Tuts 4 You

[CrackMe/UnpackMe/RunMe/etc] Saturday Night Challenge!


simple


It's Saturday night party time! Crack open your laptop and head to the dancefloor w/this latest challenge wooooo hoooooo yeaaahhhh!!

Intro: The original project was done by a team whose coders I've learned a lot from and respect. When it gets broken I'll post the orig. credits + source + custom mods + tools. There's some stupid stuff in there, not trying to be fancy/complicated. The original project was flagged by just about every AV, so I had to briefly change some things to drop the rates to 10/55. Despite false positives, there's nothing malicious about this, the code is easy to read - do confirm yourself.

 

Once it gets cracked, in an hour or so, I have my own implementation (scans 0/55 on virustotal) that will be a bit more.... involved ; )

 

***********************************************************************

Goal: Input correct code to make .exe run / write tool to extract .exe from existing binary

Language: masm & C

Packer: no

Difficulty: 0.25/10

GUI: no, this ain't about pretty buttons!

***********************************************************************

JustForFun.rar


Here is the dump. I dumped it using a different method than what is expected, I guess. The 'magic' number is 254 to get the buffer back to the expected executable.


However, you need to walk the XOR through all 254 keys.


 


The file data is decoded at the start of the entry point here:


sub_401000((int)dword_403000, 527872, dword_483E6C);


 


This gives us the file size and where it is in memory. So I opened the file in a hex editor and dumped out this area into a C array.


File Offset: 0x00A00


Size: 527872


 


Then in C++ I did:



 
#include <Windows.h>
#include <stdio.h>

// Data.h holds the bytes dumped from file offset 0xA00, e.g.
//   unsigned char hexData[527872] = { ... };
#include "Data.h"

// Reimplementation of the decoder at sub_401000: XOR every byte of the
// a2-byte buffer at a1 with the single-byte key a3. Pointers travel as
// ints the way the decompiler shows them, so build this as 32-bit.
int __stdcall sub_401000(int a1, int a2, char a3)
{
  int result; // eax@1
  int v4; // ecx@1

  result = a1;
  v4 = a2;
  do
  {
    *(unsigned char *)result++ ^= a3;
    --v4;
  }
  while ( v4 );
  return result;
}

int __cdecl main(int argc, char* argv[])
{
    // Decrypt the file.. applying keys 0..254 one after another is the
    // same as a single XOR with their fold, 0 ^ 1 ^ ... ^ 254 == 0xFF.
    for (auto x = 0; x < 255; x++)
        sub_401000((int)hexData, 527872, (char)x);

    // Dump the file.. fopen_s returns an errno_t, 0 (ERROR_SUCCESS) on success.
    FILE* f = NULL;
    if (fopen_s(&f, "dump.exe", "wb") != ERROR_SUCCESS)
        return 1;

    fwrite(hexData, 1, 527872, f);
    fclose(f);

    return ERROR_SUCCESS;
}

 

hexData being the data dump from the file.

dump.7z


Nice job! Do note that the XOR key is 0xFF, and to make the file run/decode naturally the passcode is just 1122 (254 won't work).


 


The original project is ExecuteFromMemory by at4re. I added the Xor code in masm and wrote a cli tool in C to format a file. If you want to "pack" your own executables like this, just do -


 


masmbyteformat.exe infile.exe outfile.inc


 


infile.exe = exe you want to xor and format


 


outfile.inc = it will format the bytes in dd little-endian format and write them to outfile.inc. This is the file you include in your masm project.


 


There is a small bug in the formatting of the last 4 bytes; just fix it by hand, I haven't had time/motivation to fix it. Sources attached.


 


Tomorrow I will post the next version, stay tuned ; )


sources.7z

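Putting the two posts above together as one worked example: atom0s's dump walks the XOR through every key, simple's note says the single key is 0xFF, and the masmbyteformat description ends with a bug in the last 4 bytes. The code below is an added example, not the challenge author's masmbyteformat tool and not atom0s's dumper. fold_keys, looks_like_pe, extract_pe and format_dd are names chosen here, the 0x48-byte stand-in image, the 0x200 container offset and the five-byte sample are constructed, and padding a trailing partial dword with zero bytes is a design choice of this example, not a statement about how the original tool behaves.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XOR with keys 0..last one after another equals a single XOR with their
   fold, which is why the 255-key walk and the single key 0xFF agree. */
uint8_t fold_keys(unsigned last)
{
    uint8_t k = 0;
    for (unsigned x = 0; x <= last; x++)
        k ^= (uint8_t)x;
    return k;                               /* fold_keys(254) == 0xFF */
}

/* Sanity check on a recovered image: 'MZ' at 0, e_lfanew at 0x3C, and the
   'PE\0\0' signature where e_lfanew points. */
int looks_like_pe(const uint8_t *p, size_t n)
{
    if (n < 0x40 || p[0] != 'M' || p[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)p[0x3C] | (uint32_t)p[0x3D] << 8 |
                        (uint32_t)p[0x3E] << 16 | (uint32_t)p[0x3F] << 24;
    return e_lfanew <= n - 4 && memcmp(p + e_lfanew, "PE\0\0", 4) == 0;
}

/* Unpacker side: take `size` bytes at file offset `off`, undo the XOR and
   check the result. Returns 1 if `out` holds a plausible PE image. */
int extract_pe(const uint8_t *file, size_t flen, size_t off, size_t size,
               uint8_t key, uint8_t *out)
{
    if (off > flen || size > flen - off)
        return 0;                           /* region is not inside the file */
    for (size_t i = 0; i < size; i++)
        out[i] = file[off + i] ^ key;
    return looks_like_pe(out, size);
}

/* Packer side: XOR the image and emit masm `dd` lines, little-endian, eight
   dwords per line. A trailing partial dword is padded with zero bytes (the
   spot the post says the original formatter gets wrong); the decoder still
   uses the real byte count. Returns the number of dwords emitted. */
size_t format_dd(const uint8_t *data, size_t n, uint8_t key,
                 char *out, size_t outlen)
{
    size_t pos = 0, dwords = 0;
    for (size_t i = 0; i < n; i += 4, dwords++) {
        uint32_t v = 0;
        for (size_t j = 0; j < 4 && i + j < n; j++)
            v |= (uint32_t)(data[i + j] ^ key) << (8 * j);
        const char *sep = (dwords % 8 == 0) ? "dd " : ", ";
        const char *eol = (dwords % 8 == 7 || i + 4 >= n) ? "\n" : "";
        int w = snprintf(pos < outlen ? out + pos : NULL,
                         pos < outlen ? outlen - pos : 0,
                         "%s0%08Xh%s", sep, (unsigned)v, eol);
        if (w < 0)
            return 0;
        pos += (size_t)w;
    }
    return dwords;
}

/* Constructed stand-in image: only the header fields the check inspects. */
size_t build_sample(uint8_t img[0x48])
{
    memset(img, 0, 0x48);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                       /* e_lfanew -> 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    return 0x48;
}

/* Store the sample XOR-ed at offset 0x200 of a dummy container, then extract. */
int demo_roundtrip(void)
{
    uint8_t img[0x48], out[0x48], file[0x200 + 0x48];
    size_t n = build_sample(img);
    memset(file, 0xCC, sizeof file);
    for (size_t i = 0; i < n; i++)
        file[0x200 + i] = img[i] ^ 0xFF;
    if (extract_pe(file, sizeof file, 0x200, n, 0x00, out))
        return 0;                           /* wrong key must be rejected */
    return extract_pe(file, sizeof file, 0x200, n, 0xFF, out) &&
           memcmp(out, img, n) == 0;
}

/* Five bytes, so the last dword is partial: "dd 0FF6FA5B2h, 0000000FCh". */
int demo_format(void)
{
    static const uint8_t five[] = { 0x4D, 0x5A, 0x90, 0x00, 0x03 };
    char inc[64];
    return format_dd(five, sizeof five, 0xFF, inc, sizeof inc) == 2 &&
           strcmp(inc, "dd 0FF6FA5B2h, 0000000FCh\n") == 0;
}
```

demo_roundtrip() and demo_format() exercise both directions; for a real container you would call extract_pe with the offset and size read from the decoder call (0xA00 and 527872 in the dump above) and treat a failed looks_like_pe as "wrong key or wrong region" rather than trusting the bytes. The e_lfanew check matters because a wrong single-byte key can still leave a stray 'MZ' in place by coincidence, while the signature at a pointer that must itself decode correctly does not.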

Wooo hooooo yeeeahhhhh party crackers the party continues to Sunday morning ! Show me wat u got !

***********************************************************************

Goal: Input correct code to make .exe run / write tool to extract .exe from existing binary

Language: C

Packer: no

Difficulty: 0.35/10

3rd Party Libraries: OpenSSL

***********************************************************************

PS - Added some features from another project which angers a couple of AVs (2/56). No point in changing the entire code base just to remove these detections, but again the file is 100% innocent; if using Avira or Fortinet, disable it before dl'ing the file.

 

Given that the username and password are both based on user input, does this not turn into a bruteforce-me? It's impossible to tell what the original name/pass are since they are not compared to anything and are just immediately used in the decryption calls to decrypt the resource.

EVP_DecryptInit(&v39, v7, v44, v43); // v44 is username, v43 is password
EVP_DecryptUpdate(&v39, v40, &v42, v45, v47);
EVP_DecryptFinal(&v39, (char *)v40 + v42, &v41);
 
This makes it pretty much impossible to tell what the name/pass are without doing any kind of brute forcing.
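The situation atom0s describes, as an added example that is not part of the thread and not the challenge's code: the candidate passcode goes straight into the decryption and nothing ever compares it, so the only oracle is whether the output parses as a PE. The cipher here is RC4 keyed directly with the candidate, a stand-in chosen for this example because the thread does not name the EVP cipher and so the code runs without OpenSSL; with the real binary the same loop would feed each candidate into EVP_DecryptInit in place of v44/v43. The 4-digit numeric space is an assumption taken from the first challenge's 1122, the encrypted resource is constructed, and rc4_xor, pe_header_ok, brute_force and recover_passcode are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the EVP cipher: RC4 keyed directly with the candidate
   passcode (assumption; the thread does not say which cipher is used). */
void rc4_xor(const uint8_t *key, size_t klen, uint8_t *buf, size_t n)
{
    uint8_t S[256], t;
    unsigned i, j;
    for (i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    for (i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % klen]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = 0, j = 0; n--; buf++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
        *buf ^= S[(S[i] + S[j]) & 0xFF];
    }
}

/* The only oracle available: does the plaintext look like a PE? 'MZ' first,
   then the 'PE\0\0' signature at e_lfanew. */
int pe_header_ok(const uint8_t *p, size_t n)
{
    if (n < 0x40 || p[0] != 'M' || p[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)p[0x3C] | (uint32_t)p[0x3D] << 8 |
                        (uint32_t)p[0x3E] << 16 | (uint32_t)p[0x3F] << 24;
    return e_lfanew <= n - 4 && memcmp(p + e_lfanew, "PE\0\0", 4) == 0;
}

/* Try every 4-digit passcode (assumed space). With a stream cipher only the
   first two bytes need decrypting to reject a candidate; survivors get the
   full decrypt and the full header check. Returns the passcode, or -1 if no
   candidate yields a PE. */
int brute_force(const uint8_t *ct, size_t n, uint8_t *pt)
{
    char code[5];
    if (n < 2)
        return -1;
    for (int c = 0; c < 10000; c++) {
        snprintf(code, sizeof code, "%04d", c);
        uint8_t head[2] = { ct[0], ct[1] };
        rc4_xor((const uint8_t *)code, 4, head, 2);
        if (head[0] != 'M' || head[1] != 'Z')
            continue;                       /* cheap reject, no full decrypt */
        memcpy(pt, ct, n);
        rc4_xor((const uint8_t *)code, 4, pt, n);
        if (pe_header_ok(pt, n))
            return c;
    }
    return -1;
}

/* Constructed resource: a minimal fake image encrypted under `code`. */
size_t make_resource(const char *code, uint8_t out[0x48])
{
    memset(out, 0, 0x48);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                       /* e_lfanew -> 0x40 */
    memcpy(out + 0x40, "PE\0\0", 4);
    rc4_xor((const uint8_t *)code, strlen(code), out, 0x48);
    return 0x48;
}

/* Encrypt the sample under `code`, then see whether the search finds it. */
int recover_passcode(const char *code)
{
    uint8_t ct[0x48], pt[0x48];
    size_t n = make_resource(code, ct);
    return brute_force(ct, n, pt);
}

int main(void)
{
    printf("1122 -> %d\n", recover_passcode("1122"));   /* inside the space */
    printf("abcd -> %d\n", recover_passcode("abcd"));   /* outside it: -1 */
    return 0;
}
```

The cost is bounded by the size of the input space, not by the cipher: 10,000 key schedules is nothing, and a block cipher only changes the cheap-reject step to "decrypt the first block". That is the point atom0s is making; once the passcode is never verified, the resource's own header is the verifier, and the challenge reduces to enumeration.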

zadow - both of them work fine on win8x64 for me. If you do not enter the correct key, the incorrect bytes will be written to proc memory, hence causing a crash. Open JustForFun.exe on win8x64, then type 1122 and it will run.


 


atom0s - notice which type of encryption I'm using. It is not considered an "unbreakable crypto", and several have claimed to break it. And next time I'll change a few lines of OpenSSL source so your static-based automated code regenerating tools will not correctly identify the calls I use :rudolph:



I understand it's not unbreakable, it's just that much of a fun challenge to have to bruteforce it though, in my opinion. Dumping the executable is easy; it's in the exe's resources. It's just the decryption layer that is kind of a disappointment.


Hey man, don't crash the party! IMO it's no fun to just use auto tools to rebuild easy-to-read high level code either, but anything goes, u know.

U can't say this isn't realistic! U will see this in the wild; a reverser can learn to recognize it and walk away ; ) Unless u r a crypto expert...

 

And I don't claim to be smart enough to teach people, etc. I post this to practice/improve my own programming.

edit - ok ok I'll replace the crypto w/kernel protection
