Thursday, 30 April 2020

CrackMe for Beginners

I decided to write a „CrackMe for Beginners” paper to gather some basic ideas and hints for new reversers. After a while there were a few 'papers' related to the subject, so I decided to publish it on the blog. Below you will find the details. Here we go...

The goal of this post is to help the reader create a working 'crackme' and analyse it later (or „crack” it - you name it;)). I believe that if you understand what's going on in the background of the program you're trying to crack, it should be pretty easy to get things done. That's why we will start by creating 2 simple crackmes.


Environment

The main environment I used was Windows-based: Windows 7 (32-bit) installed on VirtualBox, with tools like Immunity Debugger or IDA. Where needed, they are listed in each case described below.

Base toolset:
- VirtualBox with Windows 7 installed (32-bit)
- Immunity Debugger
- DevCpp

TL;DR - Let's start!


CrackMe#01 - creating NagScreen

Ok, let's start with a very, very basic CrackMe. Our goal will be to remove the nagscreen. But first of all we'll create it, using the DevCpp IDE:

Run DevCpp and go directly to File -> New Project:



We will use Windows Application:


As you can see, this is pretty much all we need to 'create' a skeleton of our new application. Now we'll add a simple message box (the nag):


So far, so good. Check your results with F11:


Wow! What an amazing piece of code! ;] But for our purposes it will be just perfect. Now it's time to remove the nag! (you'll find it from time to time during your crackme adventures;)) So?
Let's do it...

Cracking CrackMe#01 - removing the NagScreen
 
Ok, now it's time to remove our super protection, so let's open our newly created app in Immunity Debugger. We should be somewhere here:


The simplest (in my opinion) way to do it is (simply;)) to search for text strings, like this:


As you can see on the screen below, the string presented by the nagscreen is listed:


We can see that to present our 'nag window' there will be a CALL EAX:


We can 'remove it' by replacing the CALL EAX with a NOP instruction. Press Space on CALL EAX, type NOP and hit Enter. We should be here:


Congratulations! Now if you'll run the app (F9), there will be no NagScreen. ;) 



Crackme#02 - comparing the password

Another possible 'scenario' of a crackme you'll find online will probably be 'comparing' something to something else, for example: comparing the user's input to a key/serial/password.

So, just like before, our first goal will be creating an app that can "get the user's input and compare it to some other string value" ;)


Let's do it!

As you can see I created a (lame&simple) app with:
- a text field to get 'name' as the "user's input"
- a button to do the 'check' (our compare) action
- a text field to present the response message.

Next step...


CrackMe#02 - finding the password
 
From the IDA Pro perspective it looks like this:


But we will start from Immunity Debugger, just like with CrackMe#01. We should be here:




Here we go, press F9 to start the app:


Let's try again to find some interesting strings:


As you can see there is a Name and a few other strings used in the app:


We can see that there is also some kind of a message, probably related to the BadBoy. Double click on that (No!) and we should be here:


As we can see there is a strcpy as well as a strcmp. Good indicators for our comparison. ;) As you can see, I set a breakpoint (F2) on both functions.

Next, let's restart the app (Ctrl+F2) and run it (F9):


As you can see our 'Name' value is now held in the EAX register. Press F8 to step forward and observe the registers:


As you can see we now have the clear-text value of the string that is compared to our (Name) string:


Let's restart the app and this time we'll use the value presented in the EDX register. Checking (as you can see, we'll now also break on our second breakpoint (strcpy)):
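Why the strcmp breakpoint hands over the password, as an added C example that is not the post's own DevCpp code (the password "secret" is a constructed sample value): the check as built above keeps the expected string as a plain literal and calls strcmp, beside a variant that stores the bytes XOR-encoded and compares them itself, so neither the string search nor a breakpoint on strcmp exposes the value.

```c
#include <stdio.h>
#include <string.h>

/* The check as the post builds it: the expected password is a plain
 * string literal, so it shows up in the debugger's string search and in
 * EDX once strcmp() is reached. ("secret" is a constructed sample value.) */
int check_plain(const char *name)
{
    return strcmp(name, "secret") == 0;
}

/* Same check without a plaintext literal and without calling strcmp():
 * every byte of the expected password is stored XORed with KEY, so the
 * string search finds nothing and a breakpoint on strcmp never fires. */
#define KEY 0x5A
static const unsigned char EXPECTED[] = {
    's' ^ KEY, 'e' ^ KEY, 'c' ^ KEY, 'r' ^ KEY, 'e' ^ KEY, 't' ^ KEY
};

int check_obfuscated(const char *name)
{
    size_t n = sizeof EXPECTED;
    unsigned char diff = 0;
    size_t i;

    if (strlen(name) != n)
        return 0;
    /* Compare every byte and OR the differences together instead of
     * stopping at the first mismatch, so a single early-exit branch does
     * not tell a debugger (or a timing measurement) which byte was wrong. */
    for (i = 0; i < n; i++)
        diff |= (unsigned char)name[i] ^ EXPECTED[i] ^ KEY;
    return diff == 0;
}

int main(void)
{
    const char *tries[] = { "secret", "Secret", "secre" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-8s plain=%d obfuscated=%d\n", tries[i],
               check_plain(tries[i]), check_obfuscated(tries[i]));
    return 0;
}
```

The obfuscated variant only raises the bar: the conditional jump on its result is still a single instruction, and it can be patched exactly the way the nag's CALL EAX was replaced with NOP in CrackMe#01.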


Congratulations! ;) Now you should be ready to solve about 50% of the crackmes available online ;) "Good luck & have fun!" ;)



Remember that "cracking" is illegal in many countries, so remember to use your knowledge only to do legal things.





Special thanks goes to my new Patreons:
- Daniel
- julianvolodia

Thank you! You are AWESOME! ;)











