Hello Mister Shadow992,
Nice work with the crackme, I like the way your packer works :)
I'll post here the analysis of your packer but not the solution to your crackme, since it is pointless to patch it when you can decompile it totally. However, I can make a patched solution and send it to you in private.
From my point of view it has been nice to reverse your crackme, and again, good job mate!
List of Anti-Debugging tricks used:

- FindWindow function

- IsDebuggerPresent function

- OutputDebugString function

- ZwQuerySystemInformation function

- ContextFlags

Read and write at runtime:

- ReadProcessMemory function

- WriteProcessMemory function
In addition to this, it will use self-modifying code; the description is below:
About the AU3 script - compressed, it means (interpreter + plain AU3 script encrypted):
The executable will be handled and rewritten using 4 "C" functions:
// c functions
int fseek(FILE *stream, long offset, int whence);
size_t fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
long ftell(FILE *stream);
void rewind(FILE *stream);
// end c functions
After that the packer will check if it is a DOS MZ format, checking if it has the magic number MZ, and after that it checks if it's a portable executable using a cmp with the hexadecimal representation of "EP".
At the end it will create the process using the Windows API CreateProcess.
Now it will pause the thread and prepare us for a nice surprise:
it will play the last trick on us to check if a debugger is present, using "ContextFlags"....
and after that it will resume the thread and run the program normally.
So if you want to use OllyDbg you need this plugin: MagicHideOllyDbg
and you need to turn on these options:
Auto Run HideOD
HideNTDebugBit
OutDebugStringA
ZwSetInformationThread
ZwQuerySysteminformation
ZwSetInformationProcess
I was forgetting that you need to hide even the window title of OllyDbg, since Shadow's packer is checking for it,
so I posted a little piece of asm to change the title of "Ollydbg" to "AxelMtE" so it won't be detected; however, you can use any OllyDbg plugin to do this.
The code has been written using masm32, so you need masm32 to compile this little piece of code.
Code:
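.486
.model flat, stdcall
option casemap :none

include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
Error   db "Error",0
ODBG    db "OLLYDBG",0                  ; window class name passed to FindWindow
NFodbg  db "OllyDbg not found.",0
Success db "Successfully Changed!",0
hWndW   dd 0                            ; unused
NewT    db "AxelMtE",0                  ; replacement window title

.code
start:
    ; eax = FindWindow("OLLYDBG", NULL)  (stdcall: arguments pushed right to left)
    mov edx,offset ODBG
    push 0
    push edx
    call FindWindow
    cmp eax,0
    jz noDBG                            ; no such window: "OllyDbg not found."

    ; SetWindowText(hWnd, "AxelMtE")
    mov edx,offset NewT
    push edx
    push eax
    call SetWindowText
    cmp eax,0                           ; test the return value, not stale flags
    je err                              ; 0 means the call failed

    ; MessageBox(NULL, Success, NULL, MB_ICONINFORMATION)
    mov edx,offset Success
    push 40h
    push 0
    push edx
    push 0
    call MessageBox
    push 0
    call ExitProcess

err:
    ; MessageBox(NULL, Error, NULL, MB_ICONERROR)
    mov edx,offset Error
    push 10h
    push 0
    push edx
    push 0
    call MessageBox
    jmp exit

noDBG:
    ; MessageBox(NULL, NFodbg, NULL, MB_ICONERROR)
    mov edx,offset NFodbg
    push 10h
    push 0
    push edx
    push 0
    call MessageBox

exit:
    push 1
    call ExitProcess
end start
; end of code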
have fun
Best regards
AxelMtE
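
The MZ / PE signature check described in the post, written out in C as an added example (it is not code from the packer or from the post). The function names, return codes and sample buffer are constructed for illustration, and the bounds check on e_lfanew is this example's own addition; the post does not say whether the packer performs one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes are this example's own, not the packer's. */
enum pe_check { PE_OK, PE_TRUNCATED, PE_NO_MZ, PE_BAD_LFANEW, PE_NO_SIG };

/* Little-endian reads that do not depend on host alignment or byte order. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)rd16(p) | (uint32_t)rd16(p + 2) << 16;
}

enum pe_check check_pe(const unsigned char *buf, size_t len) {
    if (len < 0x40)                        /* IMAGE_DOS_HEADER is 0x40 bytes */
        return PE_TRUNCATED;
    if (rd16(buf) != 0x5A4D)               /* bytes 4D 5A = "MZ" */
        return PE_NO_MZ;
    uint32_t e_lfanew = rd32(buf + 0x3C);  /* file offset of the PE header */
    /* The offset comes from the file: validate it without integer overflow. */
    if (e_lfanew > len || len - e_lfanew < 4)
        return PE_BAD_LFANEW;
    /* Bytes 50 45 00 00 = "PE\0\0". Read as a dword this is 0x00004550,
       so the constant in a disassembled cmp shows 45 50, i.e. "EP". */
    if (rd32(buf + e_lfanew) != 0x00004550)
        return PE_NO_SIG;
    return PE_OK;
}

/* Constructed 0x100-byte sample: zeroed DOS header, PE signature at 0x80. */
void make_sample(unsigned char buf[0x100]) {
    memset(buf, 0, 0x100);
    buf[0] = 'M';
    buf[1] = 'Z';
    buf[0x3C] = 0x80;                      /* e_lfanew = 0x00000080 */
    memcpy(buf + 0x80, "PE\0\0", 4);
}

int main(void) {
    unsigned char img[0x100];
    make_sample(img);
    printf("valid sample        -> %d\n", check_pe(img, sizeof img));
    img[0x3F] = 0xFF;                      /* e_lfanew = 0xFF000080 */
    printf("out-of-range offset -> %d\n", check_pe(img, sizeof img));
    return 0;
}
```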