Go4Expert

Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/forumdisplay.php?f=55)
-   -   Introduction to Cracking - (Part III) (http://www.go4expert.com/showthread.php?t=17685)

SaswatPadhi 24May2009 18:18
Introduction to Cracking - (Part III)
 

Summary of previous parts



In Part-I, and Part -II we saw Reflector can very accurately de-compile .NET apps and we also studies some basics of packing and obfuscation.
We saw that Reflector cannot directly de-obfuscate obfuscated assemblies, so we need external tools to de-obfuscate .NET assemblies. {smartkill} is one such tool that can de-obfuscate assemblies obfuscated by {smartassembly}.
Reflector can't also unpack/decrypt packed/crypted exes, so we need unpackers and decryptors. PEiD can identify huge array of packed and crypted exes, to make our lives easier.

Introduction



I think readers are starting to lose interest as I cover only theoretical aspects of cracking. So, in this part I will actually CRACK an app :wink:
As I have written only about .NET cracking till now, so I would crack a .NET app. We will cover other languages gradually.

Here is the link to the target of this article is : http://crackmes.de/users/w02057/crac...02057/download

Background



The target is a Level-2 crackme, solved my me. This crackme was an easy one, designed by w02057.

The author(w02057) gives the following information about his crackme:
(*) Language : .NET
(*) Platform : Windows

The rule that the author stated for solving are:
(*) No Patching : that would make it too easy :p
(*) No Bruteforcing : that would make it time-consuming and boring

ACTION :)



(1) Load the crack me into Reflector: File --> Open --> Select crackme location

(2) Expand the following: CrackMe5 --> frmMain --> btnValidate_Click

(3) See that it works with the following:
..(*) txtKey : a textbox obviously
..(*) txtSerial : another textbox obviously
..(*) getserial : a function
..(*) check : a function

(4) Click 'check' to goto the associated code. You will see this:
Code: vb.net
Private Function check(ByVal str As String) As Boolean
        Dim num As Integer = 0
        Dim num2 As Integer = 0
        Dim startIndex As Integer = 0
        Dim flag2 As Boolean = False
            Try 
            num2 = 1
            Do
                Dim num4 As Integer = (str.Length - 1)
                startIndex = 0
                Do While (startIndex <= num4)
                    If (Conversions.ToDouble(str.Substring(startIndex, 1)) = num2) Then
                        If flag2 Then
                            Return False
                        End If
                        flag2 = True
                    End If
                    startIndex += 1
                Loop
                flag2 = False
                num2 += 1
            Loop While (num2 <= 9)
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(2, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(6, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(3, 1))), Conversion.Int(str.Substring(6, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(1, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(7, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(2, 1)), Conversion.Int(str.Substring(5, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(0, 1)), Conversion.Int(str.Substring(1, 1))), Conversion.Int(str.Substring(2, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(3, 1)), Conversion.Int(str.Substring(4, 1))), Conversion.Int(str.Substring(5, 1))), 15, False) Then
                num += 1
            End If
            If Operators.ConditionalCompareObjectEqual(Operators.AddObject(Operators.AddObject(Conversion.Int(str.Substring(6, 1)), Conversion.Int(str.Substring(7, 1))), Conversion.Int(str.Substring(8, 1))), 15, False) Then
                num += 1
            End If
        Catch exception1 As Exception
            ProjectData.SetProjectError(exception1)
            ProjectData.ClearProjectError
            Return False
        End Try
        Return (num = 8)
    End Function
(5) Press Back to go back and click 'getserial' to goto associated code. You will observe this:
Code: vb.net
Private Function getserial(ByVal str As String) As Object
        Dim obj2 As Object
        Try 
            Dim str3 As String = Conversions.ToString(Me.hash(str))
            Dim str2 As String = ""
            Dim startIndex As Integer = 0
            Dim num2 As Integer = (str.Length - 1)
            startIndex = 0
            Do While (startIndex <= num2)
                str2 = (str2 & str3.Substring(CInt(Math.Round(CDbl((Conversions.ToDouble(str.Substring(startIndex, 1)) - 1)))), 1))
                startIndex += 1
            Loop
            str = Conversions.ToString(Me.hash(str2))
            str2 = ""
            startIndex = 1
            Do
                str2 = (str2 & str.Substring((startIndex * 4), 4))
                   If (startIndex <> 5) Then
                    str2 = (str2 & "-")
                End If
                startIndex += 1
            Loop While (startIndex <= 5)
            obj2 = Strings.UCase(str2)
        Catch exception1 As Exception
            ProjectData.SetProjectError(exception1)
            obj2 = Nothing
            ProjectData.ClearProjectError
        End Try
        Return obj2
    End Function
(6) You see another unknown funtion 'hash' used in the first line of 'Try' block. So click 'hash' in Reflector and you go here:
Code: vb.net
Private Function hash(ByVal str As String) As Object
        Dim provider As New MD5CryptoServiceProvider
        Dim bytes As Byte() = Encoding.ASCII.GetBytes(str)
        bytes = provider.ComputeHash(bytes)
        str = ""
        Dim num As Byte
        For Each num In bytes
            str = (str & num.ToString("x2"))
        Next
        Return str
    End Function

NOTE FOR NEWBIES : Don't be afraid of seeing so much code. Your work is simple (as you will see when you read further). At max, you'll have to write about 10 lines :eek: of code.

(7) So, now we have enough information, about what's going on inside :wink: :
..(*) The check function checks if the entered key is valid.
..(*) If key is valid, it generates a serial and matches the entered serial with it.
Simple, isn't it ?

(8) So, what we do to crack this easily is.. we try to understand what the check function expects as a GOOD key. Lets's analyze :

OBSERVATION : Observe the Do...Loop While(num2 <= 9) loop inside the 'Try' block.
CONCLUSION : It ensures that, there are not repeated digits in the key. Thus, note that, the key consists only of DIGITS no alphabets.
OBSERVATION : Next move to the sequence of 'If' Checks. [ There are 8 'If's ]. If an 'If' is satisfied, num is increased by 1 ( 'cuz num += 1). At the end the function checks if num = 8.
CONCLUSION : So, ALL 'If's must be satisfied.

(9) Study the 'If's now. BTW, hover mouse over 'Substring' and 'Conversions' to know about them. See that, the author extracts the i'th character in the string str (which is the key), by using the command 'str.Substring(i-1, 1)'. So, 'str.Substring(1, 1)' would give the 2nd character in the key.
Note that, the author uses i = 9 at max because he uses 'str.Substring(8, 1)' at maximum.
So, we got a hint -- the author checks ONLY the first 9 chars of key.

(10) Now, what does he check ?? Note again that, 'Conversion.Int(c)' returns the digit contained in the character c. As the key consists only of digits, 'Conversion.Int(str.Substring(i-1, 1))' would return the i'th digit in the key.

(11) So, finally we get to know that the function 'check' does this:
Code: Algorithm
(*) Checks that first 9 digits in key are unequal.

    (*) Checks that the key satisfies the following:

        (1)  0 + 4 + 8 = 15

        (2)  2 + 4 + 6 = 15

        (3)  0 + 3 + 6 = 15

        (4)  1 + 4 + 7 = 15

        (5)  2 + 5 + 8 = 15

        (6)  0 + 1 + 2 = 15

        (7)  3 + 4 + 5 = 15

        (8)  6 + 7 + 8 = 15

        [ Here 0 represents 1st digit, 4 represents 5th digit and so on... ;) ]
(12) So we need a unique permutation of the digits 123456789 as the first 9 digits which satisfies above. Simple observation leads to a better representation of the above conditions [ as a MAGIC SQUARE ]
Code:
        0  1  2  <-- 15

        3  4  5  <-- 15

        6  7  8  <-- 15
                 
    /  ^  ^  ^  \
    /        |  |  |  \
  15        15  15  15  15
Sum of each Row, Column and Diagonal is 15. So, lets fill up the magic square.

(13) Representation of 15 as sum of 3 distinct natural numbers :
Code: Algorithm
..(*)   Using 1 :  1 + 6 + 8 [ as 1 can be present in 2 different combinations, it must be, ]

                   1 + 5 + 9 [ at the mid-point of a side of the magic square          ]

..(*)   Using 2 :  2 + 6 + 7 [ as 2 can be present in 3 different combinations, it must be, ]

                   2 + 5 + 8 [ at a vertex of of the magic square                           ]

                   2 + 4 + 9

..(*)   Using 3 :  3 + 5 + 7 [ as 3 can be present in 2 different combinations, it must be, ]

                   3 + 4 + 8 [ at the mid-point of a side of the magic square          ]

..(*)   Using 4 :  4 + 2 + 9 [ as 4 can be present in 3 different combinations, it must be, ]

                   4 + 3 + 8 [ at a vertex of of the magic square                           ]

                   4 + 5 + 6
We have enough hints now. So, we now have the magic square of the form:
2 x x
x x 1
4 3 x

Now we can fill up logically as follows:
Code: Algorithm
(*) 1 and 3 cannot be opposite to each other as they are not together in any combination.

(*) 4 should not be above or below 1 as they are not together in any combination.

(*) Mid-Left is obviously 9.

(*) Bottom-Right is obviously 8.
Now we have:
2 x x
9 x 1
4 3 8

Code: Algorithm
(*) Center is of course 5

(*) Top-Right is 6.

(*) Mid-Top is 7.
So finally we have the grid as:
2 7 6
9 5 1
4 3 8

So, the key corresponding to this is 276951438.
NOTE: All other keys can be formed by simply rotating and transposing.

(14) Now we know the valid keys. The getserial function can fetch us a valid serial for a key, so we don't need to be bothered about calculating a serial. We can just copy the getserial function (and the hash function, because getserial uses it) to VB.NET and can pass the keys as arguments to get the serials :wink:

(15) So, we are done ! We have just finished a keygen for w02057's Crackme :happy:
All the valid keys and serial combination are :
Code: Output
--------------------------------------------------

        KEYS              SERIALS

--------------------------------------------------

    276951438  :  7DFF-7430-C0FE-FB5E-5675

    294753618  :  C528-6819-5244-62B2-9FA4

    438951276  :  CDB6-32A6-C696-62DA-E1BA

    492357816  :  3AE9-0717-B6B6-7AFC-D688

    618753294  :  8DC0-E6A2-D499-0F1E-29D5

    672159834  :  C520-15B6-6AFA-6B40-DFA1

    816357492  :  CE71-5143-D977-A8EA-C38E

    834159672  :  60D7-0189-3A7E-5172-CE21


I hope you enjoyed making the keygen, as much as I enjoyed it.

Greets to shabbir and all my friends here at G4EF and thanks to you for reading this long article !

Take care and good bye :smile:

shabbir 3Jun2009 09:36
Re: Introduction to Cracking - (Part III)
 
Nomination this Article for Article of the month - May 2009

mdjww 9Jun2009 08:05
Re: Introduction to Cracking - (Part III)
 
i have checked it’s really great

SaswatPadhi 9Jun2009 10:16
Re: Introduction to Cracking - (Part III)
 
Thanx for the feedback ! :)

shabbir 17Jun2009 18:56
Re: Introduction to Cracking - (Part III)
 
Vote for this article in Article of the month - May 2009

anthzer0 13Jul2009 23:30
Re: Introduction to Cracking - (Part III)
 
Im new at this. Could you tell me how you plugged in the numbers for the magic cube? The 2, 3 and 4. I understood they equal 15 but not how they were placed where they were. Thanks :)

SaswatPadhi 13Jul2009 23:42
Re: Introduction to Cracking - (Part III)
 
You can do that in two ways :

(1) Use a logical approach as I mentioned in POINT (13) : You calculate "in how many different valid combinations, does a digit occur". From that knowledge, you can easily know its position.

(2) Brute-force ! Write a program in any language of your choice to brute-force all the valid combinations.

If you still have doubts, I can post a simple C++ Bruter here. Or I can explain POINT 13.

!Newbie! 14Jul2009 12:27
Re: Introduction to Cracking - (Part III)
 
Good one...

SaswatPadhi 14Jul2009 13:26
Re: Introduction to Cracking - (Part III)
 
Thanx !Newbie!. Glad that you liked it.

naimish 14Jul2009 13:29
Re: Introduction to Cracking - (Part III)
 
Awesome Man :)


All times are GMT +5.5. The time now is 07:02.