[CrackME] The hardest ever

01/21/2013 20:57 csirkepap#1
My other topic got deleted, probably because of the virtualized executable, which caused many false positives. This one has some too, I've got no idea why.

Here are the starting details for you:
- It's an AutoIT script
- I used a different compiler than the default one
- It's very heavily obfuscated
- The script uses many unique algorithms for detecting debuggers, sandboxes and self-modification.

The target:
If you enter the right password you will get a messagebox containing some text like this: activated code: 1234567890

Usable methods:
You can use anything:
- Ollydbg
- Decompilers
- Deobfuscators
- Self-made tools
- everything else I haven't mentioned...
The only goal is to get the password or bypass the password requirement by decompiling & recompiling.

Scans:

a) Virustotal:

b) Anubis Analysis:
This scan will prove that the script isn't doing any malicious thing.


Note:
If the code you find looks really strange, that means the code IS NOT VALID!
01/23/2013 02:03 Crack-wtf#2
After reading the footnote of your thread I'm already getting sick.
Surely you put in thousands of lines of junk code, fake functions and more.
Which is more "Deobfuscateme" than "Crackme".
01/23/2013 19:33 csirkepap#3
Well, basically there are NO FAKE functions or other crappy things (except if you count includes as such). Well, okay, I have to be honest, I didn't even protect the executable. But CrackMEs consist of everything such as analyzing, decompiling, deobfuscating (if needed) and finally the modification which will provide the success.
________________________________________________
Decompiling AutoIT is quite easy. I could try to use some protectors, but I'm sure it would take about 2 mins to bypass them :)
________________________________________________
It's obfuscated with a VERY slightly modified JOS's obfuscator (2-3 lines are changed). I'm sure it will be the hardest part.
Once you've finished the deobfuscation you can step on and start analyzing the source.
Another easy step: just find the "entry point" (where the script starts) and follow the funcs. You should trace it until the last and final msgbox, which will provide you the right answer. If you simply replace the original starting func with the final message, then you've cracked it.
If you can even find the right password which activates the original software, then that's a plus point, you are a god :D
________________________________________________
Good luck. It would be great to hear some response about the difficulty and about the progress if somebody tries it.
________________________________________________
I will answer any questions, except if you ask me the solution :D
________________________________________________
If you want I can make a DecompileME which won't include any obfuscation or special functions. Do you want one? :)
01/23/2013 20:27 Jeoni#4
As far as I have looked into it, it's quite easy. Decompiling is working perfectly, and the deobfuscation is just a question of time rather than skill. If you had obfuscated it with ShadowsObfuscater I would have done it in a minute, but I'll write a deobfuscator for JOS's obfuscator as soon as I have the time (this time in a clearer coding style ;) ).
Best regards
Jeoni
01/23/2013 20:37 csirkepap#5
Do you have the correctly working obfuscated au3? Hmm, that seems interesting :) I'm sure you can't run the au3 you've got because it'll contain a bunch of errors. Am I right?

_____

I started working on a DecompileME :) It's quite hard because AutoIT is weak :S
01/23/2013 22:17 Jeoni#6
Yes, because the packed files (ok, it's just 1 file and some fail-files) aren't there, which isn't a big problem as it's easy to catch these files while the original exe is running (watching @TempDir --> easy to catch the files with the .NET FileSystemWatcher control afaik). A good trick, but easy to bypass (I will give it a try as soon as I'm home), if I'm right.
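The approach Jeoni describes, as an added example that is not part of the thread: a polling watcher written in Python (standing in for the .NET FileSystemWatcher control) that baselines a directory before the sample runs, copies out anything that appears or changes, and records a SHA-256 so the extracted script survives even if the sample cleans up on exit. All function names and the dropped-file scenario are this example's own constructions.

```python
import hashlib
import os
import shutil
import tempfile

def snapshot(directory):
    """Map each file under `directory` (relative path) to (size, mtime)."""
    state = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished between listing and stat
            state[os.path.relpath(path, directory)] = (st.st_size, st.st_mtime)
    return state

def new_or_changed(before, after):
    """Relative paths that appeared or were modified between two snapshots."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)

def capture(watch_dir, dest_dir, before):
    """Copy every file new or changed since `before` into dest_dir and return
    {relative_path: sha256}; the copy keeps the payload if the sample deletes it."""
    captured = {}
    for rel in new_or_changed(before, snapshot(watch_dir)):
        src = os.path.join(watch_dir, rel)
        dst = os.path.join(dest_dir, rel.replace(os.sep, "_"))
        try:
            shutil.copy2(src, dst)
        except OSError:
            continue  # sample removed it before we could copy it out
        with open(dst, "rb") as f:
            captured[rel] = hashlib.sha256(f.read()).hexdigest()
    return captured

def demo():
    """Constructed scenario (no real sample): a file is written into the
    watched directory after the baseline snapshot, then captured."""
    with tempfile.TemporaryDirectory() as watch_dir, \
         tempfile.TemporaryDirectory() as dest_dir:
        before = snapshot(watch_dir)
        payload = b"constructed stand-in for an extracted .au3 script"
        with open(os.path.join(watch_dir, "dropped.au3"), "wb") as f:
            f.write(payload)
        return capture(watch_dir, dest_dir, before), hashlib.sha256(payload).hexdigest()
```

In real use, take the baseline snapshot of the temp directory immediately before launching the sample in an isolated analysis VM and call `capture` repeatedly while it runs.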
01/23/2013 22:45 csirkepap#7
Let's see if it works :)
01/24/2013 16:26 Crack-wtf#8
ProcessMonitor ftw.
01/24/2013 22:52 csirkepap#9
?

I started to make a DecompileME too :) That one won't have any code-related protection, only exe-side :D Probably gonna upload tomorrow.
01/27/2013 23:23 YatoDev#10
Anyone got it right yet? :D
06/30/2013 02:30 VADika13#11
My name is Cruelhungary (from Skype/Hungary). (Write me when you have time.)
So... this is the right message?
Because it's meaningless...
The password/serial code is "uncenzured".
Have a nice day!
EDIT: I'm sorry. I'm very tired. I've just read it carefully. I'll try it again. :D