Hello All,

This is my introductory blog post. I am new to the world of blogging and I hope that through this venture I will be able to share my love of embedded systems, operating systems, and programming with those who are interested and learn along the way!

I have decided that my first few posts will be in regards to reversing various programs/file with a program called IDA Pro. IDA stands for Interactice DisAssembler. This program is used to disassemble binaries of all types into their relative assembly code. More about the program can be found here.

https://www.hex-rays.com/products/ida/index.shtml

The programs that we will be reverse engineering and writing key generators for will be taken from the website http://www.crackmes.de I highly encourage anyone interested in computer science of any sort to take a look at this site. There is a lot of helpful information as well as a vibrant and active community of engineers and scientists.

The Crack that we will be exploring in this particular post can be found here

http://crackmes.de/users/lucifer/first_c_crackme/

This program was written in C++ and is an introductory level CrackMe. I thought that being that this was my first post, an introductory level crack was appropriate.

The methods for cracking this program were relatively intuitive and straightforward, failing to enter the correct key only resulted in the closing of the program. You are allowed to attempt it as many times as you like. Note that some crackmes that you will encounter will alter your local registry in order to only allow you one shot! These registry alterations can be detected with programs like ProcMon for windows. Luckily, this Crackme does not contain any tricks of that sort!

After searching through the strings in IDA pro, we can see the string for a “Correct” message,

This lead us to a branch instruction that allows us to bypass the check. The picture below shows an excellent example of the graph view in IDA ProTo simply patch this software we can alter the ZF register state by setting a breakpoint and before “jz short loc_401719” and altering the ZF flag before this command is executed in the debugger and be done with it, however that is not quite enough for this crackme, we are instructed to write Keygen

In the screenshot above we can see the crucial breakpoint! After selecting the “jz short loc_401719” as a breakpoint we can fool this CrackMe!

This final branch checks the ZF register (Zero Flag) If this bit is set, it branches to the “Correct” message, otherwire the error message is generated. In IDA we can toggle the register state to force the program to jump to the “correct” branch!

Using this small trick we are able to force the branch to go where we want it to. However in order to write a keygenerator we need to analyze exactly what is happening before this branch and reverse engineer the algorithm that is being used to generate the password for a given username!

So what takes place before this final branch? Let’s set some breakpoints in the code and find out!

00401671 call strlen ; strlen returns into the eax register, get's the length of the entered username 00401676 mov edx, eax ; move eax into edx 00401678 imul edx, 875CDh ; Here we multiply the length of the string by 0x875cdh -- Note that this is SIGNED! 0040167E mov eax, 51EB851Fh ; Place the value 0x51EB851F into EAX 00401683 mul edx ; Multiply EDX by EAX (0x51eb851f) and store into EDX:EAX -- Note that this is UNSIGNED! 00401685 mov eax, edx ; Now transfer the result into EAX 00401687 shr eax, 5 ; Shift the result (EAX) by 5 0040168A imul eax, 0FFFFFC90h ; Multiply EAX by 0FFFFFC90, store into edx:eax -- Note that this is SIGNED! 00401690 mov edx, 0 ; edx == 0 00401695 push edx ; Store into stack 00401696 push eax ; Store into stack 00401697 fild qword ptr [esp] ; Fetches the top of the stack (previously EAX) into a floating point value and stores it to ST(0) 0040169A lea esp, [esp+8] ; Computes the effective address of esp+8 and stores that value back to ESP, quick way of clearing the values! 0040169E fstp qword ptr [ebp-410h] ; Stores our result (held at ST(0) ) at ebp-0x410, and also clears ST(0), also pops the stack 004016A4 fld qword ptr [ebp-410h] ; Now we push the operand back onto the FPU register stack, as it was cleared by the previous instruction! 004016AA fstp qword ptr [esp+8] ; Now we store our result which is once again at ST(0) onto the base stack as ESP+8 004016AE mov dword ptr [esp+4], 401469h ; Now the stack also contains the value 401469h 004016B6 lea eax, [ebp-308h] ; It would seems as though ebp-308h is the destination for our final serial key before comparison 004016BC mov [esp], eax ; esp+8 contains our floating point value, and esp+4 contains the immediate value to be appended! 004016BF call sprintf ; Sprintf is what is modifying our final serial! It is appending the 0x401469 value to our calculated value 004016C4 lea eax, [ebp-308h] ; EAX now contains the address pointing to the results of the sprintf operation! 004016CA mov [esp+4], eax ; [esp+4] now contains the address to the result of the sprintf operation 004016CE lea eax, [ebp-208h] ; [ebp-208h] points to our serial that we entered beforehand 004016D4 mov [esp], eax ; Now at this point the stack should contain both pointers to our entered values 004016D7 call strcmp ; Compare the two operations 004016DC mov [ebp-1044], eax ; Store the result of the comparison into [ebp-1044], if they were equal then the result will be '1', otherwise it will be '0' this is where we can make our register alteration, 004016E2 cmp dword ptr [ebp-1044], 0 ; This will give us our final result, comparing it with zero, if its's zero then the ZF Flag will be set, otherwise the program will crash! 004016E9 jz short loc_401719 ;

——————————————————————————————————————————————-

Just a quick note

[ebp-308h] is referenced by address — 0x28FC40

[ebp-208h] is referenced by address — 0x284D40

Note the difference of 0x100!

Does this mean that we could potentially overflow the buffer with a long username –> Yes, tested this, it causes the program to crash

——————————————————————————————————————————————-

Codename: Testing

Length: 7

EAX Before Floating Point Instruction: FDF6DB30 –> Convert To Double –> It’s Mantissa is 4260813616…OR 4.260813616e9!

Convert 4.260813616e9 to hex and you get 41EFBEDB66000000 Take the least significant 32 bits and you have 66000000

convert this to an integer and you have 1711276032! This is our calculated portion of the serial, not counting the

string value to be appended!

Just a quick walk through for debugging the keygenerator using “testing” as our name, please feel free to follow along with a calculator

For the floating point instructions, download and use http://sourceforge.net/projects/ieeecalc/

.text:00401676 mov edx, eax // EAX == 7, EDX == 7

.text:00401678 imul edx, 875CDh edx = 3B389B

.text:0040167E mov eax, 51EB851Fh // EAX = 51EB851FH

.text:00401683 mul edx // EDX = 12F364, EAX = CCDD61C5

.text:00401685 mov eax, edx // EAX = EDX = 12F364

.text:00401687 shr eax, 5

.text:0040168A imul eax, 0FFFFFC90h // EDX = 979A EAX = FDF6DB30

.text:00401690 mov edx, 0

.text:00401695 push edx // Loading EDX onto the Stack

.text:00401696 push eax // Loading EAX onto the Stack, FDF6DB30

.text:00401697 fild qword ptr [esp] // Converts out result thus far (previously EAX) into a floating point value and adds it to ST(0)

.text:0040169A lea esp, [esp+8] // Computes the effective address of esp+8 and stores that value back to ESP, quick way of clearing the values!

.text:0040169E fstp qword ptr [ebp-410h] // Stores our result (held at ST(0) ) at ebp-0x410, and also clears ST(0)

.text:004016A4 fld qword ptr [ebp-410h] // Now we push the operand back onto the FPU register stack, as it was cleared by the previous instruction!

.text:004016AA fstp qword ptr [esp+8] // Now we store our result which is once again at ST(0) onto the base stack as ESP+8

.text:004016AE mov [esp+428h+var_424], offset aIX019871 ; “%i-x019871”

.text:004016B6 lea eax, [ebp+var_308]

.text:004016BC mov [esp+428h+var_428], eax

.text:004016BF call sprintf

.text:004016C4 lea eax, [ebp+var_308]

.text:004016CA mov [esp+428h+var_424], eax

.text:004016CE lea eax, [ebp+var_208]

.text:004016D4 mov [esp+428h+var_428], eax

.text:004016D7 call strcmp

My KeyGen and it’s source can be found here, as well as the Crack and my notes: https://github.com/Destinaxe/reversing/tree/master/IntroductoryCrackme

Hope this helps! If you have any questions please feel free to email me at destinaxe.contact@gmail.com!