Quicklinks: Home | Contact |

Subscribe to the RSS feed in case you are interested in updates

Here is quick overview of one possible way to solve the Hack.lu 2009 crackme  (reversing challenge) with the classical JZ/JNZ method (hence the 1998 reference).

Disclaimer : If you are used to reversing software, you can skip this post, there is nothing new for you to glimpse here.  This is one way to solve this crackme, of course you could try to reverse engineer the serial generation algorithm. In reality, if you'd  use a serial system like this in a shareware type of application nobody would bother to do so. 

Although there are no classical packer signatures to be detected (PEid, ExeInfoPE), looking at the results of entropy tests it is clear that the sample is compressed/crypted in some way or another.  Entropy being the measure for randomness/chaos.

Examples : 

  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx has an entropy of 96,04%

 Entropy measurement of crackme.exe

There are several ways to measure whether a binary (or parts of it) are compressed/encrypted, I happen to use gynvaels' excellent tool ENT (not to be confused by a similar entropy measurement tool) as it offers several advantages such as mapping to .code and .data section of a PE file. As we can see above the entropy of the code section (Green) is that of normal code, the data section is high on entropy at the very end of it.

Luckily for us it doesn't use stolen bytes or more advanced methods to hinder dumping from memory while the sample decrypted/decompressed itself.

So we proceed with

  • Loading the sample in Ollydbg - Wait until it hits OEP
  • Dump the process using Ollydump 
  • fix import table
  • Search for "serial"
  • Look for branching code 
  • Patch branching code from JZ to JNZ

Patching the Jump Zero to a Jump Not Zero instruction

This is it

Posted by Thierry Zoller


At 12 November, 2009 20:07 Baboon said...

Hi, it's me again

First of all this crackme is NOT packed ...

There is absolutely NO need to use ollydump or other stuff because there is NOTHING to unpack

If you have big entropy it's because challenge store a big table to make substitutions, it's absolutely NOT ciphered code or anything else.

Next :
You replace a jz by a jnz WHY ?!

What will happen if someone try to enter the good serial ? He'll get the "bad boy" message ...
Very impressive work !!!

this challenge is, of course, not protected again patching for the reason it was dedicated to be reversed and not ... patched.

If you want the real solution, here it is : 192EF9E61164BD289F773E6C9101B89C

Sometimes, "loss" time in studying a code is more interresting than patching (even more than BAD patching ...).

I'll publish a complete solution in the next days but in french, my english is really too bad...

At 12 November, 2009 21:51 Thierry Zoller said...

Dear Baboon,
Merci :)

Measuring entropy is a passive (and common means) to analyse a PE file for compressed/encrypted content - this is of course not foolproof.

If I understood you correctly the challenge was a "keygen-me" challenge and not a "crack-me" challenge. Which explains it :)

The possibility that someone enters the correct serial is, I'd say, very minimal ;)

You are right about the time too, it's more interesting to study the serial generation code than to patch it. It is certainly not wasted time.

Anyways the goal of this post was not to make the challenge (or the author) look weak but to offer newbies a way to understand how basic serial registration shemes can be bypassed (even today!)

No hard feelings :)


At 12 November, 2009 21:59 Thierry Zoller said...

PS. Actually I did not find the string "serial" nor does the binary correctly dissasemle in IDA unless you dump it. So I thought my assumption that some sort of compression/encryption/obfuscation was going on, was actually confirmed by that.

I didn't spent much time on it though

At 20 November, 2009 18:54 Baboon said...

I persist and sign : this crack-me is not packed, you can find the "good boy" message at 00401413 without unpacking anything, what you see at entry point is just the initialisation of programm made by VC code (to parse command line, get module handle and do other stuff)

Here is my solution : http://baboon.rce.free.fr/index.php?post/2009/11/20/HackLu-Reverse-Challenge

Sorry for the first comments a little bit violent ;)


Post a Comment