I've acquired a free hour and finally decided to translate from Russian my first article about reverse engineering. This topic is as new for me, as it is for you, but that probably will help me to tell you about it better than anyone else. So what basis do we need? I don't have a single application written in assembler in my professional background. I know some scripting languages and a little bit C++. Plus I have some theoretical software development knowledge. So this should be enough to start learn reverse engineering. This is an Olly Debugger that we will use in our lessons. You can download it from its official page but zip archive I presented here already contains a lot of necessary plugins and configurations. And this is a program that we will use for our first lesson. Download an Olly debugger and run it. Probably you will see an error that plugin folders and UDD folder was not found. So you will need to open Options -> Appearence -> Directories menu and specify path to folders with the same names in OllyDbg unzipped folder. Try to run the program we are going to hack. You will see simple application that asks you to enter name and serial number. I doubt that you will be able to enter serial number correctly from the first try. There are two ways to solve a problem with serial number here:
I would like to move to the second solution, but it much more difficult than the first one. So we will patch the initial program to make it ignore incorrect serials. Run the olly debugger. Press F3 (or File->Open) and select our crackme application. Than press F8 and you'll see how debugger executes binary code of our application step by step. Continue to press F8 until you see that your application interface window appeared. That should be somewhere at this address: As you see, our code at this address requested a call to function DialogBoxParamA of the dynamic linking library user32.dll In the appeared window of the tested application you can work in the same way as you work with it without debugger. You enter some serial and app shows you an error again. So, lets stop here for a moment and think. When we run an application, it shows us an error "Wrong Serial!". This is a string constant, that should be saved somewhere in the memory. If we will be able to find a part of code, that references this constant, than we will be able to bypass it. Lets restart the debugging process. Press CTRL+F2. Do a right click in debugger window and select Search For -> All Referenced Text Strings. We'll get: Double click on string with Wrong Serial and you will be pointed to the dialog function that uses this constant. Everything that calls this dialog function is bad for us. Lets find out how many parts of code references "Wrong Serial" dialog in application. Right click on the place, where dialog preparation starts (PUSH 10) and take a look at Go To part: We see that this dialog is referenced by 3 transitions JNZ. That means our application does 3 verification for correct serials. It would be good to analyze all 3 verification, but I will do it in next lessons. And now I just want quickly patch all unwanted redirections to this part of code.
Google tells me that JNZ is a command that redirects code flow to specified address if at least one byte of the accumulator is not equal to 0. So, in order to move our code to the desired flow we can remove those JNZ transitions. Here we need to remember, that size of the application cannot be changed. So we must to preserve it. That is why we cannot simply remove JNZ line of code. But we can rewrite it with NOP command. This is a command that does nothing. It is equivalent of sleep command in C++. So, by using right mouse click Go To menu item we are navigating to undesired JNZ lines, than chose Binary -> Fill with NOPs context menu item by clicking with right mouse button on the JNZ line. Do it for all 3 JNZ lines that reference dialog with Wrong Serial constant. After that press F9 to run your pathced application. You can specify any name and serial or just leave input fields blank and press OK button. And your will get a dialog with a message which tells that you successfully passed the tutorial and hacked that crackme. That is all for today. I hope you liked this article. Post your comments so I know how can I improve my future articles and make those more understandable for you. Thank you for reading my blog!
0 Comments
Leave a Reply. |
NoticeI have removed Russian content from my website and now will post articles in English only. This is not because of some politics, Russian speaking people you are great, but just it is very hard to support bilingual web site in Weebly. For those who read my articles as usual I ask to click on a single advertisement banner on my web site. This gives me some credits and is free of charge for you. Archives
August 2016
Categories
All
|