Apps 7 to 15
Hey again, HBHers.
It’s been a long time since I’ve written an article, and I promised I’d write one on apps 7 through 12, but instead, I’ll go one better and do apps 7 through to 15 ;)
This is not intended to be a guide, it is meant to be an in-depth walkthrough of the challenges, to help people get a better grip on them.
This contains A LOT of spoilers, and if you are just looking for subtle hints, the forum is a better place to ask.
App 7
This app is simple, open in Olly, search for all referenced text strings, bam, password’s right there.
App 8
This one’s a bit harder than just searching for text strings. When you open this app it initializes a timer which quits the program when it runs out, but the timer is so short that by the time the program is up and running, the time is already up. For this app you’ll need VBReformer 3.7 (the newer versions suck).
Okay, so open up VBReformer and open app8.exe inside it. You should now see “Text5”; click this, then go to the Edit Properties tab, and you’ll notice that in the Caption part it says visible=0. Change the 0 to 1 so that the text will show up, then underneath, where it says Visible, make that True instead of False. That’s the first part done. You’ll also see in the side panel that if you go to the properties of Text1 (the password box), it’s disabled, so enable that as well. From the File menu you can save the modified file as a new binary, so save the current modifications as “app8_1.exe” and run it; you should see something in red next to the password box. As you can see, the timer is still effective, so it’s not possible to type the password and hit enter. Instead, back in VBReformer, change the textbox’s default text from PasswordBox to what we saw in red. Now we need to make the enter button either reachable by tab, or give it a shortcut key (&nter). This way we can just press ctrl+n and it’ll enter the password.
Now, if we open up Olly and load our modified app8_1.exe, then search for the text strings, we should see “Cra” and “gas”. If you double click the “gas” string, a few lines down you’ll see a “vbaStrCmp” (string comparison) at 004021C7, and a few more lines down (00402213) you’ll see a JE which jumps down to the message box of “Well done for getting this far…”. Now, we can press space to change the instruction: instead of a JE you want a JNZ, or just a NOP. This stops the program from taking the jump, so it carries on and gives you the HBH password. (This can be done in a simpler way, but I wanted people to work with other programs to get used to using them; you can’t rely on Olly for everything.)
App 9
This app is pretty straightforward: open up Olly and open the app inside it, hit F9 to run the program, enter any random data for your name and “code”, then search for all referenced text strings. You should see the value you entered, and just above or below it should be a hexadecimal string; this should be your code ;)
App 10
In this app, if you open it up in Olly and search for the text strings, you’ll see a hexadecimal string. Then if you run the app, input “test”, and search for all referenced text strings yet again, another hex string should appear, the same length as the previous one. Now, hex is usually written in pairs, AA, AB, AC, AD, etc., so split the hex string you’re given into pairs and that tells you the length of the password. If we assume each character is turned into one pair of hex digits (through some algorithm), we can work out what the characters must be. The first pair in the original string is “60”, and the “t” from “test” gives 67, so if we work backwards and input “sest” instead of “test”, we see that “s” must be the first character. I’m sure you can work the rest out from there :p
App 11
For this app you’ll need .NET Reflector. Once you have this, open it up and open app11.exe in it. Expand “HBH App Challenge”, and you should see “Form1”, expand this and you’ll see Command1_Click_1, which is an event handler for when you enter the password. Right click this and hit “Disassemble”, this should bring up the code in the side bar. You should see something like “Interaction.MsgBox((“Congratulations: The password for HBH is: “ & str27), MsgBoxStyle.Information, “Correct!”)”, this is obviously the message box you see when you enter the correct password. Now, str27 is a variable, so if we look at the str27 variable, we see it’s a concatenation of other variables which build up to a password. You should be able to work the password out from this.
App 12
This is one of my apps and is pretty simple to beat, though the idea is that you code a bruteforcer to beat it. Anyway, I’ll show you how you can beat it in Olly. Standard procedure: open up Olly etc., scroll down in the app until you see “Please enter the password”; a few lines down from this will be a comparison against a hex value, so open up “calc.exe”, turn scientific mode on, and convert the hex to decimal. Simple.
App 13
This is another one of my apps, and again is fairly straightforward. If you open it up with Olly, you can see that it seeds a random number generator based on the current time; the functions “time”, “srand”, and “rand” show this quite clearly. Now, if we know it’s based on the time, we can create a batch file which runs two instances of the app within the same time frame. So open up notepad/notepad2, or your favourite ASCII editor, and type these two lines:
start app13
start app13
Then save it as “app.bat” and run it, and you should see the two windows pop up. Now, in one of the windows, type any random password; the computer should beep, tell you it’s wrong, and give you the password it wanted. Then use that password in the second instance, as it should be the same. Congrats, you’re halfway there. This is where most people PM me and say “your app is broken, the password doesn’t work.” Well, to all of you: you only did part 1. Part 2 is to work out the real password from what you’re given. If you’re unsure about this, read up on converting between signed and unsigned integers; you can do it using the Windows calculator ;)
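To make the App 13 lesson concrete from the defender’s side, here is an added C example (not app13’s own code, which is not on this page) that reproduces the two properties the walkthrough relies on: a PRNG seeded with the wall-clock second gives identical output to any two runs started in the same second, and the value handed back is a signed 32-bit integer whose unsigned reinterpretation is what part 2 asks for. The function names and the way the two rand() draws are combined are my own constructions; the fix is to derive secrets from the OS CSPRNG (BCryptGenRandom on Windows, getrandom/urandom on Linux) rather than from a predictable seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Constructed stand-in for the time()/srand()/rand() pattern seen in the
 * disassembly. The seed is the current second, so it is fully predictable;
 * a real program must never build a secret this way (use the OS CSPRNG). */
int32_t clock_seeded_secret(time_t now)
{
    srand((unsigned int)now);                 /* seed = current second */
    uint32_t hi = (uint32_t)rand() & 0xFFFFu; /* two draws are combined so the */
    uint32_t lo = (uint32_t)rand() & 0xFFFFu; /* result can fall in the negative range */
    return (int32_t)((hi << 16) | lo);
}

/* Two processes started inside the same second get the same seed and therefore
 * the same "random" secret: this is exactly why the two-instance batch file
 * works. The C standard guarantees srand() with the same seed repeats the sequence. */
int same_second_collision(time_t second)
{
    int32_t first_instance  = clock_seeded_secret(second);
    int32_t second_instance = clock_seeded_secret(second);
    return first_instance == second_instance;
}

/* Part 2 of the challenge: the number the app prints is a signed 32-bit value;
 * the password it actually wants is the same bit pattern read as unsigned.
 * (The signed direction relies on two's complement, which every relevant
 * platform uses.) */
uint32_t as_unsigned(int32_t v) { return (uint32_t)v; }
int32_t  as_signed(uint32_t v)  { return (int32_t)v; }

int main(void)
{
    time_t now = time(NULL);
    int32_t s = clock_seeded_secret(now);
    printf("seed %ld -> signed %d, unsigned %u (hex %08X)\n",
           (long)now, (int)s, (unsigned)as_unsigned(s), (unsigned)as_unsigned(s));
    printf("same-second collision: %s\n", same_second_collision(now) ? "yes" : "no");
    return 0;
}
```

The detection angle is the same as the exploitation angle: if two runs in one second agree, the secret is a function of the clock and not of any entropy, which is the property a code reviewer should flag whenever srand(time(NULL)) feeds anything security-relevant.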
App 14
This application took a while for me to get my head around, but once I worked out what it was doing, it was pretty simple. In the code section, above “Good Job!…”, there is a comparison; set a breakpoint on that CMP and run the app. Type whatever you want as the serial and hit enter; the app should then pause and you’ll be at the breakpoint. Just below the CPU window Olly shows you which values are being pushed onto the stack, as well as the current value of EAX. Here we can see a value being put onto the stack, and given what a CMP does, we can safely assume that it’s the password. Again it’s in hexadecimal, so open up “calc.exe” and convert it. That should be your HBH pass :)
App 15
This app was developed by kaksii, and is based on a real-life “trial software” situation in which the program checks how long you’ve had it. When you open this it tells you it expired in 1999, and seeing as it’s 2008, that was a long time ago. So what can you do? Time travel is not an option, but fortunately Windows lets us modify the date and time, so if you click the clock in the system tray and go to adjust date/time, you can set the date back to before 1999.
Now, run the app again, and it should say “This is a free trial. Please register!” or something similar. So if we open up our trusty Olly Debug program, we can see how this application functions. If you click the “About” button, it tells you cracking is not possible due to an algorithm made by kaksii, but I assure you, it is definitely possible.
Okay, so if you do the standard search for all text strings, you’ll see a Unicode string containing “You are registered…”. If you double click that string, it takes you to the relevant code section. Now, if we scroll up a bit, we see a lot of VB functions being called, and as this is before the check, we can presume this is the algorithm kaksii was talking about. Most importantly, we see “CALL DWORD PTR DS:[401068]”, which references “vbaStrCmp”, a string comparison, so above this the values being compared must be getting set up.
So, if we breakpoint the code section from 00729589 down to 007295AB (vbaHresultCheckObj to vbaStrCmp), this will give us an accurate picture of what happens when we try to register. Okay, so everything’s breakpointed and ready to go; hit F9 to run the application, then press “Register”. Type any random string into the textbox and hit enter, and you should then reach your breakpoints. Step through until you reach “MOV EDX,EAX” (007295A3): as EAX is what is going to be compared (PUSH EAX at 007295AA), you will notice EAX in the registers window turns into a Unicode string, which also appears beneath the CPU window. This will contain your password to register.
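The clock-rollback trick at the start of App 15 works because the trial check trusts the system date alone. As an added example (not kaksii’s code; the enum, function names and dates are my own constructions, with the 1999 expiry and 2008 run date taken from the text), this C snippet puts the naive check beside a guarded one that also remembers the latest timestamp it has ever seen, so a reading earlier than that mark is reported as tampering instead of re-opening the trial.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef enum { TRIAL_OK = 0, TRIAL_EXPIRED = 1, TRIAL_CLOCK_ROLLBACK = 2 } trial_status;

/* Helper for the demo: a calendar date as time_t (local time, midnight). */
time_t ymd(int year, int month, int day)
{
    struct tm t;
    memset(&t, 0, sizeof t);
    t.tm_year = year - 1900;
    t.tm_mon  = month - 1;
    t.tm_mday = day;
    t.tm_isdst = -1;           /* let mktime work out DST */
    return mktime(&t);
}

/* Naive check of the kind the walkthrough defeats: it trusts the clock alone,
 * so turning the system date back before the expiry re-opens the trial. */
trial_status naive_trial_check(time_t now, time_t expiry)
{
    return now > expiry ? TRIAL_EXPIRED : TRIAL_OK;
}

/* Guarded check: the program also keeps a high-water mark of the latest
 * timestamp it has seen (in a real product this is persisted somewhere the
 * user cannot trivially edit, or validated server-side). Time never runs
 * backwards, so a reading below the mark is treated as clock tampering. */
trial_status guarded_trial_check(time_t now, time_t expiry, time_t *high_water)
{
    if (now < *high_water)
        return TRIAL_CLOCK_ROLLBACK;
    *high_water = now;         /* advance the mark */
    return now > expiry ? TRIAL_EXPIRED : TRIAL_OK;
}

/* Replays the article's scenario: expired in 1999, run in 2008, then the
 * clock is set back to 1998. Returns 1 when the naive check is fooled by the
 * rollback and the guarded check catches it, 0 otherwise. */
int rollback_scenario(void)
{
    time_t expiry     = ymd(1999, 1, 1);   /* constructed expiry date */
    time_t run_2008   = ymd(2008, 1, 1);   /* honest clock reading */
    time_t run_1998   = ymd(1998, 6, 1);   /* clock turned back by the user */
    time_t high_water = 0;                 /* nothing seen yet */

    int naive_fooled =
        naive_trial_check(run_2008, expiry) == TRIAL_EXPIRED &&
        naive_trial_check(run_1998, expiry) == TRIAL_OK;

    int guarded_caught =
        guarded_trial_check(run_2008, expiry, &high_water) == TRIAL_EXPIRED &&
        guarded_trial_check(run_1998, expiry, &high_water) == TRIAL_CLOCK_ROLLBACK;

    return naive_fooled && guarded_caught;
}

int main(void)
{
    printf("naive check fooled by rollback and guarded check caught it: %s\n",
           rollback_scenario() ? "yes" : "no");
    return 0;
}
```

The high-water mark only raises the bar; as the rest of the App 15 walkthrough shows, the registration check itself is still a local string comparison that a debugger can observe, so date guards are no substitute for keeping the real licence decision off the client.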
I hope you enjoyed this article. I know there were a lot of spoilers in it, but that was mentioned at the start.
Comments, feedback, rating, etc all welcome and wished for :)
Thanks for reading.
~system.
spyware 16 years ago
Does exactly what it promises; want a complete walkthrough? Here it is. Awesome challenge article, very good article in general. Could've been a bit better if you took the time to tell people what happens and why these solutions work, though.
Uber0n 16 years ago
I think this article contains too many spoilers/information on how-to-beat-the-challenge-without-really-understanding-what-you're-doing :| well written though; I give it a strong 3/5
SySTeM 16 years ago
As I said, this isn't meant to be "subtle hints", it's an in-depth walkthrough, exactly how a walkthrough for a game would be, it tells you what to do. If I wanted to just write another "hints" article, I'd cut half of this out, but my point was this was meant to be in-depth and explanatory ;)
K3174N 420 16 years ago
Include App Extra!! That's the only fucker that has me pulling at my hair <.< … That's even if you can complete it now… I haven't seen that jake dude since my 'Keiran420' account… Anyway, nice walkthrough, will please many a noob I'm sure :) And be a nice little final resort for anyone else who gives a fuck ^^ VGood.
K3174N 420 16 years ago
Ignore my jake comment, being dumb, that's encryptions… Wishes there was an edit button…
kaden 16 years ago
nice tutorial system_meltdown.. there was one part in the other tutorial that had me stumped, but this cleared it right up :D.. nicely written, very easy to follow, very good :D
ghost 16 years ago
Well, when you're awesome… you can write about whatever the fuck you want. :D I'm not a fan of challenge articles, but your writing is precise and pleasant. Hopefully, members will know to use this as a step to understanding app cracking in general, instead of just using it as a walkthrough for the challenges and nothing more. Now, write about that XHTML / SEO shiznit you been doin'! ;)
r0phux 12 years ago
Thanks! You helped me with 15 in a great way! You got me on the right track without spoiling it :)