lena151's ReverseMe#8 by lena151

Download ReverseMe#8_by_lena151.zip, 64 kb (password: crackmes.de)
Browse contents of ReverseMe#8_by_lena151.zip

ReverseMe#8bylena151 is my 2007 challenge.
Can you beat this one?

Goal is to register the ReverseMe. This is visualised if it says at startup "REGISTERED to:" followed by the name you registered it for.

Mostly byte coded in assembler (masm).

Not packed.

You may either patch, fish or keygen. More info in About box. (Obviously, no aesthetic-patching-only!)

On a sidenote: it was also a challenge for me as I had never byte coded such a long part in one target. Don't be surprised when you see the disassembled file in a debugger!

Info: it's not the algo that makes the challenge! The algo is short and easy, the real challenge lies elsewhere! I take my hat off and bow deep for those bringing a valid solution! Please explain how you did it.

Success and have fun!

Regards,
lena151.

Difficulty: 6 - Hard, for very professionals only
Platform: Windows
Language: Assembler

Published: 17. May, 2007
Downloads: 630

Rating

No votes yet.

Solutions

Solution by lena151, published 24. jun, 2007; download (2091 kb), password: crackmes.de or browse.

lena151 has not rated this crackme yet.

Discussion and comments

fjlj
18. May 2007
Could you fill me in on the new lingo... what is aesthetic-patching?
Zaphod
18. May 2007
lena151: I assume you are the lena151 who made those 36 videos on cracking. Well, I take my hat off and bow deeply for that! What a marvellous deed! Thank you!
Your crackme is probably too hard for me, but I'll give it a try...
Zaphod
18. May 2007
Oh well, you are the right lena151 - I wrote the above before I downloaded the crackme :)
lena151
Author
18. May 2007
@Zaphod: yep, that's me. Thanks. Euhm, FYIO, it has become 39 videos meanwhile LOL

@fjlj: aesthetic patching means not to patch through the registration scheme but for example by plain stupidly opening the ReverseMe in a resource editor and changing the "UNREGISTERED" into "REGISTERED to: fjlj" which doesn't effectively register anything. Right?

Success!
lena151.
Zaphod
18. May 2007
I'll hurry and get the last 3 videos - I have learned a lot from the first 36!
neox.fx
18. May 2007
hey lena151,
Sent the patched one... btw, the real edit box was under another resource and I moved it a little down [hope you don't mind ;-)]
Btw, you'll see two "Registered to Neox" messages, and you know why ;-)
thE Cur!ouZ
18. May 2007
I'll give you a hint, folks... just bpx DialogBoxParamA and use IDA. Or you can debug with IDA and at the same time use the C button to make the code clear... ;-)
lena151
Author
18. May 2007
A remark though: any patching from the resources is not acceptable as a valid solution. You really should patch (though I prefer a Keygen) the registration scheme to make it accept (at that time invalid) data. I will warn you that there is lots of decoy code, so any patching of this is falsely "registering" too.

@neox.fx: sorry, but what you see as the real editbox is NOT the real edit box. The reverseme needs to display the registration status in the edit box that is visible.
Hint: ReverseMe#8bylena151.dat is bogus code! You really must go dig deeper!
profdracula
19. May 2007
You must bypass hw/sw, debugger detections otherwise you'll be lost in deep-woods :) A better way is to use IDA and understand how to make a valid keyfile!
lena151
Author
19. May 2007
Exactly!
I will fill you in on some details to make your reversing less difficult: the ReverseMe makes extensive use of
-code obfuscation
-code destruction
-decoy code and decoy strings
-machine specific algo
-selfmodifying/polymorphic code
-string decryption/re-encryption
-algo hiding
to make your life miserable. However, the deadly traps are that it has
-anti-tracing
-HW BP detection
-Software BP detection
-ring0/ring3 debugger detection
-anti-patching

and if any of the last 5 are detected ... the real algo is never run and you are sent into the woods to go play with Robin Hood.

My advice: find the traps first and eliminate them to be able to find the real algo!

Success!
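Two of the traps in that list, software BP detection and anti-patching, are mechanically the same check: an INT3 software breakpoint is the debugger writing a 0CCh byte over the first byte of an instruction, so a program that compares its own code bytes at run time against a known-good copy (or a checksum baked in at build time) notices a breakpoint and a hand patch alike. Hardware breakpoints do not touch code bytes, which is why the list names HW BP detection separately. The Python below is an added illustration of that self-check over a constructed byte buffer; it is not code from the ReverseMe, and its base address, code bytes and function names are made up for the example.

```python
"""Self-check of a code region: catches INT3 breakpoints and byte patches alike.

Constructed example, not the ReverseMe's own code. 'image' stands in for the
bytes a program would read back from its own .text section at run time.
"""
import zlib

INT3 = 0xCC  # opcode a debugger writes over an instruction for a software breakpoint

# Constructed known-good x86 code bytes with a made-up base address.
BASE = 0x00401000
GOOD = bytes.fromhex(
    "55"            # push ebp
    "89E5"          # mov ebp, esp
    "6A00"          # push 0
    "E800000000"    # call $+5
    "5D"            # pop ebp
    "C3"            # ret
)
GOOD_CRC = zlib.crc32(GOOD)  # a protector would bake this constant into the binary


def checksum_ok(image):
    """Cheap first-line check: one CRC over the whole region."""
    return zlib.crc32(image) == GOOD_CRC


def find_tampering(image):
    """Byte-by-byte diff against the known-good copy.

    Returns a list of (address, original, current, kind); kind is 'int3' when a
    0CCh was written over code (software breakpoint) and 'patch' otherwise.
    """
    if len(image) != len(GOOD):
        raise ValueError("image size differs from the known-good region")
    hits = []
    for off, (orig, cur) in enumerate(zip(GOOD, image)):
        if orig != cur:
            hits.append((BASE + off, orig, cur, "int3" if cur == INT3 else "patch"))
    return hits


def with_breakpoint(image, addr):
    """Simulate a debugger placing an INT3 at addr (what a bpx does under the hood)."""
    buf = bytearray(image)
    buf[addr - BASE] = INT3
    return bytes(buf)


def with_patch(image, addr, new_bytes):
    """Simulate a hand patch of a few bytes at addr."""
    buf = bytearray(image)
    buf[addr - BASE:addr - BASE + len(new_bytes)] = new_bytes
    return bytes(buf)


if __name__ == "__main__":
    bp = with_breakpoint(GOOD, BASE + 5)                # breakpoint on the 'call'
    patched = with_patch(GOOD, BASE + 3, b"\x6a\x01")   # push 0 -> push 1
    for name, img in ("clean", GOOD), ("breakpoint", bp), ("patched", patched):
        print(f"{name:10} crc ok: {checksum_ok(img)!s:5} {find_tampering(img)}")
```

The CRC is what a protector can afford to recompute often; the byte diff is the slower path that tells you where the change is. Either way the check only protects code it actually covers, which is why lena151's advice to find the traps before the algo matters: the check and the region it covers are two separate things to locate.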
thE Cur!ouZ
19. May 2007
Well...
I used IDA 5 to analyse this sweet ReverseMe (thanks lena)..

1. BP DialogBoxParamA
When you are inside this API, trace with F8; the nice box with music appears. Push the Exit button and you return inside the API. Continue tracing with the F8 button and you return inside the code of the ReverseMe at:

.text:00402630
u see this piece of code:

.text:004024E8 dd 6051BDB8h, 0FA39791Ch, 0B82E71D1h, 3B82D1BDh, 3C4C3939h, 0BDB83A4Dh
.text:004024E8 dd 35493AD1h, 5FD13FD2h, 0D1BDB8D1h, 0D229493Ah, 0D15FD13Ch, 0A3D1BDB8h
.text:004024E8 dd 4D39393Bh, 0B83B4C3Dh, 80CB0BDh, 0D2397989h, 0BDB8D13Ah, 393CB65Dh
.text:004024E8 dd 0D2393939h, 4CBDB83Bh, 0D13B4D30h, 0D13A4D7Eh, 8851BDB8h, 0FA39791Ch
.text:004024E8 dd 0B82E71D1h, 0FDBA69BDh, 0D13CD23Dh, 0BDB8D15Fh, 791A9981h, 0D23D4C39h
.text:004024E8 dd 0B3BDB83Bh, 79A9BE24h, 203AD239h, 42E88481h, 75000002h, 81027404h, 92183084h
.text:004024E8 dd 0C305EB42h, 848102EBh, 17BEE8h, 74047500h, 92848102h, 220E8h, 3603EB00h
.text:004024E8 dd 0D03D8481h, 7C004025h, 8102EBCDh, 68006A84h, 403E71h, 848102EBh, 0E968006Ah
.text:004024E8 dd 0EB000003h, 0FF848102h, 40ABD035h, 0E804EB00h, 0E8E88481h, 4CEAh
.text:00402630 ; ---------------------------------------------------------------------------
.text:00402630 jmp short loc_402635
.text:00402630 ; ---------------------------------------------------------------------------
.text:00402632 db 0E8h ; F
.text:00402633 db 81h ; ü
.text:00402634 db 84h ; ä
.text:00402635 ; ---------------------------------------------------------------------------

Put your cursor at the offset of this piece:

.text:004024E8 dd 6051BDB8h, 0FA39791Ch, 0B82E71D1h, 3B82D1BDh, 3C4C3939h, 0BDB83A4Dh
.text:004024E8 dd 35493AD1h, 5FD13FD2h, 0D1BDB8D1h, 0D229493Ah, 0D15FD13Ch, 0A3D1BDB8h
.text:004024E8 dd 4D39393Bh, 0B83B4C3Dh, 80CB0BDh, 0D2397989h, 0BDB8D13Ah, 393CB65Dh
.text:004024E8 dd 0D2393939h, 4CBDB83Bh, 0D13B4D30h, 0D13A4D7Eh, 8851BDB8h, 0FA39791Ch
.text:004024E8 dd 0B82E71D1h, 0FDBA69BDh, 0D13CD23Dh, 0BDB8D15Fh, 791A9981h, 0D23D4C39h
.text:004024E8 dd 0B3BDB83Bh, 79A9BE24h, 203AD239h, 42E88481h, 75000002h, 81027404h, 92183084h
.text:004024E8 dd 0C305EB42h, 848102EBh, 17BEE8h, 74047500h, 92848102h, 220E8h, 3603EB00h
.text:004024E8 dd 0D03D8481h, 7C004025h, 8102EBCDh, 68006A84h, 403E71h, 848102EBh, 0E968006Ah
.text:004024E8 dd 0EB000003h, 0FF848102h, 40ABD035h, 0E804EB00h, 0E8E88481h, 4CEAh
.text:00402630 ; ---------------------------------------------------------------------------
and push the U button to make it undefined, to make it easier to analyse.
After that you get this listing (I give only a small part of the code):

.text:00402616 db 68h ; h
.text:00402617 db 0E9h ; T
.text:00402618 db 3
.text:00402619 db 0
.text:0040261A db 0
.text:0040261B db 0EBh ; d
.text:0040261C db 2
.text:0040261D db 81h ; ü
.text:0040261E db 84h ; ä
.text:0040261F db 0FFh
.text:00402620 db 35h ; 5
.text:00402621 db 0D0h ; -
.text:00402622 db 0ABh ; ½
.text:00402623 db 40h ; @
.text:00402624 db 0
.text:00402625 db 0EBh ; d
.text:00402626 db 4
.text:00402627 db 0E8h ; F
.text:00402628 db 81h ; ü
.text:00402629 db 84h ; ä
.text:0040262A db 0E8h ; F
.text:0040262B db 0E8h ; F
.text:0040262C db 0EAh ; O
.text:0040262D db 4Ch ; L
.text:0040262E db 0
.text:0040262F db 0

Put the cursor at 0040262B and push the C button to make the code clear... afterwards you see this nice CODE:
.text:00402628 db 81h ; ü
.text:00402629 db 84h ; ä
.text:0040262A db 0E8h ; F
.text:0040262B ; ---------------------------------------------------------------------------
.text:0040262B call DialogBoxParamA
.text:00402630 jmp short loc_402635
.text:00402630 ; ---------------------------------------------------------------------------
.text:00402632 db 0E8h ; F
.text:00402633 db 81h ; ü
.text:00402634 db 84h ; ä

This is a small hint for making the code easy to analyse and for finding the OEP for dumping the true code.

Another hint: between every 81h 84h or ??h 81h 84h ??h there is code to make clear with the C button.

Good luck to everyone... and thanks a lot to lena.
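What the U/C dance above does by hand is the difference between disassembling bytes in order and disassembling along control flow: each `jmp short` is followed by a few junk bytes (81h 84h is the start of a `add r/m32, imm32` with a SIB byte and two 32-bit operands, eleven bytes in all) that swallow the real instructions behind them if you decode straight through, but that are never executed because the jump hops over them. The following Python is an added example, not code from the page or from IDA: the bytes are transcribed from the `db` listing at .text:00402616..0040262F above; the tiny decoder, which knows only the opcodes that occur in that range, and the function names are this example's own.

```python
"""Linear sweep vs. following control flow over the junk-byte layout in the listing.

Added example. CODE is transcribed from the db listing at .text:00402616 onwards;
the decoder below handles only the opcodes that occur there.
"""

BASE = 0x00402616

CODE = bytes.fromhex(
    "68 E9 03 00 00"      # push 3E9h
    "EB 02"               # jmp short over the next two bytes
    "81 84"               # junk: looks like the start of 'add r/m32, imm32'
    "FF 35 D0 AB 40 00"   # push dword ptr [40ABD0h]
    "EB 04"               # jmp short over the next four bytes
    "E8 81 84 E8"         # junk
    "E8 EA 4C 00 00"      # call 40731Ah (labelled DialogBoxParamA in the listing)
)


def modrm_size(data, i):
    """Size of a ModRM operand (ModRM + optional SIB + displacement) at data[i];
    None if the buffer ends before the operand is complete."""
    if i >= len(data):
        return None
    mod, rm = data[i] >> 6, data[i] & 7
    size = 1
    if mod != 3 and rm == 4:                    # SIB byte follows
        if i + 1 >= len(data):
            return None
        size += 1
        if mod == 0 and (data[i + 1] & 7) == 5:
            size += 4                           # no base register: disp32
    if mod == 1:
        size += 1                               # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        size += 4                               # disp32
    return size


def decode(data, off):
    """Decode one instruction at data[off] -> (length, text, jump_target_offset or None),
    or None when the bytes are not decodable (unknown opcode / truncated operand)."""
    op, rest = data[off], len(data) - off
    if op == 0x68 and rest >= 5:                                    # push imm32
        return 5, f"push {int.from_bytes(data[off+1:off+5], 'little'):#x}", None
    if op == 0xEB and rest >= 2:                                    # jmp short rel8
        target = off + 2 + int.from_bytes(data[off+1:off+2], 'little', signed=True)
        return 2, f"jmp short {BASE + target:#x}", target
    if op == 0xE8 and rest >= 5:                                    # call rel32
        target = off + 5 + int.from_bytes(data[off+1:off+5], 'little', signed=True)
        return 5, f"call {BASE + target:#x}", None
    if op == 0xFF and rest >= 2 and ((data[off+1] >> 3) & 7) == 6:  # push r/m32
        n = modrm_size(data, off + 1)
        if n is None or rest < 1 + n:
            return None
        if data[off+1] == 0x35:                                     # [disp32]
            text = f"push dword ptr [{int.from_bytes(data[off+2:off+6], 'little'):#x}]"
        else:
            text = f"push dword ptr [modrm {data[off+1:off+1+n].hex()}]"
        return 1 + n, text, None
    if op == 0x81:                                                  # group-1 ALU r/m32, imm32
        n = modrm_size(data, off + 1)
        if n is None or rest < 1 + n + 4:
            return None
        return 1 + n + 4, f"add/or/... r/m32, imm32 ({1 + n + 4} bytes swallowed)", None
    return None


def linear_sweep(data):
    """Decode byte after byte, as if every byte boundary were an instruction start."""
    out, off = [], 0
    while off < len(data):
        d = decode(data, off)
        if d is None:
            out.append((BASE + off, "<undecodable: ran off the buffer>"))
            break
        out.append((BASE + off, d[1]))
        off += d[0]
    return out


def walk(data, start=0):
    """Follow control flow: an unconditional jmp's only successor is its target.
    Returns (instructions, set of reached offsets)."""
    out, reached, off = [], set(), start
    while 0 <= off < len(data) and off not in reached:
        d = decode(data, off)
        if d is None:
            out.append((BASE + off, "<undecodable>"))
            break
        n, text, target = d
        out.append((BASE + off, text))
        reached.update(range(off, off + n))
        off = target if target is not None else off + n
    return out, reached


def recursive_traversal(data):
    return walk(data)[0]


def junk_bytes(data):
    """Addresses never reached by control flow: exactly the bytes to leave undefined."""
    reached = walk(data)[1]
    return [BASE + o for o in range(len(data)) if o not in reached]


if __name__ == "__main__":
    for title, listing in ("linear sweep", linear_sweep(CODE)), ("control flow", recursive_traversal(CODE)):
        print(title + ":")
        for addr, text in listing:
            print(f"  {addr:08X}  {text}")
    print("junk bytes:", [f"{a:X}" for a in junk_bytes(CODE)])
```

The control-flow walk reproduces the listing's clean code (`push 3E9h`, `push dword ptr [40ABD0h]`, `call` at 0040262B), and the six addresses it reports as junk are precisely the `db 81h / 84h` and `E8h 81h 84h E8h` bytes in the listing. The hint "between every 81h 84h there is code" is this rule in the other direction: the real instruction boundary is wherever the preceding `jmp short` lands.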
deskyet
22. May 2007
I am learning a lot from your vids too, lena; now I am watching video 18 and you learn REALLY SO MUCH... btw, because of your vids I made my first keygen for 'moofs keygenme'.
mrmag
28. May 2007
Hi Lena, hi everybody.

This is a very nice ReverseMe which has kept me busy for several hours now. I thought I had it, but then I figured I might still be playing with Robin Hood, because to continue the algorithm wants to execute code from INSIDE the keyfile. Therefore my question: how to figure out which are the correct (probably 7) bytes from the keyfile (because all I know right now is the sum of their opcodes)...

So, my question is -- am I still in 'the woods'? ;)


Regards,

MrMAG (aka DuaneD)
lena151
Author
28. May 2007
Good work MrMag!
No, you are NOT in the woods anymore. Keep going, almost there! The algo DOES indeed execute code from inside the keyfile itself.....
And I am sure that if you figured this out so far, you'll figure out the rest too!
Thanks for your time, I really appreciate it.
Hint: I said the algo is short and easy, and that is really true. So, make it plain simple ....
Best regards,
lena151.
lena151
Author
24. Jun 2007
Seeing that there were quite a few people having difficulties solving this ReverseMe, and though it's not customary that the author writes a solution him/herself, I have made a solution myself in the form of a tutorial in flash. Hopefully, it can shed a little light on things ...
