Reverse Engineering 101 – With Crack-mes

cms pentration testing
BlueBorne- the lethal attack to take over your devices
September 13, 2017
insecure direct object reference
OWASP TOP 10: #4 | Insecure Direct Object Reference Vulnerability
September 20, 2017

September 15, 2017

Reverse Engineering is an fascinating art of playing with low level code.

In this article, we will see a hands-on tutorial for patching an exe file to accept any serial key!

Tool for use:
● Ollydbg (http://www.ollydbg.de/)
● A crack-me for demonstration. You can download loads of crack-mes for hands-on practice from http://crackmes.de/

A crack-me is a small program designed to test a programmer’s reverse engineering skills. They are programmed by other reversers as a legal way to “crack” software.

Let me show you how a simple crack-me exercise, which has a particular serial key (obviously unknown to me) can be patched for making it accept any serial key)

Any application can be patched/ cracked in multiple ways. Some of the situations I have worked on in the past included:

1) Application logic patched to accept any serial key
2) Use breakpoint-analysis to step through the application and find a serial key from inside the debugger windows
3) Decipher the serial-key generation and create a key-generator to produce infinite product keys

As you can see here is a sample crack-me, “passwordapp.exe”. Upon clicking the application, it shows us to enter a password for access.

Sample crackme

Sample crackme

Entering random password: 1111, we try to test the app

Random key

Random key

As normally expected, we will get a warning due to wrong password: Not authorized.
Now to patch this exe, we open “Ollydbg” to fire up the same app inside the debugger to analyze it.

Ollydbg initial screen

Ollydbg initial screen

For beginners, here is a short intro to ollydbg, to help you get familiar with it. 4
1) CPU Window : The most frequent workplace where we will be working on as a step by step flow for code analysis
2) Registers: The part of the window which contains the 32bit/ 64bit registers, and flag informations
3) Hex Dump: Simply said, it shows the hex representation of data
4) Memory Stack: The stack display pane showing comments, and the address of memory.

Click File /Open and the above box will pop up, select the appropriate directory and launch the app inside the debugger.

Parts of Olly

Parts of Olly

Once the application loads inside the debugger, we can the app inside the windows with all the assembly instructions visible.

Setting Debug

Setting Debug

As a part of our inspection, we need to run the application again, but this time inside the debugger to inspect and analyze its responses. Go to debug menu -> and Click on Run. The application will again run inside Ollydbg. As usual the application is waiting for the user input for password.

To test the application logic, we will again enter a random password as input.

Loadup exe in olly

Loadup exe in olly

Loadup exe in olly

Loadup exe in olly

As soon as we again enter a random password, we are greeted with the same error as before.

In simple applications such as these, often THE KEY TO REVERSING IS FINDING THE ERROR MESSAGE!

Here just note the error message, which says we are unauthorized to use the application. Once we close the error message, just right click inside the console window and Right click -> Search for-> All referenced strings. Following this step is the reason, since now we will be hunting the error message, which we just encountered.

Searching for Error String_1

Searching for Error String_1

Searching for Error String_2

Searching for Error String_2

On clicking all reference strings, we will get a text box, where we will type the error message.
Once done, we get a window where all the ASCII strings of the application are present.

Once we double click on message finding the window, we will be taken back to the main console. Observing closely, go a little above the line of the error message looking for a jump instruction.

Error Message

Error Message

Here you can find the following instruction: “JE SHORT Password.00457728”

Jump Statement

Jump Statement

JE is a conditional jump which means that if the condition is right then it will jump to 00457728,which leaves us to the message “You are not authorized to use the application” and if the condition is not satisfied it just continues reading the code

Now we finally can remove this message, our approach being:

•Fill it with NOP’s(No Operation) and make this conditional jump not work

•Change JE SHORT Password.00457728 to JNE SHORT Password.00457728, JNE(Jump If Not Equal) means that if the password is correct it will give you the bad message and if the password is incorrect it will give you the correct message.

Here, I am changing the JE to JNE by double clicking on the instruction line.

Set Jump Instruction

 

Set Jump Instruction

Finding Jump Instruction

Finding Jump Instruction

Again the application will ask us to enter the password, but this time the 1111 password which was wrong, will be ignored by the application about its authenticity thus it will directly jump to the “you are authorized” section demonstrating successful patching of the app. Hit assemble and re-run the app.

Testing Random Serial

Testing Random Serial

 

Successful Patching of crackme

Successful Patching of crackme

Now to permanently modify the app to accept any password, simply save the modified exe.
Right click on code window-> “copy to executable” -> “All modifications” -> Copy all-> “Save file”.
So that’s it, we have patched a simple application.

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading

Enable Notifications OK No thanks