
Breaking Protection

  1. Breaking Protection Breaking Protection 1

  2. Overview
  • Here, we discuss cracking examples
  • Examples are not from real software
  • “Crackme” --- program designed for studying cracking/protection techniques
  • Why learn cracking?
  • So that you can better protect software
  • “…protection technologies developed by people who have never attempted cracking are never effective!”

  3. Patching
  • Consider the following application
  • KeygenMe-3 by Bengaly
  • No useful info here
  • What to do?
  • Enter some data and see what happens

  4. Patching
  • Get invalid serial number message:
  • Now what?
  • OllyDbg, of course…

  5. Patching
  • Looking for message box

  6. Patching
  • What about lpk.dll?

  7. Patching
  • Imports/exports

  8. Patching
  • References to MessageBoxA
  • OK, now what?

  9. Patching
  • Third MsgBoxA reference

  10. Patching
  • Now patch it in OllyDbg…
  • …success
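Slide 10 shows the patch being applied in OllyDbg but not what it changes. In a crackme of this kind the target is normally the conditional jump that chooses between the “good” path and the MessageBoxA call that shows the invalid-serial message. The C code below is an added example, not code from the slides, from KeygenMe-3 or from OllyDbg: it decodes an x86 conditional jump in a byte buffer and applies the three patches a cracker usually picks from (force the jump, remove it, or invert its condition). The instruction bytes in main are a constructed sample, not bytes from the crackme.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kinds of x86 branch the patcher understands. */
typedef enum { BR_NONE = 0, BR_JCC_SHORT, BR_JCC_NEAR, BR_JMP_SHORT, BR_JMP_NEAR } branch_kind;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode the branch at code[off]; its encoded length goes to *ilen. */
static branch_kind classify_branch(const uint8_t *code, size_t len, size_t off, size_t *ilen) {
    if (off >= len) return BR_NONE;
    uint8_t op = code[off];
    if (op >= 0x70 && op <= 0x7F && off + 2 <= len) { *ilen = 2; return BR_JCC_SHORT; }  /* Jcc rel8  */
    if (op == 0xEB && off + 2 <= len)               { *ilen = 2; return BR_JMP_SHORT; }  /* JMP rel8  */
    if (op == 0xE9 && off + 5 <= len)               { *ilen = 5; return BR_JMP_NEAR;  }  /* JMP rel32 */
    if (op == 0x0F && off + 6 <= len && code[off + 1] >= 0x80 && code[off + 1] <= 0x8F) {
        *ilen = 6; return BR_JCC_NEAR;                                                   /* Jcc rel32 */
    }
    return BR_NONE;
}

/* Branch target as an offset into the buffer (displacements are relative to the next
   instruction), or -1 if there is no branch at off. */
static int64_t branch_target(const uint8_t *code, size_t len, size_t off) {
    size_t ilen;
    switch (classify_branch(code, len, off, &ilen)) {
    case BR_JCC_SHORT: case BR_JMP_SHORT: return (int64_t)(off + 2) + (int8_t)code[off + 1];
    case BR_JMP_NEAR:  return (int64_t)(off + 5) + (int32_t)rd32le(code + off + 1);
    case BR_JCC_NEAR:  return (int64_t)(off + 6) + (int32_t)rd32le(code + off + 2);
    default:           return -1;
    }
}

/* Patch 1: make the conditional jump unconditional (always take the branch). */
static int force_jump(uint8_t *code, size_t len, size_t off) {
    size_t ilen;
    switch (classify_branch(code, len, off, &ilen)) {
    case BR_JCC_SHORT:
        code[off] = 0xEB;                 /* rel8 and next-instruction address are unchanged */
        return 1;
    case BR_JCC_NEAR: {
        /* 0F 8x rel32 (6 bytes) becomes E9 rel32 (5 bytes) plus a NOP. The displacement is
           taken from the end of the instruction, which is now one byte earlier, so add 1. */
        uint32_t rel = rd32le(code + off + 2);
        code[off] = 0xE9;
        wr32le(code + off + 1, rel + 1);
        code[off + 5] = 0x90;
        return 1;
    }
    default:
        return 0;                         /* not a conditional jump: refuse to patch */
    }
}

/* Patch 2: remove the jump (never take the branch) by NOP-ing the whole instruction. */
static int kill_jump(uint8_t *code, size_t len, size_t off) {
    size_t ilen;
    if (classify_branch(code, len, off, &ilen) == BR_NONE) return 0;
    memset(code + off, 0x90, ilen);
    return 1;
}

/* Patch 3: invert the condition (JNZ<->JZ, JA<->JBE, ...). In the Jcc encoding the low
   nibble is the condition code and bit 0 selects the negated form. */
static int invert_jump(uint8_t *code, size_t len, size_t off) {
    size_t ilen;
    switch (classify_branch(code, len, off, &ilen)) {
    case BR_JCC_SHORT: code[off]     ^= 0x01; return 1;
    case BR_JCC_NEAR:  code[off + 1] ^= 0x01; return 1;
    default:           return 0;
    }
}

int main(void) {
    /* Constructed sample: cmp eax,ebx / jnz short bad / mov eax,1 / bad: xor eax,eax / ret */
    uint8_t code[] = { 0x3B, 0xC3, 0x75, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0x31, 0xC0, 0xC3 };
    printf("jnz at +2 targets +%lld\n", (long long)branch_target(code, sizeof code, 2));
    invert_jump(code, sizeof code, 2);
    printf("after invert: opcode %02X (jz)\n", code[2]);
    force_jump(code, sizeof code, 2);
    printf("after force : opcode %02X (jmp), target still +%lld\n", code[2],
           (long long)branch_target(code, sizeof code, 2));
    kill_jump(code, sizeof code, 2);
    printf("after kill  : %02X %02X (nop nop)\n", code[2], code[3]);
    return 0;
}
```

The debugger edits these bytes at a virtual address in the loaded image; to make the patch permanent it has to be written to the .exe at the matching file offset, which the section table gives (an RVA to raw-offset mapping), and a near Jcc must be rewritten as above because its replacement is a byte shorter.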

  11. Keygenning
  • Suppose a program asks for an ID and a serial number
  • Such a program may have a keygen algorithm
  • Generates a “key” or serial number based on the ID
  • Attacker might want access to the keygen algorithm
  • Why?
  • To generate many valid ID/serial number pairs
  • Why isn’t 1 such pair sufficient?

  12. Ripping Keygen Algorithm
  • Goal is to create a working copy of the keygen algorithm
  • Just for creating valid ID/serial number pairs
  • This code can be “ripped” from the application
  • Following example is from…
  • KeygenMe-3 by Bengaly

  13. Ripping Keygen Algorithm
  • Code Part 1

  14. Ripping Keygen Algorithm
  • Code Part 2

  15. Ripping Keygen Algorithm
  • Code Part 3

  16. Ripping Keygen Algorithm
  • Take a look at Key4.00401388

  17. Ripping Keygen Algorithm
  • Code for keygen algorithm…
  • Uppercase asm is ripped from app
  • Note: there is no need to understand the details!

  18. Ripping Keygen Algorithm
  • Insert previous code into console app
  • And try it out…
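The console app of slide 18, as an added example in C. This is not Bengaly's routine: the real ripped code (Key4.00401388) exists only in the slide images and is not reproduced here, so ripped_serial_from_id is a hypothetical stand-in with a constructed seed constant, and the four-character minimum ID length is a constructed rule. The point it demonstrates is the one on slide 17: the keygen needs no understanding of the routine, because it simply calls the same code the application calls and prints the result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* HYPOTHETICAL stand-in for the ripped routine. In a real rip this body is the
   application's own instructions copied verbatim (as inline asm); all that matters is
   that it computes exactly the value the application compares against. */
static uint32_t ripped_serial_from_id(const char *id) {
    uint32_t h = 0x5A17C3E9u;                      /* constructed seed constant */
    for (; *id; ++id) {
        uint32_t c = (uint32_t)toupper((unsigned char)*id);
        h = ((h << 5) | (h >> 27)) ^ c;            /* rotate-and-xor mixing */
        h *= 0x01000193u;                          /* multiply to spread the bits */
    }
    return h;
}

/* What the application does with the user's input: parse the serial as hex and compare
   it with the value derived from the ID (constructed: IDs shorter than 4 are rejected). */
static int check_serial(const char *id, const char *serial) {
    if (strlen(id) < 4) return 0;
    char *end = NULL;
    unsigned long v = strtoul(serial, &end, 16);
    if (end == serial || *end != '\0') return 0;
    return (uint32_t)v == ripped_serial_from_id(id);
}

/* The keygen: the ripped routine wrapped in a console program. out gets 8 hex digits. */
static void keygen(const char *id, char out[9]) {
    snprintf(out, 9, "%08X", (unsigned)ripped_serial_from_id(id));
}

int main(int argc, char **argv) {
    const char *id = argc > 1 ? argv[1] : "Alice";     /* constructed default ID */
    char serial[9];
    keygen(id, serial);
    printf("ID: %s  serial: %s  check: %s\n", id, serial,
           check_serial(id, serial) ? "OK" : "BAD");
    return 0;
}
```

Run with any ID on the command line to get a matching serial. One pair is rarely enough because a single leaked pair is trivial to blacklist in an update; a working copy of the routine produces a fresh valid pair for every ID, which is why slides 11 and 12 aim at the algorithm rather than at one key.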

  19. Advanced Cracking: Defender
  • Application developed to demonstrate protection techniques
  • “…similar to what you would find in real-world commercial protection…”
  • Difficult, but not impossible
  • “…all it takes is a lot of knowledge and a lot of patience”

  20. Defender Interface
  • Launch without command-line options

  21. Defender Interface
  • Launched with “random” username/serial number

  22. Defender: Linked Modules
  • Load into OllyDbg and look at the Executable Modules window
  • Lists the modules loaded with the program (DLLs linked at load time through the import table)
  • Just standard stuff here

  23. Defender: Imports/Exports
  • Imports/exports
  • The only imported API is IsDebuggerPresent?
  • This is very strange

  24. Defender: DUMPBIN
  • Anything?
  • Still just one API?
  • What about summary?

  25. DUMPBIN /HEADERS
  • Try long listing --- find the following
  • …

  26. DUMPBIN /HEADERS
  • And…
  • …

  27. DUMPBIN /HEADERS
  • And…
  • …

  28. DUMPBIN /HEADERS
  • And…
  • …

  29. Strange Section Names
  • May be an indication that the program is packed
  • What to do?
  • Try unpacking
  • Works only if a standard (known) packer was used

  30. Defender: PEiD
  • Try PEiD for common packers
  • Nothing interesting…
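Slides 25 to 29 read the DUMPBIN /HEADERS listing by eye and judge whether the section names look normal. The same check in code, as an added example that is not from the slides, from Defender or from DUMPBIN: a parser for the PE section table that flags names a normal linker would not emit, plus the RVA to file-offset mapping that the same table provides. The PE32 header it runs on is constructed in build_sample_pe (section names, sizes and offsets are sample values, and the odd name xyz123 is invented for the test, not Defender's).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char     name[9];                  /* 8-byte section name, NUL-terminated here */
    uint32_t virt_size, virt_addr, raw_size, raw_ptr, characteristics;
} pe_section;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table: the part of the
   DUMPBIN /HEADERS output slides 25-28 look at. Returns the section count, or -1. */
static int pe_sections(const uint8_t *img, size_t len, pe_section *out, int max) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t e_lfanew = le32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;        /* signature + COFF header */
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    int    nsec  = le16(nt + 6);                                  /* NumberOfSections       */
    size_t table = (size_t)e_lfanew + 24 + le16(nt + 20);        /* + SizeOfOptionalHeader */
    if (nsec > max || table > len || len - table < (size_t)nsec * 40) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = img + table + (size_t)i * 40;
        memcpy(out[i].name, s, 8); out[i].name[8] = '\0';
        out[i].virt_size = le32(s + 8);  out[i].virt_addr = le32(s + 12);
        out[i].raw_size  = le32(s + 16); out[i].raw_ptr   = le32(s + 20);
        out[i].characteristics = le32(s + 36);
    }
    return nsec;
}

/* Names normal linkers emit. Anything else is the "strange section name" of slide 29:
   a hint of a packer or custom protection (and unpackers only help for known packers). */
static int is_common_section_name(const char *n) {
    static const char *const common[] = { ".text", ".rdata", ".data", ".idata", ".edata",
        ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT", NULL };
    for (int i = 0; common[i]; i++) if (strcmp(n, common[i]) == 0) return 1;
    return 0;
}

static int count_unusual_sections(const uint8_t *img, size_t len) {
    pe_section s[32];
    int n = pe_sections(img, len, s, 32), odd = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n; i++) odd += !is_common_section_name(s[i].name);
    return odd;
}

/* RVA -> file offset via the section table: needed to write a debugger patch back to disk. */
static int64_t rva_to_file_offset(const pe_section *s, int n, uint32_t rva) {
    for (int i = 0; i < n; i++)
        if (rva >= s[i].virt_addr && rva - s[i].virt_addr < s[i].raw_size)
            return (int64_t)s[i].raw_ptr + (rva - s[i].virt_addr);
    return -1;                                                    /* not backed by file data */
}

/* Constructed minimal PE32 header with three sections (sample input, not a real binary). */
static size_t build_sample_pe(uint8_t *img, size_t cap) {
    const size_t total = 0x40 + 24 + 0xE0 + 3 * 40;               /* 432 bytes */
    if (cap < total) return 0;
    memset(img, 0, total);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x40;                                             /* e_lfanew                */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = 0x4C; img[0x45] = 0x01;                           /* Machine = i386          */
    img[0x46] = 3;                                                /* NumberOfSections        */
    img[0x54] = 0xE0;                                             /* SizeOfOptionalHeader    */
    img[0x58] = 0x0B; img[0x59] = 0x01;                           /* optional hdr Magic 10B  */
    const struct { const char *name; uint32_t vsize, va, rsize, rptr; } sec[3] = {
        { ".text",  0x1000, 0x1000, 0x1000, 0x0400 },
        { ".rdata", 0x0400, 0x2000, 0x0400, 0x1400 },
        { "xyz123", 0x3000, 0x3000, 0x0C00, 0x1800 },              /* constructed odd name */
    };
    for (int i = 0; i < 3; i++) {
        uint8_t *s = img + 0x40 + 24 + 0xE0 + i * 40;
        memcpy(s, sec[i].name, strlen(sec[i].name));
        put32(s + 8, sec[i].vsize); put32(s + 12, sec[i].va);
        put32(s + 16, sec[i].rsize); put32(s + 20, sec[i].rptr);
    }
    return total;
}

int main(void) {
    uint8_t img[512];
    pe_section s[8];
    size_t len = build_sample_pe(img, sizeof img);
    int n = pe_sections(img, len, s, 8);
    for (int i = 0; i < n; i++)
        printf("%-8s VA %08X raw %08X%s\n", s[i].name, s[i].virt_addr, s[i].raw_ptr,
               is_common_section_name(s[i].name) ? "" : "   <-- unusual name");
    printf("%d unusual section(s); RVA 1010 -> file offset %lld\n",
           count_unusual_sections(img, len), (long long)rva_to_file_offset(s, n, 0x1010));
    return 0;
}
```

An unusual name is only a hint: a packed binary also tends to have a tiny import table (compare slide 23) and a last section that is writable and executable, which the characteristics field exposes. PEiD and generic unpackers match signatures of known packers, so a custom scheme like Defender's shows nothing there, exactly as slide 30 reports.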

  31. Defender: Initialization
  • Want to figure out where the “Bad key, try again” msg comes from
  • But Defender imports no API that could display it???
  • So, no obvious place to set a breakpoint
  • What to do?
  • Look at the initialization routine…

  32. Initialization Disassembly I

  33. Initialization Disassembly II

  34. Initialization Disassembly III

  35. Initialization Disassembly IV

  36. Initialization Disassembly V

  37. Initialization
  • Consider this code
  • fs register for thread-related info
  • What’s at offset “+30”?

  38. Initialization
  • For any thread, the fs segment base is that thread’s Thread Environment Block (TEB), so fs:[n] reads offset n of the TEB
  • What to do?
  • Look up the TEB data structure…

  39. TEB
  • At +30 we have a pointer to the PEB
  • Process Environment Block
  • Just like TEB, but for a process
  • Program accesses +c in the PEB
  • So, program accesses the PEB via the TEB

  40. PEB
  • What is at +c in the PEB?
  • Ldr, a pointer to _PEB_LDR_DATA
  • Go look at that data structure…

  41. _PEB_LDR_DATA
  • Program reads +c here too
  • InLoadOrderModuleList, a LIST_ENTRY (head of the list of loaded modules)
  • Look at data structure (next slide)

  42. LIST_ENTRY
  • Goes to offset +0 here
  • That is, Flink: a pointer to the next LIST_ENTRY, which is the first field of an LDR_DATA_TABLE_ENTRY

  43. LIST_ENTRY
  • Goes to offset +18 here
  • That is, DllBase of that LDR_DATA_TABLE_ENTRY

  44. What Does it all Mean?
  • After all of that, program has found the base of some DLL
  • Dump loader data structures
  • InLoadOrderModuleList from PEB_LDR_DATA
  • Next slide…

  45. Initialization

  46. Initialization
  • Bottom line?
  • The function at 00402EA8 obtains the in-memory address of NTDLL.DLL
  • Program must communicate with OS
  • And this is a highly obfuscated way to (begin to) do so!
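The chain traced on slides 37 to 46 (fs:[30] to PEB, +c to Ldr, +c to InLoadOrderModuleList, Flink to an entry, +18 to DllBase) is how a program finds a DLL's base without a single import. Below is that walk as an added C example, not code from Defender or from the slides. Because the real thing needs the fs segment of a 32-bit Windows process, the example runs the identical offsets over a constructed 32-bit memory image (build_fake_process) so it executes anywhere; the module names, base addresses and the FAKE_BASE address are sample values. It also handles the two things a practitioner has to get right: the list is circular (walking past the head loops forever), and BaseDllName is a counted UTF-16 UNICODE_STRING, not a C string.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fake 32-bit address space: the byte array g_mem "lives" at FAKE_BASE (constructed). */
#define FAKE_BASE 0x7FFD0000u
#define FAKE_SIZE 0x1000u
static uint8_t g_mem[FAKE_SIZE];

/* 32-bit Windows loader structure offsets, as traced on slides 37-43. */
enum {
    TEB_PEB         = 0x30,  /* TEB.ProcessEnvironmentBlock (read as fs:[30])      */
    PEB_LDR         = 0x0C,  /* PEB.Ldr -> PEB_LDR_DATA                             */
    LDR_INLOAD_LIST = 0x0C,  /* PEB_LDR_DATA.InLoadOrderModuleList (a LIST_ENTRY)   */
    LE_FLINK        = 0x00,  /* LIST_ENTRY.Flink                                    */
    LDTE_DLLBASE    = 0x18,  /* LDR_DATA_TABLE_ENTRY.DllBase                        */
    LDTE_BASENAME   = 0x2C,  /* LDR_DATA_TABLE_ENTRY.BaseDllName (UNICODE_STRING)   */
    US_LENGTH       = 0x00,  /* UNICODE_STRING.Length, in bytes                     */
    US_BUFFER       = 0x04   /* UNICODE_STRING.Buffer -> UTF-16LE characters        */
};

static int in_range(uint32_t va, uint32_t n) {
    return va >= FAKE_BASE && va - FAKE_BASE + n <= FAKE_SIZE;
}
static uint32_t rd32(uint32_t va) {                     /* 0 on a bad address */
    if (!in_range(va, 4)) return 0;
    const uint8_t *p = g_mem + (va - FAKE_BASE);
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(uint32_t va) {
    if (!in_range(va, 2)) return 0;
    return (uint16_t)(g_mem[va - FAKE_BASE] | (g_mem[va - FAKE_BASE + 1] << 8));
}
static void wr32(uint32_t va, uint32_t v) {
    if (!in_range(va, 4)) return;
    uint8_t *p = g_mem + (va - FAKE_BASE);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint32_t va, uint16_t v) {
    if (!in_range(va, 2)) return;
    g_mem[va - FAKE_BASE] = (uint8_t)v; g_mem[va - FAKE_BASE + 1] = (uint8_t)(v >> 8);
}

/* Case-insensitive compare of a UNICODE_STRING (ASCII subset) against a C string. */
static int unicode_name_equals(uint32_t us, const char *name) {
    uint32_t len = rd16(us + US_LENGTH) / 2, buf = rd32(us + US_BUFFER);
    if (len != strlen(name)) return 0;
    for (uint32_t i = 0; i < len; i++) {
        uint16_t wc = rd16(buf + 2 * i);
        if (wc > 0x7F || tolower(wc) != tolower((unsigned char)name[i])) return 0;
    }
    return 1;
}

/* The walk from the slides: fs:[30] -> PEB -> Ldr -> InLoadOrderModuleList -> entries.
   The list is circular, so stop when Flink returns to the list head. */
static uint32_t find_module_base_by_name(uint32_t teb, const char *name) {
    uint32_t peb  = rd32(teb + TEB_PEB);
    uint32_t ldr  = rd32(peb + PEB_LDR);
    uint32_t head = ldr + LDR_INLOAD_LIST;
    for (uint32_t e = rd32(head + LE_FLINK); e != head && e != 0; e = rd32(e + LE_FLINK))
        if (unicode_name_equals(e + LDTE_BASENAME, name)) return rd32(e + LDTE_DLLBASE);
    return 0;
}

/* Variant that takes the n-th entry in load order. The loader lists the .exe first and
   ntdll.dll second, which is what lets code like slide 46's reach NTDLL without names. */
static uint32_t nth_module_base(uint32_t teb, unsigned n) {
    uint32_t head = rd32(rd32(teb + TEB_PEB) + PEB_LDR) + LDR_INLOAD_LIST;
    uint32_t e = rd32(head + LE_FLINK);
    for (unsigned i = 0; i < n && e != head && e != 0; i++) e = rd32(e + LE_FLINK);
    return (e == head || e == 0) ? 0 : rd32(e + LDTE_DLLBASE);
}

static void put_entry(uint32_t e, uint32_t flink, uint32_t base, uint32_t namebuf, const char *name) {
    wr32(e + LE_FLINK, flink);
    wr32(e + LDTE_DLLBASE, base);
    wr16(e + LDTE_BASENAME + US_LENGTH, (uint16_t)(2 * strlen(name)));
    wr32(e + LDTE_BASENAME + US_BUFFER, namebuf);
    for (size_t i = 0; name[i]; i++) wr16(namebuf + 2 * (uint32_t)i, (uint8_t)name[i]);
}

/* Constructed process image (sample data, not a dump of a real process). Returns the TEB. */
static uint32_t build_fake_process(void) {
    memset(g_mem, 0, sizeof g_mem);
    uint32_t teb = FAKE_BASE, peb = FAKE_BASE + 0x100, ldr = FAKE_BASE + 0x200;
    uint32_t e1 = FAKE_BASE + 0x300, e2 = FAKE_BASE + 0x400, e3 = FAKE_BASE + 0x500;
    uint32_t head = ldr + LDR_INLOAD_LIST;
    wr32(teb + TEB_PEB, peb);
    wr32(peb + PEB_LDR, ldr);
    wr32(head + LE_FLINK, e1);
    put_entry(e1, e2,   0x00400000u, FAKE_BASE + 0x600, "Defender.exe"); /* sample bases */
    put_entry(e2, e3,   0x7C900000u, FAKE_BASE + 0x640, "ntdll.dll");
    put_entry(e3, head, 0x7C800000u, FAKE_BASE + 0x680, "KERNEL32.dll");
    return teb;
}

int main(void) {
    uint32_t teb = build_fake_process();
    printf("ntdll.dll base by name: %08X, as 2nd load-order entry: %08X\n",
           (unsigned)find_module_base_by_name(teb, "ntdll.dll"), (unsigned)nth_module_base(teb, 1));
    return 0;
}
```

In the real process the first step is a single instruction, `mov eax, fs:[30h]`, and the rest is plain pointer arithmetic over undocumented but stable structures; that is why the import table stays empty and why there is no API to break on until the program has located NTDLL this way and resolved what it needs from there.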

  47. Initialization
  • Then what?
  • Next, goes to function at 004033D1
  • Listing starts on next slide…

  48. Function at 004033D1

  49. Function at 004033D1

  50. Function at 004033D1
