Jump to content
Tuts 4 You
  • 0
Sign in to follow this  
32x64

Crack Me 32x64

Question

32x64

Difficulty : 2
Language : C#
Platform : Windows
OS Version : All
Packer / Protector : No, My own method

Description:

License audit

Screenshot(s):

dddd.PNG.bd5c06b61b7c216a0a96c4136ddfc5b6.PNG

Download

Crackme_32x64 (1) .rar

 

Good luck... :)

Edited by 32x64 (see edit history)

Share this post


Link to post

5 answers to this question

Recommended Posts

  • 3
HoLLy

That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention.

Spoiler

 

It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did.

It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too.

The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal.

ljbMiQG.png

2lzU76a.png

The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me.

qtx5xMd.png

I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch:

nBJABI7.png

AkbaIId.png

I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message :)

 

Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily.

A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved.

Unpacked

  • Like 2
  • Thanks 1

Share this post


Link to post
  • 1
cob_258

Steps : 

Spoiler

The program runs in 3 steps : 
• the provided exe (let's call it Stub) works like MPress stub i.e decompress and invoke the entrypoint of the embedded exe
• the embedded exe (a RunPE) works only if invoked by Stub then : 
    - read some strings from Stub
    - the strings are an encrypted exe (let's call it CrackMe) and the key
    - decrypt the CrackMe and inject it in a new process
• the CrackMe :
    - set a 1 second timer to kill the process (patch it)
    - calculates the hash of processorId + volumeSerial + motherBoardID + macaddress and compares it to the correct one (patch the branch)
    - if the hash is correct shows another form that use the timer trick and check the hash (patch both of them)
    


    Screenshot:

Spoiler


   screenshot.png.d40c08d120cf9a0cfcd96608e131c3b8.png

 

cracked.rar

Share this post


Link to post
  • 0
32x64
4 hours ago, HoLLy said:

That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention.

  Reveal hidden contents

 

It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did.

It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too.

The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal.

ljbMiQG.png

2lzU76a.png

The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me.

qtx5xMd.png

I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch:

nBJABI7.png

AkbaIId.png

I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message :)

 

Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily.

A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved.

Unpacked

It was a very nice solution thanks :)

Share this post


Link to post
  • 0
Dxer

I try,thank you

Share this post


Link to post
  • -2
32x64
21 hours ago, 32x64 said:

Difficulty : 2
Language : .Net
Platform : Windows
OS Version : All
Packer / Protector : No, My own method

Description:

License audit

Screenshot(s):

dddd.PNG.bd5c06b61b7c216a0a96c4136ddfc5b6.PNG

Download

Crackme_32x64 (1) .rar

 

Good luck... :)

 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...