Welcome to the new Woodmann RCE Messageboards Regroupment

Crack me help

TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

Thanks to blabberer and Kayaker! That's my intention, to learn by trying. The hard thing is to find the right point in the tons of code, so the hints like "look at xxxxxx" and the thing with the SETE are helpful; that's exactly what I'm looking for: changing a register flag at some position, but the lot of jumps and RTNs confuses me (like a ping-pong game).
Hm, there are some SETE opcodes... hm, I suspect one of these enables the grayed-out "Next" button.
I will check this.

Thank you for the opcode map! I also found a good web page with detailed opcode descriptions.
Aimless
Senior Member
Posts: 869
Joined: Thu Sep 13, 2001 3:11 am

Post by Aimless »

Kayaker wrote:
btw, excellent resolution on the PNG file blabberer. Reverser was bang on! We need to enforce that somehow :)

Nooooo.....!!!! Et Tu, Brutus????

What then happens to my jpgs? My preciousssss.s.s......

Have Phun
Blame Microsoft, get l337 !!
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote: @niaren the address does not hold hashed output, take a look again, and for the start of the hash you are off by another 4 bytes.
Look at CrackZ's hint, a very superb hint there (I just latched onto it, that is all).
I didn't do anything except finding out who calls the function and then latching onto Kayaker's second hint of a one-byte patch.
Hi blabberer,
What I meant was that, in general, if you take any address you see in the debugger and it's in the heap somewhere, then I'm unsure whether it is straightforward to decompose it into base + offset like you did in the windbg command. The reason I'm asking is that there could be a vast amount of memory allocations and deallocations in a program.

For the setup.exe there is an alternative (and also easy) way to get to the interesting code, as shown by CrackZ. IDA shows two references to GetWindowTextA. The one at 00408851 is the most interesting. Setting a BP there (windbg will break immediately) and stepping out once (gu), we land here:

[Attachment: idaview.png]

Unfortunately, I have spent a couple of hours trying to work out the keygen both in assembly and in Octave. Unless I have made some bugs (which is most likely :p), it seems that no input string can map to the expected hash string :sneaky:
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

This script generates 3000+ valid keys

Code:

% Target hash as dumped from memory (length dword 0x17 = 23 at 00992698):
%00992698 17 00 00 00 50 58 31 51 47  ....PX1QG
%009926a1 54 54 45 55 3c 53 37 3f 3c  TTEU<S7?<
%009926aa 39 54 34 33 33 38 37 4d 33  9T43387M3

hash = {'50' '58' '31' '51' '47' '54' '54' '45' '55' '3c', ...
        '53' '37' '3f' '3c' '39' '54' '34' '33' '33' '38' '37' '4d' '33'};
hash2 = hex2dec(hash);          % target hash as a vector of char codes

Nkeys = 0;
L = 23;                         % key length (must equal the hash length)
minkey = 48;                    % '0' -- lowest input char tried
maxkey = 90;                    % 'Z' -- highest input char tried
key  = minkey*ones(1,L);        % current candidate key
accs = zeros(1,L);              % accumulator value entering position i
i = 1;
M = 2^32;                       % the crackme works in 32-bit arithmetic
while (i > 0 && i <= L)
    Li = L - i;
    acc = accs(i);
    c = key(i);
    t = rem(acc*Li, M);
    acc = rem(acc + t, M) + c;
    y = rem(acc*c, M) + i;
    % fold the result into the printable range '0'..'Z' (48..90)
    y = rem(y, 90);
    if (y < 48)
        y = y + 48;
    end
    while (y < 48 || y > 90)
        y = rem(y, 90);
        if (y < 48)
            y = y + 48;
        end
    end

    if (y == hash2(i))
        if (i == 23)
            % full match: print the key, then move on to the next last char
            Nkeys = Nkeys + 1;
            disp(char(key))
            key(i) = c + 1;
            % carry the overflow back through earlier positions
            while (i > 0 && key(i) > maxkey)
                key(i) = minkey;
                i = i - 1;
                if (i > 0)
                    key(i) = key(i) + 1;
                end
            end
        else
            % this char matches: descend to the next position
            i = i + 1;
            accs(i) = acc;
        end
    else
        % no match: advance this char, backtrack when the range is exhausted
        key(i) = c + 1;
        while (i > 0 && key(i) > maxkey)
            key(i) = minkey;
            i = i - 1;
            if (i > 0)
                key(i) = key(i) + 1;
            end
        end
    end
end
Nkeys
The first key generated is:[email protected]:K0
The last key generated is: OX4SGJIKLX<1=:0RU?1<H?K

Many more keys can be generated if the range of input chars is expanded.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Hi blabberer,

Code:

:\>windbg  -c "bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26a0;ba w1 @$t1;g;
db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('V'*'V'+1)%'Z'+30;g" Setup.exe

Code:

bp KERNEL32!VirtualAlloc;g;
Set a BP on that function and let the debugger run. Somehow you found out that the first call to this function allocates the memory (for the program instance or some other large object) that contains the target hash string. We need to save the address returned here in order to set a BP on the VA of some byte in the target hash string.

Code:

gu;
Let VirtualAlloc return; eax holds the base address of the allocated memory.

Code:

bc *;
Clear all BPs; we need no further breaks on VirtualAlloc.

Code:

r $t1= @eax+26a0;
Store the VA of some byte within the target hash string in the pseudo-register $t1. We need to store this address because it is used to set a BP.

Code:

ba w1 @$t1;g;
Set a BP which will stop the debugger when the byte at the address in register $t1 is written to. I don't know why, but it seems that windbg also accepts this command as "ba w1 $t1", without the @ in front of $t1. Also, windbg will break at exactly the same place if the BP is written "ba w4 @$t1;" with dword access. Then make the debugger run. The debugger will break at address 403cc8 inside some LStrSetLength function. Eax holds the start address of the target hash string, which is at offset 269c; offset 26a0 is thus the 4th byte of the string.

Code:

db @eax
Dump the memory (byte-wise) starting at offset 269c. It will show the first 3 characters of the target hash string.

Code:

bc *;
Clear all BPs again.

Code:

ba r1 @$t1-8;g;g;
Set a BP which will stop the debugger when the byte at offset 2698h is read. The length of the target hash string is stored in this dword. I guess the idea of setting a read BP here is that this BP is hit when the program is going to compare the target hash string to the input hash string. Then make the debugger run. The first time the debugger stops, it is at address 403928 inside some LStrCat function. The second time, it is at address 403cc4 inside the LStrSetLength function.

Code:

bd *;
Disable all BPs.

Code:

db esi
esi does not contain a valid address at this moment, so this command will show a bunch of question marks. After pressing g one or two additional times, esi contains a valid address near the target hash string and a part of it is shown in the memory dump.

Code:

? ('V'*'V'+1)%'Z'+30
Clearly you know how the program computes the hash from the input :) The command ? means that windbg runs the expression in 'calculator mode' instead of 'command mode'. If the first char in the input is 'V', this expression gives the first char in the hash string. However, 'V' is not an acceptable first char in the input in my setup. Could it be that the crackme expects different keys when run on different machines? :thinking:
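The rule just evaluated for 'V', and the full per-position loop that niaren's Octave script earlier in the thread brute-forces, ported to Python as an added example (not code from any post here): hash_key replays the accumulate-and-fold rounds, verify_key is the comparison the crackme makes against the dumped target, and keygen is the same depth-first search over a chosen alphabet. The target string and the '0'..'Z' fold range come from the thread; the windbg one-liner applies only a single rem/add, which is why it can return values such as 128 that the script folds again.

```python
TARGET = "PX1QGTTEU<S7?<9T43387M3"   # 23-char hash dumped at 009926a8 in this thread
M = 2 ** 32                          # the crackme accumulates in 32-bit arithmetic
LO, HI = ord('0'), ord('Z')          # 48..90: every hash char is folded into this range

def fold(y):
    """Squeeze y into '0'..'Z' as the Octave script does: rem 90, +48 if low, repeat."""
    y %= HI
    if y < LO:
        y += LO
    while y < LO or y > HI:
        y %= HI
        if y < LO:
            y += LO
    return y

def step(acc, c, i, L):
    """One round for char code c at 1-based position i of an L-char key;
    returns the new accumulator and the hash char code it yields."""
    acc = (acc + (acc * (L - i)) % M) % M + c
    return acc, fold((acc * c) % M + i)

def hash_key(key):
    """Hash a candidate key into its printable hash string (same length as key)."""
    acc, out = 0, []
    for i, ch in enumerate(key, 1):
        acc, y = step(acc, ord(ch), i, len(key))
        out.append(chr(y))
    return "".join(out)

def verify_key(key, target=TARGET):
    """The check the crackme performs: same length and same hash as the target."""
    return len(key) == len(target) and hash_key(key) == target

def keygen(alphabet, target=TARGET):
    """Depth-first search: a char survives at position i only if its output equals
    target[i-1], so the tree stays tiny. This is the search the Octave script runs."""
    found = []

    def descend(prefix, acc, i):
        if i > len(target):
            found.append(prefix)
            return
        for ch in alphabet:
            nacc, y = step(acc, ord(ch), i, len(target))
            if chr(y) == target[i - 1]:
                descend(prefix + ch, nacc, i + 1)

    descend("", 0, 1)
    return found
```

Running keygen over "abcdefghijklmnopqrstuvwxyz" reproduces the lowercase keys niaren lists later in the thread, and verify_key accepts each of them.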
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

Could it be that the crackme expects different keys when run on different machines?
Definitely not, the password is always the same, no matter on what computer system the crackme runs; that's one of the few things I know about it, and I found out it was built with "Smart Install Maker".
CrackZ
Posts: 339
Joined: Wed Dec 06, 2000 8:00 am
Contact:

Post by CrackZ »

I concur entirely with niaren. An interesting exercise might be to narrow the range of valid input chars to just the alphanumeric set; a look through the valid results might uncover the author's actual password as opposed to those that work ;-).
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Keygenning in Matlab niaren? That's different ;)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

TB10 wrote: Definitely not, the password is always the same, no matter on what computer system the crackme runs; that's one of the few things I know about it, and I found out it was built with "Smart Install Maker".
It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF. Maybe you can check whether you read the same string at that address in your setup.exe.

[Attachment: tarhash.png]

By the way, is it possible that you can reveal where you got the crackme from?
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Kayaker wrote: Keygenning in Matlab niaren? That's different ;)
Hi Kayaker, I almost fell off my chair laughing when I saw your comment :p I'm a little embarrassed about the Matlab thing, but I hoped that nobody would recognize Matlab :) to a hammer everything looks like...... ;)
From blabberer's post I learned about the ? command. That is very interesting, because I also saw that it supports loops. Then maybe it is possible to keygen in windbg :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

CrackZ wrote: I concur entirely with niaren. An interesting exercise might be to narrow the range of valid input chars to just the alphanumeric set; a look through the valid results might uncover the author's actual password as opposed to those that work ;-).
Hi CrackZ, I did try that but have not found anything obvious. Constraining the valid input chars to the alphanumeric set including lower and upper letters ([0-9A-Za-z]), the keygen generates more than 7,000,000 possible keys.
Considering only lower letters ([a-z]), the keygen produces 6 possible keys:
whdklposvbnaazjdqscrzua
whdklposvbnaazjdqscrzui
whdklposvbnaazjdqscrzup
whdklposvbnaaztrwwttzua
whdklposvbnaaztrwwttzui
whdklposvbnaaztrwwttzup
Considering only upper letters, or upper letters in combination with digits, the keygen is not able to generate any valid keys. Dunno what else to try..
TB10
Junior Member
Posts: 8
Joined: Sun Dec 22, 2013 10:22 am

Post by TB10 »

It seems that the password is the same in that it reads the target hash from the file at offset 0x1E4DF
Bingo! That's the ENCRYPTED password! Sorry, unfortunately I do not remember exactly the address where I got this crackme, buuuut I simply tried the tool with which it was created, the "Smart Install Maker", a nice program to create installers. So I built one exe with my own password to look at the same position in a hex editor, and found that it really shows the encrypted password (I just tried to change the LENGTH of it to compare). So, as the next step, I simply copied the password of my own exe into the crackme (replacing the original); the length MUST be equal in the hex editor. I tried my luck, and it works fine!
OK, that's indeed not a really smart reverser solution, but easy for a newbie, and a good learning step. But it interests me how the encryption works, and is there a way to decrypt that thing in OllyDbg (or another debugger)? It seems that the encryption algorithm is not randomized, that means, for example, 123 always results in the same encrypted letters, but it depends on the whole combination of the password, not on single letters.
The keygen stuff sounds interesting, but how can that work on custom (not generated) passwords?

I've created the screenshot as PNG, but the upload manager changed it to (bad) JPEG :( , only an external filehoster for PNG?
[Attachment: install_1.jpg]
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@niaren
Nice to see you crack the windbg encryption :)
You use @ in windbg when playing with registers or pseudo-registers to eliminate symbol resolving time.
windbg interprets @ecx as pointing to register ECX, not to some symbol named ecx. Many a time you can get away with $t1, but once in a while it will bite you and start loading an infinite number of symbols and downloading an infinite number of pdbs, and then print out an error that symbol ecx is not resolved.
IIRC this behaviour is documented, I think, but I made it a habit to do poi(@ecx) poi(@esp+4) instead of poi(eax).

Yes, you can keygen in windbg :)

As to resolving to base+offset: yes, it should hold true if you break and trap the return.

Just let loose L = 23 in your script :)

For starters, this password

Code:

 CX2g!F%q9&gf6R1D11ssdr4442222222226 
should get you the first 8 of the hash constantly


EAX 009B40F4 ASCII "PX1QGTTEO>:0ERPZHY7C36UVI<3L3R;>YN="
ECX 00000000
EDX 009926A8 ASCII "PX1QGTTEU<S7?<9T43387M3"
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

TB10 wrote: I've created the screenshot as PNG, but the upload manager changed it to (bad) JPEG :( , only an external filehoster for PNG?
That's fine, vBulletin automatically converts PNG to JPG if it's over a certain size (currently set at 1024x768).

Preciousssss is safe from the sneaky little hobbitses...
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

@niaren there is a typo: the address should be 26b0 and not 26a0.

When you run the command, windbg should print the first 8 letters of the hardcoded hash and continue till you input a letter in the edit box.
When you enter a letter, it should dump the result as well as the answer for the expression.
'V' is just a letter; if you input C in the edit box, windbg should show you the dump and answer like below, corresponding to the first letter.

Code:

Processing initial command 'bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g'
0:000> bp KERNEL32!VirtualAlloc;g;gu;bc *;r $t1= @eax+26b0;ba w1 @$t1;g;db @eax;bc *;ba r1 @$t1-8;g;g;bd *;db esi;? ('C'*'C'+1)%'Z'+30;g
Breakpoint 0 hit  < valloc break
Breakpoint 0 hit  < ba w1 break
009926a8  50 58 31 51 47 54 54 00-00 00 00 00 00 00 00 00  PX1QGTT.........
009926b8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009926c8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009926d8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009926e8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009926f8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00992708  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00992718  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
Breakpoint 0 hit <------ ba r1 break and continue with g to start running the crackme;
Breakpoint 0 hit <------ ba r1 second break when you input a character in the edit box
009b40c4  50 00 00 00 f8 b5 41 00-f8 b5 41 00 34 3f 00 00  P.....A...A.4?..
009b40d4  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009b40e4  00 00 00 00 00 00 00 00-00 00 00 00 20 9e 40 00  ............ .@.
009b40f4  00 00 00 00 00 00 00 00-00 00 00 00 00 80 01 00  ................
009b4104  00 01 00 00 00 00 00 00-00 00 ff ff ff ff 00 00  ................
009b4114  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
009b4124  00 00 00 00 00 00 00 00-00 00 00 00 f8 b5 41 00  ..............A.
009b4134  f8 b5 41 00 cc 3e 00 00-30 00 00 00 01 00 01 00  ..A..>..0.......
Evaluate expression: 128 = 00000080

If you want to test the generation and try your hand at brute-forcing till you can keygen,

put this in a txt file and run windbg like this:

Code:

windbg -c "$$>a< setuppw.txt" Setup.exe
here are the commands

Code:

bp /1 KERNEL32!VirtualAlloc;
g;
gu;
r $t1= @eax+26b0;
ba w1 /1 @$t1;
g;
r $t2 = @eax;
db @$t2;
ba r1 @$t1-8;
g;
g;
bs 0 "db /c 20 @esi L20;db /c 20 @$t2 L20;.echo ================;gc";
g;