Thursday, June 25, 2015

SecurityOverride.org Software Cracking Level 1 | Basic Serial Disclosure

SecurityOverride.org is an information security site that gives security enthusiasts a platform to communicate and share their ideas, views, exploits and research. It also hosts several hacking and security challenges that test your skills at different levels.

A few days back I stumbled upon this site (not for the first time) and decided to sign up. I then went straight to the challenges section, solved a few of them and got interested. So in this post I will share how I solved Level 1 of the Software Cracking challenge.

Spoiler and Excitement Alert :- If you wish to solve it on your own, do not read any further; go to some other thread instead.


========XXX Line of Interest XXX ========

Level 1 : A software program is provided in a compressed .rar archive, and you're required to crack it and recover the password.

Step 1 : Know Your Target.

First, learn about the format of the executable, then run the program to see what kind of task it asks you to perform in order to obtain the data. The application should be run in a sandboxed environment for security and privacy purposes.

To understand the format and specification of the PE file, in particular its PEiD signature, I used a tool named PortExAnalyzer, made by our very own and beloved Deque.


I downloaded Sandboxie, an application that runs programs in a sandboxed environment. You can download Sandboxie from here [~ 6.6 MB] :- http://www.sandboxie.com/SandboxieInstall.exe

Once Sandboxie is installed, open the application from the archive downloaded from the SecurityOverride site inside the sandbox.

It looks something like this :-

[Image: clLGHSK.png]

Step 2 : Research and Reverse Engineer

Now that we have had a look at the main program, it is time to draw conclusions based on facts and results. On a visual level we first notice the icon of the PE, which suggests the application was made in some .NET language, but you can't be sure. Why? Because the icon could have been changed or fuzzed to confuse you, so it is better to cross-verify. We now analyse the PE using the PortEx we downloaded earlier. The following is the trace log created when I ran it on the PE :-

C:\Users\Psycho\Desktop>java -jar PortexAnalyzer.jar -o PortEx-Report-SL1.txt "Software Level 1.exe"
PortEx Analyzer

Creating report file...
Writing header reports...
Writing section reports...
Writing analysis reports...
Done!

C:\Users\Psycho\Desktop>

The report has been saved as "PortEx-Report-SL1.txt". Open it and see if you find something interesting.

Alternatively, we can extract only the sections we are interested in, namely CodeView and the PEiD signature. You can use the report above, but I prefer writing code to get exactly what I need to know rather than the complete report. So I wrote the following Java code, using Deque's PortEx library, to pull out the sections we are interested in :-

package com.rawcoders.REStuffs;

import java.io.File;
import java.io.IOException;
import java.util.List;

import com.github.katjahahn.parser.PEData;
import com.github.katjahahn.parser.PELoader;
import com.github.katjahahn.parser.sections.SectionLoader;
import com.github.katjahahn.parser.sections.debug.DebugSection;
import com.github.katjahahn.tools.sigscanner.SignatureScanner;

/**
 * Prints the PEiD signature matches and the CodeView debug info of one PE file,
 * using Deque's PortEx library.
 *
 * @author Psycho_Coder
 */
public class SoScL1 {

    public static void main(String[] args) throws IOException {
        // Path of the challenge binary; can be overridden by the first command-line argument.
        String path = args.length > 0 ? args[0]
                : "C:\\Users\\Psycho\\Desktop\\Software Level 1.exe";
        File pefile = new File(path);

        /*
         * Get the PEiD signature matches. epOnly = true restricts the scan to the
         * entry point, which is how PEiD itself matches compiler/packer signatures.
         */
        SignatureScanner scanner = SignatureScanner.newInstance();
        boolean epOnly = true;
        List<?> sigs = scanner.scanAll(pefile, epOnly);
        System.out.println("PEiD Signature\n");
        sigs.forEach(System.out::println);

        /*
         * Print the CodeView info (PDB path, GUID and age) from the debug section.
         */
        PEData pedata = PELoader.loadPE(pefile);
        DebugSection debug = new SectionLoader(pedata).loadDebugSection();
        if (debug == null || debug.getCodeView() == null) {
            System.out.println("No CodeView debug information present.");
            return;
        }
        System.out.println(debug.getCodeView().getInfo());
    }
}

The output of the above code :-

PEiD Signature

[Microsoft Visual C# v7.0 / Basic .NET] bytes matched: 54 at address: 13470

Codeview
--------

Age:  10
GUID: f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce
File: C:\Users\overide\Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb

Observations

The following gives the location of the .pdb (program database) file, which is commonly produced for .NET applications. From a forensic point of view the username "overide" in that path is important, since it tells us that someone with the system account name "overide" most probably built this (though that is not conclusive evidence).

Codeview
--------

Age:  10
GUID: f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce
File: C:\Users\overide\Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
---------------------------------------------------------------------------------------------------------------
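To show what PortEx is actually reading when it prints the Codeview block above, here is an added example (my own Python, not part of the original post and not PortEx code) that parses a raw CodeView "RSDS" record, the payload of the IMAGE_DEBUG_TYPE_CODEVIEW entry in a PE debug directory, and pulls out the GUID, age and PDB path. The sample record is constructed offline from the values reported above; the build_rsds and pdb_username helpers are my own names, and the account-name extraction is the forensic check described in the Observations.

```python
import struct
import uuid

# Layout of a CodeView "RSDS" record, the payload of an IMAGE_DEBUG_TYPE_CODEVIEW
# entry in the PE debug directory: 4-byte signature, 16-byte GUID, 4-byte age,
# then a NUL-terminated PDB path. This is what PortEx printed as "Codeview".
RSDS_SIG = b"RSDS"
HEADER_LEN = 24  # signature + GUID + age


def parse_rsds(record: bytes) -> dict:
    """Parse a CodeView RSDS record into its GUID, age and PDB path."""
    if len(record) < HEADER_LEN or record[:4] != RSDS_SIG:
        raise ValueError("not an RSDS CodeView record")
    # The GUID is stored in Windows mixed-endian layout (first three fields
    # little-endian, last eight bytes as-is); uuid handles that via bytes_le.
    guid = uuid.UUID(bytes_le=record[4:20])
    (age,) = struct.unpack_from("<I", record, 20)
    path_end = record.find(b"\x00", HEADER_LEN)
    if path_end == -1:
        raise ValueError("PDB path is not NUL-terminated")
    path = record[HEADER_LEN:path_end].decode("utf-8", errors="replace")
    return {"guid": str(guid), "age": age, "pdb_path": path}


def pdb_username(pdb_path: str):
    """Return the account name from a C:\\Users\\<name>\\... style PDB path, else None."""
    parts = pdb_path.replace("/", "\\").split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower() in ("users", "documents and settings"):
            return parts[i + 1]
    return None


def build_rsds(guid: str, age: int, pdb_path: str) -> bytes:
    """Encode an RSDS record; used here only to construct offline sample input."""
    return (RSDS_SIG + uuid.UUID(guid).bytes_le + struct.pack("<I", age)
            + pdb_path.encode("utf-8") + b"\x00")


# Constructed sample: the values PortEx reported for the challenge binary,
# re-encoded into the raw record format so the parser can be exercised offline.
SAMPLE_PATH = (r"C:\Users\overide\Documents\Visual Studio 2005\Projects"
               r"\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb")
SAMPLE_RECORD = build_rsds("f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce", 10, SAMPLE_PATH)

if __name__ == "__main__":
    info = parse_rsds(SAMPLE_RECORD)
    print(f"Age:  {info['age']}\nGUID: {info['guid']}\nFile: {info['pdb_path']}")
    print("Likely build account:", pdb_username(info["pdb_path"]))
```

The GUID byte order is the detail people usually get wrong when reading the record by hand in a hex editor: the first four bytes of the GUID field in the file are af ff 12 f5, not f5 12 ff af. From a defender's side, the same parser is what you would run over your own release builds to confirm that no developer account name or internal project path is shipped in the debug directory.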

The following PEiD signature tells us that the application was programmed in C#.

PEID Signatures
***************

[Microsoft Visual C# v7.0 / Basic .NET] bytes matched: 54 at address: 13470

From here on we have two approaches. First, we open the exe in any hex editor and see if we can find something interesting, or whether we can get the serial directly from there (this step could be done earlier too). It is common sense that the serials or the password required would have been stored in a string when it was coded (not necessarily true, because I could store them in hex or in some encrypted form that is converted to another form by other instructions). So if you open the exe in any hex editor and look, you will come across something like this, which is the serial we want :-

[Image: rS4fhbX.png]

The problem with this method is that if the PE file is large, or the serials are encrypted in some binary form, then manually looking for the serial becomes a problem and could get difficult. So we will focus on the second approach, which is much easier.
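The reason the serial is visible in the hex editor screenshot with a 00 byte between each character is that .NET stores string literals in the assembly's #US heap as UTF-16LE. The following added example (my own Python, not from the original post) scans a byte blob for both plain ASCII and UTF-16LE runs, which is the check a reviewer runs over their own build to catch secrets embedded as literals before release. The sample blob, the us_heap_entry helper and the serial value are all constructed for this example; they approximate a .NET binary and are not bytes from the challenge file.

```python
import re
from typing import List, Tuple


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, scanning for both plain ASCII and UTF-16LE.

    .NET string literals are stored in the assembly's #US heap as UTF-16LE,
    which is why a hex editor shows them with a 00 byte after each character
    and why an ASCII-only scan misses them.
    """
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


def us_heap_entry(text: str) -> bytes:
    """Constructed approximation of one .NET #US heap entry: a 1-byte compressed
    length (valid for blobs under 0x80 bytes), the UTF-16LE text, then a flag byte."""
    payload = text.encode("utf-16le") + b"\x00"
    if len(payload) >= 0x80:
        raise ValueError("sample helper only handles short strings")
    return bytes([len(payload)]) + payload


# Constructed sample blob standing in for a small .NET executable: a DOS stub
# message (ASCII), an ASCII metadata name, and two UTF-16LE literals such as
# a prompt and a serial. The serial value itself is made up for this example.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"mscorlib\x00"
    + us_heap_entry("Enter serial:")
    + us_heap_entry("ABCD-1234-SAMPLE")
    + b"\xff\x01\x02"
)

if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#08x} {enc:9} {text}")
```

Run with an ASCII-only scan the serial never shows up, while the UTF-16LE pass finds both the prompt and the serial; that is exactly the gap a plain strings run leaves on a .NET binary and the reason the second approach (decompiling) is the more reliable one.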

Let's move on to the next approach. Based on the above observation we can download any .NET decompiler to reverse engineer the code. Several free tools are available for this purpose; the better ones are ILSpy and dotPeek.

Download ILSpy : https://github.com/icsharpcode/ILSpy/releases/download/2.3/ILSpy_Master_2.3.0.1827_Binaries.zip
Download dotPeek : https://www.jetbrains.com/decompiler/download/

I will show you both of them. You need to install ILSpy, but dotPeek doesn't need any installation.

Now all you have to do is open the PE file we have to crack in ILSpy or dotPeek, then locate "WindowsApplication1\Form1\button1_Click" and double-click it to see the decompiled code. button1.Click is the event handler for the Register button. In the main panel the Serial Number and Password you will be prompted for are clearly visible.

Observe the images :-

ILSpy
[Image: ljUQZSy.png]

dotPeek
[Image: vtE1wKx.png]

Step 3 : Verify your Findings

So, these were the steps you can perform to get the serial and password. The following shows what you get when you enter the password.
[Image: 9ETeKT7.png]


Conclusion

The concepts we learnt here for software cracking are applicable to many different scenarios and in different ways, such as source code theft forensics and secure code analysis.

I hope you enjoyed the tutorial. Stay tuned for the Level 2 walkthrough.

Tool Summary

1. PortExAnalyzer
2. Sandboxie
3. ILSpy or dotPeek.

Thank you,
Sincerely,
Psycho_Coder.
