Sunday, 3 August 2014

Setting up and cracking! [Mac]



Intro
Hello, and welcome to my tutorial. If you, like me, are a Mac user who has been looking to get into reverse engineering, you’ve probably already Googled around and found nothing but useless stuff (although a few Mac REs do exist; I’ll link my favourite in the ’Credits’). Well, I sat down one day and just began reading, and suddenly I had a working setup and a CrackMe solved.
So, here’s my tutorial :-)

Disclaimer
What you do with this knowledge, I am NOT responsible for. The example included is a simple CrackMe, but should you choose to crack some expensive software, I am not to blame if something happens to you! I simply shared some knowledge.
The method I’m using is just one of many. This is just to get you started. You should be able to find another way to crack it when you’re done here.


Software
Well, to solve Part 2 we’re going to need some software. First of all, you should have Xcode installed. It’s a tool for Apple developers, but AFAIK it’s available for everyone else too.
Next, you’re going to need OTX. There are multiple versions available in loads of places on the internet, but you’ll need the latest: if you download one of the older versions, you won’t be able to disassemble x64 binaries. You can check out the latest from here using SVN:

Quote:http://otx.osxninja.com/builds/trunk/

You’ll need to compile this yourself in Xcode, but that’s as easy as opening the .xcodeproj file, choosing ’Archive’ for the application, and sharing it to your destination of choice.
Now you’ll need class-dump, which can be downloaded from here:

Quote:http://www.codethecode.com/projects/class-dump/

We’re also going to use gdbinit, a nifty script created by one of the most helpful Mac REs I’ve seen. This tool can be downloaded from here:

Quote:http://reverse.put.as/gdbinit/

Be sure to download the newest version. When this is done, you’ll have to move it into your home folder and rename it .gdbinit. This can be done via Terminal like this:

Quote:mv ~/Downloads/gdbinitVERSION ~/.gdbinit

Of course, you replace the ’gdbinitVERSION’ part with the filename of the file you downloaded, and adjust the path if it’s not in the Downloads directory.

Another great tool to get is ’Hopper Disassembler’. It’s on the Apple Mac AppStore, and is worth every penny (Actually, it’s pretty cheap!). If you can’t afford this, GDB will do just fine for now.
You could choose to use IDA instead, but that’s really your choice. I chose to use Hopper and GDB for doing this. :-) 


Using GDB
For this CrackMe we’ll be using the GDB debugger. This comes with Xcode (or OS X, not sure TBH) and is used in the Terminal.
There are a few things you should know about GDB. When using gdbinit, we’ll first have to start GDB, like this:

Quote:gdb

Now we’ll choose our ’target’ file, with the following command:

Quote:exec-file ~/MyFolder/MyFolder2/File.app/Contents/MacOS/File

As you see, the .app file you normally launch is actually just a folder. I’m not going to explain how this works, only that you’ll find the ’real’ executable in the Contents/MacOS/ folder.
To find out what’s actually happening while debugging the app, we’ll have to set some breakpoints. Breaking on a raw address is done like this:

Quote:break *0x11

But you can use functions, lines and other methods too. So if you want to know when the app is checking the length of a string, you can break on the Objective-C method (note the leading ’-’ for an instance method, which GDB requires):

Quote:break -[NSString length]

Really, if you know how Objective-C works, this should be easy enough. :-)

To continue when the breakpoint has been reached, just write ’c’ or ’continue’, and the app will continue execution.

We’re also going to have to actually run the app. This can be done by either writing ’r’ or ’run’.
When the app is being paused by a breakpoint, you can exit the app by writing ’kill’, or simply CMD+Q the app while it’s running.

We’re also able to read from these addresses, with a simple command like this:

Quote:x/s *0xADDRESS
This’ll output a string; the letter after the slash is the format.

A list of the other formats you can use after the slash:

- o(octal)
- x(hex)
- d(decimal)
- u(unsigned decimal)
- t(binary)
- f(float)
- a(address)
- i(instruction)
- c(char)
- s(string)
- T(OSType)

But looking at the app isn’t enough for us; we want to change some values too. This can be done with the ’set’ command, and it’s actually as simple as it seems:

Quote:set $eax = (int) 0x12345

Of course, this can be done with addresses too.

We’re also going to use the ’cfz’ command from gdbinit (clear zero flag), which changes the outcome of conditional jumps like je and jne. In our case it stops the jump from being taken, simply skipping it.

For most of these commands there are more options than what I listed, but these are the basics, and they’re all we need to solve the CrackMe.
If you want to know more about GDB, look at its help, or Google around.

The cracking part
Well, seems like we’re finally ready to crack something! Yay!
The CrackMe we’re going to use, can be downloaded from here:


I made my own CrackMe too; if you guys want it, I’ll upload it as well so you can have a go at it (although it’s VERY easy!).

We’re going to need to know what we’re up against, so what we want to do is find all the functions and global variables. This can be accomplished with class-dump. The following command should do it:

Quote:class-dump "Path/To/File/Challenge #1.app/Contents/MacOS/Challenge #1" >> classdump.txt

This will dump the variables and functions into a file named classdump.txt in your current working folder (shown by running ’pwd’ in Terminal).
When we open this file, we see a few functions. My classdump.txt looks like this:


Quote:/*
 *     Generated by class-dump 3.3.4 (64 bit).
 *
 *     class-dump is Copyright © 1997-1998, 2000-2001, 2004-2011 by Steve Nygard.
 */

#pragma mark -

/*
 * File: /Users/Christian/Desktop/Challenge #1.app/Contents/MacOS/Challenge #1
 * UUID: B4FB5C47-4F51-F65D-E63B-9B5652A2346D
 * Arch: Intel 80x86 (i386)
 *
 *       Objective-C Garbage Collection: Unsupported
 */

@interface Level1 : NSObject
{
    id errorSheet;
    id incorrectSerialSheet;
    id mainWindow;
    id nameField;
    id registeredSheet;
    id serialField;
    id welcomeSheet;
    BOOL hasBeenRegistered;
}

- (void)awakeFromNib;
- (void)applicationDidFinishLaunching:(id)arg1;
- (void)continueWelcomeButton:(id)arg1;
- (void)quitCorrectSerialButton:(id)arg1;
- (void)okErrorSheetButton:(id)arg1;
- (void)okIncorrectSerialButton:(id)arg1;
- (void)cancelButton:(id)arg1;
- (void)unregisterButton:(id)arg1;
- (void)emailResults:(id)arg1;
- (void)verifyRegistration:(id)arg1;
- (BOOL)isRegistered;
- (BOOL)validateSerial:(id)arg1 forName:(id)arg2;
- (BOOL)applicationShouldTerminateAfterLastWindowClosed:(id)arg1;

@end

The method ’verifyRegistration:’ seems like something we could use.
Now we want to get the ASM code of this application. It’s time to use OTX: open OTX, drag the binary file into the window, and it should recognize it and let you save the dump.
This file is a lot longer, so I’m not going to post its contents, but yours should look the same.

In most ASM dumps you’re not going to get such ’good’ output. For everything else I get my hands on, I first have to find the addresses with another app (Hopper) and then look them up in the dump, but in this case the method names are printed before the ASM code, which lets us search for our function directly. Now search for

Quote:-(void)[Level1 verifyRegistration:]

and you’ll get to the function that gets called when you press the ’Register’-button.


I assume you know some ASM before beginning this, so you should be able to spot where the action happens. But if not, here’s the ’if’ statement that we’re going to tamper with: the call to validateSerial:forName: returns a BOOL in %al, testb sets the zero flag if it is 0 (NO), and the je then jumps to the ’bad serial’ path.


Quote:+174 0000293c e81d270000 calll 0x0000505e -[(%esp,1) validateSerial:forName:]
+179 00002941 84c0 testb %al,%al
+181 00002943 0f84f500 je 0x00002a3e
+187 00002949 a100400 movl 0x00004000,%eax standardUserDefaults
+192 0000294e 89442404 movl %eax,0x04(%esp)
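As an added example (not from the original post), here is a small Python parser for the OTX listing format shown above. It locates the call / testb %al,%al / je pattern that decides on a BOOL return value, which is exactly the spot the tutorial sets its breakpoint on. The embedded listing is constructed: the five instruction lines are the ones quoted above, with a method header line in front as a real dump would have.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in OTX's listing format: the five instruction lines are the
# ones quoted in the post; a method header line precedes them in a real dump.
OTX_LISTING = """\
-(void)[Level1 verifyRegistration:]
+174 0000293c e81d270000 calll 0x0000505e -[(%esp,1) validateSerial:forName:]
+179 00002941 84c0 testb %al,%al
+181 00002943 0f84f500 je 0x00002a3e
+187 00002949 a100400 movl 0x00004000,%eax standardUserDefaults
+192 0000294e 89442404 movl %eax,0x04(%esp)
"""

# One OTX instruction line: "+<offset> <address> <bytes> <mnemonic> [operands]"
LINE_RE = re.compile(r"^\+(?P<off>\d+)\s+(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)"
                     r"\s+(?P<mnem>\S+)(?:\s+(?P<ops>.*))?$")

class Insn(NamedTuple):
    offset: int
    addr: int
    mnemonic: str
    operands: str

class BoolCheck(NamedTuple):
    call_addr: int    # the call whose BOOL result is tested
    jump_addr: int    # the conditional jump that decides the outcome
    jump_target: int  # where execution goes when the jump is taken

def parse_otx(text: str) -> List[Insn]:
    """Parse instruction lines; method headers and blank lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m["off"]), int(m["addr"], 16), m["mnem"], m["ops"] or ""))
    return insns

def find_bool_check(insns: List[Insn], callee: str) -> Optional[BoolCheck]:
    """Find the call -> test %al,%al -> je/jne pattern that acts on a BOOL return value."""
    for call, test, jump in zip(insns, insns[1:], insns[2:]):
        if not (call.mnemonic.startswith("call") and callee in call.operands):
            continue
        if not (test.mnemonic.startswith("test") and "%al,%al" in test.operands):
            continue
        if jump.mnemonic in ("je", "jne", "jz", "jnz"):
            return BoolCheck(call.addr, jump.addr, int(jump.operands.split()[0], 16))
    return None
```

For the listing above, find_bool_check(parse_otx(OTX_LISTING), "validateSerial:forName:") returns the je at 0x2943 (the address the tutorial breaks on) with 0x2a3e as the taken, ’bad serial’ target.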

Start up Terminal, load GDB and Challenge #1 as previously explained.
Now we want to set a breakpoint on the address of that je, so that we can stop it from jumping to the ’bad’ message.
This is done like this:

Quote:break *0x00002943
Now we’ll run the app, simply by calling ’run’.
The app will open, and you’ll be presented with a window telling you about the rules and so on. Continue, and you’ll see ’Name’ and ’Serial’ text fields. Write whatever you want, and press the ’Register’ button. This will pause the app and should focus the Terminal window.

Write ’cfz’, press enter, and the crack is actually done: the zero flag is cleared, so the je is not taken. But since our app is still paused, we have to tell it to continue running with the ’continue’ or ’c’ command.

Now the app will tell us that it’s registered successfully. GJ! :-)

Now, as said in the ’Disclaimer’, this is not the only way, but it’s by far the easiest IMO.

Credits
There’s only one guy that I’ll show you, and that’s fG.
This guy made a tutorial that everyone is able to follow, and his blog is worth following. He’s also the author of various tools, including gdbinit. You can find multiple CrackMes on his site, and links to other sites.
The blog can be found here: http://reverse.put.as/

The End
If you found any errors or something weird in the tutorial, just let me know, and I’ll fix it ASAP. 
Feel free to ask questions, and I’ll do my best to answer them. :-) 
