Tuts 4 You

[Don't touch ME] - Part 2



Posted

Difficulty : NAN
Language : Delphi
Platform : Windows x64
OS Version : Windows 7
Packer / Protector : None

Description :

Challenge : Your solution should be able to report whenever the message box appears in the victim.

Here are the challenge rules :


1 - No patching is allowed. It doesn't matter how you solve it as long as the SHA-1 of the original file stays "9F1CCEBBDAB4A0CEEC30C61F1D64C4B1DEAE8CBE".

2 - If your solution includes any coding then it should only be C#.

3 - Writing a simple tutorial is obligatory, don't post your solution if you don't want to write a tutorial.

4 - Don't use dUP / uPPP or similar tools but you can write your own tools if needed.

5 - If you modify the process memory then your solution is only allowed to modify 2 bytes at most, not more!



Part 2.rar

Posted

It looks exactly the same to me.


Posted

Maybe you didn't understand the purpose of this challenge: "Your solution should be able to report whenever the message box appears in the victim."

Besides, you have modified more than 2 bytes, as I can see in this image.

Posted

Oooh, I just opened part 1 and 2 and I saw the same SHA-1, so I thought you probably forgot to change the stuff you wanted to. Alright :P

Posted
On 2016-09-23 at 4:06 PM, Kurapica said:

2 - If your solution includes any coding then it should only be C#.

Sorry, had to break it; included Delphi source (x32/Delphi 7).

Loader.rar

Posted

Sorry, but your solution is invalid. It's not supposed to stop the message box; your solution should be able to know when the message box appears.

check my solution.


Posted

You cannot solve your own challenges! :D

I plan to work on it after FLARE-ON CTF but you made it before XD

Posted

I thought no one was interested so I released the solution for educational purposes.

Posted (edited)

Bro @Kurapica: I'm not really a programmer (I usually can "break" down programs pretty well though :D - malware analysis), but I was thinking along the lines of (maybe) hooking the call to MessageBox so that every time, before the MessageBox is shown, it would also create some sort of notification message...

But your conditions that it had to be coded in C# and that only a 2-byte change is allowed made me put it off for later this week.

Otherwise I would simply inject my own DLL - problem solved!

Did not have the time to look at your solution yet. Must be something pretty intelligent :)

Hope to better my learning and understanding from your solutions !

Please keep them coming.

Your Fan :)


Edited by Techlord
Posted

Thanks for the nice words :D

I wanna add a little explanation on those 2 bytes ...

The reason I used these 2 bytes, EB FE, is that the new instruction will elicit a jump back to itself.

They translate literally to "Jump ahead -2 bytes from the start of the next instruction."

Since this instruction is itself 2 bytes long, the jump destination will be the jump instruction itself.

So we are stuck at this location, and we can later know that the target is looping there by checking the EIP, which we can acquire by using GetThreadContext.
Posted

The EB FE substitution reminds me of the SoftICE days, when we had to replace the OEP of some unpacked files with the EB FE opcodes before dumping it with LordPE or something :)

The good old days before Olly was mainstream... It also reminded me of the Break-and-Enter technique using LordPE/PETools that was so common in those days...

Finally got a chance tonight to take a quick look at your code (the solution). A very smart and innovative way to make use of the EB FE opcodes and GetThreadContext for solving this crackme...

Was planning to break my head looking into various options involving hooking, that would not violate your 2-byte condition, over this weekend... haha. Probably would have failed to achieve it without modifying more than 2 bytes !

Keep 'em coming !

Posted

Thanks for the nice words ... I really appreciate it although they make me feel so old :D !

I think I am old now !!!

Posted

@Kurapica: You'll be old when you reach 60. Now you have just grown up. ;) 

Posted
5 hours ago, Techlord said:

Probably would have failed to achieve it without modifying more than 2 bytes !

Inject an exception handler, set some debug registers and you can do it with 0 bytes :thumbsup:

Posted

Good luck implementing exception handler in 0 bytes. Or 2 bytes, for that matter. :thumbsup:

Posted

So the good old deadlock (jmp $-5 could be done too) -> GetThreadContext -> sleep a bit, check if EIP = previous EIP... do so while incrementing some threshold; once the threshold is reached, the deadlock is hit... I used to do that on SafeDisc and SecuROM a hell of a lot in my tools :)

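As an added example (not Kurapica's solution, the posted Loader.rar, or any other file from this thread), the following C# loader combines the EB FE self-jump explained earlier in the thread with the "sample EIP, sleep, count consecutive identical samples against a threshold" loop described in the post above. It is written in C# because rule 2 requires it. Everything about the victim is an assumption: that it is a 32-bit process calling user32!MessageBoxA (Delphi 7 is an Ansi VCL; pass another export name if the crackme uses something else), that this loader is built with platform target x86 so user32 has the same base in both processes, and that the two patched bytes are the `mov edi, edi` hot-patch prologue at the export's entry. All class and variable names are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

// Example loader, not from the thread. Assumes a 32-bit victim, an x86 build of this
// program, and a patch point at the first two bytes of a user32 export (mov edi, edi).
static class DeadlockReporter
{
    const uint PROCESS_VM_OPERATION = 0x0008, PROCESS_VM_READ = 0x0010,
               PROCESS_VM_WRITE = 0x0020, PROCESS_QUERY_INFORMATION = 0x0400;
    const uint THREAD_GET_CONTEXT = 0x0008, THREAD_SUSPEND_RESUME = 0x0002;
    const uint CONTEXT_CONTROL = 0x00010000 | 0x0001;   // CONTEXT_i386 | CONTEXT_CONTROL

    // x86 CONTEXT is 716 bytes and Eip lives at offset 0xB8; only the fields used are named.
    [StructLayout(LayoutKind.Explicit, Size = 716)]
    struct CONTEXT32
    {
        [FieldOffset(0x00)] public uint ContextFlags;
        [FieldOffset(0xB8)] public uint Eip;
    }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr done);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr done);
    [DllImport("kernel32.dll", SetLastError = true)] static extern uint SuspendThread(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] static extern uint ResumeThread(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool GetThreadContext(IntPtr h, ref CONTEXT32 ctx);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)] static extern IntPtr GetModuleHandle(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true)] static extern IntPtr GetProcAddress(IntPtr module, string name);

    // GetThreadContext is only reliable on a suspended thread, so bracket the read.
    static uint ReadEip(IntPtr hThread)
    {
        var ctx = new CONTEXT32 { ContextFlags = CONTEXT_CONTROL };
        SuspendThread(hThread);
        bool ok = GetThreadContext(hThread, ref ctx);
        ResumeThread(hThread);
        return ok ? ctx.Eip : 0;
    }

    static void Main(string[] args)
    {
        if (args.Length < 1) { Console.WriteLine("usage: DeadlockReporter <pid> [user32 export, default MessageBoxA]"); return; }
        int pid = int.Parse(args[0]);
        string export = args.Length > 1 ? args[1] : "MessageBoxA";
        // System DLLs share one base per session, so our own user32 address is the victim's too.
        IntPtr trap = GetProcAddress(GetModuleHandle("user32.dll"), export);
        uint trapEip = (uint)trap.ToInt32();

        IntPtr hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, false, pid);
        if (hProc == IntPtr.Zero) throw new Exception("OpenProcess failed: " + Marshal.GetLastWin32Error());

        var original = new byte[2];               // the only 2 bytes ever touched (rule 5)
        var selfJump = new byte[] { 0xEB, 0xFE }; // jmp -2 from the next instruction = jmp to itself
        IntPtr done;
        ReadProcessMemory(hProc, trap, original, 2, out done);
        WriteProcessMemory(hProc, trap, selfJump, 2, out done);

        var victim = Process.GetProcessById(pid);
        const int threshold = 3;                  // consecutive samples parked at the trap before reporting
        int hits = 0;
        while (!victim.HasExited)
        {
            Thread.Sleep(50);
            victim.Refresh();
            foreach (ProcessThread t in victim.Threads)
            {
                IntPtr hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, false, (uint)t.Id);
                if (hThread == IntPtr.Zero) continue;
                if (ReadEip(hThread) == trapEip && ++hits >= threshold)
                {
                    Console.WriteLine("[{0:HH:mm:ss}] thread {1} is about to show a message box", DateTime.Now, t.Id);
                    hits = 0;
                    // Do not stop the box: restore the prologue while the thread is parked,
                    // wait for it to leave the entry, then re-arm the trap for the next box.
                    SuspendThread(hThread);
                    WriteProcessMemory(hProc, trap, original, 2, out done);
                    ResumeThread(hThread);
                    while (!victim.HasExited && ReadEip(hThread) == trapEip) Thread.Sleep(10);
                    WriteProcessMemory(hProc, trap, selfJump, 2, out done);
                }
                CloseHandle(hThread);
            }
        }
        CloseHandle(hProc);
    }
}
```

Build it as x86 (an AnyCPU build on 64-bit Windows would run as a 64-bit process, where the 32-bit CONTEXT layout and GetThreadContext no longer apply to a WOW64 victim), start the crackme, then run `DeadlockReporter <pid>` from the same session. The file on disk is never written, so the SHA-1 rule holds, and the restore-then-re-arm step is what keeps this a reporter rather than a blocker, which is the distinction the challenge author insists on above.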
Posted

Yeah, EB FE, I used that a lot ages ago ;) to break ;)
