Thursday, January 23, 2014

Patching The Executable

Greetings everyone and welcome to the third tutorial of the reverse engineering for newbs series. Today we are going to cover... patching! But you knew that already =)

NOTE: The knowledge from tutorial 1 & 2 is not needed for learning this technique; HOWEVER, if you want to be a good reverse engineer, then you will want to learn what was covered in tutorial 1 & 2. If you find yourself completely lost in this tutorial, do not feel that reversing isn't for you. Reading tutorial 1 & 2 will help you understand this one.

OK. We are going to use the same exact Crackmes that we used in both tutorial 1 & 2. Here is a link to tutorial one if you need instructions on getting the Crackmes. Because this tutorial is supposed to be stand-alone I will go over the steps covered in tutorial 1 & 2 to reaching the string we need. Now let us begin.

Step 1: Open ReWrit's Crackme #1 inside Ollydbg. Your Ollydbg should look like mine from the picture below when the Crackme is successfully loaded.

ReWrit's Crackme Loaded

Step 2: The first thing we do every time we want to solve a Crackme is run it. So let's go ahead and run the program to scout for juicy information. We have four ways to run the Crackme. First: run the Crackme outside of Ollydbg =) Second: click on the play icon in Ollydbg which is located underneath the 'w' in View on the menu bar. Third: select Debug from the menu and hit run. Fourth: hit F9 on your keyboard.

Step 3: Okay so the Crackme is running! Let us go ahead and look around for some juicy stuff. We immediately notice that the Crackme is a console app, so that kind of takes away the need to search around. Since we only have one possible path to go at the moment, let us tread along.

We are asked to enter a password, but the program says that the password is NUMBERS ONLY. That is a very important clue. It is not every day that a Crackme will tell you how the password (or answer) is shaped. So if the author of the Crackme is not lying then we already have discovered an important clue just from running the app. The password is only in numbers. Let us enter the password then =)

I went ahead and entered my password:


And you can see I was wrong. It is always worth the try! OK from this point on it seems we can't do anything else, so let us go ahead and restart the program.

Step 4: Restarting is as easy as switching to Ollybdg and hitting Ctrl + F2. You may also click on the icon to the right of the open file icon underneath the menu bar. It is the one with two arrows pointing to the left. And lastly you can go to Debug > Restart from the menu.

Step 5: OK we got a feel for the program. Now let us start cracking it. Right click in the Disassembler - Main Window, hover the mouse over Search For and select All Referenced Strings. Remember one of the best starting points for tackling a Crackme or any program is the strings of the program. A lot of  potentially program breaking information can be found in the strings.

Right click in the Disassembler - Main Window

Search for All Referenced Strings

Ollydbg will bring a window to the front that is titled Search - Text Strings referenced in ReWrit's_Crackme#1. See the image below for a reference.

Strings Window

We want to select a useful string here. If you read tutorial 1 & 2, this is all repetitive to you, and that must be a little boring. But these steps will have to be replicated over and over again in every Crackme we solve. You will see =)

Step 6: So we are going to look for a string that will point us closely to the function that determines if the password we entered is correct or incorrect. Let us go ahead and locate the "Correct, good job!" string. Once you find it double click on it. Ollydbg will select a line of code that loads the string.

Select this string

Ollydbg brings you here
Step 7: OK patching time. Do know that I am considering you have close to zero understanding of what you see on the screen. The only goal of this tutorial is to show you what patching is. Later on we will learn all the tiny bits piece by piece. Trying to teach you everything you see on the screen will be overwhelming.

So if you read the previous tutorials you will know that exactly five lines above the line Ollydbg dropped you on is the line that determines if the password is correct or incorrect. In tutorial one we flipped the Zero flag after this line computed in order for us to force the program to give us a success message. We did this by setting a break point on the line below (four lines above the one Ollydbg dropped us on), letting the program run, and after we entered our password we flipped the number to the right of the giant Z in the registers pane.

This method allows us to always have the "correct" password even though it truly isn't correct. The only downside to this method is that we must always flip that zero flag every single time in order for the program to pass through. What we are going to do now is make the program give us a success message EVERY TIME without having to flip that zero flag. This is called patching.

Now there are many ways we can patch this program .We will go over one, and I will leave it as homework for you to find the other ways to patch the program. The one we are going to use is the most common means of patching.

Step 8: So exactly four lines above the line Ollydbg dropped you on (that is, four lines above the line that says ASCII "Correct, good job!") we want to double click on the assembly code associated with that line. Refer to the pictures to locate the assembly code column as well the line I am writing about.

assembly code column

Select this line and dbl click in assembly code column

Assemble Window Loaded
Step 9: So now you have the assemble window opened. This window will allow us to change the code of the program. The only restrictions you have when changing code are these: we will only be allowed to change the line we selected, and the new code size can not exceed the size of the line of code already there. If we read the Machine Code column, we can see the bytes "75 36". This means this line is two bytes long. We cannot write code in here that exceeds two bytes.

But no worries. The most common patching technique only requires one byte!

In the assemble window that is open enter the instruction "NOP". This is in the infamous NO OPERATION instruction. This instruction simply tells the program to do nothing. Underneath the hood the NOP is a "XCHG EAX, EAX". That means swap the EAX register with the EAX register. Essentially, it means do nothing.

Entering NOP into assemble window

Hit assemble. Then hit close.

NOPs added

Step 10: Notice the assembly code and machine code columns now have text highlighted in red. This means that this code is patched. Also notice that there are two lines that say NOP. Didn't we just have one line? The previous instruction that was there was two bytes in length, and since a NOP is one byte in length the program must fill the remaining empty bytes with one byte instructions that do nothing. In other words, it will fill the remaining space with NOPs.

Let us go ahead and test this program. Go ahead and run the program, and enter whatever password you want =)


Good job! The patch we entered works. Simply NOPing out the jump instruction (explanation on this later) the program gives us the good message.

Step 11: OK let us restart the program now. When you restart the program, the patch that you applied is removed. The original code is set back in place. Ollydbg does save our patches though, so we can reapply them. Let us re-apply the patch we made to the program.

In the menu, click on View and then click on Patches.

The Patches
Like the image above Ollydbg will bring a window forward called Patches. You will notice that there is only one item in this window. One of the columns is titled Original Command, and the lone item that exists in the patch window has a value of  "JNE SHORT 00401594" for this column. To the left of this column is NOP. This is the line we patched.

Right click on this item and hit Apply Patch.

Apply the patch

You will notice that Ollydbg changes your Disassembler - Main Window to the location of the patched line. It will also highlight the patched lines.

Step 12: If both of the NOP lines are not highlighted, go ahead and highlight them with your mouse. Right click anywhere in the highlighted area, and select Edit > Copy To Executable.

Copy to Executable.

You might get an annoying window pop up from Ollydbg that looks like this:

In our way of success
Ignore the instructions from the window. Click OK. In the new window which has the two NOPs at the top, right click in this window and hit Save File... 

Save File!

Ollydbg will continue to block you from your success with another window titled File Changed.

Just let me save!

Click Yes on this window. Ollydbg will give you the Save File As windows dialogue now. This will save the new executable as whatever name you give it with the new instructions patched in. Go ahead and save it somewhere, on your desktop, where ever. Just be sure to have the Save as Type selected to Executable file or DLL. Run the newly patched program and see your success =)

Extra material: In order to become a good reverse engineering, it is imperative that you understand assembly code. You must know what the program is doing at a selected line. I am going to cover why patching that line that we did works. This will be a lesson in assembly language.

If you followed the first two tutorials then you know that the line above the one we patched is the line that determines if the password is correct or not. It compares the password we entered against the actual password. If the password is not the same as the one the author wrote, then the Z(ero) flag in the registers pane is set to 0.

Although the program sets the Z(ero) flag to 0, it has no idea what to do with this 0. The comparing password line does one thing and one thing only. It compares the password entered. It does not know what to do if the password is right or wrong. The line that follows determines what the program should do with the zero flag (the result of the compare).

JNE SHORT 00401594

This is the line that reads the zero flag, and makes a decision of what the program should do. The main instruction in this line, the JNE, reads JUMP IF NOT EQUAL. So this line will jump if the previous result is not equal to whatever it was comparing (which means the zero flag is set to 0). The short means it will jump a short distance from this line (either 129 bytes forward or 126 bytes backwards). And lastly the 00401594 is the address to jump to if not equal. 

So if you enter an incorrect password, you will be sent to the line 00401594


We can see in the picture above that the selected line is on address 00401594. If you look a little down from the selected line, in the comments column, you will see "Wrong!". This is where the program loads the bad message if you failed to guess the correct password. We saw that message load when we were scouting the program in step 2.

So here is an overview of the if structure the program has:

Pseudo Code

If the password is equal then it will fall through and print "Good job!" to the console. If, on the other hand, the password is incorrect, the program will display "Wrong!" to the console.

Here is pseudo code for what our patch did:

ComparePassword func is useless
We removed the entire if structure from the program, so no matter what the ComparePassword() function returns we will still show "Good job!".

That wraps up this tutorial. If you have found other means of patching the executable, post them here for all to see =) Also, I am expecting to write tutorials for much more difficult Crackmes as well  tutorials on iPhone Cracking.

Please leave any feedback here too! I appreciate all comments good or bad. Have a good day!

Thursday, January 16, 2014

Moving Forward

Hey guys,

I want to know what kind of tutorials you want to see. What I have planned currently is: teaching different methods of beating a crackme, solving more difficult crackmes, and tutorials on iPhone cracking. Please tell me the kind of tutorials you want to see? All suggestions are welcome.

Oh. And.

Follow me so we can keep in touch easier:

Facebook Fan Page

Friday, January 10, 2014

Building off of exercise one

I hope tutorial one wasn't overwhelming for you. In this tutorial we are going to explain some of the things you saw in the first tutorial. We are also going to find correct password, so we can enter successfully every single time.

Recall the breakpoint that we set on the line that I said compares if the password entered is correct or incorrect. Well I was lying about that being the line that compares if the password is correct or not. It is the line above that determines if the password is right or wrong. We can see this by reading what is inside the third column. Let's see two photos before some more explaining.

The password checker

Column names

The assembly code column shows us what the program is doing. This is what we read when we are reversing  programs. I do not expect you to be able to understand any of the code that is in the column. Learning to read that code will come with time. Do keep in mind though that reversing programs REQUIRES one to know assembly. If you do not learn assembly eventually, you will not be able to reverse programs like you want to. You can solve many low level Crackme's with very little assembly understanding, but that is the furthest your skill will take you.

Let your first lesson in assembly start today. We'll dissect the password checker. (The line in the red box from the photo above). It reads:


The first word in the assembly line is always the instruction. In this case the word CMP is our instruction. Everything that follows from the first word up until the comma is argument one. Here argument one is DWORD PTR SS:[EBP-4]. Everything after the comma is argument two. Argument two in this case is 7F97E56C. Thus the structure:

instruction argument1, argument2

The CMP instruction compares argument one and argument two for equality. If they both are equal then it sets that number next to the Z (from the previous tutorial) to a one. If they are not equal, then it sets the number next to the Z to a zero. This explains why when we double clicked the number next to the Z in the previous tutorial, the application told us we got the password correct. I'll give a series of steps of what happened in the last tutorial, and then I will explain argument one and argument two a little bit.

Here is what happened last tutorial. This should explain why we solved the application so easily.

1) We set a break point underneath the password checking line
2) We ran the program and entered some bogus password
3) The program runs every line of code until it reaches the break point. This also means it ran the line that determines if the password is correct or not. The result of the password checking line was setting the Z number to a 0 - it was not equal.
4) We manually changed the programs password checking result by changing the zero into a one.
5) We ran the program as if the password was correct all along, allowing us to see the "Correct, Good job!" response.

The explanation for what argument one and argument two are will be difficult to understand but that's fine. We will go over the items upcoming a few times in the tutorials to come. Argument one, or DWORD PTR SS:[EBP-4] is a reference to a location on the stack. Recall in tutorial one the image with the titles of the panels. The stack is the lower right panel.

The stack is the lower right panel

We know it is referencing the stack because of the EBP-4. EBP stands for extended base pointer. Like a variable in programming, the EBP holds data for the program to use. In assembly we call these variables registers. The EBP register stores a location in the stack, so when we say EBP-4 we mean: take the location in stack that EBP is holding and subtract four from it. Let us see what value EBP is holding when the application hit the break point that we set from the previous tutorial.

EBP holds 0028FF38

I used the picture from the last tutorial and added some more mspaint art to it. This is to give you a reference of which point I'm talking about. We can see EBP holds the value 0028FF38. If we look at the stack, we can find that value in the purple boxed area. The same way the EBP register can store data, so too can the stack. At the location 0028FF38 in the stack is the value 0028FF74.

Remember that argument one from the password checking line is [EBP-4]. So we have to subtract four from the EBP to find location the line is using. So if we subtract 4 from 0028FF38 we get the value 0028FF34.
Note: the value 4 and 0028FF34 is in hexadecimal. You can always load up the windows calculator to do the subtraction when the subtraction is no longer simple.

So we can see that [EBP-4] is holding the value 3F. We should open the windows calculator, set the view to programmer, and select hexadecimal on the left side. Enter 3F into the calculator and then select decimal on the left side. The value will be 63. This is the password that I entered. I ask that you also check the value of EBP-4 with the password you entered.

Do you see where this is going? :) If you don't, it is OK. We will learn.

Recall the structure:
instruction argument1, argument2

We have a CMP instruction which means check if argument1 and argument2 are equal. So if argument1 is the value of our password, then argument2 is the password of the application. We can prove this by taking argument2 and entering it into the program.

Recall the value of argument2, 7F97E56C. If we enter that as hexadecimal into the windows calculator and set it to decimal, we get the value

So the password of the application must be 21400661100. Let us verify this.


Thursday, January 9, 2014

The First Exercise

Hello everyone =)

So today we will be breaking our first crackme. This exercise will assume you have ZERO knowledge in the field of reverse engineering. However I do want you to keep in mind this: what you will see will almost likely be extremely difficult to understand, and that is OK. Learning RE is done in very small steps. But let's go ahead and see the big picture first.

Step 1: Go to Google (I will be very careful with not posting links but rather directions. Simply because I feel it is good practice for you to manually go to the authoritative site and get what you need. You never know what's infected.) and type in ollydbg.

Step 2: The first search result that shows up should have the title of Olldbg v1.0 with the domain Enter this website.

Step 3: At the top of the page you will see a hyperlink to "Version 2.01". Click on this link, and a version update page will be presented to you. The top of the page shows the latest version change list. The title of the lastest version as of this writing is "September 27, 2013 - version 2.01. OllyDbgempty language filechicken language file, Disassembler 2.01 (GPL v3, preliminary version without documentation)". Notice the first tag which is "OllyDbg". Click on that tag to begin your download.

Step 4: Go to Google and type in Crackmes. The first link should be a link to a domain of Enter that website. Register an account and login. You will use this site to hone your skills in the future so this is a good account to have.

Step 5: OK. Five steps in and we still have not even began any cracking yet. It's close I promise =) I'm going to give you two methods of finding the Crackmes we want.

This is what you are looking for

a) Search for rewrit's crackme#1 in the search box on the left side of the website. The result you are looking for is like the one in the image above.
b)  Click on "advanced search >>" on the left side of the website underneath the search box. Then make the search options, which appears on the right, look like so. For difficulty select 1 - Very easy, for newbies. For the platform select Windows, and pick C/C++ for language that it is written in. Before you hit search change the sorting order to Easiest first :) You see where this is going don't you? ;) The options should be like the ones in the image below.

Search field parameters you need
Pick these options

Step 6: Click on the Crackme, you will be sent to the details page of that Crackme. Go ahead and download it. The link for downloading is at the top where it says Download ReWrit  s, 127kb.

Step 7: OK. We are VERY CLOSE to beginning! Unpack both the Crackme and Ollydbg v2.0. The Ollydbg zip file will extract a file called ollybdg. Open this application as an administrator.

Step 8: So Ollydbg is opened. It's a pretty application I know. The top left of the application you will see a folder icon. Click this icon and travel to where ever you extracted ReWrit's Crackme zip. Open the executable that came out. It should be called ReWrit's Crackme#1. If you wish, you could also click File > Open and select the executable from there too.

Ollydbg will do some loading if your computer is slow like mine. You will see the loading being done in the bottom left of Ollydbg. This is what everything should look like when it is loaded.

ReWrit's Crackme loaded
Crackme Loaded

I imagine it is very hard to not be overwhelmed with the amount of data that Ollydbg shows you once it has an executable loaded. But don't worry some time from now you will come to appreciate all the information Olly gives you. You might even complain that it isn't enough! But please do not be frightened by all the stuff you see. You will learn everything over time. Today you will see that you don't even need to know much in order to crack a program. Let us continue.

Step 9: Before attempting to crack any program it is important that you see how the program works. This is the scouting stage. We do this simply by using the program as a regular user would, and we keep our eyes open for anything juicy. "Juicy" could be a registration box where you are asked to enter a serial number =). So let us run the program. There are three ways to do this:

a) clicking on the play icon which is located directly underneath the end of the 'W' in View (from the menu bar).
b) Clicking on Debug in the menu bar, and selecting Run.
c) Hitting F9 on the keyboard.

This particular Crackme runs in a console window which looks a lot like a command prompt window. This is what you should see when you run the program.

The Crackme running

Now it is time to do some scouting. So what do you think is juicy on the window that popped up?

If you guessed "password is ONLY numbers!", you are correct!

Let us continue our scouting. We want to map out this program in our head, so it is important we touch everything. Since the only thing we can do next is enter a password, let us enter some numbers. 

My password
Dang. So we can't go further into the program unless we figure out the password. Since we can't compel the author into giving us the password like the NSA would, we will just "crack" this program. 

Go ahead and restart the program so we can get to cracking :)

Restarting can be done by clicking on the icon with two arrows pointing left. It is to the right of the open file icon. You could also go to Debug > Restart, or hit Ctrl+F2

Step 10: When you are attempting to crack a Crackme (or any program =)), it is always good to start your journey with the Strings. The strings I am talking about are ASCII text that Ollydbg has detected during loading of the executable. When you ask Ollydbg for these strings, it will give you a list of where all these strings exist in the program.

Pulling up the strings window in Ollydbg is really easy. Locate the window that opened up when you loaded the executable. It is titled CPU - main thread, module ReWrit's_Crackme#1. Right click in the Disassembler - Main Window (use below photo for directions).

Right click in the Disassembler panel

Put your mouse cursor over Search For and click on All Referenced Strings in the sub-menu. The photo below illustrates what you need to select.

All Referenced Strings is what you want

You'll know you did everything right when the window titled Search - Text strings referenced in ReWrit's_Crackme#1 appears. It will look like the one in the image below.

Strings window

Step 11: OK just as a reminder - we are going to quickly solve this Crackme without explaining every little thing you see. There would be to much information to retain. Remember. Just the big picture =) We will cover everything in tiny little pieces eventually.

So now that the Strings window is opened we are going to look for a string that signifies success. Sometimes this could be "Registration Successful" or "Your product is now registered" =). For this Crackme the string that closely correlates to a success message would look like something that tells us our password we entered is correct. If we look along the comments column in the strings window, we will find a comment that says "Correct, good job!". I am going to assume this is the string we would see if we entered a correct password. There's nothing else that could be a likely candidate, so let us double click on this string.

NOTE: The juicy information we discovered in step 9 will still be used!

The string "Correct, good job!" selected

Double clicking on the string makes Ollydbg bring forth the Main Disassembly window with a line greyed out. Which should look like this:

The line that Olldbg sends us to is where the program loads the string into memory. Reading that line will almost likely go over your head, but that is OK. We don't need to understand this to crack the program. Remember. Big picture =)

What we are going to do next is set something called a break point. A break point is a special thing any debugger can do (Olly DEBUG). Essentially a break point will freeze a program at a given moment. We are going to freeze the program a few moments before it loads the string "Correct, good job!". More precisely, we are going to freeze the program before it decides if the password entered is correct or incorrect.

Four lines above the line that Ollydbg has dropped you on is where the program decides if the password entered is correct or incorrect. Click this line and a grey box will surround it. Now, staying on the same line, place your mouse cursor over the second column from the left and double click. You will notice a change in the most left column. A red box will appear. That is the breakpoint.

Double click those numbers 75 36 inside the black circle

Step 12: Ollydbg has now set a break point on the line that determines how to handle if the password is correct or incorrect. Go ahead and run the program and enter a password again. When you enter the password into the program, you will notice Ollydbg changes the color of the red box (the break point) to black. This means that the program has been successfully frozen.

Now bring your mouse over to the registers pane. It is to the right of the disassembler main window. You will see a bunch of impossible to understand data there, but our only concern is the letter Z. Directly to the right of the letter Z you will see a zero. Double click on this zero and it will change into a one.

Select the zero that is adjacent of the letter Z

Step 13: I am very happy to say that we have accomplished our goal. Hit the run button in Ollydbg (F9 or Debug > Run), and notice the message that shows up in the Crackme.

Good job! ;)