Wednesday, February 08 2006 @ 04:33 PM CET Contributed by: ViceVirtue Views: 13321
Level : newbie
This tutorial is only intended for those who are really new to cracking and reverse engineering. Still, it's a step every cracker had to take at one stage, cracking something simple. This tutorial should teach the basics of unpacking a UPX packed file, restoring the IAT in an executable and then we'll go fishing for a hard-coded serial in our unpacked executable. The tools used in this tutorial are all freely available on the internet and you won't have to go looking for them.
This is my first tutorial and I'm
really only writing it so that I can learn and maybe be criticised.
I'm really new to cracking, but this CrackMe is
trivial. It should take anyone who knows what they're doing less than 5 minutes to crack.
This tutorial is only intended for those who
are really new to cracking and reverse engineering. Still, it's a step
every cracker had to take at one stage, cracking something simple. This
tutorial should teach the basics of unpacking a UPX packed file,
restoring the IAT in an executable and then we'll go fishing for a
hard-coded serial in our unpacked executable.
The first step in cracking
anything is reconnaissance work,
Open the crackme using PeiD
to find out if it's packed:
As you can see in the
highlighted cyan box there, it's packed using UPX. That's about all the
recon we can do right now, seeing as it's a packed executable, so:
2. Unpacking The Executable
UPX is a simple free packer
and UPX packed files are easy to unpack using a debugger such as
OllyDBG. So fire up OllyDBG and load crackme2.exe.
OllyDBG breakpoints at the Entry Point (EP) of crackme2.exe, See how the first command shown is PUSHAD (Meaning PUSHAll Doubles onto the stack.) This is consistent for all(?) UPX packed programs.
We're currently at the beginning of the unpacking stub of the packed
exe, but we want to be at the beginning of the crackme's unpacked code,
so we push [F7] once to execute the PUSHAD instruction, and note now how ESP
has become red - signifying that it has changed. Now, to get to the
OEP, we know that we want to be at the end of the unpacking stub where
(as more experienced crackers will know) a POPAD
instruction resides which will access this same byte of memory. So we
right-click ESP and click [Follow in dump]. Then in the dump window
(the lower left-hand window of OllyDBG) we right-click the byte
0012FFA4 (the top left byte) and select [Breakpoint] > [Hardware, on
access] then press [F9] to run our program until the breakpoint, which
occurs almost instantly.
See the JMP just under POPAD?
That takes us to the beginning of the decompressed code, and the entry
point of the original (unpacked) exe - otherwise known as the OEP (some
call it the REP.) Press [F7] twice so that we're at the OEP.
3. Dumping And Restoring The Executable
Now use the OllyDumpplugin
to dump the file, remembering to click the "Use EIP as OEP" The
EIP is our current address. We need to change the "Base of Code" to
1000, this is because the code of our unpacked executable starts at the
RVA 1000, so enter it into the "Base of Code" box. Uncheck the "Rebuild
Import" checkbox and click dump to save the file to disk, I normally
number the steps when I
crack something, so I named it "1Dumped.exe"
Now, UPX messes up the import table (the IAT) so we need to use a neat
program which automates the tast of restoring the import tables called ImpRec. Open ImpRec and run crackme2.exe, then select the exe from the dropdown menu and follow the image:
ImpRec will try and restore the OEP to that of the packed one, so enter
11EC in the OEP box (you may notice that that's our EP in any of the
Ofcourse, when you click [Fix Dump] you want to choose 1Dumped.exe. Now the executable has been (pretty much) restored to it's former, pre packing glory.
4. Fishing For The Serial
Now open 1Dumped_.exe it up in OllyDBG and you should be at the OEP (VA 004011EC)
Regardless of what you did, scroll up and you'll see a whole lot of jumps (mine are highlighted in yellow)
Some people call areas like this in an exe a trampoline, because
essentially this area is where the linker replaces calls made to these
locations by the compiler with jumps to external functions (in this
case from the VB DLL) so that everything works (If someone could
clarify this for me, that would be great.)
Our OEP is highlighted, but see a call
to "__vbaStrCmp"? ...It is a Visual Basic function to compare two
strings and tell the program if they're the same. So we know that this is a Visual Basic program, that's more recon.
Right click on the StrCmp line and select [Find references to]
> [Address constant]. Then in the window which appears, set a
breakpoint on the 4 references to the strcmp function.
Now press [F9] and click [Yes] on the crackme to enter a serial, I
entered "ViceVirtue" but what you enter isn't important at this stage.
Now, It's important to note that Visual Basic is a very stack oriented
programing language, almost everything passes though the stack, and
that goes for pointers to strings which are going to be compared.
Click [Ok] and Olly will break, you'll be left at this screen:
In the lower right-hand corner of OllyDBG is the stack window, and look at the two items on the top of the stack!
One's the serial we entered and the other one is the correct serial which it's going to be compared to.
At this point we have fished our serial, so we want to remove all breakpoints and just enter the serial.
Press [ALT] + [B] to open the breakpoints window and delete them all.
Now press [F9] to resume the crackme and we're confronted with
the badboy message, click though it and enter "12345" as our
serial number and viola! You've successfully unpacked and restored an
executable and fished for a hardcoded serial inside it.
I hope that this tutorial was good enough to show you a thing or two
about simple crackme's it taught me a bit about repairing executables,
also thank you for reading it and please give me some criticism about
what I'm doing wrong, and what could be done better or faster (well,
for one, [CTRL] + [N] to find names and then set a breakpoint on
reference would've been faster and clearer than the above method, but I
wanted to give this a try)
I'd also like to know what I've said here which was inaccurate, I've
only been cracking for... well less than two weeks now and I still
haven't learned all of X86 assembly so I'm by all means a newbie.
download complete package
It was my first tutorial ever, and I tried to make it of decent
quality. If ever I learn something new, or someone wants some help on
something, I may well write another because they're fun to do, and I
like to help people if I can.