SecurityOverride.org is an information security site that gives security
enthusiasts a platform to communicate and share their ideas, views,
exploits and research. It also hosts several hacking and security
challenges that test your skills at different levels.
A few days back I stumbled upon this site (not for the first time) and decided to
sign up. After that I went straight to the challenges section, solved a
few of them and got interested. So in this post I will be sharing how I
solved Level 1 of the Software Cracking challenge.
Spoiler and excitement alert :- People who wish to solve it on their own should not proceed any further and go straight to some other thread.
========XXX Line of Interest XXX ========
Level 1 : A software program is given in a compressed .rar archive and you're required to crack it and get the password.
Step 1 : Know Your Target
Before anything else, the format of the executable should be known, and
the program should be executed to see what kind of task it asks us to
perform to get the data. The application should be run in a sandboxed
environment for security and privacy purposes.
To understand the format and specification of the PE file, especially
the PEiD signature, I used a tool named PortExAnalyzer made by our very
own and loved Deque.
After you have installed Sandboxie, open the application inside the archive downloaded from the SecurityOverride site.
It looks something like this :-
Step 2 : Research and Reverse Engineer
Now that we have had a look at what the main program looks like, it's
time to draw conclusions based on facts and results. On a visual level
we first notice the icon of the PE, which suggests the application was
made with some .NET language, but you can't be sure. Why? Because the
icon could have been changed or fuzzed in order to confuse you. So it's
better to cross-verify. Now we analyse the PE using the PortEx we
downloaded earlier. The following is the trace log created when I ran it on the PE.
C:\Users\Psycho\Desktop>java -jar PortexAnalyzer.jar -o PortEx-Report-SL1.txt "Software Level 1.exe"
PortEx Analyzer
Creating report file...
Writing header reports...
Writing section reports...
Writing analysis reports...
Done!
C:\Users\Psycho\Desktop>
The report has been saved with the filename "PortEx-Report-SL1.txt". Open it and see if you find something interesting.
Alternatively, we can extract only the sections we are interested in, namely CodeView and the PEiD signature.
You can use the report above, but I prefer writing code to get exactly
what I need rather than the complete report. So I wrote the following
code in Java, using Deque's PortEx library, to get the sections we are
interested in :-
package com.rawcoders.REStuffs;

import java.io.File;
import java.io.IOException;
import java.util.List;

import com.github.katjahahn.parser.PEData;
import com.github.katjahahn.parser.PELoader;
import com.github.katjahahn.parser.sections.SectionLoader;
import com.github.katjahahn.parser.sections.debug.DebugSection;
import com.github.katjahahn.tools.sigscanner.SignatureScanner;

/**
 * Prints the PEiD signature matches and the CodeView debug info of one PE file.
 *
 * @author Psycho_Coder
 */
public class SoScL1 {

    public static void main(String[] args) throws IOException {
        File pefile = new File("C:\\Users\\Psycho\\Desktop\\Software Level 1.exe");

        /*
         * Get the PEiD signature: scan the signature database against the file,
         * restricted to the entry point (epOnly), which is what PEiD does by default.
         */
        SignatureScanner scanner = SignatureScanner.newInstance();
        boolean epOnly = true;
        List<String> sigs = scanner.scanAll(pefile, epOnly);
        System.out.println("PEiD Signature\n");
        sigs.forEach(System.out::println);

        /*
         * Print the CodeView info (GUID, age and pdb path) from the debug section.
         */
        PEData pedata = PELoader.loadPE(pefile);
        DebugSection debug = new SectionLoader(pedata).loadDebugSection();
        System.out.println(debug.getCodeView().getInfo());
    }
}
The output of the above code :-
PEiD Signature
[Microsoft Visual C# v7.0 / Basic .NET] bytes matched: 54 at address: 13470
Codeview
--------
Age: 10
GUID: f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce
File: C:\Users\overide\Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
Observations
The following gives the location of the .pdb (program database) file, a reference that .NET applications commonly carry. From a forensic point of view the username in that path, "overide", is important, since it tells us that someone with the system account name "overide" built this (most probably, but not conclusive evidence).
Codeview
--------
Age: 10
GUID: f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce
File: C:\Users\overide\Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb
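The same pdb path observation can be automated on data PortEx cannot load, such as a carved fragment or a memory dump, by scanning for the RSDS CodeView record directly: it is the ASCII tag "RSDS", a 16-byte GUID in the Windows mixed-endian layout, a 4-byte little-endian age, and a NUL-terminated path. The Python below is an added example, not code from this post or from PortEx; its sample buffer is constructed from the GUID, age and path in the report above, and user_from_pdb_path is a hypothetical helper name.

```python
"""Scan a byte buffer for RSDS CodeView records and pull out the GUID, age
and pdb path. Added example, not code from the post or from PortEx."""
import re
import struct
import uuid
from dataclasses import dataclass


@dataclass
class CodeView:
    offset: int
    guid: str
    age: int
    pdb_path: str


def parse_rsds(buf: bytes, off: int):
    """Parse one record at off: b'RSDS' | GUID (16 bytes, Windows mixed-endian)
    | age (uint32 LE) | NUL-terminated path. Returns None for truncated or
    non-text records, which matters when scanning arbitrary carved data."""
    if buf[off:off + 4] != b"RSDS" or len(buf) < off + 24:
        return None
    guid = uuid.UUID(bytes_le=buf[off + 4:off + 20])  # undoes the LE field order
    (age,) = struct.unpack_from("<I", buf, off + 20)
    end = buf.find(b"\0", off + 24)
    if end < 0:
        return None
    raw = buf[off + 24:end]
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return CodeView(off, str(guid), age, raw.decode("ascii"))


def scan_codeview(buf: bytes):
    """Return every parseable RSDS record in the buffer, in file order."""
    records = []
    for m in re.finditer(rb"RSDS", buf):
        rec = parse_rsds(buf, m.start())
        if rec is not None:
            records.append(rec)
    return records


def user_from_pdb_path(path: str):
    """Account name from a <drive>:\\Users\\<name>\\... path (hypothetical helper);
    None when the path has no such prefix. Evidence only, not proof of authorship."""
    m = re.match(r"^[A-Za-z]:\\Users\\([^\\]+)\\", path)
    return m.group(1) if m else None


# Constructed sample: one RSDS record built from the values in the report
# above, surrounded by filler so the scanner has to locate it, plus a
# truncated false positive at the end that must be skipped.
SAMPLE_GUID = "f512ffaf-b4c3-4f5a-b634-aa8f46bb8dce"
SAMPLE_PATH = (r"C:\Users\overide\Documents\Visual Studio 2005\Projects"
               r"\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.pdb")
SAMPLE = (b"\x90" * 37
          + b"RSDS" + uuid.UUID(SAMPLE_GUID).bytes_le + struct.pack("<I", 10)
          + SAMPLE_PATH.encode("ascii") + b"\0"
          + b"RSDS\x01\x02")

if __name__ == "__main__":
    for rec in scan_codeview(SAMPLE):
        print(f"offset {rec.offset}: GUID {rec.guid} age {rec.age}")
        print(f"  pdb: {rec.pdb_path}")
        print(f"  build account: {user_from_pdb_path(rec.pdb_path)}")
```

The GUID is the part people most often get wrong by hand: the first three fields are little-endian on disk while the last eight bytes are not, so "af ff 12 f5" in a hex dump is the f512ffaf that PortEx printed.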
---------------------------------------------------------------------------------------------------------------
The following PEiD signature tells us that the application was programmed in C#.
PEID Signatures
***************
[Microsoft Visual C# v7.0 / Basic .NET] bytes matched: 54 at address: 13470
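Because an icon can be swapped, it helps to have a structural cross-check next to the PEiD signature match: a managed (.NET) executable always carries a CLR runtime header, referenced by data directory entry 14 of the optional header. The Python below is an added example, not code from this post or from PortEx; it parses just enough of the PE headers to read that entry, and build_pe_header is a hypothetical helper that produces a constructed, minimal PE32 or PE32+ header as sample input (field offsets follow the PE file format specification).

```python
"""Structural .NET check: does the PE carry a CLR runtime header?
Added example, not code from the post or from PortEx."""
import struct

# Index of the CLR runtime header among the optional header's data directories
# (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE specification).
CLR_DIRECTORY_INDEX = 14


def clr_header_entry(pe: bytes):
    """Return (rva, size) of the CLR runtime header directory entry, or None
    when the buffer is not a PE file or the entry is not present."""
    try:
        if len(pe) < 0x40 or pe[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
        size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
        opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
        magic = struct.unpack_from("<H", pe, opt)[0]
        if magic == 0x10B:                       # PE32: directories at +96
            dirs = opt + 96
        elif magic == 0x20B:                     # PE32+: directories at +112
            dirs = opt + 112
        else:
            return None
        num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]  # NumberOfRvaAndSizes
        entry = dirs + 8 * CLR_DIRECTORY_INDEX
        if num_dirs <= CLR_DIRECTORY_INDEX or entry + 8 > opt + size_of_opt:
            return None
        return struct.unpack_from("<II", pe, entry)
    except struct.error:                         # header cut short
        return None


def is_dotnet(pe: bytes) -> bool:
    """True when the CLR header entry has a non-zero RVA and size."""
    entry = clr_header_entry(pe)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def build_pe_header(clr_rva=0, clr_size=0, pe32plus=False) -> bytes:
    """Constructed sample input (hypothetical helper): a minimal DOS stub plus
    NT headers with no sections, enough for the check above. Real files carry
    a section table and sections after this."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, clr_rva, clr_size)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(name, "managed" if is_dotnet(fh.read()) else "native/unknown")
```

A PEiD signature is a byte pattern at the entry point and can be absent or spoofed, whereas the CLR header is what the Windows loader itself uses to hand the image to the runtime, so the two checks fail in different ways and are worth running together.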
From here on we have two approaches. First, we open the exe in any hex
editor and see if we can find something interesting or even get the
serial directly from there (this step can be done earlier too). It is
common sense that the serial or password required will have been stored
in a string when it was coded (not necessarily true, because I could
store them in hex or some other encrypted form that is converted back by
other instructions). So if you open the exe with any hex editor and look
carefully, you will come across something like this, which is the serial
we want :-
![[Image: rS4fhbX.png]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_t1kUVJi-IK96WFikc_vhsMkfS8bZsfTVK7M8HM-Nn0aj2Ybf3aTmPtdKPmqyHXbgOyA_VgDEDEpC3phhgGXEH8jw=s0-d)
The problem with this method is that if the PE file is large or the
serials are encrypted in some binary form, then manually looking for
the serial becomes a problem and could get difficult.
So we will focus on the second approach, which is much easier.
Let's move on to the next approach. Based on the above observation we
can download any .NET decompiler to reverse engineer the code. Several
free tools are available for this purpose; the better ones are ILSpy
and dotPeek.
Download ILSpy :
https://github.com/icsharpcode/ILSpy/releases/download/2.3/ILSpy_Master_2.3.0.1827_Binaries.zip
Download dotPeek :
https://www.jetbrains.com/decompiler/download/
I will show you both of them. You need to install ILSpy, but dotPeek doesn't need any installation.
Now all you have to do is open the PE file we have to crack with ILSpy
or dotPeek, locate "WindowsApplication1\Form1\button1_Click" and
double-click it to see the decompiled code. button1.Click is the event
handler for the Register button. The serial number and password you are
prompted for on the main panel are clearly visible.
Observe the images :-
ILSpy
![[Image: ljUQZSy.png]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sHCYd6UD-joHVA5BR_Cbx7zWhLAmAdfTsjGVGDVCGbRN5MC48GWjrzUicmCE2rpYhEVu8Q4uOBoJUcek1qyaEXFA=s0-d)
dotPeek
Step 3 : Verify Your Findings
So, these were the steps you can perform to get the serial and
password. The following shows the result when you enter the password.
Conclusion
The concepts we learnt here for software cracking are applicable to many
different scenarios and in different ways too, like source code theft
forensics, secure code analysis, etc.
I hope you enjoyed the tutorial. Stay tuned for the Level 2 walkthrough.
Tool Summary
1. PortExAnalyzer
2. Sandboxie
3. ILSpy or dotPeek.
Thank you,
Sincerely,
Psycho_Coder.