[Crackme] Virt by neon

Iniciado por fary, 17 Enero 2019, 21:35 PM

0 Miembros y 1 Visitante están viendo este tema.

fary

Este crackme es jodido... yo todavía no lo he resuelto la verdad... trabaja con excepciones CREO.

A ver si alguno de vosotros es capaz de meterle mano y nos  ilumina a los pobres.

http://ge.tt/9hMpkyt2

Lo descargue de crackmes.one en la página lo catalogan como nivel 4 'hard'

saludos!!
Un byte a la izquierda.

apuromafo CLS

Aquí algo para ayudar
CitarSerial válido: howyoudidit?


tutorial es de  alex_ls
Citar******************************************
      * Target: Virt by NeoN                   *
      * Release date: 26. Aug, 2007            *
      * Solution by: alex_ls                   *
      * Coded in: C++                          *
      * Difficulty: 6                          *
      * Protection: Obfuscated code       *
      * Tools: Just softice and a little brain *     
      ******************************************

-         VALID SERIAL IS "howyoudidit?"



-             I part (How I did it?)

I tried to dissasemble this crackme but the code is very obfuscated
and I had no time to work on it,
So let's set breakpoint at GetDlgItemTextA, input random serial and click "Check" button.
Let's trace it from 004016b9

.text:004016B9                 push    offset String     ; our random string
.text:004016BE                 push    100h
.text:004016C3                 push    offset word_403000;offset to VM tab
.text:004016C8                 call    CheckSerial    ;main function
.text:004016CD                 or      eax, eax          ; check for exit type
.text:004016CF                 jnz     short loc_4016E1
.text:004016D1                 push    10h             ; uType
.text:004016D3                 push    0               ; lpCaption
.text:004016D5                 push    offset aSorryWrongKeyT ; lpText
.text:004016DA                 push    0               ; hWnd
.text:004016DC                 call    MessageBoxA

The main function that realises Virtual Machine algorythm is - call CheckSerial(.text:004016C8)
Tracing this function it becomes clear that VM-algo is based on the table by the address(403000)
So I'll describe some nodes of the table:

.403190 28F3FFFFFF   - opcode:Our Key length + F3FFFFFF
.40319F 29A9010000      - opcode:If Our Key Length !=0 Jump to .4031a4
.4031a4 2600000000   - opcode:Exit

Analyzing this stuff I got the valid length of the serial:
SERIALLENGTH-0XD=0 so the length of the serial must be 0Ch, because
algo uses the end of the string - 0h.

After reversing some instructions, I've got the main table nodes (28h,2ch,29h,26h) with
the opcodes:
- 28h - adding stuff
- 2ch - substruction stuff
- 29h - checking for 0
- 26h - exit

I set the breakpoints at opcodes that processing this nodes:

opcode .401388 (node - 29h)
opcode .401457 (node - 28h)

And I've got the final string for 20 minutes!

   word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
   word2=0x46bb1982-0x34283203-0xa92e7210;
   word3=0x453ab788-0xd3a329e2-0x32232442;

where word1="howy",word2="oudi",word3="dit?"

OUR SERIAL:
      howyoudidit?

And the last message string:

         word1+=0xc0fbf1e8;
   word2+=0x0904e0b1;
   word3+=0x2ced0c10;

OUR MESSAGE:
      Pas: Virtual
   

-             II part (CONCLUSION )

OK, we have a valid serial -  howyoudidit?
So try it to check if it works!

-
I liked the VM algorythm, but the opcode table is very short.
In particular I've resolved it for 2 hours!!!
-

My greetings to all!
(В особенности Neon-у и всем хакерам из стран СНГ!)

CitarCrt2Base
//----------------------------------------------
// Crt2Base - extract text from Dino2's hlam!!!
//----------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

//----------------------
//Name: Main()
//----------------------
int main(int argc,char *argv[])
{
   char p_name[0xC];
   
   DWORD word1,word2,word3;
   
   word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
   word2=0x46bb1982-0x34283203-0xa92e7210;
   word3=0x453ab788-0xd3a329e2-0x32232442;

   strncpy(p_name+0,(char*)&word1,4);
   strncpy(p_name+4,(char*)&word2,4);
   strncpy(p_name+8,(char*)&word3,4);
   
   p_name[0xc]=0;
   printf("Serial Key is:   %s\n", p_name);
   
   word1+=0xc0fbf1e8;
   word2+=0x0904e0b1;
   word3+=0x2ced0c10;
   
   strncpy(p_name+0,(char*)&word1,4);
   strncpy(p_name+4,(char*)&word2,4);
   strncpy(p_name+8,(char*)&word3,4);
   
   p_name[0xc]=0;
   printf("Final String is: %s\n",p_name);
   
   printf("\npress any key for exit!\n");
   getchar();

   return 0;
}