Contribute  :  Web Resources  :  Past Polls  :  Site Statistics  :  Downloads  :  Forum  
    BiW ReversingThe challenge is yours    
 Welcome to BiW Reversing
 Friday, April 03 2020 @ 07:45 AM CEST

Gabor's CrackMe 2 Solution

   

TutorialsLevel : newbie

This tutorial is only intended for those who are really new to cracking and reverse engineering. Still, it's a step every cracker had to take at one stage, cracking something simple. This tutorial should teach the basics of unpacking a UPX packed file, restoring the IAT in an executable and then we'll go fishing for a hard-coded serial in our unpacked executable. The tools used in this tutorial are all freely available on the internet and you won't have to go looking for them.

This is my first tutorial and I'm really only writing it so that I can learn and maybe be criticised.
I'm really new to cracking, but this CrackMe is trivial. It should take anyone who knows what they're doing less than 5 minutes to crack.

This tutorial is only intended for those who are really new to cracking and reverse engineering. Still, it's a step every cracker had to take at one stage, cracking something simple. This tutorial should teach the basics of unpacking a UPX packed file, restoring the IAT in an executable and then we'll go fishing for a hard-coded serial in our unpacked executable.

Okay, here we go:

Tools used:

Other useful tools:

Target: Gabor's CrackMe 2



1. Recon. Work

The first step in cracking anything is reconnaissance work,
Open the crackme using PeiD to find out if it's packed:




As you can see in the highlighted cyan box there, it's packed using UPX. That's about all the recon we can do right now, seeing as it's a packed executable, so:


    2. Unpacking The Executable

UPX is a simple free packer and UPX packed files are easy to unpack using a debugger such as OllyDBG. So fire up OllyDBG and load crackme2.exe.



OllyDBG breakpoints at the Entry Point (EP) of crackme2.exe, See how the first command shown is PUSHAD (Meaning PUSH All Doubles onto the stack.) This is consistent for all(?) UPX packed programs.
We're currently at the beginning of the unpacking stub of the packed exe, but we want to be at the beginning of the crackme's unpacked code, so we push [F7] once to execute the PUSHAD instruction, and note now how ESP has become red - signifying that it has changed. Now, to get to the OEP, we know that we want to be at the end of the unpacking stub where (as more experienced crackers will know) a POPAD instruction resides which will access this same byte of memory. So we right-click ESP and click [Follow in dump]. Then in the dump window (the lower left-hand window of OllyDBG) we right-click the byte 0012FFA4 (the top left byte) and select [Breakpoint] > [Hardware, on access] then press [F9] to run our program until the breakpoint, which occurs almost instantly.




See the JMP just under POPAD? That takes us to the beginning of the decompressed code, and the entry point of the original (unpacked) exe - otherwise known as the OEP (some call it the REP.) Press [F7] twice so that we're at the OEP.


    3. Dumping And Restoring The Executable

Now use the OllyDumpplugin to dump the file, remembering to click the "Use EIP as OEP" The EIP is our current address. We need to change the "Base of Code" to 1000, this is because the code of our unpacked executable starts at the RVA 1000, so enter it into the "Base of Code" box. Uncheck the "Rebuild Import" checkbox and click dump to save the file to disk, I normally number the steps when I crack something, so I named it "1Dumped.exe"



Now, UPX messes up the import table (the IAT) so we need to use a neat program which automates the tast of restoring the import tables called ImpRec. Open ImpRec and run crackme2.exe, then select the exe from the dropdown menu and follow the image:



ImpRec will try and restore the OEP to that of the packed one, so enter 11EC in the OEP box (you may notice that that's our EP in any of the above images)
Ofcourse, when you click [Fix Dump] you want to choose 1Dumped.exe.
Now the executable has been (pretty much) restored to it's former, pre packing glory.


    4. Fishing For The Serial

Now open 1Dumped_.exe it up in OllyDBG and you should be at the OEP (VA 004011EC)
Regardless of what you did, scroll up and you'll see a whole lot of jumps (mine are highlighted in yellow)
Some people call areas like this in an exe a trampoline, because essentially this area is where the linker replaces calls made to these locations by the compiler with jumps to external functions (in this case from the VB DLL) so that everything works (If someone could clarify this for me, that would be great.)
Our OEP is highlighted, but see a call to "__vbaStrCmp"? ...It is a Visual Basic function to compare two strings and tell the program if they're the same. So we know that this is a Visual Basic program, that's more recon.
Right click on the StrCmp line and select  [Find references to] > [Address constant]. Then in the window which appears, set a breakpoint on the 4 references to the strcmp function.



Now press [F9] and click [Yes] on the crackme to enter a serial, I entered "ViceVirtue" but what you enter isn't important at this stage.
Now, It's important to note that Visual Basic is a very stack oriented programing language, almost everything passes though the stack, and that goes for pointers to strings which are going to be compared.
Click [Ok] and Olly will break, you'll be left at this screen:



In the lower right-hand corner of OllyDBG is the stack window, and look at the two items on the top of the stack!
One's the serial we entered and the other one is the correct serial which it's going to be compared to.
At this point we have fished our serial, so we want to remove all breakpoints and just enter the serial.
Press [ALT] + [B] to open the breakpoints window and delete them all.
Now press [F9] to resume the crackme and we're confronted with the badboy message, click though it and enter "12345" as our serial number and viola! You've successfully unpacked and restored an executable and fished for a hardcoded serial inside it.


    Conclusion
I hope that this tutorial was good enough to show you a thing or two about simple crackme's it taught me a bit about repairing executables, also thank you for reading it and please give me some criticism about what I'm doing wrong, and what could be done better or faster (well, for one, [CTRL] + [N] to find names and then set a breakpoint on reference would've been faster and clearer than the above method, but I wanted to give this a try)
I'd also like to know what I've said here which was inaccurate, I've only been cracking for... well less than two weeks now and I still haven't learned all of X86 assembly so I'm by all means a newbie.

download complete package here
It was my first tutorial ever, and I tried to make it of decent quality. If ever I learn something new, or someone wants some help on something, I may well write another because they're fun to do, and I like to help people if I can.




What's Related

Story Options

Gabor's CrackMe 2 Solution | 1 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Gabor's CrackMe 2 Solution
Authored by: Helios on Wednesday, May 24 2006 @ 10:25 PM CEST

This was definitely helpful. Thank you very much :)
 Copyright © 2020 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.
Powered By Geeklog 
Created this page in 0.74 seconds