RDGMax Posted September 5, 2022
RDG EnableMe 2022
RDG Enable Me 2022 vb6
password: crackme
Difficulty: 3 / 10
Compiler: Microsoft Visual Basic v6.0
Anti Tracing: No
Anti Debugger: No
Anti Newby: Yes
Obfuscated: Yes (RDG vb6 Obfuscator)
Anti Virtual Machine: No
Anti SandBox: No
Harmful Payload: NO!
Internet Validation: No
CRC on Disk: No
CRC in Memory: No
Admin Required: No
Support: Windows XP to Windows 11
Goal: Enable button and get Congratulations Message
rdgmax@gmail.com
rdgmax@rdgsoft.net
www.rdgsoft.net
Submitter RDGMax Submitted 09/04/2022 Category CrackMe
Luca91 Posted December 4, 2022
I've never reversed a vb6 bin, so even if this is rated 3/10 I'm finding this challenging. I've still to crack this one, but I'll share what I've found so far so others can benefit from my findings.
First of all: this binary crashes every disassembler except IDA Free. The reason is a messed up Import Table. Fixing this is really easy; you can do this by manually cleaning the IT, or if you are lazy (like me), just put a bp at the entry point and dump the process with Scylla and let it create a new section with a cleaned up IT. Now you can successfully load it in your preferred disassembler (since I'm Italian, I used REDasm ofc :P). You can also open it in VbReformer now (no more crash at startup), but when you try to open the main form, it will crash.
This crackme populates the "rdgsoft" section with the actual pcode (as far as I can tell). Using any "button enablers" will fail (I suspended all the spawned threads too, just to be sure). This is where I'm stuck atm.
Interesting reads:
1) https://www.vb-decompiler.org/pcode_decompiling.htm
2) https://r3mrum.wordpress.com/2017/06/07/defeating-the-vb5-packer/
3) https://www.youtube.com/watch?v=ylWInOcQy2s
Thank you, Luca
CodeExplorer Posted December 10, 2022
Numega SmartCheck:
dxckm (Form) created - main form
fc.Enabled <-- False (Boolean) 050852
Address=01100000
01150830 . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+0x8]
01150833 . 33D2 XOR EDX,EDX
01150835 . 83B9 88000000 00 CMP DWORD PTR DS:[ECX+0x88],0x0 ; this one
0115083C . 0F95C2 SETNE DL
0115083F . F7DA NEG EDX
01150841 . 52 PUSH EDX
01150842 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8]
01150845 . 8B48 10 MOV ECX,DWORD PTR DS:[EAX+0x10]
01150848 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+0x8]
0115084B . 8B42 10 MOV EAX,DWORD PTR DS:[EDX+0x10]
0115084E . 8B10 MOV EDX,DWORD PTR DS:[EAX]
01150850 . 51 PUSH ECX
01150851 . FF92 94000000 CALL DWORD PTR DS:[EDX+0x94]
RDGMax (Author) Posted December 10, 2022
Thank you very much for your interest. Later I will show you how to solve the issue 😉
Luca91 Posted December 11, 2022 (edited)
Hi again, I was not aware of the existence of SmartCheck (NuMega FTW!) until I read Visual_Basic.chm by CodeExplorer a couple of days ago. Today I decided to give this crackme another try, and while I'm still not entirely convinced (read till the end for the reason), I'm going to post a detailed tutorial of what I did (again, as a reference for future reversers that want to crack this challenge). PLEASE NOTE: all the credit goes to CodeExplorer (for both his previous post and for the Visual_Basic.chm reference).
Ok, here we go:
1) You need to fix the IT problem before proceeding to SmartCheck (otherwise, at least in my case, it missed all events); check my previous post for a quick solution.
2) Load the executable in SmartCheck, run it, open the _ReadProperties menu and head over to fc.Enabled. In the right window you will see that the Boolean value is False.
3) Take note of the address (upper line), it is executable_name.exe!00050852; the important part is of course 00050852.
4) Open the crackme in x32dbg, go to the memory map and check where it is loaded. The address is 01100000. Now sum 01100000+00050852 to obtain the address we are interested in: 1150852.
5) Go to this address in x32dbg (the correct address is 1150851, idk why it is one byte earlier, maybe a bug of SmartCheck??), scroll up by some lines and you will find the compare: cmp dword ptr ds:[ecx+88],0
Ok, now you have 2 possible ways to fix this: memory patching or file patching.
Memory patching:
1) just right click on that cmp and select show in dump -> ECX+88
2) change the dword from 00 00 00 00 to FF FF FF FF (check the Visual_Basic.chm as a reference)
File patching:
1) I patched the setne dl instruction (right after the cmp) to inc dl
2) this wasn't enough as there is another check, so I put a hw breakpoint on access to 0015D098 (ECX+88) DWORD, and I found that the check is located at 01125D8A. You can patch the conditional jump at 01125D8E.
That's all. Now, why am I not entirely sure that this is actually done? Because I don't get any message when I click on the now-unlocked button. So probably there is more to be found here!
PS: it is quite amusing how all modern tools failed on this crackme.
Edited December 11, 2022 by Luca91
RDGMax (Author) Posted December 11, 2022
If you agree, shall I post the solution? Or do you want to try a little more? 😄
Luca91 Posted December 11, 2022
25 minutes ago, RDGMax said: If you agree, shall I post the solution? Or do you want to try a little more? 😄
Even if I'm very interested in the solution to this crackme (never reversed a vb6 bin, so I have everything to learn from your solution), I think that we should wait for CodeExplorer's reply as he might be interested in another try.
CodeExplorer Posted December 12, 2022
I will not try more on this one. I can't find the congratulation message! A solution would be great.
RDGMax (Author) Posted December 12, 2022 (marked as Solution)
Solution: Put on a flash drive or removable drive named "key" a file called "license.dat" with the content "RDGMax~RDGSoFT"
Thank you very much for your interest
CodeExplorer Posted December 12, 2022
@RDGMax: Doesn't seem to work. Are you sure that this is the solution?
RDGMax (Author) Posted December 12, 2022
Step 1: Run the crackme. USB drive: label = KEY; put the license.dat inside the USB drive.
Step 2: insert the USB drive again.
license.dat
Luca91 Posted December 12, 2022
7 hours ago, RDGMax said: Solution: Put on a flash drive or removable drive named "key" a file called "license.dat" with the content "RDGMax~RDGSoFT" Thank you very much for your interest
I might be wrong but... shouldn't this be rated a bit higher than a 3/10? There is no mention of the "hardware" needed in the description; is this the so-called "security through obscurity"?! (I'm just kidding of course). Anyway the "solution" is not working for me either. Tried on a Windows XP VM with a virtual usb (32GB/FAT32) with "KEY" as label and your license.dat file.
RDGMax (Author) Posted December 12, 2022
2 hours ago, Luca91 said: I might be wrong but... shouldn't this be rated a bit higher than a 3/10? There is no mention of the "hardware" needed in the description; is this the so-called "security through obscurity"?! (I'm just kidding of course). Anyway the "solution" is not working for me either. Tried on a Windows XP VM with a virtual usb (32GB/FAT32) with "KEY" as label and your license.dat file.
Has been tested on XP, 7, 10 & 11
Luca91 Posted December 12, 2022
26 minutes ago, RDGMax said: Has been tested on XP, 7, 10 & 11
Just tried it on a Windows 10 VM, still doesn't work. The button is still disabled. The USB drive has "KEY" as label. In the root of the usb there is your license.dat file. Maybe it is just a problem with my VMs. Anyway thanks for this challenge!
CodeExplorer Posted February 8, 2023
Just for info: https://stackoverflow.com/questions/286534/enumerating-all-available-drive-letters-in-windows
I got it working: you should start the program first, then you have to eject the flash drive and reinsert it. I have no clue how it detects new flash drives. It uses GetVolumeInformationW here:
01155451 . 50 PUSH EAX
01155452 . E8 5947FBFF CALL 01109BB0 ; RDG_Enab.01109BB0
CodeExplorer Posted February 10, 2023
When a new USB flash drive is inserted, the drive label is checked:
0110FABB 813D 60901501 E9000000 CMP DWORD PTR DS:[0x1159060],0xE9
0110FAC5 0F85 06010000 JNZ RDG_Enab.0110FBD1 ; should not jump, DWORD PTR DS:[0x1159060] should be 0xE9
DWORD PTR DS:[0x1159060] results from the drive label:
0115550B . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-0x2C]
0115550E . 50 PUSH EAX
0115550F . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-0x58]
01155512 . 51 PUSH ECX
01155513 . E8 B8000000 CALL RDG_Enab.011555D0
01155518 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-0x58]
0115551B . 52 PUSH EDX
0115551C . FF15 A0111001 CALL DWORD PTR DS:[0x11011A0] ; MSVBVM60.__vbaI4Var
01155522 . A3 60901501 MOV DWORD PTR DS:[0x1159060],EAX
When you click on the "Enable Me" button:
0114F5FB 813D 60901501 E9000000 CMP DWORD PTR DS:[0x1159060],0xE9
0114F605 75 17 JNZ SHORT RDG_Enab.0114F61E
When you click on the "Enable Me" button the license.dat file is checked:
0114F51A 0F84 FE000000 JE RDG_Enab.0114F61E ; should not jump, check the contents of license.dat
license.dat should exist on the flash drive, plus you have to eject the flash drive and reinsert it. I can't solve those yet.
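The two checks traced in this thread, the drive-label value compared with 0xE9 (CodeExplorer's post above) and the license.dat content "RDGMax~RDGSoFT" (RDGMax's solution post), combined into one offline model. This is an added example written for this page; it is not the crackme's code and not code posted by anyone in the thread. It assumes that the routine at 011555D0 reduces the label to the sum of its character codes: the arithmetic fits, since "KEY" is 75 + 69 + 89 = 233 = 0xE9, but the page never shows what that routine actually computes. The file is assumed to sit in the volume root, and the volumes and files in the sample are constructed. On Windows the enumeration goes through GetVolumeInformationW, the API named in the thread; on other systems it returns nothing and the constructed data exercises the logic.

```python
"""Offline model of the two checks this thread reverses (added example, not the
crackme's code): volume label -> integer compared with 0xE9, and license.dat
content compared with "RDGMax~RDGSoFT"."""
import ntpath
import sys
from typing import Callable, Iterable, List, Optional, Tuple

EXPECTED_LABEL_VALUE = 0xE9          # immediate in CMP DWORD PTR DS:[0x1159060],0xE9
EXPECTED_LICENSE = "RDGMax~RDGSoFT"  # license.dat content stated by the author
LICENSE_NAME = "license.dat"
DRIVE_REMOVABLE = 2                  # GetDriveTypeW result for removable media


def label_value(label: str) -> int:
    """Map a volume label to the integer the crackme stores at 0x1159060.

    ASSUMPTION: the thread only shows CALL 011555D0 followed by __vbaI4Var;
    what 011555D0 computes is not on the page.  Summing the character codes
    of the author's label "KEY" gives 75 + 69 + 89 = 233 = 0xE9, so that sum
    is used here as a plausible model.
    """
    return sum(ord(ch) for ch in label)


def label_ok(label: str) -> bool:
    return label_value(label) == EXPECTED_LABEL_VALUE


def license_ok(content: bytes) -> bool:
    """Exact match on the license text; a trailing newline is tolerated."""
    return content.decode("ascii", errors="replace").strip() == EXPECTED_LICENSE


def colliding_labels(candidates: Iterable[str]) -> List[str]:
    """Labels other than "KEY" that the modelled check accepts.  A character
    sum is not a fingerprint: every permutation of the label collides."""
    return [c for c in candidates if c != "KEY" and label_ok(c)]


def windows_removable_volumes() -> List[Tuple[str, str]]:
    """(root, label) pairs for removable drives, via the same kernel32 API the
    thread found (GetVolumeInformationW).  Returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.windll.kernel32
    drives = ctypes.create_unicode_buffer(256)
    n = k32.GetLogicalDriveStringsW(len(drives), drives)
    found = []
    for root in filter(None, drives[:n].split("\0")):   # e.g. "E:\\"
        if k32.GetDriveTypeW(root) != DRIVE_REMOVABLE:
            continue
        name = ctypes.create_unicode_buffer(261)
        fsname = ctypes.create_unicode_buffer(261)
        serial, maxlen, flags = wintypes.DWORD(), wintypes.DWORD(), wintypes.DWORD()
        if k32.GetVolumeInformationW(root, name, len(name), ctypes.byref(serial),
                                     ctypes.byref(maxlen), ctypes.byref(flags),
                                     fsname, len(fsname)):
            found.append((root, name.value))
    return found


def find_licensed_volume(volumes: Iterable[Tuple[str, str]],
                         read_file: Optional[Callable[[str], bytes]] = None) -> Optional[str]:
    """Root of the first volume passing both checks, or None.  `read_file` is
    injectable so the logic runs against constructed data on any OS."""
    if read_file is None:
        def read_file(path: str) -> bytes:
            with open(path, "rb") as fh:
                return fh.read()
    for root, label in volumes:
        if not label_ok(label):
            continue
        try:
            content = read_file(ntpath.join(root, LICENSE_NAME))
        except OSError:
            continue          # no license.dat on this volume
        if license_ok(content):
            return root
    return None


# Constructed sample data (not from the page): only E:\ satisfies both checks.
SAMPLE_VOLUMES = [("D:\\", "BACKUP"), ("E:\\", "KEY"), ("F:\\", "key")]
SAMPLE_FILES = {"E:\\license.dat": b"RDGMax~RDGSoFT\r\n",
                "F:\\license.dat": b"RDGMax~RDGSoFT"}


def sample_read(path: str) -> bytes:
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    print("sample:", find_licensed_volume(SAMPLE_VOLUMES, sample_read))
    print("collisions:", colliding_labels(["KEY", "YEK", "EKY", "key"]))
    print("this machine:", find_licensed_volume(windows_removable_volumes()))
```

Two things the model makes visible that the disassembly alone does not: under the character-sum assumption the check is case-sensitive ("key" sums to 329, not 233), which matches the author's later insistence on label = KEY, and a sum admits collisions, so "YEK" or "EKY" would pass exactly as "KEY" does. For a real licensing scheme that is the lesson: bind the license to something like the volume serial and verify a signature over it rather than reducing an identifier to a checksum.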
RDGMax (Author) Posted March 4, 2023
On 2/10/2023 at 10:30 AM, CodeExplorer said:
When a new USB flash drive is inserted, the drive label is checked:
0110FABB 813D 60901501 E9000000 CMP DWORD PTR DS:[0x1159060],0xE9
0110FAC5 0F85 06010000 JNZ RDG_Enab.0110FBD1 ; should not jump, DWORD PTR DS:[0x1159060] should be 0xE9
DWORD PTR DS:[0x1159060] results from the drive label:
0115550B . 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-0x2C]
0115550E . 50 PUSH EAX
0115550F . 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-0x58]
01155512 . 51 PUSH ECX
01155513 . E8 B8000000 CALL RDG_Enab.011555D0
01155518 . 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-0x58]
0115551B . 52 PUSH EDX
0115551C . FF15 A0111001 CALL DWORD PTR DS:[0x11011A0] ; MSVBVM60.__vbaI4Var
01155522 . A3 60901501 MOV DWORD PTR DS:[0x1159060],EAX
When you click on the "Enable Me" button:
0114F5FB 813D 60901501 E9000000 CMP DWORD PTR DS:[0x1159060],0xE9
0114F605 75 17 JNZ SHORT RDG_Enab.0114F61E
When you click on the "Enable Me" button the license.dat file is checked:
0114F51A 0F84 FE000000 JE RDG_Enab.0114F61E ; should not jump, check the contents of license.dat
license.dat should exist on the flash drive, plus you have to eject the flash drive and reinsert it. I can't solve those yet.
Not easy to crack, it seems 😛
CodeExplorer Posted March 5, 2023
Yeap, not easy. @RDGMax: It would be great if you posted information on how new flash drives are detected.
RDGMax (Author) Posted March 7, 2023
On 3/5/2023 at 8:52 AM, CodeExplorer said: Yeap, not easy. @RDGMax: It would be great if you posted information on how new flash drives are detected.
I only use a global hook, bro
CodeExplorer Posted March 7, 2023
12 hours ago, RDGMax said: I only use a global hook, bro
I don't get it!