Hak5 Episode 403 Show Notes!
Hey guys,
Thanks for watching part 2 of the reverse engineering series. HUGE thanks to Chris Gates of LSO as well as Pedro D’Aquino whose solution I drew heavily on in order to create a logical walkthrough of how to solve the Crackme.
Crackmes are pieces of software that allow people to gain practical experience in reverse engineering without having to resort to less legal means of exercising their skills. There are numerous sites out there that offer them.
Chris Gates, a friend of mine, started releasing crackmes as contests a while back, and I covered one of them on 3×07. The basic overview of this particular executable is that there are 4 buttons that appear in a GUI when the program is launched. The top 3 buttons each play a tone, and the bottom button plays 3 tones that are supposed to match the top 3. Initially they do not match, so it is up to you to figure out how to modify the executable so that they do.
We use Lutz Roeder’s .NET Reflector to open up the .exe initially, as it looks like managed code. From there, after a little looking around, it’s apparent that something is amiss with this code, and that it’s not displaying like it should. The problem is that the .exe we are looking at is only a loader stub: the real executable is stored inside it as a zlib-compressed blob by a packer called NETZ, and is decompressed and loaded in memory at runtime. In the show we go through how to pull that blob out and unpack it. Once the compressed resource has been saved to a file (zipped.zip below), here is the full python script that inflates it:
#import zlib library
import zlib
#open the file which contains the compressed executable
fZip = open("zipped.zip", "rb") #we use 'b' as it is a binary file
#create the file in which we will store the unpacked exe
fUnzip = open("Crackme03Original.exe", "wb")
#read the contents of the zipped file
compressedData = fZip.read()
#..and unzip it (the resource is a raw zlib stream, so zlib.decompress handles it directly)
uncompressedData = zlib.decompress(compressedData)
#Write it to the file and we're done!
fUnzip.write(uncompressedData)
fZip.close()
fUnzip.close()
exit()
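The script above assumes you have already located and saved the compressed resource. If you would rather not hunt for it by hand, you can carve it straight out of the stub: a zlib stream starts with a recognisable two-byte header (0x78 followed by one of a handful of flag bytes), so you can try every such offset, inflate from there, and keep the stream that terminates cleanly and whose output begins with the PE signature "MZ". The following is an added example, not code from the episode or from Pedro’s writeup; the SAMPLE_PACKED bytes are constructed stand-ins for a packed stub, not the real Crackme, and the assumption that the payload is a raw zlib stream is taken from the page’s own use of zlib.decompress.

```python
import zlib

# Constructed stand-in for a NETZ-style stub: junk bytes surrounding one
# zlib stream whose payload starts with the PE "MZ" signature. Not the real Crackme.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 30 + b"This program cannot be run in DOS mode." + b"\x00" * 64
SAMPLE_PACKED = b"\x4d\x5a\x00" + b"\xaa" * 40 + zlib.compress(SAMPLE_PAYLOAD) + b"\xbb" * 20

# CMF=0x78 (deflate, 32K window) with every FLG value that passes the
# (CMF*256 + FLG) % 31 == 0 header check and has FDICT clear.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def find_zlib_streams(data):
    """Return (offset, inflated_bytes) for every offset at which a complete zlib
    stream can be inflated. Inflating from a wrong offset raises zlib.error
    (or never reaches end-of-stream); both cases are skipped."""
    found = []
    for hdr in ZLIB_HEADERS:
        start = 0
        while True:
            off = data.find(hdr, start)
            if off < 0:
                break
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[off:])
                # eof is only set when the stream ended with a valid Adler-32 trailer;
                # whatever followed the stream is left in d.unused_data and ignored.
                if d.eof:
                    found.append((off, out))
            except zlib.error:
                pass
            start = off + 1
    return sorted(found)


def carve_pe(data):
    """Return (offset, image) for the first carved stream that inflates to a PE
    image (payload begins with 'MZ'), or None if there is no such stream."""
    for off, out in find_zlib_streams(data):
        if out[:2] == b"MZ":
            return off, out
    return None


if __name__ == "__main__":
    hit = carve_pe(SAMPLE_PACKED)
    if hit is None:
        raise SystemExit("no embedded PE found")
    off, image = hit
    print("zlib stream at offset 0x%x, inflated PE is %d bytes" % (off, len(image)))
    with open("Crackme03Original.exe", "wb") as f:
        f.write(image)
```

Run it against the packed .exe instead of SAMPLE_PACKED (read the file with "rb" and pass the bytes to carve_pe) and it writes the inflated image out for Reflector. The end-of-stream check matters: a bare zlib.decompress from a guessed offset can produce garbage or fail, whereas d.eof only becomes true when the deflate stream and its checksum both finished cleanly.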
After this, we open up the new .exe in .NET Reflector and find that the main windows form is called Form1, and Play_Click gives us a big tell that we’re closing in on what we have to modify. The program checks the tones by comparing hardcoded values in an array against hardcoded constants. If you look in the dropdown menu under the toolbar there should be an IL selection, which shows the way the array is initialized at the instruction level rather than as decompiled C#.
Hovering the mouse over an IL instruction should give you the raw bytes that encode it. From there, it’s as simple as searching for those bytes in a hex editor, converting the values you want to the matching hex, and overwriting them as shown in the segment. Keep the patch the same length as the original bytes, or every offset and branch target after it in the method body shifts and the assembly will no longer load.
For the full solution, please head over to LSO and to Pedro’s solution. All the credit goes to him as he has an extremely good writeup that is very easy to follow.
See you next time!
PS: cowboy informed me that there is a plugin for .NET Reflector called ReflixII that will help patch the .exe a little easier than manual hex editing.
Posted on Wednesday, September 17th, 2008, filed under Hak5, Hak5ShowNotes.
