Question

This application is the first application challenge on the site hackthissite.org.

The idea is to find the serial. When you enter the serial number and press ok, it pops up a message box with a password for the challenge if correct, or a message saying the serial is wrong. To solve the challenge you are supposed to find the password which is in plaintext in the binary at 0x1670FE.

I was trying to find in IDA Pro where the string you enter is compared to the serial in the binary.

I want to be able to find where it's compared, be able to change the jump to allow it to accept any wrong password, or change it so it accepts any password.

I can't seem to do this. I've found where the message box is displayed (by searching for MessageBox and adding breakpoints), where it pushes the addresses of the "Sorry" or "Correct" strings onto the stack.

I've tried adding breakpoints on the addresses of these strings and on the serial itself, but it doesn't seem to work. IDA doesn't seem to recognise these as strings; they don't show up in the strings window.

I've also tried to follow this function back but I reach a point where I can't seem to go back any further.

Any help, information, or tips would be greatly appreciated. I really want to know how to figure this kind of problem out.

Sorry if it is a very basic question.

Thanks.


Solution

I wasn't able to solve this using IDA Pro, so I gave it a go using OllyDbg.

By setting the serial to something like "TEST", after pressing Authenticate, I was able to find that string in memory or the serial itself.

By setting a breakpoint on the serial memory access, I was able to work backwards and find the comparestring function where it compared the two strings.

A little while after this, it checks if edx is greater than 2 and performs a jump. I set this to an unconditional jump and a little while after that it seems to check again if the strings are the same length, which I set to always true too.

Now the program gives the password regardless of what you enter.

Interestingly, it seems that there are 5/6 valid serials, that maybe it generates from the one in memory or gets from somewhere else. When you enter an invalid serial, it compares it to each of the serials until it finds a match and then displays the message box for success or failure.

It was a pity I couldn't find the answer to this in IDA Pro, but I think OllyDbg was the better tool for the job.

If I went back in IDA and looked again, I would probably now be able to find the check.

OTHER TIPS

There is a HINT given that you may not have noticed. It's saying that the password is in plain-text format.
So you can try to find out more about how to see the strings inside a binary.
Reverse engineering doesn't always imply opening a disassembler or debugger.
There are commands like strings, hexdump, etc.; learn more about those.
Hope it helps. :)
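
What the tip above points at, as an added example that is not part of the original posts: a small strings-style scanner that reports the file offset of each printable run, which is how a plaintext secret embedded in a binary gets located without a debugger. It goes beyond the ASCII case by also scanning for UTF-16LE runs; the names `find_strings`, `grep_strings` and `SAMPLE` and the sample bytes are constructed for illustration and do not come from the challenge binary.

```python
import re
import sys

MIN_LEN = 4  # minimum run length, the same default the `strings` utility uses

# Printable ASCII run, and the same characters stored as UTF-16LE (char + NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def find_strings(data: bytes):
    """Return sorted (offset, encoding, text) tuples for printable runs in data."""
    hits = []
    for m in ASCII_RE.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def grep_strings(data: bytes, needle: str):
    """Keep only the hits whose text contains needle (case-insensitive)."""
    return [h for h in find_strings(data) if needle.lower() in h[2].lower()]


# Constructed sample: a fake header, one ASCII message, one UTF-16LE message
# holding a placeholder secret, and a few bytes standing in for code.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 10
    + b"Sorry, wrong serial\x00"
    + b"\xff\xfe\x01"
    + "Correct! Password: EXAMPLE-ONLY".encode("utf-16-le") + b"\x00\x00"
    + b"\x8b\x45\x08\xc3"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, text in find_strings(data):
        print(f"0x{off:06X}  {enc:8}  {text}")
```

The takeaway for anyone shipping software is the reverse of the challenge: any secret stored as plaintext in a binary is recoverable this way, whatever checks the code performs around it.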

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow