
Thread: PatchMe / KeygenMe

  1. #16
    The crackme was formed in two stages. First the raw/original crackme source file (see below) was built using VS2010 Pro. The heart of the crackme is the keygen computation, which was outright stolen from blabberer in this thread http://www.woodmann.com/forum/showthread.php?15414-Crack-me-help. That is the inline asm part in the source file. In the second stage the inline asm part was VM'ed by 'VMLite' (don't know its real name) as provided here http://www.woodmann.com/forum/showthread.php?15276-x86-Code-Virtualizer-Src.

    I don't think it caused any problems to you but I manually renamed the added section (the one with the opcodes) .reloc

    crackme.c.zip
    (just remove the .zip part of filename)

  2. #17
    Quote Originally Posted by ZaiRoN:
    The dispatcher loop is always a good tip in a VM recognition process!
    One way to maybe add in some initial confusion if the VM'ed code is not huge or time critical etc could be to unroll the dispatcher loop or maybe take it one step further by simply inlining the VM handlers (then there is no dispatcher at all)....


    Quote Originally Posted by ZaiRoN:
    It's possible to register the crackme with any 23 bytes length serial patching a single byte of the original exe, you only have to understand VM bytecode 0x00.
    Offset 0x7DDF contains the single byte check and... good luck
    I can see from the link that kayaker provided that you have done some serious VM reversing! I'm personally impressed that you could determine the purpose of the 00 opcode/bytecode so quickly. It took me half a day looking at the source to figure out exactly how that handler worked. For quite some time I thought that most of the instructions in that handler were garbage...

    Another 'attack' point of VMs is that there must be two handlers: one handler that transforms the x86 state to VM state, and one that does the reverse.

  3. #18
    Super Moderator
    Quote Originally Posted by niaren:

    bp 40c32a
    First set a conditional break on the address right before the VM is going to execute the cmp instruction
    the cmp al,bl is generated on the fly so you can't set a bp on the exact address as it will always be overwritten
    so the bp is set on a stable address a few bytes above the self-modifying code


    This part of the command bp /1 40c32f "r @al,@bl;r zf = 1;gc" is slightly confusing
    There is a gc at the end but is that because the 'outer' BP is a conditional BP? it also works if it is just g....
    both bps are conditional breakpoints

    inner bp is a one-time conditional bp (there is no explicit condition but a command needs to be executed on break so it is an implicit conditional break)
    command executed prints al,bl and sets the zf flag so needs to go from condition
    outer bp checks for cmp al,bl and on success sets a bp so needs to go from condition
    blabberer, do you know if it is possible to set breakpoints on all instructions from some start address to some end address, programmatically in windbg? I've tried to google but have not found out if it is possible. It is possible to set BPs on multiple functions at a time by using wildcards.
    what do you mean by programmatically ? writing a debugger extension ?
    if yes then i think you can code something that simply starts disassembling to find the length of each instruction
    and sets bps successively on each instruction

    if it is from the windbg command line i haven't needed it yet so haven't thought of anything
    now that you ask i'll update this thread if i find a hack that sets bps from 401000 to 401010
    like
    bp 401000
    bp 401005
    bp 401006
    bp 40100d
    quit


    update

    here is a hack that sets breakpoints on 10 instruction / 2 instructions in winxp sp3 calc.exe
    sed should be available in environment path for this to work

    Code:
    0:000> bl
    0:000> .shell type c:\setbp.txt
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) {r $t0 = place; bp @$t0 }
    0:000> $$>a< c:\setbp.txt calc!WinMain l10

    0:000> bl
    0 e 01001f51 0001 (0001) 0:**** calc!WinMain
    1 e 01001f56 0001 (0001) 0:**** calc!WinMain+0x5
    2 e 01001f5b 0001 (0001) 0:**** calc!WinMain+0xa
    3 e 01001f61 0001 (0001) 0:**** calc!WinMain+0x10
    4 e 01001f62 0001 (0001) 0:**** calc!WinMain+0x11
    5 e 01001f63 0001 (0001) 0:**** calc!WinMain+0x12
    6 e 01001f64 0001 (0001) 0:**** calc!WinMain+0x13
    7 e 01001f67 0001 (0001) 0:**** calc!WinMain+0x16
    8 e 01001f69 0001 (0001) 0:**** calc!WinMain+0x18
    9 e 01001f6a 0001 (0001) 0:**** calc!WinMain+0x19
    10 e 01001f6c 0001 (0001) 0:**** calc!WinMain+0x1b
    11 e 01001f6e 0001 (0001) 0:**** calc!WinMain+0x1d
    12 e 01001f75 0001 (0001) 0:**** calc!WinMain+0x24
    13 e 01001f7b 0001 (0001) 0:**** calc!WinMain+0x2a
    14 e 01001f7d 0001 (0001) 0:**** calc!WinMain+0x2c
    15 e 01001f7f 0001 (0001) 0:**** calc!WinMain+0x2e
    0:000> bc *
    0:000> bl
    0:000> $$>a< c:\setbp.txt calc!WinMain calc!WinMain+8


    0:000> bl
    0 e 01001f51 0001 (0001) 0:**** calc!WinMain
    1 e 01001f56 0001 (0001) 0:**** calc!WinMain+0x5
    Last edited by blabberer; January 14th, 2014 at 15:49.

  4. #19
    Red wine, not vodka! ZaiRoN's Avatar
    Quote Originally Posted by niaren:
    could be to unroll the dispatcher loop or maybe take it one step further by simply inlining the VM handlers (then there is no dispatcher at all)....
    Sooner or later you will be able to recognize specific blocks because a VM is basically a sequence of code blocks. I would not use a VM to protect my program, as far as I've seen it's only able to slow down the reversing process... but it's just my personal opinion
    A mind is like a parachute. It doesn't work if it's not open.

  5. #20
    ::[ Reverse Engineer ]:: OHPen's Avatar
    Hey,

    @ZaiRoN: Come on mate! Are you serious !? ;D Nothing else than VM + obfuscation ( in VM + native ) combined with some nice crypto stuff is the way to go ( if you do not plan to include hardware in your protection ).

    Hehe. Slowing down the Reverse Engineering process !? Sure, that's what it's all about. Look at the game industry, they try to save their ass from release to release by trying to complicate (slow down) the analysis of new games. And as soon as a new game is out, and the previous (version, update) was not cracked in that time frame, they have been successful.

    IMHO, this applies to almost every type of software I think..

    Nevertheless, there is still a lot of space for improvements of common vms today. No question they improved over the years, but they are still not at their end.

    @niaren: Don't listen to ZaiRoN, VMs are good !!!!!! Keep on enhancing your VM ;D

    OHPen
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  6. #21
    Red wine, not vodka! ZaiRoN's Avatar
    @OHPen: we were talking about VM only, you put two more variables to the equation
    A mind is like a parachute. It doesn't work if it's not open.

  7. #22
    ::[ Reverse Engineer ]:: OHPen's Avatar
    @ZaiRoN: Agree, that was unfair, but I couldn't resist, hehe.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  8. #23
    Super Moderator
    @niaren

    this script will set breakpoints from some start address to some end address
    the usual use it with care / no control flow / can set breakpoints in data area warnings apply

    create a script xxx.txt with the following content
    you must have sed (stream editor) in the path for this script to work

    Code:
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) {r $t0 = place; bp @$t0 }
    the script can be run with either of the below syntax

    $$>a< xxx.txt <start address> <end address>

    $$>a< xxx.txt <start address> length

    i also updated the old answer with a copy paste of output

  9. #24
    Quote Originally Posted by blabberer:
    @blabbere
    Thanks blabberer, you're super hardcore
    I have one annoying issue with your script. It seems there is some minor difference in behavior with regards to the .shell command. Take a look at this

    Code:
    0:000> bl
    0:000> .shell -ci "*" type c:\rce\multbp.txt
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) {r $t0 = place; bp @$t0 }.shell: Process exited
    0:000> $$>a<c:\rce\multbp.txt notepad!WinMain notepad!WinMain+8
                   ^ Syntax error in 'r $t0 = .shell:; bp @$t0 '
    0:000> bl
     0 e 0028138d     0001 (0001)  0:**** notepad!WinMain
     1 e 0028138f     0001 (0001)  0:**** notepad!WinMain+0x2
     2 e 00281390     0001 (0001)  0:**** notepad!WinMain+0x3
     3 e 00281392     0001 (0001)  0:**** notepad!WinMain+0x5
     4 e 00281395     0001 (0001)  0:**** notepad!WinMain+0x8
    0:000> .shell -ci "*" type c:\rce\multbp2.txt
    .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } .shell: Process exited
    0:000> $$>a<c:\rce\multbp2.txt notepad!WinMain notepad!WinMain+8
    0028138d
    0028138f
    00281390
    00281392
    00281395
    .shell: Process exited
    I have not found a way to suppress the ".shell: Process exited" message. Do you have an idea why you don't have this problem?

  10. #25
    Quote Originally Posted by ZaiRoN:
    Sooner or later you will be able to recognize specific blocks because a VM is basically a sequence of code blocks. I would not use a VM to protect my program, as far as I've seen it's only able to slow down the reversing process... but it's just my personal opinion
    Hi Zairon, I think I'm on the same page as you are. It should be possible to reverse the VM although it may require some serious effort. How about a VM inside a VM then? If I start thinking about VMs inside VMs I get dizzy

    @OHPen just for the record, it's not my VM!

  11. #26
    Super Moderator
    no you can't avoid the .shell exited message
    in fact i had to use a pseudo register to suppress the misbehaviour of disabling the last breakpoint due to a . (the dot representing the current instruction in ".shell: process exited")

    my initial script was just bp place
    but that misbehaved and disabled the first breakpoint
    so i had to do r $t0 = place ; bp @$t0
    this prevented the misbehaviour and the error is now harmless

    these are some of the windbg quirks that you have to live with or file for a divorce

    Code:
    0:000> .shell  type c:\\setbp.txt
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) { bp place }
    .shell: Process exited
    Press ENTER to continue
    <.shell waiting 1 second(s) for process>
    <.shell process may need input>
    
    0:000> $$>a< c:\\setbp.txt windbg!wmain windbg!wmain+10
    Couldn't resolve error at 'shell: '
    0:000> bl
     0 e 010550f0     0001 (0001)  0:**** windbg!wmain
     1 e 010550f2     0001 (0001)  0:**** windbg!wmain+0x2
     2 e 010550f3     0001 (0001)  0:**** windbg!wmain+0x3
     3 e 010550f5     0001 (0001)  0:**** windbg!wmain+0x5
     4 e 010550fa     0001 (0001)  0:**** windbg!wmain+0xa
     5 e 010550ff     0001 (0001)  0:**** windbg!wmain+0xf
     6 d 7c90120e     0001 (0001)  0:**** ntdll!DbgBreakPoint
    0:000>  .shell  type c:\\setbp.txt
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) { r $t0 = place;bp place }
    .shell: Process exited
    Press ENTER to continue
    <.shell waiting 1 second(s) for process>
    <.shell process may need input>
    
    0:000> bc *
    0:000> bl
    0:000> $$>a< c:\\setbp.txt windbg!wmain windbg!wmain+10
                    ^ Syntax error in ' r $t0 = .shell:;bp .shell: '
    0:000> bl
     0 e 010550f0     0001 (0001)  0:**** windbg!wmain
     1 e 010550f2     0001 (0001)  0:**** windbg!wmain+0x2
     2 e 010550f3     0001 (0001)  0:**** windbg!wmain+0x3
     3 e 010550f5     0001 (0001)  0:**** windbg!wmain+0x5
     4 e 010550fa     0001 (0001)  0:**** windbg!wmain+0xa
     5 e 010550ff     0001 (0001)  0:**** windbg!wmain+0xf
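    As an added illustration of what the script in blabberer's posts above actually feeds to .foreach, and of the quirk discussed in this post, here is a Python model of the sed filter stage. It is not blabberer's script and not a WinDbg command; the `u` output below is a constructed sample (addresses and bytes are made up), with the trailing ".shell: Process exited" line included on purpose so the stray ".shell:" token can be seen. The functions `sed_style_tokens`, `addresses_only` and `bp_commands` are names chosen here.

```python
import re

# Constructed sample of what `.shell -ci "u <start> <end>" sed -e 1d -e s/" ".*//g`
# hands to .foreach: a symbol header line, one disassembly line per instruction,
# and the ".shell: Process exited" line that WinDbg appends when the child exits.
# Addresses and opcode bytes are invented for this example.
SAMPLE_U_OUTPUT = """\
calc!WinMain:
01001f51 8bff            mov     edi,edi
01001f53 55              push    ebp
01001f54 8bec            mov     ebp,esp
01001f56 83ec10          sub     esp,10h
01001f59 53              push    ebx
.shell: Process exited
"""

# 32-bit address, or 64-bit WinDbg form with a backtick in the middle.
HEX_ADDR = re.compile(r"^[0-9a-fA-F]{8}(`[0-9a-fA-F]{8})?$")


def sed_style_tokens(u_output):
    """Mimic `sed -e 1d -e s/" ".*//g`: drop the first (symbol header) line and
    keep only the text before the first space on every remaining line.
    This is exactly the token stream .foreach iterates over, so the final
    ".shell: Process exited" line survives as the token ".shell:"."""
    lines = u_output.splitlines()[1:]
    return [line.split(" ", 1)[0] for line in lines if line]


def addresses_only(tokens):
    """Keep only tokens that look like an address. In the WinDbg script this
    filtering does not happen; the ".shell:" token reaches `bp`, where the
    leading dot is parsed as "current instruction" and produces the syntax
    error shown in the thread (harmless once `r $t0 = place` absorbs it)."""
    return [t for t in tokens if HEX_ADDR.match(t)]


def bp_commands(u_output):
    """Produce the list of `bp <addr>` commands the script would effectively run,
    one per instruction in the disassembled range."""
    return ["bp " + addr for addr in addresses_only(sed_style_tokens(u_output))]


if __name__ == "__main__":
    print("raw tokens seen by .foreach:", sed_style_tokens(SAMPLE_U_OUTPUT))
    for cmd in bp_commands(SAMPLE_U_OUTPUT):
        print(cmd)
```

    Running it shows the five address tokens followed by ".shell:", which is why a plain `bp place` body misbehaves on the last iteration while `r $t0 = place; bp @$t0` only yields a harmless error.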

  12. #27
    Red wine, not vodka! ZaiRoN's Avatar
    How about a VM inside a VM then?
    Well, it's what Athcon_2013's crackme does...
    A mind is like a parachute. It doesn't work if it's not open.
