Working Through An Easy Crackme

Today I’m going to go over working through the Easy-Crackme from Reversing.kr.  As a note I do these in a virtual machine with a snapshot so that I can roll it back to a safe state in case I miss something malicious.  Some of the exercises online are live malware.  Then after the exercise is finished I restore the vm to the state it was in before hand just to be careful.  With that in mind lets gets started.

First Analysis:

First thing to do is figure out what the executable actually does.  Examining the file with SysInternals strings function we see that the basic functionality is to open a dialog box and take some input.

We can always go the naive route and look at the strings dump to see if the password is stored in plain text.  Unfortunately this time there isn’t anything that works.  That means we are going to have to look at the assembly to see if we can figure out what’s going on.

Assembly:

For something different I decided to use x32dbg, the 32-bit version of x64dbg, because I’m using a 32-bit system.  ec1

After scrolling to the functionality section of the program we can see several cmp instructions that include jumps to the address 00401135.  So lets check out what’s at address 00401135.

EC2.png

Now we can see the instructions for success or failure.  So we see that 00401135 is where we start pushing arguments on the stack to call the failure MessageBoxA.  Now we go through and see what needs to happen to avoid jumping to that address.

Evaluating Functionality:

Looking at the whole section of assembly that comprises the functionality of the executable we hope to trace through and figure out the password.

ec3

That top highlighted function call named GetDlgItemTextA got my attention.  Going to the documentation from Microsoft shows us that function gets input text from a dialog box.  So that’s the entry point of our input in the executable.  We can also hover over the function and see the assembly of it as well which shows an embedded function GetWindowTextA.

The very next thing we see is a cmp instruction with a jne to 00401135 with a character ‘a’.  That’s interesting.  Moving down the disassembly we see another cmp with an ‘E’.  Notice that these two are in adjacent locations. E at esp+4 and a at esp+5.

The next thing that jumps out to me is at 004010D1 where we load “R3versing” into esi and then move the value stored at esp+10 into eax then compare the two.  We can follow that chain of instructions down to 0040110B to get another jump to 00401135.  Which is where we fail.

This is where the pieces started fitting together for me.  We only have one set of characters left in the assembly that gets compared to anything.  So if we put them all together using the spacing of their relation to esp we get “Ea5yR3versing”,  the placing of 5y is a guess for me at this point though because it isn’t explicitly laid out with respect to esp in this portion of the assembly.  It makes sense though so lets give it a try.

EC4.png

ec5

Conclusion:

That was a pretty easy crackme.  Though there were some things I had to keep in mind while going through it.  One thing that stuck in my head while doing this was from PMA where the author stated not to get too caught up in the details and just try to get the functionality.  So I went wherever caught my eye in the assembly and tried to make the pieces fit together like a puzzle.  In this case it worked.  But if the password had been an arbitrary sequence of numbers or characters I would have had to dig into the code a lot deeper to get the ordering right.

This was a fun exercise though.  The only thing I think could have gone easier with it would have been to use a graph view of the assembly to see the flow of the program better.  We could have done this analysis on a Linux or Mac but then we wouldn’t have been able to run the program to check our results.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s