kao Posted March 21, 2014 Hi guys, after being idle for a long, long time, I'm happy to present you a small challenge. I hope it will keep you busy for a while. From the readme:

    Goal: write a keygen.
    Difficulty: 5/10.
    Protection: yes, there is some.
    Time required: entire evening or more.

    This is an oldschool keygenme that will test both your reversing and coding skills. However, if your reversing skills are limited to running OllyScripts, de4dot and Reflector, don't waste your time, you won't break it. If you can't write your own tools, you will struggle. You have been warned.
    Cracked exes and loaders are for eternal noobs. The only proper solution is a keygen.

    Requirements: .NET 2.0, tested on 32bit XP, 64bit Win7, 32bit Win8.

Have fun! kao. GotSkills_by_kao.zip
simple Posted March 21, 2014 A keygenner will definitely tut it, because this is easy cracking :) PD: keep up the challenges.
Hadits follower Posted March 22, 2014 (edited) This is a nice obfuscator. I don't know whoever made it, but the strong name part is nice. I just removed the strong name and the file is fully clean, all done, but the calli System.Void and string encryption parts are also excellent; there I am held up, but I am trying my best. That part is hard for me because, as you know, I am still not as good a coder as you, 0xd4d, CodeCracker or yck1509, but I am still learning every day and trying to fix my private obfuscator. Just to say: cool obfuscator. It must be private? Or maybe made by you? Nice, after many days, to see a nice second new obfuscator which is fully new. CodeCracker's obfuscator is also cool; both are excellent. Sorry if this is off-topic, or if you think I did something wrong, please try to forgive. But nice, actually; if I post again it may be an unpack, which is just an attempt to unpack. That's why I'm saying this is a nice obfuscator: the strong name part is super, that's why I can't decrypt the strings and the System.Void calli. It's a new feature with the same quality as delegates, but fully different, excellent. I just want to say nice obfuscator. Don't mind if I'm off-topic or anything is wrong, because CodeCracker, yck1509 and 0xd4d were my teachers; I always respect these 3 guys. yck, 0xd4d, not seen for many days. Excellent obfuscator, kao. It's a bit harder than CodeCracker's one, but both are excellent. After many days, I'm seeing a new second obfuscator which is fully different from other commercial obfuscators. Sorry for my bad English. Edited March 22, 2014 by Death
kao Posted March 22, 2014 Author @Death: I'm glad you like it. If you can make a fully unpacked (and correctly working!) file, please feel free to post it here. SN protection, string and call obfuscation are my own, but I don't have a complete obfuscator. The keygenme EXE was handcrafted using ILASM, a hex editor and CFF. When someone solves the keygenme, I could write a small tutorial on how it was created.
LoLLo90 Posted March 22, 2014 Damn! That anti-tamper! I had to patch mscorlib (Environment.Exit) to modify it a little. I don't think I can stand a chance against this, but I will let you know!
ragdog Posted March 22, 2014 This is an oldschool keygenme?? .NET is old school?
kao Posted March 22, 2014 Author @LoLLo90: Nice catch! I somehow overlooked that.

    if (badThingDetected)
    {
        Environment.Exit(1);
        return;    // <---- this one is missing. Silly me.
    }
    GoodBoyCode();
    return;

@ragdog: What I meant with "old school" is "crackme designed to show some novel idea; hard but solvable", as opposed to the recent "generate correct serial, compare it with entered serial and protect it with off-the-shelf protector" kind of crackme.
LoLLo90 Posted March 22, 2014 (quoting kao's reply above) I had a stroke of luck!
Hadits follower Posted March 23, 2014 (edited) kao, sorry for posting again. It's super hard protection for me, entry point "062a", so I need some help from you. The install method body is fully JIT hooked with a super signature, like dnghvm; nobody can grab it with JitDumper or any JIT hooker, but all is possible with metadata. But your strong name and anti-tamper are super hard; the result is that I can't dump the installing method .cctor "062a" and the JIT hook in the method above it in <Module>. The JIT dump really succeeded, but I can't save the unpacked exe because of the strong name. If you just help me a little with the anti-tamper, it will be easy for me to unpack it. It's really super protection that I can't explain... but I am trying, that's why I'm just asking about the anti-tamper location. I need help from you, if you can, with the location of the anti-tamper. This is the first time I've seen such super protection. Edited March 23, 2014 by Death
kao Posted March 24, 2014 Author The protection is not JIT-hook based; all the .NET code is in plain sight. So there is no need to use JitDumper.
Hadits follower Posted March 24, 2014 (edited) I see all the installed strings in memory at run time. So it's not JIT hooked? A simple memory read at run time shows all your strings hooked or dynamic. I said JitDumper can do the install method correctly and grab all the memory code, but however, that's not the matter. I am seeing all the strings only at runtime, but you said it's not hooked. Confused!! Edited March 24, 2014 by Death
Hadits follower Posted March 25, 2014 (edited) I will give a tutorial soon on how to unpack it properly. I already told you the strings are hooked and the key is related to the JIT only. Because of your anti-tamper I can't save the dumped exe; I just need some time to understand your strong anti-tamper, remove it, then reflection-unpack it with one click, the same as JitDumper. I'm just taking time for the tutorial on how to unpack it. Not so hard, a bit easy; however, good protection. This is the key of the string decryption, a sample of the install method which is hooked and placed in .cctor 0x06000001:

    byte[] data = { 0x6F, 0x6E, 0x31, 0x00, 0x00, 0xE4, 0x35, 0xEF, 0x0E, 0x58, 0x8E, 0x28, 0x0C, 0xF5, 0x01, 0x43, 0x68, 0x65, 0x63, 0x6B, 0x21, 0x00, 0x00, 0xA7, 0xB2, 0x30, 0x3C, 0x40, 0x0E, 0x7E, 0xD9, 0x01, 0x74, 0x65, 0x78, 0x74, 0x42, 0x6F, 0x78, 0x31, 0x00, 0x00, 0x75, 0x03, 0xA0, 0x69, 0x0E, 0xA6, 0xC8, 0x22, 0xAD, 0x01, 0x6B, 0x61, 0x6F, 0x00, 0x42, 0x1E, 0xBA, 0x91, 0xB3, 0x52, 0xB6, 0x96, 0x01, 0x74, 0x65, 0x78, 0x74, 0x42, 0x6F, 0x78, 0x32, 0x00, 0x00, 0xEE, 0x01, 0x2E, 0x2E, 0x2E, 0x20, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x2E, 0x2E, 0x2E, 0x00, 0x54, 0x2F, 0xC8, 0x12, 0x01, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x31, 0x00, 0x00, 0xCB, 0xA9, 0x27, 0x99, 0x01, 0x4E, 0x61, 0x6D, 0x65, 0x3A, 0x00, 0xFD, 0x74, 0x14, 0xA5, 0x13, 0x01, 0x6C, 0x61, 0x62, 0x65, 0x6C, 0x32, 0x00, 0x00, 0x1C, 0x26, 0x4E, 0x01, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x3A, 0x00, 0x00, 0x0B, 0x01, 0x6C, 0x69, 0x6E, 0x6B, 0x4C, 0x61, 0x62, 0x65, 0x6C, 0x31, 0x00, 0x00, 0x48, 0x01, 0xD6, 0x44, 0x10, 0xE5, 0xBD, 0xB2, 0x08, 0x29, 0x01, 0x28, 0x63, 0x29, 0x20, 0x6B, 0x61, 0x6F, 0x2C, 0x20, 0x32, 0x30, 0x31, 0x34, 0x2E, 0x20, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x62, 0x6F, 0x61, 0x72, 0x64, 0x2E, 0x62, 0x2D, 0x61, 0x74, 0x2D, 0x73, 0x2E, 0x69, 0x6E, 0x66, 0x6F, 0x2F, 0x00, 0x00, 0x98, 0x05, 0x73, 0x97, 0x28, 0x09, 0xCE, 0x0B, 0x4B, 0xB1, 0xE3, 0x4D, 0xEB, 0x01, 0x24, 0x74, 0x68, 0x69, 0x73, 0x2E, 0x49, 0x63, 0x6F, 0x6E, 0x00, 0x00, 0x42, 0xBB, 0x35, 0xB7, 0xFA, 0xD9, 0xFE, 0x78, 0x01, 0x46, 0x6F, 0x72, 0x6D, 0x31, 0x00, 0x45, 0x0C, 0xB7, 0x2E, 0xD3, 0x8E, 0x01, 0x47, 0x6F, 0x74, 0x20, 0x73, 0x6B, 0x69, 0x6C, 0x6C, 0x73, 0x3F, 0x00, 0x00, 0x2D, 0x72, 0xF9, 0x4F, 0xB2, 0x2E, 0x14, 0xA2, 0x7B, 0x08, 0xEB, 0xCC, 0xD2, 0x1F, 0x4E, 0xA7, 0x3E, 0x16, 0x3E, 0xFF, 0x5F, 0xCC, 0x2A, 0x6B, 0xD1, 0x6D, 0x5E, 0x6D, 0x43, 0xAF, 0x4C, 0x00, 0xE3, 0x57, 0x27, 0xA8, 0x74, 0x52, 0x49, 0x4A, 0x9A, 0x1D, 0x80, 0xCF, 0x6A, 0xCC, 0xF7, 0x72, 0x23, 0xD8, 0xEC, 0xCA, 0x31, 0xC2, 0xB8, 0x74, 0x7A, 0x77, 0x9D, 0xE6, 0x4F, 0xED, 0x08, 0x47, 0xB9, 0x27, 0xD9, 0xE4, 0x9A, 0x7F, 0xC2, 0xB9, 0x93, 0xB1, 0xFF, 0xF4, 0x82, 0xDA, 0xE3, 0x6B, 0xFB, 0x98, 0xBB, 0x24, 0x00, 0xC9, 0xC2, 0xD7, 0x93, 0x99, 0xD4, 0x34, 0x4C, 0x9A, 0x57, 0x26, 0x83, 0xBF, 0xA2, 0x66, 0xEE, 0x55, 0xE5, 0xA2, 0xE9, 0x58, 0xCD, 0x9D, 0xE2, 0x96, 0xDD, 0x97, 0x6B, 0x3E, 0x94, 0xD8, 0x40, 0x3E, 0x1A, 0xBB, 0x71, 0xE1, 0x2C, 0x26, 0xA4, 0x00, 0x22, 0xBA, 0xCF, 0x96, 0xF1, 0xE9, 0x3D, 0xB9, 0x26, 0x5B, 0x4D, 0x6C, 0x01, 0x2E, 0x2E, 0x2E, 0x20, 0x77, 0x61, 0x69, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x66, 0x6F, 0x72, 0x20, 0x79, 0x6F, 0x75 };

To read this, a plain BinaryReader can read it from your packed exe. Edited: on another topic, something I see which is related to the Appfuscator attribute: liOnisar, that guy said he made an obfuscator like this and gives protection services ("related buyer or seller") on hackforums. Appfuscator uses an online server to read the string key, and your exe uses a JIT hook to read the string key at runtime only. Edited March 25, 2014 by Death
kao Posted March 25, 2014 Author You're making progress, I like that! Again, there is no JIT hook in my keygenme. It's simply a mixed-mode assembly with both .NET and x86 code.
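A quick check a reverser can run before hunting for JIT hooks, as an added example that is not part of the thread and not kao's tool: the CLI header of a .NET image carries a Flags dword, and when COMIMAGE_FLAGS_ILONLY is clear the file declares that it contains native code as well as IL, which is what a mixed-mode assembly like the one kao describes looks like to the loader. The script below parses the PE and CLI headers with the standard library only. Since the keygenme binary is not on the page, it also builds a constructed minimal PE32 image (made-up section, RVA and metadata values, not a real binary) so the check can be exercised offline; point it at a real file with the usage at the bottom.

```python
import struct
import sys

# CLI header flags (ECMA-335 II.25.3.3.1)
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010
COM_DESCRIPTOR_DIRECTORY = 14  # index of the CLR runtime header data directory


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def cli_header_flags(data):
    """Return the CLI header Flags dword, or None if the PE has no CLR directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= COM_DESCRIPTOR_DIRECTORY:
        return None
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * COM_DESCRIPTOR_DIRECTORY)
    if clr_rva == 0 or clr_size == 0:
        return None                                            # plain native PE, not managed
    sec_tbl = opt + opt_size
    sections = []
    for i in range(num_sections):
        # section header: Name(8), VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    hdr = _rva_to_offset(sections, clr_rva)
    # IMAGE_COR20_HEADER: cb(4) MajorRuntimeVersion(2) MinorRuntimeVersion(2) MetaData(8) Flags(4) ...
    return struct.unpack_from("<I", data, hdr + 16)[0]


def classify(data):
    """Summarise what the CLI header claims about the image."""
    flags = cli_header_flags(data)
    if flags is None:
        return {"managed": False}
    return {
        "managed": True,
        "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
        "mixed_mode": not (flags & COMIMAGE_FLAGS_ILONLY),   # native code declared alongside IL
        "strong_name_signed": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
        "native_entry_point": bool(flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT),
    }


def build_test_image(cli_flags, managed=True):
    """Constructed minimal PE32 with one .text section at RVA 0x2000 and a CLI header at RVA 0x2008.
    All values are made up for the example; this is not a real or runnable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_DIRECTORY, 0x2008, 72)
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, 0x200, 0x2000, 0x200, 0x200)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(0x400, b"\0")
    # cb, major, minor, MetaData RVA/size, Flags, EntryPointToken (made-up values)
    struct.pack_into("<IHHIIII", image, 0x208, 72, 2, 5, 0x2100, 0x100, cli_flags, 0x06000001)
    return bytes(image)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(classify(f.read()))
```

The flag only tells you what the loader will believe about the file, so treat a clear ILONLY bit as the cue to stop looking for runtime hooks and start looking for the native side: the PE entry point when COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set, the VTableFixups directory in the same CLI header, and any sections or exports a pure C# compiler would never emit. Reflector, de4dot and friends only show the IL half of such a file, which is exactly why kao says a pure tool-running approach will not break it.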
Hadits follower Posted March 25, 2014 (edited) It's ok kao, I may be mistaken :/ I just wanted to say something to you. Edited March 25, 2014 by Death
Hadits follower Posted March 25, 2014 (edited) Here is a dump of all the strings and everything in this DLL; at runtime it reads the strings from here. Password PM'd. 2 ways to unpack: 1. by dumping the DLL, rebuild a new netmodule exe combined with the original packed exe using HxD.exe, CFF or ILDASM; 2. JitDumper is a debugger which uses .load by the CLR to dump the native DLL. clr.zip Edited March 25, 2014 by Death