Thread: CRC_DRx crackme

  1. #1 evaluator

    CRC_DRx crackme

    ROSASM burnt yet another cr0ckme with SRC!

    kill yO-self now! ~ = D

    edit:
    who will BRUTE, will LEAST PENsIL..
    Last edited by evaluator; August 31st, 2008 at 11:12.

  2. #2
    Avira reports it as a generic virus.

  3. #3 evaluator
    you should be banned for that Avira!

  4. #4 andrewl (Guest)
    Nice crackme! You made so much trouble in such a small exe!

  5. #5 evaluator
    you kill me :(((:

    but remember! if you did brutus, then you killed yourself! (read first post)
    so i'm waiting for your paper on the solution.. how you guess/find/logic/

    PS:
    should this solution be treated as 2 men's work!? (you + JoKa)
    Last edited by evaluator; November 29th, 2008 at 08:04.

  6. #6 andrewl (Guest)
    No, you killed my time.

    There were other techniques tried also. To overwrite SEH. To make
    GetExitCodeThread() fail. To overwrite stack so that arg to
    WaitForSingleObject() and GetExitCode() causes return value of 0.
    Your comment of "here i kill Z-flag, which was from XOR EDX EDX..
    U'r move!" made me look at onBP for a long time, since it zeroes
    EDX. The onTRAP cleared ECX, so I was distracted for a long time
    to somehow control "add ecx, esi" at 4030C5. The fact that both
    onBP and onTRAP increment EIP by one made me try to find a
    vulnerable 1-byte instruction. It was frustrating that elast
    clears all DRx before calculating ECX for main thread.

    Finally I gave up with HW BP in exception handler (some values
    can crash crackme very well). This leaves actually only four
    possible instructions to target:

    Code:
    UD2              <-- onUD2 sets DRx
    UDpl: L2:
    add D$edx ebp
    loop L2
    mov ebp D$edx    <-- elast clears DRx
    Correct location is "mov ebp D$edx".

    Code:
    004030bf 012a            add     dword ptr [edx],ebp
    004030c1 e2fc            loop    image00400000+0x30bf (004030bf)
    004030c3 8b2a            mov     ebp,dword ptr [edx]             <--- HW BP here
    004030c5 03ce            add     ecx,esi                              invokes onTRAP
    004030c7 648b22          mov     esp,dword ptr fs:[edx]
    004030ca 648f02          pop     dword ptr fs:[edx]
    004030cd 740c            je      image00400000+0x30db (004030db)
    onTRAP does ECX=0, ZF=1, EIP++

    Code:
    004030c4 2a03            sub     al,byte ptr [ebx]
    004030c6 ce              into                                    <--- invokes onTRAP
    004030c7 648b22          mov     esp,dword ptr fs:[edx]
    004030ca 648f02          pop     dword ptr fs:[edx]
    004030cd 740c            je      image00400000+0x30db (004030db)
    onTRAP entered with EIP=4030C7 does ECX=0, ZF=1, EIP++

    this skips the "64" prefix for fs:[edx] (no AV) and makes it
    [edx] (AV with edx=0)

    Code:
    004030c8 8b22            mov     esp,dword ptr [edx]            <--- invokes elast
    004030ca 648f02          pop     dword ptr fs:[edx]
    004030cd 740c            je      image00400000+0x30db (004030db)
    elast does EIP+=2 and execution continues at 4030ca. ZF=1 so je taken.
    Last edited by andrewl; November 29th, 2008 at 14:19. Reason: s/ESI/EIP and add [CODE]

  7. #7 evaluator
    >>The fact that both onBP and onTRAP increment EIP by one made me try to
    >>find a vulnerable 1-byte instruction.

    OK, accepted your finding.

    IMHO the logic must look like this:
    1) if the calculation happens in DRx, then the HW_BP occurrence can be guessed;
    2) the SEH_handler code has no strong check for the ERR-code!
    3) +1 reg.EIP (you guess)
