Compiling and then reversing your own software can be really good for learning, specially when you are just starting in this field but you have to know that in the real world, you will be reversing binaries that were made by other people and a lot of times those developers don’t want you to peek inside their code.
That’s why crackmes are so useful (and fun!).
Today I’m going to walk through a very old and simple crackme made by an historic hispanic hacker called “redh@wk” and I will show you a couple of tricks to advance quickly when doing a crackme.
So right after executing the crackme we can see the following
Ok so no mistery here the crackme will ask for a name and a serial. At first sight and based on experience one can say that the program will somehow “calculate” the valid serial based on the entered “username” and then will run some kind of comparision between the entered Serial and the valid one (calculated).
So what to do from now? We may think about opening the program right on IDA, but note that a lot of software, specially crackmes are delivered PACKED/CRYPTED so opening a packed binary in IDA won’t do pretty much anything.
So one of the things I first do is to check if the program is packed. I use a software called PEID.
So before proceeding, let’s first unpack the crackme
Now if we run PEID on the file again we should see something different
So it doesn’t show that the program is packed anymore, instead it shows that the program was probably written using Microsoft Visual Basic (God help us).
Now let’s try to move to IDA and see what goes on.
So this is what we see when we open this crackme in IDA. Pretty scary right? Actually Visual Basic is a disastrous language and its incredibly slow compared to other modern languages. It basically packs a lot of stuff and works with its own undocumented library MSVBVM60 (in VB6.0).
So what we want to do now is to start looking for a strategic point to start looking at it. As I said at the beginning of this post it looks like the program will compare a couple of strings at least a lot of crackmes do that… So one idea may be search for *CMP* instructions.
Two approaches are interesting here: One can start searching for the string “cmp” and look at every case to determine if it is interesting to analyze or not, that may be slow but it’s more probable that that ends with a result. The other strategic point is to look at the particular case, as we know we are dealing with VB code we can do a little bit of research and discover the function “vbaStrCmp” and search for it! Let’s do this
So after searching in this code we hit 2 matches. One of them looks pretty interesting by the context
As we see the call seems to work with 2 parameters being pushed in the stack previously (so one of them may be the valid serial!) and delivers a result using the EAX register. Let’s put a breakpoint there and hit the debugger.
The program will launch and wait, after entering some random text and hitting “registrate” something will happen…
Yes! We hit our breakpoint!
So let’s look at the stack, as the parameters should be there. So we move to the stack and we right click on those two top values and we hit “follow in hex dump”
The first parameters shows us what we just entered.
The second one shows something more interesting “1221600” This looks 100% like a valid Serial. Let’s try it.
And bingo, it is! So by now the crackme should be solved but I personally think that this has been pretty lame I would want to register this program for all of my friends and I won’t want to open the program in IDA and do the whole thing everytime, so I must be a method to get the calculation that the program is doing for generating the “Serial”. Let’s go back at IDA and examine the context of that call.
So we see some more function calls up from our position. VbaObjSet, vbaHresultCheckObj these ones (looking at their names and using common sense) look like Window related functions, like for working with the Window, the buttons and such on the other hand vbaStrr8 looks interesting it looks like it does somenthing with a string (Str) let’s move up so.
So after analyzing those instructions I identified interesting functiosn vbaStrR8 vbaR8Str and vbaStrI2. Also, rtcAnsiValueBstr looks interesting as well all of them seem to work with strings doing some kind of conversion.
In here it’s important to set a breakpoint BEFORE we enter to the function so we will know what parameters are passed to it but also AFTER so we see what does the function return.
Let’s go back to the debugger and run it step by step.
So first of all we see that we push “Pau” into the stack (the username) and we get ready to call rtcAnsiValueBstr, by the context it looks like we will get something by EAX. Let’s see:
So we got “50” which is the ASCII code of the first letter of the name “Pau” nice! Now we know the first thing. Let’s move on to the next function as we see that “50” is being passed to vbaStrI2
We see that address being returned after the call. Let’s examine the content of that address in the hex dump. We click on the hex dump window and press g, then we enter the address we see in EAX
So we see the number “80” What relates 50h with 80? Well 80 is the decimal value of 50h. So now we know that vbaStrI2 returns the decimal value of a hexadecimal number, nice what goes next?
The next is a bunch of strmove calls. So we can guess that in the original code it must have been some intermediate variables over there for the calculus or something like that, it doesn’t look like it’s doing any calculus on the text so we move on…
Ok so now it will call that vbaR8Str with the parameter “80“. We have 0 idea of what this one does and sometimes it should be so easy to know about what a function does but believe me these undocumented functions can be a pain in the ass.
Again, when we are infront of an unknown undocumented function, the best way is to look at the big picture and know the context well.
So in here, we see that we call the function with 80 as the parameter and then just right after executing it, we run “fmul” instruction with a memory address far from our context…
So we start by looking at what is inside that address:
So we see a number there, we can know for sure that this number is a fixed one 15270, by running the program multiple times with different values (we’ll see how the number is always that). Interesting
Now we are going for the fmul. fmul may come from float multiplicate and basically it does a multiplication and stores the value in a floating point register.
Let’s examine the output
Fascinating! If we look at ST0 floating point register we can see something familiar!
Which is basically 1221600. Let’s do a quick verification and divide 1221600 by 80 it is 15270. We got it!
So the program basically gets the first letter of the name converts it to string then it multiplies that by 15270 and converts the result to a string for doing the comparision (yes, vbaStrR8 does that for sure)
We can see how vbaStrR8 gets the string by examining EAX after running it