Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.
To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.
The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.
All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.
Crack me help
Thanks to blabberer and kayaker! That's my intention, to learn by trying. The hard thing is to find the right point in the tons of code, so the hints for "look at xxxxxx" and the thing with the SETE are helpful, that's exactly what I'm looking for! Changing a register flag at some position, but the lot of jumps and rtn. confuse me (like a ping-pong game).
Hm, there are some SETE opcodes... hm, I suspect one of them enables the grayed-out "next" button.
I will check this.
Thank you for the opcode map! Also found a good web page with detailed opcode descriptions.
blabberer wrote:
@niaren the address does not hold hashed output, take a look again, and for the start of the hash you are off by another 4 bytes
look at crackZ's hint, a very superb hint there (i just latched into it that is all)
i didn't do anything except finding out who calls the function and then latch into kayaker's second hint of one byte patch

Hi blabberer,
What I meant was that in general, if you take any address you see in the debugger and it's in the heap somewhere, then I'm unsure whether it is straightforward to decompose it into base + offset like you did in the windbg command... the reason I'm asking is that there could be a vast number of memory allocations and deallocations in a program.
For the setup.exe there is an alternative (and also easy) way to get to the interesting code, as shown by crackz. IDA shows two references to GetWindowTextA. The one at 00408851 is the most interesting. Setting a BP there (windbg will break immediately) and stepping out once (gu), we land here:
[ATTACH]2885[/ATTACH]
Unfortunately, I have spent a couple of hours trying to work out the keygen both in assembly and in Octave. Unless I have made some bugs (which is most likely
This script generates 3000+ valid keys.
The first key generated is: [email protected]:K0
The last key generated is: OX4SGJIKLX<1=:0RU?1<H?K
Many more keys can be generated if the range of input chars is expanded.
Code:
% Memory dump of the target hash as seen in windbg (length dword, then the string):
%00992698 17 00 00 00 50 58 31 51 47 ....PX1QG
%009926a1 54 54 45 55 3c 53 37 3f 3c TTEU<S7?<
%009926aa 39 54 34 33 33 38 37 4d 33 9T43387M3
hash = {'50', '58' '31' '51' '47' '54' '54' '45' '55' '3c',...
        '53' '37' '3f' '3c' '39' '54' '34' '33' '33' '38' '37' '4d' '33'};
hash2 = hex2dec(hash);       % target hash as byte values
Nkeys = 0;
L = 23;                      % key length (0x17 from the length dword)
minkey = 48;                 % '0'
maxkey = 90;                 % 'Z'
key = minkey*ones(1,L);      % current candidate key
accs = zeros(1,L);           % accumulator value entering each position
i = 1;
M = 2^32;
% depth-first search: position i is only extended when its hash byte matches
while (i > 0 && i <= L)
    Li = L - i;
    acc = accs(i);
    c = key(i);
    t = rem(acc*Li, M);
    acc = rem(acc + t, M) + c;
    y = rem(acc*c, M) + i;
    % fold the output byte into the printable range '0'..'Z'
    y = rem(y, 90);
    if (y < 48)
        y = y + 48;
    end
    while (y < 48 || y > 90)
        y = rem(y, 90);
        if (y < 48)
            y = y + 48;
        end
    end
    if (y == hash2(i) && i < L)
        % match: descend to the next position with the updated accumulator
        i = i + 1;
        accs(i) = acc;
    else
        if (y == hash2(i))
            % match at the last position: a complete valid key
            Nkeys = Nkeys + 1;
            disp(char(key));
        end
        % advance position i; carry into earlier positions on overflow
        key(i) = key(i) + 1;
        while (i > 0 && key(i) > maxkey)
            key(i) = minkey;
            i = i - 1;
            if (i > 0)
                key(i) = key(i) + 1;
            end
        end
    end
end
Nkeys
Hi blabberer,
Code:
:\>windbg -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe
Code:
bp KERNEL32!VirtualAlloc;g;
Set a BP on that function and let the debugger run. Somehow you found out that the first call to this function allocates the memory (for the program instance or some other large object) that contains the target hash string. We need to save the address returned here in order to set a BP on the VA of some byte in the target hash string.
Code:
gu;
Let VirtualAlloc return; eax holds the base address of the allocated memory.
Code:
bc *;
Clear all BPs, we need no further breaks on VirtualAlloc.
Code:
r $t1= @eax+26a0;
Store the VA of some byte in the target hash string into the pseudo register $t1. We need to store this address because it is used to set a BP.
Code:
ba w1 @$t1;g;
Set a BP which will stop the debugger when the byte at the address in register $t1 is written to. I don't know why, but it seems that windbg also accepts this command as "ba w1 $t1" without the @ in front of $t1. Also windbg will break at exactly the same place if the BP is written "ba w4 @$t1;" with dword access. Then make the debugger run. The debugger will break at address 403cc8 inside some LStrSetLength function. Eax holds the start address of the target hash string, which is offset 269c. Offset 26a0 is thus the 4th byte of the string.
Code:
db @eax
Dump the memory (byte-wise) starting at offset 269c. It will show the first 3 characters of the target hash string.
Code:
bc *;
Clear all BPs again.
Code:
ba r1 @$t1-8;g;g;
Set a BP which will stop the debugger when the byte at offset 2698h is read. The length of the target hash string is stored in this dword. I guess the idea of setting a read BP here is that when the program is going to compare the target hash string to the input hash string this BP is hit. Then make the debugger run. The first time the debugger stops it is at address 403928 inside some LStrCat function. The second time the debugger stops it is at address 403cc4 inside the LStrSetLength function.
Code:
bd *;
Disable all BPs.
Code:
db esi
esi does not contain a valid address at this moment, so this command will show a bunch of question marks. Pressing g one or two additional times, esi contains a valid address near the target hash string and a part of the target hash string is shown in the memory dump.
Code:
? ('V'*'V'+1)%'Z'+30
Clearly you know how the program computes the hash from the input. The command ? means that windbg is running the command in 'calculator mode' instead of in 'command mode'. If the first char in the input is 'V' this expression gives the first char in the hash string. However, 'V' is not an acceptable first char in the input in my setup. Could it be that the crackme expects different keys when run on different machines?


TB10 wrote:
Definitely not, the password is always the same, no matter on what computer system the crackme runs; that's one of the few things I know about, and it is built with "Smart Install Maker", I found out.

It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF. Maybe you can check if you read the same string at that address in your setup.exe.
[ATTACH]2886[/ATTACH]
By the way, is it possible that you can reveal where you got the crackme from?
Kayaker wrote:
Keygenning in Matlab niaren? That's different!

Hi Kayaker, I almost fell off my chair laughing when I saw your comment.
From blabberer's post I learned about the ? command. That is very interesting, because I also saw that it supports loops. Then maybe it is possible to keygen in windbg.

CrackZ wrote:
I concur entirely with niaren. An interesting exercise might be to narrow the range of valid input chars to just the alphanumeric set; a look through the valid results might uncover the author's actual password as opposed to those that work ;-).

Hi CrackZ, I did try that but have not found anything obvious. Constraining the valid input chars to the alphanumeric set including lower and upper letters ([0-9A-Za-z]), the keygen generates more than 7,000,000 possible keygens.
Considering only lower letters ([a-z]) the keygen produces 6 possible keys:
whdklposvbnaazjdqscrzua
whdklposvbnaazjdqscrzui
whdklposvbnaazjdqscrzup
whdklposvbnaaztrwwttzua
whdklposvbnaaztrwwttzui
whdklposvbnaaztrwwttzup
Considering only upper letters, or upper letters in combination with digits, the keygen is not able to generate any valid keys. Dunno what else to try..
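Added example, not code from this thread: the hash round from niaren's Octave script above, reimplemented in Python with the key length taken from the input, plus the same depth-first search restricted to a chosen alphabet (the lowercase run above). The target hash and the six lowercase keys are the ones quoted in this thread; the function names are my own.

```python
import string

M = 2 ** 32
LO, HI = 48, 90   # '0'..'Z': the window the Octave script folds each output byte into
# target hash string read from the crackme, and the six lowercase keys, as quoted in this thread
TARGET = "PX1QGTTEU<S7?<9T43387M3"
LOWER_KEYS = ["whdklposvbnaazjdqscrzua", "whdklposvbnaazjdqscrzui",
              "whdklposvbnaazjdqscrzup", "whdklposvbnaaztrwwttzua",
              "whdklposvbnaaztrwwttzui", "whdklposvbnaaztrwwttzup"]

def fold(y):
    """Reduce y into LO..HI exactly as the Octave script does."""
    y %= 90
    if y < LO:
        y += LO
    while y < LO or y > HI:      # only taken when y + LO overshoots 'Z'
        y %= 90
        if y < LO:
            y += LO
    return y

def hash_round(acc, c, i, length):
    """One round for input byte c at 1-based position i of a key of the given length;
    returns the accumulator for the next round and this position's output byte."""
    t = (acc * (length - i)) % M
    acc = (acc + t) % M + c      # c is added after the modulo, as in the script
    return acc, fold((acc * c) % M + i)

def crackme_hash(key):
    """Hash a whole key; the key length enters every round."""
    acc, out = 0, []
    for i, ch in enumerate(key, start=1):
        acc, y = hash_round(acc, ord(ch), i, len(key))
        out.append(chr(y))
    return "".join(out)

def search_keys(target, alphabet=string.ascii_lowercase):
    """Depth-first search: a prefix is extended only while its output matches target."""
    length, found = len(target), []
    def extend(i, acc, prefix):
        if i > length:
            found.append(prefix)
            return
        for ch in alphabet:
            acc2, y = hash_round(acc, ord(ch), i, length)
            if chr(y) == target[i - 1]:
                extend(i + 1, acc2, prefix + ch)
    extend(1, 0, "")
    return found
```

Because each output byte depends only on the prefix, the search prunes per character and the lowercase run finishes in well under a second.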
niaren wrote:
It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF

Bingo! That's the ENCRYPTED password! Sorry, unfortunately I do not remember exactly the address where I got this crackme, buuuut I simply tried the tool with which it was created, the "Smart Install Maker", a nice program to create installers. So I built one exe with my own password to look at the same position in a hex editor, and found that it really shows the encrypted password (just tried to change the LENGTH of it to compare). So, next step, I simply copied the password of my own exe to the crackme (and replaced the original), the length MUST be equal in the hex editor, and tried my luck, and it works fine!
Ok, that's indeed not a really smart reverser solution, but easy for a newbie, and a good learning step. But it interests me how the encryption works, and is there a way to decrypt that thing in ollydbg (or other)? It seems that the encryption algorithm is not randomized, that means, for example, 123 always results in the same encrypted letters, but it depends on the whole combination of the password, not on single letters.
The keygen stuff sounds interesting, but how can that work on custom (not generated) passwords?
I've created the screenshot as PNG but the upload manager changed it to (bad) JPEG.

@niaren
nice to see you crack the windbg encryption

you use @ in windbg when playing with registers or pseudo registers to eliminate symbol resolving time
windbg interprets @Ecx as pointing to register ECX, not to some symbol named ecx. many a times you can get away with $t1, but once in a while it will bite you and start loading an infinite no of symbols and download an infinite number of pdbs, and then will print out the error "symbol ecx not resolved"
iirc this behaviour is documented, i think, but i made it a habit to do poi(@ecx) poi(@esp+4) instead of poi(eax)
yes you can keygen in windbg

as to resolving to base+offset, yes it should hold true if you break and trap the return
just let loose L = 23 in your script

for starters this password
Code:
CX2g!F%q9&gf6R1D11ssdr4442222222226
should get you the first 8 of the hash constantly
Code:
EAX 009B40F4 ASCII "PX1QGTTEO>:0ERPZHY7C36UVI<3L3R;>YN="
ECX 00000000
EDX 009926A8 ASCII "PX1QGTTEU<S7?<9T43387M3"
@niaren there is a typo, the address should be 26b0 and not 26A0
when you run the command windbg should print the first 8 letters of the hardcoded hash and continue till you input a letter in the edit box
when you enter a letter it should dump the result as well as the answer for the expression
'V' is just a letter; if you input C in the edit box windbg should show you the dump and answer like below, corresponding to the first letter
Code:
Processing initial command 'bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g'
0:000> bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g
Breakpoint 0 hit <------ valloc break
Breakpoint 0 hit <------ ba w1 break
009926a8 50 58 31 51 47 54 54 00-00 00 00 00 00 00 00 00 PX1QGTT.........
009926b8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009926c8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009926d8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009926e8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009926f8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00992708 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00992718 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
Breakpoint 0 hit <------ ba r1 break and continue with g to start running the crackme;
Breakpoint 0 hit <------ ba r1 second break when you input a character in edit box
009b40c4 50 00 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00 P.....A...A.4?..
009b40d4 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009b40e4 00 00 00 00 00 00 00 00-00 00 00 00 20 9e 40 00 ............ .@.
009b40f4 00 00 00 00 00 00 00 00-00 00 00 00 00 80 01 00 ................
009b4104 00 01 00 00 00 00 00 00-00 00 ff ff ff ff 00 00 ................
009b4114 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
009b4124 00 00 00 00 00 00 00 00-00 00 00 00 f8 b5 41 00 ..............A.
009b4134 f8 b5 41 00 cc 3e 00 00-30 00 00 00 01 00 01 00 ..A..>..0.......
Evaluate expression: 128 = 00000080
if you want to test the generation and try your hand at bruteforcing till you can keygen
put this in a txt file and run windbg like this
Code:
windbg -c "$$>a< setuppw.txt" Setup.exe
here are the commands
Code:
bp /1 KERNEL32!VirtualAlloc;
g;
gu;
r $t1= @eax+26b0;
ba w1 /1 @$t1;
g;
r $t2 = @eax;
db @$t2;
ba r1 @$t1-8;
g;
g;
bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";
g;