Custom protect

[Nickitee]

Difficulty : 10
Language :  .NET
Platform : Windows x86
OS Version : All
Packer / Protector : Custom protect (with native packaging)

Challenge : Figure out the correct string for the textbox.

 

Crack_me_2_protected.exe

Edited January 27, 2017 by Nickitee

[atom0s]

I suck with .NET related things anymore, haven't kept up with all the new things people do. But here is the actual crack me file removed from the protector (native code). Bypassing the protector is fairly easy. I wrote a simple loader that hooks VirtualProtect (this protect heavily relies on it) and just changed all pages to be a PAGE_EXECUTE_READWRITE. This allows any dumping tool such as MegaDumper to get the original crackme within the protection.

So someone with .NET unpacking skills can handle it from here.

Crack_me.7z

[atom0s]

Ok finished.

Password is: SSSSSSSSSSHarp27012017

[atom0s]

Part 1. Bypassing Native Protection

This is rather simple, just write a loader that hooks VirtualProtect. You will want to force all pages being protected to use PAGE_EXECUTE_READWRITE instead. Once done and you have loaded the crackme with your loader, use a tool like MegaDumper to do a full .NET Dump which will yield the real Crack_Me.exe file.

Part 2. Obtaining the Password

More or less a cheap method, but this is just a normal if (str1 == str2) so open the real Crack_Me.exe inside of a .NET debugger tool such as dnSpy. Once open begin debugging and then navigate to mscorlib -> System -> String -> op_Equality. Set a breakpoint here.

Enter a string into the text box such as asdf1234, press the button. Walk through the breaks until the first param is your password, check second param for the real password.