Thursday, January 23, 2014

Patching The Executable

Greetings everyone and welcome to the third tutorial of the reverse engineering for newbs series. Today we are going to cover... patching! But you knew that already =)

NOTE: The knowledge from tutorial 1 & 2 is not needed for learning this technique; HOWEVER, if you want to be a good reverse engineer, then you will want to learn what was covered in tutorial 1 & 2. If you find yourself completely lost in this tutorial, do not feel that reversing isn't for you. Reading tutorial 1 & 2 will help you understand this one.

OK. We are going to use the same exact Crackmes that we used in both tutorial 1 & 2. Here is a link to tutorial one if you need instructions on getting the Crackmes. Because this tutorial is supposed to be stand-alone I will go over the steps covered in tutorial 1 & 2 to reaching the string we need. Now let us begin.

Step 1: Open ReWrit's Crackme #1 inside Ollydbg. Your Ollydbg should look like mine from the picture below when the Crackme is successfully loaded.

ReWrit's Crackme Loaded


Step 2: The first thing we do every time we want to solve a Crackme is run it. So let's go ahead and run the program to scout for juicy information. We have four ways to run the Crackme. First: run the Crackme outside of Ollydbg =) Second: click on the play icon in Ollydbg which is located underneath the 'w' in View on the menu bar. Third: select Debug from the menu and hit run. Fourth: hit F9 on your keyboard.




Step 3: Okay so the Crackme is running! Let us go ahead and look around for some juicy stuff. We immediately notice that the Crackme is a console app, so that kind of takes away the need to search around. Since we only have one possible path to go at the moment, let us tread along.

We are asked to enter a password, but the program says that the password is NUMBERS ONLY. That is a very important clue. It is not every day that a Crackme will tell you how the password (or answer) is shaped. So if the author of the Crackme is not lying then we already have discovered an important clue just from running the app. The password is only in numbers. Let us enter the password then =)

I went ahead and entered my password:

Dang

And you can see I was wrong. It is always worth the try! OK from this point on it seems we can't do anything else, so let us go ahead and restart the program.

Step 4: Restarting is as easy as switching to Ollybdg and hitting Ctrl + F2. You may also click on the icon to the right of the open file icon underneath the menu bar. It is the one with two arrows pointing to the left. And lastly you can go to Debug > Restart from the menu.


Step 5: OK we got a feel for the program. Now let us start cracking it. Right click in the Disassembler - Main Window, hover the mouse over Search For and select All Referenced Strings. Remember one of the best starting points for tackling a Crackme or any program is the strings of the program. A lot of  potentially program breaking information can be found in the strings.


Right click in the Disassembler - Main Window

Search for All Referenced Strings


Ollydbg will bring a window to the front that is titled Search - Text Strings referenced in ReWrit's_Crackme#1. See the image below for a reference.


Strings Window

We want to select a useful string here. If you read tutorial 1 & 2, this is all repetitive to you, and that must be a little boring. But these steps will have to be replicated over and over again in every Crackme we solve. You will see =)


Step 6: So we are going to look for a string that will point us closely to the function that determines if the password we entered is correct or incorrect. Let us go ahead and locate the "Correct, good job!" string. Once you find it double click on it. Ollydbg will select a line of code that loads the string.

Select this string

Ollydbg brings you here
Step 7: OK patching time. Do know that I am considering you have close to zero understanding of what you see on the screen. The only goal of this tutorial is to show you what patching is. Later on we will learn all the tiny bits piece by piece. Trying to teach you everything you see on the screen will be overwhelming.

So if you read the previous tutorials you will know that exactly five lines above the line Ollydbg dropped you on is the line that determines if the password is correct or incorrect. In tutorial one we flipped the Zero flag after this line computed in order for us to force the program to give us a success message. We did this by setting a break point on the line below (four lines above the one Ollydbg dropped us on), letting the program run, and after we entered our password we flipped the number to the right of the giant Z in the registers pane.

This method allows us to always have the "correct" password even though it truly isn't correct. The only downside to this method is that we must always flip that zero flag every single time in order for the program to pass through. What we are going to do now is make the program give us a success message EVERY TIME without having to flip that zero flag. This is called patching.

Now there are many ways we can patch this program .We will go over one, and I will leave it as homework for you to find the other ways to patch the program. The one we are going to use is the most common means of patching.

Step 8: So exactly four lines above the line Ollydbg dropped you on (that is, four lines above the line that says ASCII "Correct, good job!") we want to double click on the assembly code associated with that line. Refer to the pictures to locate the assembly code column as well the line I am writing about.

assembly code column


Select this line and dbl click in assembly code column

Assemble Window Loaded
Step 9: So now you have the assemble window opened. This window will allow us to change the code of the program. The only restrictions you have when changing code are these: we will only be allowed to change the line we selected, and the new code size can not exceed the size of the line of code already there. If we read the Machine Code column, we can see the bytes "75 36". This means this line is two bytes long. We cannot write code in here that exceeds two bytes.

But no worries. The most common patching technique only requires one byte!

In the assemble window that is open enter the instruction "NOP". This is in the infamous NO OPERATION instruction. This instruction simply tells the program to do nothing. Underneath the hood the NOP is a "XCHG EAX, EAX". That means swap the EAX register with the EAX register. Essentially, it means do nothing.

Entering NOP into assemble window

Hit assemble. Then hit close.

NOPs added

Step 10: Notice the assembly code and machine code columns now have text highlighted in red. This means that this code is patched. Also notice that there are two lines that say NOP. Didn't we just have one line? The previous instruction that was there was two bytes in length, and since a NOP is one byte in length the program must fill the remaining empty bytes with one byte instructions that do nothing. In other words, it will fill the remaining space with NOPs.

Let us go ahead and test this program. Go ahead and run the program, and enter whatever password you want =)

Success!

Good job! The patch we entered works. Simply NOPing out the jump instruction (explanation on this later) the program gives us the good message.

Step 11: OK let us restart the program now. When you restart the program, the patch that you applied is removed. The original code is set back in place. Ollydbg does save our patches though, so we can reapply them. Let us re-apply the patch we made to the program.

In the menu, click on View and then click on Patches.

The Patches
Like the image above Ollydbg will bring a window forward called Patches. You will notice that there is only one item in this window. One of the columns is titled Original Command, and the lone item that exists in the patch window has a value of  "JNE SHORT 00401594" for this column. To the left of this column is NOP. This is the line we patched.

Right click on this item and hit Apply Patch.

Apply the patch

You will notice that Ollydbg changes your Disassembler - Main Window to the location of the patched line. It will also highlight the patched lines.


Step 12: If both of the NOP lines are not highlighted, go ahead and highlight them with your mouse. Right click anywhere in the highlighted area, and select Edit > Copy To Executable.

Copy to Executable.

You might get an annoying window pop up from Ollydbg that looks like this:

In our way of success
Ignore the instructions from the window. Click OK. In the new window which has the two NOPs at the top, right click in this window and hit Save File... 


Save File!

Ollydbg will continue to block you from your success with another window titled File Changed.

Just let me save!

Click Yes on this window. Ollydbg will give you the Save File As windows dialogue now. This will save the new executable as whatever name you give it with the new instructions patched in. Go ahead and save it somewhere, on your desktop, where ever. Just be sure to have the Save as Type selected to Executable file or DLL. Run the newly patched program and see your success =)


Extra material: In order to become a good reverse engineering, it is imperative that you understand assembly code. You must know what the program is doing at a selected line. I am going to cover why patching that line that we did works. This will be a lesson in assembly language.

If you followed the first two tutorials then you know that the line above the one we patched is the line that determines if the password is correct or not. It compares the password we entered against the actual password. If the password is not the same as the one the author wrote, then the Z(ero) flag in the registers pane is set to 0.

Although the program sets the Z(ero) flag to 0, it has no idea what to do with this 0. The comparing password line does one thing and one thing only. It compares the password entered. It does not know what to do if the password is right or wrong. The line that follows determines what the program should do with the zero flag (the result of the compare).

JNE SHORT 00401594

This is the line that reads the zero flag, and makes a decision of what the program should do. The main instruction in this line, the JNE, reads JUMP IF NOT EQUAL. So this line will jump if the previous result is not equal to whatever it was comparing (which means the zero flag is set to 0). The short means it will jump a short distance from this line (either 129 bytes forward or 126 bytes backwards). And lastly the 00401594 is the address to jump to if not equal. 

So if you enter an incorrect password, you will be sent to the line 00401594

00401594


We can see in the picture above that the selected line is on address 00401594. If you look a little down from the selected line, in the comments column, you will see "Wrong!". This is where the program loads the bad message if you failed to guess the correct password. We saw that message load when we were scouting the program in step 2.

So here is an overview of the if structure the program has:

Pseudo Code


If the password is equal then it will fall through and print "Good job!" to the console. If, on the other hand, the password is incorrect, the program will display "Wrong!" to the console.

Here is pseudo code for what our patch did:

ComparePassword func is useless
We removed the entire if structure from the program, so no matter what the ComparePassword() function returns we will still show "Good job!".


That wraps up this tutorial. If you have found other means of patching the executable, post them here for all to see =) Also, I am expecting to write tutorials for much more difficult Crackmes as well  tutorials on iPhone Cracking.

Please leave any feedback here too! I appreciate all comments good or bad. Have a good day!

4 comments:

  1. When is the next tutorial coming?

    Thank you.

    ReplyDelete
  2. So I had my go at this, and came up with some other solutions.
    1. I changed the JNE to JE. This way you will get the opposite response of the original program.
    2. I changed the "Wrong!" assembly to "Correct!..." This way you will always get the "Correct!.." message wether you guessed right or not.
    I also wanted to patch the program so that it didn't make the jump, and wrote teh "Correct.." message at once, but I don't know how to do this right now.
    Duplication of the registers would also be cool if it is possible, so when you write in your bogus passwd, it checks if it is equal to itslef, and then jumps to "Correct!.." message. Altho I dont know how to do this at all...

    Hope my contributions are correct/helped. If someone can help me in my struggles it would be great.

    Thanks to Nicholas for doing this, RE is much amazing. wow.

    ReplyDelete
  3. This is fantastic, I hope your next lesson is out soon! Thanks for all the work you're putting into this

    ReplyDelete
  4. Keep up the good work. These tutorials are amazing. They're extremely coherent and easy to follow even though they are my first ever exposure to RE

    ReplyDelete