1. We have moved from vBulletin to XenForo and you are viewing the site in the middle of the move. Though the functional aspect of everything is working fine, we are still working on other changes including the new design on Xenforo.
    Dismiss Notice

Intoduction to Cracking - (Part II)

Discussion in 'Ethical hacking Tips' started by SaswatPadhi, May 8, 2009.

  1. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Summary of Part I

    In Introduction to Cracking - (Part I), we saw that .NET Reflector makes our lives easy by decompiling .NET apps accurately to any .NET language. We saw some limitations of Reflector too : It can't de-obfuscate assemblies, cannot unpack packed assemblies, cannot decrypt encrypted assemblies. We will discuss about those issues in this article.


    Rarely we find .NET assemblies that are not obfuscated, because they are prone to instant decompilation by Reflector. .NET assemblies are found obfuscated, packed, encrypted or protected by a multiple combination of these techniques. Let me clear that by packing we don't expect to gain compression, rather we gain protection (we'll see how ...)

    We will mainly talk about de-obfuscating simple obfuscations and unpacking known packers in this article.

    Obfuscation and De-obfuscation

    Observe the following code snippets :

    Snippet 1 : Code without obfuscation
    Private Function SHABytes(ByVal MStr As String) As Byte()
            Dim SHAProvider As New System.Security.Cryptography.SHA1CryptoServiceProvider
            Dim GetBytes(), RetBytes() As Byte
            GetBytes = System.Text.Encoding.ASCII.GetBytes(MStr)
            RetBytes = SHAProvider.ComputeHash(GetBytes)
            Return RetBytes
        End Function
    Snippet 2 : Code with obfuscation
    Private Function A(ByVal B As String) As Byte()
            Dim C As New System.Security.Cryptography.SHA1CryptoServiceProvider
            Dim D(), E() As Byte
            D = System.Text.Encoding.ASCII.GetBytes(B)
            E = C.ComputeHash(D)
            Return E
        End Function
    Snippet 1 is instantly understood at first sight. But Snippet 2 is not. It's obfuscated with simple variable renaming. It can be understood, but after a bit closer observation. This kind of obfuscation is the weakest and can be readily de-obfuscated by careful observation.

    Now, take a look at the following snippets :

    Snippet 1 : Code without obfuscation
    Private Sub CheckSerial(ByVal MStr As String)
            If MStr = "T-26832-GST" Then
                    TextBox1.Text = "WRONG SERIAL !"
                    TextBox1.Text = "CORRECT SERIAL !"
            End If
        End Sub
    Snippet 2 : Code with obfuscation
    Private Sub A(ByVal B As String)
            If C(B) = "]$;?1:;$NZ]" Then
                    D.Text = C("^[FGN)ZL[@HE)(")
                    D.Text = C("F[[LJ])ZL[@HE)(")
            End If
        End Sub
    The obfuscation done here is Variable Renaming + String Encryption. All strings are stored encrypted by simple XOR encryption with base 9 (i.e. a = a XOR 9). When the text is compared or printed to the textbox, it is re-XORed :wink:.
    This obfuscation, although better than the previous, can be still cracked easily, without aid of software !

    The better obfuscation techniques that are difficult to crack can be achieved by using Obfuscators e.g. {smartassembly}. But remember, although difficult it's not impossible to crack obfuscated assemblies :wink:

    The obfuscators can apply a variety of techniques to make assemblies extremely difficult (rather painful) to crack. They may use ILDASM to disassemble it, then change the code with something that performs similar function but in a complicated way and then re-assemble with ILASM. They may additionally encrypt the assemblies and while running, the assembly will be decrypted in memory and then be executed.

    Two of my friends Karupica and UFO PU55Y developed a de-obfuscator for the {smartassembly}. They named it {smartkill}. It's currently in Ver.0.6 and perhaps not being developed further.

    Packing and Unpacking

    What packers do is, they compress the program and then combine this compressed data with the decompression code it needs, into a single executable. When the program gets executed, the compressed executable essentially unpacks the original executable code, then transfers control to it. So, when you try to decompile a packed exe, you would end up with an error !

    This is a quote from Wikipedia :

    Several popular exe packers are available today : UPX, ASPack, PESpin, PELock, PEPack etc...Unpacking exes manually is possible but is incredibly painful. Thanx to crackers, we have several unpacking tools :smile:


    Applications :
    (1) {smartkill} Ver.0.6 (http://rapidshare.com/files/111669366/smartkill_v0.6.rar.html)
    (2) PEiD Ver.0.95 (http://www.peid.info/)

    PEiD can identify a huge array packed/encrypted exes. It is a very nice price of software and it's functionality can be extended by several plugins. The KANAL (Krypto ANALyser) plugin helps you identify crypto-signatures inside exes.

    Setup ...

    None of these tools require installation. Simply unzip/unrar them to any folder you like, and start using them! Plugins for PEiD are easy to install and instructions can be found on the website, so I'm not explaining here.

    Action !

    (1) Using PEiD
    Using PEiD is fairly easy. Simply drag an exe and drop it on PEiD window and PEiD will instantly show you the statistics. You can get the compiler used, it's version, the PE entropy .. lots and lots of useful stuff.
    I'll discuss about specific functions of PEiD, when we encounter their need (in up-coming parts ..).

    (2) Using {smartkill}
    Well, now that you know how to use Reflector, open any {smartassembly} obfuscated assembly in it. You will see all function names and string names are encoded. It does not display any string but displays a hexadecimal ID that uniquely identifies that string.

    For example, the following snippet :
    TextBox1.Text = "Serial accepted !"
    might look like :
    □.□ = □.□.□(0x31f5)
    What {smartkill} does is it can identify what the hell does 0x31f5 stand for. It can successfully recover the encoded string "Serial accepted !".
    Well {smartkill} can do lot more than that, it can remove "StrongNames", it can fix 2.xx algo which renders a cracked application useless, it can patch exes and much more... (I will discuss that in the up-coming parts ... )

    I think it's enough for this part.

    I will discuss {smartkill} in details and will also talk about cracking other languages like c, c++, vb etc... later.

    Till then take care and good bye ..:smile:

    Thanks for reading this part and thanx for the excellent response to Part I.
  2. fantascy

    fantascy New Member

    Nice 4 a crack novice. keep it up
  3. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Glad to know that you liked it. :biggrin:

    I had decided not to write Part III until I recieve some replies for Part II. I'm waiting for some more feedback on my article. :thinking:
  4. Discordia23

    Discordia23 New Member

    Your tutorials are the reason I ended up joining these forums so I could thank you for this great info. Please keep them coming, I am looking forward to part 3!

  5. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Thanx :biggrin:
    Glad to know that you liked it !

    I'll post Part III within a couple of days :pleased:
  6. shabbir

    shabbir Administrator Staff Member

  7. mayjune

    mayjune New Member

    can you upload cracking in terms of c c++? i don't know .net
  8. mayjune

    mayjune New Member

    nice work though...
  9. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Yeah, I will soon upload cracking C/C++ programs (which are tougher than .NET). ;)
  10. mayjune

    mayjune New Member

    i don't mind as long as we learn something new from it :) but try to keep it simple yet technical,
    if you know what i mean ;)
  11. shabbir

    shabbir Administrator Staff Member

  12. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

  13. shabbir

    shabbir Administrator Staff Member

    I have included the third part which links to Part I and II and so mentioned them here as well that Part III if you liked chances are you like it this one as well.
  14. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    Oh ! Thanx !! :)
  15. thehunk

    thehunk New Member

    hi your article is good and i liked it and when i download the smartkill software it say its expired do u have any latest version for that i can't use it
  16. SaswatPadhi

    SaswatPadhi ~ Б0ЯИ Τ0 С0δЭ ~

    I guess, something was wrong with the one uploaded to RapidShare.

    The one with me works fine. I have attached it with this post. You can download and use it. :)

    Attached Files:

Share This Page