New FUN Reversing challenge ESET 2013
NeOXOeN
August 12th, 2013, 05:19
New task for programmers and new crackme 2013:
http://joineset.com/
Bye NeO'X'QuiCk
Indy
August 12th, 2013, 07:07
This module does nothing (see procmon) lol

Indy
August 12th, 2013, 11:02
Anubis:
Orig ("Timeout", wait for input): http://anubis.iseclab.org/?action=result&task_id=184daca9179ccf94479bbbd99f7d2e54f&format=html
Mod (loader, "All tracked processes have exited"): http://anubis.iseclab.org/?action=result&task_id=138e93b5cb62a6174f5c1f37222a63549&format=html
2791
Apparently this is a non working dropper.
Inliferty
August 12th, 2013, 12:19
You are right, this is not a dropper.
Nevertheless you should not ignore the hint they give when you start the program
Code:
* Program code can contain hidden files, texts, conditional tasks, debugging *
* protection and so on. Do not hesitate to send us your results even if *
* they're only partial. You can also attach a step-by-step analysis so that *
...
Indy
August 12th, 2013, 16:17
This is
dropper. So it is an application that downloads and runs code. There is UrlDownloadToFile & ShellExecute(). This is a dropper. Non working crap. Typical for aver's.
Quote:
Program code can contain hidden files, texts, conditional tasks, debugging *
You poke his nose into the log !?
http://s020.radikal.ru/i713/1308/f5/6afe973387fc.png (http://radikal.ru/fp/5527ed38482e46c19a25f4dc7b71186e)
It doesn't do anything, pagan aver's!1
NeOXOeN
Are you the author ??
Inliferty
August 12th, 2013, 17:48
You ran an automated System onto an Executable. Wow congratulations ...
Code:
* Hidden part #1. Text picked from the following URL:
* http://www.virusradar.com/en/Win32_Virut.E/description
O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It's late!
* Hidden part #2. Text picked from the following URL:
* http://www.virusradar.com/en/Win32_Ridnu.NAA/description
DEAR MY PRINCESS
WHEN THE STARS FILL THE SKY I WILL MEET YOU MY LOVELY PRINCESS
I MISS YOU SO MUCH MY PRINCESS
IN MY DEAREST MEMORY I SEE YOU REACHING OUT TO ME
I WILL REMEMBER YOU AS LONG AS YOU REMEMBER ME
IN YOUR DEAREST MEMORY DO YOU REMEMBER LOVING ME
PLEASE DO NOT FORGET OUR PAST
DID YOU KNOW THAT I HAD MIND ON YOU
I NEVER WISH TO LOSE YOU AGAIN
SHALL I BE THE ONE FOR YOU
I WANNA TAKE YOU TO MY PALACE
I WILL TAKE YOU TO OUR UTOPIA
I AM FALLING IN LOVE WITH YOU
I WILL BE WAITING FOR YOU
I DO NOT WANT TO SAY GOOD BYE TO YOU
PLEASE DO NOT FORGET YOUR PRINCE
I SAW YOU SMILING AT ME WAS IT REAL OR JUST MY FANTASY
YOU WILL ALWAYS IN MY HEART
YOU ALWAYS IN MY DREAMS
I ALWAYS SEE YOU IN MY DREAMS
I HAVE BEEN POISONED BY YOUR LOVE
I MISS YOU I AM STILL LOOKING FOR YOU
I WILL BE THERE I WILL BE WAITING FOR YOU
PLEASE COME BACK TO OUR BEAUTY ISLAND
I MISS YOUR CUTE SMILE
* Hidden part #3.
Continue with the next ESET crackme here:
<Secret Link>
NeOXOeN
August 12th, 2013, 18:00
sorry guys, I am not the coder of this.. found it on the tuts forum so I thought I would post it here also.. didn't, it's junky :P
bye NEO
dion
August 13th, 2013, 07:08
i did some boring checks, compared the modified UPX stub with every known version of UPX.
comparing the routines at the end of the stub, found that the UPX version used is >= v1.95.
comparing one opcode (sar eax, 1 somewhere), found that the UPX version used is < v1.20.
so, none of them produce the same stub, it's weird.
i also found that in the beginning the [or ebp, -1, which is used in what might be all versions of UPX] is omitted. i read the source but i don't quite understand what it is used for.
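The kind of stub comparison dion describes above can be partly automated. The following script is an added example, not dion's code and not part of the ESET crackme: it parses a PE32 header, locates the bytes at the entry point, and reports whether the file carries UPX section names, whether the entry starts with `pushad` (0x60), and whether the `or ebp, -1` instruction (encoded `83 CD FF`) appears in the first bytes of the stub. A packed file whose sections say UPX but whose stub is missing the instruction is a hint that the stub has been hand-modified, which is a useful triage signal for analysts. The two sample stubs and the minimal PE built around them are constructed for the demonstration; the script does not claim to fingerprint specific UPX versions.

```python
import struct

# Encoding of `or ebp, -1` (83 /1 ib, ModRM 0xCD). Assumption: only the
# 32-bit imm8 form used by the classic UPX stub is checked.
OR_EBP_MINUS1 = b"\x83\xcd\xff"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32 image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    base = opt + opt_size
    for i in range(nsect):
        off = base + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rawptr, rawsize))
    return entry_rva, sections


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for _name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError("RVA is not backed by any section")


def analyse_stub(data, window=32):
    """Heuristic report on the first `window` bytes at the entry point."""
    entry_rva, sections = parse_pe(data)
    names = {s[0] for s in sections}
    code = data[rva_to_offset(entry_rva, sections):][:window]
    return {
        "upx_sections": bool(names & UPX_SECTION_NAMES),
        "starts_with_pushad": code[:1] == b"\x60",
        "has_or_ebp_minus1": OR_EBP_MINUS1 in code,
        "entry_bytes": code.hex(),
    }


def build_sample_pe(stub):
    """Construct a minimal PE32 (UPX0 / UPX1 sections) with `stub` at the entry.
    Constructed test input only; it is not a real packed binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                      # entry = start of UPX1

    def sect(name, vsize, vaddr, rawsize, rawptr):
        return (name.ljust(8, b"\0")
                + struct.pack("<IIII", vsize, vaddr, rawsize, rawptr)
                + b"\0" * 16)

    hdr = (dos + b"PE\0\0" + coff + bytes(opt)
           + sect(b"UPX0", 0x1000, 0x1000, 0, 0)
           + sect(b"UPX1", 0x1000, 0x2000, 0x200, 0x200))
    return hdr.ljust(0x200, b"\0") + stub.ljust(0x200, b"\0")


# Constructed stub prologues in the classic UPX shape:
#   pushad; mov esi, imm32; lea edi, [esi+disp32]; push edi; or ebp, -1; jmp short
STOCK_STUB = bytes.fromhex("60 BE 00 10 40 00 8D BE 00 00 FF FF 57 83 CD FF EB 10")
# Same prologue with `or ebp, -1` removed, mimicking the modified stub dion found.
MODIFIED_STUB = bytes.fromhex("60 BE 00 10 40 00 8D BE 00 00 FF FF 57 EB 10")

if __name__ == "__main__":
    for label, stub in (("stock", STOCK_STUB), ("modified", MODIFIED_STUB)):
        print(label, analyse_stub(build_sample_pe(stub)))
```

Run against a real file, `analyse_stub(open(path, "rb").read())` is enough; the report is a triage hint to be confirmed in a disassembler, exactly the manual comparison dion describes.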
NeOXOeN
August 13th, 2013, 07:33
InDy: Your goal is to perform an analysis of the code of this executable. The analysis of the code should produce information about the payload of the program, conditions necessary for the execution of certain actions, etc.
Indy
August 13th, 2013, 08:01
It does not work. What other analysis lol
Aver's fucked again
Robert Šuman(ESET) reply:
Quote:
[virus probably unknown WIN32 virus] EsetCrackme2013
They are idiots.
NeOXOeN
August 13th, 2013, 08:03
maybe you want a working dropper :P or virus

Indy
August 13th, 2013, 08:07
yes, opensource lool))
NeOXOeN
August 13th, 2013, 08:08
hehehe

Inliferty
August 13th, 2013, 11:14
I already posted the hidden Output (only removed the Link to the next CrackMe) of the program and you still say it is not working ... Clearly you must do something wrong or miss a (debug) check.