0x00 Preamble
Last year played a few months of penetration testing, originally felt very high-end appearance, now seems to be a few tricks, so began to toss reverse engineering. The learning process refers to the "reverse engineering Core Principles" This book, speaking very detailed, according to the above steps to crack a few crackme, and then found themselves on the Internet some programs to play, The first independent successful crack afkayas.1, a little excited, so the crack process recorded, as a gateway to open the door of the reverse engineering milestone it.
0x01 Preparation
Playing reverse engineering requires at least one debug tool, where I recommend ollydbg. Also need some small program, can take advantage of existing Crackme small program.
0x02 First Run
After getting the program, run it first to see what the features are:
This is a typical string sequence cracker that launches serial based on the value of name.
We try to enter:
One obvious feature is that when you click the OK button, the program will bounce and the feature string will be displayed.
0x03 Start Debugging
We open the ollydbg, which is roughly the case after loading the program:
1. Query feature string
According to the above box can be inferred, if the serial input is correct, it will prompt the success of the message, the above we obtained the failure of the string, as follows the following steps in the code snippet to find:
First right-click Code area, "Search for" = "All referenced text strings"
In the New dialog box, locate the failed prompt string:
Double-click one of these to return to the code area where you can see the string that failed and succeeded in the comment:
2. Condition judgment
We found that the success and failure of the string is not far apart, can be initially determined that the program will be judged before this, if the input serial correct success, or failure; then we look up and find the entry point of the call string comparison function:
3. Parameter passing
We know we need to pass the appropriate arguments to a function when it is called. The Assembly calls the function before it is called, and then calls the function with the call instruction. We find that there is an instruction before the string comparison function PUSH EAX
, and we can assume that the EAX here is the first address of the string.
4, find out the real serial
We set the breakpoint before the string comparison function (press F2) and then execute (press F9). Note that the middle will pop up the main interface, we need to enter and then click the OK button:
Then the program stops at the place where we set breakpoints, look at the stack area (bottom right), you can see the top of the stack is the real serial address, note has been marked serial:
Then we open the original program, enter name and serial:
Discovery has been successfully cracked. Let's look further at the real cause.
0x04 Hack encryption method
Above we have successfully cracked serial, but do not know how to get serial from the name, we will explain in detail below.
1. Starting point of the function
Each function has a starting point, and in the IA32 schema, the function has its own stack frame, so it first creates its own frame:
PUSH EBP ;保存调用者的帧指针MOV EBP, ESP ;创建自己的帧SUB0C ;分配局部存储空间
When we click the OK button, we call the function to read name, encrypt name to get serial, compare serial and so on, so we first need to find the starting point of the function:
From the string comparison function just looked up to see:
2. Get Name
One thing we should understand is that after clicking the button, the program first gets the name string, which generates serial, so we need to find the location of the name string below:
Stepping (pressing F8), we found the input name at the top of the stack before the program called Strlen:
3. Detection of suspicious targets
After getting the name, and then getting serial, looking down, we found some suspicious functions, plus breakpoints (press F2):
4. Lock target
We directly execute (press F9), found that three suspicious functions are nothing special, when the execution to the previous string comparison function when the correct serial, looking up to see the serial in the "aka-":
This part is directly splicing up, so you can conclude that the rest of the serial in the several suspicious functions produced, so we continue to run, re-enter name, run to the last suspicious function, press F7 into the function:
Press F8 to step through the instructions, to the following will jump:
After jump:
This adds a breakpoint to the jump point, and then proceeds to F8 single-Step execution:
Serial occurred in the register when executing to the second call command:
The previous instruction of this instruction is:
LEAECX,[EBP-1C]
It can be inferred that the function computed by the first call instruction after the jump is calculated serial, so we F7 go inside to see:
Repeated F7 we find that there is a loop:
This instruction is interesting, it put the value of ECX in EAX, and then constantly use EAX in addition to 10 (hex 0xA), the resulting quotient placed in the EAX, the remainder moved to the EDI point of memory buffer; in fact, the ECX into a decimal string.
We found that serial from ECX, recorded its value (000d6504), we look forward to ECX.
5. Reverse Analysis
F9 run to the end, re-enter name, continue to run to the breakpoint (the third suspicious function), found that EDI has been modified to 000d6504, so we track EDI:
Looking closely at the nearby instructions, we found that there were a lot of EDI-oriented, so we went back to the first of the three suspicious functions and started stepping:
The result is very exciting: EDI = strlen(name) * 0x17CFB;
Figure out is 000d64d3, and 000d6504 poor 0x31, continue F8 Single step:
See, the second suspicious function returns 0X31, so we just need to figure out what the 0x31 is all about, and continue to trace the second suspicious function:
F7 after entering, F8 single step, hit target:
After calling the system function, it appears when MOVZX AX,BYTE PTR [EBP-2]
AX becomes 0x31, right-click the Register area to see the area of name in memory:
Discover that 0x31 is the ASCII code of name's first character ' 1 '.
6, the Final Judgment
After the above analysis, we can extrapolate the algorithm from name to serial:
serial = ‘AKA-‘ + 逆序itoa(strlen(name0x17CFBname[0]);
0x05 Program Validation
According to the above steps, we cracked the encryption method, the following we use C language Program verification:
#include <stdio.h>#include <string.h>#define BUFSIZ 1024x768intMain () {CharName[bufsiz];CharSerial[bufsiz];intnum, i =0;printf("Input Your name:");scanf('%s ', name);printf("serial:aka-"); num =strlen(name) *0X17CFB+ name[0]; while(Num >0) {serial[i++] = num%Ten+' 0 '; Num/=Ten; } while(i--)Putchar(Serial[i]);Putchar(' \ n ');return 0;}
The program is simple, first gets the name, then the median num based on the above analysis, then converts num to a string, and the string is output in reverse order.
1, C language program operation results
2. Afkayas.1 operation result
We can see that in fact the middle number of the program is only related to the length of the string and the first character.
0x06 Summary
The first time to write such a long blog post, the first time to do reverse analysis, the first to crack a small program.
Reverse engineering Combat--afkayas.1