Writeup: autumn crackme from "Kaspersky Lab"

Hello. The title speaks for itself. The event was poorly publicized and I only managed to take part in it by pure luck. As a result I grabbed eleventh place and will receive the promised prize. Let's get to it.

CrackMe. Or here (greetings from 2k17 if the link is dead)

Tools: IDA, HxD, CFF Explorer, DbgView, PEChecksum, KmdManager
The last three tools are quite specific; many crackers will already have guessed what the whole crackme is about.

After downloading the file, the first thing I noticed was its extension. Dirty thoughts started creeping into my head that this was yet another CTF-style "figure out how to run me" task. The hex listing brought me to a state of ataraxia:

[screenshot]

The cherished Mark Zbikowski signature (MZ) was in place, so we continue the analysis:

[screenshot]

Here's the twist: it's a driver. We safely rename CrackMe to crackme.sys. At this point the pertinent question came up: where is the loader? Where is the GUI (graphical user interface, don't think anything bad)? There aren't any. Literally. I think this is the second (hehe, still have to get the first) illogical CrackMe: that just doesn't happen. We continue the analysis.

This is what the driver's ImageBase looks like:

[screenshot]

And this is the real DriverEntry:

[screenshot]

Here we need to remember the device name and note that our driver kindly handles user-mode DeviceIoControl requests.

This is what the handler looks like after manual adjustments:

[screenshot]

And this is after comparing it against the ASM listing:

[screenshot]

What's going on here? The function receives an input buffer (by the way, I haven't figured out how to pass it via DeviceIoControl; write in the comments) and a control code. Depending on the ControlCode, the buffer is copied either into the mail field or into the key field (a neat emulation of a GUI, what can I say). After filling in these fields we need to send the ControlCode a third time, and that launches Validate, which shows a message.

An experienced cracker would patch this spot and launch the build, yes, but we need to find the serial number for our mail. We prepare for the worst and go to the sacred Validate function:

[screenshot]

The ASM listing of its most intimate moment:

[screenshot]

After validating the received parameters, it computes a hash of a certain string constant, a hash of the input buf1 (our mail, obviously) and a combined hash of these two strings.

What does func1 look like? Scary and awful (actually not very). Inside it there are another 4 functions doing something with the incoming string: filling, copying, modifying, and so on.

It is worth noting that nothing associated with buf2 (which is obviously our serial) is passed into func1. And what does a cracker do when he sees some hash function of the mail that receives nothing associated with the key, and right after it this lovely combination:

xor eax, eax
repe cmpsb
setz al
ret

Of course! He rushes to put a breakpoint after the call to this function: maybe the returned string is our key (the biggest flaw of any CrackMe is a trivial strcmp). But there are a couple of buts:

  1. We need to properly initialize the Validate call through a series of requests to the driver (or patch memory by hand and call it directly)
  2. The common debugger archetype "Olly" is not suited for ring0; you need more powerful tools

However much I tried, my VirtualBox with XP SP3 refused to accept Syser/SoftICE/WinDbg. An idea came up: why not force the driver to kindly tell us the serial number itself? How can that be done?

To start with, we patch out the validity check of the incoming data inside Validate:

[screenshot]

We just fill them with NOPs.

Then we need to fill the buffer with the mail by hand (it is dynamically allocated); we do it, say, at the beginning of Validate. It was this:

[screenshot]

Became this:

[screenshot]

The dynamic calculation of the email length and everything associated with buf2 were cut out.

Now we patch the end of the function and, instead of executing repe cmpsb, try to force a call to DbgPrint:

[screenshot]

After patching, the CheckSum field of the driver must be recalculated; the PEChecksum utility does this. Then load the driver with KmdManager (loading a 32-bit driver requires a 32-bit system, preferably XP) and open DebugView. All that remains is to write a small program that calls the driver:

#include <windows.h>

char tmp[0x100];
DWORD bytesReturned = 0;   // DeviceIoControl needs a real DWORD for lpBytesReturned, not the buffer address

// open the device that DriverEntry registered (CreateFileW: the path is a wide string)
HANDLE handle = CreateFileW(L"\\\\.\\crackme", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (handle != INVALID_HANDLE_VALUE) {
    // control code 0x222408 fires the patched Validate, which DbgPrints the serial
    DeviceIoControl(handle, 0x222408, 0, 0, tmp, 0x100, &bytesReturned, 0);
    CloseHandle(handle);
}

Compile, run:

[screenshot]

The first line is the required serial number. That's all, goodbye.
NOTE: the solution was published only after the first fifteen participants had completed the task. Fair competition must be respected.
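A closer look at the checksum step (PEChecksum) mentioned above. Windows refuses to load a driver whose PE CheckSum field no longer matches the image, so any byte patch has to be followed by a recalculation. The following is an added example, not code from the original post or from PEChecksum: a portable C implementation of the standard CheckSumMappedFile algorithm (sum all 32-bit words except the CheckSum field itself with carry folding, fold to 16 bits, add the file length), plus a fixup and a validity check. The 0x200-byte "image" it runs on is constructed inline and is not a real driver; the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PE layout constants: e_lfanew lives at 0x3C in the MZ header; CheckSum sits at
   "PE\0\0" (4) + COFF header (20) + offset 64 of the optional header = 0x58. */
#define MZ_E_LFANEW     0x3C
#define PE_CHECKSUM_OFF 0x58

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the CheckSum field, or 0 if the buffer does not look like an MZ/PE image. */
size_t pe_checksum_field_offset(const uint8_t *img, size_t len) {
    if (len < MZ_E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + MZ_E_LFANEW);
    if ((size_t)e_lfanew + PE_CHECKSUM_OFF + 4 > len) return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    return (size_t)e_lfanew + PE_CHECKSUM_OFF;
}

/* The CheckSumMappedFile algorithm over the whole file. checksum_off must be 4-aligned
   (it always is for a well-formed header) so the skipped word is exactly the CheckSum field. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t checksum_off) {
    uint64_t sum = 0;
    for (size_t i = 0; i < len; i += 4) {
        if (i == checksum_off) continue;            /* the field itself is excluded from the sum */
        uint8_t dw[4] = {0, 0, 0, 0};
        size_t n = (len - i < 4) ? len - i : 4;     /* zero-pad a trailing partial dword */
        memcpy(dw, img + i, n);
        sum += rd32(dw);
        if (sum > 0xFFFFFFFFull) sum = (sum & 0xFFFFFFFFull) + (sum >> 32);   /* fold the carry */
    }
    sum = (sum & 0xFFFF) + (sum >> 16);   /* fold 32 -> 16 bits */
    sum += sum >> 16;
    sum &= 0xFFFF;
    return (uint32_t)(sum + len);         /* the file length is added last */
}

/* 1 if the stored CheckSum matches the image contents (what the loader checks for drivers). */
int pe_checksum_is_valid(const uint8_t *img, size_t len) {
    size_t off = pe_checksum_field_offset(img, len);
    if (!off) return 0;
    return rd32(img + off) == pe_compute_checksum(img, len, off);
}

/* Rewrites the CheckSum field after a patch, as PEChecksum does. Returns the new value, 0 on error. */
uint32_t pe_checksum_fixup(uint8_t *img, size_t len) {
    size_t off = pe_checksum_field_offset(img, len);
    if (!off) return 0;
    uint32_t cs = pe_compute_checksum(img, len, off);
    wr32(img + off, cs);
    return cs;
}

/* Constructed minimal image (not a real driver): MZ stub, e_lfanew = 0x80, "PE\0\0", 0x200 bytes. */
#define DEMO_LEN 0x200
void build_demo_image(uint8_t *img) {
    memset(img, 0, DEMO_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + MZ_E_LFANEW, 0x80);
    memcpy(img + 0x80, "PE\0\0", 4);
}

/* Builds the demo image, fixes its checksum and returns the new value (0xA21D for this image). */
uint32_t demo_fixup_value(void) {
    uint8_t img[DEMO_LEN];
    build_demo_image(img);
    return pe_checksum_fixup(img, DEMO_LEN);
}

/* 1 if the image is invalid before fixup, valid after it, and invalid again after a one-byte patch. */
int demo_roundtrip(void) {
    uint8_t img[DEMO_LEN];
    build_demo_image(img);
    if (pe_checksum_is_valid(img, DEMO_LEN)) return 0;
    pe_checksum_fixup(img, DEMO_LEN);
    if (!pe_checksum_is_valid(img, DEMO_LEN)) return 0;
    img[0x100] ^= 0x90;                 /* simulate patching one byte to a NOP after the fixup */
    return !pe_checksum_is_valid(img, DEMO_LEN);
}

int main(void) {
    printf("demo CheckSum = 0x%08X, roundtrip ok = %d\n", demo_fixup_value(), demo_roundtrip());
    return 0;
}
```

The same routine is useful from the other side: a driver or service whose on-disk CheckSum does not match its bytes has either been patched or was never checksummed, which is a cheap integrity signal to log before anything gets loaded.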
Article based on information from habrahabr.ru
