Things that make cracking a pain

Below is a proof of concept I wrote that implements several techniques that make cracking a pain in the ass. I use the classic IsDebuggerPresent API as well as the assembly implementation of it (which I grabbed by stepping through it in a debugger). I use LoadLibrary, check for the trap flag, and a few other things that make stepping through the code sucky. On top of that, I mutate strings and store every string as a character array, since I’ve found that storing strings this way fools the string utility in IDA Pro. Since LoadLibrary uses this weird method, you have to breakpoint on the LoadLibrary call, but since I’m checking for breakpoints, you’re SOL. The one other thing I should have done was use LockFile and memory-mapped files so that if you attempt to open the ‘sekret’ file while it’s running, it complains Windows-style with the access denied message. Oh well, another time.

 

Here it is in classic C:

#define WIN32_LEAN_AND_MEAN   /* must precede <windows.h> to have any effect */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>           /* strcmp/memset/strlen were used without a prototype */
#include <windows.h>
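/* The "locked" password file. It is opened with share mode 0, so any other
   attempt to open it while this process holds the handle fails. */
#define file "sektrit.txt"
/* Offset/OffsetHigh value for OVERLAPPED that makes WriteFile append.
   winbase.h already defines this name with the same value, so the
   redefinition is benign (identical token sequence). */
#define FILE_WRITE_TO_END_OF_FILE       0xffffffff

/* Debugger check via a LoadLibrary/GetProcAddress-by-ordinal lookup.
   Returns TRUE when the looked-up routine reports a debugger. */
BOOL FirstInit(void);
/* Debugger check via the PEB BeingDebugged byte (inline asm); 1 = debugger, 0 = none. */
int SecondInit(void);
/* Debugger check via the PEB NtGlobalFlag heap-debug bits; 2 = debugger, 4 = none. */
int ThirdInit(void);
/* Stalls, then terminates the current process with exit code 1. Does not return. */
void naw(void);
/* Overwrites the NUL-terminated string in place and returns the same buffer. */
char *Mutate(char *strString);
/* Appends a marker to the file, waits, then closes the handle. */
void ClosingFile(HANDLE hfile);
/* Mutates the password buffer, appends it to the file, and returns the buffer.
   The caller owns the buffer; nothing is allocated here. */
char *Pass2File(HANDLE hfile, char randgenfilepass[]);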

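/* Prints the banner and stalls three seconds so the user sees it. */
static void print_banner(void)
{
    printf("****************************************************************\r\n");
    printf("****************************************************************\r\n");
    printf("******************Joe G's Ultimate Crackme v 1.1****************\r\n");
    printf("****************************************************************\r\n");
    printf("****************************************************************\r\n");
    printf("\r\nEmail answers to Evil1 aka [email protected]\r\n");
    Sleep(3000);
}

/* Runs the debugger checks in order. Each one that fires shows the message
   box and calls naw(), which terminates the process and does not return. */
static void run_antidebug_checks(void)
{
    if (IsDebuggerPresent()) {
        MessageBox(NULL, "KNOCK IT OFF", "2", MB_OK);
        naw();
    }
    /* Kept from the original: the condition is constant-false, so this is
       dead code and FirstInit() never actually runs. */
    if (1 == 2) {
        FirstInit();
        MessageBox(NULL, "KNOCK IT OFF", "2", MB_OK);
        exit(0);
    }
    if (SecondInit() == 1) {
        /* exit gracefully */
        MessageBox(NULL, "KNOCK IT OFF", "2", MB_OK);
        naw();
    }
    if (ThirdInit() + 2 == 4) {
        MessageBox(NULL, "KNOCK IT OFF", "2", MB_OK);
        naw();
    }
}

/*
 * Entry point: banner, anti-debugging checks, "lock" the password file,
 * then give the user five guesses at the password.
 *
 * Returns 0 in every case that reaches the end; the debugger checks
 * terminate the process with exit code 1 instead of returning.
 *
 * Fixes relative to the original: the password array carries a terminator
 * (it had 24 characters and none, so strcmp/strlen read past it), the
 * scanf() read is bounded to the buffer (it was "%s" into &pass -- an
 * unbounded write with the wrong pointer type), the read result is checked,
 * the CreateFile handle is checked, and the %08x argument is cast to the
 * type the format expects.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    print_banner();
    run_antidebug_checks();

    /* Password seed. Built character by character on purpose: the post's
       author stores strings this way so they do not appear in IDA's string
       listing. Despite the message printed below, it is not random. */
    char randgenfilepass[25];
    randgenfilepass[0] = 't';
    randgenfilepass[1] = 'h';
    randgenfilepass[2] = 'e';
    randgenfilepass[3] = 'r';
    randgenfilepass[4] = 'e';
    randgenfilepass[5] = 'i';
    randgenfilepass[6] = 's';
    randgenfilepass[7] = 'n';
    randgenfilepass[8] = 'o';
    randgenfilepass[9] = 't';
    randgenfilepass[10] = 'h';
    randgenfilepass[11] = 'i';
    randgenfilepass[12] = 'n';
    randgenfilepass[13] = 'g';
    randgenfilepass[14] = 'f';
    randgenfilepass[15] = 'o';
    randgenfilepass[16] = 'r';
    randgenfilepass[17] = 'y';
    randgenfilepass[18] = 'o';
    randgenfilepass[19] = 'u';
    randgenfilepass[20] = 'h';
    randgenfilepass[21] = 'e';
    randgenfilepass[22] = 'r';
    randgenfilepass[23] = 'e';
    randgenfilepass[24] = '\0';   /* terminator: strcmp/strlen need it */

    char dix[4];
    dix[0] = 'y';
    dix[1] = 'o';
    dix[2] = 'u';
    dix[3] = '\0';

    /* Share mode 0: nobody else can open the file while we hold it. */
    HANDLE hfile = CreateFile(file, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hfile == INVALID_HANDLE_VALUE) {
        /* The game itself does not depend on the file, so keep going. */
        printf("could not open %s (error %lu), continuing without it\r\n",
               file, (unsigned long)GetLastError());
    }

    /* thepass aliases randgenfilepass after Mutate() has run on it. */
    char *thepass = Pass2File(hfile, randgenfilepass);
    printf("The password is randomly generated locked inside %s. Good luck trying to open it!\r\n", file);

    /* Four NOPs, as in the original (MSVC 32-bit inline asm); purpose not stated. */
    __asm {
        nop;nop;nop;nop
    };

    char pass[128];
    int attempt;
    for (attempt = 0; attempt < 5; attempt++) {
        printf("What is the password?\r\n");
        /* %127s leaves room for the terminator; stop on EOF/read error
           rather than comparing a stale buffer. */
        if (scanf("%127s", pass) != 1) {
            break;
        }
        if (strcmp(pass, thepass) == 0) {
            /* The original also had "ghe ^ 3;" here, a statement with no
               effect, so the printed value is unchanged by dropping it. */
            int ghe = 126387;
            printf("great fuckin job man! Email me with '%08x > %s' in the subject line\r\n",
                   (unsigned)(sizeof(hfile) + (size_t)ghe), dix);
            break;
        }
        printf("WRONG! Attempt %d of 5\r\n", attempt + 1);
    }

    if (hfile != INVALID_HANDLE_VALUE) {
        ClosingFile(hfile);
    }
    system("PAUSE");
    return 0;
}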

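/*
 * Appends the marker "naw" to the file, waits two seconds, closes the
 * handle and prints the "unlocked" message.
 *
 * hfile: handle from CreateFile. An invalid/NULL handle is reported and
 *        skipped instead of being passed to WriteFile/CloseHandle.
 *
 * Fixes relative to the original: dwBytesWritten is initialised, the
 * WriteFile and CloseHandle results are checked, and OffsetHigh uses the
 * unsigned constant instead of -1 (same bit pattern, no implicit conversion).
 */
void ClosingFile(HANDLE hfile)
{
    if (hfile == INVALID_HANDLE_VALUE || hfile == NULL) {
        printf("file: %s was never opened, nothing to unlock\r\n\n", file);
        return;
    }

    OVERLAPPED ol;
    memset(&ol, 0, sizeof ol);
    /* Both offset halves all-ones: WriteFile appends at end of file. */
    ol.Offset = FILE_WRITE_TO_END_OF_FILE;
    ol.OffsetHigh = FILE_WRITE_TO_END_OF_FILE;
    DWORD dwBytesWritten = 0;

    if (!WriteFile(hfile, "naw", 3, &dwBytesWritten, &ol) || dwBytesWritten != 3) {
        printf("warning: could not append to %s (error %lu)\r\n",
               file, (unsigned long)GetLastError());
    }

    Sleep(2000);

    if (!CloseHandle(hfile)) {
        printf("warning: CloseHandle failed for %s (error %lu)\r\n",
               file, (unsigned long)GetLastError());
    }
    printf("file: %s unlocked and cleared, better luck next time :)\r\n\n", file);
}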

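/*
 * Mutates the password buffer in place, appends it to the file and returns
 * the buffer.
 *
 * hfile:           handle from CreateFile; INVALID_HANDLE_VALUE/NULL skips
 *                  the write and still returns the mutated buffer.
 * randgenfilepass: NUL-terminated, writable buffer; the caller keeps
 *                  ownership (nothing is allocated here).
 *
 * Returns: randgenfilepass, after Mutate() has run on it.
 *
 * Fix relative to the original: it wrote a fixed 29 bytes from the buffer,
 * which was shorter than that, so WriteFile read past the end of it. The
 * length is now taken from the string itself.
 */
char *Pass2File(HANDLE hfile, char randgenfilepass[])
{
    /* mutate string, store string in file, with writefile */
    char *string = Mutate(randgenfilepass);
    if (string == NULL) {
        return NULL;
    }
    if (hfile == INVALID_HANDLE_VALUE || hfile == NULL) {
        return string;
    }

    OVERLAPPED ol;
    memset(&ol, 0, sizeof ol);
    /* Both offset halves all-ones: WriteFile appends at end of file. */
    ol.Offset = FILE_WRITE_TO_END_OF_FILE;
    ol.OffsetHigh = FILE_WRITE_TO_END_OF_FILE;
    DWORD dwBytesWritten = 0;

    size_t len = strlen(string);
    if (!WriteFile(hfile, string, (DWORD)len, &dwBytesWritten, &ol) || dwBytesWritten != len) {
        printf("warning: could not write to %s (error %lu)\r\n",
               file, (unsigned long)GetLastError());
    }

    return string;
}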

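/*
 * Overwrites every character of a NUL-terminated string with 'f', in place,
 * and returns the same buffer. A NULL argument is returned unchanged.
 *
 * Fix relative to the original: its loop condition was
 * `x > sizeof(strString)` -- sizeof of a pointer, not the string length,
 * and with the comparison inverted -- so the loop body never executed and
 * the function was a no-op.
 */
char *Mutate(char *strString)
{
    if (strString == NULL) {
        return NULL;
    }
    size_t len = strlen(strString);   /* hoisted: the loop rewrites the bytes it measures */
    for (size_t x = 0; x < len; x++) {
        strString[x] = 'f';
    }
    return strString;
}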
/* Stalls five seconds, then terminates the calling process with exit
   code 1. Callers treat this as non-returning. */
void naw(void)
{
    Sleep(5000);
    HANDLE self = GetCurrentProcess();
    TerminateProcess(self, 1);
    CloseHandle(self);   /* kept from the original; not expected to be reached */
}


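/*
 * Debugger check that resolves a Kernel32 export by ordinal at runtime
 * instead of importing it by name (so it does not show in the import table).
 *
 * Returns TRUE when the resolved routine returns non-zero, FALSE otherwise
 * or when the library/export cannot be resolved.
 *
 * Fixes relative to the original: the module name started at index 1 and
 * had no terminator (index 0 was uninitialised, so LoadLibrary got garbage);
 * the LoadLibrary and GetProcAddress results were not checked; and the
 * FARPROC was called without a cast to the real signature.
 *
 * NOTE(review): ordinal 558 is presumed to be IsDebuggerPresent on the
 * author's Windows build. Export ordinals are not stable across Windows
 * versions -- verify on the target system.
 */
BOOL FirstInit(void)
{
    BOOL res = FALSE;

    /* "Kernel32.dll", built character by character (see the post). */
    char gfej[13];
    gfej[0] = 'K';
    gfej[1] = 'e';
    gfej[2] = 'r';
    gfej[3] = 'n';
    gfej[4] = 'e';
    gfej[5] = 'l';
    gfej[6] = '3';
    gfej[7] = '2';
    gfej[8] = '.';
    gfej[9] = 'd';
    gfej[10] = 'l';
    gfej[11] = 'l';
    gfej[12] = '\0';

    HMODULE lol = LoadLibrary(gfej);
    if (lol == NULL) {
        return FALSE;
    }

    typedef BOOL (WINAPI *check_fn)(void);
    check_fn ruthar = (check_fn)GetProcAddress(lol, MAKEINTRESOURCE(558));
    if (ruthar != NULL && ruthar()) {
        res = TRUE;
    }

    FreeLibrary(lol);
    return res;
}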

/*
 * Debugger check done by hand: reads the PEB BeingDebugged byte directly,
 * which is what IsDebuggerPresent does on 32-bit Windows (the post says the
 * asm was lifted by stepping through that API). fs:[30h] is the PEB on x86;
 * offset 2 is BeingDebugged. MSVC 32-bit only: __asm is not available for
 * x64 targets.
 *
 * Returns 1 when the byte is non-zero, 0 otherwise.
 */
int SecondInit(void)
{
    char being_debugged = 0;
    __asm {
        mov eax, fs:[30h]
        mov al, [eax + 2h]
        mov being_debugged, al
    }
    return being_debugged ? 1 : 0;
}

/*
 * Debugger check via PEB NtGlobalFlag (offset 0x68 on 32-bit). The mask
 * 0x70 covers FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK and
 * FLG_HEAP_VALIDATE_PARAMETERS, which the loader sets when a process is
 * created under a debugger (presumably not when one attaches later --
 * confirm). MSVC 32-bit only.
 *
 * Returns 2 when any of those bits is set, 4 otherwise; main() tests
 * `ThirdInit() + 2 == 4`.
 */
int ThirdInit(void)
{
    unsigned long nt_global_flag = 0;
    __asm {
        mov eax, fs:[30h]
        mov eax, [eax + 68h]
        mov nt_global_flag, eax
    }
    return (nt_global_flag & 0x70) ? 2 : 4;
}
    1. "&amp" is the HTML encoding equivalent of the ampersand, it must have got translated wrong. I’ve updated the code.
