[CrackMe] NoREpls - Part 1

crackme
obfuscation
windows
reverseengineering

(dominic pace) #21

looked up the xref to the message box and scrolled up till i found this:


looked like base64 so tried it and found this: https://i.imgur.com/3GTVLWX.png


#22

<img

Used debugger and static analysis to find out how the key was stored and decoded it


(Vatsal Jain) #23

Hey, i have cracked your software with the help of ollydbg and bypassed the Invalid registration issue. if want required screenshote of that than i will send uh…
Thank you


#24

Hah, I facepalmed when I realized what was going on.

Serial is NOREPLS-MEKI-30H2-AMN3-49JF. It was base64 encoded, and I only first realized this when I saw that the text I was entering as test data had ‘==’ appended to it, which is super common for base64 data to do. I just erronously assumed that CryptBinaryToStringA was going to be more complicated than it turned out to be since it had an intimidating name. That’s what I get for making assumptions when new to windows RE. Haha. :smiley:

For persistence I re-routed the load-up routine that loads the ‘demo’ strings and such and made it jump into the post-successful-registration routine by nopping the ‘registration’ dialog popup that came before it , which means every startup it automatically goes through the registration procedure for you, pretty much. :slight_smile:


#25

Hey, I did it in radare2.

After having a look at the functions I printed all the strings the .data section with iz | more. With that I found some that looked interesting:

974 0x0000fd90 0x00410b90  36  37 (.rdata) ascii Tk9SRVBMUy1NRUtJLTMwSDItQU1OMy00OUpG
975 0x0000fdb8 0x00410bb8  23  48 (.rdata) utf16le Registration Successful

That suggested that might it might use that first string to authenticate, so with :slight_smile:

 [0x004019f2]> axt @ str.Tk9SRVBMUy1NRUtJLTMwSDItQU1OMy00OUpG
sub.USER32.dll_GetDlgItemTextA_3b0 0x40142d [DATA] push str.Tk9SRVBMUy1NRUtJLTMwSDItQU1OMy00OUpG

It gives me the address 0x40142d to step into with confirming that it indeed compares user input encrypted with CryptBinaryToStringA, to that first string.

Before stepping into the function, I tried to decrypt it with some common encryptions, starting with

echo "Tk9SRVBMUy1NRUtJLTMwSDItQU1OMy00OUpG" | base64 -D
NOREPLS-MEKI-30H2-AMN3-49JF

Thanks :smiley:. Going to try the other goals now.