[CrackMe 2016] Delphi itself checks Version 1.1

[Reasen]

Difficulty : above 5
Language : Delphi XE8
Platform : Windows x86/x64
OS Version : XP and above
Packer / Protector : None

Description :

Improved version of my previous CrackMe, LostIt resolved the CrackMe adding a new section in the executable that redirects the address from where bytes of the functions are read to be able to edit the original function, now for creating the itself-key for decrypting those 2 variables (cracked or not cracked), is needed the pointer address from where it comes, also the function from where checks itself are itself checked to make the key, so his method is no longer valid, good luck to all and have fun!

The objetive of this CrackMe is get the good boy message and not a "mal-decrypted" one.

Edit: For no waste much time, Address of the button function:
005C8800   .  55            PUSH    EBP

CrackMe_1.1.rar

Screenshot :

Edited January 15, 2016 by reasen

[0xNOP]

On 1/14/2016 at 5:25 AM, reasen said:

o his method is no longer valid, good luck to all and have fun!

The objetive of this CrackMe is get the good boy message and not a "mal-decrypted" one.

Edit: For no waste much time, Address of the button function:
005C8800   .  55            PUSH    EBP

 

Spoiler

 

Full Tutorial has been uploaded.

Cracking the CrackMe v1.1 by reasen - 0x90.pdf

Edited January 21, 2016 by 0xNOP
Full tutorial uploaded.

[Reasen]

21 hours ago, 0xNOP said:

 

  Reveal hidden contents

 

Full Tutorial has been uploaded.

Cracking the CrackMe v1.1 by reasen - 0x90.pdf

Well you edited the location of the string from where read the string from the condition,
was not all i wanted, i wanted to see how would be posible bypass the itself check but i need to take this valid i think.

will do a improved version with that issue fixed for avoid more confusions in the objetive of the crackme. (Difficulty was +5 for some reason uh)

Edited January 21, 2016 by reasen

[0xNOP]

1 hour ago, reasen said:

Well you edited the location of the string from where read the string from the condition,
was not all i wanted, i wanted to see how would be posible bypass the itself check but i need to take this valid i think.

will do a improved version with that issue fixed for avoid more confusions in the objetive of the crackme. (Difficulty was +5 for some reason uh)

Alright, sorry for the misunderstanding as you mentioned you only wanted the Reverse engineer to get to the Good Boy message, again, will be waiting eagerly for the improved version.

[SmilingWolf]

Funny
I hope my solution is close to what you wanted to see

Delphi.itself.checks.Version.1.1.7z

Edited May 25, 2016 by SmilingWolf

[Reasen]

9 hours ago, SmilingWolf said:

Funny
I hope my solution is close to what you wanted to see

Delphi.itself.checks.Version.1.1.7z

That's what i was searching for, thank you!

Now i can study it easyly.

Edited May 26, 2016 by Reasen

[camilo]

I have done a liitle codecave patch for you. It is my solution.

Simply patch in a zone not selfchecked.

Just having a look at the code and trying the CC breakpoint on the button function revealed the function itself should be unpatchable, so why not make a tunelling (codecave) in the function called before the JNZ that decides good or bad boy???

After tracing that function a bit from the start of the program was clear the spot to insert the tunel in.

Have fun.

 

 

I Cracked you ;).rar

Edited May 26, 2016 by camilo

[camilo]

005C8800  /. 55             PUSH EBP
005C8801  |. 8BEC           MOV EBP,ESP
005C8803  |. B9 04000000    MOV ECX,0x4
005C8808  |> 6A 00          /PUSH 0x0
005C880A  |. 6A 00          |PUSH 0x0
005C880C  |. 49             |DEC ECX
005C880D  |.^75 F9          \JNZ SHORT I_Cracke.005C8808
005C880F  |. 51             PUSH ECX
005C8810  |. 53             PUSH EBX
005C8811  |. 33C0           XOR EAX,EAX
005C8813  |. 55             PUSH EBP
005C8814  |. 68 55895C00    PUSH I_Cracke.005C8955
005C8819  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
005C881C  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
005C881F  |. B3 01          MOV BL,0x1
005C8821  |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-0x4]
005C8824  |. BA 70895C00    MOV EDX,I_Cracke.005C8970                ;  UNICODE "CrackMe v1.1"
005C8829  |. E8 7E12E4FF    CALL I_Cracke.00409AAC
005C882E  |. B8 00885C00    MOV EAX,I_Cracke.005C8800
005C8833  |. E8 BCF9FFFF    CALL I_Cracke.005C81F4
005C8838  |. B8 F4815C00    MOV EAX,I_Cracke.005C81F4                ;  Entry address
005C883D  |. E8 B2F9FFFF    CALL I_Cracke.005C81F4
005C8842  |. B8 A47E5C00    MOV EAX,I_Cracke.005C7EA4                ;  Entry address
005C8847  |. E8 A8F9FFFF    CALL I_Cracke.005C81F4
005C884C  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-0x4]
005C884F  |. BA 98895C00    MOV EDX,I_Cracke.005C8998                ;  UNICODE "omg"
005C8854  |. E8 FF1CE4FF    CALL I_Cracke.0040A558
005C8859  |. 75 4C          JNZ SHORT I_Cracke.005C88A7
005C885B  |. 80FB 01        CMP BL,0x1
005C885E  |. 75 47          JNZ SHORT I_Cracke.005C88A7
005C8860  |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-0x10]
005C8863  |. B8 AC895C00    MOV EAX,I_Cracke.005C89AC                ;  ASCII "1zed0Axt83bu7zr1xNs5fGY="
005C8868  |. E8 37FBFFFF    CALL I_Cracke.005C83A4
005C886D  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-0x10]
005C8870  |. 50             PUSH EAX
005C8871  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-0x14]
005C8874  |. 8B15 BC765D00  MOV EDX,DWORD PTR DS:[0x5D76BC]          ;  I_Cracke.005DD784
005C887A  |. 8B12           MOV EDX,DWORD PTR DS:[EDX]
005C887C  |. B9 00000000    MOV ECX,0x0
005C8881  |. E8 DA16E4FF    CALL I_Cracke.00409F60
005C8886  |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-0x14]
005C8889  |. 8D4D F4        LEA ECX,DWORD PTR SS:[EBP-0xC]
005C888C  |. 58             POP EAX
005C888D  |. E8 F2F3FFFF    CALL I_Cracke.005C7C84
005C8892  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-0xC]
005C8895  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-0x8]
005C8898  |. E8 EF19E4FF    CALL I_Cracke.0040A28C
005C889D  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-0x8]
005C88A0  |. E8 B3A8F7FF    CALL I_Cracke.00543158
005C88A5  |. EB 45          JMP SHORT I_Cracke.005C88EC
005C88A7  |> 8D55 E0        LEA EDX,DWORD PTR SS:[EBP-0x20]
005C88AA  |. B8 D4895C00    MOV EAX,I_Cracke.005C89D4                ;  ASCII "wzWFmGM/3Hrxqgew/Z8="
005C88AF  |. E8 F0FAFFFF    CALL I_Cracke.005C83A4
005C88B4  |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP-0x20]
005C88B7  |. 50             PUSH EAX
005C88B8  |. 8D45 DC        LEA EAX,DWORD PTR SS:[EBP-0x24]
005C88BB  |. 8B15 BC765D00  MOV EDX,DWORD PTR DS:[0x5D76BC]          ;  I_Cracke.005DD784
005C88C1  |. 8B12           MOV EDX,DWORD PTR DS:[EDX]
005C88C3  |. B9 00000000    MOV ECX,0x0
005C88C8  |. E8 9316E4FF    CALL I_Cracke.00409F60
005C88CD  |. 8B55 DC        MOV EDX,DWORD PTR SS:[EBP-0x24]
005C88D0  |. 8D4D E4        LEA ECX,DWORD PTR SS:[EBP-0x1C]
005C88D3  |. 58             POP EAX
005C88D4  |. E8 ABF3FFFF    CALL I_Cracke.005C7C84
005C88D9  |. 8B55 E4        MOV EDX,DWORD PTR SS:[EBP-0x1C]
005C88DC  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-0x18]
005C88DF  |. E8 A819E4FF    CALL I_Cracke.0040A28C
005C88E4  |. 8B45 E8        MOV EAX,DWORD PTR SS:[EBP-0x18]
005C88E7  |. E8 6CA8F7FF    CALL I_Cracke.00543158
005C88EC  |> B2 01          MOV DL,0x1
005C88EE  |. B8 F8895C00    MOV EAX,I_Cracke.005C89F8
005C88F3  |. E8 30ABE5FF    CALL I_Cracke.00423428
005C88F8  |. 84C0           TEST AL,AL
005C88FA  |. 74 12          JE SHORT I_Cracke.005C890E
005C88FC  |. 8B15 BC765D00  MOV EDX,DWORD PTR DS:[0x5D76BC]          ;  I_Cracke.005DD784
005C8902  |. 8B12           MOV EDX,DWORD PTR DS:[EDX]
005C8904  |. B8 088A5C00    MOV EAX,I_Cracke.005C8A08
005C8909  |. E8 AAF4FFFF    CALL I_Cracke.005C7DB8
005C890E  |> A1 BC765D00    MOV EAX,DWORD PTR DS:[0x5D76BC]
005C8913  |. E8 6C0DE4FF    CALL I_Cracke.00409684
005C8918  |. 33C0           XOR EAX,EAX
005C891A  |. 5A             POP EDX
005C891B  |. 59             POP ECX
005C891C  |. 59             POP ECX
005C891D  |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
005C8920  |. 68 5C895C00    PUSH I_Cracke.005C895C
005C8925  |> 8D45 DC        LEA EAX,DWORD PTR SS:[EBP-0x24]
005C8928  |. BA 03000000    MOV EDX,0x3
005C892D  |. E8 E20DE4FF    CALL I_Cracke.00409714
005C8932  |. 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-0x18]
005C8935  |. E8 4A0DE4FF    CALL I_Cracke.00409684
005C893A  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-0x14]
005C893D  |. BA 03000000    MOV EDX,0x3
005C8942  |. E8 CD0DE4FF    CALL I_Cracke.00409714
005C8947  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-0x8]
005C894A  |. BA 02000000    MOV EDX,0x2
005C894F  |. E8 900DE4FF    CALL I_Cracke.004096E4
005C8954  \. C3             RET

 

As you can see button function is intact.

005C8854  |. E8 FF1CE4FF    CALL I_Cracke.0040A558

First time stopped after return from this call, so EIP was in the first JNZ, letting the program flow run on its way showed the conditional jmp will be taken, so i decided to put EIP after some bytes efectively bypassing the two JNZ, and the result was good boy

Now the trick to automate it by patching.... Follow the previous call to see what is going on.

0040A558    /$ 39D0           CMP EAX,EDX
0040A55A    |. 74 30          JE SHORT I_Cracke.0040A58C
0040A55C    |. 85D0           TEST EAX,EDX
0040A55E    |. 74 22          JE SHORT I_Cracke.0040A582
0040A560    | 8B48 FC        MOV ECX,DWORD PTR DS:[EAX-0x4]
0040A563    |. 3B4A FC        CMP ECX,DWORD PTR DS:[EDX-0x4]
0040A566    |. 75 24          JNZ SHORT I_Cracke.0040A58C
0040A568    |. 01C9           ADD ECX,ECX
0040A56A    |. 01C8           ADD EAX,ECX
0040A56C    |. 01CA           ADD EDX,ECX
0040A56E    |. F7D9           NEG ECX
0040A570    |. 53             PUSH EBX
0040A571    |> 8B1C01         /MOV EBX,DWORD PTR DS:[ECX+EAX]
0040A574    |. 3B1C11         |CMP EBX,DWORD PTR DS:[ECX+EDX]
0040A577    |. 75 07          |JNZ SHORT I_Cracke.0040A580
0040A579    |. 83C1 04        |ADD ECX,0x4
0040A57C    |.^78 F3          \JS SHORT I_Cracke.0040A571
0040A57E    |. 31C0           XOR EAX,EAX
0040A580    |> 5B             POP EBX
0040A581    |. C3             RETN

Curiosly the function is called from many places not only button press function, but seems only when called from what interests us it reaches

0040A560    | 8B48 FC        MOV ECX,DWORD PTR DS:[EAX-0x4]
0040A563    |. 3B4A FC        CMP ECX,DWORD PTR DS:[EDX-0x4]

This is where i decided to put out tunnel/hook/codecave. Put in practice was easy, just...

0040A558    /$ 39D0           CMP EAX,EDX
0040A55A    |. 74 30          JE SHORT I_Cracke.0040A58C
0040A55C    |. 85D0           TEST EAX,EDX
0040A55E    |. 74 22          JE SHORT I_Cracke.0040A582
0040A560    |> E8 CB4C1C00    CALL I_Cracke.005CF230            <---- HOOK!!
0040A565    |. 90             NOP
0040A566    |. 75 24          JNZ SHORT I_Cracke.0040A58C
0040A568    |. 01C9           ADD ECX,ECX
0040A56A    |. 01C8           ADD EAX,ECX
0040A56C    |. 01CA           ADD EDX,ECX
0040A56E    |. F7D9           NEG ECX
0040A570    |. 53             PUSH EBX
0040A571    |> 8B1C01         /MOV EBX,DWORD PTR DS:[ECX+EAX]
0040A574    |. 3B1C11         |CMP EBX,DWORD PTR DS:[ECX+EDX]
0040A577    |. 75 07          |JNZ SHORT I_Cracke.0040A580
0040A579    |. 83C1 04        |ADD ECX,0x4
0040A57C    |.^78 F3          \JS SHORT I_Cracke.0040A571
0040A57E    |. 31C0           XOR EAX,EAX
0040A580    |> 5B             POP EBX
0040A581    |. C3             RETN

And then assembled the Magic in 0x%CF230

005CF230    /$ 9C             PUSHFD
005CF231    |. 817C24 08 5988>CMP DWORD PTR SS:[ESP+0x8],I_Cracke.005C8859
005CF239    |. 74 08          JE SHORT I_Cracke.005CF243
005CF23B    |. 9D             POPFD
005CF23C    |. 8B48 FC        MOV ECX,DWORD PTR DS:[EAX-0x4]
005CF23F    |. 3B4A FC        CMP ECX,DWORD PTR DS:[EDX-0x4]
005CF242    |. C3             RETN
005CF243    |> 834424 08 06   ADD DWORD PTR SS:[ESP+0x8],0x6
005CF248    |. 9D             POPFD
005CF249    |. 8B48 FC        MOV ECX,DWORD PTR DS:[EAX-0x4]
005CF24C    |. 3B4A FC        CMP ECX,DWORD PTR DS:[EDX-0x4]
005CF24F    \. C3             RETN

Magic is self explanatory, save flags cause i will mess with them, check the magic was called from the button pressed function based on the return address, and on positive result simply add 6 bytes (the JNZ code we bypassed in the first run to get good boy) to the return address on stack, so we return directly to goodboy, if return address not match the desired one restore flags, make ECX stuff and return to the hooked function.

 

That's it.