[CrackMe] NoREpls - Part 3

assembly
crackme
reverseengineering
windows

#1

Backstory

edgyReggie is very thankful for those very, very, very few people (probably his parents :sweat_smile:) who bought him some coffee to get him through his days in university. As a means of saying Thanks!, he has implemented something that shows the customer’s name on the software after it has been registered. Something that’s really been frustrating him is how people keep managing to tamper with his serial numbers so hardcoding them is no longer an option and believes that his new validation method will be harder with which to mess around. The more complex the validation, the harder to crack, right? But by the looks of things, he’s in a state of conflict and has doubts that just changing the verification method will not be enough to stop crackers from pirating his software…

Difficulty

Author Assigned Level: Newbie

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru

0 voters


Goal

  • Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
  • Your secondary (optional) goal is to generate a working name-serial pair if possible.
  • Bonus points to the most elegant solutions (minimal byte patching).

Rules of Engagement

None.


Research Material

Potential spoilers in here!

Binary

NOTE: Please remove all “License.lic” files in the same directory before executing.

Preview (look and design may not be accurate):

  • Now supports file drag and drop into the text box!

MediaFire - http://www.mediafire.com/file/hsry0ed1zbbzx6m/NoREpls1.3.exe

VirusTotal - https://www.virustotal.com/en/file/9ca7db2d4500c88452e4bd7fc0e532dcece299417d5699dfd05ed4a6e01f4cc6/analysis/1500635220/ Woo! Finally no detections! :grin:

Good luck!


Challenge Collection: Reverse Engineering and CrackMe
#2

Top-notch anti-debugging measures

EDIT: Holy crap, Windows troubleshooter fixed it o_O
Double edit: Nope, crashes again. And my color scheme has switched to about 2.5 colors, what have you done
Oh baby, a triple edit: ay, it works again


#4

Once again thank you.

My aim was to patch your program with up to two bytes and create “valid” License.lic file for this patch.
Function (0x00401d20) for validating serial key and name combination is expected to returns value 1 for valid license. So I change it in that way. Below is code executed for invalid combinations:

0x00401daa         mov        ecx, dword [ebp+var_4]
0x00401dad         xor        al, al
0x00401daf         pop        edi
0x00401db0         pop        esi
0x00401db1         xor        ecx, ebp
0x00401db3         pop        ebx
0x00401db4         call       sub_402273 ;stack smashing protecton
0x00401db9         mov        esp, ebp
0x00401dbb         pop        ebp
0x00401dbc         ret
0x00401dbd         db         3 dup (0xcc)

I want to set eax=1. Because I decided to patch up to two bytes, I would like to put instruction “inc eax” somewhere in this code. With all functionality and stack protection working, I can use “free” space after return (INT3 instructions, 0xcc bytes), so I move ret instruction by one byte and put “inc eax” instead of original “ret”. So the patched code looks like:

0x00401dbc         inc        eax
0x00401dbd         ret
0x00401dbe         db         2 dup (0xcc)

How to patch:

echo -ne "\x40\xc3" | dd of=NoREpls1.3_patch.exe bs=1 seek=4540 count=2 conv=notrunc

And after that, I create “License.lic” with following content (or simply fill-in this content using Register dialog):

SERIAL=NOREPLS-0000-0000-0000-0000
NAME=lacike

This is enough for unlock full version :slight_smile:


#5

Patching the program was easy, same solution as the last one, but whoever wrote that serial checking code needs to get a holy water IV and seek the nearest pope because an exorcist will only make things worse.


#6


#7

I just made it up on the spot in 10 seconds. I don’t even know if it works or not :wink:


#8

I’m a bit late here but I thought this would be interesting to add. I looked into the serial checking code as well and it seems that the serial check completely ignores the contents of the given serial. It only performs a ton of complicated operations on the username. It ends up putting the result of these operations in the ebx register. The ebx register is then compared with an arbitrary number. When ebx is larger than that number, the registration is successful. So, as long as the serial has the correct format, everything is fine. The only thing that matters is if the username is correct. At least, this is what I found after digging around in the code. It could very well be that I missed something very obvious.


(Full Snack Developer) #9

Man, those edits were a rollercoaster of emotion


(Dark Sider) #10

Signed up just to say that I accomplished this;

By jumping the loop setup after incorrectly inputting a key
Found the initial point of the loop, set to jnz return_equal therefore allowed access. This in turn created the Licence.lic with the key for me with the 'accepted key 'inside.

Not a very manipulated way or pretty Cracked <3 (Always love that), but this ‘series’ has taught me more about reversing in the last hour than I’ve ever dreamt of before. Just gotta find how to add that in!

Every day is a school day, even when you don’t know any programming language!