
Thread: K-Protean v1.0: anti-bpm, anti-bpx, anti-traced, anti-frogsice...

  1. #1
    ZaiRoN (Red wine, not vodka!)
    Join Date: Oct 2001
    Location: Italy
    Posts: 922
    Blog Entries: 17

    K-Protean v1.0: anti-bpm, anti-bpx, anti-traced, anti-frogsice...

    Hi All,
    I have found this interesting crackme and I think it's suitable for this area.

    The crackme package contains 3 files: an exe, a dll and a VxD. As you will have already understood, it's not the usual boring name/serial crackme and, as I said in the title, it has some tricks to make our life hard.

    The two goals of the crackme are:
    - remove a nag
    - write a working keygen

    The algo used by the crackme is very simple, but this is not the aim of the crackme; the aim is to learn how the various tricks work. You will see that the way to reach the name/serial routine is not very easy :-)
    The 3 files are not packed and I have done nearly all the work using only IDA because... you will understand!

    This might be an occasion for most of us to learn how SEH, VxD and some anti-SICE tricks work. For the moment I will not tell you anything else; I hope to see a beautiful project.
    Good luck!!!

    ZaiRoN
    Attached Files

  2. #2
    the_analyst
    Guest
    Hello,

    It's a bit late here, but I'm having a look at this crackme.
    I'm running 2K, I cannot execute it, so I'm disassembling it.

    So far I have seen one piece of the FrogsICE detection code (if there are many, no idea yet), and 2 or 3 parts of the name/serial algo which, as you mentioned, looks pretty straightforward.

    I have seen something strange, but I'm too tired to think at the moment. (2am)

    Regards,

    Analyst

  3. #3
    ZaiRoN
    Hi All,
    I am curious by nature and only wanted to know whether someone is working on this project. Is it too easy, too difficult, too boring?
    What is wrong with it?

    Regards,
    ZaiRoN

  4. #4
    FoolFox
    Guest
    Hello,

    In fact I've had some trouble even making it run... and I didn't
    get so much free time these weeks, so I didn't look for so
    long....

    I work on Windows NT 4.... When I try to run it, it gave
    me: Process32Next entry point could not be found in
    kernel32.dll.....

    So I guess I would need either a W2K or a 98 to run it....

    Regards
    FoolFox

  5. #5
    FoolFox
    Guest
    Hi,

    I'm trying with the dead listing way......ahem.....

    Just out of curiosity, it looks to me like the _chkesp
    function is just there to pass some debug info,
    or does it have something to do with anti-debug?
    (waiting for an error on normal use; the error has to be
    handled to make the soft run correctly??)


    Code:
    00401613 _chkespIfNotNull:                       ; CODE XREF: __chkespj
    00401613   push    ebp
    00401614   mov     ebp, esp
    00401616   sub     esp, 0
    00401619   push    eax
    0040161A   push    edx
    0040161B   push    ebx
    0040161C   push    esi
    0040161D   push    edi
    0040161E   push    offset aTheValueOfEspW ; "The value of ESP was not properly saved"...
    00401623   push    offset unk_420058 ; module name
    00401628   push    2Ah             ; line number in source file
    0040162A   push    offset aI386Chkesp_c ; name of source file
    0040162F   push    1               ; report type
    00401631   call    __CrtDbgReport
    00401636   add     esp, 14h
    00401639   cmp     eax, 1
    0040163C   jnz     short loc_40163F
    0040163E   int     3               ; Trap to Debugger
    0040163F
    Regards
    FoolFox


    I have only formatted the code for a better view.
    Last edited by ZaiRoN; April 4th, 2003 at 04:32.

  6. #6
    ZaiRoN
    Hi FoolFox,
    The chkesp function has nothing to do with the protection routine; it's not an anti-debug trick!
    As suggested by the name, the function checks that esp is valid on function return. The crackme is written using MSVC++ and the compiler lets you use a particular option: /GZ (Enable Stack Frame Run-Time Error Checking). If this option is set, the compiler will add this function after every call.

    Regards,
    ZaiRoN

  7. #7
    evaluator (Musician member)
    Join Date: Sep 2001
    Posts: 1,479
    Blog Entries: 1
    hi there..

    After downloading, I became interested, because it uses a VxD & I expected
    lots of crazy R0 tricks.. but then..
    OK, so this VxD is just needed as a BSOD message box :(

    Then I searched & searched for encryptor/decryptor code.. not found!
    Then I can only guess that the calculation of the sum of input chars is the decryptor??

    IF (Sum of NOMRE's chars) - (Sum of CLAVE's) = 0A9h
    THEN BSOD-registered

    Or maybe there is some ultra-hidden check???
    {Can't believe it, dEar}

    But very interesting is that VXDWriter! Where to find it!?

  8. #8
    FoolFox
    Guest
    Hello ZaiRoN,

    I'm still trying to figure it out using the dead listing approach (missing
    my debugger), and I'm currently trying to locate the anti-debug tricks...

    I've found a call that may be a catch for a breakpoint that
    could be set on GetDlgItemTextA....

    Code:
    0040BF20 loc_40BF20:                             ; DATA XREF: .text:0040C0C7o
    0040BF20                 mov     ecx, dword_4237BC
    0040BF26                 push    ecx
    0040BF27                 call    sub_401005	<- checking if BP set on API GetDlgItemTextA ??
    0040BF2C                 add     esp, 4			(return eax=1 if bp set ??)
    0040BF2F                 test    eax, eax
    0040BF31                 jz      short ReadUserEntry
    0040BF33                 mov     esi, esp

    If that's the case, this could be easily defeated by either
    changing the jz 401430 to jmp short 40142c, or changing the
    mov eax,1 to mov eax,0.....

    Code:
    0040142A                 jz      short loc_401430 
    0040142C                 xor     eax, eax
    0040142E                 jmp     short loc_401435	
    00401430 ; ---------------------------------------------------------------------------
    00401430 
    00401430 loc_401430:                             ; CODE XREF: sub_40101E+40Cj
    00401430                 mov     eax, 1

    I see that loc_401400 saves all registers and makes room on the stack,
    probably trying to check if a trap to debugger is done...

    Code:
    00401400 loc_401400:                             ; CODE XREF: sub_401005j
    00401400                 push    ebp
    00401401                 mov     ebp, esp
    00401403                 sub     esp, 44h
    00401406                 push    ebx
    00401407                 push    esi
    00401408                 push    edi
    00401409                 lea     edi, [ebp+var_44]
    0040140C                 mov     ecx, 11h
    00401411                 mov     eax, 0CCCCCCCCh
    00401416                 repe stosd
    00401418                 mov     esi, [ebp+arg_4]
    0040141B                 mov     ah, 10h
    0040141D                 add     ah, 9
    00401420                 shl     ah, 3
    00401423                 add     ah, 4
    00401426                 mov     al, [esi]
    00401428                 cmp     al, ah
    0040142A                 jz      short loc_401430
    0040142C                 xor     eax, eax
    0040142E                 jmp     short loc_401435

    but I can't figure out how he catches this??

    Regards
    FoolFox

  9. #9
    ZaiRoN
    Hi FoolFox/evaluator,

    FoolFox:
    you are right, he is checking if a bpx has been set on GetDlgItemTextA.
    Look at this:
    Code:
    00401418 mov  esi, [ebp+8] ; esi -> address first byte of the function
    0040141B mov  ah, 10h      ; eax = CCCC10CCh
    0040141D add  ah, 9        ; eax = CCCC19CCh
    00401420 shl  ah, 3        ; eax = CCCCC8CCh
    00401423 add  ah, 4        ; eax = CCCCCCCCh, ah = CCh
    00401426 mov  al, [esi]    ; al = first byte of function GetDlgItemTextA
    00401428 cmp  al, ah       ; al = CCh ?
    0040142A jz   short loc_401430
    0040142C xor  eax, eax     ; bpx not present: eax=0
    0040142E jmp  short loc_401435
    00401430 mov  eax, 1       ; bpx is present: eax=1
    He checks if the first byte of the GetDlgItemTextA routine is CCh. This byte is CCh if you have put a bpx on that function.

    evaluator:
    your analysis is correct. I know that it's too easy for you, but don't you think it might be interesting for people with less experience?

    Regards,
    ZaiRoN
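The bpx check ZaiRoN walks through above, written out as an added C example (not code from the thread or from the crackme). It mirrors the listing at 0040141B-00401430: the INT3 opcode (CCh) is assembled arithmetically in an 8-bit register instead of appearing as an immediate, then compared with the first byte of the target routine. The prologue bytes are constructed sample input, not bytes taken from GetDlgItemTextA, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rebuild the marker the way the crackme does: 10h + 9 = 19h,
 * 19h << 3 = C8h, C8h + 4 = CCh. Done in an 8-bit variable so any
 * carry is dropped, exactly as it would be in AH. */
uint8_t build_marker(void)
{
    uint8_t ah = 0x10;   /* mov ah, 10h */
    ah += 9;             /* add ah, 9   */
    ah <<= 3;            /* shl ah, 3   */
    ah += 4;             /* add ah, 4   -> CCh, the INT3 opcode */
    return ah;
}

/* Returns 1 if the first byte of the routine looks like a software
 * breakpoint (INT3), 0 otherwise. 'fn' points at the first byte of
 * the routine, the role ESI plays in the listing. */
int bpx_present(const uint8_t *fn)
{
    if (fn == NULL)
        return 0;
    return fn[0] == build_marker() ? 1 : 0;
}

/* Constructed sample bytes (hypothetical, not from the crackme): a
 * typical stack-frame prologue (push ebp / mov ebp,esp / sub esp,10h),
 * and the same bytes after a debugger has written INT3 over the
 * first instruction. */
static const uint8_t clean_prologue[]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
static const uint8_t patched_prologue[] = { 0xCC, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

int main(void)
{
    printf("marker = %02Xh\n", build_marker());
    printf("clean prologue:   bpx_present = %d\n", bpx_present(clean_prologue));
    printf("patched prologue: bpx_present = %d\n", bpx_present(patched_prologue));
    return 0;
}
```

The point of splitting the constant into four register operations is that a plain search of the disassembly for the immediate CCh finds nothing; an analyst has to follow the AH arithmetic, as ZaiRoN did, to see that the comparison is against the INT3 opcode.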

  10. #10
    FoolFox
    Guest
    Thanks ZaiRoN,

    much clearer now

    Regards
    FoolFox

  11. #11
    ZaiRoN
    Hi,
    I have found the solution I wrote some time ago for the crackme site.
    It's only a final explanation; if someone has solved the crackme in a different way, he (she) can post his solution and/or criticize mine :-)

    Ciao,
    ZaiRoN
    Attached Files
