Bang1338 Posted January 11

View File NanoButton

A follow-up of TinyCrackMe.

Challenge:
- Press the button "Hi"
- If correctly bypassed, a MessageBox with `:3` shows up.

Rules:
1. Patch? Here's a deal:
   - No patching if you've unpacked UPX, as the final result!
   - Patching allowed if you haven't unpacked UPX, as the final result!
   - Only patch-fix a flaw like a missing stdc DLL, or a temporary byte patch for making a loader or hook.
2. Spoiling? Yes! (originally on crackmes.one it is "no")
3. Keygen? Useless. Because the goal is to bypass it!
4. Hooking? Allowed! It's not a patch!
5. Loader? Allowed! It's just a mem patch, not a file patch...
6. For any of the above, do not use any tool to create stuff like Baymax or dUP2, but you can create your own with coding.

Happy Reversing :3

Submitter Bang1338 Submitted 01/11/2024 Category CrackMe
Sean the hard worker Posted January 12 (edited)
1 hour ago, X0rby said:
Extracting the tune~! It's xm. NanoButton.xm
Regards. sean.
Edited January 12 by windowbase: editing some words.
boot Posted January 12
This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified with a debugger.
- Hook the NtCreateFile or ZwCreateFile function
- Set a hardware execution breakpoint at 0x00401427
- Execute the Eip += 0x35 jump
Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit operating systems of Windows 7 and above.
winmm - NanoButton.zip
Sean the hard worker Posted January 12 (edited)
31 minutes ago, boot said:
This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified with a debugger.
- Hook the NtCreateFile or ZwCreateFile function
- Set a hardware execution breakpoint at 0x00401427
- Execute the Eip += 0x35 jump
Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit operating systems of Windows 7 and above.
winmm - NanoButton.zip 60.58 kB · 0 downloads
@boot What is different about your winmm.dll compared to the one in the SysWOW64 directory of Windows 10?
Regards. sean.
Edited January 12 by windowbase: editing some words.
boot Posted January 12
18 minutes ago, windowbase said: what are different...
It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...
Sean the hard worker Posted January 12 (edited)
5 minutes ago, boot said: It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...
@boot Can you release the proxy DLL source code for us?
Regards. sean.
Edited January 12 by windowbase: editing some words.
HostageOfCode Posted January 12
3 hours ago, windowbase said: @boot Can you release the proxy DLL source code for us? Regards. sean.
There are many hooking DLL source files on GitHub. You have to adjust them for the concrete target.
Sean the hard worker Posted January 12 (edited)
31 minutes ago, HostageOfCode said: There are many hooking DLL source files on GitHub. You have to adjust them for the concrete target.
@HostageOfCode I can't think of the appropriate search term. Can you recommend one? "proxy dll", "hooking dll"?
Regards. sean.
Edited January 12 by windowbase: editing words.
Sean the hard worker Posted January 12 (edited)
4 hours ago, boot said: It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...
@boot Why are the export functions the same as in the original winmm.dll? I wonder about it. Can you explain it?
Regards. sean.
Edited January 12 by windowbase: editing some words.
kao Posted January 12
@windowbase: how about doing your own homework and reading what's already been written? There are literally hundreds of tutorials explaining DLL hijacking and DLL proxying. Also, there are dozens of GitHub projects that let you generate proxy DLLs. You could start, for example, here: https://itm4n.github.io/dll-proxying/ or here: https://cihansol.com/blog/index.php/2021/09/14/windows-dll-proxying-hijacking/, or (if you want to go really deep) here: https://www.netspi.com/blog/technical/adversary-simulation/adaptive-dll-hijacking/
Bang1338 (Author) Posted January 12 (edited) [Solution]
Since there are a lot of solutions here, I'll summarize all the solutions and then mark this as the Solution. You guys are great!
Inline patching(?) - @X0rby:
9 hours ago, X0rby said:
DLL Hook/Hijack - @boot:
5 hours ago, boot said: This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified with a debugger.
- Hook the NtCreateFile or ZwCreateFile function
- Set a hardware execution breakpoint at 0x00401427
- Execute the Eip += 0x35 jump
Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit operating systems of Windows 7 and above.
winmm - NanoButton.zip 60.58 kB · 2 downloads
Edited January 12 by Bang1338: adding user + "Hijack"
Sean the hard worker Posted January 12
14 minutes ago, kao said: @windowbase: how about doing your own homework and reading what's already been written? There are literally hundreds of tutorials explaining DLL hijacking and DLL proxying. Also, there are dozens of GitHub projects that let you generate proxy DLLs. You could start, for example, here: https://itm4n.github.io/dll-proxying/ or here: https://cihansol.com/blog/index.php/2021/09/14/windows-dll-proxying-hijacking/, or (if you want to go really deep) here: https://www.netspi.com/blog/technical/adversary-simulation/adaptive-dll-hijacking/
@kao Many thanks for commenting with the references.
Regards. sean.
Sean the hard worker Posted January 12
5 hours ago, boot said: It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...
@boot Your method doesn't work if it is debugged.
Regards. sean.
boot Posted January 12
1 hour ago, windowbase said: why are the export functions the same as in the original winmm.dll?
This proxy DLL needs to declare the same export functions in order for the CrackMe to prioritize loading my fake DLL from the current path...
37 minutes ago, windowbase said: doesn't work if it is debugged.
I tested this DLL on Win7 x64 and it works... Video_2024-01-12_174540.mp4
Sean the hard worker Posted January 12 (edited)
@boot View this. Is anything wrong on my side?
Edition: Windows 10 Enterprise
Version: 22H2
Installed on: 31/05/2023
OS build: 19045.3693
Experience: Windows Feature Experience Pack 1000.19053.1000.0
64-bit operating system, x64-based processor
Video_2024-01-12_190854.mp4
@boot In OllyDbg it's okay, but not in x64dbg. Or it might depend on each plugin's settings.
Regards. sean.
Edited January 12 by windowbase: editing some words.
HostageOfCode Posted January 12
4 hours ago, windowbase said: @HostageOfCode I can't think of the appropriate search term. Can you recommend one? "proxy dll", "hooking dll"? Regards. sean.
I would use one of these:
https://github.com/nelfo/PGHooker
https://github.com/stevemk14ebr/PolyHook/blob/master/PolyHook/Tests.cpp
https://github.com/vic4key/cpp-hooking
and attach it to a library the target uses. In this case winmm.dll or msvcrt.dll.
X0rby Posted January 12
4 minutes ago, HostageOfCode said: I would use one of these: https://github.com/nelfo/PGHooker https://github.com/stevemk14ebr/PolyHook/blob/master/PolyHook/Tests.cpp https://github.com/vic4key/cpp-hooking and attach it to a library the target uses. In this case winmm.dll or msvcrt.dll.
Weak code can't handle protections.
jackyjask Posted January 12
6 hours ago, boot said: to prioritize loading my fake DLL from the current path...
What are the means of defending against malicious proxy DLLs in the current directory?
Sean the hard worker Posted January 12 (edited)
On 1/12/2024 at 9:47 PM, HostageOfCode said: attach it to a library the target uses. In this case winmm.dll or msvcrt.dll.
@HostageOfCode Many thanks.
Regards. sean.
Edited January 21 by windowbase: editing some words.
Teddy Rogers Posted January 12
1 hour ago, jackyjask said: What are the means of defending against malicious proxy DLLs in the current directory?
- Install your application and DLLs to a Windows-protected folder, e.g. "C:\Program Files\";
- Specify the system DLL search order/path, e.g. SetDefaultDllDirectories;
- Use fully qualified paths to locate DLLs...
Ted.
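A defender-side illustration of Ted's three points, added here as example code that is not from the thread or any of its posters. The portable part is a check that a DLL path is fully qualified, contains no ".." segment, and sits under a constructed allow-list of directories that a standard user cannot write to; the Windows-only part (compiled only under _WIN32) calls SetDefaultDllDirectories and LoadLibraryExA with LOAD_LIBRARY_SEARCH_SYSTEM32 so that the application directory and the current directory are no longer searched for winmm.dll, then uses GetModuleFileNameA to confirm where the loader actually found it. The allow-list, the sample paths and the function names is_fully_qualified, dll_path_is_trusted and load_winmm_from_system32_only are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>
#ifdef _WIN32
#define _WIN32_WINNT 0x0602   /* SetDefaultDllDirectories: Win8+, or Win7 with KB2533623 */
#include <windows.h>
#endif

/* 1 if path is fully qualified in Windows terms: "X:\..." or a UNC "\\server\share\..." */
int is_fully_qualified(const char *path)
{
    size_t n = path ? strlen(path) : 0;
    if (n >= 3 && isalpha((unsigned char)path[0]) && path[1] == ':' && path[2] == '\\')
        return 1;
    if (n >= 2 && path[0] == '\\' && path[1] == '\\')
        return 1;
    return 0;
}

/* Case-insensitive prefix test; Windows paths are case-insensitive. */
static int starts_with_icase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Constructed allow-list (assumption): directories a standard user cannot write to.
   UNC paths are deliberately absent, so a share-hosted DLL is never trusted. */
static const char *const TRUSTED_DIRS[] = {
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
};

/* 1 if the path is fully qualified, has no ".." segment or forward slash, and sits under
   a trusted directory. A bare "winmm.dll" or ".\winmm.dll" beside the EXE fails outright. */
int dll_path_is_trusted(const char *path)
{
    size_t i;
    if (!is_fully_qualified(path))
        return 0;
    if (strstr(path, "\\..") || strchr(path, '/'))   /* no traversal, no mixed separators */
        return 0;
    for (i = 0; i < sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]; i++)
        if (starts_with_icase(path, TRUSTED_DIRS[i]))
            return 1;
    return 0;
}

#ifdef _WIN32
/* Process-wide: drop the application directory and CWD from the default search order,
   load winmm.dll from System32 only, then verify where the loader actually found it. */
int load_winmm_from_system32_only(char *out_path, size_t out_len)
{
    HMODULE h;
    DWORD n;
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32))
        return 0;
    h = LoadLibraryExA("winmm.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (!h)
        return 0;
    n = GetModuleFileNameA(h, out_path, (DWORD)out_len);
    if (n == 0 || n >= out_len)          /* failure or truncated path: do not trust */
        return 0;
    return dll_path_is_trusted(out_path);
}
#endif

int main(void)
{
    /* Constructed sample paths; the second is where a planted proxy winmm.dll would sit. */
    const char *samples[] = {
        "C:\\Windows\\System32\\winmm.dll",
        "C:\\Users\\me\\Desktop\\NanoButton\\winmm.dll",
        "winmm.dll",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s trusted=%d\n", samples[i], dll_path_is_trusted(samples[i]));
#ifdef _WIN32
    {
        char where[MAX_PATH];
        if (load_winmm_from_system32_only(where, sizeof where))
            printf("winmm.dll loaded from %s\n", where);
        else
            printf("winmm.dll was not loaded from a trusted directory\n");
    }
#endif
    return 0;
}
```

The path check runs anywhere; the load-and-verify part only does something on Windows, where the same proxy-DLL-in-the-application-directory trick this thread uses would otherwise succeed because the application directory is searched before System32 in the default order.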
Bang1338 (Author) Posted January 15
On 1/12/2024 at 7:47 AM, windowbase said: Extracting the tune~! It's xm. NanoButton.xm 4.01 kB · 3 downloads Regards. sean.
https://modarchive.org/index.php?request=view_by_moduleid&query=199878