Gr. Crackme >>Prove_KongFuZi<<

A classroom run by newbies for newbies. Gain valuable reversing experience & skills as we explain the in's and out's of RCE.
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Gr. Crackme >>Prove_KongFuZi<<

Post by evaluator »

Now instead, let's prove KongFuZi:
"To be wronged is nothing, unless you continue to remember it"

BTW,
I searched & found a timed method to get rid of annoying brutterz!! Soon they will ALL cry :P
& this is just the 1st step. More precise CPU/timing coming t_Soon xD
Attachments
Prove_KongFuZi.zip
(4.99 KiB) Downloaded 178 times
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

I discarded crackmes.de.
Blah, now uploading here...
BanMe
Posts: 515
Joined: Mon Oct 27, 2008 11:05 am
Location: Farmington NH

smile more?

Post by BanMe »

I really like this CrackMe. Using timing as an anti-single-step trick is a most unique feature.
I would like to go into details about the time I spent looking at this multi-process crackme. Can I? :}

Also note: I ask because I don't know the 'rules' involved in all this. You know, the first time I wanted to 'test' my abilities, I looked at other solutions to get an idea of what is required. It seems they don't want to completely document the code (I do). Also, I think the use of timing as a repeatable concept was genius.

Some analyzed code, still more to come :)

Code:

00403000 >/$ 6A 01          PUSH 1                                   ; /Protect = PAGE_NOACCESS
00403002  |. 68 00200000    PUSH 2000                                ; |AllocationType = MEM_RESERVE
00403007  |. 68 00000100    PUSH 10000                               ; |Size = 10000 (65536.)
0040300C  |. 6A 00          PUSH 0                                   ; |Address = NULL
0040300E  |. FF15 6C104000  CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc: reserve 64 KiB, no access yet
00403014  |. 85C0           TEST EAX,EAX                             ; NULL = failure
00403016  |. 0F84 7D010000  JE Prove_Ko.00403199                     ; on failure exit process
0040301C  |. 8BF0           MOV ESI,EAX                              ; ESI = base of the reserved region
0040301E  |. 81C6 00100000  ADD ESI,1000                             ; skip the first page: ESI = base + 0x1000
00403024  |. 6A 04          PUSH 4                                   ; /Protect = PAGE_READWRITE
00403026  |. 68 00100000    PUSH 1000                                ; |AllocationType = MEM_COMMIT
0040302B  |. 68 00100000    PUSH 1000                                ; |Size = 1000 (4096.)
00403030  |. 56             PUSH ESI                                 ; |Address
00403031  |. FF15 6C104000  CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc: commit one RW page at base+0x1000
00403037  |. 85C0           TEST EAX,EAX                             ; NULL = failure
00403039  |. 0F84 5A010000  JE Prove_Ko.00403199                     ; on failure exit process
0040303F  |. 68 4B455900    PUSH 59454B                              ; "KEY\0" as a little-endian dword, built on the stack
00403044  |. 8BCC           MOV ECX,ESP                              ; ECX -> "KEY" (the file name)
00403046  |. 6A 00          PUSH 0                                   ; /hTemplateFile = NULL
00403048  |. 68 80000000    PUSH 80                                  ; |Attributes = NORMAL
0040304D  |. 6A 02          PUSH 2                                   ; |Mode = CREATE_ALWAYS
0040304F  |. 6A 00          PUSH 0                                   ; |pSecurity = NULL
00403051  |. 6A 03          PUSH 3                                   ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00403053  |. 68 000000C0    PUSH C0000000                            ; |Access = GENERIC_READ|GENERIC_WRITE
00403058  |. 51             PUSH ECX                                 ; |FileName = "KEY"
00403059  |. FF15 70104000  CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
0040305F  |. 5F             POP EDI                                  ; discard the "KEY" dword from the stack
00403060  |. 8BF8           MOV EDI,EAX                              ; EDI = file handle
00403062  |. 40             INC EAX                                  ; INVALID_HANDLE_VALUE (-1) becomes 0 ...
00403063  |. 0F84 30010000  JE Prove_Ko.00403199                     ; ... so this is the CreateFile failure check
00403069  |. FF15 74104000  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; \GetTickCount: ms since boot; anti-debug trick starts here
0040306F  |. 8BD8           MOV EBX,EAX                              ; EBX = t0
00403071  |. 81FB C0270900  CMP EBX,927C0                            ; 0x927C0 = 600000 ms = 10 minutes of uptime
00403077  |. 76 58          JBE SHORT Prove_Ko.004030D1              ; uptime <= 10 min: skip straight to CloseHandle
00403079  |. 81FB 00CA9A3B  CMP EBX,3B9ACA00                         ; 0x3B9ACA00 = 1,000,000,000 ms (about 11.6 days)
0040307F  |. 77 50          JA SHORT Prove_Ko.004030D1               ; uptime above that: skip straight to CloseHandle
00403081  |. C706 94000000  MOV DWORD PTR DS:[ESI],94                ; buffer[0..3] = 0x94 (the record length)
00403087  |. 895E 04        MOV DWORD PTR DS:[ESI+4],EBX             ; buffer[4..7] = t0; rest of the fresh page is zero
0040308A  |. 6A 00          PUSH 0                                   ; /pOverlapped = NULL
0040308C  |. 54             PUSH ESP                                 ; |pBytesWritten -> the slot holding that 0
0040308D  |. 68 94000000    PUSH 94                                  ; |nBytesToWrite = 94 (148.)
00403092  |. 56             PUSH ESI                                 ; |Buffer
00403093  |. 57             PUSH EDI                                 ; |hFile
00403094  |. FF15 78104000  CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile: 148 bytes to KEY
0040309A  |. 68 D0070000    PUSH 7D0                                 ; /Timeout = 2000. ms
0040309F  |. FF15 7C104000  CALL DWORD PTR DS:[<&KERNEL32.Sleep>]    ; \Sleep
004030A5  |. FF15 74104000  CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; \GetTickCount: t1
004030AB  |. 2BC3           SUB EAX,EBX                              ; EAX = elapsed = t1 - t0 (unsigned, wraps)
004030AD  |. 2D B80B0000    SUB EAX,0BB8                             ; elapsed - 3000; borrows (CF=1) when elapsed < 3000
004030B2  |. 77 1D          JA SHORT Prove_Ko.004030D1               ; elapsed > 3000 ms (e.g. single-stepping over the Sleep): skip to CloseHandle
004030B4  |. 6A 00          PUSH 0                                   ; /Origin = FILE_BEGIN
004030B6  |. 6A 00          PUSH 0                                   ; |pOffsetHi = NULL
004030B8  |. 6A 00          PUSH 0                                   ; |OffsetLo = 0
004030BA  |. 57             PUSH EDI                                 ; |hFile
004030BB  |. FF15 80104000  CALL DWORD PTR DS:[<&KERNEL32.SetFilePoi>; \SetFilePointer: rewind KEY to offset 0
004030C1  |. 6A 00          PUSH 0                                   ; /pOverlapped = NULL
004030C3  |. 54             PUSH ESP                                 ; |pBytesRead -> the slot holding that 0
004030C4  |. 68 94000000    PUSH 94                                  ; |BytesToRead = 94 (148.)
004030C9  |. 56             PUSH ESI                                 ; |Buffer
004030CA  |. 57             PUSH EDI                                 ; |hFile
004030CB  |. FF15 84104000  CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile: read the first 148 bytes of KEY back
004030D1  |> 57             PUSH EDI                                 ; /hObject = KEY file handle
004030D2  |. FF15 88104000  CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004030D8  |. 2BC0           SUB EAX,EAX                              ; EAX = 0
004030DA  |. 64:8308 FF     OR DWORD PTR FS:[EAX],FFFFFFFF           ; FS:[0] = -1: empty the SEH chain
004030DE  |. 64:8B78 08     MOV EDI,DWORD PTR FS:[EAX+8]             ; EDI = TEB StackLimit (lowest stack address)
004030E2  |. 64:8B48 04     MOV ECX,DWORD PTR FS:[EAX+4]             ; ECX = TEB StackBase (highest stack address)
004030E6  |. 2BCF           SUB ECX,EDI                              ; stack size in bytes
004030E8  |. C1E9 02        SHR ECX,2                                ; ... in dwords
004030EB  |. FC             CLD                                      ; stores go upward
004030EC  |. F3:AB          REP STOS DWORD PTR ES:[EDI]              ; zero the whole stack, this frame included
004030EE  |. 81E4 00F0FFFF  AND ESP,FFFFF000                         ; page-align ESP downward ...
004030F4  |. 81C4 00100000  ADD ESP,1000                             ; ... then move to the next page boundary above
004030FA  |. 68 A4314000    PUSH Prove_Ko.004031A4                   ; handler address
004030FF  |. 6A FF          PUSH -1                                  ; prev = -1: end of chain
00403101  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP               ; FS:[0] = ESP: install the new EXCEPTION_REGISTRATION
00403104  |. 0F0B           UD2                                      ; #UD: raises an exception into the handler at 004031A4
00403106  |. 8D6C24 80      LEA EBP,DWORD PTR SS:[ESP-80]            ; execution resumes here after the handler
I'm working on this and so much other stuff... I hope to show your code in all its glory and maybe even really understand it, and if not I will at least know more about where I can improve... :)

I am sorry if you think I would berate thee. I only wish to see more of the light you keep hidden, so I may see it better. Is that a wrong goal?
No hate for the lost children;
more love for the paths we walk,
'words' shatter the truth we seek.
from the heart and mind of Me
me, to you.. down and across

No more words from me, to you...
Hate and love shatter the heart and Mind of Me.
For the Lost Children;For the paths we walk; the real truth we seek!
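The two timing checks in the listing above (the GetTickCount uptime window and the Sleep/elapsed comparison) are easy to misread because they use unsigned x86 flag semantics. The following is an added example, written for this page and not code from the crackme or from either poster: it models those checks in C with the same 32-bit unsigned arithmetic, plus the 148-byte record the crackme writes to "KEY". The constants are the hex immediates from the disassembly; the little-endian layout of the record is an assumption that matches the x86 dword stores, and the monotonic-clock `tick_ms` is a stand-in for GetTickCount on non-Windows hosts.

```c
/* Added example: C model of the Prove_KongFuZi timing checks shown in the
 * disassembly above. Not the crackme's code; constants copied from the listing. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define UPTIME_MIN_MS    0x927C0u    /* 600000 ms  = 10 minutes        */
#define UPTIME_MAX_MS    0x3B9ACA00u /* 1e9 ms     = about 11.6 days   */
#define SLEEP_MS         0x7D0u      /* Sleep(2000)                    */
#define ELAPSED_LIMIT_MS 0xBB8u      /* SUB EAX,0BB8: 3000 ms          */
#define KEY_IMAGE_SIZE   0x94u       /* 148 bytes written to "KEY"     */

/* CMP EBX,927C0 / JBE fail ; CMP EBX,3B9ACA00 / JA fail.
 * Passes only when UPTIME_MIN_MS < tick <= UPTIME_MAX_MS (unsigned). */
int uptime_window_ok(uint32_t tick)
{
    if (tick <= UPTIME_MIN_MS) return 0;
    if (tick > UPTIME_MAX_MS)  return 0;
    return 1;
}

/* SUB EAX,EBX ; SUB EAX,0BB8 ; JA fail.
 * elapsed = t1 - t0 wraps mod 2^32 exactly like the x86 SUB. JA is taken
 * (check fails) when elapsed - 3000 produced neither a borrow nor zero,
 * i.e. when elapsed > 3000 unsigned. A 2 s Sleep leaves 1 s of slack;
 * single-stepping over the Sleep and the two GetTickCount calls burns it. */
int elapsed_ok(uint32_t t0, uint32_t t1)
{
    uint32_t elapsed = t1 - t0;
    return elapsed <= ELAPSED_LIMIT_MS;
}

/* The record written with WriteFile: dword 0x94 at offset 0, t0 at offset 4,
 * the remaining 140 bytes zero (fresh page). Little-endian layout assumed. */
void build_key_image(uint32_t tick, uint8_t out[KEY_IMAGE_SIZE])
{
    uint32_t len = KEY_IMAGE_SIZE;
    memset(out, 0, KEY_IMAGE_SIZE);
    memcpy(out, &len, sizeof len);
    memcpy(out + 4, &tick, sizeof tick);
}

/* Validate a 148-byte image against that layout; returns 1 if it matches. */
int key_image_valid(const uint8_t *img, uint32_t expected_tick)
{
    uint32_t len, tick;
    memcpy(&len, img, sizeof len);
    memcpy(&tick, img + 4, sizeof tick);
    if (len != KEY_IMAGE_SIZE || tick != expected_tick) return 0;
    for (size_t i = 8; i < KEY_IMAGE_SIZE; i++)
        if (img[i] != 0) return 0;
    return 1;
}

/* Stand-in for GetTickCount: monotonic milliseconds truncated to 32 bits. */
static uint32_t tick_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

int main(void)
{
    struct timespec d = { SLEEP_MS / 1000, (long)(SLEEP_MS % 1000) * 1000000L };
    uint32_t t0 = tick_ms();
    nanosleep(&d, NULL);                    /* the Sleep(2000) in the listing */
    uint32_t t1 = tick_ms();
    printf("uptime %u ms: window %s\n", t0, uptime_window_ok(t0) ? "ok" : "rejected");
    printf("elapsed %u ms: %s\n", t1 - t0, elapsed_ok(t0, t1) ? "ok" : "rejected");
    /* What a stepped-through run looks like: 5 s between the two reads. */
    printf("elapsed 5000 ms: %s\n", elapsed_ok(t0, t0 + 5000u) ? "ok" : "rejected");
    return 0;
}
```

Two practical consequences follow from the model: the elapsed check is bypassed in a debugger by not stepping over the Sleep (a breakpoint after the second GetTickCount, or patching EBX/EAX before the SUB), and the uptime window rejects a machine that has been up for less than ten minutes, which is worth remembering before blaming the debugger when the crackme goes straight to CloseHandle.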