32x64 Posted January 21, 2018 Posted January 21, 2018 (edited) Difficulty : 2 Language : C# Platform : Windows OS Version : All Packer / Protector : No, My own method Description: License audit Screenshot(s): Download Crackme_32x64 (1) .rar Good luck... Edited January 21, 2018 by 32x64
32x64 Posted January 22, 2018 Author Posted January 22, 2018 21 hours ago, 32x64 said: Difficulty : 2 Language : .Net Platform : Windows OS Version : All Packer / Protector : No, My own method Description: License audit Screenshot(s): Download Crackme_32x64 (1) .rar Good luck...
HoLLy Posted January 28, 2018 Posted January 28, 2018 That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention. Spoiler It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did. It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too. The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal. The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me. I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch: I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily. A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved. Unpacked 2 1
32x64 Posted January 28, 2018 Author Posted January 28, 2018 4 hours ago, HoLLy said: That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention. Reveal hidden contents It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did. It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too. The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal. The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me. I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch: I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily. A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved. Unpacked It was a very nice solution thanks
cob_258 Posted March 1, 2018 Posted March 1, 2018 Steps : Spoiler The program runs in 3 steps : • the provided exe (let's call it Stub) works like MPress stub i.e decompress and invoke the entrypoint of the embedded exe • the embedded exe (a RunPE) works only if invoked by Stub then : - read some strings from Stub - the strings are an encrypted exe (let's call it CrackMe) and the key - decrypt the CrackMe and inject it in a new process • the CrackMe : - set a 1 second timer to kill the process (patch it) - calculates the hash of processorId + volumeSerial + motherBoardID + macaddress and compares it to the correct one (patch the branch) - if the hash is correct shows another form that use the timer trick and check the hash (patch both of them) Screenshot: Spoiler cracked.rar
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now