DaXXoR 101's FreakDropper Series #1
| Download FreakDropper_v0.9a.zip, 2 kb (password: crackmes.de) Browse contents of FreakDropper_v0.9a.zip Packed with my own monster :: FreakDropper v0.9a
Difficulty: 7 - Very hard | Send a message to DaXXoR 101 » View profile of DaXXoR 101 » |
Solutions
Solution by _HellDashX_, published 22. aug, 2005; download (13 kb), password: crackmes.de or browse.
_HellDashX_ has rated this crackme as quite nice.
Solution by deroko, published 22. aug, 2005; download (7 kb), password: crackmes.de or browse.
deroko has rated this crackme as awesome.
Discussion and comments
| deroko 20. Aug 2005 | very very nice =) So objetive is only to dump it? |
|---|---|
| deroko 20. Aug 2005 | yah, got it, submitted solution + dumped file =) |
| Knight 20. Aug 2005 | Deroko, what unpacked exe should do? I unpacked it but it seems it does nothing useful. |
| deroko 20. Aug 2005 | it just prints message(dialog): This exe is protected with: FreakDropper Version 0.9a... |
| _HellDashX_ 20. Aug 2005 | I unpacked it but the crackme have a little problem, the user32 imports dont works, :( Because it, the crackme dont show any dialog as deroko said, i try it without debbuging and dont show anything too, :( Perhaps is a bug? I use Windows XP SP2 |
| deroko 20. Aug 2005 | I have winxp sp2, and it works fine =) have no idea what is causing problems =( |
| _HellDashX_ 20. Aug 2005 | Weird, sometimes works, sometimes dont work...well, i will submit my solution, :) |
| code_inside 20. Aug 2005 | At offset 00401002 it tries to call (I think) GetModuleHandleA, but the offset to this API is hardcoded in the .exe, and so are some other API's... :) |
| TQN 21. Aug 2005 | I patched two string: "software\uCF2000" and "software\UInC", and on my machine, XP SP1, it does not show anythings. Seem it open explorer.exe process, read 5 bytes at 0x4A80B6. Sorry if I wrong ! |
| Knight 22. Aug 2005 | I think there's a bug in protector. That program doesn't run on my machine. Somekind problems with imports. I see that deroko's dump have DialogBoxIndirectParamA, when for me it points to nowhere (not really, somewhere near CreateIconFromResource). And it's probably not dumping problem since even original file doesn't runs properly (at first i thought that it maybe detects some of my tools, but after cleaning registry nothing have changed). I'm using WinXP sp2 with newest updates. |
| deroko 22. Aug 2005 | well it has fixed imports from user32, actually hardcoded addresses so it might cause a problem =( I have sp2 too, but no latest updates =) |
| _HellDashX_ 22. Aug 2005 | Yes, in my first dump, it dont work, but i need fix the user32 imports by hand, :( Now, works perfect. I am using Windows XP SP2 with the las t updates too |
| Knight 22. Aug 2005 | Deroko, the problem is not in your dump, it works fine. Problem is in packer itself, since i can't run protected file (nor dump done by myself). When i run it, simply nothing happens (at very begining i thought that it might be because it detects some tools in my system, and now i know it's because mess with IT). I just want to say that DaXXor 101 should fix his packer/protector compatibility issues in future versions. BTW DaXXor will u share your packer with public? |
| deroko 22. Aug 2005 | yap I know, all user32 apis are hardcoded in packer =) When I said fixed I meant hardcoded =) Well english isn't my native language =) |
| DaXXoR 101 Author 22. Aug 2005 | Good Solutions :) Sorry about the hardcoded API bug. I have fixed it for the next version. As for sharing the protector with the public, it is not a normal protector. It is actually a set of tools that will crypt and split the sections of an exe and put them in an .asm file with decryption and protection code. So really it is a way of protecting an exe manually. I will probably write a tutorial on how to do that, but not share the programs themselves. In the next crackme I will include the source code for the previous packed exe. |
You may leave your comment, thoughts and discuss this crackme with other reversers here.
Acting childish will not be tolerated.
HTML and such will be left as-is, so don't try.