Mini Research Project (Crackme) - 25/Sept - 11/Oct
aikon987654321
September 25th, 2004, 02:21
Dear All,
I am assisting in coordinating a mini research project on the topic of "Software Copy Protection Reverse Engineering".
This is a very simple experiment aiming to understand more about "software copy-protection reverse engineers".
Attached is a simple "crackme" written by the project team.
Even an amateur can attempt it. But participation from experts is also very much appreciated to make the experiment a success.
What you need to do:
(1) Read the description of the crackme program (Research_Crackme.txt)
(2) Break the software copy protection of the program (the level of difficulty is set to minimum to ensure optimum participation)
(3) Complete the questionnaire (Questionnaire.txt)
(4) Password protect (zip/rar) and attach your patcher/loader/keygen/serial & questionnaire. Then PM me the password (so that others cannot see your answer/response).
If you have questions about the experiment, you can post them here. But if you have questions about the crackme, please PM me instead so that you will not confuse/influence the thought process of other participants.
Thank you for your time.
sna
September 25th, 2004, 04:45
Hi.
Could you please provide some more information on the experiment and its purpose?
Who do you represent, what is the overall goal, how will results be compiled and presented etcetera.
Regards, sna
naides
September 25th, 2004, 07:16
We need a legally binding informed consent, with a confidentiality clause.
We also need tangible proof that you are who you say you are. . .
By the way, who are you?
Neitsa
September 25th, 2004, 08:01
Hello,
I agree with Sna and Naides. It seems that you're expecting something from reversers without providing much info on who you are, or at least who you are representing...
What will be the result of all the gathered information? Will you publish something? Will it help your company to make a stronger protection? Will you make a blacklist of all nicknames? Will you enforce protection against the tools we use? ...
well many questions without an answer....
Regards, Neitsa.
aikon987654321
September 25th, 2004, 10:06
Dear All,
My apologies for not providing more information.
I'm not representing any companies. The purpose of the research is to gather statistics via a controlled experiment on the topic of software copy protection reverse engineering, for a final year project (university). The aim is to understand the behaviour and "thinking process" of a reverse engineer.
If you need more information, I can provide via PM. The reason for not disclosing publicly is also not to turn the research into something high profile.
In the final report, only the number of participants will be mentioned, and the results from the experiment (e.g. tools that are commonly used, methods that are preferred, etc.). Although this information can be found on the web, it cannot be substantiated without a formal controlled experiment. I'm sure many of us who have graduated know this fact.
You do not need to disclose any information about yourself other than your nick name.
I hope I have answered most of the questions.
Apologies & regards.
dELTA
September 25th, 2004, 11:39
Why is the nickname needed?

aikon987654321
September 25th, 2004, 11:51
hi
dELTA,
Any nickname is accepted. It is to "identify" the participant in the experiment. If you choose to be completely anonymous, then we will just give it a number, e.g. participant001.
Appreciate all the feedback. We are really sincere about this mini research. Hope that you can participate (and help us graduate)
Thank you.
Silver
September 25th, 2004, 13:09
If we do choose to participate, how do we return the rar to you? I doubt woodmann will want a load of attachments on a forum thread that no-one can open because they're password protected
Also, can I ask exactly what you're hoping to achieve from the questions you ask in the questionnaire? They don't seem to be targeted enough IMO. You're going to come out with x people with x years experience used tools x, y and z. That's not going to provide you with any insight into the thought process, because you have already admitted that the protection is trivial (I've not looked at it myself yet, BTW). The only conclusions you'll make are that most reverse engineers use similar techniques of a, b and c to achieve their goals, a conclusion that will hold true only for the type of reverse engineering required for this crackme.
I'm just having trouble seeing why/how the results of this "experiment" are going to help you with a final project...
aikon987654321
September 25th, 2004, 19:51
hi Silver
Thank you for the feedback. After the experiment is over, I will post the discussion/solution/findings for everyone's benefit. The main reason is not to influence the thought process of others.
Actually, this experiment is only a small part of the project. The thought process needs to be inferred from the final results (based on the experience, what method is preferred, e.g. to prove or disprove that those with less experience may not write keygens etc).
Whilst the conclusions will hold true only for this crackme, generalisations are also made based on other research and findings.
This forum is a good avenue, because it reaches out to more people. Interviewing face-to-face is time consuming and limited to people whom you know.
I know this may not be very convincing, but it does contribute to the project.
I hope you can participate too.
tq & regards.
----------------
So far, I have received 10 participations, and had really good discussion with the participants. Really appreciate it. I hope I can get 30 participations to increase the credibility of the results.
----------------
NeO
September 27th, 2004, 09:03
I don't know, but I've got a feeling that we are like guinea pigs in here,,
Maybe I was wrong.. He could be an FBI agent collecting info about us
Bye NeOXQuiCk
NeO
September 27th, 2004, 09:12
What can I say.. maybe I was making too much fuss over nothing .. but I can tell you guys this is too easy..2s of everyone's time..
If this were real protection I would surely pay money for it..It's worth -100$

Code something more interesting, something harder ..that will involve people with good and bad knowledge ..with your crackme you can't really do research since everyone can do it..
Bye,, everyone, even guys that don't crack, can get a light on this one
NeOXQuiCk

aikon987654321
September 27th, 2004, 09:24
Hi
NeO,
Thank you for your feedback.
Quote:
with your crackme you can't really do research since everyone can do it..
You are right. The crackme should not be difficult for almost anyone who is a member of this forum.
But I would really appreciate if you could help by participating since it should not take a lot of your time, and yet it means a lot to the project team.
rgds.
Hopcode
September 27th, 2004, 13:19
NeO,
<flame>
You often brag about things being easy, while you fail at them. (then say it seems easy and you don't have time blabla)
Don't try to guess who I am, you won't find out.
But please, stop bragging, because you really don't have the skills to do so..
And I'm sure you forgot most of the hidden checks..
</flame>
dELTA
September 27th, 2004, 16:53
Err, ok, let's be civil now...
aikon987654321
September 27th, 2004, 18:28
Hi SL0rd
Thank you for your point. But to clarify, no tutorial is required. Just to complete the questionnaire (and try to break the crackme).
I hope you can participate too.
regards.
Aimless
September 29th, 2004, 09:28
I am beginning to get thoroughly confused by the attitude of the crackers here.
Just a few posts in a different forum have people falling at each other's feet (try reading INT 3) to help the protectionist make his protection better.
Here he is trying to get a university project done (real or faked: don't care) and people are jumping on him, calling him names and general crap from bored crackers.
How come the difference?
Have Phun
JimmyClif
September 29th, 2004, 10:01
Aimless, Hear, Hear!
I had a quick look at aikons little project and I can say I'm truly impressed. Maybe it's my fault that I have low expectations from people on Internet messageboards asking for university help (check out the homework threads at win32asmboard). Most people asking for help don't know a single thing and don't care about anything as long as someone does their work for them. Aikon here actually did research on tools used by most people here and added quite a couple of checks for them including SI detection. What I'm trying to say is that writing this sample prog was work, if someone doesn't want to do it fine, but there's no reason to beat him up for doing a survey.
Woodmann
September 29th, 2004, 14:45
Hold on here...........
The bus will be here to pick up a few of you people very soon
Here is a tip my dad used to give me. "If you dont have something nice to say, keep your fucking mouth shut".
That meant shut yer yappin pie hole before I smack it shut.
Here are a few more tips.
If the FBI or CIA or MI5 or KGB or Scotland Yard or BSA were really concerned about this place it would have been shutdown long ago.
Keep yer yappin pie hole shut.
I can adjust certain settings on this board that will automatically rate each user. If you want to continue to post "you suck, Lamer" and other such shit
including poor posts with no real value,
I will allow all the users to contribute to your removal from the board VIA voting. Keep yer yappin pie hole shut.
This same rating system can be used in a variety of ways.
Contribute or keep yer yappin pie hole shut.
Woodmann
aikon987654321
September 29th, 2004, 23:26
Thank you all for your support
In fact, I have also received much positive support via Private Messages (though not posted here on this thread).
If you have already spent time analysing the research_crackme.exe file, but have not completed the questionnaire, I hope you can just spend another few minutes to do so.
I will definitely share the preliminary findings on this thread when the experiment is over.

NeO
September 30th, 2004, 15:55
Ehh, I need to reply to Hopcode:
You are right,, I am a lameass but sometimes I can do it..
It's just poor luck! I don't brag, but sometimes stuff is easy,,that's all I was saying ..
And I didn't know I offended you so much while I didn't want to look at your code! Next time I will! I am not skilled, you are right about that, I am not a coder like you! So therefore I don't pretend to do it all! But if you looked at the stuff he coded I am sure you would agree! If not then you are better than me,,what can I say,...
So nevertheless I am not trying to guess who you are
NeO
esther
October 1st, 2004, 05:40
Wootmann,
You mean the driver is ORC? LOL
Woodmann
October 1st, 2004, 19:19
I think Kayaker was the one who said it.
The guy who drives the bus gets paid in cash, so
it is no matter to me what his name is.
Woodmann
%UNDEFINED%
October 5th, 2004, 20:58
Quote (originally posted by aikon987654321):
I am assisting in coordinating a mini research project on the topic of "Software Copy Protection Reverse Engineering".
This is a very simple experiment aiming to understand more about "software copy-protection reverse engineers".
I find it interesting that you ask for a very short questionnaire on the methods used to break the protection.
Yet you state your interest is in the "reverse engineers". Yet no census or psychological type questions are asked.
Such as:
What country we reside in?
What fields we work in?
Why we do this?
Etc...
The few questions that are asked are in relation to solving the protection.
If your interest is in common methods of defeating anti-debugging tricks and general R.E., why post this thread?
Why not simply browse existing threads and make notes?
Or read the thousands of existing tutorials at http://zor.org/krobar
I don't mean to act like I am flaming you, I just don't understand.
aikon987654321
October 5th, 2004, 23:12
hi
%UNDEFINED%
Thank you for your feedback & interest in this thread.
Quote:
Why not simply browse existing threads and make notes?
Or read the thousands of existing tutorials at http://zor.org/krobar
I just don't understand.
A few more days and the experiment will be over, and I will be able to answer your questions in more detail, as well as share the results.
I'm sorry if my explanation sounds rather unconvincing. Those who have participated (11 so far) would have understood my predicament. For those who have not participated, I appreciate your patience.

stephenteh
October 6th, 2004, 07:29
Why are you guys so panicked about taking part in the project?
If you want to remain anonymous then you just don't put your nick under the questionnaire...
(I think aikon987654321 doesn't care about the nick....)
and continue answering the remaining questions.....
SiGiNT
October 9th, 2004, 12:04
I don't know as much as what the newest newbie has already forgotten, but this one is stupid - it's a 1 byte fix.
SiGiNT
Kayaker
October 9th, 2004, 12:26
Quote (originally posted by sigint33):
I don't know as much as what the newest newbie has already forgotten, but this one is stupid - it's a 1 byte fix.
SiGiNT
Hi, you obviously miss the whole point, as well as not having understood the earlier posts in this thread. Instead of calling it stupid for absolutely no reason take it for what it is. At some point in your "newbie" career, you would have been completely lost at how to proceed. Now you're too cool for it. Well, that's great, but if you can't learn at least something from it, then you're doing it all wrong. Your contribution has been much more worthy, thanks. GEESH!
Kayaker
SiGiNT
October 9th, 2004, 12:47
Don't misunderstand me, my motto is "when you stop learning you start dying". I definitely learned from this one, not to be distracted by the obvious diversions, and thanks (really!) for reminding me of that. No flames intended - the "stupid" remark was a reflection of my realization that I was being misled by some of the code. I hope to make friends here and I don't need to give the wrong impression; if anything it was fun and gratifying when I found what I needed to do.
SiGiNT
Kayaker
October 9th, 2004, 13:13
Hi, that's a good motto
Kayaker
Silver
October 9th, 2004, 13:30
I'm looking forward to the closing of this crackme and aikon posting the results, as it raises some interesting questions...
aikon987654321
October 10th, 2004, 03:51
Ok, the experiment is over
To clarify some earlier queries:
(1) No, I'm not a lamer looking for "free" tutorials, this is in fact serious research. But I'll always consider myself a newbie ...
(2) I've been doing reverse engineering since 1996. My first debugger was SoftICE 2.0, did my first keygen in 16-bit assembly ..
and about the experiment:
(1) The "real" aim is to see how effective it is to "mislead/trick" reverse engineers into thinking a copy-protection seems easy, using debugger detection methods to lead them to the decoy algorithm, rather than using offensive anti-debugging tricks
and the results:
(0) 12 participated - 4 amateurs, 6 intermediates, 2 experts
(a) All participants rated the copy-protection as "Easy", but not one provided a completely working solution at the first attempt (i.e. all were tricked into prematurely attacking the decoy algorithm). The participants were told to retry until they succeeded or opted out.
(b) Only one provided a completely working “key generator” on the third attempt.
(c) Three provided serial numbers that only defeated the fake algorithm.
(d) The remaining eight provided patches; only 3 were completely working (2 to 6 attempts taken).
(e) Eight opted out of the experiment after the first attempt, on the grounds that it would have taken them too much time to provide a working solution.
And, I have to specifically mention these 2 participants:
(1) N*****a - the one and only participant who did a completely working keygen => you have the BEST solution
(2) I******t - really respect your endurance, you did it in 6 attempts with a patch!
And for saying "thank you", I have 6 Gmail invites - those who have participated can ask for it if you're interested by sending me a PM
For those who have not participated, you can give it a try, now knowing that the crackme is "a little harder than easy" and is good for your brain
p/s: and those who said "this is just a 1-byte solution", you obviously fell for the fake algo. You need at least "2-bytes", if you know where to find them
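The decoy-routing design described in the post above (a debugger check that steers the reverser to a fake algorithm instead of fighting the debugger) can be illustrated with a small constructed program. This is an added example, not the code of research_crackme.exe: the two serial rules, the seed constant, the sample name and the debugger flag used in place of a real probe such as INT 41h are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not the crackme's own code): a serial check that
 * switches to a decoy algorithm whenever a debugger is detected, so a reverser
 * tracing under a debugger reverses the wrong routine and produces a keygen
 * that only "works" while debugging. Both rules and the seed are hypothetical. */

#define SERIAL_LEN 8

/* Stand-in for a debugger probe. The thread's INT 41h AX=4Fh query needs OS
 * support and would not run portably, so the flag is set by the caller here. */
static int g_debugger_present = 0;
void set_debugger_present(int present) { g_debugger_present = present; }
static int debugger_present(void) { return g_debugger_present; }

/* Decoy rule (hypothetical): serial = name reversed, padded with '0' to
 * SERIAL_LEN. Simple enough to be spotted quickly in a trace, and wrong. */
void decoy_serial(const char *name, char out[SERIAL_LEN + 1]) {
    size_t n = strlen(name);
    for (size_t i = 0; i < SERIAL_LEN; i++)
        out[i] = (i < n) ? name[n - 1 - i] : '0';
    out[SERIAL_LEN] = '\0';
}
static int decoy_check(const char *name, const char *serial) {
    char expect[SERIAL_LEN + 1];
    decoy_serial(name, expect);
    return strcmp(expect, serial) == 0;
}

/* Real rule (hypothetical): a 32-bit multiplicative hash of the name, printed
 * as 8 uppercase hex digits. Only reached when no debugger is detected. */
static uint32_t real_hash(const char *name) {
    uint32_t h = 0x1234u;                       /* constructed seed */
    for (; *name; name++)
        h = (h * 31u) ^ (uint8_t)*name;
    return h;
}
void real_serial(const char *name, char out[SERIAL_LEN + 1]) {
    snprintf(out, SERIAL_LEN + 1, "%08X", (unsigned)real_hash(name));
}
static int real_check(const char *name, const char *serial) {
    char expect[SERIAL_LEN + 1];
    real_serial(name, expect);
    return strcmp(expect, serial) == 0;
}

/* Protection entry point: the decoy accepts the serial under a debugger, the
 * real rule decides in a normal run. Returns 1 for "registered", 0 otherwise. */
int validate(const char *name, const char *serial) {
    if (debugger_present())
        return decoy_check(name, serial);
    return real_check(name, serial);
}

/* Does a serial derived from the decoy pass only while a debugger is present?
 * This is the failure mode the experiment measured: a keygen for the traced
 * routine that stops working outside the debugger. */
int decoy_fools_debugger(const char *name) {
    char s[SERIAL_LEN + 1];
    int saved = g_debugger_present, under, normal;
    decoy_serial(name, s);
    set_debugger_present(1); under  = validate(name, s);
    set_debugger_present(0); normal = validate(name, s);
    set_debugger_present(saved);
    return under == 1 && normal == 0;
}

int main(void) {
    const char *name = "tester";                /* constructed sample input */
    char decoy[SERIAL_LEN + 1], real[SERIAL_LEN + 1];
    decoy_serial(name, decoy);
    real_serial(name, real);
    set_debugger_present(1);
    printf("under debugger: decoy=%d real=%d\n", validate(name, decoy), validate(name, real));
    set_debugger_present(0);
    printf("normal run    : decoy=%d real=%d\n", validate(name, decoy), validate(name, real));
    return 0;
}
```

Under the debugger the decoy serial validates and the real one is rejected; in a normal run the opposite happens, which is exactly why a keygen written against the traced code fails the first attempt. A patch that only neutralises the debugger branch still leaves the real rule to be found, which matches the remark that more than one byte is involved.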

SiGiNT
October 10th, 2004, 11:46
OOPS! Just realized explaining my 1 byte fix would ruin the fun for others - deleted that info in this post. I've explained it in a PM to you, aikon - it does work, and opens, edits, and saves - fully functional.
SiGiNT
As it turns out, I didn't fully test the prog - print is not enabled, and Aikon tells me that opening files sequentially will disable some menu functions.
blabberer
December 9th, 2004, 11:43
Well, I read the readme after I double-clicked the exe in W98.
It crashes and takes the OS along with a BSOD.
Anyway, I loaded it the next time using OllyDbg and saw it working perfectly until INT 41; it crashes on INT 41 (W98 SE). Hope to look into it some time in W2K.
Posted this in the hope of eliciting info if someone has successfully run it in W98 SE.
SiGiNT
December 9th, 2004, 20:07
Disable INT 41, it's a debugger trap.
SiGiNT
blabberer
December 10th, 2004, 04:51
Dear SiGiNT,
thanks for the reply.
Yes, I know INT 41 is checking for a debugger:
Code:
AX = 004Fh
Return:AX = F386h if debugger is present
See Also: INT 68/AX=4400h
The point I was raising was why it should crash the OS and also corrupt the stack in W98 SE. I could understand it if the return value 0xF386 was used to manipulate something, but just by executing INT 41 the stack gets corrupted and EIP is changed to some absurd value, so when a RET is processed it returns to some doomsday palace and takes the OS along. I was hoping for an explanation of this peculiarity.
Yes, I can disable INT 41 or disable the whole SetUnhandledExceptionFilter crap and jump directly to WinMain.
Anyway, thanks for the reply, and I still hope for an explanation.
BTW, INT 41 does not crash in W2K even after execution; as I patched the SetUnhandled, it returns to WinMain via the unhandled handler in W2K.
Is INT 41 supposed to crash W98 SE on its own even when run without a debugger? Any tips/links are welcome. Thanks again.
Neitsa
December 10th, 2004, 09:03
Hello,
I had completely forgotten this topic... Well, now it is up and the project is truly over, I can post the working keygen I submitted to aikon if someone is interested:
It is coded in Asm, and a little bit commented (this is not a tutorial).
Source code (RadASM project) + binary file included.
Just hope it could help...
Regards, Neitsa.
aikon987654321
December 15th, 2004, 00:59
Hi there
Neitsa
Very nice of you to share your great piece of work.
I didn't expect that it would generate any further interest ..., since most of us know that the trick is not to get tricked

Neitsa
December 15th, 2004, 05:17
Hello,
Thanks a lot aikon987654321, but as you said previously:
Quote:
(b) Only one provided a completely working "key generator" on the third attempt.
Three attempts to make a working keygen!
I'm definitely not a 'master of the art'.
Quote:
I didn't expect that it would generate any further interest ..., since most of us know that the trick is not to get tricked
Like, I think, many of the participants, I was fooled by the apparent simplicity of this crackme (I rated it "simple"), but it was more tricky than it looked at first sight.
BTW, it was fun
Will your project/research results be available to everyone (maybe on the net)?
Regards, Neitsa.