc.i4.0
  IL_04d4:  /* FE01 |                  */ ceq
  IL_04d6:  /* 2D   | 3A               */ brtrue.s   IL_0512
Opcodes: 729945007016288201000616FE012D3A
changing antelast 2D to 0x2C ( brfalse.s <int8 (target)> )
 

smethod_169 calls int32  [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Operators::CompareString(string,
 string,   bool)

 

[LoLLo90]

Codecracker congratulations! You did really a great job... but there is something you still need to fix.. the msgbox isn't completely correct:

in your exe it says(for other users except for me):

but it should exit to all users like this:

 

There is still another check you need to fix

Edited March 17, 2013 by LoLLo90

[li0nsar3c00l]

Why the hell would we try this...

 

hackforums already said the file is fishy...

 

now ill tell you why i think it is...

 

based on your screenshot its a simple login form with a few checks, yet upon downloading it the file size is 17MB

 

Why is it so big for such a small app???

 

This file clearly does something not mentioned in your post.

 

DO YOU THINK WE ARE STUPID

well, only death said so, i can just say, its pretty good

would like to see more from codecracker

[Hadits follower]

Final Unpacked

 

 

public void method_39(object object_118, object object_119)

{

   object left = null;

   if (Operators.ConditionalCompareObjectEqual(left, "DWNff", false))

   {

       Interaction.MsgBox(RuntimeHelpers.GetObjectValue(GForm0.smethod_5("c3oqvh3vp23jhytppjgpoèae=", "Key_yg3")), MsgBoxStyle.OkOnly, null);

   }

   if (!Operators.ConditionalCompareObjectEqual(left, "Iyevf", false))

   {

   }

}

Unpacked_Final.rar

Edited March 23, 2013 by Death