
Thread: Gr. Crackme >>Prove_KongFuZi<<

  1. #1 evaluator (Musician member; Join Date: Sep 2001; Posts: 1,479)

    Gr. Crackme >>Prove_KongFuZi<<

    Now instead, letz Prove KongFuZi:
    "To be wronged is nothing, unless you continue to remember it"

    BTW,
    I searched & found a timed method to get rid of annoying brutterz!! Soon they will cry, ALL :P
    & this is just the 1st step. More precise CPU/Timing coming t_Soon xD
    Last edited by evaluator; June 15th, 2010 at 08:21. Reason: attachment add

  2. #2 evaluator (Musician member; Join Date: Sep 2001; Posts: 1,479)
    I discarded crackmes.de
    blah, now uploading here...
    Last edited by evaluator; June 15th, 2010 at 08:23.

  3. #3 BanMe (|< x != '+'; Join Date: Oct 2008; Location: Farmington NH; Posts: 510)

    smile more?

    I really like this CrackMe.. Using timing as an anti-single-step trick is a most unique feature..
    I would like to go into details about the time I spent looking at this multi-process crackme.. can I? :}

    Also note: I ask because I don't know the 'rules' involved in all this.. You know, the first time I wanted to 'test' my abilities.. I looked at other solutions to get an idea of what is required.. It seems they don't want to completely document code (I do).. also I think the use of timing as a repeatable concept was genius..

    Some analyzed code.. still more to come..
    Code:
    00403000 >/$ 6A 01          PUSH 1                                   ; /Protect = PAGE_NOACCESS
    00403002  |. 68 00200000    PUSH 2000                                ; |AllocationType = MEM_RESERVE
    00403007  |. 68 00000100    PUSH 10000                               ; |Size = 10000 (65536.)
    0040300C  |. 6A 00          PUSH 0                                   ; |Address = NULL
    0040300E  |. FF15 6C104000  CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc
    00403014  |. 85C0           TEST EAX,EAX                 ; Test if error
    00403016  |. 0F84 7D010000  JE Prove_Ko.00403199             ; If error exit process
    0040301C  |. 8BF0           MOV ESI,EAX                     ; Store base address in esi
    0040301E  |. 81C6 00100000  ADD ESI,1000                 ; add esi,4096
    00403024  |. 6A 04          PUSH 4                                   ; /Protect = PAGE_READWRITE
    00403026  |. 68 00100000    PUSH 1000                                ; |AllocationType = MEM_COMMIT
    0040302B  |. 68 00100000    PUSH 1000                                ; |Size = 1000 (4096.)
    00403030  |. 56             PUSH ESI                                 ; |Address
    00403031  |. FF15 6C104000  CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc
    00403037  |. 85C0           TEST EAX,EAX                 ; Test if error
    00403039  |. 0F84 5A010000  JE Prove_Ko.00403199             ; if error exit process
    0040303F  |. 68 4B455900    PUSH 59454B                     ; ascii 'KEY.' as dword 
    00403044  |. 8BCC           MOV ECX,ESP                     ; mov ecx,KEY in esp 
    00403046  |. 6A 00          PUSH 0                                   ; /hTemplateFile = NULL
    00403048  |. 68 80000000    PUSH 80                                  ; |Attributes = NORMAL
    0040304D  |. 6A 02          PUSH 2                                   ; |Mode = CREATE_ALWAYS
    0040304F  |. 6A 00          PUSH 0                                   ; |pSecurity = NULL
    00403051  |. 6A 03          PUSH 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
    00403053  |. 68 000000C0    PUSH C0000000                            ; |Access = GENERIC_READ|GENERIC_WRITE
    00403058  |. 51             PUSH ECX                                 ; |FileName
    00403059  |. FF15 70104000  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
    0040305F  |. 5F             POP EDI                     ; clean stack
    00403060  |. 8BF8           MOV EDI,EAX                     ; mov handle to EDI    
    00403062  |. 40             INC EAX                                  ; junk or is it 'room'.
    00403063  |. 0F84 30010000  JE Prove_Ko.00403199             ; fail if error    
    00403069  |. FF15 74104000  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount] Anti-Debug trick start
    0040306F  |. 8BD8           MOV EBX,EAX                     ; mov TickCount to ebx
    00403071  |. 81FB C0270900  CMP EBX,927C0                 ; 
    00403077  |. 76 58          JBE SHORT Prove_Ko.004030D1             ; jump below this or equal Close Handle
    00403079  |. 81FB 00CA9A3B  CMP EBX,3B9ACA00                 
    0040307F  |. 77 50          JA SHORT Prove_Ko.004030D1               ; jump above close Handle
    00403081  |. C706 94000000  MOV DWORD PTR DS:[ESI],94             ; write 94 to the area of page_readwrite memory
    00403087  |. 895E 04        MOV DWORD PTR DS:[ESI+4],EBX         ; write tick count to area of page_readwrite memory + 4
    0040308A  |. 6A 00          PUSH 0                                   ; /pOverlapped = NULL
    0040308C  |. 54             PUSH ESP                                 ; |pBytesWritten
    0040308D  |. 68 94000000    PUSH 94                                  ; |nBytesToWrite = 94 (148.)
    00403092  |. 56             PUSH ESI                                 ; |Buffer
    00403093  |. 57             PUSH EDI                                 ; |hFile
    00403094  |. FF15 78104000  CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
    0040309A  |. 68 D0070000    PUSH 7D0                                 ; /Timeout = 2000. ms
    0040309F  |. FF15 7C104000  CALL DWORD PTR DS:[<&KERNEL32.Sleep>]    ; \Sleep
    004030A5  |. FF15 74104000  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
    004030AB  |. 2BC3           SUB EAX,EBX
    004030AD  |. 2D B80B0000    SUB EAX,0BB8                 ; eax should equal 0 
    004030B2  |. 77 1D          JA SHORT Prove_Ko.004030D1             ; if eax not less than zero close the handle to the key file..
    004030B4  |. 6A 00          PUSH 0                                   ; /Origin = FILE_BEGIN
    004030B6  |. 6A 00          PUSH 0                                   ; |pOffsetHi = NULL
    004030B8  |. 6A 00          PUSH 0                                   ; |OffsetLo = 0
    004030BA  |. 57             PUSH EDI                                 ; |hFile
    004030BB  |. FF15 80104000  CALL DWORD PTR DS:[<&KERNEL32.SetFilePoi>; \SetFilePointer
    ; set the Key file pointer to 0
    004030C1  |. 6A 00          PUSH 0                                   ; /pOverlapped = NULL
    004030C3  |. 54             PUSH ESP                                 ; |pBytesRead
    004030C4  |. 68 94000000    PUSH 94                                  ; |BytesToRead = 94 
    004030C9  |. 56             PUSH ESI                                 ; |Buffer
    004030CA  |. 57             PUSH EDI                                 ; |hFile
    004030CB  |. FF15 84104000  CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
    ; read first 94 bytes of key file 
    004030D1  |> 57             PUSH EDI                                 ; /hObject Key File Handle
    004030D2  |. FF15 88104000  CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
    004030D8  |. 2BC0           SUB EAX,EAX                     ; zero out eax    
    004030DA  |. 64:8308 FF     OR DWORD PTR FS:[EAX],FFFFFFFF           ; More fuzz??
    004030DE  |. 64:8B78 08     MOV EDI,DWORD PTR FS:[EAX+8]             ; mov edi stack start
    004030E2  |. 64:8B48 04     MOV ECX,DWORD PTR FS:[EAX+4]         ; mov ecx stack end
    004030E6  |. 2BCF           SUB ECX,EDI                     ; end - start    
    004030E8  |. C1E9 02        SHR ECX,2                     ; divide by 4    
    004030EB  |. FC             CLD                         ; Clear Direction flag..
    004030EC  |. F3:AB          REP STOS DWORD PTR ES:[EDI]             ; zero stack 
    004030EE  |. 81E4 00F0FFFF  AND ESP,FFFFF000
    004030F4  |. 81C4 00100000  ADD ESP,1000
    004030FA  |. 68 A4314000    PUSH Prove_Ko.004031A4;             ; push SEH handler
    004030FF  |. 6A FF          PUSH -1                     ; push ffffffff end of chain
    00403101  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP                 
    00403104  |. 0F0B           UD2                         ; trigger exception
    00403106  |. 8D6C24 80      LEA EBP,DWORD PTR SS:[ESP-80]            ;return here after exception
    I'm working on this and so much other stuff... I hope to show your code in all its glory and maybe even really understand it, and if not I will at least know more about where I can improve...

    I am sorry if you think I would berate thee.. I only wish to see more of the light you keep hidden..so I may see it better.. Is that a wrong goal?
    Last edited by BanMe; April 23rd, 2011 at 21:30.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!
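As an added illustration of the GetTickCount gate in the listing above (editor-supplied C, not code from the crackme, from evaluator or from BanMe), the block below reproduces the three compare-and-branch decisions between 00403069 and 004030B2 with the same unsigned 32-bit semantics. The immediates (0x927C0, 0x3B9ACA00, 0x7D0, 0xBB8) are copied from the listing; the function names, the enum and the sample tick-count pairs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Immediates copied from the listing; everything else here is constructed. */
#define TICK_MIN   0x927C0u      /* CMP EBX,927C0    / JBE -> 600000 ms, ten minutes of uptime   */
#define TICK_MAX   0x3B9ACA00u   /* CMP EBX,3B9ACA00 / JA  -> 1e9 ms, roughly 11.6 days of uptime */
#define SLEEP_MS   0x7D0u        /* PUSH 7D0 before Sleep  -> 2000 ms                            */
#define BUDGET_MS  0xBB8u        /* SUB EAX,0BB8           -> 3000 ms allowed for the round trip  */

typedef enum {
    GATE_SKIPPED_UPTIME, /* one of the two range compares jumped to CloseHandle at 004030D1 */
    GATE_SKIPPED_SLOW,   /* JA at 004030B2 taken: more than BUDGET_MS passed around Sleep   */
    GATE_PASSED          /* fell through to SetFilePointer / ReadFile                       */
} gate_result;

/* CMP EBX,927C0 / JBE and CMP EBX,3B9ACA00 / JA are unsigned compares, so the
 * key-file write/read path is only armed when TICK_MIN < tick <= TICK_MAX. */
bool uptime_in_range(uint32_t tick)
{
    return tick > TICK_MIN && tick <= TICK_MAX;
}

/* SUB EAX,EBX ; SUB EAX,0BB8 ; JA.
 * JA tests CF=0 and ZF=0 after the second SUB, which is exactly
 * "(after - before) > 0xBB8" in unsigned 32-bit arithmetic.  The modular
 * subtraction also measures a wrapped tick counter correctly. */
bool elapsed_too_long(uint32_t before, uint32_t after)
{
    uint32_t elapsed = after - before;  /* SUB EAX,EBX, modulo 2^32 */
    return elapsed > BUDGET_MS;         /* JA: no borrow and result non-zero */
}

/* The whole gate, from the first GetTickCount to the fall-through into ReadFile. */
gate_result evaluate_gate(uint32_t tick_before, uint32_t tick_after)
{
    if (!uptime_in_range(tick_before))
        return GATE_SKIPPED_UPTIME;
    if (elapsed_too_long(tick_before, tick_after))
        return GATE_SKIPPED_SLOW;
    return GATE_PASSED;
}

/* Slack the check tolerates on top of Sleep's own 2000 ms. */
uint32_t tolerated_slack_ms(void)
{
    return BUDGET_MS - SLEEP_MS;
}

int main(void)
{
    /* Constructed tick-count pairs; a real run would read GetTickCount() twice. */
    struct { const char *label; uint32_t before, after; } cases[] = {
        { "normal run, Sleep returned after 2003 ms",   700000u, 700000u + 2003u },
        { "paused for one extra second (exactly 3000)", 700000u, 700000u + 3000u },
        { "paused a little longer (3001 ms)",           700000u, 700000u + 3001u },
        { "machine up for under ten minutes",           600000u, 602000u },
    };
    static const char *names[] = { "skipped (uptime)", "skipped (too slow)", "passed" };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        gate_result r = evaluate_gate(cases[i].before, cases[i].after);
        printf("%-46s -> %s\n", cases[i].label, names[r]);
    }

    /* The subtraction alone, with a wrapped counter: 0x8D0 - 0xFFFFFF00 = 0x9D0 = 2512 ms. */
    printf("wrapped counter, 2512 ms elapsed          -> too long: %s\n",
           elapsed_too_long(0xFFFFFF00u, 0x000008D0u) ? "yes" : "no");
    printf("slack beyond Sleep(2000): %u ms\n", (unsigned)tolerated_slack_ms());
    return 0;
}
```

Two details worth noticing when reading the listing with this in hand: the JA after `SUB EAX,0BB8` fires only when the measured delta is strictly greater than 3000 ms, so a Sleep(2000) round trip has about one second of headroom before the key-file read is skipped, which is what makes pausing the process inside that window observable; and because the upper range check caps the starting tick at 1e9, the subtraction can never wrap inside the gate itself, so the modular arithmetic only matters when the check is reasoned about in isolation.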
