[CrackMe] NoREpls - Part 2

assembly
crackme
reverseengineering
windows

#1

Backstory

edgyReggie has looked over the previous thread once again and has thought that using such an easy encoding method just isn’t going to cut it. He has created a new serial number and obfuscated it yet again, and is confident that nobody can find it. He has also noticed that people have been complaining about the lack of persistence of the registration and has addressed the issue. One thing that edgyReggie is very concerned about is that crackers are defacing his software and removing his name, thus destroying even his reputation on top of his earnings! He will be thinking very hard for a solution to fix this problem…

Difficulty

Author Assigned Level: Newbie

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru



Goal

Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your secondary (optional) goal is to discover the new serial number.


Rules of Engagement

None.


Research Material

Potential spoilers in here!

Binary

Preview (look and design may not be accurate):

Revised version 1.2.1

MediaFire - http://www.mediafire.com/file/jk4oe2ky3kpq3zm/NoREpls1.2.1.exe

VirusTotal - https://www.virustotal.com/en/file/3300de4dbec0b91bdcc08a16a1f3e459937dcfcde8a00ec0ff7579b2cae2504a/analysis/1500552281/

Previous version 1.2

MediaFire - http://www.mediafire.com/file/nv5f8zs117gpusm/NoREpls1.2.exe

VirusTotal - https://www.virustotal.com/en/file/e044fb6d5973aabba1159bc83973eec78f590fd958b3f423829bc5399b231101/analysis/1500547918/

Good luck!


Challenge Collection: Reverse Engineering and CrackMe
#2

Well, finding the serial wasn’t hard as it shows up as soon as you enter the function which checks the entered key:


#3

I’ve updated a newer version if you’d like to try.


#4

Bah, I already started cracking the old one the proper way :stuck_out_tongue:

Upon starting, a dialog box shows up, which makes us wait for 5 seconds before the program actually starts. Same thing happens when you try to close it. Let’s find the string “Please wait… 5 seconds”.


It appears two times as expected. Let’s follow the first one:

Looks like this is the function which pops up the dialog and starts the timer. We can search for references to 013B1680:

Again appears two times, we shall follow the first one again:

Going up the call chain again:

Now this is interesting. There’s a function call to something in the program, a test instruction, and a jump over the assembly which creates our wait dialog. The license check must be happening in “sub_D219E0”!

Bingo! The function opens a file called “License.lic” and reads its contents!
If that file does not exist, execution jumps to the end of the function and we get the annoying popup. Let’s make that file and see what happens.

The code goes through a few functions until we arrive at this. Looks suspicious. We could attempt to decode it and check if it looks like a serial number…

…Or let the program do it for us. It appears edgyReggie has craftily hidden the serial by XORing it. Sneaky!
The serial is: NOREPLS-809J-NAS9-83H0-3NS9
After that the code goes deeper but I frankly can’t be bothered to follow it. Let’s get to patching!

We need to remove that call to the license check.

A simple MOV fits snugly. At last, the full version is ours, permanently!

EDIT: Woo, done!


#5

Hi, thanks for part 2.

I just figured out the mechanism behind checking the serial number, but for now I have no luck with cracking your license key. So I have modified your binary to accept my serial number. Sorry, edgyReggie :wink:

Yes, the serial number provided by the user during registration is hashed with MD5 and the result is compared with the value “deab67dde2001dc1a078456015765ed6”. So I replace this value with my own:

echo -n "NOREPLS-0000-0000-0000-0000" | md5sum | tr -d '\n \-' | dd of=NoREpls1.2.1.exe bs=1 seek=76216 count=32 conv=notrunc

Edit: added another modification for accepting all the serial keys.

During validation of the registration there is a call to the function strncmp at address “0x4028c0” (highlighted in the picture). This function returns 0 if both strings are equal and 1 otherwise. So I modified the latter case by replacing the instruction “or eax, 1” with “and eax, 0” at address “0x405dd2” (highlighted in the bottom picture).

echo -ne "\xe0\x00" | dd of=NoREpls1.2.1.exe bs=1 seek=20947 count=2 conv=notrunc

After this patch all license keys are valid, and after the first registration a file “License.lic” is created with the entered serial number. After each restart the serial key from License.lic is validated and compared using our patched strncmp, so this patch achieves a permanent full version of the software after the first registration with any serial number.
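An added Python model (example code, not from the thread or from NoREpls) of the 1.2.1 check as this post and the later ones describe it: the serial from the “SERIAL=” line of License.lic is MD5-hashed and compared by strncmp against the 32-character constant, and the `patched` flag models the “or eax, 1” → “and eax, 0” change. The line format and the hash constant come from the thread; the function names and the exact control flow around eax are assumptions.

```python
# Added example (not from the thread): Python model of the NoREpls 1.2.1
# registration check as the posts describe it, so the MD5-compare logic can
# be studied without the binary.  Hash constant and "SERIAL=" line format
# are from the thread; the function names and control flow are assumed.
import hashlib
from typing import Optional

# 32-char hex constant embedded in the binary (quoted in the thread).
EMBEDDED_HASH = "deab67dde2001dc1a078456015765ed6"


def hash_serial(serial: str) -> str:
    """MD5 hex digest of the serial, same as `echo -n SERIAL | md5sum`."""
    return hashlib.md5(serial.encode("ascii")).hexdigest()


def parse_license(text: str) -> Optional[str]:
    """Return the serial from a License.lic body ("SERIAL=..." line), or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SERIAL":
            return value.strip()
    return None


def strncmp_result(a: str, b: str, n: int = 32) -> int:
    """Model of the strncmp(a, b, 32) call: 0 when the first n chars match."""
    return 0 if a[:n] == b[:n] else 1


def is_registered(license_text: str, embedded_hash: str = EMBEDDED_HASH,
                  patched: bool = False) -> bool:
    """Validate License.lic the way the posts describe the binary doing it.

    Unpatched: the "not equal" path does `or eax, 1`, so a wrong serial
    leaves eax non-zero.  patched=True models `and eax, 0` on that path:
    eax is forced to 0 and every serial is accepted.
    """
    serial = parse_license(license_text)
    if serial is None:          # no License.lic / no SERIAL= line
        return False
    eax = strncmp_result(hash_serial(serial), embedded_hash)
    if eax != 0:
        eax = 0 if patched else eax | 1
    return eax == 0
```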


#6

Love this regular content!

Like always, some string editing.
Also a small patch to change the “JNE” to “JMP”. (That’s the point where the program does stuff depending on licence file existence and correctness, so this modification basically makes existing and non-existing, correct and incorrect licences accepted => licence checking disabled.)

Patch position (just search for the intermodular call DialogBoxParamW; ShowWindow is pretty close):

CPU Disasm
Address   Hex dump          Command                                  Comments
010D15B0   $  55            PUSH EBP                                 ; NoREpls1_2_1_original.010D15B0(guessed Arg1,Arg2,Arg3,Arg4)
010D15B1   .  8BEC          MOV EBP,ESP
010D15B3   .  83EC 1C       SUB ESP,1C
010D15B6   .  FF15 00F00D01 CALL DWORD PTR DS:[<&COMCTL32.#17>]
010D15BC   .  E8 AF130000   CALL 010D2970
010D15C1   .  84C0          TEST AL,AL
010D15C3   .  75 18         JNE SHORT 010D15DD         ; <================ REPLACE THIS WITH JMP!
010D15C5   .  6A 00         PUSH 0                                   ; /InitParam = 0
010D15C7   .  68 E0260D01   PUSH 010D26E0                            ; |DialogProc = NoREpls1_2_1_original.10D26E0
010D15CC   .  6A 00         PUSH 0                                   ; |hParent = NULL
010D15CE   .  6A 6F         PUSH 6F                                  ; |TemplateName = 6F
010D15D0   .  6A 00         PUSH 0                                   ; |hInst = NULL
010D15D2   .  A2 80670E01   MOV BYTE PTR DS:[10E6780],AL             ; |
010D15D7   .  FF15 84F10D01 CALL DWORD PTR DS:[<&USER32.DialogBoxPar ; \USER32.DialogBoxParamW

#7

Hi !
Thanks for the challenge again!


But I can’t find the serial :confused:


#8

Well, one more achieved :slight_smile:

MD5 is too long to bruteforce, so I just NOP the jump instruction.


(Hakan Oruc) #9

Not found in DB … help?


#10

Nice try but you gotta dig deeper into the software this time. :wink:


#11

Really enjoyed the challenge!

[spoiler]I managed to crack it with a single byte change.

Changing the “test eax, eax” to “test edi, eax” forced the application to accept incorrect serials as it invalidated the test.
I spent a good deal of time trying to figure out the encryption, but I couldn’t figure it out unfortunately.

With a License.lic file containing “SERIAL=NOREPLS-0000-0000-0000-0000” it starts up in registered mode.
[/spoiler]


#12

Don’t worry about it, you’d probably have never gotten it anyway due to its nature. Good job nevertheless! :wink:


(Rasty) #13

Hello, this post seems really really old but I hope you will see this and reply. I’m new to RE and currently using IDA Pro. I’m curious which disassembler do you use? And how were you able to get the decrypted version of the license? Since as I understand it, it encrypts the user input and compares it to deab67dde2001dc1a078456015765ed6. Your answer would really help :). Thanks in advance.


#14

Hiya, I use x64dbg with the xAnalyzer plugin. As to revealing the serial, I just kinda stepped through the code and it popped up at some point. Got lucky I guess.


#15

Greetings.

I’m new in this art, so here is my solution for this challenge.

I saw the stack that compares the serial vs the real serial and I changed the values to jmp and nop.


I found the real serial key inside the stack that I changed.

I tried to decrypt it as base64 without success.
So I tried it as MD5 and it was a success.

NOREPLS-0892-H43O-19JG-3UAN
(hash = deab67dde2001dc1a078456015765ed6)

Thank you very much for part 2.