Tuts 4 You

[Don't touch ME] - Part 2


Kurapica


Difficulty : NAN
Language : Delphi
Platform : Windows x64
OS Version : Windows 7
Packer / Protector : None

Description :

Challenge : Your solution should be able to report whenever the message box appears in the victim.

Here are the challenge rules :


1 - No patching is allowed. It doesn't matter how you solve it as long as the SHA-1 of the original file stays "9F1CCEBBDAB4A0CEEC30C61F1D64C4B1DEAE8CBE"

2 - If your solution includes any coding then it should only be C#.

3 - Writing a simple tutorial is obligatory, don't post your solution if you don't want to write a tutorial.

4 - Don't use dUP / uPPP or similar tools but you can write your own tools if needed.

5 - If you modify the process memory then your solution is only allowed to modify 2 bytes at most, not more!


Part 2.rar


Maybe you didn't understand the purpose of this challenge .. " Your solution should be able to report whenever the message box appears in the victim. "

Besides, you have modified more than 2 bytes, as I can see in this image.


Sorry, but your solution is invalid. It's not supposed to stop the message box; your solution should be able to know when the message box appears.

Check my solution.


Bro @Kurapica: I'm not really a programmer (I usually can "break" down programs :D pretty well though - Malware Analysis), but I was thinking along the lines of (maybe) hooking the call to MessageBox so that every time before the MessageBox is shown, it would also create some sort of notification message...

But your conditions that it was to be coded in C# and only a 2-byte change allowed made me put it off for later this week.

Otherwise I would simply INJECT my own dll - problem solved !

Did not have the time to look at your solution yet. Must be something pretty intelligent :)

Hope to better my learning and understanding from your solutions !

Please keep them coming.

Your Fan :)

Edited by Techlord

Thanks for the nice words :D

I want to add a little explanation on those 2 bytes ...


The reason I used these 2 bytes EB FE is that the new instruction will elicit a jump back to itself.

They translate literally to "Jump ahead -2 bytes from the start of the next instruction."

Since this instruction is itself 2 bytes long, the jump destination will be the jump instruction itself.

So we are stuck at this location and we can later know that the target is looping there by checking the EIP, which we can acquire by using GetThreadContext.


The EB FE substitution reminds me of the SoftICE days when we had to replace the OEP of some unpacked files with the EB FE opcodes before dumping it with LordPE or something :)

The good old days before Olly was mainstream... Reminded me also of the Break-and-Enter technique using LordPE/PETools that was so common in those days ...

Finally got a chance tonight to take a quick look at your code (the solution). A very smart and innovative way to make use of the EB FE opcodes and GetThreadContext for solving this crackme ...

Was planning to break my head looking into various options involving hooking, that would not violate your 2-byte condition, over this weekend... haha. Probably would have failed to achieve it without modifying more than 2 bytes !

Keep 'em coming !


5 hours ago, Techlord said:

Probably would have failed to achieve it without modifying more than 2 bytes !

Inject an exception handler, set some debug registers and you can do it with 0 bytes :thumbsup:


So the good old deadlock (jmp $-5 could be done too) -> GetThreadContext -> sleep a bit, check if EIP = previous EIP, and do so incrementing some threshold; once the threshold is reached, the deadlock is hit. Used to do that on SafeDisc and SecuROM a hell of a lot in my tools :)

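Putting the two posts above together (Kurapica's EB FE self-jump and the poll-and-threshold loop), here is an added C# sketch of such a watcher; it is not Kurapica's solution or any code from the thread. It assumes a 32-bit target, that the watcher itself is built as x86 (so the x86 CONTEXT layout and EIP apply), and takes the target PID and the hex address of the instruction you chose to overwrite as command-line arguments.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Added example, not Kurapica's solution. Assumes a 32-bit target and that this
// watcher is built as x86 itself, so GetThreadContext returns the target's real EIP.
static class DeadlockWatcher
{
    const uint PROCESS_VM_OPERATION = 0x0008, PROCESS_VM_WRITE = 0x0020;
    const uint THREAD_GET_CONTEXT = 0x0008, THREAD_SUSPEND_RESUME = 0x0002;
    const uint CONTEXT_CONTROL = 0x00010001;      // CONTEXT_i386 | CONTEXT_CONTROL: Eip, Esp, EFlags
    [StructLayout(LayoutKind.Explicit, Size = 716)] // sizeof(CONTEXT) on x86; we only read Eip
    struct Context32 { [FieldOffset(0)] public uint ContextFlags; [FieldOffset(184)] public uint Eip; }
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr written);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenThread(uint access, bool inherit, int tid);
    [DllImport("kernel32.dll")] static extern uint SuspendThread(IntPtr h);
    [DllImport("kernel32.dll")] static extern uint ResumeThread(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool GetThreadContext(IntPtr h, ref Context32 ctx);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    // True once a target thread has been seen at patchAddr `threshold` times; no reset is needed, a thread at EB FE never leaves it.
    static bool WaitForDeadlock(int pid, uint patchAddr, int threshold)
    {
        int hits = 0;
        while (true)
        {
            foreach (ProcessThread t in Process.GetProcessById(pid).Threads)
            {
                IntPtr h = OpenThread(THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, false, t.Id);
                if (h == IntPtr.Zero) continue;
                var ctx = new Context32 { ContextFlags = CONTEXT_CONTROL };
                SuspendThread(h);                      // the context is only meaningful while suspended
                bool ok = GetThreadContext(h, ref ctx);
                ResumeThread(h);
                CloseHandle(h);
                if (ok && ctx.Eip == patchAddr && ++hits >= threshold) return true;
            }
            System.Threading.Thread.Sleep(50);
        }
    }
    static void Main(string[] args)
    {
        int pid = int.Parse(args[0]);
        uint addr = Convert.ToUInt32(args[1], 16);  // hex address of the instruction you chose to overwrite
        IntPtr hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, pid);
        if (!WriteProcessMemory(hProc, new IntPtr(addr), new byte[] { 0xEB, 0xFE }, 2, out _))
            throw new InvalidOperationException("patch failed, error " + Marshal.GetLastWin32Error());
        if (WaitForDeadlock(pid, addr, 5)) Console.WriteLine("MessageBox reached: a thread is spinning at 0x" + addr.ToString("X8"));
        CloseHandle(hProc);
    }
}
```

Exactly two bytes are written, so rule 5 is respected; because a thread that reaches the self-jump can never pass through it, a single EIP match is already conclusive and the threshold only guards against a misread context.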
