Jump to content
Tuts 4 You

Crack Me 32x64


32x64

Recommended Posts

That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention.

Spoiler

 

It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did.

It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too.

The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal.

ljbMiQG.png

2lzU76a.png

The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me.

qtx5xMd.png

I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch:

nBJABI7.png

AkbaIId.png

I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message :)

 

Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily.

A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved.

Unpacked

  • Like 2
  • Thanks 1
Link to comment
Share on other sites

4 hours ago, HoLLy said:

That binary is made in Visual Basic, not C#. Just a detail I thought I'd mention.

  Reveal hidden contents

 

It was first packed by a rather simple packer, so I unpacked that first to get to a second, in-memory module. I threw that one in de4dot to make the symbol names more readable and analyzed the code to see what it did.

It calls 2 methods in its main: an initializing method and a real main. The initializing method takes the current assembly's location, reads it, and then splits it by a string to get 5 different values. The first one is the PE executable, the second one is some Base64-encoded data, the third one is another random string and the fourth and fifth are the string values "False". It will then take the second value, unbase64 it and pass it to a decryption method along with a key. At this point you can dump these bytes and skip the next paragraph since they contain a third assembly, but I decided to look what the other method did too.

The second method takes the assembly from before and does some stuff to it. First of all, it will use delegate proxy methods to store various PInvoke calls to later use. The rest of the method involves editing of the decrypted assembly/PE file, so some of these details may be wrong. From what I can tell, it creates a new process of the current (main) assembly, paused, and then copies over the section tables from the decrypted assembly. This should effectively replace all IL methods. You can see something similar in ConfuserEx's AntiTamper, which I documented here. It then resumes the process, which will start JITting its methods like normal.

ljbMiQG.png

2lzU76a.png

The "real" assembly is only protected with basic symbol name and string protection, from what I can tell. It has a timer that panics if any well-known tool is opened and it seems there is some HWID code in Form1_Load in the "YGIUH" class. Further, there is a class called AntiDump too, which gets called in the Load functions of any form. A very quick inspection tells me that it's most likely copy/pasted from ConfuserEx, but the string decryptor seems new to me.

qtx5xMd.png

I was too lazy to code up a string decryptor, but it's very basic. I just changed some IL to stop the timer from panicking the application and patched what seemed like the HWID check, and got the following messageboxes on launch:

nBJABI7.png

AkbaIId.png

I don't speak Turkish, but luckily Google Translate does and it seems that this is the desired message :)

 

Overal this was a pretty interesting crackme, since it does indeed seem to be custom. Sadly most of the protection can be bypassed easily.

A final thing to note: I noticed there are 2 forms, and I only worked with 1. Perhaps there is some code that calls the second one that I missed, but I still consider this crackme solved.

Unpacked

It was a very nice solution thanks :)

Link to comment
Share on other sites

  • 1 month later...

Steps : 

Spoiler

The program runs in 3 steps : 
• the provided exe (let's call it Stub) works like MPress stub i.e decompress and invoke the entrypoint of the embedded exe
• the embedded exe (a RunPE) works only if invoked by Stub then : 
    - read some strings from Stub
    - the strings are an encrypted exe (let's call it CrackMe) and the key
    - decrypt the CrackMe and inject it in a new process
• the CrackMe :
    - set a 1 second timer to kill the process (patch it)
    - calculates the hash of processorId + volumeSerial + motherBoardID + macaddress and compares it to the correct one (patch the branch)
    - if the hash is correct shows another form that use the timer trick and check the hash (patch both of them)
    


    Screenshot:

Spoiler


   screenshot.png.d40c08d120cf9a0cfcd96608e131c3b8.png

 

cracked.rar

Link to comment
Share on other sites

  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...