Basic Reverse-Engineering Explained

Networking/Security Forums -> Programming and More

Author: Kaosu    Location: United States    Posted: Thu Oct 07, 2004 4:50 pm    Post subject: Basic Reverse-Engineering Explained
    ----
Disclaimer

I do not condone the illegal modification of proprietary software in order to circumvent mechanisms put in place to preserve the integrity of copyrighted materials; nor do I wish to breach the DMCA. With that said, information should still flow freely and knowledge, regardless of how taboo, should be shared among a community of intellectual peers. I am not liable for anything the user-base of this community may do with the supplied knowledge.

Reverse engineering is an art; not a mere means to an end, but the first step to achieving digital awareness in a world of secrets. A man who finds an unlocked door may see the truth for a moment, but a man who can craft his own keys will see the truth for eternity.

EDIT; This post has been modified as of Tuesday, May 18th, 2010. Almost all technical information remains the same. Reviewing this post after several years, I decided it was time to fix some glaring grammar and punctuation mistakes. I like to think I replaced them with much less noticeable mistakes.

I have added information, and fixed many mistakes. I will continue to fix mistakes as I feel like it.

The original method I explained is also highly inefficient, but this was written back in 2004. Just keep your eyes peeled for updates and minor fixes if anyone still follows this post.

Tracing The Algorithm

We will be reviewing a security mechanism known as offline serial authentication. This method, while commonplace, falls victim to a few key elements:

A) It assumes that the person with a unique serial number is a paying customer and should have full access to the software.

B) It also assumes the serial number has been issued, to that individual, by the developers of said software.

C) It verifies information in an environment that is under the end user's control.

If you would like to use a serial authentication system in your application, you should look into verifying each serial number against an online database. You can check them against a whitelist or blacklist, depending on the amount of work one would like to put in.

Whitelist Filtering: This will allow you to allow/disallow access to your application based on what serial numbers you know are valid. I personally like this method, because it only requires me to keep track of data I am already sending to my customers, and I can also attach each serial number to a unique account, Internet Protocol address, and other identifying bits of data to minimize the risk of this serial number being shared across the Internet.

Blacklist Filtering: This method is simply collecting all known pirated serial numbers and disallowing access to your application when one is found to be in use.

A good system can use both: one to ensure only a select group of people (customers) can use your product (by having them verify information against servers that are under your control with identifying data), and another to disallow use of your product by anyone who may have slipped through the cracks.

Online verification defeats keygenning as long as you do not offer any form of offline activation. In my personal opinion, if you allow any type of offline activation - then it is your own fault if your software is pirated.

Our primary goal is not to simply unlock the application, phish a serial number, or even ignore the mechanism as a whole (read as: patching) - but to manipulate the underlying mathematics put in place by the developers to supply us with an endless stream of valid serial numbers. This is known as keygenning.

So let's open this application up in W32DASM. This will give us a static overview of the application, also known as a "deadlisting".

After opening the application, the first thing that we should do to find what we are looking for is check the string references. The reason for doing this is so that we can find out where in all of this assembly code the algorithm we are looking for is -- it won't tell us exactly where, but it will give us a place to start looking.

Code:

"%X"
"Thanks for registering!"
"Invalid Serial"


As you can see in the string references above, we can go to different vital parts of this application, such as when the application accepts a serial, rejects a serial, and the variable used to store information.

We will take a look at the variable ("%X") string. As expected, nothing much is in that function except for a few pushes; however, if we scroll up just a little bit we see the following:

Code:

* Reference To: USER32.SendMessageA, Ord:01C0h
                                  |
:004010DC E8DE000000              Call 004011BF
:004010E1 83F803                  cmp eax, 00000003
:004010E4 0F8C93000000            jl 0040117D
:004010EA 8BD0                    mov edx, eax
:004010EC 33C9                    xor ecx, ecx
:004010EE 33DB                    xor ebx, ebx


We take note of this function because of the reference to the SendMessage API. In this specific application it is used to grab information that we entered into the program. Here is a description of the following function(s):

Code:

:004010E1 83F803                  cmp eax, 00000003
:004010E4 0F8C93000000            jl 0040117D


The section of code above will take the information we entered into the name field of the program and check its length. If the length is less than the decimal value three (3) the program will simply start from the beginning until we enter a name that has a length greater than the decimal value of three (3).

Code:

:004010EA 8BD0                    mov edx, eax
:004010EC 33C9                    xor ecx, ecx
:004010EE 33DB                    xor ebx, ebx


This section of code above will move eax into edx, and then xor ecx and ebx against themselves to reset the registers to the value of zero (0). Now scroll down just a bit, and you will see the following:

Code:

:004010F0 0FB68150204000          movzx eax, byte ptr [ecx+00402050]
:004010F7 3537130300              xor eax, 00031337
:004010FC 05EFBEADDE              add eax, DEADBEEF
:00401101 69C066060000            imul eax, 00000666
:00401107 2DB3BAAD1B              sub eax, 1BADBAB3
:0040110C C1E003                  shl eax, 03
:0040110F 350DD04DD3              xor eax, D34DD00D
:00401114 03D8                    add ebx, eax
:00401116 41                      inc ecx
:00401117 3BD1                    cmp edx, ecx
:00401119 75D5                    jne 004010F0
:0040111B 53                      push ebx


Can you take a guess at what this function does? Well, let me just tell you. It's the function that generates a serial number. Here is a basic overview of the function for those who do not understand assembly code.


The Algorithm

Code:
movzx eax, byte ptr [ecx+00402050]


This will take the first character of eax, which is the name we entered into the program. That character is then converted into its ASCII equivalent, and then converted into Hex. Now remember when we xor'd ecx so it has a value of zero (0)? Well, we can think of [ecx+00402050] as [0+00402050].


Now we take a look at the mathematics behind this security scheme:

Code:

:004010F7 3537130300              xor eax, 00031337
:004010FC 05EFBEADDE              add eax, DEADBEEF
:00401101 69C066060000            imul eax, 00000666
:00401107 2DB3BAAD1B              sub eax, 1BADBAB3
:0040110C C1E003                  shl eax, 03
:0040110F 350DD04DD3              xor eax, D34DD00D
:00401114 03D8                    add ebx, eax


We take eax (which has the hex value of the character), xor it by the hex value 00031337, add what we have in eax by the value DEADBEEF, multiply the value of eax by the value of 00000666, subtract the value of eax by the hex value 1BADBAB3, shift three places to the left, and last we xor the current value of eax by D34DD00D. Then we store the answer to all of the calculations into ebx so at the end of the loop ebx will hold a valid serial number.


The Loop

Code:

:00401116 41                      inc ecx
:00401117 3BD1                    cmp edx, ecx
:00401119 75D5                    jne 004010F0


Ecx is incremented by one (1), and then compared against edx (which holds the length of the name that we entered. For example, if we entered "CAT" this value would be three (3)). If ecx is not equal to edx we continue to cycle the loop.

That basically means ecx will gain + 1 each loop, and when ecx is equal to the length of character(s) in the name it will stop the loop because the serial number has been created.




Keygen Description

Now we have successfully figured out how the program generates the serial and the mathematics behind it. So now we can create a keygen for it.

If you are proficient in assembly, you can basically just take all of the mathematical operations in that code, and slightly modify it to get a fully working keygen, but if you use another language to write the keygen you will just have to simply apply the mathematics. Here is a description of how the keygen should operate in plain English.


* Take the input for a username

* Take each character of that name, get its ASCII value, and then convert that into Hex. (By each character I simply mean one character at a time; for example, "Troopa" would be taken apart each loop like "T" - "R" - "O" - "O" - "P" - "A".) Then simply apply the mathematics to the current string.

* Xor the current string in the loop by the hex value 00031337, add that value by DEADBEEF, multiply that value by 00000666, subtract that value by the hex value 1BADBAB3, shift three places to the left of the string, and last we xor the current value of the string by D34DD00D. Then we store the answer to all of the calculations into a new variable each loop so at the end of our loop that variable holds a valid serial number.



The Code

Here is the assembly code to generate a serial for the name "Troopa":

Code:

.486
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib


.data
sName     db "Troopa",0          ; name to generate a serial for
szFormat  db "%X",0              ; same format string the target uses

.data?
sNameCode dd 20 dup(?)           ; buffer for the formatted serial

.code
start:
    invoke lstrlen, addr sName   ; length of the name (the target gets this from SendMessage)
    mov edx, eax                 ; edx = loop bound (6 for "Troopa")
    xor ecx, ecx                 ; ecx = character index
    xor ebx, ebx                 ; ebx = running serial

   NextChar:
    movzx eax, byte ptr [ecx+sName]   ; next character of the name
    xor eax, 31337h
    add eax, 0DEADBEEFh
    imul eax, 666h               ; only the low 32 bits are kept, as in the target
    sub eax, 1BADBAB3h
    shl eax, 03h
    xor eax, 0D34DD00Dh
    add ebx, eax                 ; accumulate into the serial
    inc ecx
    cmp edx, ecx
    jne NextChar

    invoke wsprintfA, addr sNameCode, addr szFormat, ebx   ; format ebx as upper-case hex
    invoke MessageBox, NULL, addr sNameCode, addr sName, MB_OK
    invoke ExitProcess, 0
end start


Last edited by Kaosu on Tue May 18, 2010 10:29 pm; edited 20 times in total
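As an added example that is not part of the original post, the loop at 004010F0-00401119 can be re-implemented in Python, which makes the two details the MASM listing leaves implicit explicit: every operation is reduced modulo 2**32 so it wraps exactly like EAX/EBX, and names shorter than three characters are refused, mirroring the `cmp eax, 3` / `jl 0040117D` check at 004010E1. The post does not show how the target compares the entered serial with EBX, so `check_serial()` below is an assumption (it compares the "%X"-formatted value with the user's input read as hex); the sample names are constructed.

```python
"""Keygen for the serial routine disassembled above (added example, not the
original post's code).  Re-implements the loop at 004010F0..00401119.
Only single-byte (ANSI) characters are handled, since the target reads one
byte of the name per iteration."""

MASK32 = 0xFFFFFFFF
MIN_NAME_LEN = 3  # from: cmp eax, 00000003 / jl 0040117D


def serial_for_byte(b: int) -> int:
    """One iteration of the loop body: the value added to EBX for one byte."""
    eax = b & 0xFF                          # movzx eax, byte ptr [ecx+00402050]
    eax ^= 0x00031337                       # xor  eax, 00031337
    eax = (eax + 0xDEADBEEF) & MASK32       # add  eax, DEADBEEF
    eax = (eax * 0x666) & MASK32            # imul eax, 00000666 (low 32 bits kept)
    eax = (eax - 0x1BADBAB3) & MASK32       # sub  eax, 1BADBAB3
    eax = (eax << 3) & MASK32               # shl  eax, 03
    eax ^= 0xD34DD00D                       # xor  eax, D34DD00D
    return eax


def keygen(name: str) -> int:
    """Return the 32-bit value EBX holds when the loop exits for `name`."""
    raw = name.encode("latin-1")            # one byte per character, as the target sees it
    if len(raw) < MIN_NAME_LEN:
        raise ValueError("name must be at least %d characters" % MIN_NAME_LEN)
    ebx = 0
    for b in raw:                           # ecx runs 0 .. len-1, edx holds len
        ebx = (ebx + serial_for_byte(b)) & MASK32   # add ebx, eax
    return ebx


def format_serial(value: int) -> str:
    """Format like the target's wsprintf("%X", ebx): upper-case hex, no padding."""
    return "%X" % value


def check_serial(name: str, serial: str) -> bool:
    """Assumed verifier (the post does not show the comparison code): accept
    when the entered serial, read as hex, equals keygen(name)."""
    if len(name.encode("latin-1")) < MIN_NAME_LEN:
        return False                        # the jl at 004010E4 never reaches the compare
    try:
        entered = int(serial, 16)
    except ValueError:
        return False
    return entered == keygen(name)


if __name__ == "__main__":
    for n in ("Troopa", "CAT", "TAC"):      # constructed sample names
        print(n, format_serial(keygen(n)))
```

Running this for "Troopa" prints the same value the MASM program above shows in its message box. Because the loop only sums the per-character values, the serial is independent of character order: "CAT", "TAC" and "ACT" all produce the same serial, which is one more reason a scheme like this should not be trusted on its own.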

Author: tsh33p    Posted: Thu Oct 07, 2004 8:29 pm    Post subject: heh...
    ----
Well, actually, this is pertinent to security because of the way things are supposedly secure in the protection routine; by people studying and reversing things like this, software companies will have to make more secure, harder, etc. algorithms. Second of all, cracking is nothing bad... it has nothing to do with using Sub7 like you might be used to using. Reverse-engineering is an art, as some professional reversers would say... 0mega, as Troopa said, this has nothing to do with hacking or warez... can't you read? It's not that hard to understand, really. That's all.

Author: OddOne    Posted: Thu Oct 07, 2004 8:57 pm    Post subject:
    ----
Speaking as a software developer...


Troopa is indeed walking a VERY fine line here, as, no matter what the rationale, we ARE talking about circumventing software protection systems. In the U.S. it could be construed as a violation of the DMCA just to discuss this subject.

That said...

Troopa's information would be invaluable to a developer seeking to harden his or her work against casual cracking. Of course there's really no such thing as truly uncrackable, but if you have an idea HOW cracks are made you can take steps to make it harder TO make one for a given application.


Developers are not taking nearly as many steps to protect their goods against being cracked as they should, and as a result end up having to raise their license prices to compensate for the loss. Learning how to break your own apps from a cracker is the best thing you can possibly do as a developer.

I've sat at the virtual feet of many a cracker in my day - before starting a software company of my own I was an op in several major warez channels on IRC, so I had access to EVERYTHING I could ever want - and it's helped me tremendously ever since with my own coding projects. Of my last three software releases, one took ten months to crack and the other two remain uncracked since 2001, all because I had learned a cracker's mentality when it came to security and approached protection with the mindset of "how would I best attack this." If more developers were to do so we'd provide a challenge worthy of the genuine code poets in the cracking universe AND keep our products from being so heavily bootlegged by the myriads of amateurs.


So, FWIW, if Troopa is willing to disclose the methods behind the madness I for one am grateful. There's a lot to learn from your own weaknesses.

oO

Author: capi    Location: Portugal    Posted: Thu Oct 07, 2004 9:32 pm    Post subject:
    ----
Speaking as a software developer as well...

You cannot secure against that which you do not understand. This same discussion happens everytime anyone posts theory regarding a code exploit, vulnerabilities of networks, and so on.

Knowledge is neither good nor bad; it's what you apply it to that matters. The whole purpose for the existence of this forum is to share knowledge. If we were to follow the proposed line of reasoning we would soon reach a point where we would necessarily have to ban any and all discussion pertaining to any computer related topics, except perhaps things like "how do I install Outlook" or the Funny Section.

The author has used a generic example to illustrate the basics of reverse engineering and a glimpse at how one might analyze code looking for flaws. I do not believe this to be in any way immoral or unethical, any more than the countless other posts we have throughout our forums regarding cryptanalysis, buffer overflows, network "tools", particular coding techniques regarding hooks and flaws in firewall design, et cetera.

Now, were this "how to crack application X", the case would obviously be different. But as it stands, I don't see any problems with it, barring the snippet which I removed where the author offered to provide a copy of the program for practicing purposes..

Author: White Scorpion    Location: The Netherlands    Posted: Thu Oct 07, 2004 11:22 pm    Post subject:
    ----
Quote:
Now, were this "how to crack application X", the case would obviously be different. But as it stands, I don't see any problems with it, barring the snippet which I removed where the author offered to provide a copy of the program for practicing purposes..
Was this a program he has written himself, or was it someone else's?

Because I think if he had written it for this purpose he has every right to link it in his tut.

For the rest, I totally agree with you guys; that's the main reason why I started to learn ASM: to crack my programs (and others to learn, not to use illegally).

For the rest, great tutorial, can't wait until the next one shows up.

Author: capi    Location: Portugal    Posted: Thu Oct 07, 2004 11:34 pm    Post subject:
    ----
lepricaun wrote:
was this a program he has written hisself, or was it someone elses?

Good point, hadn't thought of that. Well, troopa: if the program you used here was an example created by yourself, or an open source program, or something for which you have the express permission of the author to use for these purposes, feel free to make it available here.

Author: Kaosu    Location: United States    Posted: Fri Oct 08, 2004 9:22 am    Post subject:
    ----
A member of our reverse-engineering group wrote this application so we could have something to play around with for a little while. I did have express permission to crack this software, and make public how this was done.

I understand why Capi took that part out of my post though, so if it's alright with the moderators I am more than happy to pass out this crackme to the community, PM me if you want a copy.

Author: viksit    Location: India    Posted: Fri Oct 08, 2004 4:10 pm    Post subject:
    ----
Interesting stuff...

Do you intend to follow this up with a more comprehensive tutorial/walkthrough?

Author: capi    Location: Portugal    Posted: Fri Oct 08, 2004 7:20 pm    Post subject:
    ----
troopa wrote:
I understand why Capi took that part out of my post though, so if it's alright with the moderators I am more than happy to pass out this crackme to the community, PM me if you want a copy.

No problem at all there, now that you explained the circumstances.

I do apologize for jumping to conclusions - nothing directed at you, as I'm sure you understand it's always best to err on the side of caution in this sort of thing. Please feel free to make the program available in whatever way you feel appropriate, either publicly through a link here or through a more private venue.

Author: White Scorpion    Location: The Netherlands    Posted: Fri Oct 08, 2004 7:29 pm    Post subject:
    ----
Well, I'm glad we got that sorted out :p

troopa, could you send me a copy of that program? I would like to have a look at it. My mail address: scorpius_unknown(at)yahoo(dot)com.

thanks in advance,

Regards


Scorpius

Author: Kaosu    Location: United States    Posted: Fri Oct 08, 2004 11:29 pm    Post subject:
    ----
Quote:
Do you intend to follow this up with a more comprehensive tutorial/walkthrough?


What would you like to see enhanced? I can surely follow up on this if you would like me to, however, I was hoping to move on to a new subject for the community such as how nag screens are disabled.

I know that is a very simple thing to discuss, however, there might be some programmers here interested in knowing how it is done so they can better secure their code against an attack such as patching.


Quote:
I do apologize for jumping to conclusions - nothing directed at you, as I'm sure you understand it's always best to err on the side of caution in this sort of thing.


Yes, I understand fully and I did not take a personal offense to it. I realize as a moderator you have the job of making sure content is within the rules of the community.

Quote:
Please feel free to make the program available in whatever way you feel appropriate, either publicly through a link here or through a more private venue.


Right now I don't have any place to host the file, but as soon as I get a new shell with web space I will be sure to post a link. For now I will just send it to people who ask me for it.

Author: Dunceor    Location: Sweden    Posted: Mon Oct 11, 2004 3:50 pm    Post subject:
    ----
I wouldn't mind taking a look at that software also, so please mail me at dunceor AT gmail DOT com. Thanks. Very nice post also.

Author: Crazy    Posted: Thu Nov 11, 2004 2:30 pm    Post subject:
    ----
Thanks. Update now, and good stuff...

Author: Agentsmith15    Location: Texas...    Posted: Tue Jan 18, 2005 8:07 pm    Post subject:
    ----
Quote:
:004010F7 3537130300 xor eax, 00031337
:004010FC 05EFBEADDE add eax, DEADBEEF
:00401101 69C066060000 imul eax, 00000666
:00401107 2DB3BAAD1B sub eax, 1BADBAB3
:0040110C C1E003 shl eax, 03
:0040110F 350DD04DD3 xor eax, D34DD00D
:00401114 03D8 add ebx, eax



We take eax (which has the hex value of the character), xor it by the hex value 00031337, add what we have in eax by the value DEADBEEF, multiply the value of eax by the value of 00000666, subtract the value of eax by the hex value 1BADBAB3, shift three places to the left, and last we xor the current value of eax by D34DD00D. Then we store the answer to all of the calculations into ebx so at the end of the loop ebx will hold a valid serial number.


What are some of the other types of mathematics in ASM, like what would be three places to the right, and other stuff? Couldn't you use a hex calculator instead of a keygen? And if so, where would be a good one?

Author: Moore    Posted: Mon Feb 07, 2005 1:43 pm    Post subject:
    ----
Thanks for the info...

I'm wondering if anyone has more information along the lines of reversing hostile code, such as this article:
http://www.securityfocus.com/infocus/1637

Author: z0mbi3    Posted: Fri Jun 17, 2005 5:34 pm    Post subject:
    ----
Sorry for a really late post.

http://www.eeye.com/html/research/advisories/AL20010717.html
Analysis of the Code Red worm

and check this book
Reversing: Secrets of Reverse Engineering
http://www.amazon.co.uk/exec/obidos/ASIN/0764574817/

Author: Nathaniel Firethorn    Posted: Sun Jul 17, 2005 1:11 pm    Post subject:
    ----
A really n00b question:

Reversing looks like a lot of fun. I've done a bit of it, but with 1982-level tools on Apple ][ (never with the kind of tools available today.)

Is it possible to make a living at it (or part of a living) as a white-hat?

Thanx
- NF

Author: HAVOK    Location: Spain    Posted: Wed Dec 07, 2005 8:11 pm    Post subject:
    ----
Nathaniel Firethorn wrote:
Is it possible to make a living at it (or part of a living) as a white-hat?


Yes, it is. For example:

1. If you work for an anti-virus company you will have to analyse viruses to see how they work. Part of this is done through disassembly / debugging.

2. If you sell anti-cracking software you will have to crack other people's protections to keep current (not very white-hat, but this is how this works).

3. You can find exploits for Windows by comparing and reversing an unpatched DLL against the patched one. This is legitimate work and there are some people who do this for money.

[EDIT=> 4: forensics]

Small comment on the tutor:

I see you only mention W32DASM, but IDA is really much better, nothing to do with W32DASM. There is a free version of IDA for download at their website. The only difference from the commercial version is that the latter has a built-in debugger, but you can use Olly instead.

Author: vx    Location: norway    Posted: Mon Nov 13, 2006 10:26 pm    Post subject: Where is the program
    ----
I did not find the program that the link was supposed to contain; is it just me that is stupid?

Author: alt.don    Posted: Mon Nov 13, 2006 11:06 pm    Post subject:
    ----
Hello,

You may wish to Google for Ollydbg and IDA Pro free version. Of the two I would go with Ollydbg.

You will also need the following tools/knowledge:

Hex editor: There are many good and free ones out there. Give it a Google

PE format: Become familiar with what it is as it will help you understand a Microsoft executable that much better, and also just how code gets mapped from physical memory to RAM.

ELF format: This is the format of Linux/BSD executables and will do the same as the above for you in terms of knowledge.

Programming knowledge: It is important to understand C, C++ and Assembler at a high level if nothing else. You don't necessarily have to be a full-fledged programmer to reverse but it certainly is helpful.

One of the simplest ways to start out is to code your "Hello World" program and then to disassemble it. That is a good and simple starting point.

The two above file formats are important to understand as it will also be most beneficial when you are looking at malware. Lastly, I will have an article series on reverse engineering for beginners going up on WindowSecurity soon. Keep an eye out for it.




