Reverse Engineering 101 Contest Steps<\/h3>\n\n- Get the exe to be hacked<\/li>\n
- Break it open and start exploring.<\/li>\n
- The only rule for the challenge is that it has to be solved by creating a valid key file named eLearnSecurity.dat. No patching is allowed! Test your dat file using the exe. <\/li>\n<\/ol>\n
Download the exe here: https:\/\/www.ethicalhacker.net\/i\/features\/specialevents\/els_re_2013\/elearnsecurity_eh-net_re_challenge2013.7z<\/p>\n
<\/b><\/p>\nStatic analysis with IDA<\/h3>\n
A big giveaway is the following rule:<\/p>\n
\u201cThe only rule for the challenge is that it has to be solved by creating a valid key file named eLearnSecurity.dat<\/b>\u201d.<\/p>\n
That means the binary is reading that file sooner or later. So let\u2019s open the binary in IDA and check the imports. Maybe we find something like ReadFile.<\/p>\n
![\"pic1\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic1_thumb1.png\" "\\"pic1\\"")
<\/a><\/b><\/p>\nSo here the binary reads the file:<\/p>\n
![\"pic2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic2_thumb1.png\" "\\"pic2\\"")
<\/a><\/b><\/p>\nWe also can see that after the function GetFileSize<\/b> there\u2019s a compare against 10h which means, the size of the file is 10h = 16 bytes.<\/p>\n
Scrolling down a little bit we can find the crypto algorithm right after reading the file:<\/p>\n
![\"pic3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic3_thumb1.png\" "\\"pic3\\"")
<\/a><\/b><\/p>\nSince ESI points to the buffer where the file was written in memory, the file should contain 4 dwords like this:<\/p>\n
dword1dword2dword3dword4 <\/pre>\nwhich is represented in memory by this buffer:<\/p>\n
[ESI][ESI+4][ESI+8][ESI+C]<\/pre>\nSo the algorithm is:<\/p>\n
dword4 ^ dword3 ^ dword2 ^ dword1 ^ key1 ^ key2 ^ key3 ^ key4 ^ key5 == 4C833425<\/pre>\nFrom now on it\u2019s pure mathematics and some fiddling\u2026\u2026\u2026\u2026..<\/p>\n
We can influence dword1 to dword4, key1 to key5 are computed at compile time, run time or whatever. We don\u2019t have to care about that at the moment (getting back to key5 soon!) since they are constant for each run of the program, that means key1 ^ key2 ^ key3 ^ key4 ^ key5<\/b> <\/b>is a constant value for each run of the binary. <\/p>\n
And this means the following:<\/p>\n
<\/b><\/p>\ndword4 ^ dword3 ^ dword2 ^ dword1 ^ const_Value == 4C833425<\/pre>\n<\/b><\/p>\n
So we only need to know the value of const_Value <\/b>at runtime! <\/p>\n
But how to get it? <\/p>\n
Well, the check is done here after the crypto algorithm:<\/p>\n
.text:0x004014D9 cmp ecx, 0x4C833425 <\/pre>\nwhere<\/p>\n
ecx = dword4 ^ dword3 ^ dword2 ^ dword1 ^ const_Value<\/pre>\nWe know: A ^ 0 = A<\/p>\n
So if we provide a file with only null bytes then at the time the compare happens we will have in ecx:<\/p>\n
ecx = 0 ^ 0 ^ 0 ^ 0 ^ const_Value = const_Value <\/pre>\nSo we just have to provide a file containing only null bytes, start the binary in a debugger, set a breakpoint at that compare, and check what\u2019s in ecx, right?<\/p>\n
Well, it\u2019s not that easy here as we will see soon! But anyway, as an exercise let\u2019s try that out...<\/p>\n
<\/b><\/p>\nDynamic analysis with Immunity<\/b><\/h3>\n
Starting the binary in a debugger, you are landing here:<\/p>\n
![\"pic4\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic4_thumb.png\" "\\"pic4\\"")
<\/a><\/p>\nUnfortunately it\u2019s horrible to step through the binary since there is a fair amount of anti-debug techniques in place, like this one:<\/p>\n
![\"pic5\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic5_thumb.png\" "\\"pic5\\"")
<\/a><\/p>\nOf course, we can set a BP on the exception handler, and continue stepping through the binary. But we don\u2019t want to lose time on anti-debugging. So let\u2019s search for the ReadFile API:<\/p>\n
![\"pic6\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic6_thumb.png\" "\\"pic6\\"")
<\/a><\/p>\nDouble-click on the first ReadFile entry:<\/p>\n
![\"pic7\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic7_thumb.png\" "\\"pic7\\"")
<\/a><\/p>\nOk, what now??? Because we never get here when running the binary in a debugger due to anti-debug stuff, I suggest to place instructions for an infinite loop here (EB FE), to run the binary and then to attach a debugger to it.<\/p>\n
Here are the steps:<\/p>\n
[*] Patch the binary with an infinite loop:<\/h4>\n
CTRL-E, write down the original bytes which we are changing now (85 C0) to EB FE:<\/p>\n
![\"pic8\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic8_thumb.png\" "\\"pic8\\"")
<\/a><\/p>\n[*] Then save the patched file:<\/h4>\n\n- Copy to executable -> all modifications<\/li>\n
- Save file: \u201celearnsecurity_eh-net_re_challenge2013_patched.exe\u201d<\/li>\n<\/ol>\n
[*] Now run the patched binary and attach a debugger to its process: <\/h4>\n
![\"pic9\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic9_thumb.png\" "\\"pic9\\"")
<\/a><\/p>\nImportant: wait around 10 \u2013 15 seconds before attaching the debugger \u2026..the anti-debugging stuff is running now\u2026\u2026<\/font><\/b><\/p>\n[*] Then start ImmunityDebugger or OllyDbg, attach to the process, press F9 to start and then press F12 to pause the application:<\/h4>\n
-> you land our our loop (EB FE):<\/p>\n
[*] Set a BP here (F2) and restore the original bytes :<\/h4>\n
![\"pic10\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic10_thumb.png\" "\\"pic10\\"")
<\/a><\/p>\n[*] Now we can step through the crypto algorithm (F8) till the compare instruction:<\/h4>\n
![\"pic11\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic11_thumb.jpg\" "\\"pic11\\"")
<\/a><\/p>\nSo here is ECX = A50DA5E3.<\/p>\n
But I\u2019m sorry, this is worth nothing since key5<\/font><\/b> \u2013 the value at DWORD PTR DS:[41B2C4] -<\/b> is generated by some kind of checksum during runtime. If you patch the binary its value is different. Ouch. So if we change even more bytes in the same routine in that binary we receive<\/p>\nECX = 2AF4A100.<\/p>\n
What now?<\/p>\n
Well, checking the rules again we recognize: no patching is allowed! <\/b><\/p>\n
So anyway we are not allowed to patch the binary therefore we need to find another way to solve it \u2013 DBI to the rescue !!!<\/p>\n
Analyzing with DBI (PIN)<\/h3>\n
I then wrote a small PIN Tool which traces all compare instructions and logs the values of ECX into a logfile.<\/p>\n
pin \u2013t PINtrace_INS.dll -- E:\\work\\elearnsecurity_eh-net_re_challenge2013\\elearnsecurity_eh-net_re_challenge2013.exe<\/pre>\n(you can find the source code for the pin tool at the bottom of this post)<\/p>\n
The logfile will look like this:<\/p>\n
0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00411BA4 cmp ecx, eax ECX:0x0018F70C\n0x004041D4 cmp ecx, dword ptr [0x419680] ECX:0x6C6DFEF0\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00407012 cmp ecx, ebx ECX:0x000000FF\nx00407012 cmp ecx, ebx ECX:0x000000FE\n0x00407012 cmp ecx, ebx ECX:0x000000FD\n0x00407012 cmp ecx, ebx ECX:0x000000FC\n0x00407012 cmp ecx, ebx ECX:0x000000FB\n0x00407012 cmp ecx, ebx ECX:0x000000FA\n.\n.\n.<\/pre>\nAlmost at the end of the logfile we find the result for the important compare instruction:<\/p>\n
0x004014D9 cmp ecx, 0x4c833425 ECX:0xCF6FC79D <\/pre>\nNote: ECX is different than in our analysis with ImmunityDebugger.<\/p>\n
So this means:<\/p>\n
const_Value <\/b>= <\/b>0xCF6FC79D<\/p>\n
-> dword4 ^ dword3 ^ dword2 ^ dword1 ^ 0xCF6FC79D = 0x4C833425<\/strong><\/p>\n-> dword4 ^ dword3 ^ dword2 ^ dword1 = 0x83ECF3B8 <\/b><\/p>\n
(0xCF6FC79D ^ 0x4C833425 = 0x83ECF3B8)<\/p>\n
If we deliberately choose <\/p>\n
dword1= 0<\/b>, dword2 = 0<\/b>, dword3 = 0<\/b><\/p>\n
then <\/p>\n
dword4 = 0x83ECF3B8<\/font><\/b><\/b><\/p>\nOk, let\u2019s construct the appropriate dat-file with our favorite hex editor (mind the little endian nuisance):<\/p>\n
![\"pic12\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic12_thumb.png\" "\\"pic12\\"")
<\/a><\/p>\nRun the binary and voila:<\/p>\n
Download the exe here: https:\/\/www.ethicalhacker.net\/i\/features\/specialevents\/els_re_2013\/elearnsecurity_eh-net_re_challenge2013.7z<\/p>\n
<\/b><\/p>\nStatic analysis with IDA<\/h3>\n
A big giveaway is the following rule:<\/p>\n
\u201cThe only rule for the challenge is that it has to be solved by creating a valid key file named eLearnSecurity.dat<\/b>\u201d.<\/p>\n
That means the binary is reading that file sooner or later. So let\u2019s open the binary in IDA and check the imports. Maybe we find something like ReadFile.<\/p>\n
So here the binary reads the file:<\/p>\n We also can see that after the function GetFileSize<\/b> there\u2019s a compare against 10h which means, the size of the file is 10h = 16 bytes.<\/p>\n Scrolling down a little bit we can find the crypto algorithm right after reading the file:<\/p>\n Since ESI points to the buffer where the file was written in memory, the file should contain 4 dwords like this:<\/p>\n which is represented in memory by this buffer:<\/p>\n So the algorithm is:<\/p>\n From now on it\u2019s pure mathematics and some fiddling\u2026\u2026\u2026\u2026..<\/p>\n We can influence dword1 to dword4, key1 to key5 are computed at compile time, run time or whatever. We don\u2019t have to care about that at the moment (getting back to key5 soon!) since they are constant for each run of the program, that means key1 ^ key2 ^ key3 ^ key4 ^ key5<\/b> <\/b>is a constant value for each run of the binary. <\/p>\n And this means the following:<\/p>\n <\/b><\/p>\n <\/b><\/p>\n So we only need to know the value of const_Value <\/b>at runtime! <\/p>\n But how to get it? <\/p>\n Well, the check is done here after the crypto algorithm:<\/p>\n where<\/p>\n We know: A ^ 0 = A<\/p>\n So if we provide a file with only null bytes then at the time the compare happens we will have in ecx:<\/p>\n So we just have to provide a file containing only null bytes, start the binary in a debugger, set a breakpoint at that compare, and check what\u2019s in ecx, right?<\/p>\n Well, it\u2019s not that easy here as we will see soon! But anyway, as an exercise let\u2019s try that out...<\/p>\n <\/b><\/p>\n Starting the binary in a debugger, you are landing here:<\/p>\n Unfortunately it\u2019s horrible to step through the binary since there is a fair amount of anti-debug techniques in place, like this one:<\/p>\n Of course, we can set a BP on the exception handler, and continue stepping through the binary. But we don\u2019t want to lose time on anti-debugging. So let\u2019s search for the ReadFile API:<\/p>\n Double-click on the first ReadFile entry:<\/p>\n Ok, what now??? Because we never get here when running the binary in a debugger due to anti-debug stuff, I suggest to place instructions for an infinite loop here (EB FE), to run the binary and then to attach a debugger to it.<\/p>\n Here are the steps:<\/p>\n CTRL-E, write down the original bytes which we are changing now (85 C0) to EB FE:<\/p>\n Important: wait around 10 \u2013 15 seconds before attaching the debugger \u2026..the anti-debugging stuff is running now\u2026\u2026<\/font><\/b><\/p>\n -> you land our our loop (EB FE):<\/p>\n So here is ECX = A50DA5E3.<\/p>\n But I\u2019m sorry, this is worth nothing since key5<\/font><\/b> \u2013 the value at DWORD PTR DS:[41B2C4] -<\/b> is generated by some kind of checksum during runtime. If you patch the binary its value is different. Ouch. So if we change even more bytes in the same routine in that binary we receive<\/p>\n ECX = 2AF4A100.<\/p>\n What now?<\/p>\n Well, checking the rules again we recognize: no patching is allowed! <\/b><\/p>\n So anyway we are not allowed to patch the binary therefore we need to find another way to solve it \u2013 DBI to the rescue !!!<\/p>\n I then wrote a small PIN Tool which traces all compare instructions and logs the values of ECX into a logfile.<\/p>\n (you can find the source code for the pin tool at the bottom of this post)<\/p>\n The logfile will look like this:<\/p>\n Almost at the end of the logfile we find the result for the important compare instruction:<\/p>\n Note: ECX is different than in our analysis with ImmunityDebugger.<\/p>\n So this means:<\/p>\n const_Value <\/b>= <\/b>0xCF6FC79D<\/p>\n -> dword4 ^ dword3 ^ dword2 ^ dword1 ^ 0xCF6FC79D = 0x4C833425<\/strong><\/p>\n -> dword4 ^ dword3 ^ dword2 ^ dword1 = 0x83ECF3B8 <\/b><\/p>\n (0xCF6FC79D ^ 0x4C833425 = 0x83ECF3B8)<\/p>\n If we deliberately choose <\/p>\n dword1= 0<\/b>, dword2 = 0<\/b>, dword3 = 0<\/b><\/p>\n then <\/p>\n dword4 = 0x83ECF3B8<\/font><\/b><\/b><\/p>\n Ok, let\u2019s construct the appropriate dat-file with our favorite hex editor (mind the little endian nuisance):<\/p>\n Run the binary and voila:<\/p>\n<\/a><\/b><\/p>\n<\/a><\/b><\/p>\n<\/a><\/b><\/p>\ndword1dword2dword3dword4 <\/pre>\n
[ESI][ESI+4][ESI+8][ESI+C]<\/pre>\n
dword4 ^ dword3 ^ dword2 ^ dword1 ^ key1 ^ key2 ^ key3 ^ key4 ^ key5 == 4C833425<\/pre>\n
dword4 ^ dword3 ^ dword2 ^ dword1 ^ const_Value == 4C833425<\/pre>\n
.text:0x004014D9 cmp ecx, 0x4C833425 <\/pre>\n
ecx = dword4 ^ dword3 ^ dword2 ^ dword1 ^ const_Value<\/pre>\n
ecx = 0 ^ 0 ^ 0 ^ 0 ^ const_Value = const_Value <\/pre>\n
Dynamic analysis with Immunity<\/b><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n[*] Patch the binary with an infinite loop:<\/h4>\n
<\/a><\/p>\n[*] Then save the patched file:<\/h4>\n
\n
[*] Now run the patched binary and attach a debugger to its process: <\/h4>\n
<\/a><\/p>\n[*] Then start ImmunityDebugger or OllyDbg, attach to the process, press F9 to start and then press F12 to pause the application:<\/h4>\n
[*] Set a BP here (F2) and restore the original bytes :<\/h4>\n
<\/a><\/p>\n[*] Now we can step through the crypto algorithm (F8) till the compare instruction:<\/h4>\n
<\/a><\/p>\nAnalyzing with DBI (PIN)<\/h3>\n
pin \u2013t PINtrace_INS.dll -- E:\\work\\elearnsecurity_eh-net_re_challenge2013\\elearnsecurity_eh-net_re_challenge2013.exe<\/pre>\n
0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00411BA4 cmp ecx, eax ECX:0x0018F70C\n0x004041D4 cmp ecx, dword ptr [0x419680] ECX:0x6C6DFEF0\n0x00406F8A cmp ecx, dword ptr [0x41a1a0] ECX:0x0041A0C8\n0x00407012 cmp ecx, ebx ECX:0x000000FF\nx00407012 cmp ecx, ebx ECX:0x000000FE\n0x00407012 cmp ecx, ebx ECX:0x000000FD\n0x00407012 cmp ecx, ebx ECX:0x000000FC\n0x00407012 cmp ecx, ebx ECX:0x000000FB\n0x00407012 cmp ecx, ebx ECX:0x000000FA\n.\n.\n.<\/pre>\n
0x004014D9 cmp ecx, 0x4c833425 ECX:0xCF6FC79D <\/pre>\n
<\/a><\/p>\n
![\"pic13\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/12\/pic13_thumb.png\" "\\"pic13\\"")
<\/a><\/b><\/p>\n