David Teitelbaum has released a very nice, all encompassing intro
Unfortunately, our lives as reverse engineers is not always easy. If all it took to patch an app was a deleted resource or a quick patch, a lot more people would do it. Sometimes we must get a little ‘low-level’, wallow around in the operating system files, single-step an exception handler, or reverse engineer an unknown packer. To have a well-rounded skill set as a cracker, we must know a lot about a lot (or at least where to look about a lot) and it can get pretty technical.
This tutorial is about one of those technical areas: TLS callbacks. It is not easy, nor is it simple, but it can ruin an otherwise nice day of a reverse engineer that doesn’t at least understand the basics of what they are, when they are used, and how to overcome them.
As in all tutorials on my site, the required files are included in the download of this tutorial on the tutorialstools
RadASM is a very good IDE (Integrated Development Environment: think Visual Studio) for developing in most programming languages, though assembly language is where it shines. Not only is it one of the few IDEs out there that will work with assembly language, but the author has also put a significant amount of time and effort into it, making it extremely feature rich and robust. Many people use inline assembly in Visual Studio (using __Asm directives) but you really can’t get the level of control in these big-name IDEs as you can in this product. I used WinASM, a very good product, for years, but when I finally tried RadASM, it felt like someone had created it that really knew assembly language, and the hardships that can bring.
In this series of tutorials I will go over installing RadASM, running it, and creating programs in it, as well as some additional plugins and features. In the download for this tutorial (available on the tutorials
Please keep in mind that this is not an assembly language nor a Windows programming tutorial. It is assumed that both of these have already been learned. If you are rusty (or a beginner) I highly recommend the Windows assembly tutorials by Iczelion. Fortunately, they are also based on RadASM, so the transition should be very easy.
In this tutorial we will be talking about code caves as well as PE sections, and touching on the PE header. We will be adding code caves to two crackmes, both available in the download of this tutorial. We will also be using the Multimate Assembler plugin which is also available in the download, as well as LordPE and CFF Explorer which are available on the tools page. This tutorial, as well as all of my others, can be downloaded on the tutorials
Nowadays, with the plethora of anti-anti-debugging plugins for Olly, you don’t need to know nearly as much as you used to about anti-debugging techniques. But the problem is, without understanding how they work, when we are confronted with a new technique we find that we have no idea how to overcome it. Additionally, learning about anti-debugging techniques helps us understand low-level protections, and is a good introduction to packers.
Anti-debugging is a rather large field, and impossible to cover in one tutorial. I do hope to shed some light on the most used techniques, as well as direct you to getting additional information on some of the more obscure. I have uploaded several documents to the texts section of the tools
In this tutorial, we will be going over a crackme from hell that I wrote specifically for this tutorial. It shows several methods of anti-debugging. It is a very challenging crackme, and as such, this tutorial will be somewhat long and detailed. We will be comparing the source code (in assembly) along side the compiled code in Olly, so dust off that ASM book. As always, you can download all of the accompanying files from the tutorials
In order to make this tutorial a little less painful, I have included a picture of the entire source code, a picture of the entire disassembly (in Olly) with comments, and the assembly project for RadASM with source code, all available in the download of this tut. This way you can refer to the source and disassembly while you progress. I have also included an Olly UDD file with the disassembly fully commented. If you wish to see the crackme fully commented in Olly, just copy this file into the UDD folder in Olly, open it in a text editor, and change the file path at the top to match the path to the crackme.
My suggestion, if you would like to get the most from this tutorial, is to use a clean version of Olly with only my .ini file, meaning no plugins. Many of these techniques will still work with plugins, but this way you can see how they work without any intervention. It will also teach you about what a lot of the options in the various anti-debugging plugins are for. I will personally be using a clean install of Olly to show each technique.
This is part 2 of Working with Visual Basic Binaries. In this tutorial we will be using VB Decompiler which is available in the download from part 1 of this tutorial. We will also be using MapConvert and OllyVBHelper- plugins for Olly, P32Dasm and some additional crackmes, all of which are available in the download of this tutorial on the tutorials
In this tutorial we will go over working with targets written in Visual Basic. Unfortunately, to become a well-rounded reverse engineer, we must know how to deal with these animals as there are many applications written in VB. Because this is a rather large subject, I will split it into two tutorials.
We will be looking at two crackmes, both included in the download of this tutorial. We will also be using VB Decompiler (the Lite version) which is included in the download.
As always, this tutorial, as well as all support files, can be downloaded on the tutorials
I know there has been some discussion in the forums regarding Address Space Layout Randomization (ASLR). For those that don’t know, ASLR is a default setting in Microsoft’s Visual Studio for improved security. What it does is randomize the starting address (OEP) of an executable, making patchers much harder to implement.
In this tutorial I will talk about patchers. A ‘patcher’ is a program that, after finding the patches to an app that makes it do what you want (bypass registration, show goodboy etc), a reverse engineer can use to apply these patches to a fresh copy of the program. Usually patchers are small programs that are sent with an un-modified program (for example, one you download from the manufacturer’s site). After running it, the patcher will apply the patches you wish to the un-modified program, and then the program will be ‘pacthed’.
For example, suppose you download a copy of The Most Awesome Program In The World that has a time trial on it. After investigating this app, you find the patch that, when applied, bypasses the time trial. Now I can set this patch in a patcher, telling it exactly where the instruction to be patched is, as well as what to change the instruction to. I can now send out this patcher instead of the whole Most Awesome Program In The World, telling others to simply download the app from the manufacturer and then run the patcher. When the user runs the patcher, the modifications that we set are applied and now this new app will be patched.
Another thing similar to a patcher is a ‘loader’, but I wil not be going over loaders until we get in to unpacking binaries. Stay tuned for that…
In this tutorial I will be patching a crackme called “Saturday Night Crackme.” Seeing as I didn’t want to get hung up on cracking the app, it is a relatively easy target, though I find it really funny (even though my family is about ready to kill me as it can get on your nerves). I will also be using dUP2, a patcher made by Diablo2002, as well as CFF Explorer. As always, you can download this tutorial on the tutorialstools page.
Time trials are limitations on an application where you only get a certain amount of days or tries before the app stops working. Usually, an application will give you 30 days to try it, after which, it will be disabled. Sometimes, while cracking an application, it is worthwhile to reverse engineer the time trial code as it’s easier to find the registration process when the app is still in trial mode. Also, if you’re lazy, you can simple patch the time trial code and nothing else, giving yourself unlimited time to ‘try’ the app.
For this tutorial, in order to protect author’s and their work, I have downloaded the worst reviewed “file hider” on CNET. Out of 1300 programs of this type, this program was rated dead last. It has been downloaded twice. I believe that the author has stopped any support of it. The name of the app is appropriately named “Secure Data – Hide a File into an Image.exe”. I have shortened the name to “SecureData.exe” just to save myself the typing. I have also not included all of the DLLs for this app, so it will not work completely, but will be fine for this tutorial (How’s that, teddy Rodgers?).
As always, you can download the required files on the tutorials