Introduction
This is my solution for the JoinESET Crackme 2015. It sat on my disk for more than a year and I'm sharing it in case someone is interested in how to solve this challenge.
Working files can be downloaded from here.
Stage One
The crackme has two files, EsetCrackme2015.exe and EsetCrackme2015.dll. Neither seems to be packed. The crackme asks for three passwords; let's hunt for the first one.
The executable loads the DLL, which has multiple files appended to it. To enumerate them, walk the records in order: each starts with a two-byte file ID, then four bytes representing the file size, followed by the file contents.
I coded a small tool to dump all the files; here is the ID list: 0x1, 0x2, 0x3, 0x4, 0x101, 0x102, 0x103, 0x104, 0x151, 0x152, 0x153, 0x154, 0x155, 0xAA02, 0xAA06, 0xBB01, 0xBB02, 0xFF00, 0xFF02, 0xFF04 and 0xFF05.
File 0x2 is the name of the pipe, "\\.\pipe\EsetCrackmePipe", which will be created and used to communicate with the crackme's different processes.
File 0x3 contains "SXJyZW4lMjBpc3QlMjBtZW5zY2hsaWNo", which base64-decodes to "Irren%20ist%20menschlich"; that string will be used to decrypt later files.
File 0x151 is an executable that gets injected into svchost.exe through a virtual machine whose engine resides in file 0x102 and whose opcodes are in file 0x103. I will explain the virtual machine later, in stage two.
The pipe works as follows: the main module waits for either a file request (0x1) or STATUS_COMPLETE (0x2), each followed by a file ID, and responds with the requested file, or with an OK message in the case of STATUS_COMPLETE.
The injected code in svchost.exe starts by retrieving the handle to a window whose class name is EDIT, then uses SetWindowLong to change the address of the window procedure to 0x00AD2360.
Files 0xBB01 and 0xBB02 are both decrypted by XORing with "PIPE". File 0xBB01 contains the hashes of the three passwords, respectively, as follows:
869B39E9F2DB16F2A771A3A38FF656E050BB1882
0F30181CF3A9857360A313DB95D5A169BED7CC37
0B6A1C6651D1EB5BD21DF5921261697AA1593B7E
The crackme hashes every entered password using a hash algorithm similar to SHA-1 and compares the result with the hashes above.
When the first password is entered, the window procedure at 0x00AD2360 is triggered. It base64-encodes the password, then decrements each odd-indexed character, and finally compares the result with RFV1aV4fQ1FydFxk, which it got from file 0xBB02.
By reversing this operation we get our first password: "Devin Castle".
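As an added worked example (my code, not the crackme's or the original write-up's), the following Python walks a constructed container in the two-byte ID / four-byte size / data layout described above, decrypts a sample 0xBB02 record with "PIPE", and inverts the window-procedure transform to recover the password. It assumes little-endian fields, a cyclically repeated XOR key, and that the decrypted 0xBB02 content is exactly the stored string; the container bytes are constructed, not taken from the real DLL.

```python
import base64
import struct

# The stored comparison value the write-up reports recovering from file 0xBB02.
STORED = "RFV1aV4fQ1FydFxk"

def forward(password: str) -> str:
    """The check as described: base64-encode, then decrement every odd-indexed char."""
    enc = base64.b64encode(password.encode()).decode()
    return "".join(chr(ord(c) - 1) if i % 2 else c for i, c in enumerate(enc))

def recover(stored: str) -> str:
    """Invert the check: increment the odd-indexed chars, then base64-decode."""
    enc = "".join(chr(ord(c) + 1) if i % 2 else c for i, c in enumerate(stored))
    return base64.b64decode(enc).decode()

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; that the 4-byte key "PIPE" cycles over the data is an assumption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_appended_files(blob: bytes) -> dict:
    """Walk the records appended to the DLL: 2-byte file ID, 4-byte size, then the data.
    Little-endian field order is an assumption (the write-up does not state it)."""
    files, off = {}, 0
    while off + 6 <= len(blob):
        fid, size = struct.unpack_from("<HI", blob, off)
        off += 6
        files[fid] = blob[off:off + size]
        off += size
    return files

# Constructed sample container with three of the IDs from the list above; not the real DLL.
SAMPLE = b"".join(
    struct.pack("<HI", fid, len(data)) + data
    for fid, data in [
        (0x2, b"\\\\.\\pipe\\EsetCrackmePipe"),
        (0x3, b"SXJyZW4lMjBpc3QlMjBtZW5zY2hsaWNo"),
        (0xBB02, xor_with_key(STORED.encode(), b"PIPE")),
    ]
)

def solve_stage_one(blob: bytes = SAMPLE) -> str:
    """Dump the files, decrypt 0xBB02 with "PIPE", and invert the transform."""
    files = parse_appended_files(blob)
    stored = xor_with_key(files[0xBB02], b"PIPE").decode()
    return recover(stored)

if __name__ == "__main__":
    print(solve_stage_one())  # Devin Castle
```

Running forward() on the recovered password reproduces the stored string exactly, which is the check you want before trusting a reversed transform.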
Upon entering the right password, a STATUS_COMPLETE with ID 0xBB01 is sent through the pipe, declaring that we have completed stage one, and a drv.zip is written to disk.
The procedure that handles the progress of the crackme is loaded from file 0x101.