[CrackME] The hardest ever

Discussion on [CrackME] The hardest ever within the AutoIt forum part of the Coders Den category.

#1, csirkepap

My other topic got deleted, probably because of the virtualized executable, which caused many false positives. This one has some too, got no idea why.

Here are the starting details for you:
- It's an AutoIT script
- I used a different compiler than the default one
- It's very heavily obfuscated
- The script uses many unique algorithms for detecting debuggers, sandboxes, self-modifications.

The target:
If you enter the right password you will get a messagebox containing some text like this: activated code: 1234567890

Usable methods:
You can use anything:
- Ollydbg
- Decompilers
- Deobfuscators
- Self-made tools
- everything else I haven't mentioned...
The only goal is to get the password or bypass the password requirement by decompiling & recompiling

Scans:

a) Virustotal:


b) Anubis Analysis:
This scan will prove that the script isn't doing any malicious thing.



Note:
If you find the code you get really strange, that means the code IS NOT VALID!
Attached Files
File Type: rar CrackME.rar (411.4 KB, 64 views)
csirkepap is offline  
#2, Crack-wtf, 01/23/2013, 02:03
After reading the Footnote of your thread I'm already getting sick.
Surely you put in thousands of junkcode, fake functions and more.
Which is more "Deobfuscateme" than "Crackme".
Crack-wtf is offline  
#3, csirkepap, 01/23/2013, 19:33

Well, basically there are NO FAKE functions and other crappy things (except if you count includes as it). Well, okay, I have to be true, I didn't even protect the executable. But CrackMEs consist of everything such as analyzing, decompiling, deobfuscating (if needed) and finally the modification which will provide the success.
________________________________________________
Decompiling of AutoIT is quite easy, I could try to use some protectors, but I'm sure it could take near 2 mins to bypass it
________________________________________________
It's obfuscated with a VERY slightly modified JOS's obfuscator (2-3 lines are changed). I'm sure it will be the hardest part.
If you finished obfuscation you can step on and start analyzing the source.
Another easy step, just find the "entry point" (where the script starts) and follow the funcs. You should trace it until the last and final msgbox which will provide you the right answer. If you just simply replace the original starting func with the final message then you cracked it.
If you can even find the right password which activates the original software then that's a plus point, you are a ***
________________________________________________
Good Luck. It would be great to hear some response about the difficulty and about the progress if somebody tries it.
________________________________________________
I will answer any questions, except if you ask me the solution
________________________________________________
If you want I can make a DecompileME which won't include any obfuscation and special functions. Do you want?
csirkepap is offline  
#4, Jeoni, 01/23/2013, 20:27
As far as I have looked into it, it's quite easy. Decompiling is working perfectly, and the deobfuscation is just a question of time rather than skill. If you had obfuscated it with ShadowsObfuscater I would have made it in a minute, but I'll write a deobfuscator for JOS's obfuscator as soon as I have the time (this time in a clearer coding style).
Best regards
Jeoni
Jeoni is offline  
#5, csirkepap, 01/23/2013, 20:37
Do you have the right-working obfuscated au3? Hmm, that seems interesting. I'm sure you can't start the au3 you've got because it'll contain a bunch of errors. Am I right?

_____

I started working on a DecompileME. It's quite hard because AutoIT is weak :S
csirkepap is offline  
#6, Jeoni, 01/23/2013, 22:17
Yes, because the packed files (ok, it's just 1 file and some fail-files) aren't there, which isn't a big problem as it's easy to catch these files while the original exe is working (watching @TempDir --> easy to catch the files with the .net FileSystemWatcher-control afaik). A good trick, but easy to bypass (I will give it a try as soon as I'm home), if I'm right.
Jeoni is offline  
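
Added example (not part of the thread, and not any poster's code): the temp-directory capture described in post #6 is the same dropped-file collection step used in sandbox analysis of an unknown binary. This sketch polls a directory and keeps a hashed copy of every file version that appears, so the copies survive when the program deletes its temporary files; the function names, paths and polling interval are assumptions.

```python
import hashlib
import shutil
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drops do not load into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_new_files(watch_dir: Path, out_dir: Path, seen: set) -> list:
    """Copy each file version not captured yet; return the new copies.

    out_dir must live outside watch_dir, otherwise the copies are re-scanned.
    """
    out_dir.mkdir(parents=True, exist_ok=True)
    captured = []
    for path in sorted(watch_dir.rglob("*")):
        try:
            if not path.is_file():
                continue
            digest = sha256_of(path)
            if digest in seen:
                continue
            # Prefix with the hash so rewritten files keep every version.
            dest = out_dir / f"{digest[:16]}_{path.name}"
            shutil.copy2(path, dest)
        except OSError:
            # File vanished or is still locked by its writer; retry next pass.
            continue
        seen.add(digest)
        captured.append(dest)
    return captured


def watch(watch_dir: Path, out_dir: Path, seconds: float, interval: float = 0.05) -> list:
    """Poll watch_dir for `seconds`, keeping a copy of each file that appears."""
    seen, captured = set(), []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        captured += capture_new_files(watch_dir, out_dir, seen)
        time.sleep(interval)
    return captured
```

Polling misses a file that is created and deleted within one interval; the event-driven tools named in the thread (FileSystemWatcher, Process Monitor) do not have that gap.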
#7, csirkepap, 01/23/2013, 22:45
Let's see if it works
csirkepap is offline  
#8, Crack-wtf, 01/24/2013, 16:26
ProcessMonitor ftw.
Crack-wtf is offline  
#9, csirkepap, 01/24/2013, 22:52
?

I started to make a DecompileME too. That one won't have any code-related protection, only exe-sided. Probably gonna upload tomorrow.
csirkepap is offline  
#10, YatoDev, 01/27/2013, 23:23
Anyone get it right now?
YatoDev is offline  
#11, VADika13, 06/30/2013, 02:30
My Name Is Cruelhungary (From Skype/Hungary .. (Write if you have time)

So.. This is the right message?
Because It's meaningless ..
The password/Serial code is "uncenzured".
Have a nice day!
EDIT: I'm sorry. I'm very tired. I've just read it carefully. I'll try it again.
VADika13 is offline  