[CrackMe] NoREpls - Part 5

Backstory

edgyReggie and DownerDanny of edgeS0ft have reviewed the results of the cracking attempts in the previous thread and are quite happy that there is progress in deterring crackers’ attempts at pirating the software. edgyReggie has also noticed that people have been able to share registration information amongst each other to unlock the full program, so as a response to this, he has removed the use of the licensing file entirely. Meanwhile, DownerDanny has been looking further into different ways he could protect easily recognisable and potentially sensitive information.

Difficulty

Author Assigned Level: Wannabe

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru



Goal

  • Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
  • Your second goal is to ensure that your unlocked program works on different machines.
  • Your third (optional) goal is to generate a working name-serial pair if possible.
  • Bonus points to the most elegant solutions (minimal byte patching).

Rules of Engagement

Not really a rule, but it would be a better learning experience if you disable all anti-anti plugins. I’m not forcing this onto you, but I’d recommend leaving them until later.


Research Material

DEFINITE SPOILERS IN HERE! Don't reveal unless you're really stuck!

MSDN - PEB Structure
MSDN - STRINGTABLE Resource
Stack Overflow - mov eax, large fs:30h


Binary

Preview (look and design may not be accurate):

MediaFire - http://www.mediafire.com/file/1erkjhn73ty1v1y/NoREpls2.1.exe

VirusTotal - https://www.virustotal.com/en/file/7ee72509d6094671fa5a9dd4e1103a835769435ffb030583da2e7e6d744958bb/analysis/1500885516/

Good luck!

5 Likes

You have to talk to edgyReggie! Right now he is forcing his potential customers to crack his software, because there cannot be a valid name-serial pair.
No matter what name-serial pair is passed to the verification function, you can tell it will always return false when you look at how the return value is computed: return Acc % 10 > 105;

How convenient for a crackme challenge! But I will keep that in mind for later tasks.

:wink:

Also, please consider using spoiler tags so that it won’t interfere with other people’s progress.

Instead of calling IsDebuggerPresent, the program checks the BeingDebugged field of the Process Environment Block [spoiler]by itself. Here is the responsible function:

After that we gotta find the license check. All strings seem to be obfuscated and InitCommonControls is gone, so instead I opted to find DialogBoxParamW:

Right above that we see the familiar CALL, TEST, JNE. We patch it out using our preferred method and the program is cracked!

[/spoiler]
@dtm: Do you have some plan of these challenges or do you make them up as you go along?

1 Like
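A way to locate that inline check statically instead of by stepping, as an added example (not code from the thread, from the poster, or from NoREpls): the function reads the PEB pointer from fs:[30h] and then the byte at PEB+2 (BeingDebugged). On 32-bit x86 those two instructions have only a handful of encodings, so the pair can be grepped for in the file. The sample bytes are constructed here to stand in for the program; the allowance of up to 8 bytes between the load and the read is an assumption (room for a push or register move). The offsets returned are file offsets, not VAs.

```python
import re

# Encodings (32-bit x86) of the two instructions an inline PEB.BeingDebugged
# check needs: load the PEB pointer from the TEB at fs:[30h], then read the
# byte at PEB+2.  Both forms a compiler emits for the load are covered.
PEB_LOAD = (
    rb"(?:"
    rb"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]  (A1 moffs32 form)
    rb"|\x64\x8b\x05\x30\x00\x00\x00"     # mov eax, fs:[30h]  (8B /r disp32 form)
    rb")"
)
# movzx r32, byte [eax+2] -> 0F B6 <modrm> 02 ; mov r8, byte [eax+2] -> 8A <modrm> 02
# modrm for [eax+disp8] is 0x40 | (reg << 3): one of 40 48 50 58 60 68 70 78.
BEING_DEBUGGED_READ = rb"(?:\x0f\xb6|\x8a)[\x40\x48\x50\x58\x60\x68\x70\x78]\x02"
# Assumption: at most 8 bytes between the load and the read (a push/mov fits).
INLINE_PEB_CHECK = re.compile(PEB_LOAD + rb".{0,8}?" + BEING_DEBUGGED_READ, re.DOTALL)


def find_inline_peb_checks(image: bytes) -> list:
    """Return the file offsets at which an inline BeingDebugged check starts."""
    return [m.start() for m in INLINE_PEB_CHECK.finditer(image)]


# Constructed sample (NOT bytes from NoREpls): three PEB reads, of which only
# the first and third touch BeingDebugged; the second reads PEB.Ldr (+0Ch).
SAMPLE = (
    b"\x55\x8b\xec"                       # 0:  push ebp; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"           # 3:  mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                   # 9:  movzx eax, byte [eax+2]   <- hit
    b"\x5d\xc3"                           # 13: pop ebp; ret
    b"\xff\x15\x00\x20\x40\x00"           # 15: call [imported fn]  (no PEB read)
    b"\x84\xc0\x75\x02"                   # 21: test al, al; jnz +2
    b"\x64\x8b\x05\x30\x00\x00\x00"       # 25: mov eax, fs:[30h]
    b"\x8b\x40\x0c"                       # 32: mov eax, [eax+0Ch]  (Ldr, not a hit)
    b"\x64\xa1\x30\x00\x00\x00"           # 35: mov eax, fs:[30h]
    b"\x50"                               # 41: push eax
    b"\x8a\x48\x02"                       # 42: mov cl, byte [eax+2]    <- hit
)


def scan_file(path: str) -> list:
    """Scan a PE on disk; offsets are file offsets (map to VAs via the section table)."""
    with open(path, "rb") as f:
        return find_inline_peb_checks(f.read())


if __name__ == "__main__":
    for off in find_inline_peb_checks(SAMPLE):
        print("inline PEB.BeingDebugged check at file offset %#x" % off)
```

A hit points at the instruction to neutralise: the 4-byte movzx can be replaced with `31 C0 90 90` (xor eax, eax; nop; nop), which is the static equivalent of what an anti-anti plugin does at runtime by clearing the flag. The pattern is 32-bit only; a 64-bit build reads gs:[60h] and the PEB+2 read would use a different encoding.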

I do have a plan, but there are also some influences from how you guys are cracking them as well.

Hm, I only have a little time at the moment; got it working, but it isn’t looking correct.
I guess I have to search for all the anti-debugging and anti-modification code later! :open_mouth:

CPU Disasm
Address   Hex dump          Command                                 Comments
013818D9  |> \8B35 98603901 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetMod ; Case 110 (WM_INITDIALOG) of switch NoREpls2_1.13817C6
013818DF  |.  6A 00         PUSH 0                                  ; /Count = 0
013818E1  |.  68 B8F53901   PUSH OFFSET 0139F5B8                    ; |Buffer = ""
013818E6  |.  6A 75         PUSH 75                                 ; |StringID = 117. => 'NoREpls - Version 2.1 (demo version)'
013818E8  |.  6A 00         PUSH 0                                  ; |/ModuleName = NULL
013818EA  |.  FFD6          CALL ESI                                ; |\KERNEL32.GetModuleHandleW
013818EC  |.  8B3D C8613901 MOV EDI,DWORD PTR DS:[<&USER32.LoadStri ; |
013818F2  |.  50            PUSH EAX                                ; |hInst
013818F3  |.  FFD7          CALL EDI                                ; \USER32.LoadStringW
013818F5  |.  FF35 B8F53901 PUSH DWORD PTR DS:[139F5B8]             ; /Text = NULL
013818FB  |.  53            PUSH EBX                                ; |hWnd
013818FC  |.  FF15 90613901 CALL DWORD PTR DS:[<&USER32.SetWindowTe 
01381902  |.  C705 B8F53901 MOV DWORD PTR DS:[139F5B8],0
0138190C  |.  E8 8F190000   CALL 013832A0
01381911  |.  84C0          TEST AL,AL              
01381913      74 18         JNZ SHORT 0138192D                      ; patch this to JZ and you will get a working version
2 Likes

I don’t like double posting, but whatever. Thanks dtm! :smiley:

Jumped over mean anti-debugger code in a trial and error approach.
I then NOPed the ExitProcess code that CRCed the StringTable to be able to modify it.
Now I applied the patch from my previous comment.
The program crashed for some reason, so I fixed that as well.

Interesting further reading I found, but not necessarily directly connected to this:

Oh also, do you plan on releasing the source of the challenges at some point? I would love to see it! :smiley:

1 Like

Yeah, I will but it might be a while until we hit that end game stage.

1 Like

Guys, some of you go about it in a very complex way; it is actually very easy.

The solution is exactly the same as part 4. At VA 0342FE8, just patch it to mov al, 1; nop. It is the serial verification function. With the patch you can enter any name and serial, provided it follows the regex NOREPLS-%d-%d-%d-%d, and it will be accepted. The license file was removed, but w/e; license data is saved to the registry. The same proc is used to verify the key from the registry, so it will remain cracked on relaunch.

@Joe_Schmoe, another easy way to find the license check function is to put a breakpoint on MessageBoxW and let the license check fail. We can see where it is called from and find the license check easily.

2 Likes

Let them learn. :wink:

Same as before: jumped the main dialog box, which jumped the entire security cookie script shenanigans.

Though I found the 2 obfuscated reference points of the Username and Serial long before anything else. Dead end for me!

Thanks :grin:

1 Like