Cracking Using IDA Pro
In this post, we will learn how to use IDA Pro to disassemble, debug, and crack a simple crackMe program. You may download a copy of crackMe; simply unzip it, load it into IDA Pro, and follow along. After unzipping the target binary and running it, we find ourselves in the following scenario: we have a piece of software that asks for a passphrase or key to unlock it.
Since we don’t know the correct passcode, the software exits with a “wrong password” message. All is not lost. This is the power of reverse engineering with tools such as IDA Pro’s disassembler and debugger: we don’t need the source code to learn how the software works. With just a debugger and a disassembler, we can often extract keys and learn a lot about our target software. After installing the IDA demo, double-click the IDA demo icon and you should see a window like the one below. Select the “New” button and open your crackMe binary, then click OK in the “Load New File” window. IDA will ask if you want to switch to “proximity view now”; simply click the “No” button.
You should see a window similar to the screenshot below. At the very top is the navigation band. It gives a layout of the binary as loaded in the virtual address space of the process. The dark blue bands refer to code or functions written inside the binary. The light blue bands refer to functions that come from a library (e.g. the C runtime library), and the pink area refers to Windows APIs that are imported from Dynamic Link Libraries (DLLs).
The boxes on the left side contain a function window and a graph overview window. Both can be used to quickly navigate to areas of code that might be interesting to investigate.
The middle window contains a call graph of the entire binary. You can change from this call graph view to a flat listing view by hitting the space bar; the space bar toggles back and forth between the two. Before examining the code, let us first set up IDA’s debugger. In the menu bar, select Debugger, then in the dialog box select the Local Win32 debugger. Once the debugger is set, the green debugging arrow should be activated. Before we begin debugging, let’s navigate around the code to find some interesting landmarks.
Right at the start, we can see a call being made to a Windows API, IsDebuggerPresent. According to its Windows API documentation, this function determines whether the calling process, i.e. crackMe, is being debugged by a user-mode debugger.
It sets EAX to 1 if the calling process is being debugged and to 0 if it is not. If we were to start the IDA debugger now (green arrow button or the F9 key), crackMe would simply exit, so we will have to deal with this common anti-debugging technique. Scrolling down a little way, we see what looks like a command prompt asking for the passphrase, followed by some sort of comparison routine.
Note the hard-coded string that is moved into the ECX register: it looks like this comparison routine is comparing the user’s command line input to the hard-coded string “ericroolz”. Just by static examination, we managed to extract the passphrase. We can test that by running crackMe from the command line and typing in “ericroolz”; we should get the “Correct password” message.
That is one way to defeat this example. But suppose we did not see the passphrase: perhaps it was obfuscated or encrypted, or buried in thousands of lines of code. All is not lost; we can use IDA’s debugger to step to this crucial decision point and then manipulate the result in EAX or the JNZ instruction so that the path to the correct password message is always taken. But first we have to deal with the IsDebuggerPresent check at the start of the code. Set a breakpoint at the very start of the program, as in the screenshot below (hit the F2 key and a red band indicates the breakpoint is set). Now hit Run or F9, and we should break. While paused at this breakpoint, hit the ‘G’ key and type “kernel32_IsDebuggerPresent” in the resulting dialog box.
(It is important to include the kernel32 prefix and the underscore along with IsDebuggerPresent.) You should wind up inside the function. Next, set a breakpoint (F2) at the “retn” instruction at address 7C8130B0. Right-click on that breakpoint and select “Edit Breakpoint”. In the resulting dialog box, set the condition to EAX=0 (a single equals sign, which in IDA’s condition language assigns rather than compares) and unselect the Break check box under Actions, then click OK. We are setting the breakpoint so that the program is not suspended when it is hit; instead, evaluating the condition sets the return value of IsDebuggerPresent (stored in EAX) to 0 every time. Regardless of the fact that we are running crackMe in IDA’s debugger, the check will always return false, and we fool the program into continuing under our debug session. Next, hit the ‘G’ key again and type ‘eip’ in the box.
This takes us back to our current breakpoint, that is, to where the instruction pointer is currently pointing. Next, we navigate to the crucial decision point we saw earlier during static analysis: go to loc_401067 and set a breakpoint there (use the ‘G’ key again and type in the address). After hitting F9 again, the debugger runs to the breakpoint we just set. Open the resulting command window and enter any passphrase you want (I typed in “whatever” and hit Enter). After typing any passphrase, we hit the breakpoint. Note the value in the EAX register. The TEST EAX, EAX instruction checks whether EAX is 0 or not.
Since it is 1, the JNZ instruction will jump us to the incorrect password message. We don’t want that. We can do one of two things:
1. Change the value of EAX: highlight the EAX register, right-click and choose “Zero value”. This changes EAX to 0 and we take the path to the correct password message.
2. Step past the TEST EAX, EAX instruction and pause on the JNZ instruction. If EAX were 0, the TEST instruction would set the zero flag (ZF = 1), but since what I typed in won’t match “ericroolz” either, the zero flag is not set (ZF = 0). We can simply change the zero flag by right-clicking on the ZF value and choosing “Increment value”. This increments ZF from 0 to 1, so the JNZ does not jump and we reach the correct password message.
I will demonstrate method number 1.
You may re-run this example and try method 2 if you wish. Right-click on the EAX value and choose “Zero value” to zero out EAX. Note that the EAX value changed to 0; if we single-step past the TEST instruction, you should see the red arrow pointing to the correct password message blinking. That signifies that we will take that path after setting EAX to 0. If we continue to run the debugger (F9), we see that even though we clearly entered the wrong key, we were still able to “unlock” our program. Now that we know the crucial decision point, we could use an editor such as OllyDbg and change the JNZ instruction to something that always jumps to the correct message location, no matter what passphrase is typed in. Although this example was rather simple, it does illustrate the power of using a disassembler and a debugger together. Even though we do not possess the source code, that did not prevent us from learning how our target binary worked. Once we understood how our binary worked, we were able to manipulate it into “unlocking” itself.
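As an added example (constructed for this post, not the crackMe’s own code), here is a C model of the decision point just discussed: the “before” form keeps the passphrase as a literal, which is exactly what the static examination recovered, while the “after” form embeds only a digest so that a strings search or a MOV of a literal no longer gives the passphrase away. The djb2 hash, the digest constant and the function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the crackMe decision point, not the crackMe's own code.
 * "Before": the passphrase is a literal, so it shows up in IDA's strings window
 * and in the MOV into ECX that the static examination above spotted. */
static const char PLAINTEXT_KEY[] = "ericroolz";

int check_plaintext(const char *input)
{
    /* the strcmp result lands in EAX; the caller then does TEST EAX,EAX / JNZ */
    return strcmp(input, PLAINTEXT_KEY) == 0;
}

/* "After": only a digest is embedded. djb2 is a stand-in chosen so the constant
 * below can be checked by hand; real software would use a slow, salted KDF
 * (PBKDF2, scrypt or Argon2), since a fast hash of a short key is brute-forceable. */
uint64_t digest(const char *s)
{
    uint64_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;   /* unsigned wrap is well defined */
    return h;
}

/* digest("ericroolz"), computed offline (assumed value for this example). The
 * passphrase itself is now absent from the binary, so static examination alone
 * no longer yields it. */
static const uint64_t KEY_DIGEST = 249887242957700030ULL;

int check_digest(const char *input)
{
    return digest(input) == KEY_DIGEST;
}

/* Either way the outcome is a single branch. A debugger can still zero EAX,
 * toggle ZF or patch the JNZ exactly as the walkthrough shows, so a check that
 * runs inside the user's own process only hides the secret; it cannot enforce
 * the decision. Anything that matters must be enforced outside that process. */
int main(int argc, char **argv)
{
    const char *input = argc > 1 ? argv[1] : "whatever";
    puts(check_digest(input) ? "Correct password" : "wrong password");
    return 0;
}
```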
I would like to introduce you now to a more advanced and professional cracking technique: cracking using a debugger. What is a debugger? In a few words, a debugger is a piece of software that lets us look at the asm code before and after it is executed by the CPU. The debugger pauses the execution of the code and allows us to trace it step by step as the CPU executes it. All crackers use a debugger; even W32Dasm has a debugger built in, but it is not very comfortable.
The most advanced debugger for cracking, used by all crackers, is OllyDbg. This tool will become your friend, your partner; it will be your tool number one! Configuring your OllyDbg: let's do some configuration. Press Alt+O to access the options and go to the CPU menu. Make your settings look like in this picture. After this, go to the EXCEPTIONS menu and make your settings look like in this other picture. OK, we are done for now.
We will use Olly for everything: patching, finding serial keys, unpacking, studying, etc. We will start our first lesson with Olly by finding the serial key of a crackme; while tracing the code it will be very easy to understand where we should patch if needed. Our mission in this lesson is to find a serial key for the name we enter. Run the crackme and you will see that it needs a name and a serial number; enter some fake info. Click on 'check serial'. Nothing happens? Let's find a real serial for our name now! Disassemble our target with W32Dasm, then click on the Imports button.
See the picture below. In the dialog box that shows up, find USER32.GetDlgItemTextA, as in the picture below. Select it as in the picture above and double-click on it; you will land at the address 004011DF (write down this address). Just a bit below this we have another reference to USER32.GetDlgItemTextA at the address 004011F0 (write this address down too). Close W32Dasm; we don't need it anymore. Run OllyDbg and click on File, Open, browse to our crackme and open it. Cool, you should see the asm code now.
Press the F9 key and the crackme should show up. Enter your name and any serial number, but don't click on the 'check serial' button yet. I will enter MiStErX as the name and 12345 as the serial. Return to OllyDbg and click on the 'Go to Address' button.
This button is indicated in picture 5 below. In the blank box, enter the first address we found in W32Dasm, 4011DF, then click OK. You will be here:

             PUSH 019h
             PUSH 0403096h
             PUSH 066h
             PUSH DWORD PTR SS:[EBP+8]
    004011DF CALL GetDlgItemTextA      ; read the entered name
             PUSH 01Eh
             PUSH 0403078h
             PUSH 065h
             PUSH DWORD PTR SS:[EBP+8]
    004011F0 CALL GetDlgItemTextA      ; read the entered serial
             CMP EAX,4                 ; compare the length of the entered name with 4
             JB @crackme00401245       ; jump if below (if our entered name is shorter than 4 characters, jump)

GetDlgItemTextA retrieves the text a user typed into a dialog's edit box; it returns the number of characters copied, which is why the CMP EAX,4 that follows is a check on the length of the entered name. Now put the selector line on '004011DF CALL GetDlgItemTextA' and press the F2 key to set a breakpoint. Go to the second address and set a breakpoint there too by pressing F2.
See picture 6 to see my breakpoints; the addresses highlighted in white are the ones with a breakpoint set. Bring up the crackme from the taskbar and click on 'check serial'. Olly will break on the first breakpoint; now press F9 (run) and Olly will break on the other breakpoint we set. The first breakpoint was for the name we entered and the second is for the serial number. Now trace line by line slowly with the F8 key until you are at the address 0040121F (picture 7). Referring to the picture, you must be on this line: 0040121F CMP EAX, EBX. Let's explain what this means. CMP means compare: the EAX register holds the fake serial we entered and the EBX register holds the real serial number for the entered name. Check this in the register pane at the top right of your screen (labelled 2 and 3 in the picture above).
EAX has the value 12345, the fake serial I entered, and EBX has the value 2EB (OllyDbg shows register values in hexadecimal). Can 2EB be the real serial number for the name MiStErX? Yes it is: we have found a real serial number, and we can find a serial for any name we enter by following the procedure in this tutorial. As you see, at address 0040121F the crackme's protection is comparing our fake serial with the real serial for our name.
Free download of the crackme used in this tutorial, of OllyDbg and of W32Dasm: see the links on the original page.

Debuggers: DebugView v4.77; OllyDbg v1.10; Zeta Debugger v1.3
.NET decompilers: Dotnet IL Editor v0.2.6; ILIDE# v3.0.1799.34705; Red Gate's .NET Reflector v7.4
Delphi decompiler: IDR (Interactive Delphi Reconstructor) v2.5.3
Visual Basic decompilers: P32Dasm v2.8; VB Decompiler Lite v5.0
Disassemblers: Dotnet IL Editor (DILE) v0.2.4; IDA Pro v5.0
Hex calculators: HexTool v1.7.0.1; Reversers' Calculator v1.2
Hex editors: BIEW v6.1.0; Frhed v1.6.0; Hiew v6.50; HxD v1.7.7.0; MiTeC Hexadecimal Editor v6.0.0
Memory hacking: Memory Hacking Software v6.1