The goal of this post is to help the reader create a working 'crackme' and analyse it later (or „crack” it – you name it ;)). I believe that if you understand what’s going on in the background of the program you’re trying to crack, it should be pretty easy to get things done. That’s why below we will start by creating 2 simple crackmes.
Environment
The main environment I used was based on a Windows system. I used Windows 7 (32-bit) installed on VirtualBox and tools like Immunity Debugger or IDA. All of them – if needed – I will list in each case described below.
Base toolset:
- VirtualBox with Windows 7 installed (32-bit)
- Immunity Debugger
- DevCpp
TL;DR - Let's start!
CrackMe#01 - creating NagScreen
Ok, let’s start with a very, very basic CrackMe. Our goal will be to remove the nagscreen. But first of all we’ll create it – using the DevCpp IDE:
Run DevCpp and go directly to File -> New Project:
We will use Windows Application:
As you can see, this is pretty much all we need in this case to ‘create’ a skeleton of our new application. Now we’ll add a simple message box (the nag):
So far, so good. Check your results with F11:
Wow! What an amazing piece of code! ;] But for our purposes it will be just perfect. Now it’s time to remove the nag! (You'll find one from time to time during your crackme adventures ;)) So?
Let’s do it...
Cracking CrackMe#01 - removing the NagScreen
Ok, now it’s time to remove our super protection, so let’s open our newly created app in Immunity Debugger. We should be somewhere here:
The simplest (in my opinion) way to do it is (simply ;)) to go to the search for text strings, like this:
As you can see (screen below), there is the string presented by the nagscreen:
We can see that to present our 'nag window' there is a CALL EAX:
We can 'remove' it by replacing the CALL EAX with a NOP instruction. Press space on CALL EAX, type NOP and hit Enter. Note that CALL EAX is a two-byte instruction (FF D0) while NOP is one byte, so leave the "Fill with NOP's" option checked in the assemble dialog so the second byte is also overwritten with a NOP rather than left as a stray opcode. We should be here:
Congratulations! Now if you'll run the app (F9), there will be no NagScreen. ;)
Crackme#02 - comparing the password
Another possible 'scenario' of the crackmes you'll find online will probably be 'comparing' something to something else, for example: comparing the user's input to a key/serial/password.
So, just like before, our first goal will be creating an app that can "get the user's input and compare it to some other string value" ;)
Let's do it!
As you can see, I created a (lame & simple) app with:
- a field to get a 'name' as the "user's input"
- a button to do the 'check' (our compare) action
- a text field to present the response message.
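To make the 'compare' concrete before we open the app in a debugger, here is a console stand-in for the CrackMe#02 check, written as an added example (it is not the post's code): the clear-text strcmp pattern that the string search and the strcmp breakpoint later expose, next to a variant that stores only a hash of the expected value. The password "abc", the FNV-1a hash and the trial inputs are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample password for this demo (not from the post). */
static const char SECRET[] = "abc";

/* The CrackMe#02 pattern: the expected value is a clear-text string in
 * the binary, so it turns up in a text-string search, and strcmp receives
 * it as an argument (the value that lands in a register at the breakpoint). */
int check_plain(const char *name)
{
    char buf[32];
    /* bounded stand-in for the app's strcpy of the Name field */
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return strcmp(buf, SECRET) == 0;
}

/* 32-bit FNV-1a; chosen here only as a small, dependency-free hash. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* fnv1a32("abc"), precomputed offline so the clear-text never ships. */
static const uint32_t SECRET_HASH = 0x1a47e90bu;

/* Hardened variant: the binary holds only the hash, so neither a string
 * search nor stepping over the compare reveals the password. The check is
 * still a single comparison that can be patched, and a 32-bit hash of a
 * short password is cheap to brute-force; this closes the leak shown in
 * the post, not every attack. */
int check_hashed(const char *name)
{
    return fnv1a32(name) == SECRET_HASH;
}

int main(void)
{
    const char *inputs[] = { "abc", "abd", "" };  /* constructed trials */
    for (size_t i = 0; i < 3; ++i)
        printf("%-4s plain=%s hashed=%s\n", inputs[i],
               check_plain(inputs[i]) ? "GoodBoy" : "BadBoy",
               check_hashed(inputs[i]) ? "GoodBoy" : "BadBoy");
    return 0;
}
```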
Next step...
CrackMe#02 - finding the password
From the IDA Pro perspective it looks like this:
But we will start with Immunity Debugger, just like with CrackMe#01. We should be here:
Here we go, press F9 to start the app:
Let's try again to find some interesting strings:
As you can see there is 'Name' and a few other strings used in the app:
We can see that there is also some kind of message, probably related to the BadBoy response. Double-click on it (No!) and we should be here:
As we can see there is a strcpy as well as a strcmp. Good indicators for our comparison. ;) As you can see, I set a breakpoint (F2) on both functions.
Next, let's restart the app (Ctrl+F2) and run it (F9):
As you can see, our 'Name' value is now held in the EAX register. Press F8 to step forward and observe the registers:
As you can see, we now have the clear-text value of the string that is compared to our (Name) string:
Let's restart the app and this time we'll use the value presented in the EDX register. Checking (as you can see, we'll now also break on our second breakpoint (strcpy)):
Congratulations! ;) Now you should be ready to solve about 50% of the crackmes available online ;) "Good luck & have fun!" ;)
Remember that "cracking" is illegal in many countries so remember to use your knowledge only to do legal things.
Special thanks goes to my new Patreons:
- Daniel
- julianvolodia
Thank you! You are AWESOME! ;)
References
If you're looking for more text about it, maybe you will find it useful:
[1] : Fravia / +ORC / +HCU
[2] : 'Enlil notes'
[3] : tuts4you.com
[4] : Few cracking notes
[5] : RTFM