Reverse Engineering 101

This is a very basic tutorial on reverse engineering your first executable in Windows. This is a short application which I’ve written just for this purpose, just a simple program which came to my head.

#include <windows.h>
#include <stdio.h>
/*
	Name: Ultra Newbie CrackMe
	Copyright: 2014
	Author: Osanda Malith 
	Date: 30/12/14 07:51
	Description: This a very basic crack me just for demonstration purposes.
*/

void
enc (char cipher[], int shift) {
  int i = 0;
  while (*(cipher+i)) {
	  if ((*(cipher+i) + shift) >= 65 && (*(cipher+i)+ shift) <= 90) *(cipher+i) += shift;
      else *(cipher+i) += shift - 25;
    i++;
  }
}

int 
main () {
	int i;
    char msg[] = {0x53, 0x45, 0x43, 0x52, 0x45, 0x54, '\0'}, *in;
    int key = 6+3;
    enc(msg,key); printf("Coded by Osanda\nhttp://osandamalith.wordpress.com\n\n");   
    printf("Enter Pass\n");
    in = (char *) malloc(20);
    scanf("%s", in);
    if(!strcmp(in,msg)) MessageBox(NULL,TEXT("Access Granted :)"),TEXT("Info"),MB_OK | MB_ICONASTERISK  | MB_RIGHT );
    else MessageBox(NULL,TEXT("Try Again"),TEXT("Info"),MB_OK | MB_ICONERROR  | MB_RIGHT );
    return 0;
}

I’ll divide this tutorial in to two tasks. Task one is finding the pass. Task two would be patching the application so that any given user input would trigger the “Access Granted” message box.
Before we start what is reverse engineering? Let me put it in this way. We write applications in high level languages such as C, C++, Delphi, etc. and they are gone through a process called compiling and converted into machine code. We write programs in different languages but regardless, the computer won’t understand any of them. The closest language to the CPU which it would understand after assembling and linking would be the assembly language. Reverse engineering is the process of engineering an application once it is compiled into machine code. This is vastly used in malware analyzing, breaking protections in software, exploit development, adding more functionality into applications. There might be more than these few.


Ok, let’s start. First we need a debugger to play with. I’ll be using the good old OllyDbg. It’s a user mode debugger (ring 3). After compiling the program open it in the debugger. For reversing you need to understand assembly language. For this let’s assume you have zero knowledge in assembly and let’s continue. Keep scrolling down and try to understand what’s going on using the comments. You should see the application is calling the “strcmp” function which is located at the MSVCRT.DLL. The address of the EAX register is being moved into another location. This means our value from the “enc” function was stored in the EAX register and it’s preparing for comparison.

004013AE  |.  894424 04      MOV DWORD PTR SS:[LOCAL.25],EAX    ; /string2 => OFFSET LOCAL.10

Let’s hit a breakpoint their by pressing F2.

View post on imgur.com


Now run the application and it should prompt for standard input. Give some random chars and notice the EAX register. Thanks to the debugger we can see the ASCII value stored in the register. The value seems to be “CNLBND”. Press F8 to step over. You will notice that the String 1 would be your given random value and strcmp will compare the two values return 0 or 1. The below images show the 8 32-bit registers used in the x86 architecture. After the registers it’s the flags such as carry, parity, Zero, etc.

View post on imgur.com


Okay now if we test the original application with the password “CNLBND” we would get access granted 🙂

View post on imgur.com


Now the task one is completed. Let’s try to patch the application so that any given user input would result in the “Access Granted” message box. Well, by now you should get this idea. Let’s look at the code.

View post on imgur.com

004013BD  |.  85C0      TEST EAX,EAX
004013BF  |.  75 29     JNZ SHORT 004013EA ; This jumps into the “Try Again”

After the strcmp function is called its return value is stored in the EAX register. Next we have TEST EAX, EAX. This would set the Zero flag according to the result of bitwise AND between the EAX register. If the strcmp was successful it would return 0 to the EAX register. TEST EAX, EAX => 0 AND 0 = 0 would result in turning 1 in the Zero flag. But if the comparison was unsuccessful 1 AND 1 = 1 which would do nothing to the Zero flag. The next instruction is a JNZ = Jump Not Zero. This jump leads to the “Try Again” message, you can see the red arrow leading to that message in the above picture. JNZ will take the jump if the Zero flag is set to 0. What if we assemble this to a JZ which is Jump Zero  So each wrong input would result a return value of 1, 1 AND 1 = 1 and this will result the ZF to be 0. When there is a JNZ it will jump to the try again message. Once we patch this to JZ the jump won’t be taken.

Double click on the instruction and change the JNZ to a JZ and click on Assemble.

View post on imgur.com


That is it, now if you run the program from the debugger and give any input you should get the “Access Granted” message 🙂

View post on imgur.com


Now right click on disassembly and click on Copy to executable and click on Selection, you will get another dialog box and again click and save file and give a new file name.

View post on imgur.com

Here is your newly cracked executable 🙂 Thanks for reading.

Advertisements

4 thoughts on “Reverse Engineering 101

  1. Excellent tutorial bro, good intro for new people to get some hands on experience 🙂

Leave a Reply