niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

PatchMe / KeygenMe

Post by niaren »

Here is a crackme. It is not really mine as it is composed of 'stuff' taken from this forum.
As I'm not an experienced reverser I have no idea how difficult it is. I guess it is easy to patch but I think it will be more difficult to make a keygen (except for blabberer...doh that was my first hint :p )
Attachment: CrackMe.zip (15.66 KiB), downloaded 206 times
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Nice one niaren! The heart of it reminds me of a certain conference RE Challenge from this Spring that was mentioned here, and which one of our members posted a nice explanation for, that should be obscure enough...

Oh yes, this looks fun and challenging :yay:
In fact, I think patching would be more difficult than keygenning...
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Hi kayaker :) I tried to open up the file in IDA and I was surprised to see how much code Visual Studio inserts into the executable. The source code (built with VS2010) consists of quite few lines of code, but the exe file is huge compared to that. So VS2010 does a very good job of providing a first layer of obfuscation/obscurity :p The code that I know of starts at VA 0x401000; all the code executed from the entry point to that address is something Visual Studio is responsible for.

I'm not sure which conference you're referring to :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Kayaker wrote: In fact, I think patching would be more difficult than keygenning...
I have thought about this and maybe you are indeed correct. This must mean you already know what have been done :)
I thought about keygenning as 'fishing' out the true code and build the keygen using that but maybe your suggestion is simpler.
I will try to see if I can find a patch later, not even sure how many bytes need to be patched.
I would like to ask you a question but will wait a couple of days just in case others want to have a look. Then I can also disclose how the exe was made.
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

niaren wrote: I tried to open up the file in IDA and I was surprised to see how much code visual studio inserts into the executable.
It is called C runtime support code, aptly named WinMainCRTStartup (source code for that is available with your Visual Studio setup; look for crtexe.c).
It sets up console / exception / TLS / exit / heap / garbage collectors / constructors / destructors / terminate handlers etc. and calls WinMain or wmain, which is the code you wrote, and when your code returns it cleans up and returns back to the system. It is quite standard, and for the trained eye the complete code will be neglected in one go, so no obfuscation there :)

the byte comparison and vm like code gen is good :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Thanks blabberer! If you just knew how many times I have landed in this crtexe.c file whenever debugging in Visual Studio... and despite this it has never occurred to me that the code in that file is built into my application. I will definitely google that file and learn more about its functionality. Then I can also find out if it is possible to stop Visual Studio from linking crtexe into the exe.

hehe, I think you know what is going on. Can you show a valid key :p
I found that this post/blog http://www.woodmann.com/forum/entry.php ... -8-demo%29 seems very similar to what is going on in the crackme...that is a very strong hint!
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

You don't have to google for that file; if you have installed Visual Studio completely it should be available in the crt\src folder.
If it is not available, repair-install VS to install all components.

C:\>dir  /s /b "c:\Program Files\Microsoft Visual Studio 10.0"\crtexe.c
c:\Program Files\Microsoft Visual Studio 10.0\VC\crt\src\crtexe.c

C:\>
No, you can't avoid VS linking with that, as it is a necessary component; without it no console support will be available,
you can't use printf or stdio.h.

if you do not care about console mode and are interested in Windows Mode Only
you can avoid crt code from being linked

copy paste to foo.bat and run this bat file for an example

pushd ..
@call "C:\Program Files\Microsoft Visual Studio 10.0\VC\vcvarsall.bat" x86
popd
echo #include ^<windows.h^> > test.cpp
echo int main (void) { MessageBoxA(NULL,"Hi","Hello",NULL); ExitProcess(0);}; >> test.cpp
cl test.cpp /link /SUBSYSTEM:Windows /ENTRY:main user32.lib kernel32.lib
Didn't I post VM-like code earlier :) You got your key with that reply :)
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

Kayaker wrote: In fact, I think patching would be more difficult than keygenning...
Hi kayaker, is it possible that you can tell exactly what made you first conclude that this is VM? To a trained eye I guess it is obvious but I'm just curious to learn what first got you thinking that this is VM?
Did it just 'stink' of VM from the beginning?
Was it the dispatcher loop from 40C3F2 to 40C41E that revealed the VM?
Was it some particular call flow or special instruction sequence?

It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
If the byte at file offset 7DDF is changed from C3->C0 any key of length 23 is accepted.
blabberer
Senior Member
Posts: 1536
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

can a virtual patch be called patching ?

Attachment: patch.PNG
ZaiRoN
Posts: 922
Joined: Fri Oct 12, 2001 7:00 am
Location: Italy

Post by ZaiRoN »

Kayaker wrote: In fact, I think patching would be more difficult than keygenning...
Imho, not this time. Understanding the protection routine is quite easy but a patch on the fly is really easy.

The dispatcher loop is always a good tip in a VM recognition process!
The VM is easy, it has few specific instructions and it's able to emulate x86 instructions.
niaren wrote: It's not that easy to find a patch. Changing a jnz instruction into jz is not straight forward as their VM opcodes are of different length!
It's possible to register the crackme with any 23 bytes length serial patching a single byte of the original exe, you only have to understand VM bytecode 0x00.

Offset 0x7DDF contains the single byte check and... good luck :)
A mind is like a parachute. It doesn't work if it's not open.
rendari
Senior Member
Posts: 217
Joined: Sat Dec 10, 2005 7:08 pm

Post by rendari »

That was a very cool minimalist VM :) I managed to make a 1 byte patch like ZaiRoN did and might look into keygenning if I have time after lunch.

Cheers!

-rendari
rendari
Senior Member
Posts: 217
Joined: Sat Dec 10, 2005 7:08 pm

Post by rendari »

I might be understanding this wrong, but can you even generate a key for this that is valid ascii characters?

-rendari
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Heheh blabberer, that's almost exactly the same conditional breakpoint virtual patch I came up with, except I was going to maybe change the opcode bytes to 'cmp al, al' or something rather than flipping the zero flag, just for fun.

I wasn't sure yet if the 'cmp al, bl' instruction was generated from the same location in the byte sequence beginning at 40c000, or whether there were multiple instances. If just the one, then yes I guess a 1-byte patch is possible.

What this reminded me of immediately was the Athcon 2013 RE Challenge and which Zairon nicely ripped apart

http://zairon.wordpress.com/2013/06/11/ ... challenge/
ZaiRoN
Posts: 922
Joined: Fri Oct 12, 2001 7:00 am
Location: Italy

Post by ZaiRoN »

rendari wrote: I might be understanding this wrong, but can you even generate a key for this that is valid ascii characters?
First of all try to answer this question: are you able to get the first valid char of the serial? ;)
A mind is like a parachute. It doesn't work if it's not open.
niaren
Member
Posts: 70
Joined: Thu Dec 10, 2009 3:16 pm

Post by niaren »

blabberer wrote: can a virtual patch be called patching ?
That is another very nice windbg command :)
bp 40c32a ".if( (wo(40c32d)==c33a) ) {bp /1 40c32f \"r @al,@bl;r zf = 1;gc\";gc} .else {gc}";

bp 40c32a
First set a conditional break on the address right before the VM is going to execute the cmp instruction

.if( (wo(40c32d)==c33a) ) .else {gc}";
only break if the instruction to be executed is cmp al,bl

"bp /1 40c32f" ;gc
if the instruction is the cmp al,bl then set a one-time BP on the instruction right after the cmp al,bl instruction and continue

r @al,@bl;r zf = 1;gc
when windbg breaks at 40c32f, print out the contents of al and bl registers and force zero flag to be set such that the keygen computation continues.

This part of the command bp /1 40c32f \"r @al,@bl;r zf = 1;gc is slightly confusing
There is a gc at the end but is that because the 'outer' BP is a conditional BP? it also works if it is just g....

blabberer, do you know if it is possible to set breakpoints on all instructions from some start address to some end address, programmatically in WinDbg? I've tried to google but have not found out if it is possible. It is possible to set BPs on multiple functions at a time by using wildcards.
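As an added illustration of why both fixes discussed in this thread work (this is not part of any post): the one-byte file patch C3->C0 turns `cmp al, bl` into `cmp al, al`, because ModRM byte C0 encodes al as both operands of opcode 3A, while the WinDbg virtual patch leaves the real compare alone and forces ZF=1 right after it. The VM loop, the expected key bytes and the helper names below are constructed stand-ins for the explanation, not the crackme's actual bytecode.

```python
# Toy model of a VM-emitted byte compare loop (constructed for illustration;
# not the crackme's real code).  The x86 encodings used are the real ones:
#   3A /r  = CMP r8, r/m8, ModRM C3 -> cmp al, bl, ModRM C0 -> cmp al, al.
MODRM_REG = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
KEY_LENGTH = 23                          # length the thread says is required
ORIGINAL = bytes([0x3A, 0xC3])           # cmp al, bl   (word at 40c32d == c33a)
PATCHED = bytes([0x3A, 0xC0])            # cmp al, al   (the C3 -> C0 byte patch)
EXPECTED = bytes(range(0x41, 0x41 + KEY_LENGTH))   # constructed "correct" key


def decode_cmp_r8(opcode: int, modrm: int) -> str:
    """Decode the register-direct form of 3A /r into Intel syntax."""
    if opcode != 0x3A or modrm >> 6 != 0b11:
        raise ValueError("only register-direct CMP r8, r8 is modelled here")
    reg = MODRM_REG[(modrm >> 3) & 7]    # reg field = destination (al)
    rm = MODRM_REG[modrm & 7]            # r/m field = source (bl or al)
    return f"cmp {reg}, {rm}"


def run_check(key: bytes, expected: bytes, cmp_bytes: bytes,
              force_zf: bool = False) -> bool:
    """Emulate the check loop: al = key byte, bl = expected byte, run the
    emitted compare, require ZF=1 every iteration.  force_zf models the
    WinDbg virtual patch 'r zf = 1' executed after the compare."""
    if len(key) != KEY_LENGTH:
        return False
    _, lhs, rhs = decode_cmp_r8(cmp_bytes[0], cmp_bytes[1]).replace(",", "").split()
    for k, e in zip(key, expected):
        regs = {"al": k, "bl": e}
        zf = regs[lhs] == regs[rhs]      # ZF set iff the two operands are equal
        if force_zf:                     # breakpoint command overrides the flag
            zf = True
        if not zf:
            return False
    return True


if __name__ == "__main__":
    any_key = b"A" * KEY_LENGTH
    print("original, right key :", run_check(EXPECTED, EXPECTED, ORIGINAL))
    print("original, any key   :", run_check(any_key, EXPECTED, ORIGINAL))
    print("byte patch, any key :", run_check(any_key, EXPECTED, PATCHED))
    print("virtual patch, any  :", run_check(any_key, EXPECTED, ORIGINAL, force_zf=True))
```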