EvOlUtIoN's CrackMe #3
Download crackme_#3_By_EvOlUtIoN.zip, 4 kb (password: crackmes.de)
Difficulty: 2 - Needs a little brain (or luck) | Rating: Waiting for at least 3 votes
Solutions
Solution by sd333221, published 28. oct, 2007; download (92 kb), password: crackmes.de or browse.
sd333221 has not rated this crackme yet.
Discussion and comments
sd333221 23. Oct 2007 | I already dumped the first layer and the fake-layer (Msg-box Application)... Maybe I'll soon have time to take a deeper look |
---|---|
sd333221 23. Oct 2007 | I see.... Hidden calls to WriteProcessMemory.... Very tricky... I replaced the missing parts (FF FF FF FF in program) but my dump doesn't want to run :-( |
sd333221 23. Oct 2007 | Got the working dump now :-) Was a missing instruction to patch! I am writing a solution. Nice unpackme |
EvOlUtIoN Author 23. Oct 2007 | Great! I'm waiting for your solution... |
sd333221 23. Oct 2007 | I didn't mention it in my solution I just submitted. But there is a very advanced Anti-Debug technique you used in this one: You use a dummy-Process to debug the main Process to avoid attaching of a debugger. That is indeed very clever! :-) |
EvOlUtIoN Author 23. Oct 2007 | Nah, it is not very advanced! There are tons of crackmes that debug a child process! Did you notice in your solution how to make it work on all OSes? |
sd333221 23. Oct 2007 | Yes, it's quite short but I noticed the patch-table you used. |
El_PuPaZzArO 28. Oct 2007 | The solution of sd333221 is NOT working.. (XP sp2) |
sd333221 28. Oct 2007 | I use xp-sp2 and it works for me :-/ Try to follow tutorial. |
Ox87k 28. Oct 2007 | It doesn't work for me too, XP Sp2! Try my dumped here: http://www.mediafire.com/?bdnnimwoq1w |
TiGa 28. Oct 2007 | I tested them in a VM under XP-SP2 and they run without problems. They don't work in my real OS. |
EvOlUtIoN Author 29. Oct 2007 | Yes, it is not working... It is because I inserted a simple antidump based on direct API calls... the values of the API addresses are sent by the debugger, so sd333221 didn't do the correct patches... This is the reason I said it should work on all PCs... and the published solution will work only on PCs with the same API addresses as the OS which dumped it. Solution not really complete. |
sd333221 29. Oct 2007 | Ok I am sorry, maybe someone will do it in his solution. |
saytos 31. Jan 2008 | I changed the message without unwrapping the file ;-) And solution works on xp sp2 ;) |
hardcoder 01. Feb 2008 | This is amazing, I don't know why the author rated it only 2; if I were the author I would definitely have rated it above 2. As far as my understanding goes, Process A creates process B, process B creates C and starts debugging it. All the logic is built inside B: antidump, obfuscations, (IAT entry -2) :)) Evolution, you know what I am talking about. Evolution, this is a very wonderful gift for a reverser like me. Hope to solve it by tonight. |
hardcoder 01. Feb 2008 | Typo * for reversers like us . |
Ox87k 01. Feb 2008 | hardcoder, to be honest I find 2 the right level. I solved it some time ago but I remember it took me less than 10 minutes! |
EvOlUtIoN Author 04. Apr 2008 | 0x87k, I don't totally agree... It may be placed as level 3, I just took level 2 but it can be raised up. I think 10 minutes is not possible, maybe you are talking about previous ones; I think most skilled persons can do it in about 25 minutes. |