CrypKey Instant 6.x -> CrypKey Inc.


Crypto
June 10th, 2009, 18:07
This is the Protector:

Quote:
CrypKey Instant 6.x -> CrypKey Inc.
Big number :: 003A6207 :: 00C58207 <-- I saw this with a KANAL scan. Thought I'd throw this in there.


Here is the exe uploaded to sendspace and rapidshare:
The size of this .rar is 21.98MB. Here is the link:

COMMERCIAL SOFTWARE - LINK DELETED BY MODERATOR

I have been to the tuts4you forum, ARTeam forum, exetools forum, OpenRCE forums, Black Storm forum, along with this forum. I have also searched Google extensively and came up with this.

I know squidge here at Woodmann's RCE claims he has an unpacker for CrypKey 6.x applications, but it's not public.
I know that there is a Site Key Generator program, along with another program called Isomething.

Anyway, it seems like everyone is flaming this protector. Let's see if anyone can unpack it. If you do unpack it, let me know a few details on how you did it. If you want to write a tutorial on this, that is OK too.

The forums and Google also came up with a few tutorials, which I have read for the most part:

I found this tutorial on CrypKey here:
http://www.woodmann.com/crackz/Tutorials/Crypkey1.htm

Along with lena151's tutorial:
snd-reversingwithlena-tutorial20

There is also a pdf and rtf file hanging around called:
CrypKey with Self-Debugger.pdf <-- I think I got this off the tuts4you main page.

There has been some promise with the "CrypKey with Self-Debugger.pdf" tutorial. I have overlooked this part in it.

4. Reaching OEP in protected application

After rereading the tutorial I started to follow its steps. This is what I came up with:

Code:
0. Open 1st instance of olly and locate target.

1. Patch jump to oep to this CC EB FE 90 90 90

2. Place bp on CreateProcessA, then Run process till bp.

3. Locate and open .tmp file in a new instance of Olly.

4. Patch OEP to EB FE 00 00 00

5. Save Changes and close olly.

6. Go to location 011856F3 in the first Olly instance and patch to 6A FF 90 90 90

7. Hit Shift F9 to run .exe and attach the .tmp file in the 2nd instance of olly.

8. Open 3rd instance of olly and attach it to the first instance of ollydbg.exe that has the target open in it.

9. Place bp on WaitForDebugEvent, after breaking here retn to ollydbg code.

10. Patch TEST EAX, EAX with 68 C0 04 00 00 E8 65 0D 42 7C 90

11. The .tmp file olly instance should be the only one running at this point.

12. Hit Shift F9 and then F12 to land on OEP.

13. Patch OEP to E8 07 00 00 00 6A 00

14. More to come when I figure this out


I can't seem to get past step 10. I go into more detail in my post below this.

Crypto
June 10th, 2009, 18:08
I have been trying to reverse this program called Design * *a* 5; it's a sheet metal layout program. It has a protector called CrypKey 6.x. With this protector there is a self-debugger protection that comes along with it. It is a cksX.tmp file that gets loaded into your temporary folder when you double-click on the executable for your program. This cksX.tmp file is actually an .exe that acts like a debugger, so you can't attach another debugger like OllyDbg to it.

So, the question I need to have answered here is, how do I attach a debugger to a process that already has a debugger attached to it?

Well, I read a few good articles about this, and one of them is:

Quote:
The Art of Unpacking
by: Mark Vincent Yason

Since the protected process is already being debugged, attaching a debugger via kernel32!DebugActiveProcess() will fail since the corresponding native API, ntdll!NtDebugActiveProcess() will return STATUS_PORT_ALREADY_SET. Internally, the failure of NtDebugActiveProcess() is due to the DebugPort field of the EPROCESS kernel structure being already set.

In order to attach a debugger to the protected process, a solution posted on several reversing forums involves invoking kernel32!DebugActiveProcessStop() in the context of the parent process. This can be done by attaching a debugger on the parent process, and setting a breakpoint inside kernel32!WaitForDebugEvent(), once the breakpoint is hit, a code to invoke DebugActiveProcessStop(ChildProcessPID) is then injected and executed, once the call succeeds, a debugger can be attached to the protected process.


Well, this article states:

1. Invoke kernel32!DebugActiveProcessStop() in the parent process.

The only way I know of doing this now is to open up our target in Olly, which makes Olly the parent, and then open up another instance of Olly and attach it to the 1st instance with our target.
Now we can debug or invoke DebugActiveProcessStop().

2. Setting a bp inside the WaitForDebugEvent().

Well, we can do this inside our 2nd instance of Olly. Once the bp is hit, we have to inject our own code into it somewhere. The tutorials I've read don't really give a good indication of where this should be, but let's use their location. Here is their location:

Code:
00439622 68 C0040000 PUSH 4C0
00439627 E8 650D427C CALL kernel32.DebugActiveProcessStop
0043962C 90 NOP


This will overwrite the VA at 00439622 with these opcodes: 68 C0 04 00 00 E8 65 0D 42 7C 90
Well, when I put these opcodes inside Olly I am already at the VA 00439622. How will I know if these brand new lines of code will work? For some reason my OllyDbg seems to lock up at this point and either says "Running" or just doesn't respond.

Crypto
June 10th, 2009, 21:32
Step_5 - Detach CrypKey Debugger from Example.exe

14. BP WaitForDebugEvent <--- Tried this on the cksX.tmp instance and got this error:
0013FEEC 00403080 ASCII "There was an error starting the program."

I seem to be getting it with this tutorial, CrypKey with Self-Debugger.
I guess the trick is this:

1. Open target.exe and edit file like steps above
2. Open cksX.tmp and edit file like steps above
3. Attach cksX.tmp
4. Attach ollydbg.exe to the ollydbg.exe that has target.exe open in it <-- that's the sweet spot there.

So, this is how you debug a process that is already being debugged. But now I have that error that I have to get rid of.

Crypto
June 10th, 2009, 21:33
OK, got past that step up above.

Here is a snippet from the tutorial I'm following:

Quote:
Buffer in dump:

0012FF40 03 00 00 00 C0 04 00 00 A0 04 00 00 BC 07 00 00 ................
0012FF50 C0 07 00 00 C4 07 00 00 00 00 40 00 00 00 00 00 ..........@.....
0012FF60 00 00 00 00 00 F0 FD 7F 00 00 00 00 00 00 00 00 ................

This buffer holds event information. Check the MS reference to understand it. My idea was to place a conditional breakpoint that will stop the program when the CC byte (that I have placed instead of the OEP jump) is triggered. I have placed this conditional bp:

DWORD[edi+18]==00414C91

EDI points to the buffer when WaitForDebugEvent is executed, and at +18 from that buffer's start is the address where the exception occurred:

$ ==> >01 00 00 00 C0 04 00 00 A0 04 00 00 03 00 00 80 ................
$+10 >00 00 00 00 00 00 00 00 91 4C 41 00 03 00 00 00 .........LA.....

Now I know that all crypkey code in Example.exe is executed and OEP should be reached.


Here is my dump output at this point:

Code:
0013FF40 40 44 1B 89 00 44 1B 89 F0 F2 55 02 48 8C C3 B1 @D...D....U.H...
0013FF50 67 21 4E 80 B8 44 1B 00 80 69 67 FF FF FF FF FF g!N..D...ig.....
0013FF60 00 00 00 00 E8 44 1B 89 43 14 50 80 40 44 1B 89 .....D..C.P.@D..
0013FF70 6C 8C C3 B1 00 00 00 00 78 46 83 E8 00 00 00 00 l.......xF......
0013FF80 E0 EF A0 85 E0 1F 00 00 00 44 1B 89 78 4A 83 E8 .........D..xJ..
0013FF90 01 00 00 00 00 00 00 00 08 04 00 00 00 00 00 00 ................
0013FFA0 0C 00 00 00 00 00 00 00 00 00 00 00 B5 B9 58 80 ..............X.
0013FFB0 9C DC 90 7C 64 70 81 00 48 0E 00 00 F0 FF 13 00 ...|dp..H.......
0013FFC0 05 10 40 00 67 70 81 7C 18 00 00 00 10 00 00 00 ..@.gp.|........
0013FFD0 00 E0 FD 7F FA 12 55 80 C8 FF 13 00 20 70 62 89 ......U..... pb.
0013FFE0 FF FF FF FF C0 9A 83 7C 70 70 81 7C 00 00 00 00 .......|pp.|....
0013FFF0 00 00 00 00 00 00 00 00 00 10 40 00 00 00 00 00 ..........@.....


How do I find this spot, DWORD[edi+18]==00414C91, in the dump?
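Both the tutorial's quoted buffers and the closing question turn on the layout of the DEBUG_EVENT structure that kernel32!WaitForDebugEvent fills in, which is how a self-debugging protector such as the cksX.tmp process sees what happens inside its child. The C program below is an editor's added example, not code from the thread, the tutorial or CrypKey: it decodes that documented 32-bit (x86) layout from raw bytes, using constructed copies of the two 32-byte buffers quoted from the tutorial and the first 32 bytes of the dump in the post above. It reads the event code, process and thread ids and, for an exception event, the exception code and the faulting address at +0x18, the field the tutorial's condition DWORD[edi+18]==00414C91 tests. It also shows that the same +0x18 slot holds lpBaseOfImage for a CREATE_PROCESS_DEBUG_EVENT (code 3), so the one-dword condition only means "breakpoint at the OEP" when the event code is 1, and that a buffer whose first dword is not a small event code is not the WaitForDebugEvent buffer at all. The offsets and constants are the standard Win32 ones; the program assumes 32-bit field sizes and builds with any C99 compiler without Windows headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Field offsets of the 32-bit DEBUG_EVENT that kernel32!WaitForDebugEvent fills in.
   The union u starts at +0x0C; which member is valid depends on dwDebugEventCode. */
#define OFF_EVENT_CODE   0x00u
#define OFF_PROCESS_ID   0x04u
#define OFF_THREAD_ID    0x08u
#define OFF_UNION        0x0Cu
/* u.Exception.ExceptionRecord, valid when dwDebugEventCode == 1 */
#define OFF_EXC_CODE     (OFF_UNION + 0x00u)
#define OFF_EXC_FLAGS    (OFF_UNION + 0x04u)
#define OFF_EXC_ADDRESS  (OFF_UNION + 0x0Cu)   /* +0x18 from the buffer start */
/* u.CreateProcessInfo, valid when dwDebugEventCode == 3 */
#define OFF_CP_HFILE     (OFF_UNION + 0x00u)
#define OFF_CP_HPROCESS  (OFF_UNION + 0x04u)
#define OFF_CP_HTHREAD   (OFF_UNION + 0x08u)
#define OFF_CP_IMAGEBASE (OFF_UNION + 0x0Cu)   /* also +0x18: same slot, other meaning */

#define EXCEPTION_DEBUG_EVENT      1u
#define CREATE_PROCESS_DEBUG_EVENT 3u
#define RIP_EVENT                  9u          /* highest documented event code */
#define EXCEPTION_BREAKPOINT       0x80000003u

/* Constructed copies of bytes quoted in the thread (little-endian, as dumped). */
const uint8_t TUTORIAL_CREATE_PROCESS_EVENT[32] = {   /* tutorial dump at 0012FF40 */
    0x03,0x00,0x00,0x00, 0xC0,0x04,0x00,0x00, 0xA0,0x04,0x00,0x00, 0xBC,0x07,0x00,0x00,
    0xC0,0x07,0x00,0x00, 0xC4,0x07,0x00,0x00, 0x00,0x00,0x40,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t TUTORIAL_EXCEPTION_EVENT[32] = {        /* tutorial dump "$ ==>" / "$+10" */
    0x01,0x00,0x00,0x00, 0xC0,0x04,0x00,0x00, 0xA0,0x04,0x00,0x00, 0x03,0x00,0x00,0x80,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x91,0x4C,0x41,0x00, 0x03,0x00,0x00,0x00 };
const uint8_t POST_DUMP_0013FF40[32] = {              /* first 32 bytes of the post's dump */
    0x40,0x44,0x1B,0x89, 0x00,0x44,0x1B,0x89, 0xF0,0xF2,0x55,0x02, 0x48,0x8C,0xC3,0xB1,
    0x67,0x21,0x4E,0x80, 0xB8,0x44,0x1B,0x00, 0x80,0x69,0x67,0xFF, 0xFF,0xFF,0xFF,0xFF };

static uint32_t rd32(const uint8_t *p, unsigned off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8) |
           ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* A DEBUG_EVENT always starts with a small event code (1..9). A first dword
   outside that range means the bytes are not the WaitForDebugEvent buffer. */
int looks_like_debug_event(const uint8_t *buf) {
    uint32_t code = rd32(buf, OFF_EVENT_CODE);
    return code >= EXCEPTION_DEBUG_EVENT && code <= RIP_EVENT;
}

uint32_t event_code_of(const uint8_t *buf) { return looks_like_debug_event(buf) ? rd32(buf, OFF_EVENT_CODE) : 0; }
uint32_t process_id_of(const uint8_t *buf) { return looks_like_debug_event(buf) ? rd32(buf, OFF_PROCESS_ID) : 0; }
uint32_t thread_id_of(const uint8_t *buf)  { return looks_like_debug_event(buf) ? rd32(buf, OFF_THREAD_ID) : 0; }

/* Exception members are only meaningful for event code 1; return 0 otherwise. */
uint32_t exception_code_of(const uint8_t *buf) {
    return event_code_of(buf) == EXCEPTION_DEBUG_EVENT ? rd32(buf, OFF_EXC_CODE) : 0;
}
uint32_t exception_address_of(const uint8_t *buf) {
    return event_code_of(buf) == EXCEPTION_DEBUG_EVENT ? rd32(buf, OFF_EXC_ADDRESS) : 0;
}
/* lpBaseOfImage is only meaningful for event code 3; return 0 otherwise. */
uint32_t image_base_of(const uint8_t *buf) {
    return event_code_of(buf) == CREATE_PROCESS_DEBUG_EVENT ? rd32(buf, OFF_CP_IMAGEBASE) : 0;
}

/* The tutorial's conditional breakpoint, DWORD[edi+18]==00414C91, together with the
   event-code and exception-code checks that the one-dword condition leaves implicit. */
int breakpoint_event_at(const uint8_t *buf, uint32_t wanted) {
    return exception_code_of(buf) == EXCEPTION_BREAKPOINT && exception_address_of(buf) == wanted;
}

static void describe(const char *name, const uint8_t *buf) {
    if (!looks_like_debug_event(buf)) {
        printf("%s: first dword %08X is not an event code; not a DEBUG_EVENT\n",
               name, (unsigned)rd32(buf, OFF_EVENT_CODE));
        return;
    }
    printf("%s: event %u pid %04X tid %04X", name, (unsigned)event_code_of(buf),
           (unsigned)process_id_of(buf), (unsigned)thread_id_of(buf));
    if (event_code_of(buf) == EXCEPTION_DEBUG_EVENT)
        printf(" exception %08X at %08X", (unsigned)exception_code_of(buf),
               (unsigned)exception_address_of(buf));
    else if (event_code_of(buf) == CREATE_PROCESS_DEBUG_EVENT)
        printf(" image base %08X", (unsigned)image_base_of(buf));
    printf("\n");
}

int main(void) {
    describe("tutorial create-process event", TUTORIAL_CREATE_PROCESS_EVENT);
    describe("tutorial exception event", TUTORIAL_EXCEPTION_EVENT);
    describe("post dump at 0013FF40", POST_DUMP_0013FF40);
    return 0;
}
```

Run as-is, it reports event 3 from pid 4C0 with image base 00400000 for the first tutorial buffer, event 1 with exception 80000003 at 00414C91 for the second, and rejects the post's dump because its first dword (891B4440) is not an event code. The accessor functions return 0 for fields that do not belong to the event type in the buffer, which is the check a one-line debugger condition cannot express.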