RCE Messageboard's Regroupment

[Discussion] Do you have an analysis format?

Zerith — Thu, 09 Feb 2012 16:36:50 GMT

Hey everyone.

When reversing targets, I have always been writing my findings & comments on the analysis of the target on a sheet of Notepad++ file. It is really messy and Only I (if at all) can understand it.

Furthermore, I've noticed that If i deal with a really large target with a lot of analysis required, and I'd pause and come back to the target like a week later, I'd forget all the things I've learned about the target, and my messy analysis comments on Notepad++ would be of little help to understand what the hell i was doing.

If i were to try and cooperate with someone to reverse a target, It would be almost impossible for me and him to understand each other's comments without some kind of fixed format.

So, my question is to you: Do you have your own Format for writing your Analysis, thoughts and ideas about the target you're reversing?

Please post an example format if you have one.

Thanks for any comments!

crackmes.de is back!

Darkelf — Wed, 08 Feb 2012 16:38:37 GMT

Hi there,

I just saw that crackmes.de is back in the ring.
A day to celebrate - at least for me since I like the site very much.

Regards
darkelf

OllyDbg v1.10 And Hardware Breakpoints

walied — Tue, 07 Feb 2012 23:16:23 GMT

While playing with OllyDbg v1.10, i came across a weird behavior of OllyDbg v1.10, which was fixed in the latest version. The problem lies in the way OllyDbg sets hardware breakpoints.

At 0x4D8D70, there is an array of four structures of type, t_hardbpoint.

Each structure in this array holds information about each hardware breakpoint. Information includes hardware breakpoint address, type, and size. When you manually set a hardware breakpoint, this structure is filled, but the breakpoint is not immediately activated.

On the other hand, when an EXCEPTION_SINGLE_STEP or EXCEPTION_BREAKPOINT is received, information in the structures at 0x4D8D70 is copied to DR0 through DR3 overwriting old values in them, if there are any. The point here is that if you programmatically set a hardware breakpoint, single stepping will be enough to cause debug registers to be cleared.

N.B. IDA pro and OllyDbg v2.0 behave normally with this scenario.

An executable demonstrating how to use this strange behavior to detect OllyDbg v1.10 can be found here.
http://ollytlscatch.googlecode.com/files/demo_hwbp.exe

Original topic here.
http://waleedassar.blogspot.com/2012/02/ollydbg-v110-and-hardware-breakpoints.html

Help with flexlm 10.1 license

naragorn — Tue, 07 Feb 2012 02:57:12 GMT

Hey, ive read a lot lately, but havent found my type of license which goes like this(this is a cracked license i found on web):

FEATURE Urien_S2k MAPTEK 1.000 01-jan-2013 uncounted AC8FC346E630 \
VENDOR_STRING=2100000mk>j[FXWFGAEgTX_KA6G_qqBDR[CO?;EXK7BGM:PelqN6MF HOSTID=ANY

So the questions are:

- How do i generate a license that contains Vendor:String,
- Is there a way to decrypt vendr string?

Another issue im having is that i cant find features, i know i can search for "lm_ckout" and then i find lc_checkout, but where exactly should i look to get the feature names. (Ive tried enabling FLExlm diagnostics, it doesnt work.

Hope someone can help me, thx in advance

what are differences between a packer and a crypter?????

kbt0000 — Sat, 04 Feb 2012 00:31:31 GMT

As far as i know, packer is partly for anti reversing and crypter is to bypass anti virus program. So what are differences between them , if have???Can anybody tell some basic princples of them??? Thank in advance

Free tool for tree disassembly?

Sunk — Fri, 03 Feb 2012 18:02:02 GMT

I'm a little familiar with linear disassembly with something like Olly, but am wondering if there is free software that does tree disassembly other than the free version of IDA. I've searched but haven't found anything so far.

Writing a pure Native DLL

cpuZ — Mon, 30 Jan 2012 23:47:00 GMT

Does anyone have a small sample of how to do this? I'd like to write a native DLL which doesn't link to anything other than ntdll.lib, is this possible and will the entrypoint be executed when loaded by a Win32 process? I don't need to export any routines or anything, just wanting to write a native DLL since I never have seen this done exactly. Thanks

Regards,
cpuZ

Hackforums.net down????

dotuanvn1977 — Mon, 30 Jan 2012 12:16:29 GMT

anyone know what s happened to famed hackforums.net.In recent days, i could not access it and received 403 forbidden page. Is it in trouble with police like megaupload??sorry for my bad question, but i do not know where to ask

OllyDbg trace gets "lost" in OS code

romkyns — Sat, 28 Jan 2012 12:00:24 GMT

I'm trying to trace through a piece of code in two different situations and see the point at which the execution traces diverge.

For some reason, however, my traces seem to get lost while executing OS code: Olly traces on and on through a system DLL and then all of a sudden it finds itself on a breakpoint back in user code, having skipped a large number of instructions. For example:

Code:

004036A3 Main     push    0

004036A5 Main     call    

00403698 Main     jmp     [dword <&user32.GetKeyboardType>]

GetKeyboardType   mov     edi, edi

75A29AC6 Main     push    ebp

75A29AC7 Main     mov     ebp, esp

...

... snip 20 thousand instructions

...

77801003 Main     call    [dword fs:C0]

73A92320 Main     jmp     far 0033:73A9271E

759E60E2 Main     add     esp, 4

    Breakpoint at mycode.00575E5E

00575E5E Main     mov     ebp, esp

See what happens there at the end: the trace stops at the "add" for some reason, after successfully tracing quite a bunch of OS code, and never really resumes until it hits a breakpoint.

Why is this happening and how can I fix this?

CoreRestore alternative?

Sunk — Thu, 26 Jan 2012 23:25:05 GMT

I've heard good things about CoreRestore, but I can't find it anymore... so are there any alternatives hardware solutions for easily restoring a hard drive to a previous state?

x64 Memory Mapped File Execution Issue

cpuZ — Tue, 24 Jan 2012 01:59:31 GMT

Hello all,

I am wondering why my example code below works perfectly fine on x86 Windows NT OS (XP SP2 and above) compiled as a 32-bit binary and when compiled as a 64-bit binary it does not work on x64 OS (Testing with Windows 7 Ultimate x64). It appears that doing this causes a seg fault in x64, removing stdcall also has no effect. Oddly enough, if I were to point to a native API such as NtClose it works perfectly on x64 but not other functions in other DLL modules. Anyone know what is going on here with this 64-bit difference?

Code:

#define FILE_MAP_EXECUTE 0

        

        

  LPVOID __stdcall MapModuleToMemory(LPCSTR lpFileName) 

  {

        HANDLE hFile = CreateFile(lpFileName, GENERIC_READ | GENERIC_EXECUTE,

                FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);



        if (hFile == INVALID_HANDLE_VALUE)

                    return NULL;



        HANDLE hMappedFile = CreateFileMapping(hFile, NULL, SEC_IMAGE | PAGE_EXECUTE_READ,

                0, 0, NULL);



        CloseHandle(hFile);



        if (!hMappedFile)

                      return NULL;



        LPVOID lpMap = MapViewOfFile(hMappedFile, FILE_MAP_READ | FILE_MAP_EXECUTE, 0,

                0, 0);



        CloseHandle(hMappedFile);



        return lpMap;

}







typedef void (__stdcall *PSleep )(ULONG Milliseconds);



    PSleep MySleep = NULL;







int main(int argc, char *argv[])

{

    char Buf[1024] = {0};

    GetSystemDirectory(Buf, MAX_PATH);

    lstrcat(Buf, "\\kernel32.dll");

    

    LPVOID lpMapBase = MapModuleToMemory(Buf);

    if (lpMapBase)

    {          

     ULONG_PTR SleepPtr = (ULONG_PTR)GetProcAddress(GetModuleHandle(Buf), "Sleep");

     SleepPtr -= (ULONG_PTR)GetModuleHandle(Buf);

     MySleep = (PSleep)(SleepPtr + (ULONG_PTR)lpMapBase);  

     printf("H");

     MySleep(500); 

     printf("E");

     MySleep(500); 

     printf("L");

     MySleep(500); 

     printf("L");

     MySleep(500); 

     printf("0\n\n");     

     UnmapViewOfFile(lpMapBase);

    } 

   else

    printf("Error: Could not map module!"); 

    

    getchar();

    return 0;

}

Regards,
cpuZ

.net String decryption

KarlK — Mon, 23 Jan 2012 07:34:00 GMT

I am trying to reverse a key verification. The target is written in .net and obfuscated with a to me unknown obfuscator. All the method, class names etc. got renamed to some weired unicode characters. The Strings an encrypted in a similar matter. This is what I got so far:
Verification works like this:

Read Code from registry and check if valid (generating a valid key is not my problem, that was a no-brainer)
Read Email from registry
Read hash from registry
Generate hash like md5(const String + email + const String + code + const String) and compare both

The last thing is where I get stuck. I can't get the Strings (at lest two) to plaintext. The hash is sent initially by a server on activation. The decryption Class looks like this:

There is also a small addon program which uses the same license/obfuscator and Class but the String_0 is different there.
So every time a String is used, it uses the function Class2.smethod_0(weired unicode, integer). I just copied the the smethod_0 to my key-generator and strangely some values get decrytped right but the most of them do not. For example:
decodestring("\uf78e\uf78c\uf79b\uf786\uf799\uf78e\uf79b\uf786\uf780\uf781\uf7b0\uf78c\uf780\uf78b\u f78a", 0xf7ef) returns "activation_code" which is right
decodestring("\uf31a\uf318\uf30f\uf312\uf30d\uf31a\uf30f\uf312\uf314\uf315\uf324\uf31e\uf316\uf31a\u f312\uf317", 0xf369) should return "activation_email" but it does not.
I got the right values from watching the process via ProcMon trying to access the registry.
Any help would be greatly appreciated.

Yet Another Anti-Debug Trick

walied — Sun, 22 Jan 2012 16:31:50 GMT

I have recently come up with a new anti-debug trick, which can be useful only if the "Break on new thread" option is set. The trick has been tried on OllyDbg v1.10 and Immunity Debugger v1.83 in WOW64 running on Windows 7. Actually, i am not sure if someone else has already found it.

In any affected debugger, if CREATE_THREAD_DEBUG_EVENT is received and the "Break on new thread" option is set, the debugger places an int3 software breakpoint on the lpStartAddress. There is a narrow time window between setting the int3 software breakpoint and recovering the original byte and this is what we are going to exploit.

N.B. The next few lines are only for demonstration. More complicated methods may evolve out of them.

Having two threads in an application, the first thread does almost nothing and the second one checks the first byte of the first thread's entrypoint, we can simply detect the debugger. See the image below.

Here are the demo and its source code.
http://ollytlscatch.googlecode.com/files/demo.exe
https://docs.google.com/document/d/1kd-Fw110lbK9h-i6Jc2fs57LUjdU2sYji97XCLTTawE/edit

An XP-compatible demo and its source code.
http://ollytlscatch.googlecode.com/files/demo_xp.exe
https://docs.google.com/document/d/1G-6VSCrqM9KI_t82kPTGdo05cmaqyoVZG23o304Pk_o/edit

The original topic.
http://waleedassar.blogspot.com/2012/01/yet-another-anti-debug-trick.html

PETools

OHPen — Thu, 19 Jan 2012 08:59:37 GMT

Hi all,

while playing with a library of mine, dealing with different file formats, i usually use tools like peid, petools and co for revalidation my results and so i saw, that PETools has a bug in deserialization of load config table data directory. it seems that is processing all field with 8 byte size are considered to be 4 bytes only, what is wrong, specificationwise....

maybe somebody who knows NEOx, tell him to fix it ;))))

Regards,
OHPen

Reversing NUTCracker.exe

Holmes.Sherlock — Thu, 19 Jan 2012 01:57:15 GMT

Hi All,

I am new to RCE, however a long back I studied a bit on it & cracked/reversed a few CrackMe/KeyGenMe exercises. Recently, I have come across another cracking exercise, a binary called "NUTCracker.exe". The challenge is to extract a key out of it. With my present knowledge & expertise, I am unable to solve it. Can you please guide me to crack the challenge as well as learn the tricks & techniques?

The binary is here.