View Full Version : very mini project :-D


the analyst / ucf
July 11th, 2001, 08:58
hello all,

i think i got something for you to work on.
i coded a rather easy crackme.
the goal is to enter a serial and to get the good boy message..
however , it is not as easy as it seems
i've never seen such a crackme, and i wonder how you guys would
use your reversing skills to complete that one
NO PATCH allowed :-P
use your brain and have fun ;-)
every one can try it and it is not that hard
i will give some hints if needed ;o)

file : http://www.abfiles.cjb.net/weird.zip

regards,

the analyst / ucf

ps: as strange as it may look, this crackme introduces you guys at something that many reverse engineers do nowadays
good hunt

S4v4G3
July 11th, 2001, 11:26
Hello All...

Oki... Lets give it a try...
But This iz weird =)

the analyst / ucf
July 11th, 2001, 11:42
Quote:
S4v4G3 (07-11-2001 09:26):
Hello All...

Oki... Lets give it a try...
But This iz weird =)


indeed
i just wonder how you guys are going to face that app
i once thought about writing such a protection.
but there are many things to test to make a good protection out of this.
you will see what i mean once you try it
it is not obvious to see my point anyway.
hope this is not too boring for everyone, but try it to see

regards,

the analyst

CoDe_InSiDe
July 11th, 2001, 13:31
Hi Analyst,

Damnit, why did you use that Borland crap ? ;D

Hmm..... first is fake..... Second lot's o checks heh
err... ?

Cya...

CoDe_InSiDe

Kythen
July 11th, 2001, 13:59
Very clever scheme analyst!

I think I had a bit of an unfair advantage in solving this one though as I read a book on the subject recently

Interesting to finally be able to get a feel for how one of these things actually works.

Thanks!

PS: a rather cryptic hint - The weakness of the code is its strength

the analyst / ucf
July 11th, 2001, 18:03
Quote:
CoDe_InSiDe (07-11-2001 11:31):
Hi Analyst,

Damnit, why did you use that Borland crap ? ;D

Hmm..... first is fake..... Second lot's o checks heh
err... ?

Cya...

CoDe_InSiDe



how far are you mate ?
heh u gotta love those checks
later,

the analyst

the analyst / ucf
July 11th, 2001, 18:04
Quote:
Kythen (07-11-2001 11:59):
Very clever scheme analyst!

I think I had a bit of an unfair advantage in solving this one though as I read a book on the subject recently

Interesting to finally be able to get a feel for how one of these things actually works.

Thanks!

PS: a rather cryptic hint - The weakness of the code is its strength



hehehe
the code is quite small isn't it ?
hmm mail me ur solution , i wonder how you did it
i may have a different way to crack it
regards,

the analyst

LaptoniC
July 11th, 2001, 21:38
I have solved it too. It was really fun. There are more serials than you can imagine

the analyst / ucf
July 12th, 2001, 04:56
Quote:
LaptoniC (07-11-2001 19:38):
I have solved it too. It was really fun. There are more serials than you can imagine


i know
heh, this is my everyday work btw
for those who succeed, write me a mail , and show me how you did it
it is nice to see that reversers use their knowledge to face not so common problems

regards,

the analyst

hint : "c'est la goute qui a fait deborder le vase"
go figure it out ;-)

the analyst / ucf
July 12th, 2001, 13:58
hey guys

i got only 2 answers..
2 guys succeed.. no questions ...
is my project not interesting ?
it introduces one of the most used forms of RE on the application side btw
get your hand on it..
if yu got some questions , i can answer..

best regards,

the analyst

Raven58
July 12th, 2001, 20:51
Downloaded your project. I first used get file type on this and learned it was a dos executable and not packed. I then ran the program using inctrl5 and learned nothing of interest there. Using wdasm, I noticed Delphi and attempted to use dede, had trouble opening it, proceeded anyway and noticed a run time package(?). Nothing under any of the headings using dede was found. Under wdasm is a good boy string message with some possible patch points noted but this was not the intended way to go. Also used apispy on this. Broke in sice on hmemcpy but could not f12 into the program or code. Will attempt to use sice and break on api's noted in the apispy program. Used procdump, looked at sections and nothing rang a bell. So you see that two reversers solved this but this newbie had no luck. Perhaps some hints are in order or perhaps I am way off base. Thanks for your time and effort in bringing the project to us. This beginner is always learning something new, although I am lost here.

Raven58

tony b.
July 12th, 2001, 21:38
Interesting one... thanks analyst. I also have been reading about the subject so it hit me pretty quickly.

Maybe a hint: if you load this into IDA there seems to be no way to get to the congrats message... so how can you make a way without a patch?

regards,

tony

the analyst / ucf
July 13th, 2001, 04:56
Quote:
Raven58 (07-12-2001 18:51):
Downloaded your project. I first used get file type on this and learned it was a dos executable and not packed. I then ran the program using inctrl5 and learned nothing of interest there. Using wdasm, I noticed Delphi and attempted to use dede, had trouble opening it, proceeded anyway and noticed a run time package(?). Nothing under any of the headings using dede was found. Under wdasm is a good boy string message with some possible patch points noted but this was not the intended way to go. Also used apispy on this. Broke in sice on hmemcpy but could not f12 into the program or code. Will attempt to use sice and break on api's noted in the apispy program. Used procdump, looked at sections and nothing rang a bell. So you see that two reversers solved this but this newbie had no luck. Perhaps some hints are in order or perhaps I am way off base. Thanks for your time and effort in bringing the project to us. This beginner is always learning something new, although I am lost here.

Raven58


ok mate,

this doesn't use delphi.
but borland C++
you saw a good boy string, but if you look around, you see that there aren't any references to it.
so what ?
let me give some helpful hints :

look at the size of the max name length.
play with name length.

i will publish a solution later i guess.
do i need to publish it already ? or you prefer me to do it on monday?

best regards,

the analyst

the analyst / ucf
July 13th, 2001, 05:01
Quote:
tony b. (07-12-2001 19:38):
Interesting one... thanks analyst. I also have been reading about the subject so it hit me pretty quickly.

Maybe a hint: if you load this into IDA there seems to be no way to get to the congrats message... so how can you make a way without a patch?

regards,

tony


ehe
you got it too im sure
i wish more ppl would have looked at this one.
it is either too weird, or maybe not interesting
the best hint ever is :
"c'est la goute qui fait deborder le vase"

it is way enuf to get it

regards,
the analyst

neo
July 13th, 2001, 12:11
It's interesting but it's also hard to find the right one ...because the analyst made a good job by doing it... and like we all know he is good at a lot of things ... i think that most ppl are quiet because they are trying like me ..

Length you say... i will see about that ...

NeO'X'QuiCk

the analyst / ucf
July 14th, 2001, 05:46
Quote:
neo (07-13-2001 10:11):
It's interesting but it's also hard to find the right one ...because the analyst made a good job by doing it... and like we all know he is good at a lot of things ... i think that most ppl are quiet because they are trying like me ..

Length you say... i will see about that ...

NeO'X'QuiCk


hey,

length indeed
i will post my solution on monday, and also the ones from others
till that day, keep trying and work well
regards,

the analyst

the analyst / ucf
July 16th, 2001, 10:59
hello reversers ;-)

im actually writing a little text for this project, and i will publish it here in a few hours.
im trying to explain every step, not to lose newbies along the road
i coulda done something smaller tho, but it is not the goal of the board.
for now, regards and have fun

the analyst

Kayaker
July 16th, 2001, 11:57
Quote:
the analyst / ucf (07-16-2001 08:59):
hello reversers ;-)

im actually writing a little text for this project, and i will publish it here in a few hours.
im trying to explain every step, not to lose newbies along the road
i coulda done something smaller tho, but it is not the goal of the board.
for now, regards and have fun

the analyst


Hi the analyst,

Hey, appreciate the project, and the tut. But you know what? I'm still kind of intrigued by the project and don't really want to know the answer quite yet.

I know, I know, I don't have to read it, but...you know

Your project's only been up for a few days and I only got the chance to have a good look at it last night. It's up to you, but I'd just like to see another teaser hint. I'm sure there are several people who have given up on it, eagerly awaiting your explanation. To hell with them I say ^_^, make 'em wait or make 'em work.

I think the project is different enough from the norm that it deserves to be an open-ended challenge. At least for now

"Shut up Kayaker", I hear several people yelling, "I want the friggin' answer!"

OK, whatever, I'm just having fun. Post it if you want, I'm sure the answer will be intriguing.

I think I've figured out the "c'est la goute qui fait deborder le vase" analogy, but on my system le vase tomber avec un grand fracas chaque fois il debordement

Bifurcation of variables? Might this be the principle behind it?

Cheers,
Kayaker

the analyst / ucf
July 16th, 2001, 13:41
Quote:
Kayaker (07-16-2001 09:57):
Quote:
the analyst / ucf (07-16-2001 08:59):
hello reversers ;-)

im actually writing a little text for this project, and i will publish it here in a few hours.
im trying to explain every step, not to lose newbies along the road
i coulda done something smaller tho, but it is not the goal of the board.
for now, regards and have fun

the analyst


Hi the analyst,

Hey, appreciate the project, and the tut. But you know what? I'm still kind of intrigued by the project and don't really want to know the answer quite yet.

I know, I know, I don't have to read it, but...you know

Your project's only been up for a few days and I only got the chance to have a good look at it last night. It's up to you, but I'd just like to see another teaser hint. I'm sure there are several people who have given up on it, eagerly awaiting your explanation. To hell with them I say ^_^, make 'em wait or make 'em work.

I think the project is different enough from the norm that it deserves to be an open-ended challenge. At least for now

"Shut up Kayaker", I hear several people yelling, "I want the friggin' answer!"

OK, whatever, I'm just having fun. Post it if you want, I'm sure the answer will be intriguing.

I think I've figured out the "c'est la goute qui fait deborder le vase" analogy, but on my system le vase tomber avec un grand fracas chaque fois il debordement

Bifurcation of variables? Might this be the principle behind it?

Cheers,
Kayaker


hehe
heya kayaker !
actually , the vase doesn't break here ;-)
i'd like to publish the solution, in order to make them learn something from it, but you are also right, that they should better try on their own
i might wait till tomorrow evening ?
the tutorial will be quite detailed and i hope it will help ppls to finish that one.
i only got 3 valid answers yet, not that big imho.
hey guys? where are you atm ? )
don't hide under your desktop and give it a try
shake ur brain it is not only used to unpack asprotect ,is it ?
ok for a hint :

"c'est la goute qui fait deborder le vase"
"mais ne perdons pas l'eau qui deborde ;-)"
"recuperons la plutot et utilisons la "

i can't say much, it is so easy reading those sentences

work well, and don't only focus on common cracking techniques coz they are helpless ))

regards,

the analyst

woodmann
July 16th, 2001, 14:29
work well, and don't only focus on common cracking techniques coz they are helpless ))

I concede to the Analyst


I cant find an online translator worth a shit

I got all pissed off trying to figure it out so I decided to be lazy and try to patch it.

Needless to say I got it to do some funky things before I nuked it.
I will d/l it again and wait for an answer.
The best part is my interest is coming back to me as far as protection schemes
Thanks to you Analyst.

Peace, Woodmann

Kythen
July 16th, 2001, 17:53
Quote:
Needless to say I got it to do some funky things before I nuked it.


The fact that you got it to do some funky things is a better hint than almost anything else we could give you

cryptic hint #2: It's a long road to the point of no return, so you had better change your destination.

the analyst / ucf
July 17th, 2001, 04:56
Quote:
Kythen (07-16-2001 15:53):
Quote:
Needless to say I got it to do some funky things before I nuked it.


The fact that you got it to do some funky things is a better hint than almost anything else we could give you

cryptic hint #2: It's a long road to the point of no return, so you had better change your destination.



hey
hint 2 is way too clear ;-)
i have almost finished the solution, and i think that i will post it this evening
or tomorrow morning, depends on my laziness ;-)

"it's the drop that made the vase overflow "
fucking hell, no more help now :-)

regards,

the analyst

the analyst / ucf
July 17th, 2001, 15:03
(First part )
Hello all, here comes my solution for my little crackme.
I didn't receive much answers, but i hope you will try it with this solution.
i think that it is not needed to wait anymore , coz you are all prolly too damn lazy and just waiting one or two days more won't change it
so here it goes, have fun:


tools used :

- IDA mostly
- Soft ice
- hexeditor (optional)

1) study of the crackme


ok, i first ran it to see what happened:


-- The analyst's weird crackme --
---------------------------------
enter your serial please:


ok, alright, i enter a serial such as : IOWNU
once you press Enter, nothing happens. If we press again, it closes for good.
ok let's use IDA and disassemble our weird.exe. It takes a lil while and then we
see that:


CODE:00401108 push ebp
CODE:00401109 mov ebp, esp
CODE:0040110B add esp, 0FFFFFFB4h ; char
CODE:0040110E push offset aTheAnalystSWei ; __va_args
CODE:00401113 call _printf ; print some text.
CODE:00401118 pop ecx
CODE:00401119 push offset asc_40C097 ; __va_args
CODE:0040111E call _printf ; same
CODE:00401123 pop ecx
CODE:00401124 push offset aEnterYourSeria ; __va_args
CODE:00401129 call _printf ; same again
CODE:0040112E pop ecx
CODE:0040112F lea eax, [ebp+s] ; buffer
CODE:00401132 push eax ; s
CODE:00401133 call _gets ; get entered serial
CODE:00401138 pop ecx
CODE:00401139 nop
CODE:0040113A lea edx, [ebp+s]
CODE:0040113D push edx ; s
CODE:0040113E call _strlen ; get his length
CODE:00401143 pop ecx
CODE:00401144 mov edx, eax
CODE:00401146 cmp edx, 19h ; is it less than 25?
CODE:00401149 jl short loc_401182 ; yeah
CODE:0040114B cmp edx, 78h ; is it more than 120?
CODE:0040114E jg short loc_401182 ; yeah
CODE:00401150 mov eax, 1 ; eax = 1 , initialise loop
CODE:00401155 cmp edx, eax ; did all chars?
CODE:00401157 jl short loc_40115E ; no let's jump
CODE:00401159
CODE:00401159 loc_401159: ; CODE XREF: _main+54j
CODE:00401159 inc eax ; eax = eax + 1
CODE:0040115A cmp edx, eax ; did all chars?
CODE:0040115C jge short loc_401159 ; no let's loop
CODE:0040115E
CODE:0040115E loc_40115E: ; CODE XREF: _main+4Fj
CODE:0040115E mov eax, 7A69h ; eax = 31337
CODE:00401163 test eax, eax
CODE:00401165 jnz short loc_401182 ; jump quit
CODE:00401167 cmp eax, 1388h
CODE:0040116C jl short loc_401182 ; jump quit
CODE:0040116E cmp eax, 3A98h
CODE:00401173 jg short loc_401182 ; jump quit
CODE:00401175 jmp short loc_401182 ; jump quit
CODE:00401177 ; ---------------------------------------------------------------------------
CODE:00401177 push offset aWooCongrats ; __va_args ; good boy message
CODE:0040117C call _printf
CODE:00401181 pop ecx
CODE:00401182
CODE:00401182 loc_401182: ; CODE XREF: _main+41j
CODE:00401182 ; _main+46j ...
CODE:00401182 call _getch ; wait till a key is pressed
CODE:00401187 xor eax, eax
CODE:00401189 mov esp, ebp
CODE:0040118B pop ebp
CODE:0040118C retn


A quick look shows us that there is NO x-ref to our good boy message, but rather some jumps that go directly to the
end of the crackme.
Quite weird, isn't it ? oh isn't it the name of my crackme?
Let's have a look at the goal of that crackme to see what we have to do.
lemme paste my 1st post from the message board:


"the goal is to enter a serial and to get the good boy message..
however , it is not as easy as it seems
i've never seen such a crackme, and i wonder how you guys would
use your reversing skills to complete that one
NO PATCH allowed "



ok goal is to get the good boy message, without patching it
just enter a serial. interesting, but how can we do it, without patching when there is no jump to the good
boy message?


i see no way except a nice buffer overflow ;-)
wtf? this is pretty new, isn't it ? in crackme at least.
ok, first, what is a buffer overflow ?

A buffer overflow happens when the string that we enter is bigger than our buffer.
so it overflows. the values that are over the buffer might get executed.
If we put some random values, the program crashes, but if we put good ones then the code is executed!
Once you have read that tutorial, i advise you to get your hand on some nice tutorials, such as 'smashing the stack',
and other nice ones in phrack magazine.
Phrack 55 has a nice tutorial about Win32 buffer overflow, that i advise you to read.
ok let's continue now.

2)overflowing the beast


ok, First of all, we have to check if there is a buffer and its size.



CODE:0040112E pop ecx
CODE:0040112F lea eax, [ebp+s] ; buffer
CODE:00401132 push eax ; s
CODE:00401133 call _gets ; get entered serial
CODE:00401138 pop ecx
CODE:00401139 nop
CODE:0040113A lea edx, [ebp+s]
CODE:0040113D push edx ; s


ok, this is obvious. eax is pushed on the stack, just before a call to the 'gets' function.
lemme put some C code to demonstrate it

--------------------------------------------------------------------------------

#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <iostream.h>

int main(){

unsigned char name[50];   // 50-byte buffer on the stack

gets(name);               // unbounded read: anything longer than the buffer overflows it

return 0;
}

--------------------------------------------------------------------------------

As we can see, there is a buffer called 'name' which is 50 bytes long.
then, we use 'gets'. our input goes into 'name'.
We defined it as 50 chars long. but what happens if we type 100 chars in ? a nice overflow
I hope you are following me.


let's continue.
We have to check how big our buffer is. According to IDA it is 75 chars long.

First, we look at our stack parameters:

CODE:00401108 s = byte ptr -4Ch
CODE:00401108 argc = dword ptr 8
CODE:00401108 argv = dword ptr 0Ch
CODE:00401108 envp = dword ptr 10h
CODE:00401108 arg_11 = dword ptr 19h

see 's' ?
run softice and do :
? ~-4C
it gives us 75 )

For me it looks pretty much that the max size of the buffer is 75 chars.
Let's test and enter something like 80 chars :

-- The analyst's weird crackme --
---------------------------------
enter your serial please:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


our program crashes nicely , no wonder ;-)
we entered a string of 80 chars, which is 4 chars more than the max size of the buffer.
Having a look at the registers, i can see that EBP=41414141.
Interesting isn't it ? where are those 41h coming from ?
41h is the hexadecimal ascii value of "A" )
so we just overwrote EBP.. ok nice, but the best thing would be to overwrite EIP )
Once EIP is overwritten, we can execute any code we want!
ok, let's enter 84 chars to see what happens now :

**** read the next part ****

the analyst / ucf
July 17th, 2001, 15:04
(2nd part)


-- The analyst's weird crackme --
---------------------------------
enter your serial please:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ok now our app still crashes, but we get :
instruction at the address 41414141h uses the memory address at 41414141h. memory cannot be read.
in fact, it tries to execute code at VA : 41414141h.
ok now i *HOPE* you know what to do !

what about replacing our return address with something different than 41414141h ?
say, something like the good boy message location ?

CODE:00401177 push offset aWooCongrats ; __va_args ; good boy
CODE:0040117C call _printf


hmm, ok we have to put '401177' as our return address and it will obviously print it on our screen
ok, just before doing that, let's try to enter a different serial such as :

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1234

why ? just to see what the return address is now. we might have to reverse the byte order.


here we go, it crashes at address "34333231h". so we have to reverse our return address.
now we have : 771140. this is "w@" in ascii

let's try to enter it :

C:\attente>weird
-- The analyst's weird crackme --
---------------------------------
enter your serial please:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAw^Q@

wOO! congrats



WOO! it worked!
note: there is still the pause that waits till we press a key, but when we press that key, EIP
gets executed and we land at the good boy message!

here we go.
as i said, it was not that difficult, but rather new for a crackme
i hope you learnt something from it, and i advise you to read some essays from phrack magazine.
Such as "Smashing the stack", and the one on win32 buffer overflow (phrack 55).


3) source of my lame weird crackme (coded in 15 seconds)


#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <iostream.h>

int main(){
int i,len,temp=0;

unsigned char name[75];       // the 75-byte stack buffer (s = byte ptr -4Ch in IDA)

unsigned long check=0;

printf("-- The analyst's weird crackme --\n");
printf("---------------------------------\n");
printf("enter your serial please:\n");

gets(name);                   // unbounded read: longer input overflows name[]
asm{ nop};                    // the nop seen right after the call to _gets

len=strlen(name);

//cout << len;
if (len < 25) goto theend;    // real length gate, but it runs after the overflow
if (len > 120 ) goto theend;
for (i=1; i <= len ; i++)
{
temp += name[i] ;
}

if (temp = 31337) goto theend; // fake check: assignment, always true (mov eax,7A69h / test / jnz)
if (temp < 5000) goto theend;  // never reached
if (temp > 15000) goto theend; // never reached

goto theend;                   // the good boy message has no path leading to it

printf("wOO! congrats\n");

theend:

getch();
return 0;
}


greetings go to :

duelist,dimedrol,ivanopulo,nu,CrackZ,G-Rom,iceman,spath,frog's print,Warezpup,corn,tin,
llama,quantico,carpathia,pain, yoshi.
i just can't be arsed to type every goddamn nicks, so greetings to my pals in #cracking4newbies, #ol,#u**.


copyright pissed away, all right reversed

tHE ANALYST [UCF/HERT]
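
An added example (my own code, not the analyst's crackme or anything from the post): a bounded replacement for the crackme's gets(name), next to a small function that maps a typed byte's index to the part of main's frame it lands in, using the offsets from the IDA listing above (s at ebp-4Ch, so 76 bytes to the saved EBP and 80 to the return address). The getc_fn reader abstraction and the in-memory string source are my construction so the block runs offline without typing input.

```c
#include <stdio.h>
#include <string.h>

/* Sizes taken from the crackme as posted: `unsigned char name[75]` and
 * IDA's `s = byte ptr -4Ch` (name[0] sits 0x4C = 76 bytes below the saved EBP). */
#define NAME_CAP 75
#define SAVED_EBP_OFF 0x4C        /* index of the first saved-EBP byte, counted from name[0] */
#define RET_ADDR_OFF (0x4C + 4)   /* index of the first return-address byte */

enum region { REGION_BUFFER = 0, REGION_SAVED_EBP = 1, REGION_RET_ADDR = 2, REGION_BEYOND = 3 };

/* Which part of main's frame the byte at index `idx` of the typed line lands
 * in once gets() has copied it. This is the arithmetic behind the two
 * observations in the solution: 80 'A's cover indices 76..79 (EBP = 41414141),
 * 84 'A's cover 80..83 (EIP = 41414141). gets() also stores a NUL at index len. */
enum region frame_region(size_t idx) {
    if (idx < SAVED_EBP_OFF) return REGION_BUFFER;
    if (idx < RET_ADDR_OFF) return REGION_SAVED_EBP;
    if (idx < RET_ADDR_OFF + 4) return REGION_RET_ADDR;
    return REGION_BEYOND;
}

/* The crackme's real length gate (25..120 inclusive). In the posted source it
 * runs after gets() has already copied the whole line, and 120 exceeds the
 * 75-byte buffer, so it cannot stop the overflow; the limit has to be applied
 * while reading, as read_line_bounded() does below. */
int serial_length_ok(size_t len) {
    return len >= 25 && len <= 120;
}

/* Character source abstraction (my own construction) so the same reader can
 * run on stdin or, for the offline demo and test, on an in-memory string. */
typedef int (*getc_fn)(void *ctx);

struct str_src { const char *p; };

int str_getc(void *ctx) {
    struct str_src *s = ctx;
    return *s->p ? (unsigned char)*s->p++ : EOF;
}

int stdin_getc(void *ctx) {
    return fgetc((FILE *)ctx);
}

/* Bounded replacement for `gets(name)`: stores at most cap-1 characters plus
 * the terminator. Returns the line length, -1 on EOF with nothing read, or -2
 * when the line does not fit; in that case the rest of the line is drained so
 * the next read starts fresh, and buf is left empty. */
int read_line_bounded(char *buf, size_t cap, getc_fn next, void *ctx) {
    size_t len = 0;
    int c;
    if (cap == 0) return -1;
    while ((c = next(ctx)) != EOF && c != '\n') {
        if (len + 1 < cap) {
            buf[len++] = (char)c;
        } else {
            while ((c = next(ctx)) != EOF && c != '\n') { }  /* drain the over-long line */
            buf[0] = '\0';
            return -2;
        }
    }
    buf[len] = '\0';
    return (c == EOF && len == 0) ? -1 : (int)len;
}

/* What read_line_bounded() returns for `text` read into a NAME_CAP-byte buffer. */
int read_result_for(const char *text) {
    char name[NAME_CAP];
    struct str_src src = { text };
    return read_line_bounded(name, sizeof name, str_getc, &src);
}

/* Same, for a line made of n 'A's (the kind of input used in the solution). */
int result_for_run_of_a(size_t n) {
    char line[256];
    if (n > sizeof line - 2) return -1;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return read_result_for(line);
}

int main(void) {
    printf("84 x 'A' through read_line_bounded: %d (rejected instead of overwriting the frame)\n",
           result_for_run_of_a(84));
    printf("byte 79 -> region %d (saved EBP), byte 80 -> region %d (return address)\n",
           (int)frame_region(79), (int)frame_region(80));
    return 0;
}
```

To use it on real input, call read_line_bounded(name, sizeof name, stdin_getc, stdin) in place of gets(name) and apply serial_length_ok() to the returned length.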

woodmann
July 17th, 2001, 15:58
Excellent !!!!!

the analyst / ucf
July 17th, 2001, 17:59
Quote:
woodmann (07-17-2001 13:58):
Excellent !!!!!


thx mate
it was not hard, was it ;-)

Kayaker
July 17th, 2001, 23:57
Excellent indeed. No, no, that's not the phrase I want. F***ing A. Yeah, that's it

I could see EBP being overwritten by the buffer overflow and figured that was the end of that line of questioning. So I started concentrating on the ReadConsoleInputA call following that in the 2nd input line (the 1st uses ReadFile to read in the characters), thinking there was some way to enter more than 1 character. But to do this I had to change the INPUT_RECORD structure of the call, but to do this I had to change the WINDOW_BUFFER_SIZE_RECORD structure, but to do this I had to...

Off on a tangent ;p

Weird. But interesting. Probably implementable in a commercial scheme if the programmer knew what he was doing. Say instead of jumping to the wOOhoo message you jumped to a routine (just the fact that you're here means the right s/n was entered, read in from a lic file, or whatever) which enabled some demo function by repairing some code, then fixed up the stack which was just corrupted, and then control was returned to the calling thread. Sure makes tracing for a good s/n difficult if the app keeps crashing on wrong entries.

Phrack mag you say? Sounds like some interesting bedtime reading. Congrats on an interesting challenge.

Regards,
Kayaker

the analyst / ucf
July 18th, 2001, 05:11
Quote:
Kayaker (07-17-2001 21:57):
Excellent indeed. No, no, that's not the phrase I want. F***ing A. Yeah, that's it

I could see EBP being overwritten by the buffer overflow and figured that was the end of that line of questioning. So I started concentrating on the ReadConsoleInputA call following that in the 2nd input line (the 1st uses ReadFile to read in the characters), thinking there was some way to enter more than 1 character. But to do this I had to change the INPUT_RECORD structure of the call, but to do this I had to change the WINDOW_BUFFER_SIZE_RECORD structure, but to do this I had to...

Off on a tangent ;p

Weird. But interesting. Probably implementable in a commercial scheme if the programmer knew what he was doing. Say instead of jumping to the wOOhoo message you jumped to a routine (just the fact that you're here means the right s/n was entered, read in from a lic file, or whatever) which enabled some demo function by repairing some code, then fixed up the stack which was just corrupted, and then control was returned to the calling thread. Sure makes tracing for a good s/n difficult if the app keeps crashing on wrong entries.

Phrack mag you say? Sounds like some interesting bedtime reading. Congrats on an interesting challenge.

Regards,
Kayaker


hehe )
yeah, phrack is a good resource for knowledge indeed.
i didn't learn it from there tho.

http://packetstormsecurity.org/mag/phrack/phrack55/P55-15
win32 buffer overflows

and a general one :
http://www.shmoo.com/phrack/Phrack49/p49-14

buffer overflows are a part of my work actually ;-)
this said, a protection could use it someway yeah.
i will check that later ;-)
nice thing you did btw but a bit complicated he?
ok, now i hope that i will get some feedbacks, and i want to know if ppl tried to make it work
another challenge coming somedays
ie : writing real exploits for some FTPd ;-)
which is more challenging than my easy weird crackme

best regards,

the analyst

DEATH
July 19th, 2001, 19:10
Hello analyst

Actually I saw a solution that includes overflowing the crackme in another crackme, but that solution just overwrote the checksum code compared to a hash generated on a few characters of the password...

r2r2
July 20th, 2001, 17:40
hmmm is java vulnerable to buffer overflows?

personal msg to analyst: was that somehow linked to your recent paper covering the 'caramail' webchat protocol? =)

-r2

r2r2
July 20th, 2001, 17:45
duh, a quick google search reported me that:

'For example, buffer overflow attacks are impossible in a Java program, because Java automatically checks that an array index is within the proper bounds. Unfortunately, full-blown range checking in C is impossible, because of the dichotomy between arrays and pointers'

www.mcs.csuhayward.edu/~simon/security/boflo.html

(nice links there)

again, nice crackme analyst

the analyst / ucf
July 23rd, 2001, 09:38
Quote:
r2r2 (07-20-2001 15:45):
duh, a quick google search reported me that:

'For example, buffer overflow attacks are impossible in a Java program, because Java automatically checks that an array index is within the proper bounds. Unfortunately, full-blown range checking in C is impossible, because of the dichotomy between arrays and pointers'

www.mcs.csuhayward.edu/~simon/security/boflo.html

(nice links there)

again, nice crackme analyst


hello all

im back now
i have been away for some time, coz i was getting engaged
had a nice party and drank a lot ;]]
wish me good luck heh

anyway, im gonna read that page, thx for the link r2
what do u mean with my paper on the web chat protocol ?
i did not overflow anything there )
tell me more

to death :

ah, in fact i got that crackme done for something like 1 year and a half on my had
i wrote it for some tests at work, when i was doing (and i still do) vulnerability research..
i did modify it a bit to add some fake checks tho
just to piss some boys off
feel free to mail me in case of need

regards all

the analyst (now engaged *doh* )

Kythen
July 23rd, 2001, 14:31
Hey Analyst

First of all, congrats on the engagement hehe, better get all your RE studying in now while you still can!

Second, what kind of vulnerability research have you done? More on buffer overflows like this, or other areas as well? Plz mail me if you can, as your crackme has gotten me curious about these types of things

r2r2
July 24th, 2001, 06:05
nothing, i was just wondering if your bof research was to discover new holes in caranewchat.jad =) (for those who didn't read analyst's tut: it's the webchat client)

but i found my answer when i saw java had its own bounds checking (bah that makes me hate java even more than before =), jk).