Have S-ICE detection, Need Help. Am Confused.


Aimless
November 2nd, 2000, 00:16
Hullo,

As you know, I am a complete newbie, and am slowly trying to crawl my way up to the 'higher' levels. However, in my quest for 'higher' cracking proggies, I encountered a small proggie (about 19KB), which I am trying.

This obviously has a time check ("Your trial period expired"). My findings are:

1. It has got Anti-Disasm code. IDA does not disasm properly (IDA 4.04, BTW). W32dsm simply falls apart (haven't tried with Sourcer yet.)
2. It has got anti-debugging code (IDT int 01, 03, 05 detection code).
3. It has got anti-SICE code (Interrupt Detection for int 03).
4. It also has an additional section (.yado) which is obviously user made, and the entry-point goes there.
5. It's packed and/or encrypted.

Whew!

Now, the issue is I am trying to tackle things one-by-one. My aim here is to first prise the anti debugging/software code. Note that here TRW2000 and SICE 4.05 (w9x) just hang! I have to re-boot to get it working.

However, very good s-ice and anti-debugger hooks were revealed to me by FrogsICE (god bless him!) in FrogsICE's return codes 05 and 00.

Therefore, after all these explanations, my questions:

(1): Frog's print has accurately shown me the op-code and the cs:eip where this occurs. The problem is nopping/bypassing the instruction does not help at all. Therefore, what is the next logical step to follow?
(2): I have not yet tried dumping the active process. But would that be helpful? Considering these extra protections, I am sure there would be an anti-dumping thingy too.

Any responses shall be gratefully appreciated.

As ever

Aimless
November 2nd, 2000, 00:19
Thx

Int19
November 2nd, 2000, 08:54
If it's the yado's kripton2 crackme, it took me about 10 days to crack it. I've maintained a log of all "malicious" locations.
There are many anti-SI checks on int1, int3 and the debug registers, 2 checksum checks, and the file is encrypted with the checksum value. And it crashes your machine if something goes wrong.
I'll send you my logs if you want.

tsehp
November 2nd, 2000, 14:31
Can you post it here? That could be interesting for people that want to try their skills on this crackme.
TIA

tsehp

Int19
November 2nd, 2000, 15:34
Here's the Yado's Krypton2 crackme, inside the zip file there's also the version patched by me.

kr
November 2nd, 2000, 19:30
i annoyed the creator of this crackme.. i kinda lost touch with reality and blamed him for crashing my pc 100 times whilst i was debugging it.. even though after the first time it locked up my pc, the other 99 times i ran it knowing this would happen..

he 'forgot' to put in the readme that it DIDN'T run on win95, and WOULD crash your computer..

it got cracked, ida & tasm helped me code a decryptor for it.. eventually it was win95 compatible..

anyway, win95 users, beware of this dodgy product..

Aimless
November 3rd, 2000, 03:04
Dear Int19.

Thank you very much for the encouraging responses. Yes, it is indeed krypton2, from lockless.com by Yado.

I totally agree with you that your logs would be excellent. However, what I need, is the "strategy" to break it.

I mean, where is the starting point. Where does the beginning begin?

Thanks in advance.

xOANINO [UCF]
November 3rd, 2000, 06:02
Eheheh .... lame krypton 2 .....
here in Italy everybody said it was a hell to crack ....
I looked at it with IDA while chatting on IRC, and personally I think it's nothing more than a collection of lame well-known antidebugging tricks, with nothing particular......
All I can remember is that it uses INT 5 to switch to ring0, and the next layer decrypter is executed there.
So to successfully decrypt it (should be 2-3 layers) trace into the INT 5 handler. There are also lame crc checks around, to prevent you from patching the code.
All this was done months ago, so maybe the info is not completely correct.... but I remember that INT 5 thing clearly.

xOANINO
[UCF]

Int19
November 3rd, 2000, 14:48
First make sure that you're clean (INT 1 and INT 3 MUSTN'T point to K2).
If you have already executed K2 with Softice loaded in memory, they probably point to K2 code and you will soon be in "the middle of nowhere". I'm a newbie like you and the only solution that I could find is to reboot my PC :-P

Question: Can anyone tell me how to restore IDT after that K2 has changed it?

Start stepping INSIDE every call that you encounter; after some time you'll be familiar with those instructions because they are repeated very often and in the same order. They are only junk instructions, and the only useful instruction is after the jnz of every "junk circle".
These are the initial instructions:
SIDT [4073d3]        ; store IDTR: 16-bit limit at 4073d3, 32-bit IDT base at 4073d5
mov ebx, [4073d5]    ; ebx = linear base of the IDT
add ebx, 8           ; each gate is 8 bytes, so ebx now points at the INT 1 gate
...

As said by xoa, all the crackme is a collection of "lame Anti-SI tricks", but from the "newbie side" I suggest this crackme to every other newbie like me because it has been very useful to improve my skills on Anti-SI and Exceptions.

Sorry but I'm not a very good English writer, bye.

Int19
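
A worked decoding of what the SIDT / mov ebx,[base] / add ebx,8 sequence above walks through, added here as an example and not code from the thread, from krypton2 or from Int19. It decodes a 32-bit IDTR image and its 8-byte gate descriptors, then applies the "make sure you're clean" check: do the INT 1 and INT 3 gates point into the program's own image? The IDTR base and limit, the handler addresses and the image range 0x400000-0x409000 are constructed sample values, not taken from the crackme.

```c
#include <stdint.h>

/* Constructed IDTR image as SIDT stores it: 16-bit limit, then 32-bit linear base.
 * Sample values (not from the post): a 256-gate IDT (limit 0x7FF) at 0x80010000. */
static const uint8_t IDTR_IMAGE[6] = { 0xFF, 0x07, 0x00, 0x00, 0x01, 0x80 };
static uint8_t SAMPLE_IDT[256 * 8];          /* constructed copy of a 32-bit IDT */
typedef struct { uint32_t handler; uint16_t selector; uint8_t type_attr; } idt_gate;

/* SIDT lays the base down 2 bytes after the limit: [4073d3] limit, [4073d5] base. */
static uint32_t idtr_base(const uint8_t *img) {
    return (uint32_t)img[2] | (uint32_t)img[3] << 8 | (uint32_t)img[4] << 16 | (uint32_t)img[5] << 24;
}
static uint16_t idtr_limit(const uint8_t *img) { return (uint16_t)(img[0] | img[1] << 8); }

/* Each 32-bit gate descriptor is 8 bytes, so vector n sits at base + 8*n; that is the
 * "add ebx, 8" in the post, which steps from vector 0 to the INT 1 gate. The handler
 * offset is split: bits 0-15 in bytes 0-1, bits 16-31 in bytes 6-7. */
static int decode_gate(const uint8_t *idt, uint16_t limit, unsigned vector, idt_gate *out) {
    if ((uint32_t)(vector + 1) * 8 > (uint32_t)limit + 1) return 0;  /* past the table end */
    const uint8_t *g = idt + vector * 8;
    out->handler   = (uint32_t)(g[0] | g[1] << 8) | (uint32_t)(g[6] | g[7] << 8) << 16;
    out->selector  = (uint16_t)(g[2] | g[3] << 8);
    out->type_attr = g[5];
    return 1;
}

/* Write one gate into the sample table (helper used only to build constructed data). */
static void set_gate(unsigned vector, uint32_t handler, uint16_t sel) {
    uint8_t *g = SAMPLE_IDT + vector * 8;
    g[0] = handler & 0xFF;         g[1] = (handler >> 8) & 0xFF;
    g[2] = sel & 0xFF;             g[3] = sel >> 8;
    g[4] = 0;                      g[5] = 0x8E;   /* present, DPL 0, 32-bit interrupt gate */
    g[6] = (handler >> 16) & 0xFF; g[7] = handler >> 24;
}

/* Constructed table: every vector goes to a kernel stub except INT 1, which has been
 * redirected into the user-mode image (the situation Int19 says to check for). */
static const uint8_t *build_sample_idt(void) {
    for (unsigned v = 0; v < 256; v++) set_gate(v, 0x80012345u, 0x0008);
    set_gate(1, 0x004073A0u, 0x0008);
    return SAMPLE_IDT;
}

/* Returns 1 if the vector's handler lies in [lo, hi), 0 if not, -1 if the vector is invalid. */
static int vector_points_into(const uint8_t *idt, uint16_t limit, unsigned vector,
                              uint32_t lo, uint32_t hi) {
    idt_gate g;
    if (!decode_gate(idt, limit, vector, &g)) return -1;
    return g.handler >= lo && g.handler < hi;
}
```

On a real machine the IDTR image would come from SIDT and the table copy from kernel memory; here both are constructed so the decoding runs anywhere.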

kill3xx
November 3rd, 2000, 16:31
Quote:
xOANINO [UCF] (11-02-2000 07:02 p.m.):
XOANINO
^^^^^
[UCF]

my leim detector has raised an unhandled leim post exception on this

muwahahahaah

cu on irc.
ur favorite leim,

kill3xx

Yado
November 6th, 2000, 13:01
Hi
well well ... , I'm here only to say a thing.
krypton2 was born from an idea of mine to help newbies with some nice (maybe old) anti-SICE and anti-debug tricks.
I did it on win98 and I was wrong, I know this, I have not tested it under win95 ... it's my fault, sorry.
But I'm happy because a lot of people found it useful.
Xoa.. well you are right, but this crackme is not made for a target of people like you, but for newbies, so please don't waste me. While for all the others that want to ask something about krypton2, feel free to contact me, if I can I'll answer.
P.s.: if you don't like it, simply do something else, there are a lot of crackmes that are coded better. Excuse me for my English.
Byez .... Yado of Lockless