Jump to content
Tuts 4 You

[Don't touch ME] - Part 2


Kurapica

Recommended Posts

Difficulty : NAN
Language : Delphi
Platform : Windows x64
OS Version : Windows 7
Packer / Protector : None

Description :

Challenge : Your solution should be able to report whenever the message box appears in the victim.

Here are the challenge rules :

 

1 - No patching is allowed, It doesn't matter how you solve it as long as the SHA-1 of the original file stays "9F1CCEBBDAB4A0CEEC30C61F1D64C4B1DEAE8CBE"

2 - If your solution includes any coding then it should only be C#.

3 - Writing a simple tutorial is obligatory, don't post your solution if you don't want to write a tutorial.

4 - Don't use dUP / uPPP or similar tools but you can write your own tools if needed.

5 - If you modify the process memory then your solution is only allowed to modify 2 bytes at max. not more !

2016-09-21_172439.png

 

 

 

Part 2.rar

Link to comment

Maybe you didn't understand the purpose of this challenge .. " Your solution should be able to report whenever the message box appears in the victim. "

besides you have modified more than 2 bytes as I can see in this image.

Link to comment

Sorry but your solution is invalid, it's not supposed to stop the message box, your solution should be

able to know when the message box appears.

check my solution.

 

Link to comment

Bro @Kurapica : Am not really a programmer (I usually can "break" down programs :D pretty well though - Malware Analysis) -but was thinking along the lines of (maybe) hooking the call to MessageBox so that everytime before the MessageBox is shown, it would also create some sort of notification message...

But your conditions that it was to be coded in C# and only 2 bytes change allowed made me put it off for later this week..

Otherwise I would simply INJECT my own dll - problem solved !

Did not have the time to look at your solution yet. Must be something pretty intelligent :)

Hope to better my learning and understanding from your solutions !

Please keep them coming.

Your Fan :)

 

 

 

Edited by Techlord
  • Like 1
Link to comment

Thanks for the nice words :D

I wanna add a little explanation on those 2 bytes ...

Quote

 

The reason I used these 2 bytes EB FE is that the new instruction will elicit a jump back to itself.

They translates literally to "Jump ahead -2 bytes from the start of the next instruction."

Since this instruction is itself 2 bytes long, the jump destination will be the jump instruction itself.

So we are stuck at this location and we can later know that the target is looping these by checking the EIP which

we can acquire by using GetThreadContext.

 

 

  • Like 2
Link to comment

The EB FE substitution reminds me of the  Softice days when we had to replace the OEP of some unpacked files with the EB FE opcodes before dumping it with LordPE or something :)

The good old days before Olly was mainstream... Reminded me also of the Break-and-Enter technique using LordPE/PETools that was so common in those days ...

Finally got a chance tonight to take a quick look at your code (the solution). A very smart and innovative way to make use of the EB FE opcodes and the GetTYhreadContext for solving this crackme ...

Was planning to break my head looking into various options involving hooking, that would not violate your 2-byte condition, over this weekend... haha. Probably would have failed to achieve it without modifying more than 2 bytes !

Keep 'em coming !

 

  • Like 1
Link to comment
5 hours ago, Techlord said:

Probably would have failed to achieve it without modifying more than 2 bytes !

Inject an exception handler, set some debug registers and you can do it with 0 bytes :thumbsup:

  • Like 3
Link to comment

so the good old deadlock (jmp $-5 could be done too) -> GetThreadContext -> sleep a bit, check if eip = previous eip.. do so incrimenting some threshold.. once threshold is reached then the deadlock is hit... used to do that on safedisc and securom a hell of a lot in my tools :)

  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...