{"id":9051,"date":"2012-05-14T15:00:07","date_gmt":"2012-05-14T13:00:07","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9051"},"modified":"2012-05-14T15:00:07","modified_gmt":"2012-05-14T13:00:07","slug":"reversing-101-solving-a-protectionscheme","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/14\/reversing-101-solving-a-protectionscheme\/","title":{"rendered":"Reversing 101 - Solving a protection scheme"},"content":{"rendered":"

 <\/p>\n

Introduction:<\/strong><\/h3>\n

In this post, we'll look at an application reversing challenge from HTS (hackthissite.org) resembling a real-life protection scheme. You can find a copy of the challenge here:\u00a0\u00a0 http:\/\/www.hackthissite.org\/missions\/application\/app17win.zip<\/a><\/p>\n

Put simple, the program creates a key for your username, and compares it to the one you enter.<\/p>\n

This tutorial is not meant as a spoiler for HTS since for every username a dedicated password will be computed. This tutorial is purely written to allow you to understand how some (even real-life) protection schemes are implemented.<\/p>\n

The goal of the HTS challenge is to create a key generator, but in this tutorial I just want to find out my own dedicated password.<\/p>\n

Note: the length of the password is NOT static, and there are no anti-debugging mechanisms in effect \ud83d\ude42<\/p>\n

I used Windows XP SP3, so if you have a different windows version the addresses may be different as well.<\/p>\n

Thanks to HTS, and thanks to NightQuest for coding this nice application.<\/p>\n

 <\/p>\n

Run the application:<\/strong><\/h3>\n
Z:\\HTS\\app17win>app17win.exe\n******************************************\n* HackThisSite Application Challenge #17 *<\/span>\n*    Coded by NightQuest - 02-14-2009    *\n******************************************\nObjective:\nYou need to create a key that is unique to your HackThisSite username.\nThe idea is to create a keygen, but any method is allowed.\nAn example would be:\nUsername: SomeUserName\nPassword: HTS-1234-5678-9012-3456\nUsername: fancy\nPassword: **********\nUsername: fancy\nPassword: ****\nUsername:<\/pre>\n
As you can see, when you supply the wrong password, you'll be asked to input your username again!<\/p>\n
 <\/p>\n
Find the password:<\/strong><\/h3>\n
Start the program (inside the debugger right away), enter your username and an arbitrary password. Do NOT press enter after entering the password.\u00a0 The idea is to use the debugger to \"hook\" into the execution flow at this point, and see what happens.<\/p>\n
Username: fancy\nPassword: 123456<\/pre>\n
Press the pause button (or press F12) in the debugger (OllyDbg or Immunity Debugger) to interrupt the execution.\u00a0 Next, press Alt-F9 (return to user).\u00a0 This will tell the debugger to break as soon as it returns from any Operating System code and starts executing code from the application itself again.<\/p>\n
The process should now be running again.\u00a0 Open the command prompt and press enter.\u00a0 You'll notice that the debugger will intervene and pause the process again right after a call to kernel32.ReadConsoleInputA<\/p>\n
\"app17_1\"<\/a><\/p>\n
The idea now is to continue to step through the application, and try to see where our input was used.\u00a0 Let's use F8 (step over) to step through the instructions at this time.\u00a0 F8 will step over CALL instructions (to keep things a bit easier at this point), but we do need to keep an eye on the stack, every time we're about the execute a CALL.<\/p>\n
In fact, whenever reaching a CALL instruction, before pressing F8, check the stack and see if we can see our username and password on the stack.<\/p>\n
Press F8, and you should find this \"magic call\":<\/p>\n
00402210   E8 8AEEFFFF     CALL app17win.0040109F         ; # magic call<\/span><\/pre>\n
 <\/p>\n
\"app17_2\"<\/a><\/p>\n
Why is this the \"magic\" call? <\/strong><\/h5>\n
Well, not only does it use the input, but also returns a value in eax.\u00a0 It basically sets AL to 1 if a wrong password is given. When it returns AL=0, the \"TEST AL,AL\" would set the zero flag, so the \"JNZ\" instruction below would not be taken. The app will then tell you: \"Congratulations! Enter that password on HackThisSite<\/em>.<\/p>\n
Let's evaluate what happens inside this call. Instead of setting over the call with F8, use F7 to step into the call.<\/p>\n
Then use F8 to step until you reach 0x004012B2.\u00a0 This is where AL is set to 1 (indicating the password is wrong).\u00a0 You'll notice that the routine jumped directly to the MOV AL,1 instruction, and didn't execute the XOR AL,AL and JMP just above it:<\/p>\n
\"app17_3\"<\/a><\/p>\n
Anyways, AL is set to 1, but we we should avoid this !!!\u00a0 In fact, we should try to make the application jump to<\/p>\n
004012AE     32C0         XOR AL,AL<\/pre>\n
 <\/p>\n
There are a lot of compare functions in this routine, and a lot of things are going on.<\/p>\n
Let\u2019s set a breakpoint at the magic CALL at 00402210, restart the application and enter a password in the format suggested by the application. In fact, you'll need to use your hackthissite.org username.<\/p>\n
I used \"fancy\" before, but my real username is \"fancy__004\", so that's what I'll use from this point forward \ud83d\ude42<\/p>\n
Username: fancy__04\nPassword: HTS-1234-5678-9900-1122<\/pre>\n
 <\/p>\n
When the breakpoint at 0x00402210 gets hit, we can enter the function again with F7 and step through the routine.<\/p>\n
You'll see that there's a a lot of calls to this function:<\/p>\n
004011B3     E8 68150000       CALL app17win.00402720<\/pre>\n
By stepping into this function you\u2019ll see that there\u2019s a lot of computing done. To understand the algorithm behind calculating the password you have to examine this function.<\/p>\n
But I\u2019ll continue since I just want to have my password.<\/p>\n
We will encounter 2 compare functions which are not important to us, like this one:<\/p>\n
\"app17_3b\"<\/a><\/p>\n
 <\/p>\n
But then this compare function is interesting:<\/p>\n
\"app17_4\"<\/a><\/p>\n
 <\/p>\n
Why is this compare interesting?<\/h5>\n
If you follow the jump which is taken when these values are not equal, AL is set to 1 (remember: we need AL = 0<\/strong>) and then the function returns.<\/p>\n
\"app17_4b\"<\/a><\/p>\n
So here we have a compare of the values 10<\/strong> and 12<\/strong>.<\/p>\n
Note: it\u2019s in hex, in decimal it is: 16 != 18<\/p>\n
So what does that mean??<\/h5>\n
Well, based on the input we provided (the username & password), we can derive this relationship:<\/p>\n