Learning Notes on IDA Reverse Engineering from Scratch - 8 (Introduction to Static Reverse Analysis)

In practice, reverse analysis rarely means reversing a large program completely; it usually means analysing one specific function, or a few functions at specific locations.

1. Program Loading Explanation

Open the VIEW-OPEN SUBVIEW-SEGMENTS menu to see the sections that were loaded automatically.

Next to the NAME column are the start and end addresses of each section.
The R, W and X columns show the section's initial permissions: whether it can be read (R), written (W) and executed (X).
The D and L columns correspond to the debugger and the loader, respectively.
The D column is empty and is only filled while the program runs under the debugger. The L column marks the sections created by the loader. The remaining columns matter less.
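Added example, not from the post: the R/W/X permissions in the Segments window come from the Characteristics flags of each PE section header. This Python snippet parses a constructed section table into the same rows (the section names, sizes and the 0x400000 image base are assumptions) and also flags sections that are both writable and executable, which is worth checking before trusting any segment listing.

```python
import struct

IMAGE_BASE = 0x400000                              # assumed load address
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")     # IMAGE_SECTION_HEADER, 40 bytes
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def parse_sections(table, count, base=IMAGE_BASE):
    """Turn `count` raw section headers into the rows the Segments window shows:
    name, start/end virtual address and an R/W/X permission string."""
    rows = []
    for i in range(count):
        name, vsize, va, _, _, _, _, _, _, flags = SECTION_HEADER.unpack_from(table, i * 40)
        perms = "".join(letter if flags & bit else "."
                        for letter, bit in (("R", MEM_READ), ("W", MEM_WRITE), ("X", MEM_EXECUTE)))
        rows.append({"name": name.rstrip(b"\0").decode("ascii"),
                     "start": base + va, "end": base + va + vsize, "perms": perms})
    return rows

def writable_and_executable(rows):
    """Names of sections that are both W and X: normal compilers rarely emit them,
    packers and self-modifying code often do, so they deserve a closer look."""
    return [r["name"] for r in rows if "W" in r["perms"] and "X" in r["perms"]]

def make_header(name, va, vsize, flags):
    """Build one constructed IMAGE_SECTION_HEADER (raw size/pointer fields zeroed)."""
    return SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, flags)

# Constructed section table standing in for the crackme's real headers.
TABLE = (make_header(b".text", 0x1000, 0x1000, 0x60000020)     # code: R . X
         + make_header(b".data", 0x2000, 0x1000, 0xC0000040)   # data: R W .
         + make_header(b".rsrc", 0x3000, 0x1000, 0x40000040))  # data: R . .

if __name__ == "__main__":
    for row in parse_sections(TABLE, 3):
        print("%-6s %08X %08X %s" % (row["name"], row["start"], row["end"], row["perms"]))
```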

2. Viewing Key Strings

Try opening the exe program.

Under the HELP-REGISTER menu, you can enter a name and a serial.

Enter random characters and the program replies "No luck there, mate!"

View the strings by pressing Shift + F12.

The same message the program displayed appears in the list.

Double-click the string in the image to jump to the following location.

The string is stored at address 0x00402169. Pressing the "D" key at this address converts it to data and shows the individual bytes.

Pressing the "A" key converts it back to a string, and pressing the "X" key lists the cross-references to it on the right.

3. Finding Key Functions

In the image, two different functions reference the string: one is "sub_401362" and the other is "sub_40137E".

They are two different functions because IDA displays each reference as "function + XXXX". If both references belonged to the same function, only the XXXX offset would differ while the function name stayed the same; here the addresses after "sub_" differ, so they are separate functions.
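Added example, not from the post: what the Strings window (Shift+F12) and the X key do underneath, reproduced on a constructed image. The string and function addresses are the ones from the post; the image base 0x400000, the use of "push imm32" as the referencing instruction and the offsets of those pushes inside sub_401362 and sub_40137E are assumptions.

```python
import re
import struct

IMAGE_BASE = 0x400000                      # assumed load address of the constructed image

# Constructed stand-in for the crackme: a zero-filled image holding the two message
# strings and two code stubs that each 'push offset' them, the way sub_401362 and
# sub_40137E do before calling MessageBox. Addresses mirror the ones in the post.
image = bytearray(0x2200)
image[0x2160:0x2168] = b"No luck\x00"
image[0x2169:0x217E] = b"No luck there, mate!\x00"
PUSHES = (b"\x68" + struct.pack("<I", 0x402169)     # push offset text
          + b"\x68" + struct.pack("<I", 0x402160))  # push offset title
image[0x1365:0x136F] = PUSHES                       # inside sub_401362 (offset assumed)
image[0x1381:0x138B] = PUSHES                       # inside sub_40137E (offset assumed)
FUNCTIONS = {0x401362: "sub_401362", 0x40137E: "sub_40137E"}   # function starts, as IDA names them

def find_strings(image, min_len=5):
    """What Shift+F12 lists: every NUL-terminated run of printable ASCII, keyed by its VA."""
    return {IMAGE_BASE + m.start(): m.group()[:-1].decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, image)}

def find_xrefs(image, target_va):
    """What X on a string gives: every 'push imm32' (opcode 0x68) whose immediate is the
    string's VA, which is how 'push offset aNoLuckThereMat' refers to it."""
    needle = b"\x68" + struct.pack("<I", target_va)
    return [IMAGE_BASE + i for i in range(len(image) - 4) if image[i:i + 5] == needle]

def describe(va, functions=FUNCTIONS):
    """Format a code VA the way the xref list does, 'sub_401362+3': the enclosing
    function is the one with the largest start address not above va."""
    start = max(s for s in functions if s <= va)
    return "%s+%X" % (functions[start], va - start)

def xref_report(image):
    """Map every string to the 'function+offset' locations that reference it."""
    return {text: [describe(x) for x in find_xrefs(image, va)]
            for va, text in find_strings(image).items()}

if __name__ == "__main__":
    for text, refs in xref_report(image).items():
        print("%-22r <- %s" % (text, ", ".join(refs)))
```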

"sub_401362"

"sub_40137E"

This finds every location that displays the registration-failure message.

Going back to the "sub_401362" function, as shown in the image, it calls the MessageBox API to display "NO LUCK THERE MATE". The call uses the "NO LUCK" string as the window title and the "NO LUCK THERE MATE" string as the message text.

"sub_40137E" does the same, so the failure message can be triggered from two places, possibly for different checks. To reach the successful-registration message, both places have to be bypassed.

Next, press the X key on "sub_401362" to see where it is referenced in the program. There is only one reference.

Before going to that reference, rename "sub_401362" to something descriptive such as CARTEL_ERROR: press the N key at the function address and enter the new name.

Go to the reference to the CARTEL_ERROR function.

Just before the call to CARTEL_ERROR there is a jz jump. To tell the success and failure code blocks apart, colour them: click the colour selector in the upper right corner of the code block.

Continue to address 0x40124c and enter the function it calls, 0x40134d.

CARTEL_BUENO function

Rename function "0x40134D" to CARTEL_BUENO.

Colour the code blocks that reference it green.

4. Marking Instruction Positions

Continue to the jz instruction at 0x401243. Open the JUMP-MARK POSITION menu (shortcut: Alt+M) and name the mark DECISION_FINAL, so that you can return to this position easily.

Open the JUMP-JUMP TO MARKED POSITION menu.

It jumps straight to the marked position.

5. Modifying Instructions

From the analysis so far, if the jz at 0x401243 is changed to jnz, the program takes the successful-registration path even when an invalid password is entered.

Right-click the current instruction and select KEYPATCH-PATCH (shortcut: Ctrl+Alt+K).

Open the following window:

Modify the content as follows:

After editing, click "Patch"; the listing now shows the new instruction, with a comment recording the change.

Right-click again and select PATCHING-APPLY PATCH TO... to save the modified content.

Save it as an exe file.

Run the crackme.exe program and enter any content. Two windows will pop up, one for successful registration and one for unsuccessful registration.

So bypassing the registration requires two modifications.

As shown in the image, another registration-failure message is displayed here. Above the red code block there is a cmp instruction that checks whether each character of the entered username is below 0x41, the character 'A'; if it is, registration fails.

Earlier, when crackme.exe was run for registration, the input was 111 ('0' is 0x30 and '1' is 0x31), which is below 0x41, so the program reports failure as soon as it sees a digit. Here jb cannot simply be changed to jnb, because then letters would fail instead.

The dashed line in the image shows the jump that leads to the failure message. If the jump instruction is replaced with nop, the program no longer jumps but continues with the next instruction, so the failure message here is never reached.

Switch back to the graph view.

The nop bytes can be seen in the image, and the failure-message block is now isolated.

Save the modified file again.

After testing, any characters can be entered.
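After saving a patched exe, it is worth confirming that the only bytes that changed are the two intended instructions. This is an added Python example, not the post's own code: it diffs an original and a patched image, decodes the two instruction forms the post touches (short conditional jumps and nop) and names what each edit does. The image base 0x400000 and the jb address 0x401232 are assumptions (the post gives no address for the jb), and the byte images are constructed.

```python
import struct
IMAGE_BASE = 0x400000                                         # assumed load address
JCC8 = "jo jno jb jnb jz jnz jbe ja js jns jp jnp jl jge jle jg".split()  # opcodes 70..7F

def disasm_short(code, va):
    """Decode only what the patches touch: short Jcc (70-7F rel8) and NOP (90)."""
    if len(code) == 2 and 0x70 <= code[0] <= 0x7F:
        rel = struct.unpack("<b", code[1:2])[0]
        return "%s short 0x%X" % (JCC8[code[0] - 0x70], va + 2 + rel)
    if all(b == 0x90 for b in code):
        return " ; ".join(["nop"] * len(code))
    return "db " + " ".join("%02X" % b for b in code)

def changed_runs(orig, patched):
    runs, start = [], None                      # (offset, length) of each differing run
    for i, differs in enumerate([a != b for a, b in zip(orig, patched)] + [False]):
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - start))
            start = None
    return runs

def classify(before, after):
    if len(before) == 2 and 0x70 <= before[0] <= 0x7F:
        if after[0] == before[0] ^ 1 and after[1] == before[1]:
            return "condition inverted, same target"   # jz -> jnz
        if after == b"\x90\x90":
            return "jump removed, falls through"        # jb -> nop nop
    return "other change"                               # anything else: look by hand

def verify_patch(orig, patched, base=IMAGE_BASE):
    """(va, before, after, meaning) per change; runs starting on a Jcc are widened to 2 bytes."""
    out = []
    for off, n in changed_runs(orig, patched):
        if 0x70 <= orig[off] <= 0x7F or 0x70 <= patched[off] <= 0x7F:
            n = max(n, 2)                       # keep the displacement byte with the opcode
        before, after = bytes(orig[off:off + n]), bytes(patched[off:off + n])
        va = base + off
        out.append((va, disasm_short(before, va), disasm_short(after, va), classify(before, after)))
    return out

# Constructed images: nop filler plus the post's two checks; 0x401232 for the jb is a placeholder.
orig = bytearray(b"\x90" * 0x1300)
orig[0x1230:0x1234] = b"\x3C\x41\x72\x05"   # cmp al, 41h ; jb short <failure block>
orig[0x1243:0x1245] = b"\x74\x08"           # jz short <failure block>  (DECISION_FINAL)
patched = bytearray(orig)
patched[0x1243] = 0x75                      # jz -> jnz
patched[0x1232:0x1234] = b"\x90\x90"        # jb -> nop nop
```

Run it on the real files by replacing `orig` and `patched` with the bytes of the two exe images; any entry classified as "other change" means the patch touched more than intended.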
