I really like this CrackMe..Using timing as anti-singlestep trick is a most unique feature..
I would like to go into details about the time I spent looking at this multi-process crackme..can I? :}
Also note: I ask because I don't know the 'rules' involved in all this.. You know, the first time I wanted to 'test' my abilities.. I looked at other solutions to get an idea of what is required..It seems they don't want to completely document code(I do).. also I think the use of timing as a repeatable concept was genius..
Some analyzed code.. still more to come..
Code:
00403000 >/$ 6A 01 PUSH 1 ; /Protect = PAGE_NOACCESS
00403002 |. 68 00200000 PUSH 2000 ; |AllocationType = MEM_RESERVE
00403007 |. 68 00000100 PUSH 10000 ; |Size = 10000 (65536.)
0040300C |. 6A 00 PUSH 0 ; |Address = NULL
0040300E |. FF15 6C104000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc
00403014 |. 85C0 TEST EAX,EAX ; Test if error
00403016 |. 0F84 7D010000 JE Prove_Ko.00403199 ; If error exit process
0040301C |. 8BF0 MOV ESI,EAX ; Store base address in esi
0040301E |. 81C6 00100000 ADD ESI,1000 ; add esi,4096
00403024 |. 6A 04 PUSH 4 ; /Protect = PAGE_READWRITE
00403026 |. 68 00100000 PUSH 1000 ; |AllocationType = MEM_COMMIT
0040302B |. 68 00100000 PUSH 1000 ; |Size = 1000 (4096.)
00403030 |. 56 PUSH ESI ; |Address
00403031 |. FF15 6C104000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; \VirtualAlloc
00403037 |. 85C0 TEST EAX,EAX ; Test if error
00403039 |. 0F84 5A010000 JE Prove_Ko.00403199 ; if error exit process
0040303F |. 68 4B455900 PUSH 59454B ; ascii 'KEY.' as dword
00403044 |. 8BCC MOV ECX,ESP ; mov ecx,KEY in esp
00403046 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00403048 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040304D |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
0040304F |. 6A 00 PUSH 0 ; |pSecurity = NULL
00403051 |. 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00403053 |. 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00403058 |. 51 PUSH ECX ; |FileName
00403059 |. FF15 70104000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
0040305F |. 5F POP EDI ; clean stack
00403060 |. 8BF8 MOV EDI,EAX ; mov handle to EDI
00403062 |. 40 INC EAX ; INVALID_HANDLE_VALUE (-1) becomes 0 and sets ZF
00403063 |. 0F84 30010000 JE Prove_Ko.00403199 ; fail if CreateFileA returned INVALID_HANDLE_VALUE
00403069 |. FF15 74104000 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount] Anti-Debug trick start
0040306F |. 8BD8 MOV EBX,EAX ; mov TickCount to ebx
00403071 |. 81FB C0270900 CMP EBX,927C0 ; 927C0 = 600000 ms (10 minutes of uptime)
00403077 |. 76 58 JBE SHORT Prove_Ko.004030D1 ; jump below this or equal Close Handle
00403079 |. 81FB 00CA9A3B CMP EBX,3B9ACA00 ; 3B9ACA00 = 1,000,000,000 ms (about 11.6 days of uptime)
0040307F |. 77 50 JA SHORT Prove_Ko.004030D1 ; jump above close Handle
00403081 |. C706 94000000 MOV DWORD PTR DS:[ESI],94 ; write 94 to the area of page_readwrite memory
00403087 |. 895E 04 MOV DWORD PTR DS:[ESI+4],EBX ; write tick count to area of page_readwrite memory + 4
0040308A |. 6A 00 PUSH 0 ; /pOverlapped = NULL
0040308C |. 54 PUSH ESP ; |pBytesWritten
0040308D |. 68 94000000 PUSH 94 ; |nBytesToWrite = 94 (148.)
00403092 |. 56 PUSH ESI ; |Buffer
00403093 |. 57 PUSH EDI ; |hFile
00403094 |. FF15 78104000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
0040309A |. 68 D0070000 PUSH 7D0 ; /Timeout = 2000. ms
0040309F |. FF15 7C104000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
004030A5 |. FF15 74104000 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; [GetTickCount
004030AB |. 2BC3 SUB EAX,EBX ; eax = ms elapsed since the first GetTickCount (unsigned)
004030AD |. 2D B80B0000 SUB EAX,0BB8 ; subtract 3000 ms: Sleep(2000) plus 1000 ms of slack
004030B2 |. 77 1D JA SHORT Prove_Ko.004030D1 ; JA: if elapsed > 3000 ms (unsigned) skip the key write and close the handle
004030B4 |. 6A 00 PUSH 0 ; /Origin = FILE_BEGIN
004030B6 |. 6A 00 PUSH 0 ; |pOffsetHi = NULL
004030B8 |. 6A 00 PUSH 0 ; |OffsetLo = 0
004030BA |. 57 PUSH EDI ; |hFile
004030BB |. FF15 80104000 CALL DWORD PTR DS:[<&KERNEL32.SetFilePoi>; \SetFilePointer
; set the Key file pointer to 0
004030C1 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004030C3 |. 54 PUSH ESP ; |pBytesRead
004030C4 |. 68 94000000 PUSH 94 ; |BytesToRead = 94
004030C9 |. 56 PUSH ESI ; |Buffer
004030CA |. 57 PUSH EDI ; |hFile
004030CB |. FF15 84104000 CALL DWORD PTR DS:[<&KERNEL32.ReadFile>] ; \ReadFile
; read first 94 bytes of key file
004030D1 |> 57 PUSH EDI ; /hObject Key File Handle
004030D2 |. FF15 88104000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004030D8 |. 2BC0 SUB EAX,EAX ; zero out eax
004030DA |. 64:8308 FF OR DWORD PTR FS:[EAX],FFFFFFFF ; FS:[0] = -1: unlink every existing SEH handler
004030DE |. 64:8B78 08 MOV EDI,DWORD PTR FS:[EAX+8] ; mov edi stack start
004030E2 |. 64:8B48 04 MOV ECX,DWORD PTR FS:[EAX+4] ; mov ecx stack end
004030E6 |. 2BCF SUB ECX,EDI ; end - start
004030E8 |. C1E9 02 SHR ECX,2 ; divide by 4
004030EB |. FC CLD ; Clear Direction flag..
004030EC |. F3:AB REP STOS DWORD PTR ES:[EDI] ; zero stack
004030EE |. 81E4 00F0FFFF AND ESP,FFFFF000
004030F4 |. 81C4 00100000 ADD ESP,1000
004030FA |. 68 A4314000 PUSH Prove_Ko.004031A4; ; push SEH handler
004030FF |. 6A FF PUSH -1 ; push ffffffff end of chain
00403101 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403104 |. 0F0B UD2 ; trigger exception
00403106 |. 8D6C24 80 LEA EBP,DWORD PTR SS:[ESP-80] ;return here after exception
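The timing gate from 00403069 to 004030B2, replayed as portable C. This is an added example, not code from the crackme or from the post; the Windows calls are replaced by passing the two GetTickCount values in as parameters, so the same branch decisions can be checked offline.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the listing above. */
#define TICK_MIN   0x927C0u     /* 600000 ms: about 10 minutes of uptime */
#define TICK_MAX   0x3B9ACA00u  /* 1e9 ms: about 11.6 days of uptime */
#define SLEEP_MS   0x7D0u       /* Sleep(2000) */
#define DELTA_MAX  0xBB8u       /* 3000 ms allowed between the two GetTickCount calls */

enum timing_path {
    PATH_SKIP_TICK_LOW,    /* CMP EBX,927C0 / JBE taken -> CloseHandle */
    PATH_SKIP_TICK_HIGH,   /* CMP EBX,3B9ACA00 / JA taken -> CloseHandle */
    PATH_SKIP_TOO_SLOW,    /* SUB EAX,EBX; SUB EAX,0BB8; JA taken -> CloseHandle */
    PATH_WRITE_KEY         /* falls through to WriteFile / SetFilePointer / ReadFile */
};

/* Pre-sleep part: the two unsigned bounds checks on the first tick value (EBX). */
static enum timing_path check_first_tick(uint32_t tick0)
{
    if (tick0 <= TICK_MIN)   /* JBE: unsigned below-or-equal */
        return PATH_SKIP_TICK_LOW;
    if (tick0 > TICK_MAX)    /* JA: unsigned above */
        return PATH_SKIP_TICK_HIGH;
    return PATH_WRITE_KEY;
}

/* Whole gate: tick0 is the value read before Sleep, tick1 the value read after.
 * The subtraction is 32-bit unsigned exactly like SUB EAX,EBX, so a
 * GetTickCount wrap-around between the two reads behaves as in the binary. */
enum timing_path timing_gate(uint32_t tick0, uint32_t tick1)
{
    enum timing_path p = check_first_tick(tick0);
    if (p != PATH_WRITE_KEY)
        return p;
    uint32_t elapsed = tick1 - tick0;   /* SUB EAX,EBX */
    /* SUB EAX,0BB8 then JA: taken iff no borrow and nonzero, i.e. elapsed > 3000 */
    if (elapsed > DELTA_MAX)
        return PATH_SKIP_TOO_SLOW;
    return PATH_WRITE_KEY;
}

int main(void)
{
    /* Constructed samples: an undisturbed run, and one where the two reads are 10 s apart. */
    printf("%d\n", timing_gate(0x100000u, 0x100000u + SLEEP_MS));  /* prints 3 (PATH_WRITE_KEY) */
    printf("%d\n", timing_gate(0x100000u, 0x100000u + 10000u));    /* prints 2 (PATH_SKIP_TOO_SLOW) */
    return 0;
}
```

Stepping through the Sleep with a debugger stretches the gap between the two reads past 3000 ms, which is why the key write is skipped under single-stepping but taken on a normal run.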
I'm working on this and so much other stuff...I hope to show your code in all its glory and maybe even really understand it, and if not I will at least know more about where I can improve. ..
I am sorry if you think I would berate thee.. I only wish to see more of the light you keep hidden..so I may see it better.. Is that a wrong goal?