Tuts 4 You
Kurapica

[Don't touch ME] - Part 2

Question

Kurapica

Difficulty : NAN
Language : Delphi
Platform : Windows x64
OS Version : Windows 7
Packer / Protector : None

Description :

Challenge : Your solution should be able to report whenever the message box appears in the victim.

Here are the challenge rules :

1 - No patching is allowed. It doesn't matter how you solve it as long as the SHA-1 of the original file stays "9F1CCEBBDAB4A0CEEC30C61F1D64C4B1DEAE8CBE"

2 - If your solution includes any coding then it should only be C#.

3 - Writing a simple tutorial is obligatory, don't post your solution if you don't want to write a tutorial.

4 - Don't use dUP / uPPP or similar tools but you can write your own tools if needed.

5 - If you modify the process memory then your solution is only allowed to modify 2 bytes at max, not more!

2016-09-21_172439.png

Part 2.rar


17 answers to this question

Recommended Posts

dex73r

It looks exactly the same to me,

Spoiler

VkTKCYbFROvi_93fbcffebebc3d298d09a8.png
Kurapica

Maybe you didn't understand the purpose of this challenge .. " Your solution should be able to report whenever the message box appears in the victim. "

Besides, you have modified more than 2 bytes, as I can see in this image.

dex73r

oooh, I just opened part 1 and 2 and I saw the same SHA-1 so I thought you probably forgot to change stuff you wanted to, alright :P

_pusher_
On 2016-09-23 at 4:06 PM, Kurapica said:

2 - If your solution includes any coding then it should only be C#.

Sorry, had to break it; included Delphi source (x32/Delphi 7)

Loader.rar

  • Like 1

Kurapica

Sorry but your solution is invalid. It's not supposed to stop the message box; your solution should be able to know when the message box appears.

Check my solution.
crystalboy

You cannot solve your own challenges! :D

I plan to work on it after FLARE-ON CTF but you made it before XD

Kurapica

I thought no one was interested so I released the solution for educational purposes.

  • Like 2

Techlord

Bro @Kurapica : I'm not really a programmer (I usually can "break" down programs :D pretty well though - Malware Analysis) - but was thinking along the lines of (maybe) hooking the call to MessageBox so that every time before the MessageBox is shown, it would also create some sort of notification message...

But your conditions that it was to be coded in C# and only a 2-byte change allowed made me put it off for later this week.

Otherwise I would simply INJECT my own dll - problem solved !

Did not have the time to look at your solution yet. Must be something pretty intelligent :)

Hope to better my learning and understanding from your solutions !

Please keep them coming.

Your Fan :)

  • Like 1
Kurapica

Thanks for the nice words :D

I wanna add a little explanation on those 2 bytes ...

Quote

The reason I used these 2 bytes EB FE is that the new instruction will elicit a jump back to itself.

They translate literally to "Jump ahead -2 bytes from the start of the next instruction."

Since this instruction is itself 2 bytes long, the jump destination will be the jump instruction itself.

So we are stuck at this location and we can later know that the target is looping there by checking the EIP, which we can acquire by using GetThreadContext.

  • Like 2

Techlord

The EB FE substitution reminds me of the SoftICE days when we had to replace the OEP of some unpacked files with the EB FE opcodes before dumping it with LordPE or something :)

The good old days before Olly was mainstream... Reminded me also of the Break-and-Enter technique using LordPE/PETools that was so common in those days ...

Finally got a chance tonight to take a quick look at your code (the solution). A very smart and innovative way to make use of the EB FE opcodes and GetThreadContext for solving this crackme ...

Was planning to break my head looking into various options involving hooking, that would not violate your 2-byte condition, over this weekend... haha. Probably would have failed to achieve it without modifying more than 2 bytes !

Keep 'em coming !

  • Like 1
Kurapica

Thanks for the nice words ... I really appreciate it although they make me feel so old :D !

I think I am old now !!!

  • Like 1

kao

@Kurapica: You'll be old when you reach 60. Now you have just grown up. ;) 

  • Like 1

mrexodia
5 hours ago, Techlord said:

Probably would have failed to achieve it without modifying more than 2 bytes !

Inject an exception handler, set some debug registers and you can do it with 0 bytes :thumbsup:

  • Like 3

kao

Good luck implementing exception handler in 0 bytes. Or 2 bytes, for that matter. :thumbsup:

  • Like 2

evlncrn8

so the good old deadlock (jmp $-5 could be done too) -> GetThreadContext -> sleep a bit, check if eip = previous eip.. do so incrementing some threshold.. once threshold is reached then the deadlock is hit... used to do that on safedisc and securom a hell of a lot in my tools :)

  • Like 2

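An added illustration of the two ideas above (Kurapica's explanation of why EB FE loops on itself, and evlncrn8's "sample EIP until it stops moving" check). This is not code from the thread or from Kurapica's solution, and it is Python rather than the C# the rules ask for, so that it runs offline: the GetThreadContext call is replaced by a constructed trace of instruction-pointer values, PATCH_ADDR is a made-up address standing in for the victim's MessageBox call site, and "jmp $-5" is read here as the 5-byte near form whose displacement is -5. It goes a little beyond the posts by encoding and decoding both jump forms for arbitrary addresses, not just the self-loop case.

```python
# Added illustration (not from the thread): the displacement arithmetic behind
# the EB FE self-loop, and the "EIP stopped moving" check a monitor would run.
# On Windows the sampler would wrap SuspendThread/GetThreadContext/ResumeThread
# and read CONTEXT.Eip; here a constructed trace replaces it so the logic runs
# offline.
from typing import Callable, List, Optional


def decode_short_jmp(addr: int, code: bytes) -> int:
    """Destination of a 2-byte 'jmp rel8' (EB xx) located at addr.
    The displacement is a signed byte relative to the start of the NEXT
    instruction (addr + 2), which is why EB FE (rel8 = -2) lands on itself."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a short jmp")
    rel8 = int.from_bytes(code[1:2], "little", signed=True)
    return (addr + 2 + rel8) & 0xFFFFFFFF


def decode_near_jmp(addr: int, code: bytes) -> int:
    """Destination of a 5-byte 'jmp rel32' (E9 xx xx xx xx) located at addr.
    Same rule: the displacement is relative to the next instruction (addr + 5),
    so E9 FB FF FF FF (rel32 = -5) also jumps to itself."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a near jmp")
    rel32 = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel32) & 0xFFFFFFFF


def encode_short_jmp(addr: int, target: int) -> bytes:
    """Build the 2-byte short jmp placed at addr that lands on target."""
    rel = target - (addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target not reachable with rel8")
    return b"\xEB" + rel.to_bytes(1, "little", signed=True)


def encode_near_jmp(addr: int, target: int) -> bytes:
    """Build the 5-byte near jmp placed at addr that lands on target."""
    rel = target - (addr + 5)
    return b"\xE9" + rel.to_bytes(4, "little", signed=True)


def detect_spin(sample_eip: Callable[[], int], threshold: int,
                max_samples: int) -> Optional[int]:
    """Poll the instruction pointer and report the address once it has been
    seen `threshold` times in a row (the thread is parked on the jump).
    A single repeated reading is not enough; the streak must reach the
    threshold. Returns None if the sample budget runs out first."""
    last: Optional[int] = None
    streak = 0
    for _ in range(max_samples):
        eip = sample_eip()
        if eip == last:
            streak += 1
        else:
            last, streak = eip, 1
        if streak >= threshold:
            return eip
    return None


def make_sampler(trace: List[int]) -> Callable[[], int]:
    """Constructed stand-in for GetThreadContext: yields the trace values in
    order, then keeps returning the last one (the thread stays parked)."""
    it = iter(trace)
    parked = trace[-1]

    def sample() -> int:
        return next(it, parked)

    return sample


# Constructed values for the demo. The real patch address is wherever the
# victim's call to MessageBox sits; this example does not know it.
PATCH_ADDR = 0x00401F30
PATCH = encode_short_jmp(PATCH_ADDR, PATCH_ADDR)   # the 2-byte EB FE patch

# Constructed EIP trace: ordinary execution, including one address that is
# sampled twice by chance, then the thread reaches the patch and stays there.
CONSTRUCTED_TRACE = [0x00401000, 0x00401012, 0x00401012, 0x00401055,
                     0x004010A0] + [PATCH_ADDR] * 8


def demo() -> Optional[int]:
    """Run the detector over the constructed trace; returns PATCH_ADDR."""
    hit = detect_spin(make_sampler(CONSTRUCTED_TRACE), threshold=5, max_samples=50)
    # Confirm the stable EIP really is our own self-loop and not some other
    # tight loop in the victim before reporting "message box reached".
    if hit is not None and decode_short_jmp(hit, PATCH) == hit:
        return hit
    return None


if __name__ == "__main__":
    print("patch bytes:", PATCH.hex(), "parked at:", demo())
```

In a real monitor the sampler suspends the thread, reads its context, resumes it and sleeps a little between samples; the threshold is what keeps a momentarily repeated reading from being mistaken for the parked loop.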
sirp

yeah, EB FE, I used that a lot ages ago ;) to break ;)
