You can see in the below image that it uses cmp to check if the value matches 1. The only difference you would find would be the kernel-level calls and the DLLs, which would be Windows DLLs rather than Linux libraries. je at 00007FF70E2F80D2 is taken and mov al,1 is not executed.
Now continue running the binary till it reaches the point where it checks the return value of the binary as to whether it's zero or one, which is at address 000000000040160C. Now save the file and you will never see the nag screen again! Olly can’t handle 64 bit applications and if you try to load the 64 bit WinRAR into Olly it will probably notify you that it couldn’t load the file. Double click the search results to go to that address location in the CPU tab. Once you have compiled the binary, let’s load it up in x64dbg. In this post, I will be using x64dbg since I wasn’t able to find a version of x64 Immunity Debugger or Olly Debugger to reverse engineer the binary.
Then watch what happens when we press F9 again. dil is the least significant byte of the rdi register. This means the jump will be taken when the zero flag ZF and the carry flag CF are set. Press OK and press F9 to continue execution. The main reason for that is because I can see a jmp statement and a call statement right above it. So now the je has basically been erased and execution will continue at 00007FF70E2F80D4. We found the registration routine by tracing back from the evaluation copy string. Okay, let's get back to our only useful find: If you put a breakpoint on there and resume (F9) the program, you notice that the breakpoint is actually getting hit within a second. We do the latter first because this can be easily checked by setting a hardware write breakpoint at 7FF7B92848E4. Thanks, this is useful since I am studying reverse engineering. Choose either x64dbg or x32dbg according to whether the file is 64 bit or 32 bit respectively. Memory addresses mentioned in this tutorial are likely to be different on your system. This is the same as disassemble main in GDB. Copyright 2015 Extreme Hacking | All Rights Reserved.
This is the same as disassemble main in GDB. Step over some more instructions and you will see a few JE’s. April 23, 2018 The instruction at 00007FF6A403AE4A should now be mov ecx, 368 as shown below: Press F9 or the right arrow a couple of times until the application is running without pausing at a breakpoint. Logically, the string evaluation copy will be shown when the registration routine has decided that the application is not registered. Right now the jump is not taken because we will end up in the instructions right after this jne. This tells us the target has multiple license formats, which we can and will exploit. We have a look inside that routine by right clicking on the row and going to Follow in Disassembler -> click on the address. You can also see in the register that our password is still pass123 and in spite of that it has printed that it’s the correct password. As for now, our primary aim is to find the actual password and our secondary aim is to modify the RAX register to zero, to display ‘Correct Password’, since our check_pass() function returns 0 or 1 depending upon whether the password is right or wrong. However, below are alternatives along with the download links which you can choose. We have only patched the executable to show another string. To load the binary into x64dbg, below is the command line you can use: .\x64dbg.exe crack_mex64.exe pass123.
If you see the above image, 3 lines below our code where the password is loaded onto the register, you will see test EAX, EAX at address 0000000000401590. And crack_mex64.401636 is nothing but our printing of ’Correct Password’ at address 0000000000401636. The instruction at 00007FF70E2FAE07 that decides if the jne is taken, cmp byte ptr ds:[7FF7B92848E4],dil, compares the byte located at memory address 7FF7B92848E4 with the contents of the dil register. Trace back a bit through the instructions in x64dbg. At 00007FF7B91EAE20 a conditional jump is done, ja, which means jump if above. You can also download the binary from my repo mentioned above.
Now 32 bit applications run fine on 64 bit but not vice versa. Enter evaluation copy in the search box below. The application is now running without pausing at any breakpoints. Chetan Nayak Click on the row with je and press space, enter nop and tick “keep size” and “fill with NOP’s”. Welcome to this short, introductory tutorial for using x64dbg by Mr. Exodia. Break at the beginning of the routine. www.extremehacking.org The string in the title bar has now changed to only xx days left to buy a license. Whenever variables are passed on to another function, you will see them here. If nothing is found, make sure you are in the winrar.exe memory region by going to the Symbols tab and double clicking winrar.exe. Let's take a look at the next one: Oh! You might already have seen, because the bytes between the last 2 addresses are minimal, that they are really close to each other: I tried figuring out what that function is used for, but I noticed it isn’t executed at all.
We test this by changing 369 to another constant from the string table. WinRAR has a 32 and 64 bit installer, whereas the previous target (Internet Download Manager) only has a 32 bit installer. In this blog however, we will be using the same source code of the binary but compile and debug it in Windows. This usually means the function we are in is inside a thread, which matches the behaviour of the nag screen. Can I use some points in my assignment? Code: I’ve copied the address where the second JE jumps to and modified the first JE to a JMP and have it jump to that address. When the application starts it must somehow check if the application is registered. That looks alright, it seems like call 13F136D20 is the method to parse the license key, meaning that the JE 13F197D3B afterwards will decide whether the license is valid or not, interesting. So when the jne is taken we get into the registration flow.
After exiting a routine call the return value is stored in rax. WinRAR 64-bit (versions 5.40 and 5.60 are tested).
So, unlike GDB where we can supply the argument inside GDB, in Windows we will have to supply it while loading the binary via the command line itself. However, since we are only focusing on x64, we will have to use x64dbg which supports both x86 and x64 disassembly. This means that the result of cmp byte ptr ds:[7FF7B92848E4],dil will be 0 and ZF will be set. That’s why I decided to reverse engineer it and write a tutorial upon it. This is nothing but our argument loaded into the function check_pass(). Once it is there, you can see our password pass123 loaded on to the RCX register from the RAX register. The evaluation copy string is not in the title bar any more and the “about” window also shows that the application is registered to “” (empty). I was storing some files on my webserver and my WinRAR license was past its due date (like a really long time) and the nag screen annoyed me as fuck. I prefer to use the Mingw-x64 compiler, but some also use clang x64. Make sure you use a 64-bit version of the g++ compiler, else it will compile but won’t work.
Immunity Debugger is an awesome tool if you are debugging x86 binaries. So, I fired up Google and started looking for license keys and I found out that if you purchase a key, you will get a file named ‘rarkey.key’ or ‘rarreg.txt’.
Right click on the row where the cmp instruction is and go to Follow in Dump -> Constant: 7FF7B92848E4. This completes our primary motive of getting the plaintext password.
More specifically, trace back which instructions preceded the instruction at 00007FF6A403AE4A; how did we get there? So, this is the point where our interesting function starts.
We test what execution path will be taken around this instruction mov al,1 by setting a break point at the beginning of the routine at 00007FF70E2F80A8.
The EAX is a 32 bit register which is the last 32 bits of the RAX register. Apparently this is not the registration flow we are looking for. Once you have downloaded the required debugger, you can compile the source code which is uploaded on my Git repo here. These constants are used in the executable to load the string mapped to it. So the byte was written at 00007FF6F0E78FAB, with the instruction mov byte ptr ds:[7FF6F0F148E4],al. Copyright © 2020. Reverse Engineering x64 for Beginners – Windows. Have a look at the instructions surrounding the instruction where the constant 369 is used. Once the binary is loaded, you will see six windows by default. Set a breakpoint at 00007FF70E2FAE0E and restart the application.
Only the last couple of bytes should be the same. Enter evaluation copy and click search. Memory addresses mentioned in this tutorial are likely to be different on your system. I’ll be using x64dbg, but if you are on 32 bit and you are using Olly the steps shouldn’t differ that much (the debuggers are very much alike). Once the above screen is loaded, we will first search for strings in our binary. Hmm, that’s unexpected behavior as that would skip our patch. How to crack WinRAR Needed. In short. This is however a re-posting of my own blog from here.
The application window states that this is an evaluation copy: If you think of how this application was written, somewhere in the code a decision must be made (if/else statement) to show the string evaluation copy instead of something else like registered.