lca

True lack of freedom is building a cage inside your own heart.

"Learning Notes on Starting IDA Reverse Engineering from Scratch - 8 (Introduction to Static Reverse Analysis)"

Generally speaking, reverse analysis does not involve complete reverse engineering of large programs, but rather the analysis of one or several specific functions at specific locations.

1. Detailed Explanation of Program Loading#

Open the VIEW-OPEN SUBVIEW-SEGMENTS menu to see the automatically loaded program segments.

In the "NAME" column of the segments, you can see the start and end addresses of each segment.
The RWX column shows the initial permissions of the segment, whether it has read (R), write (W), and execution (X) permissions.
The D and L columns correspond to the debugger and loader, respectively.
The D column is empty until the program is being debugged; the L column marks the segments created by the loader. The contents of the other columns are less important here.
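To show where the NAME, start, end and RWX columns of the Segments view come from, here is an added example (not code from the post or from IDA) that packs a constructed PE section table and reads it back the way the view presents it. The image base, the section names and their sizes are assumptions made up for the example; the "packed" section is constructed deliberately with read, write and execute set together, because a segment that is both writable and executable is the first thing worth noticing in that column.

```python
import struct

# IMAGE_SECTION_HEADER characteristics bits (values from the PE specification).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics -> 40 bytes per header.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

IMAGE_BASE = 0x400000  # assumed image base for the constructed table


def build_section_header(name, virtual_size, virtual_address, characteristics):
    """Pack one section header; raw-data fields are zero because no file body exists here."""
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               virtual_size, virtual_address, 0, 0, 0, 0, 0, 0,
                               characteristics)


# Constructed section table: three ordinary sections plus one that is readable,
# writable and executable at once (the kind of layout a packer leaves behind).
SECTION_TABLE = b"".join([
    build_section_header(".text", 0x1000, 0x1000, 0x60000020),   # code | execute | read
    build_section_header(".data", 0x0800, 0x2000, 0xC0000040),   # data | read | write
    build_section_header(".rsrc", 0x0400, 0x3000, 0x40000040),   # data | read
    build_section_header("packed", 0x2000, 0x4000, 0xE0000040),  # data | read | write | execute
])


def parse_segments(table, image_base=IMAGE_BASE):
    """Return (name, start, end, rwx) rows for each header, mirroring the Segments view.
    End is computed as start + VirtualSize; '.' marks a permission that is not set."""
    rows = []
    for off in range(0, len(table), SECTION_HEADER.size):
        fields = SECTION_HEADER.unpack_from(table, off)
        name = fields[0].rstrip(b"\0").decode("ascii")
        virtual_size, virtual_address, characteristics = fields[1], fields[2], fields[9]
        rwx = ("R" if characteristics & IMAGE_SCN_MEM_READ else ".") + \
              ("W" if characteristics & IMAGE_SCN_MEM_WRITE else ".") + \
              ("X" if characteristics & IMAGE_SCN_MEM_EXECUTE else ".")
        start = image_base + virtual_address
        rows.append((name, start, start + virtual_size, rwx))
    return rows


def writable_executable(rows):
    """Names of segments whose initial permissions include both W and X."""
    return [name for name, _start, _end, rwx in rows if "W" in rwx and "X" in rwx]


if __name__ == "__main__":
    rows = parse_segments(SECTION_TABLE)
    for name, start, end, rwx in rows:
        print(f"{name:<8} {start:08X} {end:08X} {rwx}")
    print("W+X segments:", writable_executable(rows))
```

The RWX string printed here matches the initial permissions the view shows before any debugging starts; the `writable_executable` check is the kind of quick triage a practitioner runs on the same columns.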

2. Viewing Key Strings#

Try opening the exe program.

At the "help-register" section, you can enter a name and serial.

Enter random characters and you will see the message "No luck there, mate!"

View the strings using the shortcut Shift + F12.

You can see the same message as in the program.

Double-click on the characters in the image to jump to the corresponding location.

The string is saved at address 0x00402169. Press the "D" key at this address to view the specific bytes.

Press the "A" key again to restore the display of the string, and press the "X" key to display the references on the right.

3. Finding Key Functions#

In the image, two different functions reference the string. One is "sub_401362" and the other is "sub_40137E".

They are two different functions because the function part of each reference, the address after "sub_", differs. Two references from inside the same function would share the same "sub_" address and differ only in the offset that follows it; here the "sub_" addresses themselves are different.
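The Strings window (Shift + F12), the "X" cross-reference list and the "sub_XXXXXX+offset" labels in the two sections above all come from the same byte-level facts, so here is an added example (not code from the post, IDA or the crackme) that reproduces them on a constructed flat image. The image base, the code offsets 0x1362 and 0x137E, the data offset that places the message at 0x402169 and the MessageBoxA call sequence are all assumptions chosen to echo the addresses in the post; the references are found by searching for `push imm32` instructions, which is the form IDA displays as `push offset aString`.

```python
import struct

IMAGE_BASE = 0x400000          # assumed image base of the constructed blob
DATA_OFF = 0x2161              # chosen so the message sits at 0x402169, as in the post
CODE_OFF = 0x1362              # first call site, echoing sub_401362 in the post

TITLE = b"No luck\x00"
MESSAGE = b"No luck there, mate!\x00"
TITLE_VA = IMAGE_BASE + DATA_OFF
MESSAGE_VA = TITLE_VA + len(TITLE)          # 0x402169


def push_imm32(value):
    """Encode 'push imm32' (opcode 68), the instruction IDA shows as push offset aString."""
    return b"\x68" + struct.pack("<I", value)


def message_box_call_site():
    """Constructed MessageBoxA call sequence: push uType, title, text, hWnd; call; ret."""
    return (b"\x6a\x00"                   # push 0            (uType)
            + push_imm32(TITLE_VA)        # push offset title (+2 into the function)
            + push_imm32(MESSAGE_VA)      # push offset text  (+7 into the function)
            + b"\x6a\x00"                 # push 0            (hWnd)
            + b"\xe8\x00\x00\x00\x00"     # call rel32, target left as a placeholder
            + b"\xc3")                    # ret


def build_image():
    """Flat 12 KiB image: two call sites (at 0x1362 and 0x137e) plus the string data."""
    image = bytearray(0x3000)
    code = message_box_call_site() + b"\xcc" * 8 + message_box_call_site()
    image[CODE_OFF:CODE_OFF + len(code)] = code
    image[DATA_OFF:DATA_OFF + len(TITLE) + len(MESSAGE)] = TITLE + MESSAGE
    return bytes(image)


def find_strings(image, min_len=5):
    """(va, text) for NUL-terminated runs of printable ASCII, like IDA's Strings window."""
    found, start = [], None
    for i, b in enumerate(image):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
            continue
        if start is not None and b == 0 and i - start >= min_len:
            found.append((IMAGE_BASE + start, image[start:i].decode("ascii")))
        start = None
    return found


def find_xrefs(image, va):
    """Code addresses of every 'push imm32' whose immediate is va (what the X key lists)."""
    needle = push_imm32(va)
    refs, pos = [], image.find(needle)
    while pos != -1:
        refs.append(IMAGE_BASE + pos)
        pos = image.find(needle, pos + 1)
    return refs


FUNC_STARTS = [0x401362, 0x40137E]   # assumed function boundaries in the blob


def xref_label(va, func_starts=FUNC_STARTS):
    """Render a reference as IDA does: sub_<function start>+<offset inside it>."""
    start = max(s for s in func_starts if s <= va)
    return f"sub_{start:X}+{va - start:X}"


if __name__ == "__main__":
    image = build_image()
    for va, text in find_strings(image):
        print(f"{va:08X}  {text!r}")
    for ref in find_xrefs(image, MESSAGE_VA):
        print(f"xref to message from {xref_label(ref)}")
```

Running it lists the two strings at their addresses and two references to the message, labelled `sub_401362+7` and `sub_40137E+7`: same offset inside each function, different function start, which is exactly the distinction the paragraph above draws.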

"sub_401362":

"sub_40137E":

These are the locations where the unsuccessful registration message is displayed.

In the "sub_401362" function, as shown in the image, the MessageBox API function is called to display the message "NO LUCK THERE MATE". The call passes the "NO LUCK" string as the window title and the "NO LUCK THERE MATE" string as the displayed text.

The same applies to "sub_40137E", which means that the unsuccessful registration message will be triggered in both places. It is possible that they handle different information. If you want to display a successful registration message, both of these places need to be bypassed.

Next, press the "X" key to view the references to the "sub_401362" function. There is only one reference.

Before following the reference, rename the "sub_401362" function to "CARTEL_ERROR": press the "N" key at the function address and enter the new name.

Go to the location of the reference to the "CARTEL_ERROR" function.

Before the call to the "CARTEL_ERROR" function, there is a "jz" jump. To differentiate between the code blocks for success and failure, you can add colors to these code blocks. Click on the color selector in the upper right corner of the code block, as shown in the image.

Continue to the address 0x40124c and enter the called function 0x40134d.

"0x40134D function":

Change the name of the "0x40134D function" to "CARTEL_BUENO".

Change the color of the code blocks that reference them to green.

4. Marking Instruction Positions#

Go to the "jz" command at address 0x401243 and open the JUMP-MARK POSITION menu (shortcut: Alt + M) to name it "DECISION_FINAL". This will allow you to easily return to this position.

Open the JUMP-Jump to marked position menu.

You can easily jump to the corresponding position.

5. Modifying Instructions#

Based on the previous analysis, if the "jz" at address 0x401243 is changed to "jnz", the program will also take the path of successful registration when an invalid password is entered.

Right-click on the current instruction and select "keypatch-patch" (shortcut: Ctrl + Alt + K).

Open the patch window.

Modify the content as follows:

After modifying, click "patch" and you will see the following message indicating the modification.

Right-click again and select "patching-apply patch to..." to save the modified content.

Save it as an exe file.

Run the crackme.exe program and enter any content. Two windows will appear, one indicating success and the other indicating failure.

So two modifications are needed to bypass the registration check completely.

As shown in the image, another registration failure message is displayed here, and there is a "cmp" instruction above the red code block that compares the characters of the user-entered username to see if they are less than 0x41, which is the character 'A'. If it is less than 0x41, it displays a registration failure message.

Previously, when running crackme.exe for registration, the input was 111 (the digits '0' and '1' are 0x30 and 0x31), which is obviously less than 0x41. So when the program detects digits, it displays a registration failure message. Therefore the "jb" cannot simply be changed to "jnb": that would make the check fail in the opposite direction, when characters at or above 0x41 are entered.

The dashed line in the image is the jump that leads to the error. If the jump instruction is replaced with "nop", the program never takes it: execution falls through to the next instruction and the error message is not executed.

Switch back to the graphical display.

The modified "nop" bytes and the isolated error message can be seen in the image.

Save the modified file again.

After testing, any characters can be entered.
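As an added example covering both patches in this section (the "jz" to "jnz" change and the "nop" over the "jb"), here is a small Python script that is not from the post, Keypatch or the crackme. It works on a constructed 20-byte snippet modelled on the two decisions described above; the load address 0x401240, the byte layout and the placeholder call targets are assumptions, not the real crackme bytes. It decodes the short conditional jumps, applies each patch the way the text describes (flip the opcode's low bit for the first, overwrite with NOPs for the second), evaluates the first-character check for the three variants to show why inverting the "jb" is wrong, and diffs the result against the original so the saved file can be checked byte by byte.

```python
import struct

BASE = 0x401240            # assumed load address of the constructed snippet
JZ_OFF, JB_OFF = 3, 12     # offsets of the two conditional jumps in CODE
NOP = 0x90

# Short conditional jumps pair up as even/odd opcodes: flipping bit 0 inverts
# the condition (jb 72 / jnb 73, jz 74 / jnz 75).
SHORT_JCC = {0x72: "jb", 0x73: "jnb", 0x74: "jz", 0x75: "jnz"}

# Constructed code modelled on the two decisions in the post (not the real crackme bytes).
CODE = bytes([
    0x85, 0xC0,                    # +0  test eax, eax      ; serial check result
    0x90,                          # +2  nop                ; padding so the jz sits at +3
    0x74, 0x05,                    # +3  jz  short (rel8 5) ; -> +10, skips the error call
    0xE8, 0x00, 0x00, 0x00, 0x00,  # +5  call CARTEL_ERROR  ; rel32 target left as placeholder
    0x3C, 0x41,                    # +10 cmp al, 41h        ; first username character vs 'A'
    0x72, 0x05,                    # +12 jb  short (rel8 5) ; -> +19, below 'A' means error
    0xE8, 0x00, 0x00, 0x00, 0x00,  # +14 call CARTEL_BUENO  ; rel32 target left as placeholder
    0xC3,                          # +19 ret                ; error path lands here in the toy
])


def decode_short_jcc(code, off, base=BASE):
    """Decode a 2-byte 'jcc rel8' at off: (mnemonic, target) with target = next ip + rel8."""
    mnemonic = SHORT_JCC.get(code[off])
    if mnemonic is None:
        raise ValueError(f"no short jcc at offset {off}")
    rel = struct.unpack_from("<b", code, off + 1)[0]
    return mnemonic, base + off + 2 + rel


def invert_short_jcc(code, off):
    """First patch of the post: jz -> jnz by flipping the opcode's low bit; rel8 untouched."""
    decode_short_jcc(code, off)          # validate that a short jcc really sits here
    patched = bytearray(code)
    patched[off] ^= 1
    return bytes(patched)


def nop_out(code, off, length):
    """Second patch of the post: replace an instruction with NOPs so execution falls through."""
    patched = bytearray(code)
    patched[off:off + length] = bytes([NOP]) * length
    return bytes(patched)


def diff_bytes(original, patched):
    """(offset, old, new) for every changed byte: how to verify what a saved patch did."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def char_check_takes_error(code, ch):
    """Evaluate 'cmp al, 41h ; jcc' at JB_OFF for one input character.
    Returns True when the jump to the error path is taken."""
    op = code[JB_OFF]
    below = ord(ch) < 0x41           # CF after cmp al, 41h
    if op == 0x72:                   # jb: jumps when CF=1
        return below
    if op == 0x73:                   # jnb: jumps when CF=0, so letters would now fail
        return not below
    if op == NOP:                    # nop'ed: never jumps
        return False
    raise ValueError(f"unexpected opcode {op:02X} at JB_OFF")


def apply_both_patches(code=CODE):
    """jz -> jnz at JZ_OFF, then NOP the 2-byte jb at JB_OFF."""
    return nop_out(invert_short_jcc(code, JZ_OFF), JB_OFF, 2)


if __name__ == "__main__":
    patched = apply_both_patches()
    print(decode_short_jcc(CODE, JZ_OFF), "->", decode_short_jcc(patched, JZ_OFF))
    for off, old, new in diff_bytes(CODE, patched):
        print(f"{BASE + off:08X}: {old:02X} -> {new:02X}")
    variants = [("original", CODE), ("jb->jnb", invert_short_jcc(CODE, JB_OFF)), ("nop", patched)]
    for label, blob in variants:
        print(label, {c: char_check_takes_error(blob, c) for c in "1A"})
```

The three-way comparison at the end is the point of the section: with the original "jb" a digit takes the error path and a letter does not, inverting it to "jnb" simply swaps which inputs fail, and only the NOP variant stops the error jump for every character. The `diff_bytes` output is also what to expect when comparing the saved exe against the untouched original: one changed byte for the first patch and two for the second.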
