InfoSec Institute Resources – ESET Rule the Code – CrackMe Challenge Part 1: The Unpacking Process

1. Presenting the Problem

The CrackMe challenge was first observed on the ESET CrackMe web page, which looked like the the picture below:

On the web page we can observe that the challenge is being held at Black Hat 2012. The winner will receive free entry into one of the conferences, either Black Hat America or Black Hat Europe, in 2013, plus a thousand dollars.

We can also see the download link where the crackme.exe program can be downloaded. The program is still accessible on their web page, so you can also try to download and crack it.

2. Unpacking the Program

Upon downloading the program crackme.exe, we can normally run it without any problems. The program looks like the picture presented below:

We can see that at first we need to enter the Name and Key 1 for the Key 2 to become available, which must also be filled in correctly.

If we try to run the program with OllyDbg debugger, we can quickly see that our program crackme.exe is encoded. We can see the warning message that Ollydbg presented in the picture below:

This could greatly complicate our debugging, so it’s better to decode the program first before trying to debug it. We could debug the encoded version of the program, but it could present complications, maybe even premature termination of the program.

So the first thing to do is to download a program that is able to detect most commonly used packers or encryptors, the PEiD tool. After opening our crackme.exe program with PEid, we can see what the picture below presents:

We can immediately see that the program is encoded with a standard ultimate packer for executables named UPX. This is an open source packer and can be easily downloaded and installed. When we download and run upx.exe we get the default help page presented in the following section:

C:\Documents and Settings\eleanore\Desktop\upx308w>upx.exe

Ultimate Packer for eXecutables

UPX 3.08w Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:

-1 compress faster -9 compress better

-d decompress -l list compressed file

-t test compressed file -V display version number

-h give more help -L display software license

Options:

-q be quiet -v be verbose

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

Dual Certification - CEH and CPT
5 days of Intensive Hands-On Labs
Expert Instruction
CTF exercises in the evening
Most up-to-date proprietary courseware available

VIEW ETHICAL HACKING

-oFILE write output to ‘FILE’

-f force compression of suspicious files

-k keep backup files

file.. executables to (de)compress

Type ‘upx –help’ for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net

It’s clear that we need to use the option -d to decompress the compressed executable. To decompress the executable we must run the following command:

> upx.exe -d -o main.exe crackme.exe

Ultimate Packer for eXecutables

UPX 3.08w Markus Oberhumer, Laszlo Molnar & John Reiser Dec 12th 2011

File size Ratio Format Name

——————– —— ———– ———–

2064384 <- 1041920 50.47% win32/pe main.exe

Unpacked 1 file.

The new unpacked executable file is named main.exe and is put into the same directory as crackme.exe. If we run OllyDbg with our new main.exe, the Olly doesn’t complain anymore and starts normally.

3. Conclusion

In this part of the tutorial we’ve looked at the unpacking process of the crackme.exe program. In the next tutorials we’ll try to analyze the first challenge, where we need to enter the right Name and Key 1 value.

Incoming search terms:

9 Comments

alistair reyniel labuga August 28, 2012 at 2:23 am - Reply

this article has a detailed as a guide on me is very helpful and i’ve learned on how to crack to unpacked the process…
Bonidee Capoy August 28, 2012 at 2:24 am - Reply

Hello Sir Dejan Lukan , just wanna say thank you for this information that you shared. About the Crackme.exe program so that i can join this Challenge to try and crack the program . And also thank you for the step by step tutorial about how to use the Crackme.exe..
Looking forward for the Part 2 of this Article.. God Bless..
riojohn August 28, 2012 at 2:31 am - Reply

i like your article beacause i’ve learned to secure my software .
Vance August 28, 2012 at 2:37 am - Reply

Well presented and a very informative guide on how to properly unpack and decompress the program, crackme.exe.

Looking forward to the next chapter.

Good luck.
Benxter@gmail.com August 28, 2012 at 2:39 am - Reply

This is really great!! thank you for this tutorial..looking forward for the next tutorials..
keep it up ^_^
Dejan Lukan (eleanor) August 28, 2012 at 11:53 am - Reply

Thank you all, there will be 9 more series of this crackme challenge – it will be very detailed and I hope you’ll learn a lot from it. It’s good to know that somebody has learned something from the articles – it makes my work meaningful. Thanks again.
Jevirick Andales August 30, 2012 at 4:32 am - Reply

This tutorial really helps.. Thanks..
Smurfx February 21, 2013 at 5:12 am - Reply

Is there no link to download the Crackme.exe?!
Dejan Lukan April 11, 2013 at 12:37 pm - Reply

You can download it here: http://badishi.com/wp-content/uploads/2012/07/ESET-Rule-The-Code-2012-Crackme.exe . Sorry for the late response.