
Advanced Password Generator v2.4 *CRACKED*

posted on June 29, 2000 by hitbsecnews

DISCLAIMER: I AM A NEWBIE REVERSER AS WELL, THUS IT IS VERY, HIGHLY, LIKELY THAT I HAVE MADE A MISTAKE OR TWO, OR THAT I HAVEN'T TAKEN THE "BEST APPROACH", SO BE WARNED! =)

WHAT DOES THE PROGRAM DO: Advanced Password Generator will generate passwords of different lengths, with different keys, up to 60 at a time. Something, most likely, I could code in C in about 10 mins ;) sadly, I spent a lot longer actually cracking it, heh.

TOOLS NEEDED -

SoftICE (Windows debugger)
HIEW (Hacker's View)
W32DASM (disassembler)
HexWorkshop

Ok, before we begin, this program is actually *crippled*: it's missing some code which it needs to be 100% functional (some code, but not much...). We're gonna actually add our own code to make the program do what it is intended to do, even though we don't have the full version =) Ok, so start up the program, you see that you have "Password Quantity" and "Password Length" options, but you can only choose "2" and "3" for Quantity, and only "4" and "5" for the password length. So, we check around for a registration box, but there is none. Well, when you click on anything other than the options you're allowed you will get a nice little msgbox telling you "this is a demo version bla blah", so let's disassemble it with W32DASM and see if we can locate that string reference.

We find it here:

* Possible StringData Ref from Data Obj ->"This is demo version Advanced " ->"Password Generator."

Ok, referenced from like 50 locations, gee, I wonder, could those be the choices that we had? All those choices we're not allowed? Yup. Now, click on GoTo->Code Location and we'll enter in 004011e3, the very first reference:

:004011E3 0F8411080000 je 004019FA
:004011E9 83F87B cmp eax, 0000007B
:004011EC 0F8408080000 je 004019FA
:004011F2 83F87C cmp eax, 0000007C

A ton of cmp statements followed by conditional jumps, ok, write down 004011e3, we're gonna set a breakpoint on that in SoftICE and check out what exactly is getting compared. Ok, out of W32DASM, back to the program, set a bpx on MessageBoxA to get into the program so we can set our breakpoint on 004011e3. Ok, breakpoint set? Click on an option we shouldn't have access to in the demo (anything > 5), boom, we land in SoftICE, hit F11, now set a bpx on 004011e3. bc 00, get rid of the MessageBoxA breakpoint, and now hit 'x' to exit SoftICE. Now what I did was click on a VALID option first, to see what happens to it, so click on "2" in Quantity. We break again, now notice we're in all the cmp/conditional jumps, also take notice of what eax holds, it holds 0x8b, so we'll pass through all the conditional jumps until we reach here:

:004012E0 3D8B000000 cmp eax, 0000008B
:004012E5 0F8474060000 je 0040195F // we'll take this jump

leads us to:

:0040195F 6A02 push 00000002 // push 02, remember we chose the valid quantity of 2
:00401961 8F05AFA34000 pop dword ptr [0040A3AF]
:00401967 C9 leave
:00401968 C21000 ret 0010

Now, let's do the same except let's click on a quantity we shouldn't have access to, click on 4, again, we break back to all the cmp instructions followed by conditional jumps, this time eax = 0x8d, so we keep tracing till we reach here:

:004012EB 3D8D000000 cmp eax, 0000008D
:004012F0 0F8404070000 je 004019FA // we take the jump

leads us to:

:004019FA 6A44 push 00000044 // pushing bad MessageBoxA parameters
* Possible StringData Ref from Data Obj ->"Register program now and use full " ->"version"
:004019FC 6808A54000 push 0040A508 // ..
* Possible StringData Ref from Data Obj ->"This is demo version Advanced " ->"Password Generator."
:00401A01 6832A54000 push 0040A532 // ..
:00401A06 FF7508 push [ebp+08] // ..
* Reference To: USER32.MessageBoxA, Ord:0000h
:00401A09 E8C07C0000 Call 004096CE

Now, check some more of the invalid ones, they'll all bring you to the same location, but check the other VALID quantity, 3, you'll notice it jumps to a different location and pushes 03 onto the stack. Well, I think it's pretty obvious that only quantities 2 and 3 are allowed, the values are hardcoded into the program, anything else will fail, it's crippled (but not very well). Also, check out the VALID password length options, you'll see they both jump to different locations, but again, they PUSH their length as a parameter, hardcoded. So, how do we crack this? Well, at first, I thought "hrm crippled, deltree c:progra~1advanc~2" heh, but I thought for a while and decided I would try and include my own code to enable all the options, cuz it's not really that hard to do here.

First thing I did was change 1 VALID location so that it would be a "global" good guy, so to speak. I did it like this: we'll take, first of all, quantity of 2, which we know is good. The good code looks like this:

:0040195F 6A02 push 00000002 // push 02, remember we chose the valid quantity of 2
:00401961 8F05AFA34000 pop dword ptr [0040A3AF]
:00401967 C9 leave
:00401968 C21000 ret 0010

We're going to change this to the following:

:0040195F 51 push ecx // ecx is 0 throughout the checking, so we'll use it to store the correct parameter
:00401960 90 nop // nop to pad out the 2 bytes of the original push
:00401961 8F05AFA34000 pop dword ptr [0040A3AF]
:00401967 C9 leave
:00401968 C21000 ret 0010

The reason I did this is because we will be adding our own code to the program: when we choose a bad value, instead of jumping to the bad MessageBoxA, we'll make it jump to our code, our code will then mov ecx,correctval and then jmp 0040195f where ecx will be pushed instead of those lame hardcoded values, and boom, we get the right quantity.

Before we can add our own code, we'll need to get some free space to do it. I read a tutorial on resizing sections of the PE file, so that's what we're gonna do, it's not very hard, not at all. First, load up the exe into HexWorkshop, scroll down a few lines until you see .rsrc [the last section in the PE] in your data window, to the right you'll see the bytes 00E0 0200 0018.

0018 is the raw size of the .rsrc section, 0018 = 1800h, we're gonna add 200h, which is 512 bytes, to it, so change 0018 to 0020, now it's 2000h -- 512 bytes we can use, more than enough... Now go to the end of the file, right click and choose "insert", insert 512 DECIMAL, filled with 0x0. Now that we have resized the .rsrc section, we go to the end of it, which is D200h. Now, to make sure you've fixed the .rsrc section alright, we're gonna put our name at this location: click in the data window where the little cursor is, and type your name. Now, if all is well, when we break into SoftICE our name should be in memory at 42f800 (I got this value by adding the virtual offset to the raw size of the .rsrc section and then adding the image base to it; check the included pe.txt for information regarding the PE file format).

Provided you followed all the steps correctly, you should see your name in memory when you break into apg24.exe and do a d 0042f800. That means we have effectively added 512 bytes to the program, which we can use to add our own code, very neat..
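The resize above grows SizeOfRawData and leaves VirtualSize alone, and that mismatch is exactly what an integrity check on a binary can look for. The following Python is an added example, not part of the original tutorial and not apg24.exe's own data: it parses a PE section table and reports a section whose on-disk size exceeds what its VirtualSize needs, using a constructed single-section PE skeleton (all sizes and offsets made up) in place of the real file.

```python
import struct

def section_table(pe: bytes):
    """Parse the PE section table into (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)             # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)        # COFF SizeOfOptionalHeader
    file_align, = struct.unpack_from("<I", pe, e_lfanew + 24 + 36) # OptionalHeader.FileAlignment
    first = e_lfanew + 24 + opt_size                               # section headers follow the optional header
    rows = [struct.unpack_from("<8sIIII", pe, first + 40 * i) for i in range(nsec)]
    return file_align, [(n.rstrip(b"\0").decode(), vs, va, rs, rp) for n, vs, va, rs, rp in rows]

def audit_sections(pe: bytes):
    """Flag sections whose raw data exceeds VirtualSize rounded up to FileAlignment.
    That is the slack a manual resize leaves behind; non-zero bytes in it are the stronger signal."""
    file_align, sections = section_table(pe)
    findings = []
    for name, vsize, va, rawsize, rawptr in sections:
        needed = -(-vsize // file_align) * file_align              # ceil(VirtualSize / FileAlignment)
        if rawptr + rawsize > len(pe):
            findings.append(f"{name}: raw data runs past end of file")
        elif rawsize > needed:
            slack = pe[rawptr + needed:rawptr + rawsize]
            state = "non-zero" if any(slack) else "zero-filled"
            findings.append(f"{name}: {rawsize - needed:#x} bytes of {state} slack beyond VirtualSize")
    return findings

def build_sample(raw_size: int, tail: bytes = b"") -> bytes:
    """Constructed single-section PE skeleton (headers only, not a runnable program)."""
    FILE_ALIGN, RAW_PTR, VSIZE = 0x200, 0x200, 0x400
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)           # 1 section, 0xE0-byte optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)                     # SectionAlignment, FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", VSIZE, 0x2E000, raw_size, RAW_PTR, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(RAW_PTR, b"\0")
    body = (b"\0" * VSIZE + tail).ljust(raw_size, b"\0")                     # section data plus any slack
    return headers + body

if __name__ == "__main__":
    # Before: raw size matches VirtualSize.  After: raw size grown by 0x200 and a name typed into the tail.
    print(audit_sections(build_sample(0x400)))                                   # []
    print(audit_sections(build_sample(0x600, b"constructed marker: YOUR NAME")))
```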

Ok, I hope you still have that breakpoint set, if not, scroll back up and set it again. Click on the invalid option for quantity of "4". Now, again, we'll go through all the compares/conditional jumps, whenever you get to this code:

:004012EB 3D8D000000 cmp eax, 0000008D
:004012F0 0F8404070000 je 004019FA

We're going to change je 004019fa to je 0042f800 // our space, where we can make it do what we want ;) So when you get to this place, do a "a 004012f0" and change it to je 0042f800, hit enter, enter again, now execute the jump. Now, depending on the value of your name, you'll have different instructions there, they mean nothing, it's only caused by our name. Do this: a eip (assemble at the instruction pointer, the next instruction to be executed), now type mov ecx,4, hit enter, and then type jmp 0040195f // jump to the good code, where it will push ecx, which is now 4. Now execute the instruction, and boom, we take the jump into the good part, instead of pushing the hardcoded value as the parameter to the function, ecx gets pushed, which we set to 4. Now do a bd * to disable breakpoints, exit SoftICE, now hit generate, wow, 4 passwords!@ It works.

Question is, how do we make it permanent?#@ Easily done. First, we'll change the conditional jump which is supposed to jump to the bad MessageBoxA to a conditional jump which jumps to our code. With a hex editor, make the following change:

0F8404070000 -> 0F840AE50200

Now, go to D200h (in HexWorkshop), the beginning of our code, remember? We'll add the instructions for our mov and jmp, type in the following [make sure you start at D200h, and type in the CODE window, not the DATA.. not where you typed your name].

Type this: B904000000E95521FDFF, save it, and close it.
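When reviewing a binary that has been modified like this, the first question is where a rewritten branch actually lands, and the two encodings quoted above (0F840AE50200 and E95521FDFF) make a good test case. The Python below is an added example, not from the original tutorial: it decodes 32-bit x86 rel32 jumps, resolves their absolute targets, and flags control flow that leaves the code section; the section map is assumed from the addresses in the text, since apg24.exe's real section table is not on the page.

```python
import struct

# Section map assumed from the addresses quoted in the tutorial (0x42F800 = image base 0x400000 +
# .rsrc virtual offset + 0x1800). apg24.exe's real section table is not given, so these are constructed.
SECTIONS = {
    ".text": (0x401000, 0x40A000, True),    # (start VA, end VA, executable?)
    ".rsrc": (0x42E000, 0x430000, False),
}

JCC = ("jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg")

def decode_branch(address: int, code: bytes):
    """Decode a 32-bit relative branch located at `address`.
    Returns (mnemonic, instruction length, absolute target), or None if `code` is not one."""
    if len(code) >= 5 and code[0] == 0xE9:                                  # E9 rel32: jmp
        mnem, length, (rel,) = "jmp", 5, struct.unpack_from("<i", code, 1)
    elif len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:   # 0F 8x rel32: jcc
        mnem, length, (rel,) = JCC[code[1] - 0x80], 6, struct.unpack_from("<i", code, 2)
    else:
        return None
    # rel32 is signed and relative to the address of the *next* instruction
    return mnem, length, (address + length + rel) & 0xFFFFFFFF

def section_of(addr: int):
    return next((n for n, (lo, hi, _) in SECTIONS.items() if lo <= addr < hi), None)

def audit_branch(address: int, code: bytes):
    """Resolve a branch and classify it: 'ok' stays within its own section, 'cross-section' enters
    another executable section, 'suspicious' lands in a non-executable or unmapped region."""
    decoded = decode_branch(address, code)
    if decoded is None:
        return None
    mnem, _, target = decoded
    src, dst = section_of(address), section_of(target)
    if dst == src:
        verdict = "ok"
    elif dst is not None and SECTIONS[dst][2]:
        verdict = "cross-section"
    else:
        verdict = "suspicious"
    return mnem, target, verdict

if __name__ == "__main__":
    # The three encodings quoted in the tutorial: the original je, the patched je, and the injected jmp.
    for addr, hexbytes in ((0x4012F0, "0F8404070000"), (0x4012F0, "0F840AE50200"), (0x42F805, "E95521FDFF")):
        mnem, target, verdict = audit_branch(addr, bytes.fromhex(hexbytes))
        print(f"{addr:08X}: {mnem} {target:08X}  [{verdict}]")
```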

Now run the program, and click on quantity 4, and it works! w000000000t. I have cracked this program 100%, yes, I actually wasted that much time on getting it all cracked, it's not hard, just tedious, but once you see how the first option is done, it's very easy to do the rest yourself, if you want to waste time like I did that is.. heh .. :>

1.) Advanced Password Generator *CRACK* - metaray!abrams
2.) News Generator v3.0.17 *KEYGEN* - metaray!abrams
3.) Introduction to PAM - Bryan Ericson
4.) Taxonomy of Communications Intelligence - Psyops
5.) A look into Wiretapping - Psyops
