Application of reverse engineering 0x01

Starting out in reverse engineering


Thanks for stumbling upon my blog, I hope you are healthy and doing great in this hard time. Let's talk about what we have covered so far; if you don't know what I am talking about, please check out my previous blog. Till now we have talked about how our high-level code in C (or any other high-level language) works in assembly with the help of registers and the stack. In upcoming blogs we are going to talk about how the knowledge from the previous blogs can be used to exploit a program or to make it behave differently than it is supposed to, which includes patching binaries, buffer overflows and format strings. If you feel you are not ready you can always go back and read my previous blog, or you can just take up the challenge and keep on reading; I will try to keep this blog very simple.


Patching binaries

I am sure by now you have come across paid software that wants you to enter a product key before you can start using it, so that it can verify you are a genuine user. Have you ever wondered how that can be bypassed? I am sure you have; to be honest, we all have. One way to bypass this mechanism is to patch the application's binary.


What does patching binaries actually mean?

When you come across any software/application, there is a way you can alter its code according to your choice, but you will have to change the binary, because the applications we use are in compiled form and we do not have access to their source code. So to change the code we have to take the help of a debugger and a disassembler, which will show us the code in assembly, and we are now ready to deal with assembly (if not, you know what to do ;) ). Let us look at an example of how we can alter the code of an application, or in other words how we can patch a binary.


Getting our hands dirty

I have written a basic console application in C which requires a product key before it prints the success message. There are many ways to bypass the product key requirement: you can figure out the product key by reverse engineering, you can patch the binary, or you can find out if there is any vulnerable code which you can exploit. Figuring out the product key is pretty simple for my program, you can try it out yourself; here we are going to focus on binary patching.


The above message is shown when the application starts, and if you enter a wrong product key it will show a "Wrong product key!" message like this.


So now we know how the application works and which messages it shows, so we can use these messages as a reference for finding the code we want to patch. We are going to use x64dbg for this example. You can get the source code and executable here. Now let us open the executable in x64dbg; this is how it looks.


Don't get overwhelmed after seeing so many lines of code; we only have to deal with a few particular lines, which we are yet to find. So how are we going to find those lines, you ask? It is a simple method: we just have to find the lines of code associated with the strings we saw in the terminal above. If you look closely in the x64dbg window you will find a tab named References. It is empty right now; we will have to scan the executable for strings first. For that, follow the steps exactly as shown below.


After clicking on String references, x64dbg will scan the executable for all the strings present. After the scan is complete, go to the References tab; you will now find all the strings in the executable listed there. Can you find something familiar there?


Hmm, the highlighted text looks familiar; can you remember where we have seen it? Exactly, this is the text which was shown when the executable was run. If you look a little above you will find the text which indicates what message will be printed if we get the product key correct. Double-click on the highlighted text and it will take us to the corresponding code.


This snippet of code looks like the main function of our application. If you look closely there is a cmp at address 0x00401499. You probably know by now what cmp is used for; if not, google it, it's pretty straightforward. So the cmp here is probably comparing our entered product key to some value (told you finding the product key for this application is pretty easy). But we are here to patch the binary, so let's focus on that first. The result of the cmp decides whether the jne (jump if not equal) is taken or not. If we check where the jne is pointing (0x004014A7) you will notice that it is calling a function; let's check out that function.


According to the text shown on the right side, we can predict that this function gets executed if we enter a wrong product key. So we are clear now that we don't want this jne to be taken. Since we don't know the product key, this jne will be taken every time, so what we can do is change jne (jump if not equal) to je (jump if equal). Then the jump will be taken only when the product key and the user input are the same, which is not going to happen because we don't know the correct product key. So whenever you enter a wrong product key the jump will not be taken, and instead the function called just after the jne instruction will run. Let us look at that function now.


Yes, this seems to be the right function to be executed after a correct product key. So let us now change jne to je by double-clicking the instruction.


Now to save the changes click on File >> Patch file >> Patch file and save it with whatever name you want. If you run this file again, no matter what input you provide it will always show "You can now access me". This was a very basic example which I created to help you understand how binary patching works. In the real world there are multiple applications of patching, for example: sometimes a malware sample can detect whether it is being executed on a virtual machine and stop executing, which is an issue for the analyst, because the analyst wants the malware to run so he/she can perform behavioral analysis successfully. So the analyst uses binary patching to reverse the malware's logic so that it runs on a virtual machine. We will definitely touch on malware in later blogs.
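As an added example that is not from this post or its author: the jne-to-je edit described above done on raw bytes in C, plus a checksum of the kind a program (or an analyst comparing a sample with a known-good copy) can use to notice that a byte of control flow was changed. The instruction bytes are constructed to mimic the cmp/jne/call layout described above; they are not taken from the author's executable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 opcodes: short (rel8) jne/je are one byte; near (rel32) forms are 0F 85 / 0F 84. */
enum { JNE_SHORT = 0x75, JE_SHORT = 0x74, JCC_NEAR = 0x0F, JNE_NEAR2 = 0x85, JE_NEAR2 = 0x84 };

/* Constructed stand-in for the bytes around the post's cmp/jne (not the author's
 * real binary): compare, jump to the wrong-key path if not equal, else fall through. */
static const uint8_t ORIGINAL[] = {
    0x3D, 0x39, 0x30, 0x00, 0x00, /* cmp eax, 0x3039        */
    0x75, 0x05,                   /* jne +5 (to wrong_key)  */
    0xE8, 0x00, 0x00, 0x00, 0x00, /* call success           */
    0xE8, 0x00, 0x00, 0x00, 0x00  /* call wrong_key         */
};
#define JNE_OFFSET 5 /* position of the jne inside ORIGINAL */

/* The edit the post makes in x64dbg, done on raw bytes: turn the jne at `off` into
 * a je. Handles both encodings. Returns 1 if patched, 0 if `off` is out of range or
 * does not hold a jne, so no other instruction is ever damaged by mistake. */
int flip_jne_to_je(uint8_t *code, size_t len, size_t off)
{
    if (off < len && code[off] == JNE_SHORT) {
        code[off] = JE_SHORT;
        return 1;
    }
    if (off + 1 < len && code[off] == JCC_NEAR && code[off + 1] == JNE_NEAR2) {
        code[off + 1] = JE_NEAR2;
        return 1;
    }
    return 0;
}

/* FNV-1a over the code bytes: the kind of self-checksum a program (or an analyst
 * diffing a sample against a known-good copy) can use to spot a one-byte patch. */
uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

int main(void)
{
    uint8_t patched[sizeof ORIGINAL];
    memcpy(patched, ORIGINAL, sizeof ORIGINAL);
    int ok = flip_jne_to_je(patched, sizeof patched, JNE_OFFSET);
    printf("patched=%d byte=0x%02X hash %08X -> %08X\n", ok, patched[JNE_OFFSET],
           fnv1a(ORIGINAL, sizeof ORIGINAL), fnv1a(patched, sizeof patched));
    return 0;
}
```

Note that the patch flips one byte (0x75 to 0x74) while the checksum of the image changes completely, which is why integrity checks of code sections catch this kind of edit even though a string scan would not.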

About the upcoming blog:

In the next blog I will be covering how vulnerable code can be exploited with the help of reverse engineering techniques. I am planning to be more frequent from now on, so be prepared for the awesome journey we are going to have. Keep practicing to get better, because that's the only solution. Till then, happy reversing!!


Blog by: Gaurav yadav [@n0s1kh1ya]