[Giagnocavo]Michael::Write() - Cracking code 3: Cracking an obfuscated .NET assembly

Friday, November 26, 2004

Cracking code 3: Cracking an obfuscated .NET assembly

Intro
It's been a while since I wrote anything that interesting, so I figured for Thanksgiving, I'd go ahead and do so. Merry Thanksgiving. The first article in this “series“ is here.

Cracking .NET programs can be just like cracking any other program. In this article, I'm going to use the same approach as I did last time. I threw together a quick little program called CrackMe2. CrackMe2 has a really cool feature called “Reverse Text”, however, it's only available to registered users. What's a poor boy to do?

Target
First, we try registering. Since we don't have a valid code (we don't even know what one looks like), we get an “Invalid serial.“ MessageBox. OK, so now we know that the program does something when we click a button, and if the serial is wrong, we get a MessageBox.

Darn, 123 didn't work.

Well, the first step in cracking is defining our target and it's location. Our target is the code that's deciding to say “Invalid serial.” instead of “You're registered!”. Where's the “bad code“ that needs to be fixed? Well, with a .NET assembly, our first information is gained by taking a look with IL DASM.

View of the obfuscated CrackMe2 assembly

Oh no! It's obfuscated (thanks to Ivan Medvedev's Mangler). Let's assume this is a big application and that we'll never find what we're looking for just by going through the IL. Just by glancing at the hierarchy, we don't know that much more than when we started: There's a form with code.

Seeing past the names
Now certainly, we can do static analysis and try to find out where the bad code is. One way would be by getting the strings (Ctrl+M in IL DASM, scroll to the bottom), and then grep the IL for ldstr , and work from there. In fact, that's a pretty quick and easy way to locate certain parts. However, lets pretend the strings are encrypted/dynamically generated, and that's not viable. So, let's start debugging.

[Michael@MAO C:\]$ cordbg CrackMe2.exe
Microsoft (R) Common Language Runtime Test Debugger Shell Version 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

(cordbg) run CrackMe2.exe
Process 4488/0x1188 created.
Warning: couldn't load symbols for c:\windows\microsoft.net\framework\v1.1.4322\mscorlib.dll
[thread 0x1510] Thread created.
Warning: couldn't load symbols for C:\CrackMe2.exe
Warning: couldn't load symbols for c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll
Warning: couldn't load symbols for c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll

[0004] mov         ecx,98543Ch
(cordbg)

cordbg is a command line debugger that ships with the .NET Framework SDK, and it's just loaded the CrackMe2.exe and related assemblies. Just like before, we're going to go ahead and set a breakpoint and find out where we are in the program, and work from there. So, let's breakpoint the MessageBox.Show function. We use IL-similar syntax to specify the function name: NameSpace.ClassName::Method.

(cordbg) b System.Windows.Forms.MessageBox::Show
Breakpoint #1 has bound to c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll.
#1      c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll!System.Windows.Forms.MessageBox::Show:0      Show+0x0(native) [active]
(cordbg)

Then, we tell cordbg to go until it breaks by typing go. The form comes up, and we enter a serial number: 123.

(cordbg) go
Warning: couldn't load symbols for c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll
break at #1     c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll!System.Windows.Forms.MessageBox::Show:0      Show+0x0(native) [active]
Source not available when in the prolog of a function(offset 0x0)

[0000] push        edi
(cordbg)

Bingo, we're stopped at a MessageBox. We want to know who called this function, since most likely, that will lead us to the critical code section we need to fix. So, we ask cordbg where are we?

(cordbg) where
Thread 0x1510 Current State:Normal
0)* system.windows.forms!System.Windows.Forms.MessageBox::Show +0000 [no source information available]
                owner=(0x00ac36b0)
                text=(0x00ad5854) "Invalid serial."
1) CrackMe2!CrackMe2.Form1::AAAAAAAAAAAAAAAAAAAA +0070 [no source information available]
                AAAAAA=(0x00ac8400)
                A=(0x00aca86c)
2) system.windows.forms!System.Windows.Forms.Control::OnClick +005e [no source information available]
                e=(0x00aca86c)

9) system.windows.forms!ControlNativeWindow::OnMessage +0013 [no source information available]
                m=(0x0012ef04)
--- Managed transition ---

We see what's expected. Somewhere in Win32 code, a message was sent, and we see the OnMessage called and bubbling up all the way to the Control::OnClick, and then user code. We can look at all the arguments along the way, and that's useful for more complex scenarios (say, when a registration function calls another passing the serial number or validation code).

At any rate, we've got something to go on: The name of the function that calls the MessageBox: CrackMe2.Form1::AAAAAAAAAAAAAAAAAAAA (20 A's). We're done with cordbg (quit). Our next stop is to read the bad code.

Looking at the bad code
Using IL DASM (see above), I navigate to the CrackMe2.Form1::AAAAAAAAAAAAAAAAAAAA method. Inside is relatively straighforward code. First, there's a try/catch that has an Int32::Parse call in it. The result is stored in local 0. So we now know the code is numeric. Immediately after the catch handler, we have this snippet:
IL_0022: ldloc.0
IL_0023: ldc.i4.1
IL_0024: and
IL_0025: ldc.i4.1
IL_0026: bne.un.s   IL_0035
IL_0028: ldarg.0
IL_0029: ldstr      "Invalid serial."
IL_002e: call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(class [System.Windows.Forms]System.Windows.Forms.IWin32Window, string)

Load the local (the number entered), then load the number 1, and AND them. Then, load one, and if they are not equal, jump to IL_0035. If they are equal, execute the following instructions, which quite obviously say “Invalid serial.”. AND'ing a number with 1 and comparing to 1 is a check to see if the number is odd. So, at this point, we can write a keygenerator that produces... even numbers. A keygenerator is always preferred to a patch, however, generally speaking, finding the algorithm might be a bit harder. Then, there's always the possibility that the check actually does something hard to fake (i.e., uses RSA or talks to a hardware dongle/web service). So, let's go on and patch this code.

At IL_0035 (the target of the branch if the number is even), we have some code that does activation work and then proceeds to say “Thank you...”. Simple sample. Now, let's make the fix.

Simple Patching
With IL DASM and IL ASM, we have a really easy way to make patches. Simply run ildasm /out=CrackMe2.il CrackMe2.exe, and IL DASM will dump all the IL required for that assembly to a nicely formatted file. All we have to do is goto the bad method and fix up the IL. I think the most unintrusive fix would be to add “br IL_0035” to the top of the method. That would branch immediately to the good code, and the product would activate on any serial number entered.

However, some obfuscators try to stop IL DASM round tripping, and that might stop some posers in their tracks. The IL obfuscator I'm going to give away for free will do this, for example. (Actually, my free obfuscator would make this tutorial a bit harder because of how it handles names -- we'd have to actually get a token instead.)

Assuming we can't use IL DASM/ASM, what can we do? Use a hex editor.

Binary Patching
When we can't reassemble an entire program, we can patch certain opcodes instead. Tools like OllyDbg have a built-in assembler so we can easily make patches to the x86 code. For IL, I'm not aware of any such tool. Another issue with binary patching IL is that we have to ensure the resulting IL is fully correct and is able to be JIT'd to native code. If our patch ends up screwing with the IL in a way that makes it incorrect, we'll get a runtime exception from the execution engine. Let's try to create a binary patch that jumps from the beginning of the method right to the good code, at IL offset 0x0035.

First, in IL DASM, turn on “Show bytes”, under the View menu. This allows us to see the actual bytes that make up the opcodes. Now, lets look at the beginning of the critical function:

// Method begins at RVA 0x2434
// Code size       78 (0x4e)
.maxstack 2
.locals init (int32 V_0)
.try
{
    IL_0000: /* 02   |                  */ ldarg.0
    IL_0001: /* 7B   | (04)000002       */ ldfld      class [System.Windows.Forms]System.Windows.Forms.TextBox CrackMe2.Form1::AAAAAAAAAAAA
    IL_0006: /* 6F   | (0A)000026       */ callvirt   instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
    IL_000b: /* 28   | (0A)000027       */ call       int32 [mscorlib]System.Int32::Parse(string)
    IL_0010: /* 0A   |                  */ stloc.0
    IL_0011: /* DE   | 0F               */ leave.s    IL_0022
} // end .try

This code is protected in a try block. We could go and remove the try block, but that's modifying more code. Generally speaking, we should aim to patch as little code as possible to ensure we don't accidentally screw something up. So, we're going to deal with the try block and fix it from within. The ECMA specifications for .NET will come in handy here. Specifically, Partition III, CIL. This can be found in the .NET Framework SDK folder, under “Tool Developers Guide\docs”. It's also available from MSDN, here.

The first instinct is to say, hey, let's change IL_0000 to a br to IL_0035, and NOP out the remainder of the try block. However, that'd create illegal code, since you can't branch out from a try block, you must use the leave opcode instead. So, let's rewrite the method to simply leave to IL_0035. Here's the description of the leave opcode:

The leave instruction unconditionally transfers control to target. Target is represented as a signed offset (4 bytes for leave, 1 byte for leave.s) from the beginning of the instruction following the current instruction.

The formats (in hex) are DD <4 bytes> for leave and DE <1 byte> (as shown above), for leave.s. We'll use leave.s, just to be efficient :). Since the total size for leave.s is 2 bytes, we calculate the offset to 0x35 from 0x02 (since our leave instruction is at 0x00). Subtraction tells us we must have an offset of 0x33. Hence, our leave instruction in hex looks like: DE 33. Since that'd leave the IL in an incorrect state, we must nop out the rest of the try block. The hex for nop is 00.

Open the assembly in your favorite hex editor, and let's find the method. IL DASM gives us the RVA, but for now we'll just search for a specific byte sequence. The IL DASM Show bytes allows us to easily find our place. Do note that the way tokens are displayed ((04)000002, for example), is reverse from how they are stored. Depending on the size of the app, you might need to search on quite a large number of bytes, since IL sequences are most likely repeated. For this case, we're going to search on the last bit: “0A DE 0F”. No other matches found, so this is the one.

As when programming, in cracking we have many ways to solve a problem. Many of them can be considered “right”. We could make a simple one-byte patch by allowing any number as a valid serial. This has the merit of ensuring the local int is assigned, and well, being only a one-byte edit. The leave.s opcode is at offset 0x11, so add 2 to that amount and we get 0x13. 0x35 - 0x13 = 0x22. So by changing “0F” to “22”, we'd have our crack. However, let's stick to the original plan and jump right to the good bits from the beginning.

In the hex editor, we back up a bit until we find the 02 7B 02 00 00 04 part (ldarg.0, then load the textbox field). At the 02, we drop our leave.s IL_0035 payload, which is DE 33. Then, we nop out (00) everything until the end of the 0A DE 0F part. The resulting hex for the try block is thus: DE 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00. Save the file as CrackMe2.cracked.exe.

Satisfaction
Run the program. Type in anything for the serial. “Thank you for registering.” The second textbox activates. We've won access to the coveted “Reverse Text” function. Write up an .NFO, ensuring to remind people to purchase software to support the authors. Then kick back and play a game of KSpaceDuel.

Download the program itself (Right click and save as, since it's a .NET assembly and IEExec will try to run it otherwise): CrackMe2.exe (24 KB). Or, download the source: CrackMe2.cs.txt (4.81 KB).

Was this post interesting, helpful, stupid, or lame? Leave a comment and help me improve.

Code | IL | Security

Friday, November 26, 2004 5:22:20 AM UTC

Comments [13] | Trackback Tracked by:
"http://reversengineering.wordpress.com/2007/08/05/cracking-code/" (http://rever... [Pingback]
" Como crackear assemblies..... con nada de experiencia" (la visión de un ingeni... [Trackback]

Saturday, November 27, 2004 4:34:56 PM UTC

You have made an assumption that assembly is not strong named. And if a person has gone to the extent of obfuscating then its pretty much guranted that he has SN assmbly too. Do you think fixing IL for SN assmebly will keep the hash intact?

ThirdEye

Saturday, November 27, 2004 5:29:48 PM UTC

You are right -- I didn't make any mention of strong naming. I'll discuss how to get around that kind of stuff next time. However, in summary, strong naming is not going to be an issue. SNs prevent accidental corruption (say, from downloading), or a malicious person sending you code. It doesn't stop the local user from modifying the assembly -- that's not even a design goal.

Michael Giagnocavo | mggAT NOSPAMAtrevido dot net

Tuesday, November 30, 2004 3:14:40 AM UTC

ur good

kornolio

Tuesday, November 30, 2004 2:52:37 PM UTC

First of all - great post. It brings happy thought back in time when similarly methods could crack just about any game within a half hour.

Assuming that it is not possible to write something completely secure: Are you planning to write a finalizing post where you give us your thoughts about how to go 99% of the way to repel all script kiddies or whatever the likes are called today?

Lars Buur | larsAT NOSPAMhubia dot dk

Wednesday, December 01, 2004 4:07:28 AM UTC

Lars, no need to assume: It is impossible to write something that's 100% secure from modification, if the attacker controls all aspects (hardware, software). If you can control one aspect (say, putting part of the code on a web service) then that'll do it.

You can try to put code into hardware too. 3D Studio MAX did that at one point. Some variable or data about the scene was stored on the dongle. Thus, after extended usage, the program would act in a very peculiar manner. Autodesk was able to know who had pirated the app, since the behaviour only appeared in cracked versions. However, I believe the success of this method was because it was subtle. It didn't crash the program, didn't refuse to startup. To a cracker, it appeared to work. Only advanced users who were REALLY using the program were affected. I'm still against hardware for other reasons as I've written elsewhere on my site (mainly it adds unnecesary burden to endusers) .

As far as repelling script kiddies... I doubt many of them can read any IL at all, so by compiling and not shipping source, you're safe :). But seriously, I don't believe that repelling script kiddies is actually an issue at all. Script kiddies don't write cracks. They download and apply 'em.

I'm writing an obfuscator (well, in beta, about to release), and it includes a lot of fun tricks (type obfuscation, same-name obfuscation, encypted loader), which I feel will put a strong enough deterrent against weak crackers. As always, with enough determination and skill it's always possible to crack something.

It all depends on the application: what you're hiding, what you're protecting against -- threat modelling. I think next I should write on how to threat model your app and design countermeasures, as far as cracking goes.

Michael Giagnocavo | mggAT NOSPAMAtrevido dot net

Wednesday, June 15, 2005 6:18:12 PM UTC

Great article! Thanks :)

I tried to use ILASM to compile the modified IL version (simple, non-binary patch) but got an error:

C:\Dev\ReversingSpike>ilasm CrackMe2.il /output=CrackMeFixed.exe /resource=CrackMe2.Form1.resources /resource=CrackMe2.res
Multiple resource files not allowed. Option /resource=CrackMe2.res skipped

Microsoft (R) .NET Framework IL Assembler. Version 1.1.4322.2032
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.
Assembling 'CrackMe2.il' , no listing file, to EXE --> 'CrackMeFixed.exe'
Source file is ANSI

Assembled method Form1::.ctor
Assembled method Form1::Dispose
Assembled method Form1::AAAAAAAAAAAAAAAAAAA
Assembled method Form1::AAAA
Assembled method Form1::AAAAAAAAAAAAAAAAAAAA
Assembled method Form1::BAAAAAAAAAAAAAAAAAA
Creating PE file

Emitting members:
Global
Class 1 Fields: 7; Methods: 6;
Resolving member refs: 65 -> 65 defs, 0 refs
Could not create output file, error code=0x80070714

***** FAILURE *****

Apparently having multiple resource files is not allowed, yet ILDASM created them. How can I use ILASM to retain all of the original resources?

Thanks again,

Drew Noakes

Drew Noakes

Wednesday, June 15, 2005 6:48:23 PM UTC

You just need to reference the single .res. The resource files, IIRC, are automatically pulled in. Also, using ILdasm on obfuscated assemblies will almost always fail, if the obfuscator is any good.

However, I don't believe 0x80070714 is related to the multiple resources. Email me the original diassembling and the modifications you've done and I'll take a look at it.

Michael Giagnocavo | mggAT NOSPAMAtrevido dot net

Wednesday, May 09, 2007 2:33:21 AM UTC

" The hex for nop is 00. " - You killed everything childish in me ...

How can you write a cracking tutorial and then write a shit like that ???

Reversing is for people with BRAIN , you are not one of those so just please don't try anymore - o.k.

setekh | dmgAT NOSPAMcryptomail dot org

Wednesday, May 09, 2007 2:39:47 AM UTC

setekh:
"You killed everything childish in me", what are you talking about? And what is wrong with my statement?

Anyways, this whole series is just to show people who would never have looked into this that reverse engineering (even as simple as my examples) can be fun!

Michael Giagnocavo

Monday, July 14, 2008 11:01:05 PM UTC

Great tutorial. I learned a lot. I had one problem though. When trying to debug using cordbg, I got this error msg.

Error: hr=0x80070057, The parameter is incorrect.

Not sure why.

ghoti

Saturday, October 04, 2008 6:29:30 PM UTC

Because of postes like this one, I've never ever say "It's impossible!".
Thanks Michael!

rrossenbg

Monday, December 14, 2009 12:05:52 PM UTC

What if file was signed?

www.google.com/accounts/o8/id?id=AItOawnJbAU5dv8HdSsIu8Ti9lizxNcTZ6ATQYc | noneAT NOSPAMnone dot com

Monday, May 10, 2010 7:02:30 AM UTC

Hi!
First of all I would like to thank you for taking a momment in creating this tutorial.
Now,the reason for my writing to you.I am a newbie in this field and am using this as a guide to look in to the realms of creating minor programs in future I have studied your first article an now am going thru Article No:3 but the problem I am facing is from the part 'Seeing past the names' where you've started the Debugging process. My question is Are we to write the code below in Window SDK CMD Shell?or somewhere else please clarify the exerpt is given below.

[Michael@MAO C:\]$ cordbg CrackMe2.exe
Microsoft(R)Common Language Runtime Test Debugger Shell Version 1.1.4322.573
Copyright(C)Microsoft Corporation 1998-2002.All rights reserved.

Here again I am using Windows SDK v.7 So what should be the code for me?
How do I Run cordbg?

please suggest
Thanks for everything.
bye.

Imran | himran99AT NOSPAMyahoo dot com

OpenID
Please login with either your OpenID above, or your details below.

Name
E-mail
Home page

	Remember Me
Comment (HTML not allowed)
Enter the code shown (prevents robots):
Live Comment Preview