kdacollector.blogg.se

Malwarebytes premium crack 2016












The topic of this post is a Malwarebytes CrackMe, an exercise in malware analysis that I recently created. First, the challenge was created to serve internal purposes, but then it was released to the community on Twitter and triggered a lot of positive response. Thanks to all of you who sent in your write-ups! Some of the links are included in the appendix. I got several questions from people who were stuck and needed some more explanation/guidance, so I promised to present my own solution to the CrackMe in a step-by-step tutorial.

I am going to go into detail so that even someone with little experience in reverse engineering will not feel lost. But if you still find something unclear, please don't hesitate to ask in the comments.

The CrackMe was intended to be simple, yet to demonstrate various techniques commonly used by malware; that's why we hoped it would be a good learning experience for the beginner malware analyst. Like always, the demonstrated solution is just one of many possible approaches.

The techniques/skills that we wanted to exercise in the CrackMe are:

- Noticing common evasion tricks (antidebug, anti-vm, etc.) and bypassing the checks.
- Detecting XOR-obfuscated payload and decoding it.
- Basic understanding of the RunPE technique

For the analysis environment, I used Windows 7 32bit on Virtual Box, with an Internet connection.

During the analysis, I used the following tools:

- For static analysis: IDA (demo version is enough).
- For dynamic analysis: ImmunityDbg/OllyDbg/x64dbg.

When we run the CrackMe, the first thing we see is the following banner:

So far, we know that the CrackMe is finished when we get a flag in the following format:

There is no password prompt whatsoever; we just see the failure message on the screen. The only way to understand it more is by looking inside.

The code is not obfuscated, and we can easily see that this message comes after the check:

The success of the check will depend on the value of the AL register (AL=0 leads to failure). This value is set in the function above: sub_4014F0. Let's go inside the function and see where exactly it is set:

So there is some variable (IDA automatically named it szUrl, suggesting that it will be used somewhere as a URL) that is passed to a function sub_403380. The output of this function (at this point we can guess that it is some checksum) is going to be compared with the hardcoded one. So, our goal is to have szUrl filled in such a way that it will give us the valid checksum: 0x3B47B2E6.

First, let's have a look at the external references (xrefs) of the variable szUrl to find out how it is used and where it is set. We can view them by pressing CTRL+X in IDA:

As you can see, it is referenced from three places in the code. The second (highlighted) one is the place where we came from (szUrl being passed to the checksum calculation).












