Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Intoduction to Cracking - (Part II) (http://www.go4expert.com/articles/intoduction-cracking-part-ii-t17414/)

SaswatPadhi 8May2009 14:07

Intoduction to Cracking - (Part II)

Summary of Part I

In Introduction to Cracking - (Part I), we saw that .NET Reflector makes our lives easy by decompiling .NET apps accurately to any .NET language. We saw some limitations of Reflector too : It can't de-obfuscate assemblies, cannot unpack packed assemblies, cannot decrypt encrypted assemblies. We will discuss about those issues in this article.


Rarely we find .NET assemblies that are not obfuscated, because they are prone to instant decompilation by Reflector. .NET assemblies are found obfuscated, packed, encrypted or protected by a multiple combination of these techniques. Let me clear that by packing we don't expect to gain compression, rather we gain protection (we'll see how ...)

We will mainly talk about de-obfuscating simple obfuscations and unpacking known packers in this article.

Obfuscation and De-obfuscation

Observe the following code snippets :

Snippet 1 : Code without obfuscation
Code: vb.net

Private Function SHABytes(ByVal MStr As String) As Byte()
        Dim SHAProvider As New System.Security.Cryptography.SHA1CryptoServiceProvider
        Dim GetBytes(), RetBytes() As Byte
        GetBytes = System.Text.Encoding.ASCII.GetBytes(MStr)
        RetBytes = SHAProvider.ComputeHash(GetBytes)
        Return RetBytes
    End Function

Snippet 2 : Code with obfuscation
Code: vb.net

Private Function A(ByVal B As String) As Byte()
        Dim C As New System.Security.Cryptography.SHA1CryptoServiceProvider
        Dim D(), E() As Byte
        D = System.Text.Encoding.ASCII.GetBytes(B)
        E = C.ComputeHash(D)
        Return E
    End Function

Snippet 1 is instantly understood at first sight. But Snippet 2 is not. It's obfuscated with simple variable renaming. It can be understood, but after a bit closer observation. This kind of obfuscation is the weakest and can be readily de-obfuscated by careful observation.

Now, take a look at the following snippets :

Snippet 1 : Code without obfuscation
Code: vb.net

Private Sub CheckSerial(ByVal MStr As String)
        If MStr = "T-26832-GST" Then
                TextBox1.Text = "WRONG SERIAL !"
                TextBox1.Text = "CORRECT SERIAL !"
        End If
    End Sub

Snippet 2 : Code with obfuscation
Code: vb.net

Private Sub A(ByVal B As String)
        If C(B) = "]$;?1:;$NZ]" Then
                D.Text = C("^[FGN)ZL[@HE)(")
                D.Text = C("F[[LJ])ZL[@HE)(")
        End If
    End Sub

The obfuscation done here is Variable Renaming + String Encryption. All strings are stored encrypted by simple XOR encryption with base 9 (i.e. a = a XOR 9). When the text is compared or printed to the textbox, it is re-XORed :wink:.
This obfuscation, although better than the previous, can be still cracked easily, without aid of software !

The better obfuscation techniques that are difficult to crack can be achieved by using Obfuscators e.g. {smartassembly}. But remember, although difficult it's not impossible to crack obfuscated assemblies :wink:

The obfuscators can apply a variety of techniques to make assemblies extremely difficult (rather painful) to crack. They may use ILDASM to disassemble it, then change the code with something that performs similar function but in a complicated way and then re-assemble with ILASM. They may additionally encrypt the assemblies and while running, the assembly will be decrypted in memory and then be executed.

Two of my friends Karupica and UFO PU55Y developed a de-obfuscator for the {smartassembly}. They named it {smartkill}. It's currently in Ver.0.6 and perhaps not being developed further.

Packing and Unpacking

What packers do is, they compress the program and then combine this compressed data with the decompression code it needs, into a single executable. When the program gets executed, the compressed executable essentially unpacks the original executable code, then transfers control to it. So, when you try to decompile a packed exe, you would end up with an error !

This is a quote from Wikipedia :


Executable compression is also frequently used to deter reverse engineering or to obfuscate the contents of the executable (for example, to hide the presence of malware from antivirus scanners) by proprietary methods of compression and/or added encryption. Executable compression can be used to prevent direct disassembly, mask string literals and modify signatures. Although this does not eliminate the chance of reverse engineering, it can make the process more costly.
Several popular exe packers are available today : UPX, ASPack, PESpin, PELock, PEPack etc...Unpacking exes manually is possible but is incredibly painful. Thanx to crackers, we have several unpacking tools :smile:


Applications :
(1) {smartkill} Ver.0.6 (http://rapidshare.com/files/11166936..._v0.6.rar.html)
(2) PEiD Ver.0.95 (http://www.peid.info/)

PEiD can identify a huge array packed/encrypted exes. It is a very nice price of software and it's functionality can be extended by several plugins. The KANAL (Krypto ANALyser) plugin helps you identify crypto-signatures inside exes.

Setup ...

None of these tools require installation. Simply unzip/unrar them to any folder you like, and start using them! Plugins for PEiD are easy to install and instructions can be found on the website, so I'm not explaining here.

Action !

(1) Using PEiD
Using PEiD is fairly easy. Simply drag an exe and drop it on PEiD window and PEiD will instantly show you the statistics. You can get the compiler used, it's version, the PE entropy .. lots and lots of useful stuff.
I'll discuss about specific functions of PEiD, when we encounter their need (in up-coming parts ..).

(2) Using {smartkill}
Well, now that you know how to use Reflector, open any {smartassembly} obfuscated assembly in it. You will see all function names and string names are encoded. It does not display any string but displays a hexadecimal ID that uniquely identifies that string.

For example, the following snippet :
Code: vb.net

TextBox1.Text = "Serial accepted !"

might look like :
Code: vb.net

□.□ = □.□.□(0x31f5)

What {smartkill} does is it can identify what the hell does 0x31f5 stand for. It can successfully recover the encoded string "Serial accepted !".
Well {smartkill} can do lot more than that, it can remove "StrongNames", it can fix 2.xx algo which renders a cracked application useless, it can patch exes and much more... (I will discuss that in the up-coming parts ... )

I think it's enough for this part.

I will discuss {smartkill} in details and will also talk about cracking other languages like c, c++, vb etc... later.

Till then take care and good bye ..:smile:

Thanks for reading this part and thanx for the excellent response to Part I.

fantascy 16May2009 01:19

Re: Intoduction to Cracking - (Part II)
Nice 4 a crack novice. keep it up

SaswatPadhi 16May2009 07:41

Re: Intoduction to Cracking - (Part II)
Glad to know that you liked it. :biggrin:

I had decided not to write Part III until I recieve some replies for Part II. I'm waiting for some more feedback on my article. :thinking:

Discordia23 18May2009 11:14

Re: Intoduction to Cracking - (Part II)
Your tutorials are the reason I ended up joining these forums so I could thank you for this great info. Please keep them coming, I am looking forward to part 3!


SaswatPadhi 18May2009 11:24

Re: Intoduction to Cracking - (Part II)
Thanx :biggrin:
Glad to know that you liked it !

I'll post Part III within a couple of days :pleased:

shabbir 3Jun2009 09:43

Re: Intoduction to Cracking - (Part II)
Nomination this Article for Article of the month - May 2009

mayjune 15Jun2009 14:34

Re: Intoduction to Cracking - (Part II)
can you upload cracking in terms of c c++? i don't know .net

mayjune 15Jun2009 14:35

Re: Intoduction to Cracking - (Part II)
nice work though...

SaswatPadhi 15Jun2009 17:36

Re: Intoduction to Cracking - (Part II)
Yeah, I will soon upload cracking C/C++ programs (which are tougher than .NET). ;)

mayjune 16Jun2009 01:50

Re: Intoduction to Cracking - (Part II)
i don't mind as long as we learn something new from it :) but try to keep it simple yet technical,
if you know what i mean ;)

All times are GMT +5.5. The time now is 14:12.