Write-up of the monkey_.exe_1 crackme

This is a write-up of monkey_.exe_1, a crackme written by monkey and published on crackmes.de, now available at crackmes.one.
To get an idea of what the program does, we first run it normally. We see two message boxes:
Remove this MessageBox()
Keep this MessageBox()

Now that we know what we need to do, let's start running it in x64dbg. Once we get to the entry point, we see:
00401000mov edi,monkey-exe1.401014edi:EntryPoint
00401005mov ecx,47ecx:EntryPoint, 47:'G'
0040100Amov al,byte ptr ds:[edi]edi:EntryPoint
0040100Cxor al,11
0040100Estosb
0040100Fsub ecx,1ecx:EntryPoint
00401012jne monkey-exe1.40100A

This is a loop where the bytes following 0x00401014 are decrypted into the instructions that will actually be executed by XOR-ing them with 0x11. To see what this code is, we can place a breakpoint at 0x00401014 and then let the loop finish by allowing execution to continue.

We see another decryption routine, and some code which creates a message box:
00401016mov edi,monkey-exe1.40103F
0040101Bmov ecx,1C
00401020mov al,byte ptr ds:[edi]
00401022xor al,5
00401024stosb
00401025sub ecx,1
00401028jne monkey-exe1.401020
0040102Apop edi
0040102Bpush 0
0040102Dpush monkey-exe1.402000
00401032push monkey-exe1.402000
00401037push 0
00401039call dword ptr ds:[<&MessageBoxA>]

Since we only need to get rid of the first message box, we don't need to worry about the second decryption routine (which only decrypts code after 0x0040103F). We just need to NOP the message box creation code (which lasts from 0x0040102A to 0x0040103E).

Since NOP has the instruction code 0x90, and it is to be XOR-ed with 0x11 when decrypting, we need to fill the range 0x0040102A to 0x0040103E with 0x81 bytes (since 0x90 XOR 0x11 = 0x81).

After making these changes, we have gotten rid of the bad message box while keeping the new one. The crackme is solved!

Comments

Popular posts from this blog

Experimenting with the Audiocodes MP264

Security implications of ANSI escape codes in Git sever responses

Local File Inclusion and reading password-protected forums in MyBB