warrantyVoider's The Amazing Picture Downloader

Download crackme.zip, 158 kb (password: crackmes.de)

Patch this program to enable the disabled third download function.

(Regular program packed with homemade packer,
this is the successor to the two "Amazing Unit Converter" crackmes)

IMPORTANT:
=> You will need msvcr71.dll and mfc71.dll (http://www.dll-files.com/)
=> Windows XP only

Difficulty: 6 - Hard, for very professionals only
Platform: Windows 2000/XP only
Language: C/C++

Published: 20. Nov, 2005
Downloads: 1050

Rating

Votes: 5
Crackme is quite nice.

Solutions

Solution by deroko, published 05. jan, 2006; download (182 kb), password: crackmes.de or browse.

deroko has rated this crackme as quite nice.

Discussion and comments

deroko
21. Nov 2005
works on win2k, only section attributes should be fixed =)
bigboss1988
22. Nov 2005
Doesn't work on Sp2 !!?
warrantyVoider
Author
22. Nov 2005
bigboss, I'm sorry to hear that. Are you sure you have the two libraries? It will crash or hang without them.

If all else fails I have created a new version for you where I have removed two tricks that I believe could be problematic. You can get it here: http://pickup.mofile.net/18518449998126081894

Everybody else who has problems with the original file please use the simplified version, although you are missing out on a really dirty antidebugging trick ;-)
zairon
Moderator
22. Nov 2005
Works on both xp sp1 and sp2
bigboss1988
22. Nov 2005
I think this problem is because I have Windows Vista!! Is it a problem?
warrantyVoider
Author
22. Nov 2005
I don't know, I don't have Vista, but of course it's possible. XP has a compatibility mode where you can pretend to run a file on w2k or w9x. Maybe Vista has something similar?

If you can't get either file to work I fear we are out of luck, sorry.
Tenshi
28. Nov 2005
ohhh, virus alert with mcafee.....
warrantyVoider
Author
28. Nov 2005
Hi Tenshi, AV software seems particularly interested in the first few instructions of a program. My packer is polymorphic so those instructions vary every time. The first crackme using this packer (http://crackmes.de/users/warrantyvoider/the_amazing_unit_converter_patchme/) was "detected" as execryptor, etc.

Those heuristics seem to work a bit like probabilistic spam filters. They tick off items in their list: Execution doesn't start in the "code" section, "illogical" control flow, we write into the section we execute, no known packer signature => probability of this being a normal legal app goes towards zero => and we flag it as suspicious.

Thinking about it, being moderator on crackmes.de is quite a responsibility. I mean someone can anonymously upload .EXE files and hundreds of people will run them...
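
The two header-level items on that checklist (entry point outside the code section, a section that is both writable and executable) can be checked statically. The sketch below is an added example, not part of the thread and not any AV product's logic; the function names and the two header-only sample images are constructed for illustration and do not describe the crackme's real layout. The control-flow and packer-signature items need disassembly and a signature set, so they are left out.

```python
import struct

SCN_CNT_CODE, SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20, 0x20000000, 0x80000000

def parse_pe(pe: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # optional header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return entry, sections

def heuristic_findings(pe: bytes):
    """Tick off the header-level indicators; an empty list means nothing suspicious."""
    entry, sections = parse_pe(pe)
    findings = []
    home = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if home is None:
        findings.append("entry point outside every section")
    elif not home[3] & SCN_CNT_CODE:
        findings.append(f"entry point in non-code section {home[0]}")
    for name, _, _, chars in sections:
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
    return findings

def build_sample(entry, sections):
    """Constructed header-only PE32 image for the demo (not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 7, 10, 0, 0, 0, entry).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sII20xI", n, vs, va, ch) for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: an ordinary layout and a packer-style layout.
NORMAL = build_sample(0x1000, [(b".text", 0x1000, 0x2000, 0x60000020),
                               (b".data", 0x3000, 0x1000, 0xC0000040)])
PACKED = build_sample(0x5010, [(b".text", 0x1000, 0x2000, 0xE0000020),
                               (b".pack", 0x5000, 0x1000, 0xE0000040)])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL), ("packed", PACKED)):
        print(label, heuristic_findings(image))
```
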
deroko
30. Dec 2005
finally got time to write where I've stuck =)
dumped at oep, found all relatives, fixed anti-attach trick but I'm too lazy to code my own tracer plugin for import reconstruction. maybe I will code that sooner or later =)
warrantyVoider
Author
31. Dec 2005
Hey deroko, I hope you finish it some day so we can read your solution. Happy new year!
deroko
01. Jan 2006
tnx mate, you have lots of great anti-debug there. currently I'm developing nonintrusive debug plugin for importrec, and it took me a while till I've figured what is wrong with it, now I hope that it is fixed but I'll have to run it on every single suspicious api =) for the record I've defeated anti-attach trick(was the first thing to do when I've downloaded this crackme) and my plugin works fine with your lock:cmpxchg8b eax or lock int 1h seh during api call =)

I hope I will fix it sooner or later so you can see what headache was this crackme =) anyway great unpackme =)
deroko
01. Jan 2006
hxxp://deroko.headcoders.net/warranty3/
partially fixed. with nonintrusive plugin for importrec but there is more to fix (eg. jmp -> jmp -> jmp [obsfucated_api] that gives me a little headache) =))
deroko
02. Jan 2006
hoho =) is task to change it so it downloads pictures of some cute chicks instead of that old grandma?
warrantyVoider
Author
02. Jan 2006
Careful, deroko, this grandma runs my country ;-)

Man, you rule! This plugin of yours really seems to be quite a weapon.
deroko
03. Jan 2006
sorry didn't know. Patched to download pics of Angelina Jolie =)

Well solution submitted and I hope that it will be approved, probably my longest solution, mostly I'm talking about coding nonintrusive plugin for importrec to defeat api obfuscation.
DeepBlue
03. Jan 2006
I'm so excited =)
nice work deroko!
good lord I was crying trying to reverse this one :F
deroko
03. Jan 2006
@DeepBlue : I must admit unpacking and dumping wasn't any easy task but it was enjoyable =)
theMyth
05. Jan 2006
Sir deroko, where did you patch Olly to avoid those annoying messages (dangerous command)? I'm stuck at making the crackme run fully with Olly. And what's that attach defend? I couldn't attach it. Really hard crackme.
deroko
05. Jan 2006
Olly patch:
.00434C5E: 90 nop
.00434C5F: B806000000 mov eax,6
.00434C64: 90 nop
and more nops

attach defend is obfuscated NtContinue =)
theMyth
06. Jan 2006
Maybe I'm not lucky but the patched Olly still terminates when running this crackme. Sir deroko, can you upload your Olly version? Many thanks.
deroko
06. Jan 2006
well it works with olly, but due to many messages thrown by olly because of lock cmpxchg8b it is annoying to trace it till oep in olly =)
code_inside
06. Jan 2006
Nice solution Deroko :)
(And nice CrackMe ;) )
TheBigMan
10. Jan 2006
Damn Merkel!
nice cm! :)
