New FUN REversing challenge ESET 2013

Interesting low-level stuff, operating system related issues, packer/vx acrobatics, drivers and non-newbie programming in general, including win32 assembly and whatever else.
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

New task for programmers and new crackme 2013:

http://joineset.com/

Bye NeO'X'QuiCk
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

This module does nothing (see procmon) lol :devil:
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

Anubis:

Orig("Timeout", wait for input): http://anubis.iseclab.org/?action=result&task_id=184daca9179ccf94479bbbd99f7d2e54f&format=html

Mod(loader, "All tracked processes have exited"): http://anubis.iseclab.org/?action=result&task_id=138e93b5cb62a6174f5c1f37222a63549&format=html


Apparently this is a non-working dropper.
Attachment: Eset.zip (283.56 KiB)
Inliferty
Junior Member
Posts: 4
Joined: Wed Jun 05, 2013 6:08 pm

Post by Inliferty »

You are right, this is not a dropper.
Nevertheless you should not ignore the hint they give when you start the program :)

Code:

* Program code can contain hidden files, texts, conditional tasks, debugging *
* protection and so on. Do not hesitate to send us your results even if      *
* they're only partial. You can also attach a step-by-step analysis so that  *
...
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

This is a dropper, i.e. an application that downloads and runs code. There are URLDownloadToFile & ShellExecute(). This is a dropper. Non-working crap. Typical for AVers.
"Program code can contain hidden files, texts, conditional tasks, debugging *"
You're poking your nose into the log!?


It doesn't do anything, pagan AVers!1

NeOXOeN

Are you the author ??
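The download-then-execute pairing Indy names (URLDownloadToFile plus ShellExecute) is the classic static tell for a dropper. The Python below is an added example, not code from this thread or from the ESET challenge: it walks a PE32 import directory by hand and flags that pairing. The PE image it parses is constructed in memory so the script runs offline; the API name lists are an assumption for the example, not an exhaustive catalogue. On a UPX-packed sample like this one the packer keeps only a skeleton import table, so the real names only appear after unpacking or in a memory dump taken once the stub has run, which is why the sandbox run and loader above come first.

```python
import struct

# API families behind the behaviour Indy reports (download + execute).
# Assumed lists for this example; not exhaustive.
DOWNLOAD_APIS = {"URLDownloadToFile", "URLDownloadToCacheFile", "InternetOpenUrl",
                 "InternetReadFile", "WinHttpOpenRequest", "HttpSendRequest"}
EXEC_APIS = {"ShellExecute", "ShellExecuteEx", "CreateProcess", "WinExec",
             "CreateProcessAsUser"}

def parse_imports(image: bytes) -> dict:
    """Walk a PE32 file image and return {dll: [imported name or 'ord:N', ...]}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    imp_rva = struct.unpack_from("<I", image, opt + 104)[0]    # DataDirectory[1] = imports
    if imp_rva == 0:
        return {}
    # Section table entries (VirtualAddress, SizeOfRawData, PointerToRawData) for RVA -> offset.
    secs = [struct.unpack_from("<III", image, opt + opt_size + 40 * i + 12) for i in range(nsec)]

    def off(rva):
        for va, raw_size, raw_ptr in secs:
            if va <= rva < va + raw_size:
                return raw_ptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by a section")

    def cstr(rva):
        o = off(rva)
        return image[o:image.index(b"\0", o)].decode("ascii")

    result, d = {}, off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, d)
        if name_rva == 0:                        # null descriptor ends the directory
            break
        t, apis = off(oft or ft), []             # prefer the unbound lookup table
        while (entry := struct.unpack_from("<I", image, t)[0]) != 0:
            apis.append(f"ord:{entry & 0xFFFF}" if entry & 0x80000000 else cstr(entry + 2))
            t += 4
        result[cstr(name_rva).lower()] = apis
        d += 20
    return result

def classify(imports: dict) -> dict:
    """Pair download and execute primitives; strip the A/W suffix so both variants match."""
    def base(n):
        return n[:-1] if len(n) > 1 and n[-1] in "AW" else n
    names = {base(a) for apis in imports.values() for a in apis}
    dl, ex = sorted(names & DOWNLOAD_APIS), sorted(names & EXEC_APIS)
    return {"download": dl, "execute": ex, "dropper_like": bool(dl and ex)}

def build_sample_pe(dlls: dict) -> bytes:
    """Constructed PE32 image for this example (not a runnable executable): one
    section at RVA 0x1000 == file offset 0x1000 holding only an import directory."""
    sec_rva = 0x1000
    sec = bytearray(20 * (len(dlls) + 1))        # descriptors incl. null terminator
    for i, (dll, apis) in enumerate(dlls.items()):
        ilt = len(sec)
        sec += b"\0" * (4 * (len(apis) + 1))     # thunk array, filled in below
        rvas = []
        for api in apis:
            rvas.append(sec_rva + len(sec))
            sec += b"\0\0" + api.encode() + b"\0"       # hint + name
        for j, rva in enumerate(rvas):
            struct.pack_into("<I", sec, ilt + 4 * j, rva)
        name = sec_rva + len(sec)
        sec += dll.encode() + b"\0"
        # OriginalFirstThunk and FirstThunk share one array here; a linker emits two.
        struct.pack_into("<5I", sec, 20 * i, sec_rva + ilt, 0, 0, name, sec_rva + ilt)
    size = (len(sec) + 0x1FF) & ~0x1FF
    sec += b"\0" * (size - len(sec))
    hdr = bytearray(0x1000)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    pe = 0x40
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # COFF header
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                                      # PE32 magic
    struct.pack_into("<II", hdr, opt + 104, sec_rva, 20 * (len(dlls) + 1))       # import dir
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".idata", size, sec_rva, size, 0x1000)
    return bytes(hdr) + bytes(sec)

if __name__ == "__main__":
    sample = build_sample_pe({"urlmon.dll": ["URLDownloadToFileA"],
                              "shell32.dll": ["ShellExecuteA"], "kernel32.dll": ["ExitProcess"]})
    imports = parse_imports(sample)
    print(imports)
    print(classify(imports))
```

Run it against a real file by replacing `sample` with `open(path, "rb").read()`; for a packed sample, point it at the dump taken after the unpacking stub has finished, not at the file on disk.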
Inliferty
Junior Member
Posts: 4
Joined: Wed Jun 05, 2013 6:08 pm

Post by Inliferty »

You ran an automated system on an executable. Wow, congratulations ...

Code:

* Hidden part #1. Text picked from the following URL:
* http://www.virusradar.com/en/Win32_Virut.E/description

O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It's late!

* Hidden part #2. Text picked from the following URL:
* http://www.virusradar.com/en/Win32_Ridnu.NAA/description

DEAR MY PRINCESS
WHEN THE STARS FILL THE SKY I WILL MEET YOU MY LOVELY PRINCESS
I MISS YOU SO MUCH MY PRINCESS
IN MY DEAREST MEMORY I SEE YOU REACHING OUT TO ME
I WILL REMEMBER YOU AS LONG AS YOU REMEMBER ME
IN YOUR DEAREST MEMORY DO YOU REMEMBER LOVING ME
PLEASE DO NOT FORGET OUR PAST
DID YOU KNOW THAT I HAD MIND ON YOU
I NEVER WISH TO LOSE YOU AGAIN
SHALL I BE THE ONE FOR YOU
I WANNA TAKE YOU TO MY PALACE
I WILL TAKE YOU TO OUR UTOPIA
I AM FALLING IN LOVE WITH YOU
I WILL BE WAITING FOR YOU
I DO NOT WANT TO SAY GOOD BYE TO YOU
PLEASE DO NOT FORGET YOUR PRINCE
I SAW YOU SMILING AT ME WAS IT REAL OR JUST MY FANTASY
YOU WILL ALWAYS IN MY HEART
YOU ALWAYS IN MY DREAMS
I ALWAYS SEE YOU IN MY DREAMS
I HAVE BEEN POISONED BY YOUR LOVE
I MISS YOU I AM STILL LOOKING FOR YOU
I WILL BE THERE I WILL BE WAITING FOR YOU
PLEASE COME BACK TO OUR BEAUTY ISLAND
I MISS YOUR CUTE SMILE

* Hidden part #3.

Continue with the next ESET crackme here:
<Secret Link>
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

Sorry guys, I am not the coder of this... found it on a tuts forum so I thought I would post it here also... didn't know it's junky :P


bye NEO
dion
Member
Posts: 61
Joined: Tue Jul 31, 2007 8:38 am

Post by dion »

I did some boring checks: compared the modified UPX stub with every known version of UPX.
Comparing routines at the end of the stub, I found that the UPX version used is >= v1.95.
Comparing one opcode (sar eax, 1 somewhere), I found that the UPX version used is < v1.20.
So none of them produce the same stub; it's weird.
I also found that at the beginning the [or ebp, -1, which is used in what might be all versions of UPX] is omitted. I read the source but I don't quite understand what it is used for.
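dion's check, comparing the entry-point stub byte by byte against stock UPX stubs, can be scripted. The Python below is an added example, not dion's or ESET's code: it matches the bytes at AddressOfEntryPoint against the canonical UPX prologue (the wildcard form that packer signatures key on), reports whether the `or ebp, -1` (83 CD FF) that follows `push edi` in a stock stub is present, and pulls the version the stub advertises in its `$Id: UPX x.xx` string. The stub bytes and image are constructed for the example. The version string is a claim an author can edit freely, so the opcode comparison dion did is what to trust; as a note not made in the thread, `or ebp, -1` seeds ebp, which the NRV decompressor in the stub uses as its last-match-offset register.

```python
import re

# Canonical opening of a stock UPX i386 PE stub (the prefix packer signatures key on):
#   60                 pushad
#   BE xx xx xx xx     mov  esi, <packed data>
#   8D BE xx xx xx xx  lea  edi, [esi + delta]   ; unpack destination
#   57                 push edi
#   83 CD FF           or   ebp, -1              ; seeds the decompressor's last-match offset
UPX_PROLOGUE = "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57"
OR_EBP_MINUS1 = bytes.fromhex("83CDFF")

def sig_to_regex(sig: str) -> re.Pattern:
    """Turn an 'AA BB ?? CC' hex signature into a bytes regex; ?? matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def fingerprint_stub(ep_code: bytes, window: int = 16) -> dict:
    """Classify the bytes at AddressOfEntryPoint.

    Reports whether the stock prologue is present, whether `or ebp,-1` appears
    within `window` bytes after `push edi`, and the operands the stub carries."""
    m = sig_to_regex(UPX_PROLOGUE).match(ep_code)
    if not m:
        return {"upx_prologue": False}
    tail = ep_code[m.end():m.end() + window]
    return {
        "upx_prologue": True,
        "or_ebp_minus1": OR_EBP_MINUS1 in tail,
        "src": int.from_bytes(ep_code[2:6], "little"),                  # mov esi, imm32
        "delta": int.from_bytes(ep_code[8:12], "little", signed=True),  # lea edi, [esi+imm32]
    }

def claimed_version(image: bytes):
    """Version the stub advertises ("$Id: UPX 3.08 ..."). Trivially editable, so it is
    a claim to check against the opcodes, not ground truth."""
    m = re.search(rb"\$Id: UPX (\d+\.\d+)", image)
    return m.group(1).decode() if m else None

def verdict(ep_code: bytes, image: bytes) -> str:
    fp = fingerprint_stub(ep_code)
    ver = claimed_version(image)
    if not fp["upx_prologue"]:
        return "no UPX prologue at entry point" + (f" (yet image claims UPX {ver})" if ver else "")
    if not fp["or_ebp_minus1"]:
        return "UPX prologue with or ebp,-1 removed: modified stub" + (f" claiming {ver}" if ver else "")
    return "stock-looking UPX prologue" + (f", claims {ver}" if ver else "")

# Constructed inputs (not bytes from the ESET binary): a stock-looking stub and one
# with the `or ebp,-1` dropped, as dion describes.
STOCK_EP = bytes.fromhex("60 BE 00 90 40 00 8D BE 00 80 FF FF 57 83 CD FF EB 10") + b"\x90" * 16
MODIFIED_EP = bytes.fromhex("60 BE 00 90 40 00 8D BE 00 80 FF FF 57 EB 10") + b"\x90" * 19
FAKE_IMAGE = b"\0" * 64 + b"$Id: UPX 3.08 Copyright (C) 1996-2011 the UPX Team. All Rights Reserved. $"

if __name__ == "__main__":
    print(fingerprint_stub(STOCK_EP))
    print(verdict(STOCK_EP, FAKE_IMAGE))
    print(verdict(MODIFIED_EP, FAKE_IMAGE))
```

Feed `fingerprint_stub` the bytes at the PE's AddressOfEntryPoint (read from the optional header) and `claimed_version` the whole file; a hit on the prologue with the `or ebp,-1` gone, or a version string that disagrees with the routines at the end of the stub, is the "modified stub" case dion describes.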
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

InDy: Your goal is to perform an analysis of the code of this executable. The analysis of the code should produce information about the payload of the program, conditions necessary for the execution of certain actions, etc.
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

It does not work. What other analysis, lol :devil:

AVers fucked again :whoops:

Robert Šuman (ESET) reply:
[virus probably unknown WIN32 virus] EsetCrackme2013
They are idiots.
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

maybe you want a working dropper :P or a virus ;)
Indy
Posts: 311
Joined: Sun Nov 08, 2009 4:32 am

Post by Indy »

yes, open source lool))
NeOXOeN
Member
Posts: 95
Joined: Sun Feb 05, 2006 9:33 pm

Post by NeOXOeN »

hehehe ;)
Inliferty
Junior Member
Posts: 4
Joined: Wed Jun 05, 2013 6:08 pm

Post by Inliferty »

I already posted the hidden output (only removed the link to the next CrackMe) of the program and you still say it is not working ... Clearly you must be doing something wrong or missing a (debug) check.