Tuts 4 You

NanoButton


Bang1338



A follow up of TinyCrackMe

Challenge:
- Press the button "Hi"
- If correctly bypassed, a MessageBox with `:3` shows up.

Rules:
1. Patch? Here's a deal:
- No patching if you've unpacked UPX, as the final result!
- Patching allowed if you haven't unpacked UPX, as the final result!
- Only patch-fix flaws like a missing stdc DLL, or a temporary byte patch to make a loader or hook
2. Spoiling? Yes! (originally on crackmes.one it's "no")
3. Keygen? Useless, because the goal is to bypass it!
4. Hooking? Allowed! It's not a patch!
5. Loader? Allowed! It's just a mem patch, not a file patch...
6. For any of the above, do not use any tool to create stuff like Baymax or dUP2, but you can create your own one by coding.

Happy Reversing :3


Sean Park - Lovejoy
1 hour ago, X0rby said:

(screenshot attachment)

Extracted the tune~! It's XM.

NanoButton.xm

Regards.

sean.


This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified by debugger.

 - Hook NtCreateFile or ZwCreateFile function
 - Set a hardware execution breakpoint at 0x00401427
 - Execute the Eip += 0x35 jump

Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit Windows 7 and above.

winmm - NanoButton.zip


Sean Park - Lovejoy
31 minutes ago, boot said:

This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified by debugger.

 - Hook NtCreateFile or ZwCreateFile function
 - Set a hardware execution breakpoint at 0x00401427
 - Execute the Eip += 0x35 jump

Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit Windows 7 and above.

winmm - NanoButton.zip 60.58 kB · 0 downloads

@boot What are the differences between your winmm.dll and the one in the SysWOW64 directory of Windows 10?

Regards.

sean.


18 minutes ago, windowbase said:

what are different...

It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...


Sean Park - Lovejoy
5 minutes ago, boot said:

It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...

@boot 

Can you release the proxy DLL source code for us?

Regards.

sean.


HostageOfCode
3 hours ago, windowbase said:

@boot 

Can you release the proxy DLL source code for us?

Regards.

sean.

There are many hooking DLL source files on GitHub. You have to adjust them for the concrete target.


Sean Park - Lovejoy
31 minutes ago, HostageOfCode said:

There are many hooking DLL source files on GitHub. You have to adjust them for the concrete target.

@HostageOfCode

I can't think of the appropriate search term. Can you recommend one?

Proxy DLL, hooking DLL?

Regards.

sean.


Sean Park - Lovejoy
4 hours ago, boot said:

It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...

@boot Why are the export functions the same as in the original winmm.dll? I wonder about it. Can you explain it?

Regards.

sean.


@windowbase: how about doing your own homework and reading what's already been written? There are literally hundreds of tutorials explaining DLL hijacking and DLL proxying. Also, there are dozens of GitHub projects that let you generate proxy DLLs.

You could start, for example, here: https://itm4n.github.io/dll-proxying/ or here: https://cihansol.com/blog/index.php/2021/09/14/windows-dll-proxying-hijacking/, or (if you want to go really deep) here: https://www.netspi.com/blog/technical/adversary-simulation/adaptive-dll-hijacking/


Solution

Since there are a lot of solutions in here, I'll summarize all of them and then mark this as the Solution. You guys are great!

Inline patching(?) - @X0rby:

9 hours ago, X0rby said:

(screenshot attachment)


DLL Hook/Hijack - @boot:

5 hours ago, boot said:

This crackme can be resolved by exception handling without modifying the program. This means that nothing needs to be changed at the 0x00401427 address, which can be verified by debugger.

 - Hook NtCreateFile or ZwCreateFile function
 - Set a hardware execution breakpoint at 0x00401427
 - Execute the Eip += 0x35 jump

Note: Since you need to call the Wow64SetThreadContext function, this DLL applies only to 64-bit Windows 7 and above.

winmm - NanoButton.zip 60.58 kB · 2 downloads


Sean Park - Lovejoy
14 minutes ago, kao said:

@windowbase: how about doing your own homework and reading what's already been written? There are literally hundreds of tutorials explaining DLL hijacking and DLL proxying. Also, there are dozens of GitHub projects that let you generate proxy DLLs.

You could start, for example, here: https://itm4n.github.io/dll-proxying/ or here: https://cihansol.com/blog/index.php/2021/09/14/windows-dll-proxying-hijacking/, or (if you want to go really deep) here: https://www.netspi.com/blog/technical/adversary-simulation/adaptive-dll-hijacking/

@kao Many thanks for posting the references.

Regards.

sean.


Sean Park - Lovejoy
5 hours ago, boot said:

It is a proxy DLL that I compiled using VS2019 and can use to execute my functions...

@boot Your method doesn't work if it is debugged.

Regards.

sean.


1 hour ago, windowbase said:

Why are the export functions the same as in the original winmm.dll?

This proxy DLL needs to declare the same export functions in order for CrackMe to prioritize loading my fake DLL at the current path...

37 minutes ago, windowbase said:

doesn't work if it is debugged.

I tested this DLL on Win7 x64 and it works...


Sean Park - Lovejoy

@boot View this. Is anything wrong on my end?

Edition    Windows 10 Enterprise
Version    22H2
Installed on    31/05/2023
OS build    19045.3693
Experience    Windows Feature Experience Pack 1000.19053.1000.0

64-bit operating system, x64-based processor

@boot In OllyDbg it's okay, but not in x64dbg. Or it might depend on each plugin's settings.

Regards.

sean.


HostageOfCode
4 hours ago, windowbase said:

@HostageOfCode

I can't think of the appropriate search term. Can you recommend one?

Proxy DLL, hooking DLL?

Regards.

sean.

I would use one of these:

https://github.com/nelfo/PGHooker

https://github.com/stevemk14ebr/PolyHook/blob/master/PolyHook/Tests.cpp

https://github.com/vic4key/cpp-hooking

and attach it to a library the target uses, in this case winmm.dll or msvcrt.dll.

jackyjask
6 hours ago, boot said:

to prioritize loading my fake DLL at the current path...

What are the means to defend against malicious proxy DLLs in the current dir?

Sean Park - Lovejoy
On 1/12/2024 at 9:47 PM, HostageOfCode said:

attach it to a library the target uses, in this case winmm.dll or msvcrt.dll.

@HostageOfCode Many thanks.

Regards.

sean.


Teddy Rogers
1 hour ago, jackyjask said:

What are the means to defend against malicious proxy DLLs in the current dir?

  • Install your application and DLLs to a Windows protected folder, e.g. "C:\Program Files\";
  • Specify the system DLL search order/path, e.g. SetDefaultDllDirectories;
  • Use fully qualified paths to locate DLLs...

Ted.

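As an added example (not code from the thread or from anyone in it), here is a defender-side loader helper in C that applies Ted's second and third points for a hypothetical application that needs winmm.dll: it removes the application directory and the CWD from the search order with SetDefaultDllDirectories, and only ever loads by a fully qualified System32 path it builds itself, so a winmm.dll dropped next to the EXE is never consulted. The Win32 calls are compiled only on Windows (Windows 8+, or Windows 7 with the KB2533623 update); the path-building check is portable C.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#define _WIN32_WINNT 0x0602   /* SetDefaultDllDirectories is declared for Win8+ SDK targets */
#include <windows.h>
#endif

/* Return 1 if name is a bare file name: no directory separators, no drive
   letter, no ".." component. Anything else could redirect the load. */
int is_bare_dll_name(const char *name) {
    if (!name || !*name) return 0;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':')) return 0;
    if (strstr(name, "..")) return 0;
    return 1;
}

/* Build "<sysdir>\<name>" into out. Returns 0 on success, -1 if the name is
   rejected or the buffer is too small (never truncates silently). */
int build_system32_path(const char *sysdir, const char *name,
                        char *out, size_t outlen) {
    if (!is_bare_dll_name(name)) return -1;
    size_t need = strlen(sysdir) + 1 + strlen(name) + 1;
    if (need > outlen) return -1;
    snprintf(out, outlen, "%s\\%s", sysdir, name);
    return 0;
}

#ifdef _WIN32
/* Load a system DLL without ever consulting the EXE directory or CWD.
   In a 32-bit process on x64 Windows, GetSystemDirectoryA yields the
   WOW64-redirected directory (SysWOW64), which is the right one. */
HMODULE load_system_dll(const char *name) {
    char sysdir[MAX_PATH], full[MAX_PATH];
    /* 1. Restrict the default search order to System32 for this process. */
    if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)) return NULL;
    if (!GetSystemDirectoryA(sysdir, sizeof sysdir)) return NULL;
    /* 2. Load by fully qualified path only; a bad name is refused up front. */
    if (build_system32_path(sysdir, name, full, sizeof full) != 0) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

The same flag can be applied process-wide at startup before any delay-loaded import resolves; this helper covers the explicit LoadLibrary case.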
