joonas905 Advanced Cheater Reputation: 0
Joined: 02 Jan 2008 Posts: 62
|
Posted: Wed Jan 30, 2008 5:35 am Post subject: Crackme (pack) |
|
|
Just serial fish all app in pack.
I can tell you that it's easy
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Wed Jan 30, 2008 9:26 am Post subject: |
|
|
Quote: | A-Squared: Found nothing
AntiVir: Found HEUR/Crypted
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Ikarus: Found Trojan-Downloader.Win32.Banload.F
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found MalwareScope.Trojan-Spy.BZub.2 |
The crackme imports wsock32 for whatever reason. Sorry but I don't trust these.
_________________
- Retired. |
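The static import check behind the reply above, as an added example that is not part of the original thread: it walks a PE32 import directory and reports DLLs on a network watch list without running the file. The watch list, the function names and the sample image are constructed for illustration.

```python
import struct

# DLLs that give a program network access; an assumed watch list for this example.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}

def imported_dlls(pe: bytes) -> list:
    """Return the DLL names listed in the import directory of a PE32 image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    import_rva, = struct.unpack_from("<I", pe, opt + 104)  # data directory entry 1
    sections = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def offset(rva):  # map a relative virtual address to a file offset
        for _, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError("RVA %#x is outside every section" % rva)

    names, pos = [], offset(import_rva) if import_rva else None
    while pos is not None:
        desc = struct.unpack_from("<5I", pe, pos)           # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                   # all-zero entry ends the table
            break
        start = offset(desc[3])                             # Name RVA
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii").lower())
        pos += 20
    return names

def network_imports(pe: bytes) -> list:
    """DLLs from the watch list that the image imports."""
    return sorted(set(imported_dlls(pe)) & NETWORK_DLLS)

def sample_pe(dlls):
    """Constructed test input: a minimal PE32 whose only section holds import data."""
    table, strings, descs = (len(dlls) + 1) * 20, b"", b""
    for dll in dlls:
        descs += struct.pack("<5I", 0, 0, 0, 0x1000 + table + len(strings), 0)
        strings += dll.encode() + b"\0"
    data = descs + bytes(20) + strings
    head = b"MZ" + bytes(58) + struct.pack("<I4sHHIIIHH", 64, b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H94xQII112x", 0x10B, 0, 0x1000, table)
    sect = struct.pack("<8sIIII16x", b".idata", len(data), 0x1000, len(data), 352)
    return head + opt + sect + data
```

A packed file shows only the imports of its unpacking stub, so repeat the check on the unpacked image before drawing conclusions from an empty result.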
samuri25404 Grandmaster Cheater Reputation: 7
Joined: 04 May 2007 Posts: 955 Location: Why do you care?
|
Posted: Wed Jan 30, 2008 6:47 pm Post subject: |
|
|
Especially coming from a user with 4 posts.
Usually, I'm not one to judge a person by their post count, but this is a little strange.
_________________
Buggy Advanced Cheater Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
|
Posted: Sat Feb 02, 2008 1:51 am Post subject: |
|
|
[quote="Wiccaan"] Quote: |
The crackme imports wsock32 for what ever reason. Sorry but I don't trust these. |
What should I do when I open this before?
_________________
iroo sooo hooooot |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
haha01haha01 Grandmaster Cheater Supreme Reputation: 0
Joined: 15 Jun 2007 Posts: 1233 Location: http://www.SaviourFagFails.com/
|
Posted: Sun Feb 03, 2008 6:40 am Post subject: |
|
|
lol, crackme invoking ws2?
LOL. from all the viruses i saw, this one is the cheapest.
Buggy Advanced Cheater Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
|
Posted: Sun Feb 03, 2008 9:27 am Post subject: |
|
|
well i tried to know where it connects but V3IS07 couldn't catch it ....
and i want to know what he protected with.
_________________
iroo sooo hooooot |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Sun Feb 03, 2008 12:05 pm Post subject: |
|
|
Based on some external signatures for PEiD, I came up with:
UPX v3.0 (EXE_LZMA) -> Markus Oberhumer & Laszlo Molnar & John Reiser * Sing.By.hot_UNP *
Although with some others it came up with 2.93 (EXE_LZMA) so I used an automatic unpacker (VMUnpacker ftw >.>)
Afterward:
Microsoft Visual C++ 6.0
And nice to see after being unpacked, the main exe for the crackme has a resource section named PHP, which is what I'd assume is being used for the winsock connections. Inside this section is:
- BAMBALAM_GETINI.PHP
- BAMBALAM_INIT.PHP
- CRACK-ME.php
- EXTENSIONS
- MAIN
- PHP_WINBINDER.DLL
- WB_GENERIC.INC.PHP
- WB_RESOURCE.INC.PHP
- WB_WINDOWS.INC.PHP
- WINBINDER.PHP
The PHP files are encrypted/encoded so posting them would be useless. They use mmcache_load or Turck MMCache for PHP. Attached the files below if you want to look at them.
Since after actually looking into the crack-me I would say it probably isn't doing anything other than extracting those resources somewhere and using winsock to load them. I still can't say for sure that it's safe cause I'm not opening it but yea, that's what I got from above.
The other files don't show up as anything in PEiD and VMUnpacker but they are very very easy to manually unpack (they are a modded version of UPX it looks like.) Anyway, at the start of loading one in Olly hit F8 once, and notice ESP changes, then you should know what to do for the rest. Dump the debugged proc when you get the OEP and check them again. They are written in Delphi.
Fishme1.exe is based on your computer's hardware ID.
For my computer the serial is:
45565554060584
When entered the text changes to: Yes. You have entered a correct serial!
And the button greys out and says "Registered!"
Anyway, I did a little digging into this one and figured out how the key is generated for what your serial is compared to, it's based on the user name of the system that's currently logged in. So I dug some more to see how it's computed and figured out you split each character of the string then add the current position to it, then reverse the string back and forth for each character.
I made a quick VB program to pull this and do the same thing:
Code: | Option Explicit

'##########################################################
'#
'# Get Environment Variable Function
'#
'# Obtains system environment variable value.
'#
'##########################################################
Private Declare Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" (ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As Long) As Long

Private Function GetEnvVar(sName As String) As String
    GetEnvVar = String(255, 0)
    GetEnvironmentVariable sName, GetEnvVar, Len(GetEnvVar)
    If InStr(1, GetEnvVar, Chr$(0)) > 0 Then GetEnvVar = Left$(GetEnvVar, InStr(1, GetEnvVar, Chr$(0)) - 1)
End Function
'##########################################################

'##########################################################
'#
'# Generate Key Code Function
'#
'# Generates the user key code based on their current
'# user name that is logged into the system.
'#
'##########################################################
Public Function GenerateKeyCode(strName As String) As String
    Dim strKey As String
    Dim x As Long
    For x = 0 To Len(strName) - 1
        strKey = StrReverse(strKey) & Asc(Mid(strName, x + 1, 1)) + (x + 1)
    Next x
    GenerateKeyCode = StrReverse(strKey)
End Function
'##########################################################

Private Sub Form_Load()
    '//
    '// Obtain Current Username
    '//
    Dim strUserName As String
    strUserName = GetEnvVar("USERNAME")
    Text1.Text = strUserName
    '//
    '// Get KeyCode To Compare Username To
    '//
    Dim strKeyCode As String
    strKeyCode = GenerateKeyCode(strUserName)
    Text2.Text = strKeyCode
End Sub |
Dug some more cause I was going to try to keygen it but yea.. I saw a ton of float instructions for the method of the actual serial generation from the key and just said fuck that >.>
_________________
- Retired. |
joonas905 Advanced Cheater Reputation: 0
Joined: 02 Jan 2008 Posts: 62
|
Posted: Thu Feb 14, 2008 1:17 pm Post subject: |
|
|
Yeah, all those Crack/Fish-mes were UPXed which makes some antivir progs suspicious, but I promise that there is no virus/trojan or nothing like that.
Oh, one crackme connects to internet just because that way you can directly receive its source code and the program is really written in PHP (PEiD thinks it's Visual C++ 6.0).
I understand if you don't trust me,
but that's OK, cause I'm still new in here
The Test How do I cheat? Reputation: 0
Joined: 01 Mar 2008 Posts: 3 Location: Australia
|
Posted: Sun Mar 02, 2008 12:53 am Post subject: |
|
|
So what exactly can I do with it?