Patchme: genass3's Patch protect lite

Download here: https://crackmes.one/crackme/68d8731a224c0ec5dcedc3be
MD5: 4bbf3e44dc54b708a94e6ee1fd0be214
SHA1: 79e4ffa8820c7473887f43375745869e3f10b4dc
SHA256: 9d7448664d99560a6914589e6643736da72cb8c600d41bf7a5a37756e28e8085

This is listed as a C/C++ x64 executable with a difficulty rating of 3.0. The author is genass3 and the executable is written for Windows.

The author's description:

The diff between other versions: - Rewrote pass verification algorithm (removed the hash algorithm) - Improved string encryption - Rewrote some obfuscation things (make it easier). Your main goal is to find the password; for every user the password will be different.

I enjoyed the author's previous patchme, so I'm really looking forward to tackling this revamped version.

Just like their previous patchme, this is implemented as a console application. It was created using Microsoft Visual Studio 2022. The binary does not appear to be packed.

Taking a look at the strings, we see some familiar function names. If these don't look familiar, I definitely suggest you read meticulously through my previous post and take copious notes... I guess it would be fine if you just skim over it too. Whatever.


One notable change is the absence of most strings. The "failed to load user32.dll" string, which we saw in the previous application, led me to believe that the surrounding runs of characters are the now-encoded output strings.


I won't go too in depth on the parts that I covered in my previous post, but there are some unique twists in this one. Strings are no longer readily available, except for the one that tells us the program was unable to load user32. Instead, there is a function that accepts the encoded string and a buffer for the decoded string. It follows the same code flow as the previous sample, so we already have a pretty good idea of what is going on and won't analyze it any further. The really unique thing to note here is that the password is now generated based on your CPU. The Ghidra decompiler struggled hard with this, so you'll have to analyze the disassembly to figure out how. It involves the cpuid instruction with leaf 1 and bit manipulation.
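As an added illustration (this is not the patchme's code, and it is only an assumption that the patchme keys on these particular fields), here is how the EAX value returned by CPUID leaf 1 is pulled apart with shifts and masks into family, model and stepping; the decoder is exercised on two constructed EAX values rather than a live reading.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang header; MSVC would use __cpuid from <intrin.h> */
#endif

/* Fields packed into EAX by CPUID leaf 1 (the "processor signature"). */
typedef struct {
    uint32_t stepping;   /* bits 3:0 */
    uint32_t model;      /* bits 7:4, widened by extended model in bits 19:16 */
    uint32_t family;     /* bits 11:8, widened by extended family in bits 27:20 */
} cpu_signature;

/* Decode EAX as documented for CPUID leaf 1: the extended family is added
 * only when the base family is 0xF, and the extended model is shifted in
 * only when the base family is 0x6 or 0xF. */
cpu_signature decode_leaf1_eax(uint32_t eax)
{
    cpu_signature s;
    uint32_t base_family = (eax >> 8) & 0xF;
    uint32_t base_model  = (eax >> 4) & 0xF;
    uint32_t ext_family  = (eax >> 20) & 0xFF;
    uint32_t ext_model   = (eax >> 16) & 0xF;

    s.stepping = eax & 0xF;
    s.family = base_family;
    if (base_family == 0xF)
        s.family += ext_family;
    s.model = base_model;
    if (base_family == 0x6 || base_family == 0xF)
        s.model |= ext_model << 4;
    return s;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    /* Live reading on an x86 machine; __get_cpuid returns 0 if leaf 1 is unsupported. */
    uint32_t a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d)) {
        cpu_signature s = decode_leaf1_eax(a);
        printf("EAX=%08x family=%u model=%u stepping=%u\n", a, s.family, s.model, s.stepping);
    }
#else
    puts("not an x86 CPU; CPUID is unavailable");
#endif
    return 0;
}
```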

Now that we got the nerd stuff out of the way, let's take a moment of silence for the Beep call. It was taken from us too soon. That functionality has been offloaded to the MB_ICONHAND and I hate it!
#justice for Beep.

As for the solution, it's the same approach as last time. Look for the call to CreateThread and go to lpStartAddress (the function that the thread will execute). Click on the threads tab and suspend all the threads, then patch the jumps to the bad boy code sections.



Then all we have to do is make one simple patch from JE to JMP and we get the good boy message. Because of ASLR, I didn't bother including the virtual addresses, but look for the instructions around it to see where the patch needs to be made.



Seeing as how the password will be different for everyone, there is no point in trying to extract the password. However, depending on how I feel tomorrow, I may try and create a keygen.
