The trick is to find that routine and modify it so that the application thinks it is registered. Trace back a bit through the instructions in x64dbg. Set a break point at 00007FF70E2FAE0E and restart the application. Let's take a look at the next one: Oh! If you see the above image, 3 lines below our code where the password is loaded into the register, you will see test EAX, EAX at address 0000000000401590. And crack_mex64.401636 is nothing but our printing of 'Correct Password' at address 0000000000401636. It means we are still in the thread. We test this by changing 369 to another constant from the string table. You can see on the top right window that our password 'pass123' and the original password 'PASSWORD1' are loaded into the registers RCX and RAX for comparison. In the next blog, we will be looking at a bit more complex examples rather than finding just plaintext passwords from binaries. Press space to modify the row and change jne to jmp. Therefore, when 1 is loaded into EAX, it by default goes into the RAX register. This tutorial describes how to crack WinRAR. The main reason for that is because I can see a jmp statement and a call statement right above it. Now if you are on 32bit you can use OllyDBG, if you are on 64bit you need to use another debugger. Since we are debugging an x64 binary, the values of x86 registers, for example EAX or ECX, will be inside RAX or RCX itself. You can see in the below image that it uses cmp to check if the value matches 1. Fastcalls are x64 calling conventions where arguments are passed in just 4 registers. So, if the test says they are equal, it will jump (je = jump if equal) to crack_m3x64.40159B, which is where it will mov 0 to the EAX register. It still mentions the 40 days trial copy. To load the binary into x64dbg, below is the command line you can use: .\x64dbg.exe crack_mex64.exe pass123. You can compile the binary in Windows with the below command: $ g++ crack_me.cpp -o crack_mex64.exe -static -m64.
je at 00007FF70E2F80D2 is taken and mov al,1 is not executed. In this blog however, we will be using the same source code of the binary but compile and debug it in Windows. The reason different architectures (32/64bit) require different debuggers is because of the distribution of our target. Choose either x64dbg or x32dbg according to whether the file is 64 bit or 32 bit respectively. We do the latter first because this can be easily checked by setting a hardware write breakpoint at 7FF7B92848E4. That's why I decided to reverse engineer it and write a tutorial upon it. In the previous blog here, we reverse engineered a simple binary containing a plaintext password in Linux with the help of GNU Debugger (GDB). Meaning we have to change (don't do it yet!) This usually means the function we are in is inside a thread, which matches the behaviour of the nag screen. This is however a re-posting of my own blog from here. We are now at the beginning of the routine that is very likely to modify the al (rax) register that eventually will decide if the evaluation copy string or no string is shown in the title bar. So, this is the point where our interesting function starts. Now restart the application by pressing ctrl+F2. Let's follow the code (step over, F8): As you can see, the jump (JE) wasn't hit and we are going to execute the function located at 0x13F169968. Now restart the application (ctrl+F2). I'll be using x64dbg, but if you are on 32 bit and you are using Olly the steps shouldn't differ that much (the debuggers are very alike). The registration routine can be found in many ways, but usually a good place to start is to search for certain strings.
The middle two windows: the left one shows you the .text section of the assembly code, and the right one shows the fastcalls in x64 assembly. The value of eax is the 32 least significant bits of the rax register, which can be seen in the top-right window in x64dbg. The instruction at 00007FF70E2FAE07 that decides if the jne is taken, cmp byte ptr ds:[7FF7B92848E4],dil, compares the byte located at memory address 7FF7B92848E4 with the contents of the dil register. I noticed after putting the breakpoint that 9/10 times it takes the second JE to the end of the method. You see that the constant is represented as 369, which is hexadecimal for 873. In the window that appears enter 873 in the Signed: box and click OK. x64dbg finds one occurrence of the constant located at address 00007FF6A403AE4A. Analysing the routine, at 00007FF70E2F80D4 the al register is specifically modified to contain the value 1. Then we patched this routine by removing the je instruction that was causing the application to execute in the non-registered state. This means that the result of cmp byte ptr ds:[7FF7B92848E4],dil will be 0 and ZF will be set. We modify the eax register so that it contains a value <= 13 and the ja jump is not taken. We are now in the CPU tab at the memory address that uses the constant.
The patch is fairly simple: if it's JNZ it will always show the nag screen, unless it actually should show us the nag screen (the 1/10 times). Once you have downloaded the required debugger, you can compile the source code which is uploaded on my Git repo here. We have verified that the constant 369 in the instruction is used for the evaluation copy string. Let me quickly explain what these windows are: The top left window displays the disassembled code. It will walk you through the entire assembly code of the binary. The string cannot be found, so most likely it is not stored as consecutive characters in the executable. We found the registration routine by tracing back from the evaluation copy string. If you inspected the first JE you would notice that it jumps past the second JE. Only the last couple of bytes should be the same. We now need to modify the return value of 1 to 0 which is returned by the check_pass() function. If it's JE it will only show the nag screen sometimes, but still enough for it to annoy the fuck out of us. To search for strings, right click anywhere in the disassembled code -> Search for -> All Modules -> String References. String tables are used to save memory. The string in the title bar has now changed to only xx days left to buy a license. No string is shown any more in the title bar; this looks like the registration flow. How to use the x64dbg debugger? We know a few strings from when we executed the binary. So, unlike GDB where we can supply the argument inside GDB, in Windows we will have to supply it while loading the binary via the command line itself. nop means no-op and does not execute anything. There, the instruction cmp eax, 13 will compare the eax register with the value 13 (in hex), and set the ZF if eax <= 0x13.
This tells us the target hashes multiple license formats, which we can and will exploit. Search for the constant 873 in x64dbg: right click somewhere in the CPU window and go to Search for -> Current module -> Constant. We search for the instructions that modify the rax register. It is highly likely that the rax register is modified in there. And then you should see that RAX is changed to zero. The application is now running without pausing at any break points. Step over some more instructions and you will see a few JE's. Hmm, that's unexpected behavior as that would skip our patch. This address is likely to be a bit different on your system, but the last two bytes should be the same: 4A. To move on, let's search for 'rarkey'; these are my results (yours should be the same except for the addresses): This looks like the function is trying to find any of the allowed file formats. This type of breakpoint will break when a value is written to that memory address. Let's just hit the run button till it reaches this breakpoint. We check what happens when je is not taken by replacing the je with nop instructions (we could also invert je to jne). Press F9 until the application pauses at the break point we just set. It uses the jne (jump if not equal) condition, which means it will jump to crack_mex64.401636 if it is not equal to one. At 00007FF70E2FAE0E there is a jump, jne, that jumps past both the instructions mov ecx, 368 and mov eax, 369. jne stands for jump not equal and takes the jump when ZF == 0.
We test what execution path will be taken around this instruction mov al,1 by setting a break point at the beginning of the routine at 00007FF70E2F80A8. If you put a breakpoint on the first JE and run the program again (F9) you will notice it keeps getting hit. Now, keep stepping through the next instructions till you reach the address 0000000000401584, which is where our plaintext password gets loaded into the RAX register. Now you are in the References tab of x64dbg. You can also download the binary from my repo mentioned above. Now since our passwords are different, it will be printing out 'Incorrect password'. Change 369 to 368 (872 in decimal). In this post, I will be using x64dbg since I wasn't able to find a version of x64 Immunity Debugger or Olly Debugger to reverse engineer the binary. The byte at 7FF7B92848E4 and dil are both 00. We are looking for jumps that will change the instruction flow to show another string in the title bar. Press F9 again until the application runs. This will pop up a list of all occurring strings in the WinRAR.exe module. Also, when you look through the method you will see strings like 'reminder' and you will see the link that is on the nag screen. In x64dbg you can search for strings in the executable.
