Zi_Crakme

September 2nd, 2011 3 comments

 

 

 

Zi _Crackme (Download crackme)

 Zi_Crackme

=========

This is a simple crackme, and it took only 5 minutes to crack fom a noobe like me. Here comes the solution:

 

Target Study

=========

Run the target. You see something like the below:

We need to change the registration routine, so that whatever the input we give, it accepts it.

 

Fire the olly. Now, the problem is how do we reach the routine where this serial registration is shown. I tried looking at call stack, but of no help. What to do now ?

 

Lets use the “animate” feature of the olly to reach near this registration routine. Do “animate over”, and whenever you get the serial registration screen, there should be a call which lead to the screen. So, breakpoint the call, do F9, step in(F7), and “Animate over” again. Doing this again and again will take you closer to the registration routine.

 

 

When we follow the above strategy, we see something like:

Stepping over the code, we see the following:

 

If the EAX is 0, then CMP EAX,0 will set the zero flag, and the JNZ will lead to the wrong serial. So, we need to patch the code somewhere here. There can be many possibilities, and for that brain usage is strictly recommended ;) I will simply NOP the JNZ instruction, and check if it runs es, it fine. Yes, I can see the message “Well Done”.

 

But But But ……. OOPS !! Address A50183 is allocated at runtime, so we cannt directly change the instruction to nop. We need to write a loader for it.

 

So, here is the script for loader(I am using RISC Loader creater)

O=risc_Zi _Crackme.exe: ;Output filename

F=Zi _Crackme.exe: ;File to patch

 

T=50000: ;Patching times

P=00A50183/0F,85,20,00,00,00/90,90,90,90,90,90: ;Patch the JNZ

$

However, the loader this script will create doesnt work. :( So, I tried out some more reversing and found the reason. The address A50000h gets populated with instructions after you have entered the serial. In the meantime you enter the serial, the loader has already finished.

 

By reversing in depth(again using animate over and F7 trick), I found the following instruction to be responsible for copying the code.

 

10099FE3 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

 

He He…. so everything is clear now. The code from the location specified by ESI gets copied to the location specified by EDI. Think… think .. think.. !! You only need to change the corresponding instruction from ESI.

 

EDI = 0A50000

ESI = 1016cb5c

 

A50183-A50000=183h

So, adding 183h to ESI

1016cb5c+183h=1016CCDF

 

You will notice that it is the same JNZ instruction at address 1016CCDF. Its your wish now whether to directly patch it, or change the address in RISC loader creator script.

The new RISC loader script is:

 

O=risc_Zi _Crackme.exe: ;Output filename

F=Zi _Crackme.exe: ;File to patch

 

P=1016ccdf/0F,85,FC,FF,FF,FF/90,90,90,90,90,90: ;Patch the JNZ

$

 

 

Yippie !!!! it works beautifully.

 

 

CHEERS !!!! :)

 

 

 

 

 

 

 

 

Rebuilding Spotlight’s Index on OS X (Manually)

August 20th, 2011 1 comment

After doing a number of disk clean up and optimizations, I found myself in the circumstance of OS X’s spotlight returning no results. Whether I searched for a keyword in Mail, or by Spotlight using Command-Space, I got no results backs – just an empty list for my troubles.

It turns out there’s a neat utility out there called Rebuild Spotlight Index 2.7 that does all the grunt work for you. Problem is, it didn’t work for me. What’s going on is actually fairly trivial, and it’s possible to simply do everything via the command line.

The metadata utilities need to run as root, so to see what your drive is up to, you’d enter something like: sudo mdutil -s /

This shows the status on the root volume.

To turn indexing on for a volume, you enter: sudo mdutil -i on /

And, to force Spotlight to rebuild its index, you simply erase the master copy of the metadata stores on the volume like this: sudo mdutil -E /

However, while I did all this, Spotlight was still not building the indexed for me.

Here’s how I solved it, using just the Terminal.

First, I wanted to see the schema file, so I printed it out using to the standard input using: sudo mdimport -X

At the bottom of the schema listing, I say a reference to a schemaLocation, and took a shot in the dark that perhaps that Spotlight’s index rebuilding needed to check data against its schema before it would start. To do that, it might need network access, if not back to the local machine. And, for good measure, I went to check the date/timestamp on the Spotlight directory using:sudo ls -la /.Spotlight*

While most of the files had the timestamp of when I tried to delete the index, not all the files had the current date and time. Additionally, the file sizes were not growing, a good indication the index was not being rebuilt.

Then, I did the following commands to ensure indexing was on, the spotlight metastore was really gone, and that I wanted it rebuilt:

sudo mdutil -i on /

rm -rf /.Spotlight*

sudo mdutil -E /

The moment I did the last command, this time the system sprung to life, the directory /.Spotlight-V100 was created, and the files inside it were growing quickly. Spotlight on the toolbar showed a progress bar, indicating the system would be done indexing in a bit.

Disable Spotlight Indexing in Mac OS 10.6 – Snow Leopard

August 20th, 2011 No comments

Disabling Spotlight in Snow Leopard is pretty easy, launch the Terminal and type the following command:

sudo mdutil -a -i off

This tells the Spotlight manager to disable all indexing on all volumes, the command will require your administrative password to execute.

Re-enabling Spotlight in Mac OS X 10.6 Snow Leopard is just as easy, just reverse the command to:

sudo mdutil -a -i on

Now Spotlight indexing will be back on and work as usual.

Setting up proxy for apps in android emulator

August 16th, 2011 3 comments

Proxy for Android apps not working even after u tried all proxy settings in emulator? Is your android proxy setting only working for browser not for apps in emulator?

In some of the previous posts(http://hakers.info/site/2011/08/setting-up-proxy-for-android-emulator/) we saw how to setup a proxy for android emulator using settings available in emulator itself. The problem with that approach is that it works only for the browser, it does not work with the apps installed inside the emulator. As I couldn’t find any solution for this problem in android emulator I thought of finding a work around to perform this task. One workaround I found is that we should use the base machine itself to capture the packets which emulator (the apps in emulator) is sending.

We can use many network analyzer tools like wireshark etc to capture and analyze the packets but using these tools you can only capture the packets, there is no option to tamper the packets at runtime. If there is a requirement in which you just have to capture the packets and analyze them wireshark will suffice the needs. But if you want to tamper the request and response(which we normally do using Paros/fiddler in web applications) you need to have a tool which can capture network packets and has a capability to intercept and tamper them.

Read more…

Binary-auditing training package – Manual decompilation, Exercise 8

August 13th, 2011 No comments
This problem statement is part of binary-auditing package. This needs
to be converted to HLL

Problem:(Assembly code)

sub_408138 proc near
000 push ebx
004 push esi
008 mov esi, edx
008 dec esi
008 test esi, esi
008 jl short loc_40816F
008 inc esi
loc_408142:
008 xor edx, edx
008 mov dl, [eax]
008 xor ebx, ebx
008 mov bl, cl
008 add edx, ebx
008 test edx, edx
008 jge short loc_40815B
008 mov ebx, 100h
008 sub ebx, edx
008 mov edx, ebx
008 jmp short loc_408169
loc_40815B:
008 cmp edx, 100h
008 jle short loc_408169
008 sub edx, 100h
loc_408169:
008 mov [eax], dl
008 inc eax
008 dec esi
008 jnz short loc_408142
loc_40816F:
008 pop esi
004 pop ebx
000 retn
sub_408138 endp

 
Pseudo/High Level code:
var_esi = var_edx;
var_esi -- ;

if(var_esi >=0)
var_esi++;

do
{
var_edx=0;
LOWER byte of EDX=*var_eax;  //EAX supplied from outside

var_ebx=0;
LOWER byte of EBX=LOWER byte of ECX;  //ECX supplied from outside

var_edx=var_edx+var_ebx;

if(var_edx<0)
{
var_ebx=100h;   //256
var_ebx=var_ebx-var_edx;
var_edx=var_ebx;
}
else
{
if(var_edx>100h)
var_edx=var_edx-100h;
}

*var_eax=LOWER byte of EDX
var_eax++;
}while(--var_edx!=0)

Installation and Configuration of DHCP Server in Active Directory Domain

August 12th, 2011 No comments

 

Installing the DHCP Service

You can install DHCP either during or after the initial installation of Windows 2003 Server or Advanced Server, although there must be a working DNS in the environment. To validate your DNS server, click Start, click Run, type cmd, press ENTER, type ping friendly name of an existing DNS server in your environment, and then press ENTER. An unsuccessful reply generates an “Unknown Host My DNS server name” message.
Read more…

binary-auditing RCE exercise

August 11th, 2011 1 comment
As a part of learning reverse engineering and enhancing RCE skills, I was going through binary-auditing tutorials. This is manual decompilation exercise 7.

Problem: This is the code to be analysed:

proc near
000 push ebx
004 push esi
008 xor ebx, ebx
008 mov [eax], ebx
008 mov ebx, ecx
008 dec ebx
008 test ebx, ebx
008 jl short loc_408135
008 inc ebx
loc_40810E:
008 mov ecx, [eax]
008 shl ecx, 4
008 movzx esi, byte ptr [edx]
008 add ecx, esi
008 mov [eax], ecx
008 mov ecx, [eax]
008 and ecx, 0F0000000h
008 test ecx, ecx
008 jz short loc_40812D
008 mov esi, ecx
008 shr esi, 18h
008 xor [eax], esi
loc_40812D:
008 not ecx
008 and [eax], ecx
008 inc edx
008 dec ebx
008 jnz short loc_40810E
loc_408135:
008 pop esi
004 pop ebx
000 retn
sub_408100 endp

Read more…

Categories: MalwareAnalysis Tags:

DNS Server Configuration

August 10th, 2011 No comments

Configure Distributed File System(DFS)

August 8th, 2011 2 comments

Setting up proxy for android emulator

August 8th, 2011 3 comments

Facing some issues in setting up a proxy from android emulator??

This article will tell you the steps you need to follow to set up the proxy for android applications using emulator.  For this you require three basic things i.e “Machine Connected to internet”,”Android SDK”,”Proxy Tools (Paros, Fiddler, Burpsuit etc)”. If we are ready with all these software, the first step is to setup the proxy server using any of these tools like paros, fiddler, burpsuit etc. I’ll show you how to do it with paros.

In paros go to Tool>>Options>>Local proxy and enter the address(127.0.0.1 for localhost) and port number(e.g. 8080) on which you want your proxy server should listen. Please refer to the screenshot below for the options page in paros.

Android Proxy Paros Settings

Android Proxy Paros Settings

Read more…

Switch to our mobile site