Tuts 4 You

RDG EnableMe 2022


RDGMax

RDG Enable Me 2022 vb6 :)

password:crackme

Difficulty 3 / 10
Compiler: Microsoft Visual Basic v6.0
Anti Tracing:No
Anti Debugger: No
Anti Newby: Yes
Obfuscated: Yes (RDG vb6 Obfuscator)
Anti Virtual Machine: No
Anti SandBox: No
Harmful Payload: NO!
Internet Validation: No
CRC on Disk: No
CRC in Memory: No
Admin Required: No

Support Windows XP to Windows 11

Goal: Enable button and get Congratulations Message

rdgmax@gmail.com
rdgmax@rdgsoft.net

www.rdgsoft.net



  • 2 months later...

I've never reversed a vb6 bin, so even if this is rated 3/10 I'm finding this challenging.

I've still to crack this one, but I'll share what I've found so far so others can benefit from my findings.

First of all: this binary crashes every disassembler except IDA Free. The reason is a messed up Import Table.

Fixing this is really easy, you can do this by manually cleaning the IT, or if you are lazy (like me), just put a bp at the entry point and dump the process with Scylla and let it create a new section with a cleaned up IT.

Now you can successfully load it in your preferred disassembler (since I'm Italian, I used REDasm ofc :P). You can also open it in VbReformer now (no more crash at startup), but when you try to open the main form, it will crash.

This crackme populates the "rdgsoft" section with the actual pcode (as far as I can tell). Using any "button enablers" will fail (I suspended all the spawned threads too, just to be sure).

This is where I'm stuck atm.

Interesting reads: 

1) https://www.vb-decompiler.org/pcode_decompiling.htm

2) https://r3mrum.wordpress.com/2017/06/07/defeating-the-vb5-packer/

3) https://www.youtube.com/watch?v=ylWInOcQy2s

 

Thank you,

Luca


Numega Smartcheck:

dxckm (Form) created
- main form

fc.Enabled <-- False (Boolean)
050852
 Address=01100000

01150830   .  8B4D 08                MOV ECX,DWORD PTR SS:[EBP+0x8]
01150833   .  33D2                   XOR EDX,EDX
01150835   .  83B9 88000000 00       CMP DWORD PTR DS:[ECX+0x88],0x0 ; this one
0115083C   .  0F95C2                 SETNE DL
0115083F   .  F7DA                   NEG EDX
01150841   .  52                     PUSH EDX
01150842   .  8B45 08                MOV EAX,DWORD PTR SS:[EBP+0x8]
01150845   .  8B48 10                MOV ECX,DWORD PTR DS:[EAX+0x10]
01150848   .  8B55 08                MOV EDX,DWORD PTR SS:[EBP+0x8]
0115084B   .  8B42 10                MOV EAX,DWORD PTR DS:[EDX+0x10]
0115084E   .  8B10                   MOV EDX,DWORD PTR DS:[EAX]
01150850   .  51                     PUSH ECX
01150851   .  FF92 94000000          CALL DWORD PTR DS:[EDX+0x94]


Hi again,

I was not aware of the existence of SmartCheck (NuMega FTW!) until I read Visual_Basic.chm by CodeExplorer a couple of days ago.
Today I decided to give another try at this crackme, and while I'm still not entirely convinced (read till the end for the reason), I'm going to post a detailed tutorial of what I did (again, as a reference for future reversers that want to crack this challenge).
PLEASE NOTE: all the credit goes to CodeExplorer (for both his previous post and for the Visual_Basic.chm reference).

Ok, here we go:
1) You need to fix the IT problem before proceeding to SmartCheck (otherwise, at least in my case, it missed all events); check my previous post for a quick solution.
2) Load the executable in SmartCheck, run it, open the _ReadProperties menu and head over to fc.Enabled. In the right window you will see that the Boolean value is False.
3) Take note of the address (upper line), it is executable_name.exe!00050852, the important part is of course 00050852
4) Open the crackme in x32dbg, go to memory map and check where it is loaded. The address is 01100000. Now sum 01100000+00050852 to obtain the address we are interested in: 1150852
5) Go to this address in x32dbg (the correct address is 1150851, idk why it is one byte earlier, maybe a bug of SmartCheck??), scroll up by some lines and you will find the compare:
    cmp dword ptr ds:[ecx+88],0
Ok now you have 2 possible ways to fix this: memory patching or file patching.

Memory patching:
1) just right click on that cmp and select show in dump -> ECX+88
2) change the dword from 00 00 00 00 to FF FF FF FF (check the Visual_Basic.chm as a reference :)

File patching:
1) I patched the setne dl instruction (right after the cmp) to inc dl
2) this wasn't enough as there is another check, so I've put an hw breakpoint on access to 0015D098 (ECX+88) DWORD, and I've found that the check is located at 01125D8A. You can patch the conditional jump at 01125D8E.

That's all.

Now, why am I not entirely sure that this is actually done? Because I don't get any message when I click on the now-unlocked button.
So probably there is more to be found here!

 

PS: it is quite amusing how all modern tools failed on this crackme.

Edited by Luca91

25 minutes ago, RDGMax said:

If you agree, will I post the solution? Or do you want to try a little more? 😄

Even if I'm very interested in the solution to this crackme (never reversed a vb6 bin, so I have all to learn from your solution), I think that we should wait for CodeExplorer's reply as he might be interested in another try.

Solution:
Put on a flash drive or removable drive named "key"
then a file called "license.dat" with the content "RDGMax~RDGSoFT"

Thank you very much for your interest


7 hours ago, RDGMax said:

Solution:
Put on a flash drive or removable drive named "key"
then a file called "license.dat" with the content "RDGMax~RDGSoFT"

Thank you very much for your interest

I might be wrong but... shouldn't this be rated a bit higher than a 3/10? :rolleyes: 

There is no mention of the "hardware" needed in the description, is this the so called "security through obscurity"?! :P (I'm just kidding of course).

 

Anyway the "solution" is not working for me either. Tried on a Windows XP VM with a virtual usb (32GB/FAT32) with "KEY" as label and your license.dat file.

2 hours ago, Luca91 said:

I might be wrong but... shouldn't this be rated a bit higher than a 3/10? :rolleyes: 

There is no mention of the "hardware" needed in the description, is this the so called "security through obscurity"?! :P (I'm just kidding of course).

 

Anyway the "solution" is not working for me either. Tried on a Windows XP VM with a virtual usb (32GB/FAT32) with "KEY" as label and your license.dat file.

Has been tested on xp -7-  10 & 11


26 minutes ago, RDGMax said:

Has been tested on xp -7-  10 & 11

Just tried it on a Windows 10 VM, still doesn't work. The button is still disabled. The USB drive has "KEY" as label. In the root of the usb there is your license.dat file. Maybe it is just a problem with my VMs.

Anyway thanks for this challenge!

  • 1 month later...

Just for info:
https://stackoverflow.com/questions/286534/enumerating-all-available-drive-letters-in-windows

I got it working: you should start the program, then you have to eject the flash drive and reinsert it.
I have no clue how it detects new flash drives.
It uses GetVolumeInformationW here:

01155451   .  50            PUSH EAX
01155452   .  E8 5947FBFF   CALL 01109BB0                            ;  RDG_Enab.01109BB0


When a new USB flash drive is inserted, the drive label is checked:
0110FABB     813D 60901501 E9000000     CMP DWORD PTR DS:[0x1159060],0xE9
0110FAC5     0F85 06010000              JNZ RDG_Enab.0110FBD1
; should not jump, DWORD PTR DS:[0x1159060] should be 0xE9

DWORD PTR DS:[0x1159060] results from drive label
0115550B   . 8B45 D4                    MOV EAX,DWORD PTR SS:[EBP-0x2C]
0115550E   . 50                         PUSH EAX
0115550F   . 8D4D A8                    LEA ECX,DWORD PTR SS:[EBP-0x58]
01155512   . 51                         PUSH ECX
01155513   . E8 B8000000                CALL RDG_Enab.011555D0
01155518   .  8D55 A8       LEA EDX,DWORD PTR SS:[EBP-0x58]
0115551B   .  52            PUSH EDX
0115551C   .  FF15 A0111001 CALL DWORD PTR DS:[0x11011A0]            ;  MSVBVM60.__vbaI4Var
01155522   .  A3 60901501   MOV DWORD PTR DS:[0x1159060],EAX

When you click on "Enable Me" button
0114F5FB     813D 60901501 E9000000     CMP DWORD PTR DS:[0x1159060],0xE9
0114F605     75 17                      JNZ SHORT RDG_Enab.0114F61E

When you click on "Enable Me" button license.dat file is checked:
0114F51A     0F84 FE000000              JE RDG_Enab.0114F61E
; should not jump, check the contents of license.dat

license.dat should exist on flash drive, plus you have to eject flash drive and reinsert it: I can't solve those yet.

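To make the two conditions CodeExplorer traced above concrete (a removable drive whose label is "key", carrying a license.dat with the content from RDGMax's solution post), here is an added model of that check in Python; it is not the crackme's code and it assumes the label comparison is case-insensitive (FAT32 stores labels upper-case, which is what Luca's "KEY" stick reports) and that trailing line endings in license.dat are ignored. On Windows it enumerates real volumes through GetVolumeInformationW, the API spotted in the thread; elsewhere it runs on a constructed volume list.

```python
import ctypes
import sys

EXPECTED_LABEL = "key"               # drive label named in the solution post
EXPECTED_LICENSE = "RDGMax~RDGSoFT"  # license.dat content from the solution post
DRIVE_REMOVABLE = 2                  # GetDriveTypeW value for removable media


def license_ok(volumes, read_file):
    """volumes: list of (root, drive_type, label); read_file(path) -> str or None.
    Returns the root of the first removable drive labelled 'key' whose
    license.dat holds the expected string, else None.
    Assumption (not from the thread): case-insensitive label match."""
    for root, drive_type, label in volumes:
        if drive_type != DRIVE_REMOVABLE:
            continue
        if (label or "").strip().lower() != EXPECTED_LABEL:
            continue
        content = read_file(root + "license.dat")   # root already ends in '\'
        if content is not None and content.rstrip("\r\n ") == EXPECTED_LICENSE:
            return root
    return None


def enumerate_windows_volumes():
    """Windows only: GetLogicalDrives -> GetDriveTypeW -> GetVolumeInformationW."""
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    out = []
    for i in range(26):
        if not mask & (1 << i):
            continue
        root = chr(65 + i) + ":\\"
        label = ctypes.create_unicode_buffer(261)
        ok = k32.GetVolumeInformationW(root, label, 261, None, None, None, None, 0)
        out.append((root, k32.GetDriveTypeW(root), label.value if ok else None))
    return out


def read_text(path):
    try:
        with open(path, "r", encoding="ascii", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample: a fixed disk, a removable stick with the wrong label,
# and the "KEY" stick carrying license.dat with a trailing CRLF.
SAMPLE_VOLUMES = [("C:\\", 3, "Windows"), ("D:\\", 2, "BACKUP"), ("E:\\", 2, "KEY")]
SAMPLE_FILES = {"E:\\license.dat": "RDGMax~RDGSoFT\r\n"}

if __name__ == "__main__":
    on_win = sys.platform == "win32"
    vols = enumerate_windows_volumes() if on_win else SAMPLE_VOLUMES
    print("license drive:", license_ok(vols, read_text if on_win else SAMPLE_FILES.get))
```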

  • 3 weeks later...
On 2/10/2023 at 10:30 AM, CodeExplorer said:

Not easy to crack, it seems 😛

CodeExplorer

Yeap, not easy.
@RDGMax: It would be great if you posted information on how new flash drives are detected.

On 3/5/2023 at 8:52 AM, CodeExplorer said:

Yeap, not easy.
@RDGMax: It would be great if you posted information on how new flash drives are detected.

I only use a Global hook Bro
