
warrantyVoider's The Amazing Picture Downloader
Download crackme.zip, 158 kb (password: crackmes.de)
Patch this program to enable the disabled third download function.
Difficulty: 6 - Hard, for very professionals only
Solutions
Solution by deroko, published 05. jan, 2006; download (182 kb), password: crackmes.de or browse.
deroko has rated this crackme as quite nice.
Discussion and comments
deroko 21. Nov 2005 | works on win2k, only section attributes should be fixed =) |
---|---|
bigboss1988 22. Nov 2005 | Doesn't work on Sp2 !!? |
warrantyVoider Author 22. Nov 2005 | bigboss, I'm sorry to hear that. Are you sure you have the two libraries? It will crash or hang without them. If all else fails I have created a new version for you where I have removed two tricks that I believe could be problematic. You can get it here: http://pickup.mofile.net/18518449998126081894 Everybody else who has problems with the original file please use the simplified version, although you are missing out on a really dirty antidebugging trick ;-) |
zairon Moderator 22. Nov 2005 | Works on both xp sp1 and sp2 |
bigboss1988 22. Nov 2005 | i think this problem cuz i have windows vista!! it is a problem? |
warrantyVoider Author 22. Nov 2005 | I don't know, I don't have Vista, but of course it's possible. XP has a compatibility mode where you can pretend to run a file on w2k or w9x. Maybe Vista has something similar? If you can't get either file to work I fear we are out of luck, sorry. |
Tenshi 28. Nov 2005 | ohhh, virus alert with mcafee..... |
warrantyVoider Author 28. Nov 2005 | Hi Tenshi, AV software seems particularly interested in the first few instructions of a program. My packer is polymorphic so those instructions vary every time. The first crackme using this packer (http://crackmes.de/users/warrantyvoider/the_amazing_unit_converter_patchme/) was "detected" as execryptor, etc. Those heuristics seem to work a bit like probabilistic spam filters. They tick off items in their list: Execution doesn't start in the "code" section, "illogical" control flow, we write into the section we execute, no known packer signature => probability of this being a normal legal app goes towards zero => and we flag it as suspicious. Thinking about it, being moderator on crackmes.de is quite a responsibility. I mean someone can anonymously upload .EXE files and hundreds of people will run them... |
deroko 30. Dec 2005 | finally got time to write where I've stuck =) dumped at oep, found all relatives, fixed anti-attach trick but I'm too lazy to code my own tracer plugin for import reconstruction. maybe I will code that sooner or later =) |
warrantyVoider Author 31. Dec 2005 | Hey deroko, I hope you finish it some day so we can read your solution. Happy new year! |
deroko 01. Jan 2006 | tnx mate, you have lots of great anti-debug there. currently I'm developing nonintrusive debug plugin for importrec, and it took me a while till I've figured what is wrong with it, now I hope that it is fixed but I'll have to run it on every single suspicious api =) for the record I've defeated anti-attach trick (was the first thing to do when I've downloaded this crackme) and my plugin works fine with your lock:cmpxchg8b eax or lock int 1h seh during api call =) I hope I will fix it sooner or later so you can see what headache was this crackme =) anyway great unpackme =) |
deroko 01. Jan 2006 | hxxp://deroko.headcoders.net/warranty3/ partially fixed. with nonintrusive plugin for importrec but there is more to fix (eg. jmp -> jmp -> jmp [obfuscated_api] that gives me a little headache) =)) |
deroko 02. Jan 2006 | hoho =) is task to change it so it downloads pictures of some cute chicks instead of that old grandma? |
warrantyVoider Author 02. Jan 2006 | Careful, deroko, this grandma runs my country ;-) Man, you rule! This plugin of yours really seems to be quite a weapon. |
deroko 03. Jan 2006 | sorry didn't know. Patched to download pics of Angelina Jolie =) Well solution submitted and I hope that it will be approved, probably my longest solution, mostly I'm talking about coding nonintrusive plugin for importrec to defeat api obfuscation. |
DeepBlue 03. Jan 2006 | I'm so excited =) nice work deroko! good lord i was crying trying to reverse this one :F |
deroko 03. Jan 2006 | @DeepBlue : I must admit unpacking and dumping wasn't any easy task but it was enjoyable =) |
theMyth 05. Jan 2006 | Sir deroko, where did you patch Olly to avoid those annoyed message (dangerous command)? I'm stuck at making the crackme run fully with Olly. And what's that attach defend? I couldn't attach it. Really hard crackme. |
deroko 05. Jan 2006 | Olly patch: .00434C5E: 90 nop; .00434C5F: B806000000 mov eax,6; .00434C64: 90 nop; and more nops. attach defend is obfuscated NtContinue =) |
theMyth 06. Jan 2006 | Maybe i'm not lucky but the patched Olly still terminates when running this crackme. Sir deroko, can you upload your Olly version? Many thanks. |
deroko 06. Jan 2006 | well it works with olly, but due to many messages thrown by olly because of lock cmpxchg8b it is annoying to trace it till oep in olly =) |
code_inside 06. Jan 2006 | Nice solution Deroko :) (And nice CrackMe ;) ) |
TheBigMan 10. Jan 2006 | Damn Merkel! nice cm! :) |
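
Two of the heuristic items warrantyVoider lists in the thread (execution not starting in the "code" section, and writing into the section that is executed) can be read straight from the PE headers. The following is an added example, not code from the thread, the crackme or any AV product; the section names, addresses and both sample images are constructed, and a real scanner weighs many more signals than these two.

```python
import struct
CNT_CODE, MEM_EXECUTE, MEM_WRITE = 0x20, 0x20000000, 0x80000000  # IMAGE_SCN_* flags

def parse_sections(pe):
    """Return (entry_point_rva, [(name, rva, vsize, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, nt + 24 + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        off = nt + 24 + opt_size + 40 * i                  # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, rva = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, rva, vsize, chars))
    return entry, sections

def packer_indicators(pe):
    """Static checks for two of the items listed in the thread."""
    entry, sections = parse_sections(pe)
    home = next((s for s in sections if s[1] <= entry < s[1] + max(s[2], 1)), None)
    if home is None:
        return ["entry point outside every section"]
    name, _, _, chars = home
    hits = []
    if not chars & CNT_CODE:
        hits.append(f"entry point in non-code section {name!r}")
    if chars & MEM_WRITE and chars & MEM_EXECUTE:
        hits.append(f"entry section {name!r} is writable and executable")
    return hits

def build_pe(entry, sections):
    """Constructed sample: PE32 headers only, no code or data behind them."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<6I2HI", vs, rva, 0, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

NORMAL = build_pe(0x1000, [(b".text", 0x1000, 0x2000, 0x60000020),
                           (b".data", 0x3000, 0x1000, 0xC0000040)])
PACKED = build_pe(0x5000, [(b".text", 0x1000, 0x2000, 0x60000020),
                           (b".stub", 0x5000, 0x1000, 0xE0000040)])
```

`packer_indicators(NORMAL)` returns an empty list, while `packer_indicators(PACKED)` reports both conditions for the constructed `.stub` section.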