I am practicing reversing skill using OLLdbg under windows.
there is an interactive window asking you input, let's say "serial number". My question is when user operate on the window, it is hard to locate related data flow within the debugger window. For example, if I click "F9", we can view the instruction flow; but When inputing on the window, I can't know which instructions have been executed.
My target is to find some jump instruction and change it, so that I can bypass the correct input requirement. I think the instruction should be quite close to instruction related to arg#, and related to TEST command.
Looking for hint or trick. Thanks.
One thing you could do is type something in the text field and then use an application such as Cheat Engine to find out where in the memory these characters are stored. Then you can put a memory (on access) breakpoint on the address of the first character in ollydbg. Then press the button that verifies the serial. When an instructions accesses this part of the memory it will break. You're inside a part of the code that verifies your string. Now from here you have to try to understand what the code is doing to find the instruction you want to alter.
Depending on how secure the application is, this will work. With a more secure application this most likely won't work. When your just starting reverse engineering I suggest you find some easy applications made for cracking and work your way to the more secure applications. A site where you can find many of these "crackmes" is crackmes.de. Also i can suggest lene151's tutorials here. Some of the best tutorials I've seen on reverse engineering.
Related
I have a pretty good project task management system going in Microsoft Access, but one feature I'm still missing is some type of 'quick entry' like facility often found in many good productivity applications.
This is how it would work:
Scenario 1:
You're in another application, working on a few things, and you just remember something that needs to get done. You hit your predefined shortcut: CTRL + ALT + T (again, from outside Microsoft Access) and it brings up a small access form with a text box in to which you can type what needs to get done, e.g.
Inform key stakeholders of concerns regarding timeline
you hit return and that gets saved as a record in Microsoft Access instantly.
An alternative, and slightly more complex scenario...
Scenario 2:
As above, but you want to add further details besides the task name, such as the person you need to speak to, and a due date. The input in to the text box could look like this:
Inform #Sally of concerns regarding timeline >+3
Where '#' tells access to populate a field called 'Contact' with 'Sally' (unless it already exists) and '>+3' is interpreted by access to mean a due date 3 days from today.
How difficult are Scenario 1 and Scenario 2 to perform? What level of VBA/programming knowledge would be required?
Thanks,
I would say it requires a fair amount of confidence in VBA.
You need to register a global hot-key; that is, a keyboard-combination that can be captured from outside the Access application. It requires win-api calls. Here is some code.
You need to know where to place these calls. I believe you have to put them in a standard module, not in the form's class module. (I haven't double-checked this, it's late.)
You need to have a little understanding about what this code is doing. NEVER attempt to type this api-code - copy it from a reliable source, exactly as it is!! You don't need to fully understand the code, but you need to know how (and when) to call each function.
Once you've registered the hot-key then your VBA needs to bring your application to the front and display your form, and focus it. Reliably bringing the application to the front may also require api-calls.
Once your form is opened (and focused) you can have a button on it to parse the information in its textbox. However, if you are designing the form anyway, I would add checkboxes, comboboxes, etc., rather than trying to parse a complex sentence/ statement.
Okay, so I have this small procedural SVG editor in Clojure.
It has a code pane where the user creates code that generates a SVG document, and a preview pane. The preview pane is updated whenever the code changes.
Right now, on a text change event, the code gets recompiled on the UI thread (Ewwwww!) and the preview pane updated. The compilation step should instead happen asynchronously, and agents seem a good answer to that problem: ask an agent to recompile the code on an update, and pass the result to the image pane.
I have not yet used agents, and I do not know whether they work with an implicit queue, but I suspect so. In my case, I have zero interest in computing "intermediate" steps (think about fast keystrokes: if a keystroke happens before a recompilation has been started, I simply want to discard the recompilation) -- ie I want a send to overwrite any pending agent computation.
How do I make that happen? Any hints? Or even a code sample? Is my rambling even making sense?
Thanks!
You describe a problem that has more to deal with execution flow control rather than shared state management. Hence, you might want to leave STM apart for a moment and look into futures: they're still executed in a thread pool as agents, but instead of agents they can be stopped by calling future-cancel, and inspecting their status with future-cancelled?.
There are no strong guarantees that the thread the future is executing can be effectively stopped. Still, your code will be able to try to cancel the future, and move on to schedule the next recompilation.
agents to indeed work on a queue, so each function gets the state of the agent and produces the next state of the agent. Agents track an identity over time. this sounds like a little more than you need, atoms are a slightly better fit for your task and used in a very similar manner.
I'm working with a time sensitive desktop application that uses p/invoke extensively, and I want to make sure that the code is not wasting a lot of time on CAS stackwalks.
I have used the SuppressUnmanagedCodeSecurity attribute where I think it is necessary, but I might have missed a few places. Does anyone know if there is a way to monitor the number of CAS stackwalks that are occurring, and better yet pinpoint the source of the security demands?
You can use the Process Explorer tool (from Sysinternals) to monitor your process.
Bring up Process Explorer, select your process and right click to show "Properties". Then, on the .NET tab, select the .NET CLR Security object to monitor. Process Explorer will show counters for
Total Runtime Checks
Link Time Checks
% Time in RT Checks
Stack Walk Depth
These are standard security performance counters described here ->
http://msdn.microsoft.com/en-us/library/adcbwb64.aspx
You could also use Perfmon or write your own code to monitor these counters.
As far as I can tell, the only one that is really useful is item 1. You could keep an eye on that while you are debugging to see if it is increasing substantially. If so, you need to examine what is causing the security demands.
I don't know of any other tools that will tell you when a stackwalk is being triggered.
I mean, I always was wondered about how the hell somebody can develop algorithms to break/cheat the constraints of legal use in many shareware programs out there.
Just for curiosity.
Apart from being illegal, it's a very complex task.
Speaking just at a teoretical level the common way is to disassemble the program to crack and try to find where the key or the serialcode is checked.
Easier said than done since any serious protection scheme will check values in multiple places and also will derive critical information from the serial key for later use so that when you think you guessed it, the program will crash.
To create a crack you have to identify all the points where a check is done and modify the assembly code appropriately (often inverting a conditional jump or storing costants into memory locations).
To create a keygen you have to understand the algorithm and write a program to re-do the exact same calculation (I remember an old version of MS Office whose serial had a very simple rule, the sum of the digit should have been a multiple of 7, so writing the keygen was rather trivial).
Both activities requires you to follow the execution of the application into a debugger and try to figure out what's happening. And you need to know the low level API of your Operating System.
Some heavily protected application have the code encrypted so that the file can't be disassembled. It is decrypted when loaded into memory but then they refuse to start if they detect that an in-memory debugger has started,
In essence it's something that requires a very deep knowledge, ingenuity and a lot of time! Oh, did I mention that is illegal in most countries?
If you want to know more, Google for the +ORC Cracking Tutorials they are very old and probably useless nowdays but will give you a good idea of what it means.
Anyway, a very good reason to know all this is if you want to write your own protection scheme.
The bad guys search for the key-check code using a disassembler. This is relative easy if you know how to do this.
Afterwards you translate the key-checking code to C or another language (this step is optional). Reversing the process of key-checking gives you a key-generator.
If you know assembler it takes roughly a weekend to learn how to do this. I've done it just some years ago (never released anything though. It was just research for my game-development job. To write a hard to crack key you have to understand how people approach cracking).
Nils's post deals with key generators. For cracks, usually you find a branch point and invert (or remove the condition) the logic. For example, you'll test to see if the software is registered, and the test may return zero if so, and then jump accordingly. You can change the "jump if equals zero (je)" to "jump if not-equals zero (jne)" by modifying a single byte. Or you can write no-operations over various portions of the code that do things that you don't want to do.
Compiled programs can be disassembled and with enough time, determined people can develop binary patches. A crack is simply a binary patch to get the program to behave differently.
First, most copy-protection schemes aren't terribly well advanced, which is why you don't see a lot of people rolling their own these days.
There are a few methods used to do this. You can step through the code in a debugger, which does generally require a decent knowledge of assembly. Using that you can get an idea of where in the program copy protection/keygen methods are called. With that, you can use a disassembler like IDA Pro to analyze the code more closely and try to understand what is going on, and how you can bypass it. I've cracked time-limited Betas before by inserting NOOP instructions over the date-check.
It really just comes down to a good understanding of software and a basic understanding of assembly. Hak5 did a two-part series on the first two episodes this season on kind of the basics of reverse engineering and cracking. It's really basic, but it's probably exactly what you're looking for.
A would-be cracker disassembles the program and looks for the "copy protection" bits, specifically for the algorithm that determines if a serial number is valid. From that code, you can often see what pattern of bits is required to unlock the functionality, and then write a generator to create numbers with those patterns.
Another alternative is to look for functions that return "true" if the serial number is valid and "false" if it's not, then develop a binary patch so that the function always returns "true".
Everything else is largely a variant on those two ideas. Copy protection is always breakable by definition - at some point you have to end up with executable code or the processor couldn't run it.
The serial number you can just extract the algorithm and start throwing "Guesses" at it and look for a positive response. Computers are powerful, usually only takes a little while before it starts spitting out hits.
As for hacking, I used to be able to step through programs at a high level and look for a point where it stopped working. Then you go back to the last "Call" that succeeded and step into it, then repeat. Back then, the copy protection was usually writing to the disk and seeing if a subsequent read succeeded (If so, the copy protection failed because they used to burn part of the floppy with a laser so it couldn't be written to).
Then it was just a matter of finding the right call and hardcoding the correct return value from that call.
I'm sure it's still similar, but they go through a lot of effort to hide the location of the call. Last one I tried I gave up because it kept loading code over the code I was single-stepping through, and I'm sure it's gotten lots more complicated since then.
I wonder why they don't just distribute personalized binaries, where the name of the owner is stored somewhere (encrypted and obfuscated) in the binary or better distributed over the whole binary.. AFAIK Apple is doing this with the Music files from the iTunes store, however there it's far too easy, to remove the name from the files.
I assume each crack is different, but I would guess in most cases somebody spends
a lot of time in the debugger tracing the application in question.
The serial generator takes that one step further by analyzing the algorithm that
checks the serial number for validity and reverse engineers it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
We're doing an "Amazing Race" kind of event, and thought it would be cool to have CDs that could only play once... like a "this message will self destruct in 5 seconds..."
Any thoughts on how to do this? I was thinking it could be a compiled HTML website that would write a cookie and only play once. I don't want to write to the registry (don't want to depend on windows, don't want to install anything, etc).
I also don't care if it's hackable... This is a one-time fun event, and I don't really care too much if people could remove the cookie or something.
Any other ideas?
If the content is HTML and run inside a normal browser window, then a cookie may work but there are caveats:
User runs the CD once when IE is the default browser. User runs at a later time, when Firefox is the default browser so cookie cannot be checked.
The browser's security settings may be locked down to prevent use of script so the cookie cannot be set (more of an IE problem).
An alternative might be Flash's equivalent of cookies, but if script was locked down then the same may be true for Flash.
If you used Flash to create the content, you could then use a wrapper program such as Zinc to produce cross-platform executables of the content.
Then, the Flash could use its version of cookies (local shared objects) to determine when the content has been displayed - write to the LSO the first time and read from it thereafter.
I would say encrypt (part of) the contents of the disc with a unique one time pad, that you request from a server that does a read directly followed by a delete of the decryption key. You could write an identifier on each disk so you can use multiple disks, each with a unique key.
This requires network access and some encryption tools, but a very simple implementation would do what you want it to do, is feasible, and it would be 'unbreakable' unless the one time pad is captured and stored.
If just for fun, this should be secure enough.
You can create a volatile registry entry. It will only exist untill the computer is restarted. This solution is very much "hackable", but it is simple and may suffice for what you want to do.
Take a look at the REG_OPTION_VOLATILE here.
Will the computers this is run on have internet access? You can easily load up a remote url (execute 'start http://yoururl.com' from autorun.inf), store the cookie and prevent it from being loaded again if the cookie exists.
If it's allowed to be hackable, then I'd just go with a simple solution of HTML + JavaScript, requiring (say) a GUID to enter, with some silly obfuscation in the code to validate the GUID.
What I mean by silly obfuscated validation is something like putting together a big array of ROT13'ed GUIDs, then adding code to only accept the Math.floor(PI * E + 32/(new DateTime()).getYear())'th GUID in the array, and ROT13 it again using sufficiently uncommented/unclear code, then check the user input against the result. Do it all in one line for kicks, or generate the GUIDs in some pseudo-random manner using a known seed... you get the idea :).
The only snag might be if IE doesn't allow local JavaScript? Hmm, looks like they'd need to deal with the InfoBar thing :(.
You could also set a registry key that would prevent playing, though this could be bypassed.
I think your best bet is to use Rewritable media for this. You can create your application easily, like HTML site or something like that, and after the last link or last page, however you decide to do you could execute a script with some command-line burner that would erase the rewritable media, or even write an ISO that you keep in CD with a text file or a flash that explains that the CD is lost forever.
Give a look at some Command Line Burners. Linux have several, that isn't worth to mention here, for windows you can use Cheetah CommandLine Burner among several others.
If you wish to do a CD without depending on the installed OS you should give a look at LIVE CDs. FreeDOS is a choice for "DOS Compatible applications" or my suggestioon you use a Linux live CD.
Also you will have several options for small HTTP servers, like lighthttpd and even browsers in several flavors from text interfaces to the graphical ones.
Good luck on the race :D. Great idea BTW!
Make a Java Swing application. That will not require Internet and it runs on Mac, Windows, and Linux. You can write to the file system for the lock. System.getProperty("user.home") gives you the home equivalent for the platform. You might have to include a jre in your CD.
Not quite what you're looking for, but you could put in on re-writable media and have an executable over-write itself (or part of itself).
I don't know if a CD-RW could do that automatically, or if you would have to look at cheap USB sticks.