VaporNode’s Reverse Engineering Challenge

VaporNode has opened a reverse engineering challenge to the community and if you solve it, you can get 40% off any of their products for the whole of November. The challenge details can be found here

As stated on their website, this challenge requires only static analysis, and the coupon or promotional code is in the format vprn{coupon}. On top of that, another hint I can give is that the string is not global (it can’t be seen in shift+F12) but is hand-crafted on a function’s stack.

It is quite a simple challenge, but nonetheless a fun and interactive way to run their promotions ! (supposedly this is their Black Friday deal)

Enjoyed the content ? Share it with your friends !

Win32 Reverse Engineering Tutorial 1 Continued

Win32 Reverse Engineering Tutorial 2

Prerequisites :
– Assembly (at least the basics)
– Programming background (at least the basics)

Tools needed :
– ollydbg (download here)

Files :
ReTutorial1.exe (54 downloads) (virustotal here) (sha1 : 3e9bb52e42550e9f180877ef861864d49d0f499d)

note: the file for this tutorial is the same one used in the earlier part

At the end of this tutorial, you should be able to/have
1. Analyze assembly code and program flow/logic
2. Analyze program flow/logic and make simple modifications
3. Had brief interactions with the ollydbg software

In the earlier part of tutorial 1, you should have been able to get or ‘crack’ the password of the program by looking at the strings through ollydbg. Now, we will attempt to achieve the same result but with a different method (not using the password).

Let’s get going. Load up the same .exe into ollydbg and you will see a screen similar to the one below

ReTutorial1Cont_Img1

Like we did in the earlier part of this tutorial, let’s search for all referenced strings again (refer back to the previous post if you don’t know how).

Click on the string that says niraeth-retutorial1, which is the password, and you will be brought to a screen like this

Now, we will have to analyze the assembly code to see how or what we should modify in order to get the Congratulations ! message

We know that a string comparison is being done in the code, but do you know how a string comparison is usually done internally? Take a look at a common implementation of strcmp below.

int strcmp(const char* s1, const char* s2)
{
    // advance both pointers while the current bytes match and s1 is not at its terminator
    while(*s1 && (*s1 == *s2))
    {
        s1++;
        s2++;
    }
    // 0 when both strings ended together, otherwise the difference of the first mismatching bytes
    return *(const unsigned char*)s1 - *(const unsigned char*)s2;
}

The main things to take note of are the *s1 == *s2 and the s1++; s2++; . In any kind of string comparison, there will always be some sort of comparison operator (== in this case) and an increment or decrement. So as we look at the assembly code, we will want to keep a watch for the two things I have mentioned above. Note that sometimes the generated code may differ from what you expect due to optimizations by the compiler. However, some, if not most, of it should be the same.

If you look at the right column of the assembly code, you will see some comments I have left there to help you understand better as you read this tutorial.

Take some time to try and understand the assembly code and use my comments if necessary. How similar does it look to the strcmp implementation given above? If you wish to take it a step further, try to convert the assembly code into a high-level programming language like C !

Now, I will take some time to explain my thought process as I look at the assembly code.

Firstly, notice that there are two sets of instructions that are extremely similar. Each starts with a mov, then a cmp, then a jnz . This most likely means that the jnz is a jump taken when the strings are NOT equal. Why do I say so? Because the loop can only end when
1. The strings are not equal
2. We reached the end of the string (loop index == strlen(string)+1)

So if the bytes compared were equal, there probably isn’t a need to jump out. The loop should continue until we detect that we have reached the end of the string. Now if you recall how the cmp and jnz instructions work, it will be like this

cmp dl, BYTE PTR DS:[ECX] // if dl == byte ptr ds:[ecx], set ZF flag=1
jnz <address>             // jump if ZF is NOT set (when ZF=0)

Now you can take some time to understand or analyze the other minor details of the code, but if you wish to have a reference, refer to my explanation below (the addresses are based on the image above)

0x00171160:                 // start of loop
  // if( *s1 != *s2 )
  // goto 0x00171180;
  MOV DL, BYTE PTR DS:[ECX]
  CMP DL, BYTE PTR DS:[EAX]
  JNZ SHORT ReTutori.00171180

  // if( *s1 == '\0' )
  // goto 0x0017117C;
  TEST DL, DL
  JE SHORT ReTutori.0017117C

  // if( *(s1+1) != *(s2+1) )
  // goto 0x00171180
  MOV DL, BYTE PTR DS:[ECX+1]
  CMP DL, BYTE PTR DS:[EAX+1]
  JNZ SHORT ReTutori.00171180

  // s1 += 2;
  // s2 += 2;
  ADD ECX,2
  ADD EAX,2

  // if( *(s1-1) != '\0' )       // DL still holds the second byte compared above
  // continue;                   // loop again
  TEST DL, DL
  JNZ SHORT ReTutori.00171160

  // if code reaches here, it means the strings are equal
  // return 0;
0x0017117C:
  XOR EAX, EAX
  JMP SHORT ReTutori.00171185 // goes to the congratulations message

0x00171180:
  // if code reaches here, it means the strings are not equal.
  // SBB EAX,EAX gives -1 if the failing CMP borrowed (DL < byte), else 0; OR EAX,1 makes it -1 or 1
  SBB EAX, EAX
  OR EAX, 1
  TEST EAX, EAX
  JNZ SHORT ReTutori.001711AC // goes further down to 'Wrong password' message
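The loop above translated back into C, as an added example that is not code from the original tutorial: strcmp_unrolled mirrors the two-bytes-per-iteration structure and the SBB/OR return-value idiom, and check_password models the final branch, with a jnz_nopped flag standing in for the ‘Fill with NOPs’ patch performed next. The wrong input "letmein" is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Re-implementation of the loop at 0x00171160 from the listing above.
 * It compares two bytes per iteration, exactly as the disassembly does.
 * Returns 0 when equal, otherwise -1 or 1 (the SBB/OR idiom at 0x00171180). */
int strcmp_unrolled(const char *s1, const char *s2)
{
    unsigned char dl = 0, mem = 0;          /* DL and the byte it is compared with */
    for (;;) {                              /* 0x00171160                           */
        dl  = (unsigned char)s1[0];         /* MOV DL, BYTE PTR [ECX]               */
        mem = (unsigned char)s2[0];         /* CMP DL, BYTE PTR [EAX]               */
        if (dl != mem) break;               /* JNZ 0x00171180                       */
        if (dl == 0) return 0;              /* TEST DL,DL ; JE 0x0017117C           */
        dl  = (unsigned char)s1[1];         /* MOV DL, BYTE PTR [ECX+1]             */
        mem = (unsigned char)s2[1];         /* CMP DL, BYTE PTR [EAX+1]             */
        if (dl != mem) break;               /* JNZ 0x00171180                       */
        s1 += 2;                            /* ADD ECX,2                            */
        s2 += 2;                            /* ADD EAX,2                            */
        if (dl == 0) return 0;              /* TEST DL,DL ; JNZ loop, else 0x0017117C */
    }
    /* 0x00171180: SBB EAX,EAX yields -1 when the failing CMP borrowed (DL < mem),
     * else 0; OR EAX,1 turns that into -1 or 1, so EAX is never 0 on this path. */
    return dl < mem ? -1 : 1;
}

/* Models the branch after the comparison (TEST EAX,EAX ; JNZ 0x001711AC).
 * jnz_nopped = 1 models the tutorial's patch: with the JNZ replaced by NOPs,
 * execution always falls through to the success message. */
const char *check_password(const char *input, int jnz_nopped)
{
    int eax = strcmp_unrolled(input, "niraeth-retutorial1");
    if (eax != 0 && !jnz_nopped)
        return "Wrong password. Please reopen the program and try again !";
    return "Congratulations !";
}

int main(void)
{
    printf("%s\n", check_password("niraeth-retutorial1", 0)); /* Congratulations ! */
    printf("%s\n", check_password("letmein", 0));             /* Wrong password... */
    printf("%s\n", check_password("letmein", 1));             /* Congratulations ! (patched) */
    return 0;
}
```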

Now if you look at the code above, at the end of the block at 0x00171180, the jnz jumps to the code which outputs the ‘Wrong password…’ message. This means that we definitely do not want our code to be jumping there. To prevent it from jumping there, right click the line that the jnz is on, then click ‘Binary’ -> ‘Fill with NOPs’ . Refer to the image below if necessary

After you do so, the line that the jnz was on should now look like this

Now, let’s run the program and see if it’s working as expected. Click on the blue arrow icon at the top menu bar of ollydbg as shown below

And… you will see that the program outputs Congratulations !

CONCLUSION

With this part of the tutorial, you have done some simple analysis of assembly code with the help of cross-referencing the same implementation in a higher-level language (the strcmp implementation) and manipulated how the program branches (NOP-ing the jnz line).

Win32 Reverse Engineering Tutorial 1

Prerequisites :
– Programming background (at least the basics)

Tools needed :
– ollydbg (download here)

Files :
ReTutorial1.exe (54 downloads) (virustotal here) (sha1 : 3e9bb52e42550e9f180877ef861864d49d0f499d)

At the end of this tutorial, you should be able to/have
1. Analyze program flow and logic from important strings in the program
2. Brief interactions with ollydbg

After you have downloaded the executable file, let’s get started !
Run the .exe and a console like the one below will pop up.

ReTutorial1_Img1

When it asks you for a password, enter anything – you probably won’t get it right. You should then see an output as shown below

ReTutorial1_Img2

Let’s stop and think about what the program logic would look like in code. This will help us better understand the logic, and hence be able to manipulate it to our advantage.

if ( strcmp(password, "some password") == 0 )
{
    // some code, but we have not yet seen what happens when we get the
    // password right
}
else
{
    printf("Wrong password. Please reopen the program and try again !");
}

Now, if I were to ask you how we get whatever is in the ‘if’ statement to execute, you would probably say – get the right password. This is one way to achieve what we want, but not the only way. You will understand why later on in the tutorials. For now, we will try to get the right password.

Now that we have an idea of how the flow of the program goes, let’s open up ollydbg. After opening it, we want to ensure that the debugged program breaks at the entry point of the program. In this tutorial, this setting doesn’t affect anything, but it might in the future, so set it now and leave it as is. To do so, at the top bar, click Options->Debugging Options->Events tab. Now select the third option ‘WinMain (if location is known)’

Press OK to save.

Now, let’s debug the program using ollydbg.
Drag and drop the .exe into ollydbg or open the file in ollydbg. After everything is loaded, it should look like this

Now right click anywhere in the top left box (where the assembly code is) and click ‘Search For’ -> All Referenced Strings . A window like this should pop up

Now, double click the line or string that says ‘Enter the password’. The window with the assembly code should come back into focus but with a highlighted line as shown below

If we just take a look at the right-most column, we can see 4 crucial strings: “Enter the password “, “niraeth-retutorial1”, “Congratulations !”, “Wrong password. Please reopen the program and try again !”. So it is quite obvious that the password must be “niraeth-retutorial1” .

At the top bar, there is a blue right arrow icon. Click on it to continue running or executing the program. Turn back to the console window and it will ask you to enter the password

ReTutorial1_Img6_1

ReTutorial1_Img7

Try entering the password now. You will get a message saying “Congratulations !”

ReTutorial1_Img8

CONCLUSION

With this part of the tutorial, you have seen how easy it is to gain crucial information from strings that are not encrypted or hidden in the program. These strings allow you to make smart guesses about how the program flows and functions. Of course, like I said earlier, this is not the only way to get the “Congratulations !” message. You may wish to have a break first before continuing to the second part of tutorial 1, where you will see a different method employed to achieve the same result.

Analysis on modern game anti-cheat

A brief overview of anti-cheats

Anti-cheats have been in games for about two decades or more already. Anti-cheat systems such as PunkBuster are among the earlier products that were implemented or integrated into games.

The necessity of anti-cheats

Anti-cheats are extremely important to games now, as there are many people looking to cheat in games for various reasons – be it money, fun or winning. Regardless of the reason, it always has a detrimental effect on other innocent players, and on the game community and economy.

With information, software and tools readily available with a quick search on Google, people are easily able to find ways to cheat in games. These people are often known as script kiddies.

Current outlook of cheaters

Statistics show that script kiddies make up about 90% of the hackers in the world. About 6-8% are of intermediate skill, while a measly 2-4% are advanced in this field.

Current outlook of anti-cheats

As cheaters get more advanced, so must the anti-cheats. However, this is a cat and mouse game that unfortunately favors the cheaters or hackers, because anti-cheat systems are often reactive security rather than proactive security.

Conclusion

As long as a game exists, it will be targeted by hackers. As long as the game can be run or played, it can be hacked and probably will be sooner or later. The key is to keep and control whatever data is important (such as in-game currency) on the server side, rather than on the client side (which is the game).

Reverse Engineering Introduction

What is Reverse Engineering 

Reverse Engineering : the reproduction of another manufacturer’s product following detailed examination of its construction or composition.

Applying the above definition to our context, it would mean breaking software apart in order to copy it, or to reconstruct (modify) it.

Outlook of Reverse Engineering

Reverse Engineering is a tough field and speciality. Knowledge is sparse, experts are scarce. You may have a Stack Overflow for programming, but there is no comparable equivalent for reverse engineering. Although Stack Exchange has a reverse engineering site, it is still a small community whose scale cannot be compared to the community of programmers. Hence, it requires a lot of self-research and independence. Oh, and did I mention this? As you progress in this field, fewer people are able to help you. You are on your own !

Use Cases for Reverse Engineering

There are generally 5 use cases for reverse engineering. 3 good ones, 2 bad ones.

Good use case

  1. Software security analysis
  2. Malware analysis
  3. Code recovery (not common, but a legitimate use)

Bad use case

  1. Cracking
  2. Hacking e.g game hacking

How to Reverse Engineer

Learning how to reverse engineer requires a great deal of patience, perseverance and logical thinking. If you are not passionate about this, you will probably struggle even more, only to give up in the end.

Reverse Engineering requires you to have programming experience, preferably that of a lower-level language like C or Assembly, in order to understand a program’s logic and manipulate it. Also, if you have programming experience, you should have experience with debugging your software – this will come in handy.

For the actual how-to of reverse engineering, look out for the various tutorial series that I plan to start on reverse engineering.

CONCLUSION

With that, I hope you have a better grasp of what reverse engineering really is. If you are as passionate as I am about this, don’t give up !
