elhacker.net Forum

Programming => Reverse Engineering => Topic started by: fary on 17 January 2019, 21:35 pm



Title: [Crackme] Virt by neon
Posted by: fary on 17 January 2019, 21:35 pm
This crackme is a nasty one... I still haven't solved it, to be honest... it works with exceptions, I THINK.

Let's see if any of you can get your hands on it and enlighten us poor souls.

http://ge.tt/9hMpkyt2

I downloaded it from crackmes.one; on the site they rate it level 4 'hard'.

cheers!!


Title: Re: [Crackme] Virt by neon
Posted by: apuromafo CLS on 18 January 2019, 00:27 am
Here is something to help
Quote
Valid serial: howyoudidit?


The tutorial is by alex_ls
Quote
      ******************************************
      * Target: Virt by NeoN                   *
      * Release date: 26. Aug, 2007            *
      * Solution by: alex_ls                   *
      * Coded in: C++                          *
      * Difficulty: 6                          *
      * Protection: Obfuscated code            *
      * Tools: Just softice and a little brain *
      ******************************************

-         VALID SERIAL IS "howyoudidit?"



-             Part I (How I did it?)

I tried to disassemble this crackme, but the code is very obfuscated
and I had no time to work on it,
so let's set a breakpoint at GetDlgItemTextA, input a random serial and click the "Check" button.
Let's trace it from 004016b9:

.text:004016B9                 push    offset String     ; our random string
.text:004016BE                 push    100h
.text:004016C3                 push    offset word_403000;offset to VM tab
.text:004016C8                 call    CheckSerial    ;main function
.text:004016CD                 or      eax, eax          ; check for exit type
.text:004016CF                 jnz     short loc_4016E1
.text:004016D1                 push    10h             ; uType
.text:004016D3                 push    0               ; lpCaption
.text:004016D5                 push    offset aSorryWrongKeyT ; lpText
.text:004016DA                 push    0               ; hWnd
.text:004016DC                 call    MessageBoxA

The main function that realises the Virtual Machine algorithm is call CheckSerial (.text:004016C8).
Tracing this function, it becomes clear that the VM algo is based on the table at address 403000.
So I'll describe some nodes of the table:

.403190 28F3FFFFFF   - opcode: Our Key length + F3FFFFFF
.40319F 29A9010000   - opcode: If Our Key Length != 0 Jump to .4031a4
.4031a4 2600000000   - opcode: Exit

Analyzing this stuff I got the valid length of the serial:
SERIALLENGTH-0XD=0, so the length of the serial must be 0Ch, because
the algo includes the end of the string (0h).

After reversing some instructions, I've got the main table nodes (28h, 2ch, 29h, 26h) with
the opcodes:
- 28h - adding stuff
- 2ch - subtraction stuff
- 29h - checking for 0
- 26h - exit

I set breakpoints at the opcodes that process these nodes:

opcode .401388 (node - 29h)
opcode .401457 (node - 28h)

And I got the final string in 20 minutes!

   word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
   word2=0x46bb1982-0x34283203-0xa92e7210;
   word3=0x453ab788-0xd3a329e2-0x32232442;

where word1="howy", word2="oudi", word3="dit?"

OUR SERIAL:
      howyoudidit?

And the last message string:

   word1+=0xc0fbf1e8;
   word2+=0x0904e0b1;
   word3+=0x2ced0c10;

OUR MESSAGE:
      Pas: Virtual


-             Part II (CONCLUSION)

OK, we have a valid serial - howyoudidit?
So try it to check if it works!

-
I liked the VM algorithm, but the opcode table is very short.
In particular, I solved it in 2 hours!!!
-

My greetings to all!
(Especially to Neon and to all the hackers from the CIS countries!)

Quote
Crt2Base
//----------------------------------------------
// Crt2Base - extract text from Dino2's junk!!!
//----------------------------------------------
#include <stdio.h>
#include <stdint.h>   /* uint32_t instead of the Windows-only DWORD, so it builds anywhere */
#include <string.h>   /* memcpy */

//----------------------
//Name: Main()
//----------------------
int main(int argc,char *argv[])
{
   char p_name[0xC + 1];   /* 12 serial characters plus the terminating NUL */

   uint32_t word1,word2,word3;

   /* the VM's add/sub constants inverted; all arithmetic wraps modulo 2^32 */
   word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
   word2=0x46bb1982-0x34283203-0xa92e7210;
   word3=0x453ab788-0xd3a329e2-0x32232442;

   /* each dword holds 4 serial characters in little-endian byte order */
   memcpy(p_name+0,&word1,4);
   memcpy(p_name+4,&word2,4);
   memcpy(p_name+8,&word3,4);

   p_name[0xc]=0;
   printf("Serial Key is:   %s\n", p_name);

   /* the same dwords, shifted by the VM's final constants, spell the success message */
   word1+=0xc0fbf1e8;
   word2+=0x0904e0b1;
   word3+=0x2ced0c10;

   memcpy(p_name+0,&word1,4);
   memcpy(p_name+4,&word2,4);
   memcpy(p_name+8,&word3,4);

   p_name[0xc]=0;
   printf("Final String is: %s\n",p_name);

   printf("\npress any key for exit!\n");
   getchar();

   return 0;
}
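As an added example (not code from the thread, from alex_ls, or from the crackme itself), the following Python models the VM checks the tutorial describes: 5-byte nodes of opcode plus 32-bit little-endian immediate, the 28h/2Ch/29h/26h node types, the length check with F3FFFFFF, and the three dword checks rebuilt from the word1..word3 constants. The table contents, the register layout and the "fall through a passed check to the next register" convention are assumptions of this model; the real table at 403000 is not reproduced on the page.

```python
import struct

# Constructed model of the VM described above: 5-byte nodes (opcode + 32-bit LE immediate)
# with the four node types the writeup names. Not the crackme's real table at 403000.
ADD, SUB, JNZ, EXIT = 0x28, 0x2C, 0x29, 0x26
M32 = 0xFFFFFFFF
# (immediates added, immediates subtracted) per input dword, taken from word1..word3
WORD_CHECKS = [
    ([0x23432342, 0x98304283, 0x82740921], [0xB75EDE4E]),
    ([0x34283203, 0xA92E7210], [0x46BB1982]),
    ([0xD3A329E2, 0x32232442], [0x453AB788]),
]

def node(op, imm):
    return bytes([op]) + struct.pack("<I", imm & M32)

def build_table():
    """Length check first (the VM counts the NUL, so 0xD), then the three dword checks."""
    checks = [([0xFFFFFFF3], [])] + WORD_CHECKS
    fail_off = 5 * (sum(len(a) + len(s) + 1 for a, s in checks) + 1)  # offset of 'exit 0'
    table = b""
    for adds, subs in checks:
        table += b"".join(node(ADD, a) for a in adds) + b"".join(node(SUB, s) for s in subs)
        table += node(JNZ, fail_off)  # any nonzero residue branches to the failure exit
    return table + node(EXIT, 1) + node(EXIT, 0)

def run_vm(table, serial):
    """Regs [len+1, dw1, dw2, dw3]; returns the EXIT immediate (nonzero = key accepted)."""
    s = serial.encode("latin-1")
    regs = [len(s) + 1, *struct.unpack("<III", s[:12].ljust(12, b"\0"))]
    pc, cur = 0, 0
    while True:
        op, imm = table[pc], struct.unpack("<I", table[pc + 1:pc + 5])[0]
        pc += 5
        if op == ADD:
            regs[cur] = (regs[cur] + imm) & M32
        elif op == SUB:
            regs[cur] = (regs[cur] - imm) & M32
        elif op == JNZ:
            if regs[cur]:           # failed check: branch to the 'exit 0' node
                pc = imm
            else:                   # passed (zero): next register (model convention)
                cur += 1
        elif op == EXIT:
            return imm              # the caller's 'or eax,eax / jnz' tests this value

def solve_serial():
    """Invert each check: w + adds - subs == 0  =>  w = subs - adds (mod 2^32)."""
    words = [(sum(subs) - sum(adds)) & M32 for adds, subs in WORD_CHECKS]
    return b"".join(struct.pack("<I", w) for w in words).decode("latin-1")
```

Running `run_vm(build_table(), solve_serial())` returns 1, while a serial of the wrong length or with one changed character takes the branch to the zero exit, mirroring the "Sorry wrong key" path in the disassembly.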