Reverse Engineering 101

This is a very basic tutorial on reverse engineering your first executable in Windows. This is a short application which I’ve written just for this purpose, just a simple program which came to my head.

#include <windows.h>
#include <stdio.h>
/*
	Name: Ultra Newbie CrackMe
	Copyright: 2014
	Author: Osanda Malith 
	Date: 30/12/14 07:51
	Description: This a very basic crack me just for demonstration purposes.
*/

void
enc (char cipher[], int shift) {
  int i = 0;
  while (*(cipher+i)) {
	  if ((*(cipher+i) + shift) >= 65 && (*(cipher+i)+ shift) <= 90) *(cipher+i) += shift;
      else *(cipher+i) += shift - 25;
    i++;
  }
}

int 
main () {
	int i;
    char msg[] = {0x53, 0x45, 0x43, 0x52, 0x45, 0x54, '\0'}, *in;
    int key = 6+3;
    enc(msg,key); printf("Coded by Osanda\nhttps://osandamalith.wordpress.com\n\n");   
    printf("Enter Pass\n");
    in = (char *) malloc(20);
    scanf("%s", in);
    if(!strcmp(in,msg)) MessageBox(NULL,TEXT("Access Granted :)"),TEXT("Info"),MB_OK | MB_ICONASTERISK  | MB_RIGHT );
    else MessageBox(NULL,TEXT("Try Again"),TEXT("Info"),MB_OK | MB_ICONERROR  | MB_RIGHT );
    return 0;
}

I’ll divide this tutorial in to two tasks. Task one is finding the pass. Task two would be patching the application so that any given user input would trigger the “Access Granted” message box.
Before we start what is reverse engineering? Let me put it in this way. We write applications in high level languages such as C, C++, Delphi, etc. and they are gone through a process called compiling and converted into machine code. We write programs in different languages but regardless, the computer won’t understand any of them. The closest language to the CPU which it would understand after assembling and linking would be the assembly language. Reverse engineering is the process of engineering an application once it is compiled into machine code. This is vastly used in malware analyzing, breaking protections in software, exploit development, adding more functionality into applications. There might be more than these few.


Ok, let’s start. First we need a debugger to play with. I’ll be using the good old OllyDbg. It’s a user mode debugger (ring 3). After compiling the program open it in the debugger. For reversing you need to understand assembly language. For this let’s assume you have zero knowledge in assembly and let’s continue. Keep scrolling down and try to understand what’s going on using the comments. You should see the application is calling the “strcmp” function which is located at the MSVCRT.DLL. The address of the EAX register is being moved into another location. This means our value from the “enc” function was stored in the EAX register and it’s preparing for comparison.

004013AE  |.  894424 04      MOV DWORD PTR SS:[LOCAL.25],EAX    ; /string2 => OFFSET LOCAL.10

Let’s hit a breakpoint their by pressing F2.

Now run the application and it should prompt for standard input. Give some random chars and notice the EAX register. Thanks to the debugger we can see the ASCII value stored in the register. The value seems to be “CNLBND”. Press F8 to step over. You will notice that the String 1 would be your given random value and strcmp will compare the two values return 0 or 1. The below images show the 8 32-bit registers used in the x86 architecture. After the registers it’s the flags such as carry, parity, Zero, etc.

Okay now if we test the original application with the password “CNLBND” we would get access granted 🙂

Now the task one is completed. Let’s try to patch the application so that any given user input would result in the “Access Granted” message box. Well, by now you should get this idea. Let’s look at the code.

004013BD  |.  85C0      TEST EAX,EAX
004013BF  |.  75 29     JNZ SHORT 004013EA ; This jumps into the “Try Again”

After the strcmp function is called its return value is stored in the EAX register. Next we have TEST EAX, EAX. This would set the Zero flag according to the result of bitwise AND between the EAX register. If the strcmp was successful it would return 0 to the EAX register. TEST EAX, EAX => 0 AND 0 = 0 would result in turning 1 in the Zero flag. But if the comparison was unsuccessful 1 AND 1 = 1 which would do nothing to the Zero flag. The next instruction is a JNZ = Jump Not Zero. This jump leads to the “Try Again” message, you can see the red arrow leading to that message in the above picture. JNZ will take the jump if the Zero flag is set to 0. What if we assemble this to a JZ which is Jump Zero  So each wrong input would result a return value of 1, 1 AND 1 = 1 and this will result the ZF to be 0. When there is a JNZ it will jump to the try again message. Once we patch this to JZ the jump won’t be taken.

Double click on the instruction and change the JNZ to a JZ and click on Assemble.

That is it, now if you run the program from the debugger and give any input you should get the “Access Granted” message 🙂

Now right click on disassembly and click on Copy to executable and click on Selection, you will get another dialog box and again click and save file and give a new file name.

Here is your newly cracked executable 🙂 Thanks for reading.

Advertisements

4 thoughts on “Reverse Engineering 101

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s