Reverse Engineering For The Not So Backward

Transcription

1 Reverse Engineering For The Not So Backward It is a Friday night and I am sitting home hyped up on caffeine and resting from a long work week. I like to relax on Friday nights and get stuff done, such as pay bills, do any side jobs that need to be done, and follow up on some of my independent research stuff. One of my interests (I have many) involves software reverse engineering. For years humans have been reverse engineering creations done by others to gain an insight on ones work or to build something of their own based around it, adding their own ideas and making it better, or worse. We reverse engineer things ranging from simple children s toys to the human species. Software is no different than anything else ever reverse engineered. Software made and distributed on a PC comes in executable form in a way that only machines can understand. Cryptic binary operations that have been converted from a high level language that a human used to make the program can only be understood by the machine. It is all a matter of procedure and a lot of it gets carried out within the extremely fast environment we call the CPU. Coders ranging from a solo programmer in his garage all the way to major corporations create software that will do what they specify it to do. Software that does not come with its original source, so called closed source, does not give the user the blueprints in how it was made and thought up. It is like looking at a car engine and not knowing how things work without some detailed engineering spec. Most closed source software is software that requires purchase and most likely contains many creative and intuitive functions to carry out what it does and how it is better than its competitors. Open source software is different in that the source code is given and the user is free to change anything they choose to, for the most part, make it better. It is closed source software that a reverse engineer is after and below I will attempt to explain the concepts use on a simple example. It is ok if you do not understand what is going on exactly, it is the concept that I am trying to get across. Reverse engineering, besides requiring a good programming background, requires a lot of time and patience to master. What is Reverse Engineering? In simplest terms, reverse engineering is the means by which closed source software in executable form can be examined at the machine code level for its overall functionality. This machine code, understood natively by the CPU, is very cryptic and has no defined method of abstraction. Different compilers and machines may produce and read machine code differently than the next, yet have the same functionality. Those reasons are why reverse engineering is so complex. Reverse engineering is used everywhere, from software companies trying to understand their competitors methods to hackers trying to find vulnerabilities. Reverse engineering can be for the good and the bad. Some things to know and gather before moving on First and foremost you do not need to be a computer scientist to read this. The point of this is all about the concept of the subject, which you should get by the end. You do not need to understand the code, but to just follow my methods on how things are done. If you are brave enough to do what I am doing on your own, feel free. Below are some of the requirements to get you started. For the rest of you, all you need is a working brain. -Microsoft C/C++ Linker and Compiler (CL.EXE): This tool is packaged with Visual Studio and can probably be found somewhere on Microsoft s website for free I am sure. It is responsible for turning the source code into the binary files that we will be reversing.

2 -Ollydbg This program is a Debugger and a Disassembler all in one. This program will be used to reverse engineer our binary file. Luckily this program is free for all and a simple Google search will guide you the way. -XVI32 Hex Editor This free Hex Editor we will use to make the final patches to our binary file and change it so that it does what we want it to do. Final Notes The program below is a proof of concept for this exercise and was created by me. It is a console win32 application, so there is no GUI, although it easily could have one. I find running things from the command prompt to be easier. If the correct password is entered then the windows Calculator should launch. If the wrong password is entered then an error is displayed and the program exits. If no password is entered an error is displayed and the program exits. Now these methods of password verification are very weak, yet to this day are still used by some large software programs. Most password verification programs contain more cryptic verifiers and pose a lot more challenge to a reverse engineer, but still can be done. That said, the below program is simple to reverse by today s standards, but a great place to start. Enjoy Let s get started already!!! This program takes in one argument as the password, in plain text. It compares the input, and if it equals the correct password, sets a flag. If the flag is set to signify a correct password the program proceeds. Our goal in this program is to modify the flag so ANY password will work. I give the source code below, but it is for show only. We will be working with the binary and pretending that the below source code was not at our disposal at time of reverse engineering. Source: #include <stdio.h> int main(int argc, char **argv) { int value = 0; if(argc < 2){ printf("no password entered..."); exit(0); } if (!(strcmp(argv[1], "password"))) { value = 1; } if(value == 1) { printf("congrats you got the password!!!"); system("start calc.exe"); } else{ printf("wrong password...you cannot proceed");} return 0; } Compiling the code: cl o main.c

3 Running binary with no password: Main.exe Output: No password entered Running binary with wrong password: Main.exe Output: Wrong password.you cannot proceed Running binary with correct password (password): Main.exe password Output: Congrats you got the password!!! Calculator runs Now let s pretend we didn t know the password and keep getting stuck with the error from method two above. Now it is time to have some fun!! Olly to the rescue!!! Here is the procedure: 1. Launch good ole Olly. 2. Go to file Open. Browse to where Main.exe is stored. Single click it. 3. Under Arguments put in the password of your choice. Anything you wish, and remember we do not know the real password so we are guessing. Soon it won t matter anyway :). 4. Olly shows a lot of stuff garbage to most.this is machine code. Sexy isn t it!! Scroll the big window in the center all the way to the top. Below is what you should see. It is so beautiful. Let me dump the whole program machine code out below for you, just in case you cannot see the above. It is important that we have this.

4 55 PUSH EBP 8BEC MOV EBP,ESP 51 PUSH ECX C745 FC >MOV DWORD PTR SS:[EBP-4],0 837D CMP DWORD PTR SS:[EBP+8],2 7D 17 JGE SHORT main E04000 PUSH main.0040e000 E CALL main c 6A 00 PUSH 0 E8 AB CALL main d E04000 PUSH main.0040e018 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] 51 PUSH ECX E CALL main C4 08 ADD ESP,8 85C0 TEST EAX,EAX JNZ SHORT main C745 FC >MOV DWORD PTR SS:[EBP-4],1 837D FC 01 CMP DWORD PTR SS:[EBP-4],1 75 1C JNZ SHORT main E04000 PUSH main.0040e024 E CALL main c 68 48E04000 PUSH main.0040e048 E CALL main c EB 0D JMP SHORT main E04000 PUSH main.0040e058 E8 E CALL main c 33C0 XOR EAX,EAX 8BE5 MOV ESP,EBP 5D POP EBP C3 RETN The letters and numbers to the left side are called opcodes. Opcodes are the actual binary instructions, represented in HEX, that are extracted from the executable. If you viewed the executable in a HEX Viewer (as we will do later) you will see these opcodes. These are going to be important later. The opcodes are translated to assembly code, created from a compiler and more human readable than the binary, but not so much more. The stuff down the middle that kind of looks like English are the actual assembly instructions. We will be focusing on these instructions for now. Just so you know, the stuff I created above in source code is automatically generated to this when compiled (using cl). Now you see how hard reversing can be when there is no source code available. Before I go on I am going to remind you that I am not going to give a lesson on Assembly Language. You will have to bare with me and take my word for things if you do not fully understand. Read over again if you get lost. Do not let this stuff intimidate you too much. Let s look for some things that stand out. The nice thing about assembly is that some of the instructions actually look somewhat understandable. The CALL instruction calls internal and external functions. The JMP, JNZ,

5 JNE instructions jump over code on specific conditions that are determined before the instruction call, usually a couple bytes before hand. The CMP instruction does a comparison and sets a flag based on the comparison. A keen reverser will look for these kinds of instructions and proceed from there. Another thing a good reverser does is find variables used within the program. EBP is a register that seems to be storing variable data. As a matter of fact [EBP-4] (EBP offset -4) looks like it is storing something. By the looks of it the value 0 is being placed into [EBP-4], this signifies a common variable declaration situation. Most C languages do not like variables instantiated without being initialized, this one happens to be initialized to zero and I would guess it is an integer or a long of some kind. It is 4 bytes (hence the 4 offset value) so it is a word value, I would guess 32-bit unsigned integer. The next instruction you see a CMP on a value stored in [EBP+8]. I would guess this holds the argument input amount (ARGC), usually [EBP+8] holds that value. As you can see from analyzing the assembly, there is no place where the real password is stored. But in order for a comparison to be done it must be either in a register or on the stack, most likely the stack. Any PUSH instruction from memory could be this value as well as anything else, it is hard to tell. Could this be our password value? We are not going to search around and see, that takes the fun out of it. Plus if the value is encrypted or obfuscated it would be of no use anyway. Let us proceed. I am interested in that variable, the one at [EBP-4], it HAS to be used for something. But let us see what kind of CALL instructions we have first. I analyzed the last line to see what was being called. Simple analyses, or by just using Olly to find out for you, tells us that the function at is a strcmp function. Now this function, along with many others from the C/C++ standard library were imported during the linking stage of building the binary. The whole function is stored in our binary for faster and portable access. Their location is specified by a memory address within the binary, hence the CALL.main , this is merely saying call the function at that address. The strcmp function, by just googling (remember we do not have source) takes two arguments which happen to be strings that are compared. The first argument is already on the stack, and as I said above it is most likely the real password. The second argument comes from [EBP+C] and is moved into EAX. This value happens to be the password we send in (ARGV[]) and it is an array. [EAX+4] is the element of that array that contains our string, in C terms [EAX+4] is the same as ARGV[1], or 4 bytes from the start of the array. [EAX+4] is pushed onto the stack for strcpy to access. So to recap our EBP and EAX registers, here is what we know: [EBP-4] holds some weird integer variable, [EAX+4] holds our password we sent in, and [EBP+8] holds the total argument sent in the program, which in our case is always one when properly used. How things can unfold so quickly!!

6 After strcmp returns, the stack is flushed and EAX is zeroed out. The JNZ instruction jumps if the return value of strcmp was anything but zero (JNZ = Jump if Not Zero). If the value of the return function was zero it means that the two strings sent in were equal and that the password was correct. So let s ignore the JNZ instruction and proceed to the next couple lines to see what happens if both strings were equal (which in our case wouldn t have been the case because we had the wrong password). Look at that, our mystery variable at [EBP-4] pops up again. This time the variable is assigned a value of 1 instead of zero. Very interesting I must say. Below the assignment is another CMP and it looks like it is comparing the value of [EBP-4] to 1. Now if the flow went as expected with our bad password the value at [EBP-4] would still be 0 due to the jump over the assignment. The next compare jumps if the compare returns false, or any value other than zero. So let s not jump, let s proceed to the next couple instructions as if we had the right password and [EBP-4] was really set to 1. I see a PUSH and a CALL instruction. That means a function is being called. By further analysis the CALL to C happens to be a printf() instruction that takes one parameter, a string that outputs to the screen. And after that another CALL is done to C, and by analyzing that I find that is a System() call that takes one parameter, a string that represents a command. I would bet the command that runs is PUSHED at 0040E048, and that happens to be a string for the CALC.EXE program. Whoa, that is what is supposed to happen when the password is right!! Wow. We are not done yet because we need to make it run with our password. Let s do a simple thing with Olly first to really make sure that this variable is the only thing that needs to be changed. We are going to change the CMP instruction to compare the variable at [EBP-4] to zero instead of one, so that the program runs normally as if we had the correct password. A simple change in Olly can do that. Double click the instruction and let s change it!

7 Let s make one simple change to this: Now click Assemble and then click Cancel. Are you ready to see what happens? Click the blue play arrow at the top of Olly. If all goes well you should see the Calculator pop up. I did. We did it, we cracked it!!!! But the change in Olly is only temporary and the main executable is unchanged. We now need to patch the executable so that the change is permanent. Remember the opcodes stuff? Well let s go back to them and make some simple changes in the binary with a hex editor, in this case XVI32. Pay attention to the opcode value 837D FC 01, this is going to be changed in the executable. Now apply the change to the CMP instruction as done before. Do not run though when done. Let s see what we get now. Sweet, we see a change. Now we get the opcode 837D FC 00, with the last digit being the only change. We will use this to change our main binary. Fire up XVI32 and do the following. Make sure Olly is closed now so that the binary can be read and written to. 1. Go to File->Open and browse to where the Main.exe file is located. Double Click it. 2. We are now in hex view. Make sure you are in edit mode, by going to Tools and making sure Overwrite is checked. Here is what we got. All the ugly opcode values and their ASCII equivalents. By the way, opcodes are HEX!!

8 Let s do this patch and get this over with already. Go to Search->Find. Make sure the Hex String bubble is checked. In the box type in, without the quotes, 837DFC01, hit Ok. You will go to an area where this opcode exists. Now the simple part - Move over 4 places with the right arrow so that the 01 block is highlighted, click once inside of the highlighted block so that the background of all the opcodes turns white. Type in 00. Now go to File->Save and close XVI32. Now let s go to the command prompt and see what happens. Running the binary with no password: Main.exe Output: No password entered Running the binary with wrong password: Main.exe p@ssw0rd Output: Congrats you got the password!!! Calculator runs Don t believe me, see for yourself with a few trial runs:

9 Sweet. I love this stuff. So there you have it. We successfully reversed a program. All it took was a few hours and one, ONE simple hex change and we cracked this program. If they were all that easy! As you can see this stuff takes patience and experience. The benefits are very good when it is mastered. I hope most of you got the concept through, enough to make me happy since I spent a few hours on this exercise, make me feel good some how. Haha. By all means try it out. I will give you the.exe file and you can go at it and screw around, it is really fun. Thanks for reading and stay tuned for more exciting articles by the one and only DJT3K Copyright 2006 T3K. Skill comes with those that work hard.