xorl %eax, %eax

cyclops’s NTS-Crackme10 Solution

leave a comment »

I found my solution for this crackme while cleaning up an old USB flash drive. So, here is my solution to this really cool crackme.
When you first run you’ll see something similar to this:

crackme1

After browsing for a few minutes the code in IDA I spotted the reason why it was exiting when I was attempting to run it in a debugger. The reason is:

.text:0040129C loc_40129C:                             ; CODE XREF: sub_401260+36j
.text:0040129C                 push    offset LibFileName ; "kernel32.dll"
.text:004012A1                 call    ds:LoadLibraryA
.text:004012A7                 push    offset ProcName ; "IsDebuggerPresent"
.text:004012AC                 push    eax             ; hModule
.text:004012AD                 call    ds:GetProcAddress
.text:004012B3                 call    eax
.text:004012B5                 test    eax, eax
.text:004012B7                 jz      short loc_4012BD
.text:004012B9                 push    0               ; nExitCode
.text:004012BB                 call    edi ; PostQuitMessage
.text:004012BD

As you can see, it uses IsDebuggerPresent() from kernel32.dll and if this returns TRUE which means EAX will be non-zero, it will jump to loc_4012BD. Otherwise, it will just execute PostQuitMessage(0). There a number of ways to overcome this protection, the simplest one is to just patch the binary and make “test” instruction succeed every time. Another common way is to attach to the process after this code has been executed. In this case, attaching is easier since this check is performed only once during the initialization of the process. Just start the process normally in your Windows and then attach your favorite debugger to it! :)
And now, it is the time to fill every “sound interesting” function with breakpoints. Probably the most interesting one was the Cwnd::GetDlgItemTextA(int, char *, int). From MSDN we can see that this is an MFC (Microsoft Foundation Class) library routine, this is definitely not surprising. Just have a look at that binary and you will see that it makes wide use of MFC. So… After entering a username/password like AAAAAAAA/BBBBBBBB and pressing a quite a few F7 I saw this:

.text:004014BA loc_4014BA:                             ; CODE XREF: sub_401490+21j
.text:004014BA                 nop
.text:004014BB                 pop     eax
.text:004014BC                 lea     eax, [ebp+var_24]
.text:004014BF                 push    1Fh
.text:004014C1                 push    eax
.text:004014C2                 push    3E8h
.text:004014C7                 call    ?GetDlgItemTextA@CWnd@@QBEHHPADH@Z ; CWnd::GetDlgItemTextA(int,char *,int)
.text:004014CC                 mov     edi, eax
.text:004014CE                 push    ecx
.text:004014CF                 push    eax
.text:004014D0                 rdtsc
.text:004014D2                 xor     ecx, ecx
.text:004014D4                 add     ecx, eax
.text:004014D6                 rdtsc
.text:004014D8                 sub     eax, ecx
.text:004014DA                 cmp     eax, 0FFFh
.text:004014DF                 jb      short loc_4014E8
.text:004014E1                 add     [ebp+var_4], 3025h
.text:004014E8

The value stored in EAX, is our username as we can see from the stack at that moment:

Stack[00000488]:0012F884 var_24          db 41h
Stack[00000488]:0012F885                 db  41h ; A
Stack[00000488]:0012F886                 db  41h ; A
Stack[00000488]:0012F887                 db  41h ; A
Stack[00000488]:0012F888                 db  41h ; A
Stack[00000488]:0012F889                 db  41h ; A
Stack[00000488]:0012F88A                 db  41h ; A
Stack[00000488]:0012F88B                 db  41h ; A

Then, it invokes Cwnd::GetDlgItemTextA() in a way similar to: GetDlgItemTextA(0x1F, username, 0x03E8). The last value represents the maximum length and in decimal this is 1000. The subsequent mov edi, eax instruction is used to store the return value (EAX) of GetDlgItemTextA() which represents the length of the characters being copied not including the NULL termination to EDI register.
The next snippet makes use of rdtsc to retrieve the processor timestamp and store the result which is 64bit long to ECX and EAX. It zeros out ECX by XOR’ing it with it self and then adds to it the value of EAX (the lower value returned by rdtsc). It invokes rdtsc once again and then substracts the returned value from the one stored in EAX from the first call. If the comparison succeeds, which means that EAX is equal to 0xFFF (which is 4096 in decimal) it skips the add instruction since it jumps to loc_4014E8 which is the immediately next location.
In case that CMP fails, which means that it took some more time than the expected between the two instructions, then it adds 0x3025 (12325 in decimal) to a local variable. This is another nice little anti-debugging feature. It counts the execution time between the two rdtsc instructions and if it is longer than the expected (probably because of some debugger single stepping around) then it changes its behavior. Once again, there are countless ways to bypass this. You can patch it to add 0, you can NOP it, you can make the CMP succeed always, or you can simply set a breakpoint after that code, for example in loc_4014E8 and thus no execution time overhead. I patched it to be zero and now, after bypassing this let’s move to the loc_4014E8 code.

.text:004014E8 loc_4014E8:                             ; CODE XREF: sub_401490+4Fj
.text:004014E8                 nop
.text:004014E9                 pop     eax
.text:004014EA                 pop     ecx
.text:004014EB                 lea     ecx, [ebp+var_48]
.text:004014EE                 push    11h
.text:004014F0                 push    ecx
.text:004014F1                 push    3E9h
.text:004014F6                 mov     ecx, esi
.text:004014F8                 call    ?GetDlgItemTextA@CWnd@@QBEHHPADH@Z ; CWnd::GetDlgItemTextA(int,char *,int)

Here it just invokes Cwnd::GetDlgItemTextA() in a way similar to: GetDlgItemTextA(17, password, 1001). So… Continuing with this function we have:

.text:004014FD                 cmp     edi, 5
.text:00401500                 jle     short loc_40152F
.text:00401502                 cmp     eax, 5
.text:00401505                 jle     short loc_40152F

If you recall, EDI has the length of the username not including the NULL termination and from the previous call, EAX has the length of the password. If any of these two is less than 5 characters, it will jump to loc_40152F. This is something you really don’t want to happen since this code simply ends this function like this:

.text:0040152F loc_40152F:                             ; CODE XREF: sub_401490+70j
.text:0040152F                                         ; sub_401490+75j ...
.text:0040152F                 pop     edi
.text:00401530                 pop     esi
.text:00401531                 mov     esp, ebp
.text:00401533                 pop     ebp
.text:00401534                 retn

Assuming that our credentials are more than 5 characters, then the code that follows is this:

.text:00401507                 mov     edx, [ebp+var_4]
.text:0040150A                 lea     eax, [ebp+var_48]
.text:0040150D                 push    edx
.text:0040150E                 lea     ecx, [ebp+var_24]
.text:00401511                 push    eax
.text:00401512                 push    ecx
.text:00401513                 call    sub_4013D0
.text:00401518                 add     esp, 0Ch
.text:0040151B                 test    eax, eax
.text:0040151D                 jz      short loc_40152F
.text:0040151F                 push    0
.text:00401521                 push    0
.text:00401523                 push    offset aSerialIsCorrec ; "Serial is Correct!!!"
.text:00401528                 mov     ecx, esi
.text:0040152A                 call    ?MessageBoxA@CWnd@@QAEHPBD0I@Z ; CWnd::MessageBoxA(char const *,char const *,uint)
.text:0040152F

Now, EDX contains the username, EAX the password and then a call to sub_4013D0 is made with parameters like these: sub_4013D0(&username, &password, var_4). It is noteworthy here that if the rdtsc anti-debugging succeeded, then var_4 would be set to 12325 instead of 0 that it is normally. Anyway, keep these in mind and let’s continue with the execution.
After a useless ESP+0, it tests the return value of sub_4013D0 function. If it returns FALSE, then it will jump to loc_40152F which was demonstrated earlier, it will just terminate the routine. However, if it returns true it will call MessageBoxA(“Serial is Correct!!!”, 0, 0). We have reached our goal! We can now choose the easy path of just patching it and creating a crack file that changes the behavior of that test instruction or its equivalent jz or whatever. But the fun part is to reverse the sub_4013D0 and write a nice little key logger. Let’s do this.

It starts like this…

.text:004013D0 sub_4013D0      proc near               ; CODE XREF: sub_401490+83p
.text:004013D0
.text:004013D0 Dest            = byte ptr -0Ch
.text:004013D0 arg_0           = dword ptr  4
.text:004013D0 arg_4           = dword ptr  8
.text:004013D0 arg_8           = dword ptr  0Ch
.text:004013D0
.text:004013D0                 sub     esp, 0Ch
.text:004013D3                 xor     eax, eax
.text:004013D5                 xor     edx, edx
.text:004013D7                 push    ebx
.text:004013D8                 push    esi
.text:004013D9                 mov     esi, [esp+14h+arg_0]
.text:004013DD                 mov     cl, [esi]
.text:004013DF                 test    cl, cl
.text:004013E1                 jz      short loc_401422
.text:004013E3                 push    edi
.text:004013E4                 mov     edi, [esp+18h+arg_8]

So, we have our three arguments username, password and that anti-debugging counter. Then it allocates 12 bytes on the stack and zeroes out EAX and EDX. For convenience I renamed the argumets to user, pass and counter respectively. The next mov instruction stores the address of the username to ESI and the following one, uses the lower part of ECX (meaning the CL register) to get the first character of the username. If this is not NULL (meaning that test instruction succeeds), it will jump to loc_401422. Otherwise, it will push the current value of EDI in the stack and then store the anti-debugging counter to it. Assuming that our username has at least 6 characters, to pass a check shown earlier we can move on with the execution knowing that the test instruction will succeed. The following code is this:

.text:004013E8 loc_4013E8:                             ; CODE XREF: sub_4013D0+4Fj
.text:004013E8                 movsx   ecx, cl
.text:004013EB                 mov     ebx, ecx
.text:004013ED                 xor     ebx, 0C0C0C0C0h
.text:004013F3                 sub     ebx, edi
.text:004013F5                 add     ebx, edx
.text:004013F7                 imul    ebx, eax
.text:004013FA                 shl     ebx, 1
.text:004013FC                 mov     edx, ebx
.text:004013FE                 lea     ebx, [ecx+ecx*4]
.text:00401401                 xor     edx, ebx
.text:00401403                 and     ecx, 8000001Fh
.text:00401409                 jns     short loc_401410
.text:0040140B                 dec     ecx
.text:0040140C                 or      ecx, 0FFFFFFE0h
.text:0040140F                 inc     ecx

Ok… It moves the character of the username stored in CL to ECX in order to be able to perform various operations. For this reason it uses movsx that performs sign extension. It then moves it into ECX and XORs it with 0x0C0C0C0C0. It then subtracts from it the anti-debugging counter/value which is 0 if everything works as expected and increments EBX (username pointer) by EDX (which is 0 now). The next three instructions, imul, shl and mov are used to multiply and sign extend EAX (which is 0) with EBX (username character) and store the result to EDX. The next lea instruction is tricky, it’s used simply to multiply by five and store that result to EBX. The previous result stored in EDX and the one of the exact previous instruction in EBX are XOR’d. Next, ECX is masked with 0x8000001F and if the value isn’t less than zero, then jump to loc_401410. If this is not the case, decrement ECX and OR it with 0x0FFFFFFE0 and then increment it. Assuming that we have a positive value, the following code will be executed:

.text:00401410 loc_401410:                             ; CODE XREF: sub_4013D0+39j
.text:00401410                 shl     edx, cl
.text:00401412                 mov     cl, [eax+esi+1]
.text:00401416                 xor     edx, 0BADDC001h
.text:0040141C                 inc     eax
.text:0040141D                 test    cl, cl
.text:0040141F                 jnz     short loc_4013E8
.text:00401421                 pop     edi

The first instruction shifts left EDX register, and the next mov instruction retrives the next character of the username. EDX is then XOR’d with 0x0BADDC001 and EAX is incremented. If CL is not NULL it jumps back to loc_4013E8. So.. this is a simple loop. In C this could be represent it like:

for(c = *(char *)username; username; ++i)
{
   edx = 5 * c ^ 2 * i * (edx + (c ^ 0xC0C0C0C0) - counter);
   ecx = c & 0x8000001F;

   if (ecx < 0)
     ecx = ((--ecx) | 0xFFFFFFE0) + 1;

   edx = edx << ecx;
   c = *(char *) (i + user + 1);
   edx = edx ^ 0x0BADDC001;
} 
&#91;/sourcecode&#93;

With this in mind we can move on with this routine. The next code is fairly simple...

&#91;sourcecode language="c"&#93;
.text:00401422 loc_401422:                             ; CODE XREF: sub_4013D0+11j
.text:00401422                 push    edx
.text:00401423                 lea     eax, &#91;esp+18h+Dest&#93;
.text:00401427                 push    offset Format   ; "%08X"
.text:0040142C                 push    eax             ; Dest
.text:0040142D                 call    ds:sprintf
.text:00401433                 mov     esi, &#91;esp+20h+pass&#93;
.text:00401437                 add     esp, 0Ch
.text:0040143A                 lea     eax, &#91;esp+14h+Dest&#93;
&#91;/sourcecode&#93;

What it does is basically sprintf(Dest, "%08X", edx). This means that the hex value is then stored into ESI and the final password into EAX. So, in C this code would be:

&#91;sourcecode language="c"&#93;
sprintf(dest, "%08X", edx);
esi = password;
eax = dest;
&#91;/sourcecode&#93;

And let's move to the next disassembled code...

&#91;sourcecode language="c"&#93;
.text:0040143E loc_40143E:                             ; CODE XREF: sub_4013D0+90j
.text:0040143E                 mov     dl, &#91;eax&#93;
.text:00401440                 mov     bl, &#91;esi&#93;
.text:00401442                 mov     cl, dl
.text:00401444                 cmp     dl, bl
.text:00401446                 jnz     short loc_401473
.text:00401448                 test    cl, cl
.text:0040144A                 jz      short loc_401462
&#91;/sourcecode&#93;

It moves the first character of the dest string into DL and the first of the password into BL registers. It then moves DL into CL and compares DL (aka the dest string character) with BL (the password character). If they are not equal it jumps to loc_401473, if they are, it checks that dest character, CL is not NULL. If it's NULL it jumps to loc_401462. The code continues like this:

&#91;sourcecode language="c"&#93;
.text:0040144C                 mov     dl, &#91;eax+1&#93;
.text:0040144F                 mov     bl, &#91;esi+1&#93;
.text:00401452                 mov     cl, dl
.text:00401454                 cmp     dl, bl
.text:00401456                 jnz     short loc_401473
.text:00401458                 add     eax, 2
.text:0040145B                 add     esi, 2
.text:0040145E                 test    cl, cl
.text:00401460                 jnz     short loc_40143E
&#91;/sourcecode&#93;

It increments the pointers to point to the next characters and compares them once again. It iterates to this loop until it completes the string, meaning CL is NULL. In C this could be written like:

&#91;sourcecode language="c"&#93;
dl = *(char *)dest;
bl = *(char *)password;
for(;;)
{
	cl = dl;

	if (dl != bl)
          goto loc_401473;
	if(cl == NULL)
          goto loc_401462;

        dl = *(char *)dest++;
	bl = *(char *)password++;

	if (dl != bl)
	  goto loc_401473;
 
        dest += 2;
	password += 2;

	if (cl == NULL)
          goto loc_40143E;
}
&#91;/sourcecode&#93;

So.. that's it! By the way, if you single step you can check out the value stored in dest using sprintf. This is the password we're looking for. In my case (user: AAAAAAAA) that was:

&#91;sourcecode language="c"&#93;
Stack&#91;00000D54&#93;:0012F83C Dest            db 37h
Stack&#91;00000D54&#93;:0012F83D                 db  41h ; A
Stack&#91;00000D54&#93;:0012F83E                 db  36h ; 6
Stack&#91;00000D54&#93;:0012F83F                 db  30h ; 0
Stack&#91;00000D54&#93;:0012F840                 db  33h ; 3
Stack&#91;00000D54&#93;:0012F841                 db  43h ; C
Stack&#91;00000D54&#93;:0012F842                 db  35h ; 5
Stack&#91;00000D54&#93;:0012F843                 db  42h ; B
Stack&#91;00000D54&#93;:0012F844                 db    0
&#91;/sourcecode&#93;

And of course the result of entering this is...

<img src="https://xorl.files.wordpress.com/2009/07/2.jpg" alt="crackme2" title="crackme2" width="336" height="258" class="aligncenter size-full wp-image-1015" />

And obviously, with the above knowledge you can easily write a key generator for this application. Here is mine:


#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void usage(const char *);

int
main(int argc, char *argv[])
{
         if (argc != 2)
           usage(argv[0]);
         
         char         *user = (char *) argv[1];
         char         *pass[10];
         char          ch;
         int           i = 0;
         long          edx, edx2, edx3 = 0;
         long          ecx;
          
         if (strlen(user) < 6)
         {
            fprintf(stderr, "Username must be more than 5 characters long\n");
            exit(EXIT_FAILURE);
         }
         
         memset(pass, 0, sizeof(pass));
         
         for(ch = *(char *)user; ch; ++i)
         {
                edx = 5 * ch ^ 2 * i * (edx3 + (ch ^ 0xC0C0C0C0));
                ecx = ch & 0x8000001F;
                
                if (ecx < 0)
                  ecx  = ((--ecx) | 0xFFFFFFE0) + 1;
                
                edx2 = edx << ecx;
                ch = *(char *) (i + user + 1);
                edx3 = edx2 ^ 0xBADDC001;
         }
         
         sprintf(&pass, "%08X", edx3);  
         
         fprintf(stdout, "\nUsername:\t%s\nPassword:\t%s\n", user, pass);
         return 0;
}

void
usage(const char *name)
{
            fprintf(stderr, "Usage: %s <username>\n", name);
            exit(EXIT_FAILURE);
}

Which as you can see here:

crackme3

It works!

crackme4

Written by xorl

July 8, 2009 at 06:22

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s