How to solve the Malwarebytes CrackMe: a step-by-step tutorial | Malwarebytes Labs

How to solve the Malwarebytes CrackMe: a step-by-step tutorial

This CrackMe was made to serve internal purposes, but then it was released to the community on Twitter, and the challenge got a lot of positive response. Thanks to all of you who sent in your write-ups! I am going to go into detail, so that even someone with little experience in reverse engineering will not feel lost. But if something is unclear, please don't hesitate to ask in the comments. I got questions from people who were stuck and needed some more explanation/guidance, so I promised to present my own solution in a step-by-step tutorial, hopefully a useful experience for the beginner malware analyst. Like always, there are many possible solutions. The techniques demonstrated in this CrackMe, that we wanted to exercise, are:

+ Noticing common evasion tricks (antidebug etc.) and bypassing the checks
+ Detecting XOR
+ Finding a way to deobfuscate the payload

Environment and tools used

For the analysis environment, I used Windows 7 32-bit on VirtualBox, with an Internet connection.

+ For static analysis: IDA (demo version is enough)
+ For dynamic analysis: ImmunityDbg / OllyDbg / x64dbg
+ PE-bear

Stage 1

When we run the CrackMe, the first thing we see is the following banner:

[Screenshot: the CrackMe banner]

So far, we know that the task is finished when we get the flag in the following format: flag{...}

There is no password prompt whatsoever; we just see the failure message on the screen. The only way to understand more is by looking inside. For this purpose, let's open it in IDA.

Finding the decisive variable

Let's find the printf call that prints the failure message:

[IDA screenshot: at 0x401975 the failure path pushes the string "I am so sorry, you failed", calls printf, then pushes "pause" and calls system.]
The success of the crack will depend on the value of AL (AL=0 leads to failure). This value is set in the function called above. Let's go inside the function and see where exactly it is set:

[IDA screenshot: the function body, ending with a cmp against a hardcoded value and the result placed in AL]

We see that some variable (IDA automatically named it szUrl, suggesting that it will be used somewhere as a URL) is passed to a function. The output of this function (at this point we can guess that it is some checksum) is going to be compared with the hardcoded one. If it matches, AL is being set. So, our next question is where this variable comes from.

Finding references

[IDA screenshot: cross-references to szUrl]

As you can see, it is referenced from three places in the code.

How is the variable used?

The other references will probably refer to the usage of this variable, so let's see them first. Entering the referenced function, we can see some API calls reading the content from the given URL, such as InternetOpenUrlA and InternetReadFile:

[IDA screenshot: InternetOpenUrlA and InternetReadFile calls, with szUrl passed as a parameter]

The second one is the place where we came from (szUrl being passed to the checksum function). At this point, we can be sure that the content of the variable, if filled correctly, will be used to download some content from the Internet.

How is the variable filled?

Now let's have a look at the first reference and find out where the value of szUrl comes from:
[IDA screenshot: a buffer of DWORD constants written to local variables, followed by a CryptAcquireContext call with the provider "Microsoft Enhanced RSA and AES Cryptographic Provider"]

We can see that the Windows Crypto API is being used. The passed content is decrypted with the help of the Windows API, using the AES algorithm. Following the order of the passed parameters, it is easy to guess which buffer is used to store the output. So the only thing that we need to do in order to get the URL with the expected checksum is to decrypt the passed buffer (the array of DWORDs) with the valid key. Then we will get the proper URL that has the defined checksum.

Finding the decryption key

The key is derived from the hash of another buffer, passed as one of the function's parameters. We can see that the Windows Crypto API is used to derive the hash. The used hashing function is SHA-256 (algorithm ID: 0x800C = CALG_SHA_256):

[IDA screenshot: CryptCreateHash called with the SHA-256 algorithm ID]

This hash is used to derive the AES key:
[IDA screenshot: CryptDeriveKey called with the hash handle]

Let's trace the key and find out where it is passed to the function:

[IDA screenshot: the key buffer being built by a series of function calls]

We found out that the full buffer consists of pieces that are added DWORD by DWORD in various functions. Let's have a look at each of those functions.

At this point, things are getting clearer. We have various environment checks that malware often uses for recognizing if it is run in a controlled environment or not. For example, checking if it runs under the debugger:

[IDA screenshot: one of the functions, calling IsDebuggerPresent and CheckRemoteDebuggerPresent]

If the environment check fails, no more pieces of data are added to the buffer. We need to catch all of them. We may achieve it by following each check and patching it out (removing the conditional jump), so that the chunk will be added to the buffer unconditionally.
You can use IDA for patching, but IMHO it is not convenient, so usually I do it with the help of some other tool (a debugger like OllyDbg, or PE-bear), and use IDA just for finding the offsets. Having each check passed (or deleted) brings us one step further.

[Screenshot: following the offset of the check in PE-bear and patching the conditional jump]

Running the patched version, we see some progress! The message "You are on the right track" prints on the screen. We can also see a hint that something was downloaded from the Internet.

[Screenshot: the CrackMe output after patching]

Examining the traffic

We already know that something was downloaded from the Internet (using the decrypted URL), so it may help to have a closer look at the network traffic. There are many ways of checking the URL that was queried. We can do it with the help of Wireshark.

[Screenshot: Wireshark capture with an HTTP filter; the GET request and its response]

We see that the content was downloaded from pastebin (the content is further encrypted). So let's go back to the application again.

Understanding the payload

First, let's do some static analysis to understand what exactly the payload is supposed to be and how it is going to be used. Looking at the code where the message box is being shown, we see that after that there is a check if the buffer starts from "MZ". It is a well-known magic number starting DOS applications and also PE files.
Taking a closer look at this fact, we find out that the downloaded file is processed by a few functions. First it is base64 decoded. Then, the output is uncompressed:

[IDA screenshot: call to the decompression routine (sub_405080), which resolves RtlDecompressBuffer via GetProcAddress]

Then, we see a function that reads something from the clipboard:

[IDA screenshot: call to the function getting the clipboard content]

Going inside it, we can also easily find the relevant API calls.

[IDA screenshot: call to the decrypting routine]

After all this, if the result starts from the "MZ" magic number, it is being injected into rundll32. Following inside the function, we see exactly how the injection was made. It is a classic RunPE technique. The new process is created as suspended. The payload is being written into its memory space, linked to its PEB and resumed:

[IDA screenshot: the new process's thread context being set, then ResumeThread and CloseHandle]

More detailed explanation of this well-known technique is out of scope of this article. However, unpacking it is very easy: we just need to dump the payload after it is decrypted, but before it is converted into the virtual format (written into the remote process). I will show some of the possible unpacking methods next.

Decrypting the payload

+ The payload is downloaded from the decrypted URL
+ It is decompressed with RtlDecompressBuffer
+ It is XOR-decrypted with the help of some key that is read from the clipboard

To pass this level, we must find the XOR key.
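Recovering a repeating XOR key from the fragments where it was applied on NULL bytes, and then decoding the dump, as an added Python example that is not code from the original post or from the author's dexor tool. The sample blob is constructed here, and the key-length search, the "MZ" check and the function names are my own choices:

```python
# Added example (not from the original post or the author's dexor tool):
# recover a repeating XOR key from a blob where the key shows through over
# NULL-byte regions of the plaintext, then decode the blob.
from collections import Counter

def xor_bytes(data, key):
    """XOR with a repeating key. XOR is self-inverse: encoding == decoding."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def repeated_windows(blob, length):
    """Count windows of `length` bytes that are immediately followed by an
    identical window. Over a run of NULL plaintext the ciphertext is the key
    itself, so the key (at some rotation) appears as back-to-back repeats.
    Each window is rotated to the key phase of blob offset 0 before counting."""
    hits = Counter()
    for i in range(len(blob) - 2 * length + 1):
        w = blob[i:i + length]
        if any(w) and w == blob[i + length:i + 2 * length]:
            shift = i % length
            hits[w[-shift:] + w[:-shift] if shift else w] += 1
    return hits

def recover_xor_key(blob, magic=b"MZ", max_len=32):
    """Try key lengths from short to long and accept the first candidate whose
    decoding starts with the expected magic (the CrackMe checks for "MZ")."""
    for length in range(1, max_len + 1):
        for key, count in repeated_windows(blob, length).most_common(5):
            if count >= 2 and xor_bytes(blob[:len(magic)], key) == magic:
                return key
    return None

# Constructed sample: a PE-like header with NULL padding, encoded with the
# key the tutorial found. Real dumps have far longer NULL runs.
PLAINTEXT = (b"MZ\x90\x00\x03\x00" + b"\x00" * 58
             + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 40)
BLOB = xor_bytes(PLAINTEXT, b"malwarebytes")

if __name__ == "__main__":
    key = recover_xor_key(BLOB)
    print("recovered key:", key)
    print("decoded starts with:", xor_bytes(BLOB, key)[:2])
```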
It will not be difficult, knowing that the XOR operation is self-reversible. But first, let's dump the payload after it is decompressed, so that we get the material for further analysis. Run the patched version of the CrackMe under the debugger (e.g. ImmunityDbg), set a breakpoint on the decompression function (the API call RtlDecompressBuffer) and then run the CrackMe.

[Screenshot: ImmunityDbg stopped at the breakpoint]

We can see on the stack the variables that were passed to the function. Let's follow the buffer that was uncompressed. There are various approaches to unpacking; I will demonstrate just one of them.

Decoding the XOR-obfuscated payload

After the buffer is decompressed, we dump it to a file and decode it by our own tool, dexor.py. When dumping the buffer from memory, we have to make sure that it will start from the proper offset. We can do so by opening the dumped memory page in a hex editor, navigating to the beginning of our buffer, and saving the selection.

[Screenshot: hex editor with the buffer selected]

Then, we can easily decode it by the script, supplying the XOR key. In this case, we could easily guess that the key is "malwarebytes", because this string repeats multiple times in the encoded file (the XOR key is visible in those fragments of the file where it was applied on NULL bytes):

dexor.py --file dump.bin --key "malwarebytes"

You can see the steps taken in the video below.

As we expected, based on the earlier findings, the decoded output is a new PE file.

Stage 2

Stage 2 is inside the new executable. After we dumped it, we can run it as a fully independent module. We see that it pops up the following message: "You failed".

Understanding the checked conditions

First of all, we can see why the "Fail" message was displayed. The first thing that is checked is the module path, compared with the path of rundll32.exe.
The check is not done by direct comparison of the strings, but instead the checksums of the paths are calculated and compared:

[IDA screenshot: GetModuleFileName result and ExpandEnvironmentStrings of "%SystemRoot%\system32\rundll32.exe", both passed to the checksum function and then compared]

In case the current PE is not injected into rundll32, the check should fail and display the mentioned message box. At the moment, we want to run this PE as an independent unit, not via rundll32. So we need to get rid of this check. We can do it by simply patching out the conditional jump (the same way as we patched out the conditional jumps in Stage 1).

[Screenshot: the patched jump]

Alternatively, we can load the executable under a debugger, set the breakpoint on the check, and change the flag to bypass it.

In order for the final flag to pop up, two more conditions have to be met:

1. A process with a window of a given class has to be running in the system. First, the EnumWindows function is called. The searched checksum is given in the parameter to the callback function EnumFunc:

[IDA screenshot: push of EnumFunc and call to EnumWindows]

In the callback, each window's class name is compared to the checksum. If it matches, the particular process is being opened for the injection:

[IDA screenshot: comparing the window class name checksum; the checksum belongs to Process Explorer]

The simplest approach is to run this one under the debugger.
2. The application must be run under the debugger. So, if we run the executable under the debugger and have Process Explorer (32-bit) running, the MessageBox with the flag will be injected there and we will get the flag.

Dumping and running the shellcode

If we are lucky, we may get it very quickly. But in real life, finding the proper process that has to be injected could be problematic. Also, for people who were running the CrackMe in order to solve it, knowing the process name was not that easy. We can instead dump the shellcode before it is injected and load it by our own loader.

First, we have a look in IDA and see the part of the code where the injection is made. Before that, the checksum of the shellcode is calculated:

[IDA screenshot: the checksum of the shellcode buffer being calculated before the injection]

So at this point we already have the valid shellcode stored in the buffer. We don't really care where it is injected: we can just dump it and run it on our own. To reach this place, we only need to bypass the search for the window with the given checksum. We can do it by simply patching the condition (or changing the flag under the debugger). This is the condition that must be patched out:

[IDA screenshot: push EnumFunc, call EnumWindows, cmp ProcessHandle, 0, je short]

In the attached video we can see the full solution: dumping the shellcode and running it independently. In the given example, the shellcode is run separately from the original CrackMe with the help of our own loader.

That's how we get the final flag:
[Screenshot: the final flag displayed in the message box]

Conclusion

In this tutorial I explained step-by-step one of the possible solutions to the CrackMe. I recommend you to have a look at the write-ups below to see different perspectives and learn more. And of course, I encourage you to try on your own and describe your own solution, because this is the best way to learn.

Appendix

Write-ups by other researchers (links in the original post):

+ by @FraMauronz
+ by @UROAriguezB
+ by @SHAGOWHUNEY 0
+ by @ValthekOn
About the author

hasherezade, Malware Intelligence Analyst. Unpacks malware with as much joy as a kid unpacking candies.
