[CrackMe] NoREpls - Part 6

assembly
crackme
windows
reverseengineering

#1

Backstory

After reading the cracking attempts from the previous thread, edgyReggie asked DownerDanny to take some time into researching further possible solutions to deter crackers. That some time has now passed and edgeS0ft are ready to release their updated software hoping that it will at least hold off the weaker pirates until DownerDanny can study and apply more methods…

Difficulty

Author Assigned Level: Wannabe

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru



Goal

  • Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
  • Your second goal is to ensure that your unlocked program works on different machines.
  • Your third (optional) goal is to generate a working name-serial pair if possible.
  • Bonus points to the most elegant solutions (minimal byte patching).

Rules of Engagement

Not really a rule but it would be a better learning experience if you disable all anti-anti plugins. I’m not forcing this onto you but I’d recommend leaving them until later.


Research Material

DEFINITE SPOILERS IN HERE! Don't reveal unless you're really stuck!

Binary

Preview (look and design may not be accurate):

Version 2.2 revised version (bug fixes)

MediaFire - http://www.mediafire.com/file/p5awaouaj7rak74/NoREpls2.2.exe

VirusTotal - https://www.virustotal.com/en/file/d3d8c6d8ff5d7733b531f0fb19329f6341fbb003e0e5854eb8ff56b9193e1b9d/analysis/1501149854/

Good luck! :wink:


Challenge Collection: Reverse Engineering and CrackMe
#2

This is getting fun!

Control flow obfuscation threw me off a bit. I patched it out en masse, and while the program ran most of the time, getting rid of the last nag (demo label and register menu item) just crashed the application. Got to be more careful next time :wink:

After that I added the usual “mov al, 1” to the serial check function; there was no more nag window, but it was still labelled a demo. Had to patch one more spot which removes the demo label and disables the “Register” menu item. This was weird, and the xref to that variable was lost to control flow obfuscation. But hey - whatever works… :wink:


#3

An updated version has been released to address some bugs. Please download the revised version!

@rokups Please retry your solution and see if it works better.


#4

Better indeed :wink: edgyReggie should not be coding while intoxicated :stuck_out_tongue:

Now it’s enough to patch “setnle al” > “mov al, 1” in the serial check function, like before. Me needing that other patch to clean up the UI was edgyReggie’s bug, but I hesitated. Too many times when I shouted “bug” it turned out to be my mistake :slight_smile:

Any recommendations on reading material regarding reverse-engineering a serial generation algorithm? I have a general idea of just going through the serial check algorithm and adjusting the serial values to the ones the algorithm expects, but that would produce one serial and sounds inefficient. Is there a better way?


(The C# Dude) #5

Pretty cool anti-debug this time… Here’s my approach.

We use the same strategy as always for finding the anti-debug: Step your way through the code. You’ll see the structure is known from the last two parts; nearly the same. When you come to the loop you’ll know what I mean by nearly :wink:.

Again it’s the second call which makes us worry, but this time it’s triggered on the third (Not second as last time) run!
And that’s not everything; just jump into it and you’ll see what I mean:

What? Mmh… Something’s wrong; let us remove our automatic analysis and have a look at the raw stuff. Right-click -> Analysis -> Remove analysis from module:

Now the reversing can continue. Jump a few instructions to get here:

The highlighted line is the terminating call; but how can that be? It’s not shown as a call! Just re-enable the analysis (Right-click -> Analysis -> Analyse code [CTRL + A]) and it will be correctly interpreted.
How do we want to patch? As always, you’ve got multiple possible solutions:

  • NOP the call (And the PUSHs before! Why? Think or try it yourself :wink:)
  • change PUSH EBP to RETN

I prefer the second way (1 byte patch; just unselect the “Fill with NOP’s”); but it’s up to you. Anyway, we’ve managed to clean our binary and are ready for cracking it!

It’s the same as last time; run the program, pause the execution when the first nag is shown, ALT+K for having a look at the call stack, select the call to the DialogBox and change the JNZ in front of the call to a JZ (=JE) - done!


#6

Sorry, I don’t have anything on that. I’d assume it just takes a lot of practice.


#7

Thanks dtm!

My first approaches halfway failed, with cracked binaries that crashed 50% of the time and worked the other 50%.
In the end I did something similar to @rokups and also patched the CRC on the StringTable to mess that up as well.
(To allow debugging I just patched a few jumps; I didn’t include those in the final binary though, which means my crack won’t work if a debugger is running in the background.)
And because I love pictures:


@TheDoctor that trick is pretty cool, thank you for showing it! :open_mouth:


#8

So… My patch is just 3 bytes. Does anyone have any less?


#9

If you start asking like that, 1 byte patch :stuck_out_tongue::

At the end of the serial checking routine, replace pop ebx or pop esi with pop eax (0x58).
The program will start in demo mode; you then have to register. After registering the program exits.
Now restart and you have the full version.

CPU Disasm
Address   Hex dump          Command                                  Comments
00F7337B      837D E8 00    CMP DWORD PTR SS:[EBP-18],0
00F7337F      0F95C0        SETNE AL                                 ; here is the 3 byte patch I guess?
00F73382      5F            POP EDI
00F73383      5E            POP ESI                                  ; Either replace this
00F73384      5B            POP EBX                                  ; or this
00F73385      8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
00F73388      33CD          XOR ECX,EBP
00F7338A      E8 7F070000   CALL 00F73B0E
00F7338F      8BE5          MOV ESP,EBP
00F73391      5D            POP EBP
00F73392      C3            RETN
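As an added example (not part of the original thread or the NoREpls binary), the Python below reproduces the kind of region integrity check post #7 mentions (a CRC over code bytes) and runs it over the 24 epilogue bytes transcribed from the listing above, showing that the single-byte pop esi → pop eax change is caught. The bytes and offsets come from the listing; the choice of CRC-32, the function names and the reference-checksum layout are assumptions.

```python
import zlib

# Constructed input: the 24 bytes of the serial-check epilogue transcribed
# from the CPU Disasm listing in post #9 (hex dump column, left to right).
EPILOGUE = bytes.fromhex(
    "837DE800"    # CMP DWORD PTR SS:[EBP-18],0
    "0F95C0"      # SETNE AL
    "5F"          # POP EDI
    "5E"          # POP ESI   <- offset 8, the byte the 1-byte patch replaces
    "5B"          # POP EBX   <- offset 9, the alternative target
    "8B4DFC"      # MOV ECX,DWORD PTR SS:[EBP-4]
    "33CD"        # XOR ECX,EBP
    "E87F070000"  # CALL 00F73B0E
    "8BE5"        # MOV ESP,EBP
    "5D"          # POP EBP
    "C3"          # RETN
)
POP_ESI_OFFSET = 8
POP_EAX = 0x58  # opcode quoted in post #9

def region_crc(data: bytes) -> int:
    """CRC-32 over a code region (assumed algorithm; the thread only says 'CRC')."""
    return zlib.crc32(data) & 0xFFFFFFFF

def verify_region(data: bytes, expected_crc: int) -> bool:
    """True when the region still matches the reference checksum."""
    return region_crc(data) == expected_crc

def modified_offsets(reference: bytes, candidate: bytes) -> list:
    """Offsets at which candidate differs from reference (equal length assumed)."""
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]

def simulate_one_byte_patch(region: bytes, offset: int, value: int) -> bytes:
    """Copy of region with one byte replaced, used only to exercise the check."""
    patched = bytearray(region)
    patched[offset] = value
    return bytes(patched)

def check_epilogue(candidate: bytes) -> dict:
    """Compare a candidate epilogue against the reference and report the result."""
    reference_crc = region_crc(EPILOGUE)
    return {
        "intact": verify_region(candidate, reference_crc),
        "changed_at": modified_offsets(EPILOGUE, candidate),
    }

if __name__ == "__main__":
    print(check_epilogue(EPILOGUE))
    print(check_epilogue(simulate_one_byte_patch(EPILOGUE, POP_ESI_OFFSET, POP_EAX)))
```

As post #7 shows, a check like this is itself a patch target, so the reference value has to be validated from more than one place or kept somewhere the checked region cannot reach.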

#10

Oh wow that is a nice observation right there! Only way to beat that must be making a working serial :smiley:


(The C# Dude) #11

Optional 1 byte patch to remove the anti-debug and the 1 byte patch to crack the program; read my comment above, if you’re interested :wink:.