Thursday, January 9, 2014

The First Exercise


Hello everyone =)

So today we will be breaking our first crackme. This exercise will assume you have ZERO knowledge in the field of reverse engineering. However I do want you to keep in mind this: what you will see will almost likely be extremely difficult to understand, and that is OK. Learning RE is done in very small steps. But let's go ahead and see the big picture first.

Step 1: Go to Google (I will be very careful with not posting links but rather directions. Simply because I feel it is good practice for you to manually go to the authoritative site and get what you need. You never know what's infected.) and type in ollydbg.

Step 2: The first search result that shows up should have the title of Olldbg v1.0 with the domain ollydbg.de. Enter this website.

Step 3: At the top of the page you will see a hyperlink to "Version 2.01". Click on this link, and a version update page will be presented to you. The top of the page shows the latest version change list. The title of the lastest version as of this writing is "September 27, 2013 - version 2.01. OllyDbgempty language filechicken language file, Disassembler 2.01 (GPL v3, preliminary version without documentation)". Notice the first tag which is "OllyDbg". Click on that tag to begin your download.

Step 4: Go to Google and type in Crackmes. The first link should be a link to a domain of crackmes.de. Enter that website. Register an account and login. You will use this site to hone your skills in the future so this is a good account to have.

Step 5: OK. Five steps in and we still have not even began any cracking yet. It's close I promise =) I'm going to give you two methods of finding the Crackmes we want.


This is what you are looking for


a) Search for rewrit's crackme#1 in the search box on the left side of the website. The result you are looking for is like the one in the image above.
b)  Click on "advanced search >>" on the left side of the website underneath the search box. Then make the search options, which appears on the right, look like so. For difficulty select 1 - Very easy, for newbies. For the platform select Windows, and pick C/C++ for language that it is written in. Before you hit search change the sorting order to Easiest first :) You see where this is going don't you? ;) The options should be like the ones in the image below.

Search field parameters you need
Pick these options


Step 6: Click on the Crackme, you will be sent to the details page of that Crackme. Go ahead and download it. The link for downloading is at the top where it says Download ReWrit  s Crackme#1.zip, 127kb.

Step 7: OK. We are VERY CLOSE to beginning! Unpack both the Crackme and Ollydbg v2.0. The Ollydbg zip file will extract a file called ollybdg. Open this application as an administrator.

Step 8: So Ollydbg is opened. It's a pretty application I know. The top left of the application you will see a folder icon. Click this icon and travel to where ever you extracted ReWrit's Crackme zip. Open the executable that came out. It should be called ReWrit's Crackme#1. If you wish, you could also click File > Open and select the executable from there too.

Ollydbg will do some loading if your computer is slow like mine. You will see the loading being done in the bottom left of Ollydbg. This is what everything should look like when it is loaded.

ReWrit's Crackme loaded
Crackme Loaded


I imagine it is very hard to not be overwhelmed with the amount of data that Ollydbg shows you once it has an executable loaded. But don't worry some time from now you will come to appreciate all the information Olly gives you. You might even complain that it isn't enough! But please do not be frightened by all the stuff you see. You will learn everything over time. Today you will see that you don't even need to know much in order to crack a program. Let us continue.

Step 9: Before attempting to crack any program it is important that you see how the program works. This is the scouting stage. We do this simply by using the program as a regular user would, and we keep our eyes open for anything juicy. "Juicy" could be a registration box where you are asked to enter a serial number =). So let us run the program. There are three ways to do this:

a) clicking on the play icon which is located directly underneath the end of the 'W' in View (from the menu bar).
b) Clicking on Debug in the menu bar, and selecting Run.
c) Hitting F9 on the keyboard.

This particular Crackme runs in a console window which looks a lot like a command prompt window. This is what you should see when you run the program.

The Crackme running

Now it is time to do some scouting. So what do you think is juicy on the window that popped up?

If you guessed "password is ONLY numbers!", you are correct!

Let us continue our scouting. We want to map out this program in our head, so it is important we touch everything. Since the only thing we can do next is enter a password, let us enter some numbers. 


My password
Dang. So we can't go further into the program unless we figure out the password. Since we can't compel the author into giving us the password like the NSA would, we will just "crack" this program. 

Go ahead and restart the program so we can get to cracking :)

Restarting can be done by clicking on the icon with two arrows pointing left. It is to the right of the open file icon. You could also go to Debug > Restart, or hit Ctrl+F2


Step 10: When you are attempting to crack a Crackme (or any program =)), it is always good to start your journey with the Strings. The strings I am talking about are ASCII text that Ollydbg has detected during loading of the executable. When you ask Ollydbg for these strings, it will give you a list of where all these strings exist in the program.

Pulling up the strings window in Ollydbg is really easy. Locate the window that opened up when you loaded the executable. It is titled CPU - main thread, module ReWrit's_Crackme#1. Right click in the Disassembler - Main Window (use below photo for directions).

Right click in the Disassembler panel

Put your mouse cursor over Search For and click on All Referenced Strings in the sub-menu. The photo below illustrates what you need to select.

All Referenced Strings is what you want

You'll know you did everything right when the window titled Search - Text strings referenced in ReWrit's_Crackme#1 appears. It will look like the one in the image below.

Strings window

Step 11: OK just as a reminder - we are going to quickly solve this Crackme without explaining every little thing you see. There would be to much information to retain. Remember. Just the big picture =) We will cover everything in tiny little pieces eventually.

So now that the Strings window is opened we are going to look for a string that signifies success. Sometimes this could be "Registration Successful" or "Your product is now registered" =). For this Crackme the string that closely correlates to a success message would look like something that tells us our password we entered is correct. If we look along the comments column in the strings window, we will find a comment that says "Correct, good job!". I am going to assume this is the string we would see if we entered a correct password. There's nothing else that could be a likely candidate, so let us double click on this string.

NOTE: The juicy information we discovered in step 9 will still be used!

The string "Correct, good job!" selected


Double clicking on the string makes Ollydbg bring forth the Main Disassembly window with a line greyed out. Which should look like this:



The line that Olldbg sends us to is where the program loads the string into memory. Reading that line will almost likely go over your head, but that is OK. We don't need to understand this to crack the program. Remember. Big picture =)

What we are going to do next is set something called a break point. A break point is a special thing any debugger can do (Olly DEBUG). Essentially a break point will freeze a program at a given moment. We are going to freeze the program a few moments before it loads the string "Correct, good job!". More precisely, we are going to freeze the program before it decides if the password entered is correct or incorrect.

Four lines above the line that Ollydbg has dropped you on is where the program decides if the password entered is correct or incorrect. Click this line and a grey box will surround it. Now, staying on the same line, place your mouse cursor over the second column from the left and double click. You will notice a change in the most left column. A red box will appear. That is the breakpoint.

Double click those numbers 75 36 inside the black circle

Step 12: Ollydbg has now set a break point on the line that determines how to handle if the password is correct or incorrect. Go ahead and run the program and enter a password again. When you enter the password into the program, you will notice Ollydbg changes the color of the red box (the break point) to black. This means that the program has been successfully frozen.

Now bring your mouse over to the registers pane. It is to the right of the disassembler main window. You will see a bunch of impossible to understand data there, but our only concern is the letter Z. Directly to the right of the letter Z you will see a zero. Double click on this zero and it will change into a one.

Select the zero that is adjacent of the letter Z

Step 13: I am very happy to say that we have accomplished our goal. Hit the run button in Ollydbg (F9 or Debug > Run), and notice the message that shows up in the Crackme.


Good job! ;)

6 comments:

  1. Man, you are a saint. Learning how to START reverse engineering seems like it's harder than the actual reverse engineering.

    Thanks!

    ReplyDelete
    Replies
    1. Reversing is a multidisciplinary field. In order to get better and better at it, you will find you must pull together many different arts; programming ,networking, operating system internals, maybe some security theory, and more. But this ultimately depends on what you want to reverse and how far you want to go.

      For breaking games or crackmes you don't need all of that (depends), but when you enter the realm of security you will see a natural need for more knowledge

      Delete
  2. A very nice and elaborate tutorial. I guess i have an idea for another way to patch the crackme. Can we use the JMP command just before the password comparison and make it JMP the execution to the statement where it prints success?

    Thank you.

    ReplyDelete
    Replies
    1. Thanks for your comment Rohan. If you mean to replace the assembly CALL before the CMP, then I fear the program would break. You may change the assembly of the CMP itself though, or the JNE below the CMP instruction. If you are referring to placing a JMP somewhere way before the password even compares, then yes =) its possible. In bigger programs somethings might go haywire though

      Delete
    2. Oh alright. So how can we determine how far before to place the JMP. Or do we have to use a trial and error method?
      Thank you.

      Delete
    3. You can use trial and error. But you should also use some thought to lessen your area of testing. Try sometime after the console is loaded.

      Delete