DirectX crackme


Silver
October 27th, 2006, 06:00
UPDATE: Crackme released, scroll down for URL and info.


After the discussion in the other forum I'm just putting the final touches to a DirectX crackme; I don't think there are many (if any) of these around, so hopefully it will give people a target to play with.

Before I release it would anyone like to volunteer to analyze/crack it for me just to make sure I haven't left anything wildly obvious open to exploit? It should be ready today or tomorrow. I could also do with making sure it works on a couple of machines, DirectX being the lovely compatible system that it is....

Cheers!

Silkut
October 27th, 2006, 07:57
Hi Silver, I'm interested in your DX crackme.
I volunteer, but as I'm not an expert in cracking/reversing I can't certify anything about bugs.
Though I can test it on my machine.
XP SP2 w/DXSDK & DX9

Maximus
October 27th, 2006, 08:37
evil evil evil idea....
are you using ... ...shaders?

"OMG"

Silkut
October 27th, 2006, 11:36
Um, no HDR please =)
I forgot to mention that my gfx card was a nvFX5900XT.

Silver
October 28th, 2006, 09:07
Cheers guys, I have a couple of volunteers now...

Maximus now that *is* evil. I haven't done that this time, but you've given me a great idea...

Maximus
October 28th, 2006, 13:54
I am evil

I would suggest placing your solution along a 3D lattice* and using shaders to perform ... oooh ....
ok, a new lvl 9 crackme, I would say, eheh

Silver
October 29th, 2006, 11:30
mmmm! That would be seriously difficult to crack, if you passed in data to the shader (texcoords or whatever can be used easily), packed the result into DWORDs then wrote the result out to a surface using the DWORD as the ARGB for each pixel. All the reverser would see is magic data going in, magic data coming out and no direct way to debug the shader.... Nasty!

Silver
October 29th, 2006, 14:46
Okay, the crackme has been dispatched to my willing victi...uh, testers

If everything is ok I'll post it publicly shortly.

Silkut
October 30th, 2006, 10:46
It is fully working here.
Despite the fact that I'm a beginner I think this would give pleasure to advanced reversers.

Silver, no direct way to debug the shader, even using stuff like NV(ShaderPerf|PerfHUD)? Does it depend on the way the shader is used (I mean compiled with the application)?

Silver
October 30th, 2006, 11:14
Silkut, debugging shaders without the original source would be a total nightmare. I'm trying to think it through now. The only reason you can debug shaders at the moment is because Visual Studio and DX etc have shader debugging extensions. But if you're reversing an app you won't have the app source to load into Visual Studio and take advantage of the debugger. That means you'll have to extract the shader code from the app directly - that's not a problem because you can use shader simulators, but then what do you do with it? If all the input to the shader is coming from the app you'd have to code your own app that simulates the exact same input to be able to debug it. You can't just break in the middle of the shader because it's simply dumped to the GPU, which you have no direct access to. As far as I know there's no way to read a shader program back from a gpu...

As maximus has said, this would probably be even harder for vertex shaders than for pixel shaders. At least with pixel shaders you're translating across the surface one pixel at a time, but with vertex shaders you're being passed the vertex data directly. So not only would you somehow have to debug the shader code, you'd also have to understand how the data (say, the license key or whatever is being processed) is packed into the vertex data. Now imagine the final transformed position of the vertex is important to the protection in some way, such as a simple depth test.

I'd go so far as to say a protection like this would be very close to impossible to break from a pure protection point of view (ie: assuming the rest of the app didn't do anything silly like have individual goodboy/badboy jmp's). You wouldn't even need any goodboy tests, the app would run exactly the same but the end result of the shader would control what was displayed. Ouch.
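
The render-to-surface check Silver sketches above (key bytes handed to the shader as texcoords, a DWORD result written out as the ARGB of each pixel, the host only ever comparing colours) modelled on the CPU. This is an added example, not code from the crackme or from anyone in the thread: the GPU shader is replaced by an ordinary function so the data flow can be followed offline, and the mixing constant, the seed and all the helper names are constructed stand-ins.

```cpp
// Added example (not from the crackme or the thread): CPU-side model of a
// shader-based check. The "shader" is a plain function; the mixing is a
// constructed placeholder, not anything the crackme actually does.
#include <cstdint>
#include <string>
#include <vector>

// One "pixel" of input: a texture-coordinate pair, the usual carrier for
// per-pixel data handed to a shader. Each float holds one key byte scaled to 0..1.
struct TexCoord { float u, v; };

// Surface pixel format: 8 bits per channel, A in the top byte, B in the bottom.
uint32_t PackARGB(uint8_t a, uint8_t r, uint8_t g, uint8_t b) {
    return (uint32_t(a) << 24) | (uint32_t(r) << 16) | (uint32_t(g) << 8) | uint32_t(b);
}

// App side: spread the key over texcoords, two bytes per pixel, zero padded.
std::vector<TexCoord> EncodeKeyAsTexCoords(const std::string& key) {
    std::vector<TexCoord> out;
    for (size_t i = 0; i < key.size(); i += 2) {
        uint8_t hi = uint8_t(key[i]);
        uint8_t lo = (i + 1 < key.size()) ? uint8_t(key[i + 1]) : 0;
        out.push_back({hi / 255.0f, lo / 255.0f});
    }
    return out;
}

// Shader stand-in: recover the two bytes from the texcoords, mix them with a
// constant baked into the shader, and emit the 32-bit result as the pixel colour.
// Multiplication by an odd constant and the xor-shift are both invertible, so
// distinct inputs to one pixel always give distinct pixel values.
static uint32_t ShaderStandIn(TexCoord tc, uint32_t seed) {
    uint8_t x = uint8_t(tc.u * 255.0f + 0.5f);
    uint8_t y = uint8_t(tc.v * 255.0f + 0.5f);
    uint32_t h = seed;
    h = (h ^ x) * 0x01000193u;
    h = (h ^ y) * 0x01000193u;
    h ^= h >> 15;
    return PackARGB(uint8_t(h >> 24), uint8_t(h >> 16), uint8_t(h >> 8), uint8_t(h));
}

// "Draw" one pixel per texcoord into a render-target surface.
std::vector<uint32_t> RenderToSurface(const std::vector<TexCoord>& in, uint32_t seed) {
    std::vector<uint32_t> surface;
    surface.reserve(in.size());
    for (const TexCoord& tc : in) surface.push_back(ShaderStandIn(tc, seed));
    return surface;
}

// App side again: lock the surface and compare it pixel by pixel with a stored
// reference image. Nothing here knows what the shader computed, only whether
// the colours that came back are the expected ones.
bool SurfaceMatches(const std::vector<uint32_t>& surface,
                    const std::vector<uint32_t>& reference) {
    if (surface.size() != reference.size()) return false;
    for (size_t i = 0; i < surface.size(); ++i)
        if (surface[i] != reference[i]) return false;
    return true;
}
```

The point the model makes concrete is where the check lives: the host program holds only the reference surface and a compare loop, and every step that turns the key into colours happens inside the shader function, which on real hardware is the part a debugger cannot single-step.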

Maximus
October 30th, 2006, 12:53
I know...
It is a free dongle installed in each PC
...and much more powerful and evil than every existing dongle, I would say

...but let's not suggest too many evil ideas to protectionists...

Silkut
October 30th, 2006, 13:12
Ok I think I get the point.
Anyway this kind of challenge requires more than reversing skills.

Maximus
October 30th, 2006, 14:30
eheh I'm late with 2 articles, 2 special 'crackmes', REA and what's more?
Oh, yeah, my nephew's fresh new vgame doesn't run with DT installed...
and work, clearly ...but I'm terribly curious

Maybe it's time to remove all the dust from my DX knowledge

Silver
November 2nd, 2006, 08:56
Okay, thanks to my victims including Silkut and Zairon, the crackme is ready for public release.

Download from here: http://www.savefile.com/files/206121
Crackmes.de mirror: http://www.crackmes.de/users/silver/silvers_dx_crackme_1/

Original MD5 for the .zip for your peace of mind:
4B3FE5E0F7D14762F234EB9956044385


Please be sure to read the readme carefully before you begin - it will potentially save you a lot of time.

When someone has beaten this crackme & published a solution I'll release a cut down version that concentrates purely on DirectX stuff, which will hopefully give people a playground for DX reversing with no other distractions.

Let me know how you get on!

Silver
November 18th, 2006, 09:48
Just thought I'd bump this and see if anyone is working on it? I know Mr Squeers is, and it's had a bunch of downloads at crackmes.de but as yet no discussion or solution.

Silkut
December 28th, 2006, 08:00
Hmm, I have a question.
When I try to quit the application using ALT+F4 it crashes (not using Escape). You specified this on crackmes.de

Quote:
Silver
Author
09. Dec, 15:48
One month on, nobody has beaten it yet! A reply to people who have asked: if the crackme crashes while you're working on it this is not a bug, it's deliberate.


Is it related? Because I had no tools loaded.
Still no discussion about it nor solutions.. hard time.

Silver
December 28th, 2006, 11:28
Silkut, when you start the crackme does it load perfectly, switch to full-screen mode, then show a couple of lines of text with a text entry box, a Submit button and a rotating texturemapped cube in the background?

If it shows all these things then the crackme is working on your computer, however it does seem like you've found a legitimate bug if it crashes on Alt-F4.

If you quit using Escape, does it exit properly with no crash? If so then yes, this is a bug, I probably forgot to release an interface when handling the window closing. Apologies for this, please ignore the crash and only use Escape to quit. This is not part of the protection.

The comment on crackmes.de was referring to cracking actions - in other words if you start reversing the app and it starts crashing, this is deliberate and part of the protection.

I think Mr Squeers may be about to provide us with a solution

Silkut
December 28th, 2006, 12:08
Yeah all of those things are working, as I said in my report in PM (if you remember, I chose to be a victim, with Zairon).

_Fullscreen+bouncing.box+entryform+button = Ok
_Quit = Ok
_alt+f4 = crash

Maybe it is possible to provide more information, but I can't use the JIT debugger (because I'm using a student version of VisualStudio blah..) too bad =/

No problem about the bug =) *Damn it's not a part of the protection*

Maximus
December 28th, 2006, 19:52
? Set Olly as JIT debugger. You can find the option somewhere in the menu (much better than the IDE, for me...)

Silkut
December 29th, 2006, 06:53
Maximus> Thanks for the hint, for a moment I forgot that the JIT debugger could be another one than Microsoft's r3 one

Here is the instruction where I'm stuck using Olly as JIT debugger.
Code:

00402805 |> /F60401 80 /TEST BYTE PTR DS:[ECX+EAX],80

DS:[00000000]=???
Jump from 0040280F

Access violation when reading [00000000]..

Silver
December 29th, 2006, 12:18
Oh, yep, that's COM interface reference count fun. I'm going to re-release the crackme with a fix for the backbuffer format (see blabberer's posts), so I'll fix that too.
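
Silver puts the null read in the Olly dump above down to COM interface reference counting. The pattern below is an added example, not code from the crackme or from anyone in the thread: it shows the release discipline that keeps a window-close path from reading through an interface pointer that has already been released or never been set. Real COM needs <unknwn.h> and a Windows build, so the interface here is a constructed mock that only reproduces the AddRef/Release contract; all names are stand-ins.

```cpp
// Added example (not from the crackme or the thread): a mock of the COM
// reference-counting contract plus a release helper that zeroes the caller's
// pointer, so a handler that fires twice cannot touch a freed or null object.
#include <cstddef>

static int g_live_objects = 0;   // mock allocations still alive

// Minimal stand-in for IUnknown's refcount contract. Objects are never deleted
// directly; the last Release() frees them, as real COM objects do.
struct IUnknownLike {
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
protected:
    virtual ~IUnknownLike() {}
};

class MockSurface : public IUnknownLike {
    unsigned long ref_ = 1;      // a freshly created object carries one reference
public:
    MockSurface() { ++g_live_objects; }
    unsigned long AddRef() override { return ++ref_; }
    unsigned long Release() override {
        unsigned long left = --ref_;
        if (left == 0) delete this;   // last owner gone: object is freed
        return left;
    }
protected:
    ~MockSurface() override { --g_live_objects; }
};

// Release through a reference so the caller's copy of the pointer is nulled in
// place: a second call is a harmless no-op instead of a read at address 0 or
// through freed memory. Returns the remaining reference count (0 if nothing to do).
template <typename T>
unsigned long SafeRelease(T*& p) {
    if (p == nullptr) return 0;
    unsigned long left = p->Release();
    p = nullptr;
    return left;
}

// Releasing a pointer that was never set (or already released) must not fault.
bool ReleaseNullIsNoop() {
    MockSurface* never_created = nullptr;
    return SafeRelease(never_created) == 0 && never_created == nullptr;
}

// Two owners (the "device" and the app) share one surface. The window-close
// handler may run more than once before the final cleanup; with SafeRelease
// each owner drops its reference exactly once. Returns 0 when the object was
// freed exactly once and no pointer was left dangling, a negative code otherwise.
int ShutdownSharedSurface() {
    MockSurface* device_ref = new MockSurface();        // ref 1
    MockSurface* app_ref = device_ref;
    app_ref->AddRef();                                   // ref 2
    unsigned long after_first  = SafeRelease(app_ref);   // ref 1, app_ref now null
    unsigned long after_repeat = SafeRelease(app_ref);   // handler fires again: no-op
    unsigned long after_last   = SafeRelease(device_ref);// ref 0, object freed
    if (after_first != 1 || after_repeat != 0 || after_last != 0) return -1;
    if (app_ref != nullptr || device_ref != nullptr) return -2;
    return g_live_objects == 0 ? 0 : -3;
}
```

The helper is the whole fix: the crash in the dump is a read through a zero pointer, and a release path that nulls its pointer and tolerates a second call cannot produce that read whichever of Alt-F4 or Escape runs the cleanup.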

ZaiRoN
January 8th, 2007, 17:02
Waxfordsqueers did it
Enjoy his solution: http://www.crackmes.de/users/silver/silvers_dx_crackme_1/solutions/waxfordsqueers

Silkut
January 9th, 2007, 13:22
Brilliant! As I thought, it was... huh, kinda hard.
But still interesting, now I'm waiting for Silver's pure DX thingy.

Silver
January 13th, 2007, 11:58
Ok, here's the pure DX version. Absolutely no extra protection, it's 100% vanilla code. Your task is to PATCH the crackme so it always tells you you've beaten it. The only encryption is for the crackme password, to stop people fishing it.

If a few people could check it works, I think I fixed the caps crash problem and the alt-f4 issue. If it's ok I'll upload it to crackmes.

Cheers guys!

Silkut
January 13th, 2007, 16:35
It works well here, no bugs afaik.
I'll try to solve it =].

countryman
January 13th, 2007, 20:13
I think that your crackme has a password..
Teach me your crackme password~~~ plz...
Have a nice day.
good luck...

Silkut
January 14th, 2007, 04:06
Hello,
Did you read the .nfo coming with the .zip?

ZaiRoN
April 11th, 2007, 05:17
I got another solution at crackmes.de, enjoy:
http://www.crackmes.de/users/silver/silvers_dx_crackme_1/solutions/thecolonial

Silver
April 11th, 2007, 07:36
Thanks Zairon, I'll go take a look now!

TheColonial
February 7th, 2012, 07:19
Hi everyone,

I realise I'm bringing back to life a thread that has been dormant for the last 4 to 5 years, but I'm hoping that someone here can help me.

I wrote the tutorial/solution to Silver's crackme back in 2007 and published it as a PDF on the crackmes.de website (I blogged about it here: http://buffered.io/posts/reversing-directx-blowfish/). Since then, thanks to various backup failures and issues with webhosts, I have lost my copy of the document.

I tried to get another copy from crackmes.de, but as we all know that site has been taken down. I found a few locations that claimed to have backups/mirrors of the solutions, but none of those online archives are complete and I wasn't able to get my solution from them.

I have tried to scrounge copies from archive.org and from google's cache but to no avail. The last hope that I have is this forum!

Do any of you still happen to have a copy of my solution lying around on your hard drives? I'm not worried about anything else, just the PDF that I wrote, as I'd really like to retain a copy and stick it back up on my webserver for other people to digest.

Any help would be greatly appreciated. Thanks to all for listening.

TheColonial.

Kayaker
February 7th, 2012, 17:30
Hmm, I was going to suggest in the meantime you might check the crackmes.de mirror

http://malwarereversing.wordpress.com/2011/05/13/crackmes-de-mirror/

but it seems that all those upload site links are dead as well. Which is too bad because I was going to download the packages and mirror them safely on this server before they disappeared (too late...).

Is there any chance anyone has the mirror files and can make them accessible so we can preserve them on the woodmann server?

Kayaker

TheColonial
February 7th, 2012, 17:37
Hi Kayaker,

Thanks for the response. I have already managed to acquire a copy of that mirror from a few different locations on the web. Unfortunately these "mirrors" are not complete. Almost all of the solutions and crackmes posted after 2005 don't exist in that archive. Mine is one of those that is missing.

I made every effort to find copies out on the open web prior to coming here as I didn't want to have anyone wasting time searching public-domain locations themselves on my behalf.

I think the last place to look is on people's individual machines or backups hidden away from the open Internet. This was the motivation for my post.

Thank you again for the response, I appreciate your efforts.

TheColonial.

Darkelf
February 8th, 2012, 12:26
Since crackmes.de is back, you can get your solution from there:

http://www.crackmes.de/users/silver/silvers_dx_crackme_1/solutions/

Regards
darkelf

TheColonial
February 8th, 2012, 14:49
Thanks Darkelf! I didn't know the site was back. That must have been a recent change.

I am happy to finally have a copy again.

TheColonial.