DirectX crackme

Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

UPDATE: Crackme released, scroll down for URL and info.


After the discussion in the other forum I'm just putting the final touches to a DirectX crackme; I don't think there are many (if any) of these around, so hopefully it will give people a target to play with.

Before I release it would anyone like to volunteer to analyze/crack it for me just to make sure I haven't left anything wildly obvious open to exploit? It should be ready today or tomorrow. I could also do with making sure it works on a couple of machines, DirectX being the lovely compatible system that it is....

Cheers!
Still here...
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Hi Silver, I'm interested in your DX crackme.
I am a volunteer, but as I'm not an expert in cracking/reversing I can't certify about bugs.
Though I can test it on my machine.
XP SP2 w/DXSDK & DX9
Maximus
Posts: 481
Joined: Mon Sep 19, 2005 3:09 am
Location: NDA

Post by Maximus »

evil evil evil idea....
are you using ... ...shaders? :D

"OMG" :D
I want to know God's thoughts ...the rest are details.
(A. Einstein)
--------
..."a shellcode is a command you do at the linux shell"...
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Um, no HDR please =)
I forgot to mention that my gfx card was a nvFX5900XT.
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Cheers guys, I have a couple of volunteers now...

Maximus :D now that *is* evil. I haven't done that this time, but you've given me a great idea...
Still here...
Maximus
Posts: 481
Joined: Mon Sep 19, 2005 3:09 am
Location: NDA

Post by Maximus »

I am evil :D

I would suggest to place your solution along a 3d Lattice* ( :D ) and use shaders to perform ... oooh ....
ok, a new lvl 9 crackme, I would say, eheh
I want to know God's thoughts ...the rest are details.
(A. Einstein)
--------
..."a shellcode is a command you do at the linux shell"...
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

mmmm! That would be seriously difficult to crack, if you passed in data to the shader (texcoords or whatever can be used easily), packed the result into DWORDs then wrote the result out to a surface using the DWORD as the ARGB for each pixel. All the reverser would see is magic data going in, magic data coming out and no direct way to debug the shader.... Nasty!
Still here...
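
The data path Silver describes above (a shader result packed into a DWORD and written out as a pixel's ARGB), as an added example that is not part of the original thread or the crackme: it simulates on the CPU how four normalized shader outputs quantize on an 8-bit-per-channel target and land in surface memory. The A8R8G8B8 format, the function names and the sample value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Same bit layout as Direct3D's D3DCOLOR_ARGB macro: 0xAARRGGBB. */
static uint32_t pack_argb(uint8_t a, uint8_t r, uint8_t g, uint8_t b) {
    return ((uint32_t)a << 24) | ((uint32_t)r << 16) | ((uint32_t)g << 8) | b;
}

/* A shader emits each channel as a float in [0,1]; an 8-bit target stores round(x * 255). */
static uint8_t quantize(float x) {
    x = x < 0.0f ? 0.0f : (x > 1.0f ? 1.0f : x);
    return (uint8_t)(x * 255.0f + 0.5f);
}

/* Split a 32-bit value into the four normalized outputs (r, g, b, a) a shader would return. */
static void dword_to_channels(uint32_t v, float rgba[4]) {
    rgba[0] = ((v >> 16) & 0xFF) / 255.0f;
    rgba[1] = ((v >> 8) & 0xFF) / 255.0f;
    rgba[2] = (v & 0xFF) / 255.0f;
    rgba[3] = ((v >> 24) & 0xFF) / 255.0f;
}

/* Store one pixel in surface memory; little-endian A8R8G8B8 (assumed format) is laid out B, G, R, A. */
static void write_pixel(uint8_t *surface, size_t i, const float rgba[4]) {
    uint32_t px = pack_argb(quantize(rgba[3]), quantize(rgba[0]), quantize(rgba[1]), quantize(rgba[2]));
    uint8_t *p = surface + i * 4;
    p[0] = (uint8_t)px; p[1] = (uint8_t)(px >> 8); p[2] = (uint8_t)(px >> 16); p[3] = (uint8_t)(px >> 24);
}

/* Read the pixel back from the surface bytes as a DWORD. */
static uint32_t read_pixel(const uint8_t *surface, size_t i) {
    const uint8_t *p = surface + i * 4;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Number of byte values that do not survive float -> 8-bit quantization (0 means lossless). */
static int count_lossy_bytes(void) {
    int lossy = 0;
    for (int v = 0; v < 256; v++)
        if (quantize((float)v / 255.0f) != v) lossy++;
    return lossy;
}

int main(void) {
    uint8_t surface[4]; float rgba[4];
    dword_to_channels(0xDEADBEEFu, rgba);   /* constructed sample value */
    write_pixel(surface, 0, rgba);
    printf("%08X, lossy bytes: %d\n", (unsigned)read_pixel(surface, 0), count_lossy_bytes());
    return 0;
}
```
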
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Okay, the crackme has been dispatched to my willing victi...uh, testers :D

If everything is ok I'll post it publicly shortly.
Still here...
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

It is fully working here.
Despite the fact that I'm a beginner I think this would give pleasure to advanced reversers.

Silver, no direct way to debug the shader, even using stuff like NV(ShaderPerf|PerfHUD)? Is it depending on the way the shader is used (I mean compiled with the application)?
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Silkut, debugging shaders without the original source would be a total nightmare. I'm trying to think it through now. The only reason you can debug shaders at the moment is because Visual Studio and DX etc have shader debugging extensions. But if you're reversing an app you won't have the app source to load into Visual Studio and take advantage of the debugger. That means you'll have to extract the shader code from the app directly - that's not a problem because you can use shader simulators, but then what do you do with it? If all the input to the shader is coming from the app you'd have to code your own app that simulates the exact same input to be able to debug it. You can't just break in the middle of the shader because it's simply dumped to the GPU, which you have no direct access to. As far as I know there's no way to read a shader program back from a GPU...

As Maximus has said, this would probably be even harder for vertex shaders than for pixel shaders. At least with pixel shaders you're translating across the surface one pixel at a time, but with vertex shaders you're being passed the vertex data directly. So not only would you somehow have to debug the shader code, you'd also have to understand how the data (say, the license key or whatever is being processed) is packed into the vertex data. Now imagine the final transformed position of the vertex is important to the protection in some way, such as a simple depth test.

I'd go so far as to say a protection like this would be very close to impossible to break from a pure protection point of view (ie: assuming the rest of the app didn't do anything silly like have individual goodboy/badboy jmp's). You wouldn't even need any goodboy tests, the app would run exactly the same but the end result of the shader would control what was displayed. Ouch.
Still here...
Maximus
Posts: 481
Joined: Mon Sep 19, 2005 3:09 am
Location: NDA

Post by Maximus »

I know...
It is a free dongle installed in each PC ;)
...and much more powerful and evil than every existing dongle, I would say :D

...but let's not suggest too many evil ideas to protectionists...
I want to know God's thoughts ...the rest are details.
(A. Einstein)
--------
..."a shellcode is a command you do at the linux shell"...
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Ok I think I get the point.
Anyway this kind of challenge requires more than reverse skills.
Maximus
Posts: 481
Joined: Mon Sep 19, 2005 3:09 am
Location: NDA

Post by Maximus »

eheh I'm late with 2 articles, 2 special 'crackmes', REA and what's more? :thinking:
Oh, yeah, my nephew's fresh new vgame doesn't run with DT installed...
and work, clearly ...but I'm terribly curious :D

Maybe it's time to remove all the dust from my DX knowledge :)
I want to know God's thoughts ...the rest are details.
(A. Einstein)
--------
..."a shellcode is a command you do at the linux shell"...
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Okay, thanks to my victims including Silkut and Zairon, the crackme is ready for public release.

Download from here: http://www.savefile.com/files/206121
Crackmes.de mirror: http://www.crackmes.de/users/silver/sil ... crackme_1/

Original MD5 for the .zip for your peace of mind:
4B3FE5E0F7D14762F234EB9956044385


Please be sure to read the readme carefully before you begin - it will potentially save you a lot of time.

When someone has beaten this crackme & published a solution I'll release a cut down version that concentrates purely on DirectX stuff, which will hopefully give people a playground for DX reversing with no other distractions.

Let me know how you get on!
Still here...
Silver
Posts: 570
Joined: Thu May 06, 2004 11:48 am

Post by Silver »

Just thought I'd bump this and see if anyone is working on it? I know Mr Squeers is, and it's had a bunch of downloads at crackmes.de but as yet no discussion or solution.
Still here...