
jE!'s jE!_CRC_DRx
Download jE!_CRC_DRx.zip, 4 kb (password: crackmes.de)
You must build a KEY file which forces the crackme to show a message box:
Difficulty: 7 - Very hard | Rating votes: 5 | Author: jE!
Solutions
Solution by andrewl.us, published 02. Dec 2008; download (28 kb), password: crackmes.de.
andrewl.us has not rated this crackme yet.
Discussion and comments
andrewl.us (Moderator), 13. Nov 2008:
Any hints on this one? I can't get this to pass:

    004030C5 add ecx, esi           <--- always 0x171B6, ZF=1
    004030C7 mov esp, fs:[edx]
    004030CA pop dword ptr fs:[edx]
    004030CD jz short loc_4030DB    <--- never taken (calls ExitProcess)

Are the DRx registers used only for computation, or are we actually supposed to get a value in there so that an exception happens upon memory read? (You set DR7 to 0x155 at 4013171; is it to mislead?) Is ANY of this crap ever supposed to be executed?

    00403000 jmp short near ptr 402FEDh
    00403002 Exit1:
    00403002 add esp, 0Ch
    00403005 jmp eax
    00403007 jmp near ptr 0EA2A19F5h
    0040300C Exit2:
    0040300C mov [esp+14h], eax
    00403010 add esp, 0Ch
    00403013 retn

I'm thinking the first write of DRx to memory can be used to control the main thread's exception record. But this would leave 4 dwords from the KEY file unprocessed... is this the right thinking?
JoKa, 13. Nov 2008:
andrewl.us: I suppose ecx+esi depends on the KEY file. Try, for example, decreasing the byte at offset 00000013h by 1. I think ecx+esi would change.
andrewl.us (Moderator), 13. Nov 2008:
Exception handler @00403281:

    ECX = sum of bytes (exit code from thread == 0x171B6)
    ECX = ECX - context.ESI
    context.ECX = ECX

On the main thread side @4030C5:

    ECX = ECX + ESI   (result 0x171B6)

In other words, it does 0x171B6 - ESI + ESI, which is always 0x171B6 and doesn't depend on any bytes from the KEY.
JoKa, 14. Nov 2008:
Sorry, I was wrong. The sum depends on the breakpoints set; it does not depend on the KEY file. When no breakpoints are set, the sum is equal to 0x17187 (I checked the value twice in different ways). I suppose it is possible to substitute the return address in the exception handler using the first pass:

    0040323A lea edi, dword [ebx+4]
    0040323D mov ecx, 3
    00403242 rep movs dword [edi], dword [esi]

second pass:

    00403261 lea esi, dword [ebx+4]
    00403264 mov ecx, 3
    00403269 rep movs dword [edi], dword [esi]
JoKa, 14. Nov 2008:
andrewl.us: Copy the bytes from the original file starting at offset 1000h up to EOF into a text file. There is a story and the source code of the crackme.
JoKa, 14. Nov 2008:
Exit2 is used after LoadLibrary to pass the argument for GetProcAddress. Exit1 is used after GetProcAddress to call MessageBox. I can now get to 4030DB, but I don't know how I can push 'user32' and 'MessageBoxA' onto the stack.
andrewl.us (Moderator), 14. Nov 2008:
Yes, I think that is inserted by the RosASM IDE, but jE!'s English alone can be considered a level 9 crypto crackme. Naming the dwords read from the file into stack memory dword0...dword9, the two writes we get are:

    &dword5 + dword4 = mix(sum, dword0..dword3)
    &dword9 + dword8 = mix(sum, dword5..dword7)

Notice the SEH handler link is at &dword0 - 8. U need fUntaziE+LogiQ, have U!? fun is fun, but what for U!? :) :)
andrewl.us (Moderator), 15. Nov 2008:
To get MessageBoxA without the "MessageBoxA" string (import by ordinal):

    HANDLE h = LoadLibrary("user32");
    PVOID p = GetProcAddress((HMODULE)h, (LPCSTR)477);
andrewl.us (Moderator), 15. Nov 2008:
Can you get to 4030DB while still allowing the second pass to execute? If I overwrite the exception record on the stack on the second pass, there is no remaining exception to invoke my new handler.
JoKa, 17. Nov 2008:
andrewl.us: I overwrite 3 dwords in the Context structure (regEip=004030CA, regCs=0000001B, regFlag=00000246) on the second pass to get to 4030CA. I didn't find that the first write uses a calculation based on (dword0..dword3). It can be used to push 'user32'.
jE! (Author), 24. Nov 2008:
Guys! Don't make things harder! You must NOT affect program execution in ANY way. Only the KEY file can do this! Read inside the SRC; first meditate about how to call MsgBox. Imagine you jumped to @4030DB, OK!?!? So how then do you call MsgBox from there?
JoKa, 25. Nov 2008:
The first 9 dwords of the KEY file are used to write 2 x (3 dwords). We can use it to write 'user32' and 'MessageBoxA' to the necessary places on the stack. The last dword of the KEY file is used to set up the call to MessageBoxA (it must be 340c2800 in file order, or 00280c34 in reverse order). That much is clear. Can we jump to 4030DB (or 4030CA) using the KEY file? Yes, we can use the second of the two writes to overwrite regEip in the context structure. But in this case we can't write both 'user32' and 'MessageBoxA' to the stack. Is there another way to jump to 4030DB without patching the exe file and using one of the two writes? I still think that we can't do this.
jE! (Author), 25. Nov 2008:
How can you overwrite regEip? Interesting, but I did not code such a thing. Show your variant of the keyfile. Go here for a better upload: http://www.woodmann.com/forum/showthread.php?t=12038
JoKa, 25. Nov 2008:

    64 16 6d 00 01 00 00 00 1c 55 6e 72 01 00 00 00
    28 00 00 00 f3 b9 78 00 a1 14 35 00 93 b4 59 00
    c0 fd ff ff 34 0c 28 00

To run inside OllyDbg: remove all breakpoints, then set a breakpoint on GetCurrentThread, then run. After the breakpoint hits, set a breakpoint at 4030CA; after that breakpoint hits you can step over to see how the program works.
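To make the layout in the two posts above concrete, here is an added helper (not the crackme's code and not posted by anyone in the thread) that unpacks a 40-byte key file into dword0..dword9 the way the crackme reads them into stack memory, and computes where the two stack writes land relative to dword0 using the addressing andrewl.us described (&dword5 + dword4 and &dword9 + dword8). The sample bytes are JoKa's posted key file; treating dword4/dword8 as signed displacements, and the exact contents of the `mix()` values, are assumptions, since the thread does not spell them out.

```python
import struct

# JoKa's key file as posted in the thread (40 bytes = 10 little-endian dwords).
JOKA_KEY = bytes.fromhex(
    "64166d00 01000000 1c556e72 01000000 28000000"
    "f3b97800 a1143500 93b45900 c0fdffff 340c2800"
)

# Value JoKa says the last dword must hold (file order 34 0c 28 00).
EXPECTED_LAST_DWORD = 0x00280C34

# Per andrewl.us: the SEH handler link sits 8 bytes before dword0.
SEH_LINK_OFFSET = -8


def parse_key(data: bytes) -> list:
    """Split a key file into dword0..dword9 (little-endian)."""
    if len(data) != 40:
        raise ValueError(f"key file must be 40 bytes, got {len(data)}")
    return list(struct.unpack("<10I", data))


def build_key(dwords) -> bytes:
    """Inverse of parse_key: pack ten dwords back into file order."""
    if len(dwords) != 10:
        raise ValueError("need exactly 10 dwords")
    return struct.pack("<10I", *dwords)


def signed32(v: int) -> int:
    """Interpret a 32-bit value as a two's-complement displacement."""
    return v - (1 << 32) if v & 0x80000000 else v


def write_targets(dwords) -> tuple:
    """Byte offsets, relative to &dword0, of the two writes the thread
    describes: &dword5 + dword4 and &dword9 + dword8.
    Assumption: dword4 and dword8 are signed displacements."""
    first = 5 * 4 + signed32(dwords[4])
    second = 9 * 4 + signed32(dwords[8])
    return first, second


def last_dword_ok(dwords) -> bool:
    """JoKa's stated constraint on the final dword."""
    return dwords[9] == EXPECTED_LAST_DWORD


def describe(data: bytes) -> dict:
    """Summarise a key file: field values, write targets, constraint check."""
    d = parse_key(data)
    first, second = write_targets(d)
    return {
        "dwords": [f"{x:08x}" for x in d],
        # Inputs to the two writes, by andrewl.us's naming.
        "write1_inputs": d[0:4],
        "write1_target_offset": first,
        "write2_inputs": d[5:8],
        "write2_target_offset": second,
        "seh_link_offset": SEH_LINK_OFFSET,
        "last_dword_ok": last_dword_ok(d),
    }


if __name__ == "__main__":
    for k, v in describe(JOKA_KEY).items():
        print(f"{k}: {v}")
```

With JoKa's bytes the first write lands 60 bytes past dword0 and the second 540 bytes before it (dword8 is 0xFFFFFDC0, i.e. -576), which is consistent with his statement that the second write reaches back into the exception context rather than forward into the key buffer.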
jE! (Author), 25. Nov 2008:
OK, there is no MsgBox API..
andrewl.us (Moderator), 25. Nov 2008:
Do you mean that there is no string "MessageBoxA" on the stack? Out of:

    1) pass "jz 4030DB"
    2) put "user32"
    3) put "MessageBoxA"

JoKa's key file demonstrates that we can only choose two out of the three.

andrewl.us (Moderator), 25. Nov 2008:
(and he chose 1 and 2)
jE! (Author), 26. Nov 2008:
BUT I SAID (LAST REPEAT):
> imagine you jumped @4030DB OK!?!?
> & meditate about how to call MSGbox.
Fully discover it; then meditate on the JZ. That is the magic of the crackme: 1)+2)+3)
JoKa, 03. Dec 2008:
andrewl.us: Good solution. Thanks for the reference, but I don't think that I can add anything new.

main, 31. Mar 2010:
Holy shit... This is some serious stuff. Really nice solution, guys!