View Full Version : K-Protean v1.0: anti-bpm, anti-bpx, anti-traced, anti-frogsice...


ZaiRoN
March 25th, 2003, 18:42
Hi All,
I have found this interesting crackme and I think it's suitable for this area.

The crackme package contains 3 files: an exe, a dll and a VxD. As you will have already understood, it's not the usual boring name/serial crackme and, as I said in the title, it has some tricks to make our life hard.

The two goals of the crackme are:
- remove a nag
- write a working keygen

The algo used by the crackme is very simple, but this is not the aim of the crackme; the aim is to learn how the various tricks work. You will see that the way to reach the name/serial routine is not very easy :-)
The 3 files are not packed and I have done nearly all the job using only IDA because... you will understand!

This might be an occasion for most of us to learn how seh, vxd and some anti-sice tricks work. For the moment I will not tell you more; I hope to see a beautiful project.
Good luck!!!

ZaiRoN

the_analyst
March 25th, 2003, 20:08
Hello,

It's a bit late here, but I'm having a look at this crackme.
I'm running 2K, I cannot execute it, so I'm disassembling it.

So far I have seen one of the frog's ice detection code parts (if there are many, no idea yet), and 2 or 3 parts of the name/serial algo which, as you mentioned, looks pretty straightforward.

I have seen something strange, but I'm too tired to think at the moment. (2am)

Regards,

Analyst

ZaiRoN
March 31st, 2003, 08:33
Hi All,
I am curious by nature and only wanted to know whether someone is working on this project. Is it too easy, too difficult, too boring?
What is wrong with it?

Regards,
ZaiRoN

FoolFox
March 31st, 2003, 09:35
Hello,

In fact I've had some trouble even getting it to run... and didn't
get so much free time these weeks, so didn't look for so
long....

I work on Windows NT 4.... when I try to run it, it gives
me: Process32Next entry point could not be found in
kernel32.dll.....

so I guess I would need either a w2k or a 98 to run it....

Regards
FoolFox

FoolFox
April 3rd, 2003, 10:12
Hi,

I'm trying with the dead listing way......ahem.....

Just for curiosity, it looks to me like the _chkesp
function is just there to pass some debug info,
or does it have something to do with anti-debug?
(waiting for an error on normal use, the error has to be
handled to make the soft run correctly??)


Code:

00401613 _chkespIfNotNull: ; CODE XREF: __chkespj
00401613 push ebp
00401614 mov ebp, esp
00401616 sub esp, 0
00401619 push eax
0040161A push edx
0040161B push ebx
0040161C push esi
0040161D push edi
0040161E push offset aTheValueOfEspW ; "The value of ESP was not properly saved"...
00401623 push offset unk_420058 ; module name
00401628 push 2Ah ; line number in source file
0040162A push offset aI386Chkesp_c ; name of source file
0040162F push 1 ; report type
00401631 call __CrtDbgReport
00401636 add esp, 14h
00401639 cmp eax, 1
0040163C jnz short loc_40163F
0040163E int 3 ; Trap to Debugger
0040163F



Regards
FoolFox


I have only formatted the code for a better view

ZaiRoN
April 3rd, 2003, 17:37
Hi FoolFox,
The chkesp function has nothing to do with the protection routine; it's not an anti-debug trick!
As suggested by the name, the function checks that esp is valid on function return. The crackme is written using msvc++ and the compiler lets you use a particular option: /GZ (Enable Stack Frame Run-Time Error Checking). If this option is set, the compiler will add this function after every call.

Regards,
ZaiRoN

evaluator
April 4th, 2003, 12:34
hi there..

After downloading it, I became interested, because it uses a VXD & I expected
a lot of crazy R0 tricks.. but then..
OK, so this VXD is just needed as a BSOD message box

Then I searched & searched for cryptor-decryptor code.. not found!
Then I can only guess that the calculation of the sum of the input chars is the decryptor??

IF (sum of NOMRE's chars) - (sum of CLAVE's chars) = 0A9h
THEN BSOD-registered

Or maybe there is some ultra-hidden check???
{Can't believe it, dear}

But very interesting is that VXDWriter! Where to find it!?

FoolFox
April 8th, 2003, 06:14
Hello ZaiRoN,

I'm still trying to figure it out using the dead listing approach (missing
my debugger), and I'm currently trying to locate the anti-debug tricks...

I've found a call that may be a catch for a breakpoint that
could be set on GetDlgItemTextA....

Code:

0040BF20 loc_40BF20: ; DATA XREF: .text:0040C0C7o
0040BF20 mov ecx, dword_4237BC
0040BF26 push ecx
0040BF27 call sub_401005 <- checking if BP set on API GetDlgItemTextA ??
0040BF2C add esp, 4 (return eax=1 if bp set ??)
0040BF2F test eax, eax
0040BF31 jz short ReadUserEntry
0040BF33 mov esi, esp



If that's the case, this could be easily defeated by either
changing the jz 401430 to jmp short 40142c, or changing the
mov eax,1 to mov eax,0.....

Code:

0040142A jz short loc_401430
0040142C xor eax, eax
0040142E jmp short loc_401435
00401430 ; ---------------------------------------------------------------------------
00401430
00401430 loc_401430: ; CODE XREF: sub_40101E+40Cj
00401430 mov eax, 1



I see that loc_401400 saves all registers, makes room on the stack,
probably trying to check if a trap to debugger is done...

Code:

00401400 loc_401400: ; CODE XREF: sub_401005j
00401400 push ebp
00401401 mov ebp, esp
00401403 sub esp, 44h
00401406 push ebx
00401407 push esi
00401408 push edi
00401409 lea edi, [ebp+var_44]
0040140C mov ecx, 11h
00401411 mov eax, 0CCCCCCCCh
00401416 repe stosd
00401418 mov esi, [ebp+arg_4]
0040141B mov ah, 10h
0040141D add ah, 9
00401420 shl ah, 3
00401423 add ah, 4
00401426 mov al, [esi]
00401428 cmp al, ah
0040142A jz short loc_401430
0040142C xor eax, eax
0040142E jmp short loc_401435



but I can't figure out how he catches this??

Regards
FoolFox

ZaiRoN
April 8th, 2003, 10:27
Hi FoolFox/evaluator,

FoolFox:
you are right, he is checking if a bpx has been set on GetDlgItemTextA.
Look at this:
Code:
00401418 mov esi, [ebp+8] ; esi -> address first byte of the function
0040141B mov ah, 10h ; eax = CCCC10CCh
0040141D add ah, 9 ; eax = CCCC19CCh
00401420 shl ah, 3 ; eax = CCCCC8CCh
00401423 add ah, 4 ; eax = CCCCCCCCh, ah = CCh
00401426 mov al, [esi] ; al = first byte of function GetDlgItemTextA
00401428 cmp al, ah ; al = CCh ?
0040142A jz short loc_401430
0040142C xor eax, eax ; bpx not present: eax=0
0040142E jmp short loc_401435
00401430 mov eax, 1 ; bpx is present: eax=1
He checks if the first byte of the GetDlgItemTextA routine is CCh. This byte is CCh if you have put a bpx on that function.

evaluator:
your analysis is correct. I know that it's too easy for you but don't you think it might be interesting for people with less experience?

Regards,
ZaiRoN
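
The check ZaiRoN walks through above, rewritten in C as an added illustration (this is not code from the crackme, the forum or ZaiRoN; the function names, the `simulate_bpx` helper and the sample prologue bytes are assumptions made for the example). It rebuilds 0xCC with the same four AH operations so the INT3 opcode never appears as a literal, then compares the first byte at a "function entry" against it, once on a clean prologue and once on a copy where a debugger has written its software breakpoint:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: the first bytes of a typical x86 function prologue
   (push ebp; mov ebp, esp; sub esp, 44h). Not taken from the crackme. */
static const uint8_t CLEAN_PROLOGUE[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x44 };

/* Rebuilds 0xCC the way sub_401400 does it in AH, so the INT3 opcode never
   appears as a literal in the code. uint8_t arithmetic wraps exactly like
   the 8-bit AH register. */
uint8_t obfuscated_int3_opcode(void) {
    uint8_t ah = 0x10;   /* mov ah, 10h */
    ah += 9;             /* add ah, 9   -> 0x19 */
    ah <<= 3;            /* shl ah, 3   -> 0xC8 */
    ah += 4;             /* add ah, 4   -> 0xCC */
    return ah;
}

/* C equivalent of sub_401400: returns 1 if the byte at the function entry
   is the INT3 opcode a software breakpoint leaves behind, else 0. Only the
   first byte is inspected, exactly as in the listing. */
int entry_has_software_bp(const uint8_t *fn_entry) {
    return fn_entry[0] == obfuscated_int3_opcode();
}

/* Hypothetical helper mimicking what a debugger does when it sets a bpx:
   the original byte at `offset` is saved and replaced by 0xCC. `out` must
   hold `len` bytes; the overwritten byte is returned. */
uint8_t simulate_bpx(const uint8_t *code, size_t len, size_t offset, uint8_t *out) {
    memcpy(out, code, len);
    uint8_t saved = out[offset];
    out[offset] = 0xCC;
    return saved;
}

/* Runs the check on the clean prologue: expected result 0. */
int demo_clean(void) {
    return entry_has_software_bp(CLEAN_PROLOGUE);
}

/* Runs the check on a copy with a bpx on the entry byte: expected result 1. */
int demo_bpx_at_entry(void) {
    uint8_t patched[sizeof CLEAN_PROLOGUE];
    simulate_bpx(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE, 0, patched);
    return entry_has_software_bp(patched);
}

int main(void) {
    printf("constant built in AH : 0x%02X\n", obfuscated_int3_opcode());
    printf("clean prologue       : %d\n", demo_clean());
    printf("bpx at entry         : %d\n", demo_bpx_at_entry());
    return 0;
}
```

In the real binary `fn_entry` is the address of GetDlgItemTextA taken from dword_4237BC; here a constructed byte array stands in for it so the program runs on any platform. The example makes the two properties of the trick visible: the comparison value is computed rather than stored, and the detection depends entirely on the single byte at the entry address.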

FoolFox
April 10th, 2003, 01:50
Thanks ZaiRoN,

much clearer now

Regards
FoolFox

ZaiRoN
May 24th, 2003, 14:12
Hi,
I have found the solution I wrote some time ago for the crackme site.
It's only a final explanation; if someone has solved the crackme in a different way, he (she) can post his (her) solution and/or criticize mine :-)

Ciao,
ZaiRoN