The tutorial is based on Net Force crackit3 and was written to help beginning (software) crackers to get started... In the future I'll release an entire series on cracking, which will start at the very basics.
Lets dive right into the cracking..
The program prompts one of these to messages: "ACCESS GRANTED" or "ACCESS DENIED".
We start ollydbg and scroll to the pard that prompts the "ACCESS GRANTED" text.
As you can see this is at address 00402DC1.
see following snippet:
00402DC1 > 8B35 D4104000 MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
00402DC7 . 8D4D 98 LEA ECX,DWORD PTR SS:[EBP-68]
00402DCA . FFD6 CALL ESI ; <&MSVBVM60.__vbaFreeObj>
.........
.........
00402DDE . 68 48214000 PUSH CRACKIT3.00402148 ; UNICODE "ACCESS GRANTED"
00402DE3 . 57 PUSH EDI
At the address 00402DF5 we find the "ACCESS DENIED" message:
00402DF5 > FF91 00030000 CALL DWORD PTR DS:[ECX+300]
00402DFB . 8D55 98 LEA EDX,DWORD PTR SS:[EBP-68]
00402DFE . 50 PUSH EAX
00402DFF . 52 PUSH EDX
.........
.........
00402E5C . 8BF8 MOV EDI,EAX
00402E5E . 68 6C214000 PUSH CRACKIT3.0040216C ; UNICODE "ACCESS DENIED"
00402E63 . 57 PUSH EDI
So what's causing the JUMP to either "ACCESS DENIED" or "ACCESS GRANTED" ?!?
If you check out the piece of code just above the "ACCESS GRANTED" bit. You will spot a JNZ (Jump if not zero) instruction.
at address 00402D6D. This Instruction checks a certain value, and if this value is 0 the program will skip the piece of code that displays the "ACCESS GRANTED" message, and jumps straight to the code that displays "ACCESS DENIED".
This snippet shows this JNZ:
00402D6D . 85C0 TEST EAX,EAX
00402D6F . 0F85 80000000 JNZ CRACKIT3.00402DF5
We want to prevent this from happening. If we were only intrested in showing the "ACCESS GRANTED" message we would simply replace the JNZ in a JZ (Jump if Zero).... The JZ will show up as a JE (Jump if Equal) below, this is due to historic reasons, the two are totally the same.
snippet:
00402D6F 0F84 80000000 JE CRACKIT3.00402DF5
00402D75 . FF91 00030000 CALL DWORD PTR DS:[ECX+300]
You can make this change by using the edit functionality in Ollydbg (use the right-click menu). Now the program will respond in exactly the opposite way, as it did before. If the value is zero it will display the "ACCESS GRANTED". Ironicly it will now only display "ACCESS DENIED" when you enter the correct password.
However ... because we want to retrieve the password it will be a little bit trickier!
To find the correct password we will probably need to look above the JNZ at address 00402D6F. Since we suppose that program flow is as follows:
-accept input
-check input
-jump to good or bad boy message
When we look above the JNZ we spot a rather akward piece of code, with plenty of JE's and unicode numbers... watch below:
00402964 . 0F80 AD050000 JO CRACKIT3.00402F17
0040296A . 8945 C0 MOV DWORD PTR SS:[EBP-40],EAX
0040296D . FF15 98104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCo>; MSVBVM60.__vbaStrCopy
00402973 . 0FBF45 D8 MOVSX EAX,WORD PTR SS:[EBP-28]
00402977 . 8985 0CFFFFFF MOV DWORD PTR SS:[EBP-F4],EAX
0040297D . 68 AC204000 PUSH CRACKIT3.004020AC ; UNICODE "164"
We can spot 7 of these "UNICODE numbers" so we could assume that the length of the password is 7. However to be sure we look a few instructions before these numbers. At address 0402469 to be exact:
00402469 . FF15 10104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>; MSVBVM60.__vbaLenBstr
0040246F . 33C9 XOR ECX,ECX
00402471 . 83F8 07 CMP EAX,7
CALL MSVBVM60.__vbaLenBstr means that a lenght of a string is calculated. (Most lightly the password ;) )
As you can see the value that is calculated by the CALL is compared to 7 => 00402471 . 83F8 07 CMP EAX,7
So we were right, the lenght of the password is 7!
Now lets go back to the part with the UNICODE numbers, address 00402964. Here the program starts to check the first letter of the password. After every UNICODE number a line with a JE instruction follows. This Instruction will allow you to advance if the letter was correct. JE = Jump if Equal:
0040299C . F6C4 40 TEST AH,40
0040299F . 0F84 2C010000 JE CRACKIT3.00402AD1
We are going to use this location to set breakpoints.. By setting breakpoints we can interupt the normal execution of a program.
If we set a breakpoint at the first 3 JE's (we do this by pressing F2). The program will stop running when it reaches one of those breakpoints.
Go to 0040299F and press F2, the address will now be highlighted in red. (default colors)
Do the same for 004029D0 and 00402A02.
Ok, since the password has to be 7 characters in length, we will run the program (by pressing F5) and enter "aaaaaaa" (7 a's) as password. The program will stop at address 0040299F. We will now press F9 to continue execution. The program will halt again at 0040299F and we will be prompted by the "ACCESS DENIED" message. We an now conclude that the first letter isn't an "a". Since the check is case sensitive we also try "Aaaaaaa" we repeat the other steps and notice this gives us the same result. However we can now try all the letters in the alfabet. We do that and we see that when we enter "Haaaaaa" ollydbg jumps to the second breakpoint, when we press F9 rather than display the bad message. Congratulations, you just found the first letter of the password! Our first letter is 'H'
We repeat all the steps listed above, and discover that "H4aaaaa" gets us to the 3rd breakpoint. Since it's tedious to go through all the checks of the previous letters we change the JE's into JNE (or JNZ same comment as above). Now he wont bother us for the other letters and jump right to the letter we are trying to find.
change:
0040299F . 0F84 2C010000 JE CRACKIT3.00402AD1
in
0040299F . 0F84 2C010000 JNZ CRACKIT3.00402AD1
If you now type "a4aaaaa" he won't check for the first letter and still go on to checking the second. We also already know the 2'nd letter so we also patch the next JE to JNZ.
Now you can repeat these steps to find the other 7 letters of the password.
I hope this tutorial provided good guidance for crackit3 and that you learned something from it!
BasTijs
http://www.net-force.nl
(Translation by Rhican)
thanks! it was really helpful.
ReplyDeletecould you please crack homeoquest.com fro me, or guide me how it can be done with with tools.
ReplyDeleteregards,
TechPre