Adventures in reverse-engineering a crackme on Crackmes.de
In this post I'll show how to reverse this crackme. This crackme is classified as level 5, but it is not that complicated; it just requires some knowledge.
I use a fresh copy of Windows 10 as the environment for reversing; please note that the results may vary depending on the OS you're using. The approach I used is quite "pragmatic" (basically, I change stuff and see what happens) and may not be suitable for larger or more complex protections where a deeper knowledge of the protection is needed.
- First of all, try to launch it. Crash. That's good. Note that the author "certified" it as running on OSs up to Windows 7, so this crash is nothing special. We'll try to understand the reason later.
- Fire up OllyDBG, open it, and the process terminates itself before the entry point is reached. Good enough. Now, suppose you don't know what a "TLS Callback" is; just look at the call stack. Someone called TerminateProcess before the program reached the entry point. Again, supposing you know nothing about how this is done, simply looking around this TerminateProcess makes it pretty clear that this someone is using some anti-debug tricks here. In pseudo-code this function (the TLS Callback) looks like the listing further down.
- The important thing to keep in mind is the overwriting of the entry point at runtime. This trick may work on previous versions of Windows but fails miserably on Windows 10. In other words, Windows 10 checks the entry point in the PE header earlier and doesn't allow this kind of trick, based on PE malformation, to work. In order to let this application run on newer versions of Windows we have to patch the entry point manually. The correct value, as we can see in the disassembly, is 1491h.
- Once that's done, this window pops up due to all the patches I made. Around this call to MessageBox there is a fancy JNE SHORT 0040123F. Just substitute it with a JMP SHORT 0040123F to make the window disappear.
- Okay, relaunch. This message box pops up. C'mon, seriously? Okay, fine.
- Considering that the software asks for a string, opening IDA's "Strings" subview may be a good idea. Once that's done, there is a string that shines like an oasis in a desert: http://www.xtremeroot.net/Offensive/
Looking at the xrefs, it's clear that it is used in only one place: 00401132. Putting a breakpoint there and watching the contents of ECX, we can see the software build this wonderful secret string and then try to destroy it:
```c
void tls_callback(arg1)
{
    var A = GetTickCount();
    do_anti_debug_stuff(arg1);
    // If the checks took too long (someone single-stepping them), bail out.
    if (GetTickCount() - A > TIMEOUT)
        TerminateProcess();
    return;
}

void do_anti_debug_stuff(arg1)
{
    // The header entry point is bogus; the real one is written here at runtime.
    this_process->entry_point = REAL_ENTRY_POINT;
    if (arg1 != 1)
        return;
    // Various simple anti-debug tricks, including
    // NtQueryInformationProcess, IsDebuggerPresent, etc.
}
```
Just set arg1 to 0 (so the `arg1 != 1` check returns early) to make the application skip all that.
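As an added example (not the author's code and not the crackme itself), here is a small PE32 header reader that shows the two things the callback above plays with: the AddressOfEntryPoint field that the Windows 10 loader validates before running anything, and the TLS callback table whose entries run before that entry point. It works on a constructed toy image built inline rather than the crackme, and `set_entry_point` is the manual header patch from the post applied to a copy of the bytes.

```python
import struct
TLS_DIR = 9  # index of the TLS entry in the optional header's data directory

def _hdr(data):  # -> (optional header offset, section table offset, section count); PE32 only
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, e_lfanew + 6)
    if struct.unpack_from("<H", data, e_lfanew + 24)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    return e_lfanew + 24, e_lfanew + 24 + opt_size, nsec
def _rva_to_off(data, sec, nsec, rva):  # map an RVA to a file offset via the section headers
    for i in range(nsec):
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sec + i * 40 + 12)
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is in no section" % rva)
def get_entry_point(data):  # AddressOfEntryPoint, the header value the Windows 10 loader checks up front
    return struct.unpack_from("<I", data, _hdr(data)[0] + 16)[0]
def set_entry_point(data, rva):  # the manual header patch from the post, applied to a copy
    out = bytearray(data)
    struct.pack_into("<I", out, _hdr(data)[0] + 16, rva)
    return bytes(out)
def tls_callbacks(data):  # VAs in the TLS callback table: code the loader runs before the entry point
    opt, sec, nsec = _hdr(data)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dir_rva = struct.unpack_from("<I", data, opt + 96 + 8 * TLS_DIR)[0]
    if not dir_rva:
        return []
    table_va = struct.unpack_from("<I", data, _rva_to_off(data, sec, nsec, dir_rva) + 12)[0]
    off = _rva_to_off(data, sec, nsec, table_va - image_base)  # AddressOfCallBacks holds a VA
    found = []
    while struct.unpack_from("<I", data, off)[0]:  # table is NULL-terminated
        found.append(struct.unpack_from("<I", data, off)[0])
        off += 4
    return found
def build_sample_pe():  # constructed toy PE32 (not the crackme): one section, one TLS callback
    img = bytearray(0x400)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58  # optional header follows the 20-byte COFF header
    struct.pack_into("<HBBIIII", img, opt, 0x10B, 0, 0, 0, 0, 0, 0x1000)  # Magic=PE32 ... entry=0x1000
    struct.pack_into("<I", img, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * TLS_DIR, 0x1000, 0x18)  # TLS directory RVA, size
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".rdata", 0x200, 0x1000, 0x200, 0x200)  # section hdr
    struct.pack_into("<IIII", img, 0x200, 0x401000, 0x401008, 0x40100C, 0x401020)  # IMAGE_TLS_DIRECTORY32
    struct.pack_into("<II", img, 0x220, 0x401100, 0)  # callback table: one callback, then NULL
    return bytes(img)
```

To triage a real 32-bit file, pass `open(path, "rb").read()` to `tls_callbacks` and `get_entry_point`: a non-empty callback list is the first thing to check when a process dies before the debugger ever reaches the entry point.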
The security systems have to win every time, the attacker only has to win once
Yes, it was worth it.