RDGMax Posted April 21, 2015 (edited)

Hello my friends. Here is a new crackme, VB .NET. Try to get the correct serial or patch it.

Correct serial: 100 points
Patch: 60 points

Note: includes a small delay (Sleep x 10).

Thanks

RDG.Crackme.net.v4.2015.zip

Edited April 22, 2015 by RDGMax
kao Posted April 22, 2015

I'll take the 100...

kao : C49476D583364356253377056314435396D456F44796C7A55746431564433544
tuts4you : B6B646D664567664A7867365A7A6132746575446F566A42476D35716E4A73314

If nobody else comes up with a tutorial, I'll make one over the weekend.
XenocodeRCE Posted April 22, 2015

Can't debug it via Reflector's plugin. Redgate is pure shit. Really.

http://i.imgur.com/oiwyP6J.png
n0th!ng Posted April 23, 2015

I hooked "Operators.CompareString" and logged all the parameters passed to it:

user: n0th!ng
serial: 4626442694C6B6D57696F326976307779666B6438772F45525A757A707A756E4
kao Posted April 23, 2015

@n0th!ng: that was exactly my approach. Are you willing to write a tutorial so that others can learn, too?
n0th!ng Posted April 23, 2015

@kao: I am not really good at making tutorials in English, but I can share the source code with a few comments if that will help.
n0th!ng Posted April 23, 2015 (edited)

Anyway, I will write the fundamentals of how to hook any function:

1- Get the address of the API that we want to hook (I will call it the first address (method)).
2- Get the address of the API that we want to pass the parameters to // it must have the same parameters and return value as the first method.
3- Calculate the size of the jump ((FirstAddress + 5) - SecondAddress); 5 represents the length of the patch: 1 byte => for the jump opcode (0xE9), 4 bytes => size of the address.
4- Read the 5 bytes at the first address, and
5- Write a jump to the second address at the first address (use WriteProcessMemory).
6- If you want the program to continue its work you need to rewrite the original bytes to the first address and call the method, and redo the steps from 1 to 5 except 4.

Getting the address of methods: we will just use the "GetFunctionPointer" API
https://msdn.microsoft.com/en-us/library/system.runtimemethodhandle.getfunctionpointer%28v=vs.110%29.aspx

Example:
typeof(Namespace.ClassName).GetMethod(MethodName).MethodHandle.GetFunctionPointer();

The other APIs:
WriteProcessMemory https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
ReadProcessMemory https://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx
VirtualProtect https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898%28v=vs.85%29.aspx

Injecting the hooking file: use SimpleManagedInjector by codecracker. In your project create a new method with a string parameter and an integer return value; this method must initialize the hook. This one will be executed after injecting the file using SimpleManagedInjector.

-------------------------------------------------------------

On second thought, I believed that anybody who wants to learn must try it, or at least search Google for how to hook an API! And to be honest I didn't know what exactly I needed to write in this tutorial; I believed that "Hook CompareString Method" would be enough. I really want you, kao, to write another tutorial, at least to see how you did it, and how to make a good tutorial. Good luck.

Edited April 23, 2015 by n0th!ng
kao Posted April 24, 2015

I posted the writeup here: http://lifeinhex.com/sniffing-correct-serial-in-net-crackmes/ - here's a (badly formatted) copy-paste.

Introduction

In this tutorial I'll show you a generic way to break most of the crackmes written in VB.NET. It uses the fact that most crackmes made by beginners will calculate the correct serial and do a simple comparison "if enteredSerial = correctSerial then"... To break such a crackme, you only need to find this comparison and sniff the correct serial. This is a very common approach in the x86 world, but in the .NET world it's not that popular yet. As for my target, I'm using "RDG Simple Crackme .NET v4 2015".

GetProcAddress in .NET

In the x86 world you can use the GetProcAddress function to get the address of any API function from any DLL. Can we do something similar in a managed environment like .NET? It turns out that we can, but it's a little bit harder. So, for example, to get the address of Assembly.Load(byte[]) you need to do:

MethodBase mb = typeof(Assembly).GetMethod("Load", new Type[] { typeof(byte[]) });
IntPtr handle = mb.MethodHandle.GetFunctionPointer();
Console.WriteLine("Assembly.Load() = {0:X}", handle.ToInt32());

This works well with static classes and static methods. How about non-static methods like RijndaelManaged.CreateDecryptor(byte[], byte[])? That's doable as well, like this:

RijndaelManaged rijndael = new RijndaelManaged();
mb = rijndael.GetType().GetMethod("CreateDecryptor", new Type[] { typeof(byte[]), typeof(byte[]) });
handle = mb.MethodHandle.GetFunctionPointer();
Console.WriteLine("RijndaelManaged.CreateDecryptor() = {0:X}", handle.ToInt32());

To make this reference almost complete – here's how to get the address of .ctor:

ConstructorInfo ctor = typeof(MyClass).GetConstructor(Type.EmptyTypes);
IntPtr ctorPtr = ctor.MethodHandle.GetFunctionPointer();
Console.WriteLine("MyClass constructor = {0:X}", ctorPtr.ToInt32());

There are a few gotchas, however:

- In case your target type is located in an assembly that's not NGEN'ed yet, I suggest that you use ngen and install the assembly in the cache. That can prevent certain problems later.
- Addresses of functions are obviously different in .NET 2.0 and 4.0. You must compile for the correct framework version and target the correct .NET assembly.
- Addresses of functions are different for x86 and x64 framework versions, too. Make sure your assembly is compiled correctly.

Sniffing string compare

Surprisingly, string comparison in VisualBasic.NET and other .NET languages is different. It's caused by the Option Compare statement present in the Visual Basic language. So, if the crackme is made in VB.NET, you need to examine the Operators.CompareString(string,string,bool) function. For crackmes made in other languages, you'll need to examine string.Equals(string) or some other variation of this method.

So, using the code I mentioned above, I learned that the address of Operators.CompareString(string,string,bool) on my PC is 599F1D30. Now I need to sniff data passed to this function. There are several possible approaches. You can try using VisualStudio & the Reflector plugin as SpoonStudio tried, you can try using ILSpy and its debugger plugin, or you can inject a DLL into the crackme process, as suggested by n0th!ng – but I prefer to use OllyDbg.

Load the crackme in OllyDbg, make sure that all the anti-anti-debug plugins are working, all the exceptions ignored, put a breakpoint on 599F1D30 and hope for the best. Nope. Operators.CompareString is called literally thousands of times. So, we need to do something smarter. For example, we can use conditional logging breakpoints in Olly. Those breakpoints are quite slow, but it's still faster than writing some sort of hooking DLL and injecting it into the crackme. So, we need to set 2 logging breakpoints – one for each string compared. Here is the first one:

Place the second breakpoint at the next instruction (59CD1D31) and log the string at edx+8.

Run the crackme, enter some fake but easily recognizable serial and a few minutes later we have the answer: my entered serial was "1234567890123456789012345678901234567890" and it's being compared to "C49476D583364356253377056314435396D456F44796C7A55746431564433544". Hmm, could that be the correct serial for my nickname? Yes, it is!

Final notes

This was quite a nice crackme and I only showed the simplest way to beat it. When you start looking into it, you'll find some nice anti-debug tricks, some nice anti-patching tricks and pretty nicely obfuscated code. But that's a matter for another story.

Have fun!
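The two posts above describe the same primitive from opposite sides: resolving a managed method's native entry point with MethodHandle.GetFunctionPointer() (kao's writeup) and overwriting the first 5 bytes of that entry point with a JMP rel32 (n0th!ng's steps 3-5). The program below is an added example written for this thread; it is not code from the thread, from kao's writeup or from n0th!ng's hook. It takes the defender's view of the same technique: it resolves the entry points of Operators.CompareString, String.Equals and an instance method, snapshots their first bytes at startup, and later reports whether any of them now starts with a 0xE9 jump, decoding where that jump goes. It assumes a .NET Framework x86 console project that references Microsoft.VisualBasic.dll (for Operators); the RuntimeHelpers.PrepareMethod call is my addition and is not in the thread's code.

```csharp
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using Microsoft.VisualBasic.CompilerServices; // Operators.CompareString; reference Microsoft.VisualBasic.dll

// Added example (not from the thread): resolve managed entry points and
// check whether their first bytes have been replaced by a JMP rel32 detour.
static class EntryPointCheck
{
    // Force the JIT first. Before a method is compiled, GetFunctionPointer()
    // returns the runtime's temporary prestub, so a baseline taken then would
    // compare the wrong bytes later on.
    public static IntPtr Resolve(MethodBase mb)
    {
        RuntimeHelpers.PrepareMethod(mb.MethodHandle);
        return mb.MethodHandle.GetFunctionPointer();
    }

    // Copy the first `length` bytes at an entry point. 5 bytes is exactly what
    // the E9 + rel32 patch described in the thread overwrites; 8 gives slack.
    public static byte[] Snapshot(IntPtr entry, int length)
    {
        byte[] buf = new byte[length];
        Marshal.Copy(entry, buf, 0, length);
        return buf;
    }

    // If the entry point begins with opcode 0xE9 (JMP rel32), return where the
    // jump lands; otherwise IntPtr.Zero. Relative-jump semantics: the target is
    // the address of the next instruction (entry + 5) plus the signed displacement.
    public static IntPtr JumpTarget(IntPtr entry)
    {
        if (Marshal.ReadByte(entry) != 0xE9) return IntPtr.Zero;
        int rel32 = Marshal.ReadInt32(entry, 1);
        return new IntPtr(entry.ToInt64() + 5 + rel32);
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    public static void Main()
    {
        MethodBase[] watched =
        {
            // VB.NET string comparison (Option Compare), the one the crackme above uses.
            typeof(Operators).GetMethod("CompareString",
                new[] { typeof(string), typeof(string), typeof(bool) }),
            // What crackmes compiled from C# typically hit instead.
            typeof(string).GetMethod("Equals", new[] { typeof(string) }),
            // An instance method resolves exactly like the static ones.
            typeof(RijndaelManaged).GetMethod("CreateDecryptor",
                new[] { typeof(byte[]), typeof(byte[]) }),
        };

        // Baseline: taken at startup, before any plugin or injected code has run.
        var entries = new IntPtr[watched.Length];
        var baseline = new byte[watched.Length][];
        for (int i = 0; i < watched.Length; i++)
        {
            entries[i] = Resolve(watched[i]);
            baseline[i] = Snapshot(entries[i], 8);
            Console.WriteLine("{0}.{1} at {2:X}", watched[i].DeclaringType.Name,
                watched[i].Name, entries[i].ToInt64());
        }

        // Re-check later (e.g. on a timer, or right before a sensitive comparison).
        for (int i = 0; i < watched.Length; i++)
        {
            byte[] now = Snapshot(entries[i], 8);
            IntPtr target = JumpTarget(entries[i]);
            string verdict = SameBytes(baseline[i], now)
                ? "unchanged"
                : target != IntPtr.Zero
                    ? string.Format("MODIFIED: JMP rel32 to {0:X}", target.ToInt64())
                    : "MODIFIED: entry bytes differ from baseline";
            Console.WriteLine("{0}.{1}: {2}", watched[i].DeclaringType.Name,
                watched[i].Name, verdict);
        }
    }
}
```

The verdict is driven by the byte comparison against the startup baseline, not by the 0xE9 check alone: the jump decode is there to tell you where a detour goes, but the runtime itself can legitimately place stubs at an entry point, and on .NET Core with tiered compilation the compiled body (and the pointer GetFunctionPointer returns) can change without any tampering, so on that runtime the baseline approach only holds with tiering disabled. This also illustrates kao's gotchas directly: the addresses printed will differ between .NET 2.0 and 4.0 and between x86 and x64, which is why the snippet uses ToInt64() rather than the ToInt32() that his x86-only snippets use.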
skypeaful Posted April 24, 2015

Can someone post a screen-recorded tutorial using Screen2EXE for easy learning? Anyway, thanks to kao and n0th!ng for the explanatory text tutorials.