Krypton 2


the_analyst
August 30th, 2002, 13:58
Hello everyone,

I came across this lil crackme yesterday when someone pointed me to it. I didn't have time to work on it much because I'm finishing some other projects, but I thought you might be interested in its anti-debugging features.
On Win9x, put a bpx and your computer freezes when you run it. The same happens with a BPM.
If you trace it the wrong way, you freeze also.
It has bpx detection and nice anti-debugging features.
Try to open it with IDA and it will complain with a message I had never seen before.
You are not allowed to change the OEP so that it shows the good boy message. Read the readme carefully.

I'm going away this weekend, but I will have a better look next week. If you guys wanna play ;-)

Oops, forgot to add a lil URL ;-)

h**p://www.lockless.com/products/Krypton2.zip

Best Regards,

tHE ANALYST

ZaiRoN
August 30th, 2002, 16:04
Hi the_analyst!!!
Nice to see another hard-level project for this area.

If you want an introduction to the protection used by the target, take a look at this thread:
http://www.woodmann.net/forum/showthread.php?threadid=1122&highlight=krypton

I have already solved this crackme, so I will not participate in the project.
In any case I will be here to try to help you if you have some problems...

have fun!
regards,
ZaiRoN

Bengaly
August 30th, 2002, 18:17
I think analyst can pretty much manage on his own :P -> he is l33to )

ZaiRoN
August 30th, 2002, 18:59
lol Ben

My help is not only directed to the_analyst but to all the companions who will want to try this crackme.

cya,
ZaiRoN

evaluator
August 31st, 2002, 04:15
Ok, I looked at Lockless & downloaded it from there.
Heh, I enjoyed playing with Krypton2 on XP! (I'm a crazy man~

But it seems, because of ethics, we can't review this crackme here!
Because it is "official crackme" of Lockless.

Am I right!?

If yes, stop now.

ZaiRoN
August 31st, 2002, 09:50
Hi evaluator,
the official Lockless crackme is Krypton #3.
If I remember well, Krypton #2 was the old trial crackme, so I think there isn't any problem in working together on it.

have fun!!!
ZaiRoN

the_analyst
September 2nd, 2002, 08:30
Hey

Ok, I'm back from the neat weekend, and I will give this crackme a lil try.
I did check it quickly and I have it almost decrypted here.
So the goal of the crackme is to have a working executable that shows some windows, and if you press some buttons, it must give you the good boy message? Am I correct?

At the moment, the only part of the executable that still seems encrypted on my box is the resources. I looked quickly, but didn't see anything that seems to decrypt it yet. Any hints?
I really didn't work a lot on it yet, but the goal of this mini project area is to share ideas, so ideas and comments are welcome.
Anyway, I'm curious about the method you guys used to decrypt it.

Did you trace the int handlers? And does the final decrypted exe look like this (at this VA at least):


401000 : jmp some location

some location : call decrypt_datas
call some_bpx_detections_and_shites
a lil anti soft ice here.

Does it look like this? Or are there any more layers?


I have all the DialogBoxParam code in my dump, so I guess I did it well, but I still miss the resources.

Ok, now it's time to go to work!
I will post when I get back if I get the chance to work on it again.

regards,

Analyst


PS: Bengaly, I ain't leet and moreover, I'm feeling rusty nowadays ) I didn't reverse a lot in the last few months, gotta do some exercises ;-)

ZaiRoN
September 2nd, 2002, 09:54
Hi the_analyst,

>Did you trace the int handlers?
I suggest you trace the (new) int handler.

>...I still miss the resources.
Ehhe... the previous answer will guide you to the resource.

regards,
ZaiRoN

the_analyst
September 2nd, 2002, 12:52
>>Did you trace the int handlers?
>I suggest you trace the (new) int handler.

I, of course, did trace the new int handler.
Did I miss one?
The one I traced when I looked quickly at the crackme was the one that decrypts the .code section.
If you keep tracing, you come to a nice IRETD.
If you trace it, you freeze ;-)

So, at this very moment, I did "r eip 401000"
and the .data decryption takes place.
Did I forget some place? I didn't see the resources decryption.

>>...I still miss the resources.
>Ehhe... the previous answer will guide you to the resource.

Well, I did trace the new handlers.
Which int handler is used for the resources?

I can't try until I get back home, so I'm posting this from memory.

I may be completely wrong since I'm rather rusty nowadays hehe. Although, my decrypted exe contains everything but the resources, so I shouldn't be that wrong.

Regards,

Analyst

ZaiRoN
September 2nd, 2002, 13:20
Hi the_analyst,
I don't know if you have already seen it, but the new_int5_handler is redefined more than once
(the dr register check will guide you )

regards,
ZaiRoN

evaluator
September 2nd, 2002, 13:28
Heh!

It calls GetSystemTime, then compares to its own value & doesn't jump to the good place.

Is this a trick? (I assume so)
Or has the crockme just expired!?

On XP my un_crocked one doesn't run anyway. W98 is GREATTT

What now? K3!??
Should I upload my work here for check-comparison or move it to the archive?

ZaiRoN
September 2nd, 2002, 13:52
You are too fast eval,
or maybe the target is too easy for you.

K3 question: it's a trial crackme. We can't talk about it...

regards,
ZaiRoN

PS eval: you haven't answered my question on the UIC strainer thread...

evaluator
September 2nd, 2002, 19:23
But I don't quite understand what exactly Yado wants.
I simply unprotected the target & found a way to run it correctly.
Is this the solution?
Or is the solution an inline patch??

About K3, I joke.

the_analyst
September 5th, 2002, 14:15
Hey

I had a quick look at it today, and i finally did it.
I was mistaken somewhere.
My bad... not good to stop reversing for months.


>It calls GetSystemTime, then compares to its own value & doesn't jump to the good place.
>Is this a trick? (I assume so)
>Or has the crockme just expired!?

Well, the crackme is some fake trial application.
So the expired thing is normal.
Although I didn't even have to play with this ;-)


BTW, R eip xx just rocks.

Analyst

PS: Except Evaluator, ZaiRoN and me, no one tried this one?
It is funny.

evaluator
September 5th, 2002, 19:52
BTW, at the same time I also unpacked K3.

I forced it to play music. Is that all, ZaiRoN?

Or must I also show some DialogBoxParamA with the logo in _rsrc?
Would you like me to send you the unpacked one?

ZaiRoN
September 5th, 2002, 20:25
Hi eval,
I trust you, no need to send the unpacked file.
> Is that all, ZaiRoN?
BTW, why was the question directed at me? I'm only curious.

best regards,
ZaiRoN

Bengaly
September 5th, 2002, 22:48
LOL ZaiRoN ))

mambox
September 9th, 2002, 10:54
Will there ever be a tutorial for this crypter?

It would be fine for all the people who didn't manage to unpack it.

thanks

the_analyst
September 9th, 2002, 14:24
There will be a tutorial soon.
Since I posted it on a French board, I don't want to spoil their fun.
Wait and some tutorials / notes will be released.

Best Regards,

Analyst

ZaiRoN
September 9th, 2002, 17:09
Hi mambox,
I don't know if you have solved this crackme, but in the meantime you can put your doubts or questions here.

regards,
ZaiRoN