Page 1 of 2 12 LastLast
Results 1 to 15 of 27

Thread: PatchMe / KeygenMe

  1. #1

    PatchMe / KeygenMe

    Here is a crackme. It is not really mine as it is composed of 'stuff' taken from this forum.
    As I'm not an experienced reverser I have no idea how difficult it is. I guess it is easy to patch but I think it will be more difficult to make a keygen (except for blabberer...doh that was my first hint )
    CrackMe.zip

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,048
    Blog Entries
    5
    Nice one niaren! The heart of it reminds me of a certain conference RE Challenge from this Spring that was mentioned here, and which one of our members posted a nice explanation for, that should be obscure enough...

    Oh yes, this looks fun and challenging
    In fact, I think patching would be more difficult than keygenning...

  3. #3
    hi kayaker I tried to open up the file in IDA and I was surprised to see how much code visual studio inserts into the executable. The source code (build with VS2010) consists of quite few lines of code but the exe file is huge compared to that. So VS2010 does a very good job of providing a first layer of obfuscation/obscurity The code that I know of starts at VA 0x401000 all the code executed from the entry point to that address is something visual studio is responsible fore.

    I'm not sure which conference you're referring to

  4. #4
    Quote Originally Posted by Kayaker View Post
    In fact, I think patching would be more difficult than keygenning...
    I have thought about this and maybe you are indeed correct. This must mean you already know what have been done
    I thought about keygenning as 'fishing' out the true code and build the keygen using that but maybe your suggestion is simpler.
    I will try to see if I can find a patch later, not even sure how many bytes need to be patched.
    I would like to ask you a question but will wait a couple of days just in case others want to have a look. Then I can also disclose how the exe was made.

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    I tried to open up the file in IDA and I was surprised to see how much code visual studio inserts into the executable.
    it is called c runtime support code aptly named WinMainCrtStartUp (source code for that is available with your visual studio setup (look for crtexe.c)
    it sets up console / exception / tls / exit / heap / garbage collectors / constructors / destructors /terminate handlers etc and calls WinMain or wmain which is the code you wrote and when your code returns cleans up and returns back to system it is quiet standard and for the trained eye th complete code will be neglected in one go so no obfuscation there

    the byte comparison and vm like code gen is good

  6. #6
    Thanks blabblerer! If you just knew how many times I have landed in this crtexe.c file whenever debugging in Visual Studio..and despite of this it has never occured to me that the code in that file is build into my application. I will definately google that file and learn more about its functionality. Then I can also find out if it is possible to stop visual studio from linking crtexe into the exe.

    hehe, I think you know what is going on. Can you show a valid key
    I found that this post/blog http://www.woodmann.com/forum/entry.php?167-VMprotect-VM_logic-%28in-v1-8-demo%29 seems very similar to what is going on in the crackme...that is a very strong hint!

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    you dont have to google for that file if you have installed visual studio completely it should be available in crt\src folder
    if it is not available repair install vs to install all components

    Code:
    C:\>dir  /s /b "c:\Program Files\Microsoft Visual Studio 10.0"\crtexe.c
    c:\Program Files\Microsoft Visual Studio 10.0\VC\crt\src\crtexe.c
    
    C:\>
    no you cant avoid vs from linking with that as it is necessary component without it no console support will be available
    you cant use printf or stdio.h

    if you do not care about console mode and are interested in Windows Mode Only
    you can avoid crt code from being linked

    copy paste to foo.bat and run this bat file for an example

    Code:
    pushd ..
    @call "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
    popd
    echo #include ^<windows.h^> > test.cpp
    echo int main (void) { MessageBoxA(NULL,"Hi","Hello",NULL); ExitProcess(0);}; >> test.cpp
    cl test.cpp /link /SUBSYSTEM:Windows /ENTRY:main user32.lib kernel32.lib
    didn't i post vm like code earlier you got your key with that reply

  8. #8
    Quote Originally Posted by Kayaker View Post
    In fact, I think patching would be more difficult than keygenning...
    Hi kayaker, is it possible that you can tell exactly what made you first conclude that this is VM? To a trained eye I guess it is obvious but I'm just curious to learn what first got you thinking that this is VM?
    Did it just 'stink' of VM from the beginning?
    Was it the dispatcher loop from 40C3F2 to 40C41E that revealed the VM?
    Was it some particular call flow or special instruction sequence?

    It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
    If the byte at file offset 7DDF is changed from C3->C0 any key of length 23 is accepted.

  9. #9
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,456
    Blog Entries
    15
    can a virtual patch be called patching ?

    Attachment 2899
    Attached Images Attached Images  

  10. #10
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    In fact, I think patching would be more difficult than keygenning...
    Imho, not this time. Understanding the protection routine is quite easy but a patch on the fly is really easy.

    The dispatcher loop is always a good tip in a VM recognition process!
    The VM is easy, it has few specific instructions and it's able to emulate x86 instructions.

    It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
    It's possible to register the crackme with any 23 bytes length serial patching a single byte of the original exe, you only have to understand VM bytecode 0x00.

    Offset 0x7DDF contains the single byte check and... good luck
    A mind is like a parachute. It doesnt work if it's not open.

  11. #11
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    That was a very cool minimalist VM I managed to make a 1 byte patch like ZaiRoN did and might look into keygenning if I have time after lunch.

    Cheers!

    -rendari

  12. #12
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    I might be understanding this wrong, but can you even generate a key for this that is valid ascii characters?

    -rendari

  13. #13
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,048
    Blog Entries
    5
    Heheh blabberer, that's almost exactly the same conditional breakpoint virtual patch I came up with, except I was going to maybe change the opcode bytes to 'cmp al, al' or something rather than flipping the zero flag, just for fun.

    I wasn't sure yet if the 'cmp al, bl' instruction was generated from the same location in the byte sequence beginning at 40c000, or whether there were multiple instances. If just the one, then yes I guess a 1-byte patch is possible.

    What this reminded me of immediately was the Athcon 2013 RE Challenge and which Zairon nicely ripped apart

    http://zairon.wordpress.com/2013/06/11/athcon-2013-re-challenge/

  14. #14
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    Quote Originally Posted by rendari View Post
    I might be understanding this wrong, but can you even generate a key for this that is valid ascii characters?
    First of all try to answer this question: are you able to get the first valid char of the serial?
    A mind is like a parachute. It doesnt work if it's not open.

  15. #15
    Quote Originally Posted by blabberer View Post
    can a virtual patch be called patching ?
    That is another very nice windbg command
    bp 40c32a ".if( (wo(40c32d)==c33a) ) {bp /1 40c32f \"r @al,@bl;r zf = 1;gc\";gc} .else {gc}";

    bp 40c32a
    First set a conditional break on the address right before the VM is going to execute the cmp instruction

    .if( (wo(40c32d)==c33a) ) .else {gc}";
    only break if the instruction to be executed is cmp al,bl

    "bp /1 40c32f" ;gc
    if the instruction is the cmp al,bl then set a one-time BP on the instruction right after the cmp al,bl instruction and continue

    r @al,@bl;r zf = 1;gc
    when windbg breaks at 40c32f, print out the contents of al and bl registers and force zero flag to be set such that the keygen computation continues.

    This part of the command bp /1 40c32f \"r @al,@bl;r zf = 1;gc is slightly confusing
    There is a gc at the end but is that because the 'outer' BP is a conditional BP? it also works if it is just g....

    blabberer, do you know if it possible to set breakpoints on all instructions from some start address to some end address, programatically in windbg? I've tried to google but have not found out if it is possible. It is possible to set BPs on multiple functions at a time by using wildcards.

Similar Threads

  1. New KeygenMe: Darkelf KeygenMe #2
    By Darkelf in forum Mini Project Area
    Replies: 0
    Last Post: July 20th, 2012, 16:20
  2. Just a KeygenMe...
    By Darkelf in forum Mini Project Area
    Replies: 18
    Last Post: February 29th, 2012, 19:56
  3. ARTeam: Bypass the Obfuscation scheme of Benladan's PatchMe v1.1
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: December 21st, 2009, 10:35
  4. Easy KeygenMe !!
    By kami13x in forum Mini Project Area
    Replies: 17
    Last Post: March 7th, 2006, 20:54
  5. My New KeygenMe --- Give it a try ;-)
    By GodsJiva in forum Mini Project Area
    Replies: 27
    Last Post: September 1st, 2002, 18:30

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •