Ra$cal's Ra$cal crackme N3 with vm

Download CrackMe_3.zip, 16 kb (password: crackmes.de)

Crackme with a simple VM. The key check algorithm is simple, so the main target is the VM.
The difficulty of the p-code grows from start to end. The first part seems like an emulator, but then it looks like a machine with different logic, registers and commands =)
Good luck and have fun.

Difficulty: 4 - Needs special knowledge
Platform: Windows
Language: C/C++

Published: 11. Jun, 2008
Downloads: 545

Rating

Votes: 4
Crackme is quite nice.



Solutions

Solution by andrewl.us, published 20. Jun, 2008; download (114 kb), password: crackmes.de.

andrewl.us has rated this crackme as awesome.


Discussion and comments

costy
15. Jun 2008
After someone solves this... could you send me the source, please??
obnoxious
15. Jun 2008
ye yes same here!!!!!!!!!!!!!!!!!!!
andrewl.us
Moderator
15. Jun 2008
It is very difficult for me to solve. The instructions are variable length and many contain obfuscated operands. This appears true about all instructions, though:

instr[00h..01h] == opcode
instr[02h..05h] == jump label
instr[06h]      == size of instruction - 0Fh
instr[07h..0Ah] == next instruction's jump label

07 00 is unconditional jump
02 00 is conditional
01 00 calls various functions

00407193: [01 00] 25 37 1F 41 08 F6 AD BA 05 00 00 00 00 !C3 C8 DA CE! 00 00 40 00 // kernel32!lstrlenA
00407236: [01 00] 9C 73 60 B7 08 30 F0 3C CE 00 00 00 00 !C3 C8 DA CE! 00 00 40 00 // kernel32!lstrlenA
004075FA: [01 00] A5 66 98 CF 08 10 23 0E 2F 00 00 00 00 !C0 C8 DA CE! 00 00 40 00 // kernel32!GetComputerNameA
0040BE60: [01 00] 8E E4 22 78 08 48 26 AA F2 00 00 00 00 !C6 C8 DA 8E! 00 00 40 00 // user32!SetDlgItemTextA
0040BF3A: [01 00] 81 1E C8 56 08 00 58 CF E4 00 00 00 00 !C7 C8 DA 8E! 00 00 40 00 // user32!SetDlgItemIntA
0040C031: [01 00] B0 56 11 29 08 60 1B 86 4C 00 00 00 00 !C6 C8 DA 4E! 00 00 40 00 // user32!MessageBoxA
0040737C: [01 00] C2 AA 49 45 08 3C CD 1E 5D 00 00 00 00 !C6 C8 DA 4E! 00 00 40 00 // user32!MessageBoxA

The DWORD marked with !'s is the obfuscated address of the import thunk.

There appear to be two context-like structures, pointed to by pointers at 405338h and 405340h:

Context structure:

+--------------------+
| EFLAGS
+--------------------+ <-- +20h
| EAX
+--------------------+ <-- +1Ch
| ECX
+--------------------+ <-- +18h
| EDX
+--------------------+ <-- +14h
| EBX
+--------------------+ <-- +10h
| ESP
+--------------------+ <-- +0Ch
| EBP
+--------------------+ <-- +08h
| ESI ?
+--------------------+ <-- +04h
| ESI ?
+--------------------+ <-- +00h

Here is a list of VM instructions and addresses:

http://andrewl.us/rascalvm/all_instrs.txt

Here is a diagram of the VM instruction flow for when an incorrect serial is entered:

http://andrewl.us/rascalvm/full_trace.txt

Maybe someone can use these to get further than I can.
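As an added example (not part of this thread and not the crackme's own code), here is a small Python parser for the instruction layout andrewl.us describes above, run over three of the dump lines quoted in that comment. It decodes the opcode, jump label, size byte (instr[6] + 0Fh) and next label, checks the decoded size against the number of bytes dumped, and pulls out the !-marked DWORD undecoded. The offset of that DWORD (15) and the mnemonic names are my assumptions taken from the quoted lines, not facts from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three of the dump lines quoted in the comment above,
# in the same "address: bytes // comment" notation ([ ] marks the opcode,
# ! ! marks the obfuscated import-thunk DWORD).
SAMPLE_DUMP = """
00407193: [01 00] 25 37 1F 41 08 F6 AD BA 05 00 00 00 00 !C3 C8 DA CE! 00 00 40 00 // kernel32!lstrlenA
004075FA: [01 00] A5 66 98 CF 08 10 23 0E 2F 00 00 00 00 !C0 C8 DA CE! 00 00 40 00 // kernel32!GetComputerNameA
0040C031: [01 00] B0 56 11 29 08 60 1B 86 4C 00 00 00 00 !C6 C8 DA 4E! 00 00 40 00 // user32!MessageBoxA
"""

# Opcode meanings as stated in the comment; the mnemonics are hypothetical names chosen here.
OPCODE_NAMES = {0x0007: "jmp", 0x0002: "jcc", 0x0001: "call"}

# Fixed header layout from the comment (byte offsets into the instruction).
OFF_OPCODE, OFF_LABEL, OFF_SIZE, OFF_NEXT = 0, 2, 6, 7
SIZE_BIAS = 0x0F   # instr[6] holds (size - 0Fh)
OFF_THUNK = 15     # assumption: where the !...! DWORD sits in the quoted call dumps


@dataclass
class VmInstr:
    address: int
    opcode: int
    label: int
    size: int          # decoded from the size byte, not measured
    next_label: int
    raw: bytes
    comment: str

    @property
    def mnemonic(self) -> str:
        return OPCODE_NAMES.get(self.opcode, f"op_{self.opcode:04X}")

    @property
    def size_ok(self) -> bool:
        # Sanity check: the decoded size must match the number of bytes dumped.
        return self.size == len(self.raw)

    @property
    def thunk_obf(self) -> Optional[int]:
        # Only the call dumps carry the obfuscated thunk DWORD; returned as-is, undecoded.
        if self.opcode != 0x0001 or len(self.raw) < OFF_THUNK + 4:
            return None
        return int.from_bytes(self.raw[OFF_THUNK:OFF_THUNK + 4], "little")


def parse_dump_line(line: str) -> VmInstr:
    addr_str, rest = line.split(":", 1)
    comment = ""
    if "//" in rest:
        rest, comment = rest.split("//", 1)
    # Keep only the hex byte pairs; the [ ] and ! markers are dropped.
    raw = bytes(int(h, 16) for h in re.findall(r"\b[0-9A-Fa-f]{2}\b", rest))
    if len(raw) < OFF_NEXT + 4:
        raise ValueError(f"too few bytes for the fixed header: {line!r}")
    return VmInstr(
        address=int(addr_str.strip(), 16),
        opcode=int.from_bytes(raw[OFF_OPCODE:OFF_OPCODE + 2], "little"),
        label=int.from_bytes(raw[OFF_LABEL:OFF_LABEL + 4], "little"),
        size=raw[OFF_SIZE] + SIZE_BIAS,
        next_label=int.from_bytes(raw[OFF_NEXT:OFF_NEXT + 4], "little"),
        raw=raw,
        comment=comment.strip(),
    )


def parse_dump(text: str) -> List[VmInstr]:
    return [parse_dump_line(ln) for ln in text.splitlines() if ln.strip()]


def describe(instr: VmInstr) -> str:
    thunk = f" thunk_obf={instr.thunk_obf:08X}" if instr.thunk_obf is not None else ""
    flag = "" if instr.size_ok else " SIZE MISMATCH"
    return (f"{instr.address:08X}: {instr.mnemonic:<5} label={instr.label:08X} "
            f"next={instr.next_label:08X} size={instr.size}{thunk}{flag}  ; {instr.comment}")


if __name__ == "__main__":
    for ins in parse_dump(SAMPLE_DUMP):
        print(describe(ins))
```

For each of the three quoted lines the size byte 08h decodes to 17h = 23 bytes, which is exactly how many bytes are dumped, so the "size - 0Fh" reading of instr[6] holds on this sample; a SIZE MISMATCH flag on a longer trace would point at a line where that rule breaks.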
Ra$cal
Author
16. Jun 2008
andrewl.us - very good =)
Ra$cal
Author
24. Dec 2008
http://rapidshare.com/files/176473964/blabla.rar.html
Sources, but with Russian comments.
cryostat13
04. Jul 2013
Please reupload the source code.
andrewl.us
Moderator
09. Jul 2013
http://andrewl.dreamhosters.com/crackmes/ra$cal_VM_N3_src.rar
cryostat13
11. Jul 2013
thanks andrewl.us
