🍈 Zettelkasten

Lena Tut 3

9 min read

We are given Nagware that nags us to purchase software with popups.

The nature of nagware will check for registration keys at program startup, meaning that if we find what the specific condition of this is, then we can effectively register without paying.

Our challenge is to not use referenced strings.

Note: This tutorial reverseme has been flagged as malware. Trojan of sorts

Crack It myself

Im going to try and use my current skills to crack this software.

  • we dont know what the end product will look like

  • there are 3 messages in the unpatched version

  • Remove the nags to register This will make the program fully registered :))

  • You need to register me now! It is supposed to be quite easy. Just patch the program to remove the Nags

  • Oops! I am not registered !!

  • the first message I dont think i can skip, but the second and third i can probably remove

Search referenced strings and then go here.

This is the address of where the found string is located

The call GetModuleHandleA does nothing of importance. Just get the filename ReverseMe and store that in eax. Of course, since it exists, we bypass the je that would lead us to a bad scenario.

So actually, I realize this. The program has a register good message, but we never have the option to jump to it because there is no jump directly to it. Im going to try to patch and create a jump to it then!

And so apparently there is this entry point comment here for some reason. I will just jump to there. So replace the first line of code with a jump then

Used to be push 0, now it is JMP 00401066

Yea so i did that, didn’t do anything at all so I think I was led astray. Back to the lab again.

What I did notice is that there is this args. Lets see what it compares them to…

Yes so the call jumps here. There is sooo much information and loops and conditional jumps here. This is where we must go.

Crack # 2

Right, so uhh I am just going to uhh follow the tutorial as it is yea? Lena mentions something about text strings being obfuscated from methods like packing or encryption. Im thinking of making a crackme for cs club so these might be techniques to consider

So, yes, we want to fulfill the JE in order to move pass the badboy. The code below is the badboy because there, it is generating the evil message box!

Then we go to this segment. Message box not created.

Problem is, we keep going down and there are even more nags!

We are going to change entry points

PE Locating

We are going to utilize the PE header from imagebase address. To crack this program

In our case, address 00400000 is the imagebase

at 00400000, that is actually the MZ section which contains lastpage size, total pages in file, relocation items, etc as well as a pointer to the location of the PE header.

Alternatively, you can open this Memory map button:

Which will open this screen:

Aheyyoooo, PE header right there!

Double click that address, it opens up

And we also found the PE offset to tell us where the PE header is located

Great, it tells us it is at an offset of 0C0, so we will need to go to 004000C0

Indeed it is

To clear up some inconsistencies, using the first method with the hex dump, we see that the PE header location is actually

C0 00 00 00

But using the second method of memory map, we see the PE header location is

004000C0.

These are actually the same address. There are 2 reasons why

  1. The hex dump sorts via little endian. C0000000 is the same as 000000C0 in big endian.

  2. The hex dump starts reading from the image base(00400000) so it doesn’t include the 400000. It literally becomes a virtual address (relative virtual address)

Relative Virtual Address

A relative virtual address is a virtual address used if you don’t know the exact memory locaiton you are referencing. It is an value you need to add(offset) from the imagebase of the PE file hence the relative in the name.

You can think of everything in the hex dump as a relative virtual address little endian form

We go to the section table section of the PE format. This lists all sections in relative virtual address form. Some sections may have a reference, some may not, some may point to the same section.

Section Alignment

The PE header defines 2 alignment values for sections to use. One that points to the section on the raw disk, the other in memory(virtual address). From

the values the PE header gives, the actual section’s alignment is an offset of this value(usually a multiple of the value).

Sections

Usually starting at RVA 1000 from the image base, sections start to appear

The section table is just an array that describes the location and size a section takes up. Allowing the loader to find a section very quickly. It is an array of IMAGE_NUMBER_OF_DIRECTORY(16 space reserved for entries) and IMAGE_DATA_DIRECTORYIES

The code section (.text) is the first one.

PE linkage

When you use code or data from a DLL file, you are linking it. when you link against, the compiler will grab compiled code from the DLL and make them available in your code.

when any pe file loads. job of win32 loader is to:

  • locate all imported functions

  • locate all imported data

  • make addressess avaiable to file being loaded

within a PE file, theres an array of data structures, one per imported DLL. each of these structures gives the name of the

imported DLL and points the an array of function pointers known as the Import Address Table(IAT)

each imported API/function has its own reserved spot in the IAT where

address of imported function is loaded/written by the win32 loader

the following is very important:

once the module/library is loaded into RAM, the IAT contains the addresses invoked when calling imported APIs.

the IAT is where all imported API addresses are stored so every call goes to the same function pointer in IAT

This is how it goes:

from the PE header, we change the entry point to the address after the badboy message generation.

Fifth Skill – Hex Edit

First thing I need to do is change my header to 00400000 (start of file) in the hex dump

Look where I am now:

00403068

So I need to go to 00400000

Rightclick > Go to > Expression OR CTRL+G

type in 00400000 then follow it.

Thar we go!

This hex dump section here allows us to change the memory values

I go to address 004000E8 in the hex dump.(the one that is selected right now)

Notice it is on the 9th column. The first column is 004000E0, so thats the way its ordered. Goes up to F(15).

Right click > Edit > Binary Edit OR CTRL+E

Ok, so I wanted to change the entry point instead of 0D to 24 instead. That will skip the badboy generation message

Now we save the changes.

I select the entire byte 24100000

Then Right click > Edit > Copy to Executable

Rightclick > Save File

Arite

What you will see when you execute is that, yes we do skip the first badboy, but the other 2 still show up.

Sixth Skill - Eradication

We are going to get our hands dirty.

The specific badboy messages are being generated from the mnemonics so we will need to remove the mnemonics. NOP them, wipe them outbound

These specific 5 lines are all used in the creation of the 3rd badboy. Nuke them and the arguments because we don’t want stragglers left in the stack.

Rightclick > Edit > Fill With NOPs

Then save the changes to executable, and we are good

Crack # 3

There is another file bundled into this lesson. RegisterMe_Oops.exe the gimmick with this one is that it is packed/protected meaning that upon olly running it, the PE file is unreadable.

wet dog shit

Lena’s olly stopped at a system breakpoint, my olly stopped at WinMain. I will change it to lena’s breakpoint.

This is how its done:

Options > Options OR Alt+O

Change it to system breakpoint

Ok now, lets go to the Memory map

Diagnose the problem. Go to the PE header portion

Then lets go to the AddressEntryPoint field.

Here it is

Dont forget, Address Entry Point is a relative virtual address, we still need the IMAGEBASE to find the actual address. Lucky us, the IMAGEBASE field is right beside this one.

so Imagebase is 400000. entry point address is then 401000

Lets go to there

Rightclick > Go To > Expression OR CTRL + G

continue on

The following is now antiquated in Ollydbg2, Ollydbg1 had this bug, but Ollydbg2 fixes this feature

We try and put a breakpoint at 00401000

Olly is confused 🤭🤭🤭🤭🤭🤭🤭🤭🤭🤭🤭

So why does this happened?

Lets look back at the memory dump

The PE header eats the sections!

Some fields were changed in this program that mess Olly up. Nothing fatal was changed and it can run as a regular exe. As a result, Olly gets confused

The fields that were changed are as follows

RVAs are messed up

SizeOfCode = 400

SizeOfInitializedData = A00

BaseOfCode = 1000

BaseOfData = 2000

NumberOfRvaAndSizes = 10

Export Table Address = 0

Export Table Size = 0

Ok lets make those changes

In the hex dump, Go To the address where this whole charade started. 004000DC(i went to 004000D4 to change memory map layout. You can just calculate if different offset)

Select a whole bunch of hex, then binary edit them or CTRL + E

Once the Triage is complete, we are as well.

Look at that healthy window! Hex dump looking sharp, entry point high in the sky.

Graph View

Backlinks