
Brian Stadnicki's reverse engineering & malware analysis blog

Cracking rendariaka's packedcrackmev1.0

This crackme is packed, unlike the previous ones. We'll be unpacking it manually as an exercise. The crackme is rendariaka's packedcrackmev1.0.

Language: C/C++
Platform: Windows
Difficulty: 2.0
Quality: 4.0
Arch: x86

First run

Enter serial number:

Entering the incorrect serial causes it to exit.

Initial static analysis

As the name suggests, this crackme is packed.

[Figure: section layout of the binary, almost entirely a "Data" region with only a tiny bit of code.]

This is confirmed again by IDA Pro.

Analysis of vzlom_vk (Failed)

Malware obtained from any.run. It's an unknown executable which unpacks itself, fails to run update.exe and prints out some Russian.

MD5: 18b065e37c55a00d7a023f5cef02bde4
SHA1: fb6e6596c617f932cd9c7740b29ed6f5dda8a88c
SHA256: bc4896abbf0726df8b9ef9134d584bbe1b649f59e453bbc327f8cd5b5b5a0651
File Type: Portable Executable 32
File Info: Microsoft Visual C++ 8

First run

When run, it prints out the following text:

The system cannot find the file update.exe
Вас приветствует программа взлома ВК аккаунтов!
Благодарим за приобретение лицензии нашей программы!
Вы уверенны, что хотите начать?

Cracking Marquire's CrackMe_V4_Marquire

This crackme will be a bit more difficult than the last one: Marquire's CrackMe_V4_Marquire.

Language: C/C++
Platform: Windows
Difficulty: 2.7
Quality: 4.0
Arch: x86

Initial run

### The goal of this crackme is to find the key! ## Enter the key :

It asks for a key, exits if it's wrong, and gives a message if it's correct.

Initial analysis

[Flowchart: Print prompt; loop reading a char and checking for enter (a dead-code branch on one side); for each char: encrypt char, store char; then generate the correct hash, hash the input key, and compare input hash == correct hash, branching to Success or Failure.]

This is a very high-level overview of what this program does; it's simple enough to see all the logic in the main function.

Analysis of Skylanders Giants PC game

When I was a kid, I played Skylanders: Giants; it was probably my favourite game growing up. It was released for the following platforms:

Nintendo 3DS
PlayStation 3
Wii
Wii U
Xbox 360

As much as I'd like to believe that the game was ported to PC, it's way more likely that this is malware, especially given how SEO-optimized it is and the list in the blog archive.

Source: Shady games site

Analysis of FreeBitco.in Next Roll Prediction

Malware obtained from any.run. It's a bitcoin scam executable.

MD5: afb30fed336e9b1e5e8ea5d941691b2a
SHA1: afeb330ea75da11608bc4f32d3490ed38cfd4c11
SHA256: 16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1

2 EXEs dropped

Running procmon while running the malware shows that 2 possibly interesting executables are created: C:\Users\IEUser\AppData\Roaming\Microsoft\gons.exe and C:\Users\IEUser\AppData\Roaming\Microsoft\temp5789e.exe. Both of these dropped executables are .NET assemblies, so they should be trivial to reverse.

gons.exe

Opening gons in dnSpy shows that this executable is responsible for the GUI, and I didn't notice any malicious behaviour initially.

Cracking Marquire's CrackMe_V3_Marquire

Let's start off the crackmes series with a basic one: Marquire's CrackMe_V3_Marquire.

Language: C/C++
Platform: Windows
Difficulty: 1.3
Quality: 4.3
Arch: x86

Initial run

It's very standard: it just asks for the key and tells us if it's right or wrong.

Initial analysis

It's quite clear what's going on. Ask for the input, do some simple logic, say if right or wrong, and exit. The validation logic just compares each letter of our input ([esp+113h], [esp+114h] ...) against bytes at randomly placed stack offsets ([esp+39h], [esp+2Ch] ...), checking whether they're equal.