Intoduction to Cracking - (Part II)

Summary of Part I

In Introduction to Cracking - (Part I), we saw that .NET Reflector makes our lives easy by decompiling .NET apps accurately to any .NET language. We saw some limitations of Reflector too : It can't de-obfuscate assemblies, cannot unpack packed assemblies, cannot decrypt encrypted assemblies. We will discuss about those issues in this article.

Introduction

Rarely we find .NET assemblies that are not obfuscated, because they are prone to instant decompilation by Reflector. .NET assemblies are found obfuscated, packed, encrypted or protected by a multiple combination of these techniques. Let me clear that by packing we don't expect to gain compression, rather we gain protection (we'll see how ...)

We will mainly talk about de-obfuscating simple obfuscations and unpacking known packers in this article.

Obfuscation and De-obfuscation

Observe the following code snippets :

Snippet 1 : Code without obfuscation
Code: vb.net

Quote :

Private Function SHABytes(ByVal MStr As String) As Byte()
Dim SHAProvider As New System.Security.Cryptography.SHA1CryptoServiceProvider
Dim GetBytes(), RetBytes() As Byte
GetBytes = System.Text.Encoding.ASCII.GetBytes(MStr)
RetBytes = SHAProvider.ComputeHash(GetBytes)
Return RetBytes
End Function

Snippet 2 : Code with obfuscation
Code: vb.net

Quote :

Private Function A(ByVal B As String) As Byte()
Dim C As New System.Security.Cryptography.SHA1CryptoServiceProvider
Dim D(), E() As Byte
D = System.Text.Encoding.ASCII.GetBytes(B)
E = C.ComputeHash(D)
Return E
End Function

Snippet 1 is instantly understood at first sight. But Snippet 2 is not. It's obfuscated with simple variable renaming. It can be understood, but after a bit closer observation. This kind of obfuscation is the weakest and can be readily de-obfuscated by careful observation.

Now, take a look at the following snippets :

Snippet 1 : Code without obfuscation
Code: vb.net

Quote :

Private Sub CheckSerial(ByVal MStr As String)
If MStr = "T-26832-GST" Then
TextBox1.Text = "WRONG SERIAL !"
Else
TextBox1.Text = "CORRECT SERIAL !"
End If
End Sub

Snippet 2 : Code with obfuscation
Code: vb.net

Quote :

Private Sub A(ByVal B As String)
If C(B) = "]$;?1:;$NZ]" Then
D.Text = C("^[FGN)ZL[@HE)(")
Else
D.Text = C("F[[LJ])ZL[@HE)(")
End If
End Sub

The obfuscation done here is Variable Renaming + String Encryption. All strings are stored encrypted by simple XOR encryption with base 9 (i.e. a = a XOR 9). When the text is compared or printed to the textbox, it is re-XORed .
This obfuscation, although better than the previous, can be still cracked easily, without aid of software !

The better obfuscation techniques that are difficult to crack can be achieved by using Obfuscators e.g. {smartassembly}. But remember, although difficult it's not impossible to crack obfuscated assemblies

The obfuscators can apply a variety of techniques to make assemblies extremely difficult (rather painful) to crack. They may use ILDASM to disassemble it, then change the code with something that performs similar function but in a complicated way and then re-assemble with ILASM. They may additionally encrypt the assemblies and while running, the assembly will be decrypted in memory and then be executed.

Two of my friends Karupica and UFO PU55Y developed a de-obfuscator for the {smartassembly}. They named it {smartkill}. It's currently in Ver.0.6 and perhaps not being developed further.

Packing and Unpacking

What packers do is, they compress the program and then combine this compressed data with the decompression code it needs, into a single executable. When the program gets executed, the compressed executable essentially unpacks the original executable code, then transfers control to it. So, when you try to decompile a packed exe, you would end up with an error !

This is a quote from Wikipedia :

Quote :

Quote :

Quote:
Executable compression is also frequently used to deter reverse engineering or to obfuscate the contents of the executable (for example, to hide the presence of malware from antivirus scanners) by proprietary methods of compression and/or added encryption. Executable compression can be used to prevent direct disassembly, mask string literals and modify signatures. Although this does not eliminate the chance of reverse engineering, it can make the process more costly.

Several popular exe packers are available today : UPX, ASPack, PESpin, PELock, PEPack etc...Unpacking exes manually is possible but is incredibly painful. Thanx to crackers, we have several unpacking tools

Tools

Applications :
(1) {smartkill} Ver.0.6 (http://rapidshare.com/files/11166936..._v0.6.rar.html)
(2) PEiD Ver.0.95 (http://www.peid.info/)

PEiD can identify a huge array packed/encrypted exes. It is a very nice price of software and it's functionality can be extended by several plugins. The KANAL (Krypto ANALyser) plugin helps you identify crypto-signatures inside exes.

Setup ...

None of these tools require installation. Simply unzip/unrar them to any folder you like, and start using them! Plugins for PEiD are easy to install and instructions can be found on the website, so I'm not explaining here.

Action !

(1) Using PEiD
Using PEiD is fairly easy. Simply drag an exe and drop it on PEiD window and PEiD will instantly show you the statistics. You can get the compiler used, it's version, the PE entropy .. lots and lots of useful stuff.
I'll discuss about specific functions of PEiD, when we encounter their need (in up-coming parts ..).

(2) Using {smartkill}
Well, now that you know how to use Reflector, open any {smartassembly} obfuscated assembly in it. You will see all function names and string names are encoded. It does not display any string but displays a hexadecimal ID that uniquely identifies that string.

For example, the following snippet :
Code: vb.net

Quote :

TextBox1.Text = "Serial accepted !"

might look like :
Code: vb.net

Quote :

□.□ = □.□.□(0x31f5)

What {smartkill} does is it can identify what the hell does 0x31f5 stand for. It can successfully recover the encoded string "Serial accepted !".
Well {smartkill} can do lot more than that, it can remove "StrongNames", it can fix 2.xx algo which renders a cracked application useless, it can patch exes and much more... (I will discuss that in the up-coming parts ... )

I think it's enough for this part.

I will discuss {smartkill} in details and will also talk about cracking other languages like c, c++, vb etc... later.

Till then take care and good bye ..

Thanks for reading this part and thanx for the excellent response to Part I.