Results 1 to 15 of 27

Thread: PatchMe / KeygenMe

Hybrid View

  1. #1

    PatchMe / KeygenMe

    Here is a crackme. It is not really mine as it is composed of 'stuff' taken from this forum.
    As I'm not an experienced reverser I have no idea how difficult it is. I guess it is easy to patch but I think it will be more difficult to make a keygen (except for blabberer...doh that was my first hint )
    CrackMe.zip

  2. #2
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Nice one niaren! The heart of it reminds me of a certain conference RE Challenge from this Spring that was mentioned here, and which one of our members posted a nice explanation for, that should be obscure enough...

    Oh yes, this looks fun and challenging
    In fact, I think patching would be more difficult than keygenning...

  3. #3
    hi kayaker I tried to open up the file in IDA and I was surprised to see how much code visual studio inserts into the executable. The source code (build with VS2010) consists of quite few lines of code but the exe file is huge compared to that. So VS2010 does a very good job of providing a first layer of obfuscation/obscurity The code that I know of starts at VA 0x401000 all the code executed from the entry point to that address is something visual studio is responsible fore.

    I'm not sure which conference you're referring to

  4. #4
    Quote Originally Posted by Kayaker View Post
    In fact, I think patching would be more difficult than keygenning...
    I have thought about this and maybe you are indeed correct. This must mean you already know what have been done
    I thought about keygenning as 'fishing' out the true code and build the keygen using that but maybe your suggestion is simpler.
    I will try to see if I can find a patch later, not even sure how many bytes need to be patched.
    I would like to ask you a question but will wait a couple of days just in case others want to have a look. Then I can also disclose how the exe was made.

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    I tried to open up the file in IDA and I was surprised to see how much code visual studio inserts into the executable.
    it is called c runtime support code aptly named WinMainCrtStartUp (source code for that is available with your visual studio setup (look for crtexe.c)
    it sets up console / exception / tls / exit / heap / garbage collectors / constructors / destructors /terminate handlers etc and calls WinMain or wmain which is the code you wrote and when your code returns cleans up and returns back to system it is quiet standard and for the trained eye th complete code will be neglected in one go so no obfuscation there

    the byte comparison and vm like code gen is good

  6. #6
    Thanks blabblerer! If you just knew how many times I have landed in this crtexe.c file whenever debugging in Visual Studio..and despite of this it has never occured to me that the code in that file is build into my application. I will definately google that file and learn more about its functionality. Then I can also find out if it is possible to stop visual studio from linking crtexe into the exe.

    hehe, I think you know what is going on. Can you show a valid key
    I found that this post/blog http://www.woodmann.com/forum/entry.php?167-VMprotect-VM_logic-%28in-v1-8-demo%29 seems very similar to what is going on in the crackme...that is a very strong hint!

  7. #7
    Quote Originally Posted by Kayaker View Post
    In fact, I think patching would be more difficult than keygenning...
    Hi kayaker, is it possible that you can tell exactly what made you first conclude that this is VM? To a trained eye I guess it is obvious but I'm just curious to learn what first got you thinking that this is VM?
    Did it just 'stink' of VM from the beginning?
    Was it the dispatcher loop from 40C3F2 to 40C41E that revealed the VM?
    Was it some particular call flow or special instruction sequence?

    It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
    If the byte at file offset 7DDF is changed from C3->C0 any key of length 23 is accepted.

  8. #8
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    can a virtual patch be called patching ?

    Attachment 2899
    Attached Images Attached Images  

  9. #9
    Red wine, not vodka! ZaiRoN's Avatar
    Join Date
    Oct 2001
    Location
    Italy
    Posts
    922
    Blog Entries
    17
    In fact, I think patching would be more difficult than keygenning...
    Imho, not this time. Understanding the protection routine is quite easy but a patch on the fly is really easy.

    The dispatcher loop is always a good tip in a VM recognition process!
    The VM is easy, it has few specific instructions and it's able to emulate x86 instructions.

    It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
    It's possible to register the crackme with any 23 bytes length serial patching a single byte of the original exe, you only have to understand VM bytecode 0x00.

    Offset 0x7DDF contains the single byte check and... good luck
    A mind is like a parachute. It doesnt work if it's not open.

  10. #10
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    That was a very cool minimalist VM I managed to make a 1 byte patch like ZaiRoN did and might look into keygenning if I have time after lunch.

    Cheers!

    -rendari

  11. #11
    Quote Originally Posted by ZaiRoN View Post
    The dispatcher loop is always a good tip in a VM recognition process!
    One way to maybe add in some initial confusion if the VM'ed code is not huge or time critical etc could be to unroll the dispatcher loop or maybe take it one step further by simply inlining the VM handlers (then there is no dispatcher at all)....


    Quote Originally Posted by ZaiRoN View Post
    It's possible to register the crackme with any 23 bytes length serial patching a single byte of the original exe, you only have to understand VM bytecode 0x00.
    Offset 0x7DDF contains the single byte check and... good luck
    I can see from the link that kayaker provided that you have done some serious VM reversing! I'm personally impressed that you could determine the purpose of the 00 opcode/bytecode so quickly. It took me half a day looking at the source to figure out exactly how that handler worked. for quite some time I thought that most of the instructions in that handler were garbage...

    Another 'attack' point of VMs is that there must be two handlers, one handler that transform the X86 state to VM state and vice versa.

  12. #12
    Quote Originally Posted by blabberer View Post
    can a virtual patch be called patching ?
    That is another very nice windbg command
    bp 40c32a ".if( (wo(40c32d)==c33a) ) {bp /1 40c32f \"r @al,@bl;r zf = 1;gc\";gc} .else {gc}";

    bp 40c32a
    First set a conditional break on the address right before the VM is going to execute the cmp instruction

    .if( (wo(40c32d)==c33a) ) .else {gc}";
    only break if the instruction to be executed is cmp al,bl

    "bp /1 40c32f" ;gc
    if the instruction is the cmp al,bl then set a one-time BP on the instruction right after the cmp al,bl instruction and continue

    r @al,@bl;r zf = 1;gc
    when windbg breaks at 40c32f, print out the contents of al and bl registers and force zero flag to be set such that the keygen computation continues.

    This part of the command bp /1 40c32f \"r @al,@bl;r zf = 1;gc is slightly confusing
    There is a gc at the end but is that because the 'outer' BP is a conditional BP? it also works if it is just g....

    blabberer, do you know if it possible to set breakpoints on all instructions from some start address to some end address, programatically in windbg? I've tried to google but have not found out if it is possible. It is possible to set BPs on multiple functions at a time by using wildcards.

  13. #13
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    Quote Originally Posted by niaren View Post

    bp 40c32a
    First set a conditional break on the address right before the VM is going to execute the cmp instruction
    the cmp al,bl is generated on the fly so cant set bp on exact address as it will always be overwitten
    so bp is set on stable address few bytes above Self modifying code


    This part of the command bp /1 40c32f \"r @al,@bl;r zf = 1;gc is slightly confusing
    There is a gc at the end but is that because the 'outer' BP is a conditional BP? it also works if it is just g....
    both bps are conditional breakpoints

    inner bp is an one time conditional bp (there is no explicit condition but a command needs to be executed on break so it is an implicit conditional break)
    commmand executed prints al,bl and sets the zf flag so needs to go from condition
    outer bp checks for cmp al,bl and on success sets a bp so needs to go from condition
    blabberer, do you know if it possible to set breakpoints on all instructions from some start address to some end address, programatically in windbg? I've tried to google but have not found out if it is possible. It is possible to set BPs on multiple functions at a time by using wildcards.
    what do you mean by programmatically ? writing a debugger extension ?
    if yes then i think you can code something thats simply start disassembling to find the lenght of instruction
    and set bps succesively on each instruction

    if it is from windbg command line i havent needed it yet so havent thought of anything
    now that you ask ill update this thread if i find a hack that sets bps from 401000 to 401010
    like
    bp 401000
    bp 401005
    bp 401006
    bp 40100d
    quit


    update

    here is a hack that sets breakpoints on 10 instruction / 2 instructions in winxp sp3 calc.exe
    sed should be available in environment path for this to work

    [code]
    0:000> bl
    0:000> .shell type c:\setbp.txt
    Code:
    .foreach ( place {  .block  { .shell -ci "u ${$arg1} ${$arg2}"  sed -e 1d -e s/" ".*//g } }  ) {r $t0 = place; bp @$t0 }
    0:000> $$>a< c:\setbp.txt calc!WinMain l10

    0:000> bl
    0 e 01001f51 0001 (0001) 0:**** calc!WinMain
    1 e 01001f56 0001 (0001) 0:**** calc!WinMain+0x5
    2 e 01001f5b 0001 (0001) 0:**** calc!WinMain+0xa
    3 e 01001f61 0001 (0001) 0:**** calc!WinMain+0x10
    4 e 01001f62 0001 (0001) 0:**** calc!WinMain+0x11
    5 e 01001f63 0001 (0001) 0:**** calc!WinMain+0x12
    6 e 01001f64 0001 (0001) 0:**** calc!WinMain+0x13
    7 e 01001f67 0001 (0001) 0:**** calc!WinMain+0x16
    8 e 01001f69 0001 (0001) 0:**** calc!WinMain+0x18
    9 e 01001f6a 0001 (0001) 0:**** calc!WinMain+0x19
    10 e 01001f6c 0001 (0001) 0:**** calc!WinMain+0x1b
    11 e 01001f6e 0001 (0001) 0:**** calc!WinMain+0x1d
    12 e 01001f75 0001 (0001) 0:**** calc!WinMain+0x24
    13 e 01001f7b 0001 (0001) 0:**** calc!WinMain+0x2a
    14 e 01001f7d 0001 (0001) 0:**** calc!WinMain+0x2c
    15 e 01001f7f 0001 (0001) 0:**** calc!WinMain+0x2e
    0:000> bc *
    0:000> bl
    0:000> $$>a< c:\setbp.txt calc!WinMain calc!WinMain+8


    0:000> bl
    0 e 01001f51 0001 (0001) 0:**** calc!WinMain
    1 e 01001f56 0001 (0001) 0:**** calc!WinMain+0x5
    Last edited by blabberer; January 14th, 2014 at 15:49.

  14. #14
    The crackme was formed in two stages. First the raw/original crackme source file (see below) was build using VS2010 pro. The heart of the crackme is the keygen computation which was outright stolen from blabberer in this thread http://www.woodmann.com/forum/showthread.php?15414-Crack-me-help. That is the inline asm part in the source file. In the second stage the inline asm part was VM'ed by 'VMLite' (don't know its real name) as provided here http://www.woodmann.com/forum/showthread.php?15276-x86-Code-Virtualizer-Src.

    I don't think it caused any problems to you but I manually renamed the added section (the one with the opcodes) .reloc

    crackme.c.zip
    (just remove the .zip part of filename)

Similar Threads

  1. New KeygenMe: Darkelf KeygenMe #2
    By Darkelf in forum Mini Project Area
    Replies: 0
    Last Post: July 20th, 2012, 16:20
  2. Just a KeygenMe...
    By Darkelf in forum Mini Project Area
    Replies: 18
    Last Post: February 29th, 2012, 19:56
  3. ARTeam: Bypass the Obfuscation scheme of Benladan's PatchMe v1.1
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: December 21st, 2009, 10:35
  4. Easy KeygenMe !!
    By kami13x in forum Mini Project Area
    Replies: 17
    Last Post: March 7th, 2006, 20:54
  5. My New KeygenMe --- Give it a try ;-)
    By GodsJiva in forum Mini Project Area
    Replies: 27
    Last Post: September 1st, 2002, 18:30

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •