The Legend Of Random

Introduction

Bruteforcing is a way to extract a serial (or password or whatever…) from a binary when you know the input and output of a encryption/decryption routine, but perhaps do not know how, nor wish to spend the time patching the software. It is the difference between cracked software coming with a patcher (or a copy of the patched executable) and coming with a username/serial that works. If you’ve ever downloaded cracked software and the person who cracked it includes a username/serial to crack it, they have probably used bruteforcing.

The way it works is, knowing the input and output of the encryption/decryption routine, you try every possibility that turns the input into the output until one matches. For example, if I enter a serial of ’12121212′ and the app sends this into the decryption routine, and after the routine the app compares this with “j6^^gD7-L”, we have the input as my serial and the output as that strange string. What we want to find out is how the ’12121212′ was turned into ‘j6^^gD7-L’, and how we can enter our a serial that matches what the program expected as output, in other words what serial to put in so the app successfully registers us.

Keep in mind that this only works on binaries that user a username/serial in order to check the legitimacy of registration. If the app queries a database online, this won’t work.

All that being said, bruteforcing is not terribly difficult. One requirement is that you know at least one programming language that you can make a bruteforcing program in. In this tutorial I will be discussing mostly C, as that’s high-level enough for most to see what’s going on (far more than assembly, at least).

Another requirement is understanding how the username or serial (or both) is converted into the output. The reason for this is that it cuts down on the amount of operation we must try. If I say we must turn the password “SECRET” into the output “MESSAGE”, there are an infinite amount of ways. But if I say that the only operations we can user are XORing the username with a certain value, well, that limits it a great deal.

Now we can begin talking specifically about our crackme. As always, you can download the relevant files on the tutorials page. In this tutorial we will be dealing with the same crackme we previously used, as well as our bruteforcing program.
(continue reading…)

In this tutorial we will discuss working with binaries written in Delphi. Delphi binaries are quite different then binaries written in other languages. You can generally tell a Delphi program by the numerous calls (far more than a typical program) as well as some other techniques we will be discussing.

Included in the tutorial download are the two crackme’s, the Delphi Decompiler (DeDe), and ExeInfoPE, available on the tutorials page.

You will also need Resource Hacker (and OllyDBG)  available on the tools page.

(continue reading…)

In part two of this three part series we will go over self-modifying code and will eventually crack this binary. As promised, it will be challenging, but don’t worry if you don’t get everything- a lot is specific to this binary and you may never see again.

As always, the files you need are included with the download of this tutorial on the tutorials page.

(continue reading…)

Well, after overcoming two viruses (one for me and one for my computer) I finally have the latest tutorial up. This tutorial will be part of a three part tutorial, all dealing with the same crackme ( a pretty hard one) called Crackme12 by Detten. In the first part we will go over how Windows messaging works. The second part will be about self-modifying code. In this part we will also crack the app. In the third and final part we will introduce bruteforcing. And you guessed it, in the third part we will bruteforce this binary. Each part will continue where the previous left off.

This three part series will be challenging, but I guarantee you that if you take your time and experiment on your own, you will gain critical knowledge in reverse engineering. And remember, if you have any questions, feel free to ask in the forum . I will also give homework at the end of each tutorial that will help you prepare for the next one. This is where the real learning will come in .

As always, the files you need will be available in the download of this tutorial on the tutorials page. For the first part, the files include the crackme and a cheat sheet for Windows messaging.

So, without further ado, let’s begin…

(continue reading…)

Introduction

In this tutorial we will be removing a nag from a ‘real’ program. In an attempt to help out the author’s, who spend a great deal of time creating these apps, I have attempted to pick an app that will do the least amount of harm. This time, I did a Google search for “Cracked Software” and this program came up with the most hits, including tutorials, serial numbers, keygens, you name it. Because it is so incredibly easy to get a crack for this app, I figured someone would probably not have much trouble getting it anyway. But please, if you do like it, pay for it.

We will also be adding a couple tricks to our arsenal for reverse engineering. One note, if you are running these tutorials under 64-bit windows 7 (like I am), Olly 1.10, even my version, the call stack trick will not work. My suggestion is to do what I do: Run Olly 2.0 just to perform the trick (and get the correct address) then switch back over to my version of Olly for the rest of it. Or just use Olly 2.0- there are a lot of nice features in it and it has been fixed to work properly with 64-bit operating systems.

You can download the files for this tutorial on the tutorials page.

(continue reading…)

Introduction

Nags, or nag screens, are generally message boxes that pop up to remind you that your trial is ending, you need to register, a reminder about visiting the website… basically anything that’s nagging and not necessary (like most bosses ). Many Freeware programs come free because they’re full of nags (ads, time-trials, re-directs). Commercial software also includes them often, reminding you “you have 18 days left to try this product.” etc. Getting rid of nags is a central theme in reverse engineering, and sometimes provides it’s own set of challenges. In this tutorial we will be going over two apps that have nags. We will then bypass them so they no longer show, and then patch them so they won’t ever come back.

I will also be introducing a new plugin for Olly called IDAFicator. It has many features and settings. you can download the plugin from the tools page. Because there are so many features, I am also including a tutorial by the author of IDAFicator in the download for this tutorial. I highly recommend watching it as there are a lot of very cool features to this plugin.

You can download the files and PDF version of this tutorial on the tutorials page.

(continue reading…)

Introduction

In this tutorial we are going to take off the training wheels and crack a real program. This program has a time restriction, and after this time, it will not work anymore. We are going to patch it to think it is registered. The target is included in this download (I am not stating the name of the program as the purpose of this tutorial is not to get a ‘cracked’ program but to learn how to do it.) Like all commercial programs, if you plan on using them, you really should consider buying it. People put a great deal of time into apps and they deserve to be compensated. In an attempt to not make this series about ‘getting cracked software’, I tried to get a program that no one would really want, so I downloaded this app, which had the least amount of downloads last week on Download.com. To be totally honest, after cracking the program in this tutorial, I liked it so much I paid for the registration and now use the app legitimately. Just goes to show you you can’t judge an app by it’s downloads.

You can download the files and PDF version of this tutorial on the tutorials page.

Well, on with the show…

(continue reading…)

Introduction

In this tutorial we will be going over a program that’s a little more challenging. It is called ReverseM1, written by R4ndom. I will also be discussing the plugin “Ascii Table” for Olly. It is downloadable on the tools page. This ReverseMe is a perfect example of why the LAME way of patching is often just that- lame.

You can download the files and PDF version of this tutorial on the tutorials page.
(continue reading…)

Introduction

In this tutorial we will be discussing patching programs again, but diving a little deeper than a typical single “first patch we come to”. We will start with a console program and find the correct password that has been hidden in it. It is included in the tutorial download. Other than this, all you will need is OllyDBG.

You can download the files and PDF version of this tutorial on the tutorials page.

So let’s get started…

(continue reading…)

Introduction

In this tutorial we will be discussing the different levels to patching a binary. This tutorial is a little on the long and detailed side, but we will be covering a lot of ground, some of which is not that easy. I wanted to give you an example of deep analysis on a binary, and what it entails. You may not understand a great deal of it, but it will give you a good overall view of reverse engineering. This way, in future tutorials, you will have a frame of reference. We will be studying the same crackme as last tutorial, Crackme6 by “TDC”, included in the download.

You can download the files and PDF version of this tutorial on the tutorials page.

Overall, it’s not a tough crackme as we saw in the last tut, but we will be doing some advanced analysis on it, preparing for future tutorials. So sit back, grab a coffee/cigarette/candy bar/hypodermic needle, whatever gets you going, and let’s get started…

(continue reading…)