
CodeEngn Basic RCE L01~L20

- of Syn3ck Team

# Basic RCE L01


msdn.

# Basic RCE L02


.
strings L02.exe.

# Basic RCE L03


1.
2..

# Basic RCE L04


or

# Basic RCE L05

upx.
.

.
.


call
,.
Registered User, GFX754IER954
.

# Basic RCE L06

upx.upx.
.


OEP! (Original Entry Point =.
.)
.()

..

# Basic RCE L07

chapter1..

chapter2..

chapter3..

# Basic RCE L08


.

# Basic RCE L09


UPX.
upx.

..??

().

upx jmp OEP.
POPAD..
jmp.


?? MessageBoxA push. OEP 0040100C
.
,

3.

upx.

L09upx.

upx.

.L09.exe.
dump debugged process.


(Rebuildloadpe.)

# Basic RCE L10

ASPack..

RaiseException.
f8
.


bp call.
.

jnz.
exception.nopfile
..

OK..

Registered, Well done!


exception

# Basic RCE L11


== Basic RCE L09

# Basic RCE L12

!!!
ASCII~~~??
.
.
.
.call..


..
1~x+1=x(?)2
.(2.)
2~x+1=x~x=x1
3.
3eax0
ebx1eax1ebx0
..
xor?
4eax=eax^ebx.
, A xor B = C → A = B xor C. GetDlgItemInt
keyxor
key.
4.
key.

@@@@@@@ CMP EAX, 7A2896BF !!!!!
7A2896BFkey.10~!

hexeditor
.

~~

# Basic RCE L13

C#?!C#.
Reflector!!

~.password
!!

Igotdab~

# Basic RCE L14

UPX.or.

MessageBoxA.
bp.


.Name
.
callSerial
.
NameSerial.
(nameserial.)
serial.

serial.


NameSerialc.

5.
.
(1
.)

GoodGood~(?)

# Basic RCE L15

textstrings.

!
cmpserialserial.
serial 45B844.
serial 45B844 bp.


bp.
.

!!

C.

.
!!

!!!!!!!

~!!

# Basic RCE L16

*1. referenced string.

*2..

*3..

*4.

# Basic RCE L17

referenced text strings!


00404C3C
.

.
.
.

1,2,3,4,5
.
1,2,4,5.
3.
.

call.


call

ebx eax eax [ebp-6C].
load.

.0045ACEC.


64

MD5.
MD5 state variable.

3.
(.)
(PEiD KryptoANALyzer plugin
......)

Name > Serial, Serial > Name
.

Python 2.7.
[+]
https://docs.google.com/file/d/0B_BlLbVn2PJQkdGd1ZYT2M2a2s
!

L17.
.Nameor

# Basic RCE L18

!!!~!!!!

# Basic RCE L19

^^

.
back to the user mode
.
alt+f9.

?
WaitForSingleObject
.
.

CreateThread bp.


!!!
CreateThread..

eax0x138..
retn.

??.WaitForSingleObject
.

..
?

start_time sleep
start_time 0x2B70.
0x2B70.dec~

# Basic RCE L20

0x12 CRACKME3.KEY.

buffer.

~~


xor file content
.

!!

~~

CodeEngn Basic RCE L01~L20 .

Syn3ck Tistory: http://syn3ck.tistory.com/
Email:xornrbboy@naver.com

*!

# (L17 Python source code)

# Code by majorPE
import time
from ctypes import c_uint
from math import fabs, floor, sin

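def Encrypt1stPart(Name):
    """Compute the first serial segment of the L17 keygen for *Name*.

    Every character is folded into a 32-bit unsigned accumulator (all
    arithmetic wraps modulo 2**32, emulating the register the binary
    uses) and the leading hex digits of the final value are returned.

    Args:
        Name: the user name (str); each character contributes ord(ch).
    Returns:
        hex(res)[2:6] -- the first (up to) 4 lowercase hex digits of the
        32-bit result; "0" for an empty name.
        NOTE(review): hex() is not zero-padded, so a final value below
        0x10000000 yields fewer than 4 digits. Confirm against the binary
        whether it formats with a fixed width ("%08X") before slicing.
    """
    mask = 0xFFFFFFFF  # 32-bit wraparound, as the c_uint in the original
    res = 0
    for ch in Name:
        res = (res + ord(ch)) & mask
        res = (res * 0x772) & mask
        res = (res * res + res) & mask
        res = (res * 0x8E8) & mask
    return hex(res)[2:6]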

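def Encrypt2stPart(Name):
    """Compute the second serial segment of the L17 keygen for *Name*.

    Each character is transformed independently and the results are
    summed into a 32-bit accumulator, so the iteration order does not
    affect the result. (The listing iterates ``Name[::1]``; every "-" was
    stripped from this listing, so it was presumably ``Name[::-1]`` --
    harmless here because addition commutes.)

    Args:
        Name: the user name (str).
    Returns:
        hex(res)[2:6] -- up to 4 lowercase hex digits; "0" for "".
        NOTE(review): not zero-padded; see Encrypt1stPart.
    """
    mask = 0xFFFFFFFF  # 32-bit wraparound, as the c_uint in the original
    res = 0
    for ch in reversed(Name):
        # NOTE(review): the listing reads "ord(ch)+0x110x5"; the lost
        # operator is taken to be "-" (stripped throughout this listing).
        # Confirm the constant (0x11 - 0x5 == 0xC) against the binary.
        n = (ord(ch) + 0x11 - 0x5) & mask
        n = (n * 0x92) & mask
        n = (n * 2) & mask
        n = (n * 0x819) & mask
        res = (res + n) & mask
    return hex(res)[2:6]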

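def Encrypt4stPart(Name):
    """Compute the fourth serial segment of the L17 keygen for *Name*.

    An order-dependent fold: a second 32-bit register ``k`` carries state
    from one character into the next, so unlike Encrypt2stPart the
    direction of iteration matters.

    NOTE(review): the listing iterates ``Name[::1]`` and reads
    ``k.value=0x33`` right after ``k.value=res.value``. Every "-" was
    stripped from this listing (cf. "32r[j]", "t_len1"), so these are
    read as ``Name[::-1]`` and ``k.value -= 0x33``; confirm both against
    the binary.

    Args:
        Name: the user name (str).
    Returns:
        hex(res)[2:6] -- up to 4 lowercase hex digits; "0" for "".
        Not zero-padded; see Encrypt1stPart.
    """
    mask = 0xFFFFFFFF  # 32-bit wraparound, as the c_uint in the original
    res = 0
    k = 0
    for ch in reversed(Name):
        res = (res + ord(ch) + 0x929 + 0x767 + k) & mask
        res = (res * 0x8392) & mask
        k = (res - 0x33) & mask
        k = (k * res) & mask
        k = (k + res) & mask
    return hex(res)[2:6]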

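def Encrypt5stPart(Name):
    """Compute the fifth serial segment of the L17 keygen for *Name*.

    Folds every character into a 32-bit accumulator through a chain of
    multiply / cube / xor-or / square steps; each step wraps modulo 2**32
    (the original used a ctypes c_uint for this). The unused ``k``
    register of the original listing is dropped.

    Args:
        Name: the user name (str).
    Returns:
        hex(res)[2:6] -- up to 4 lowercase hex digits; "0" for "".
        Not zero-padded; see Encrypt1stPart.
    """
    mask = 0xFFFFFFFF
    res = 0
    for ch in Name:
        code = ord(ch)
        res = (res + code) & mask
        res = (res * 2) & mask
        res = (res ** 3) & mask
        res = ((res ^ 0x10) | 0x44) & mask
        res = (res * 0x373 + 0x443) & mask
        res = (res + code) & mask
        res = (res * res) & mask
    return hex(res)[2:6]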

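def Encrypt3stPart(Name):
    """Compute the third (hash-based) serial segment for *Name*.

    The name is suffixed with a fixed 26-byte salt (presumably lifted from
    the binary) and run through MD5_for_L17 -- standard MD5 rounds with
    the crackme's own initial state. The first 4 digest bytes, rendered as
    8 hex digits, form the segment.

    Args:
        Name: the user name (str).
    Returns:
        The first 8 lowercase hex digits of the modified-MD5 digest.
    """
    salt = [0x77, 0x30, 0x39, 0x2F, 0x26, 0x37, 0x32, 0x30, 0x28, 0x22,
            0x3D, 0x29, 0x3D, 0x21, 0x29, 0x26, 0x22, 0x29, 0x3F, 0x60,
            0x22, 0x28, 0x3D, 0x28, 0xA7, 0x29]
    msg = Name + "".join(chr(h) for h in salt)
    return MD5_for_L17(msg)[0:8]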

# This MD5 uses a different state variable (initial value) than standard MD5.
# msg is a string.
# This function needs ctypes (c_uint) for 32-bit wraparound.
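def MD5_for_L17(msg, iv=(0xA3557D07, 0x62FB12D3, 0xEFD945F6, 0xE57AE29E)):
    """MD5 digest of *msg* computed from a custom initial state.

    The L17 crackme runs a standard MD5 (RFC 1321: same padding, same
    per-round functions, rotations and sine constants) but seeds the four
    state words A, B, C, D with its own values. ``iv`` defaults to those
    values; passing the standard words ``(0x67452301, 0xEFCDAB89,
    0x98BADCFE, 0x10325476)`` (RFC 1321 writes them byte-wise as
    01 23 45 67 ...) reproduces ``hashlib.md5``.

    Args:
        msg: the message as a str. Each character must be a code point
             below 256 -- it is taken as one input byte via ord().
        iv: the four 32-bit initial state words (A, B, C, D).
    Returns:
        The 32-character lowercase hex digest, two digits per byte, bytes
        in the little-endian order RFC 1321 specifies. (The original
        listing formatted each byte with hex()[2:4], which drops the
        leading zero of bytes below 0x10 and shifts every following digit;
        a fixed-width "%02x" is used here so the digest is always 32 chars
        and the [0:8] slice in Encrypt3stPart really is the first 4 bytes.)
    Raises:
        ValueError: if ``iv`` does not hold exactly four values.
    """
    mask = 0xFFFFFFFF

    # Per-step left-rotation amounts and the sine-derived constants.
    r = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4
         + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
    k = [int(floor(fabs(sin(i + 1)) * 4294967296.0)) for i in range(64)]

    # Padding: msg || 0x80 || zeros up to 56 mod 64 bytes || 64-bit LE bit length.
    data = [ord(ch) for ch in msg]
    bit_len = (len(data) * 8) % 0x10000000000000000
    data.append(0x80)
    data.extend([0] * ((56 - len(data)) % 64))
    data.extend((bit_len >> shift) & 0xFF for shift in range(0, 64, 8))

    # Little-endian 32-bit words.
    words = [data[i] | (data[i + 1] << 8) | (data[i + 2] << 16) | (data[i + 3] << 24)
             for i in range(0, len(data), 4)]

    h0, h1, h2, h3 = iv
    for base in range(0, len(words), 16):
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            if j < 16:
                f = d ^ (b & (c ^ d))
                g = j
            elif j < 32:
                f = c ^ (d & (b ^ c))
                g = (5 * j + 1) % 16
            elif j < 48:
                f = b ^ c ^ d
                g = (3 * j + 5) % 16
            else:
                f = c ^ (b | (~d & mask))
                g = (7 * j) % 16
            x = (a + f + k[j] + words[base + g]) & mask
            rotated = ((x << r[j]) | (x >> (32 - r[j]))) & mask
            a, d, c, b = d, c, b, (b + rotated) & mask
        h0 = (h0 + a) & mask
        h1 = (h1 + b) & mask
        h2 = (h2 + c) & mask
        h3 = (h3 + d) & mask

    return "".join("%02x" % ((h >> shift) & 0xFF)
                   for h in (h0, h1, h2, h3)
                   for shift in (0, 8, 16, 24))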

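def EncryptName(Name):
    """Return the full L17 serial for *Name*.

    The five segments are joined with "-" and uppercased, matching the
    five-piece split SerialToName performs on the way back. (The listing
    shows empty separators, but its ``split('')`` would raise ValueError,
    so a separator character was stripped; "-" is consistent with the
    hyphens lost elsewhere in this listing.)

    Args:
        Name: the user name (str).
    Returns:
        Uppercase serial string "P1-P2-P3-P4-P5".
    """
    pieces = (Encrypt1stPart(Name),
              Encrypt2stPart(Name),
              Encrypt3stPart(Name),
              Encrypt4stPart(Name),
              Encrypt5stPart(Name))
    return "-".join(pieces).upper()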

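def NameToSerial():
    """Interactive menu entry: prompt for a name and print its serial."""
    try:
        ask = raw_input  # Python 2: returns the raw line
    except NameError:
        ask = input  # Python 3 (unlike Python 2's input(), never eval()s)
    print("\nName To Serial")
    Name = ask("Input name : ")
    print("Serial is " + EncryptName(Name))
    print("\n")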

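def show_brute_res(Name, Serial, dt):
    """Print the outcome of a successful serial-to-name search.

    Args:
        Name: the recovered name.
        Serial: the serial that was searched for.
        dt: elapsed search time in seconds (printed with 3 decimals).
    """
    print("[*] Brute Forsing Success!!")
    print("Name : %s" % Name)
    print("Serial : %s" % Serial)
    print("time : %.3f sec" % dt)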

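def BruteForce(t_name, piece):
    """Return True iff *t_name* reproduces every segment in *piece*.

    Args:
        t_name: candidate name.
        piece: the five uppercase serial segments, in serial order.
    Returns:
        True when all five segments match, False otherwise.

    The four cheap arithmetic segments are compared first and the
    MD5-based segment (piece[2]) last, so the hash is only computed for
    candidates that already passed the others; all() short-circuits in
    this order.
    """
    checks = ((0, Encrypt1stPart),
              (1, Encrypt2stPart),
              (3, Encrypt4stPart),
              (4, Encrypt5stPart),
              (2, Encrypt3stPart))
    return all(piece[idx] == part(t_name).upper() for idx, part in checks)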

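def SerialToName():
    """Interactive menu entry: prompt for a serial and brute-force a name.

    Candidate names are enumerated as an odometer over printable ASCII
    (0x20..0x7E), all names of length 1 first, then length 2, and so on,
    until BruteForce() accepts one. The space grows as 95**length, so only
    very short names are recoverable in practice, and a serial that no
    name produces keeps the loop running until interrupted.
    """
    try:
        ask = raw_input  # Python 2: returns the raw line
    except NameError:
        ask = input  # Python 3 (unlike Python 2's input(), never eval()s)
    print("\nSerial To Name")
    print("[*] Only support ascii [0x20~0x7E]")
    Serial = ask("Input serial : ").upper()
    piece = Serial.split("-")
    if len(piece) != 5:
        print("Incorrect format serial!")
        return
    st = time.time()
    t_len = 1
    t_hex_list = [0x20]
    print("Brute Forsing on %d length..." % t_len)
    while True:
        t_name = "".join(chr(hx) for hx in t_hex_list)
        if BruteForce(t_name, piece):
            break
        # Odometer step: bump the last character, carry into the ones before it.
        t_hex_list[t_len - 1] += 1
        for i in range(t_len - 1, 0, -1):
            if t_hex_list[i] > 0x7E:
                t_hex_list[i] = 0x20
                t_hex_list[i - 1] += 1
            else:
                break
        if t_hex_list[0] > 0x7E:
            # Every name of this length has been tried: restart one char longer.
            t_len += 1
            t_hex_list = [0x20] * t_len
            print("Brute Forsing on %d length..." % t_len)
    dt = time.time() - st
    show_brute_res(t_name, Serial, dt)
    print("\n")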

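def main():
    """Menu loop: 1 = name to serial, 2 = serial to name, q/Q = quit."""
    try:
        ask = raw_input  # Python 2: returns the raw line
    except NameError:
        ask = input  # Python 3 (unlike Python 2's input(), never eval()s)
    actions = {"1": NameToSerial, "2": SerialToName}
    while True:
        print("[+] Coding By majorPE")
        print("Menu")
        print("1. Name To Serial")
        print("2. Serial To Name")
        print("q. quit")
        print("")
        sel = ask("sel > ")
        if sel in ("q", "Q"):
            break
        action = actions.get(sel)
        if action is None:
            print("Incorrect Selection!\n")
        else:
            action()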

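# Script entry point; importing the module as a library does not start the menu.
if __name__ == "__main__":
    main()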
