Wednesday, April 29, 2009
My Old Blog, rediscovered
http://web.archive.org/web/20060509150535/www.kristianhermansen.com/wordpress/
Win32 RCE HOWTO with IDA Pro: uncrippling “MP3 to SWF converter”
So, I was interested in converting some of my band's MP3 recordings into SWF files for easy playback via our website. It's not that I like Flash that much, but more that it is such a widespread plugin that I can almost 100% guarantee the client will be able to play the file and listen to the recording (assuming they have speakers!). However, Flash technology is not Open Source by any means, which proves difficult when you run Linux and there are few free tools for creating Flash content. The one site that looked promising was down for some reason (http://www.openswf.org).
Well, I searched Google and stumbled upon an MP3 to SWF converter for Windows that seemed to do the job.
http://www.hootech.com/mp3_to_swf_converter/
I downloaded the trial. All looked well, but the shit software would only convert half of each MP3 file and only up to five at a time! What a load of crap!?!?!? So, what else could I do but invest some of my time into finding a way around that little problem.
You see, many programmers (especially win32 guys) have no idea that their "intellectual property" is just an amazingly constructed stream of bits that happens to do what they want when executed on the right hardware and software platform. The problem is that this stream of bits can be manipulated any way we want once we have some idea of how the software works, and a licensing check that lives entirely in the client's binary is just more bits. Enter the most widely used tool in the reverse engineer's arsenal: DataRescue's IDA Pro.
Using even the old free version of IDA Pro, much can be accomplished. IDA Pro is a very advanced software disassembler and debugger. However, DataRescue does not offer it up for sale to anyone but legitimate corporations and organizations. When asked about this over the phone directly, they told me that the policy was meant to prevent piracy of their product. They refused to sell me the product even at the price of over $900, more than the MSRP. However, this leaves you, me, and every other inquisitive mind left to locate the software by some other means (or use the free version). The problem is that many add-ons require more recent versions of IDA Pro — such as Halvar Flake’s very nice vulnerability assessment tools. If they won’t sell it to me even if I offer them more money than MSRP, well…hrmm…uhhh..wtf!??!
I was told by an employee of DataRescue (via their forum) that they would not mind personal use of the product for now, as long as at some point in the future when I am using it for business purposes (to generate income) that I should purchase the full version under my company name. In fact, while doing work for my employer, I did indeed have access to a fully licensed version of IDA Pro which I used only at work in my daily routines. It is a great tool, and if you are able to purchase it, and they will let you, I highly suggest that you do. Don’t go for the Advanced version unless you will be working with software that runs on less common processors (microwaves anyone?). Just get the Standard version. 4.7/4.8 are fine, but 5.0 will be coming out very soon and appears to drastically revamp the Graph generation code.
OK, so now I assume that you have a copy of IDA Pro. For our purposes, you will also need a hex editor. I suggest you use UltraEdit or Winhex. UltraEdit is nice, but I haven’t used it too long. I am more familiar with Winhex and also dig the ability to open disk/memory/processes in RAW edit mode, which is a very cool feature. I don’t know if UltraEdit supports this, but other than that it seems to be a nice editor. Grab either one. We will only be using the most basic features here.
OK, so now we can move on to the real thing! Let's start reversing this shitty little program, shall we?? Grab the exact version that I am using (2.0 build 628) to make sure that the code hasn't been altered since this posting, and then install it –> mp3_to_swf_setup.exe. After you have it running, play around with it to get an idea of how it works. Add a whole directory of your MP3 files to the application with the "ADD FOLDER" button and try converting them with the "CONVERT ALL" button. You will immediately notice a dialog window indicating that this software is a trial version and that you need to pay $29.95 to uncripple the software. Notice that it only converts up to five songs at a time and that only half of each song is converted as well. However, we will soon see that flipping a few bits in the right places will cause the software to invoke the registered functions already within the program. One would normally pay for some type of registration code via their website and enter it into the application. Since programs like this already ship the "registered" code path inside the app, we don't actually need to pay for the registration; we can get at that code ourselves with little effort.
Now, let’s open up IDA Pro and get started! Choose to disassemble a New file.
Choose the Windows PE executable option.
Browse for the C:\Program Files\HooTech\MP32SWF\MP32SWF.exe file.
Check IMPORTED DLL OPTIONS and click Next.
Click Next again.
Enter C:\WINDOWS\system32 for the DLL directory, uncheck RENAME DLL ENTRIES, then click Next.
Click Next on the final wizard window to invoke the analysis on the selected binary. IDA will now load the file into the database and start analyzing it until completion.
When IDA finishes analyzing the binary, a beep will sound on the speakers and a message will note the completion at the bottom of the screen.
We may now start to delve deeper into the binary analysis. First, we will locate the string that popped up during the trial version's CONVERT ALL operation by using the ALT+T shortcut (text search) and searching for "trial version".
We find the trial nagging text string sitting in the DATA section of the binary, exactly where it should be. Notice the cross reference from the TEXT section:
DATA XREF: sub_40E2E0+94
The function begins at address 0x0040E2E0, and our reference to the trial string in the data segment appears 0x94 bytes into the function.
If we hover our mouse over this reference, it will show a small sample of the calling function. Using the scroll wheel on your mouse will expand and collapse this sample so that you don’t need to keep jumping back and forth between calling functions. This is a really nice feature of IDA.
Click on the cross reference and hit ENTER to jump into it.
By a quick investigation there doesn’t seem to be much going on here, so let’s now jump to another reference which is actually immediately before it within the same function:
sub_40E2E0+58
Just for the record, any loc_XXXXXXXX label means that some jump instruction points at this location. If you see something like sub_XXXXXXXX, this indicates a subroutine, which is reached with the CALL instruction: CALL pushes a return address on the stack and the callee's prologue then sets up a new stack frame. A jmp does neither; it only moves execution within the current function.
Well, this seems to be juicy! We see a whole bunch of test and jz instruction pairs in a row: each test sets the zero flag when the value checked is zero, and the jz that follows jumps when it is. Hover your mouse over the jz targets and look for strings that may help us determine the flow of execution. See anything? Did you notice that every jz instruction points to code that references "MP3 to SWF Converter … This is a trial version"?
However, notice that the final unconditional jmp instruction may lead to running the code that we really want. We can guess at this because its target references the string "MP3 to SWF Converter" just as above, but without "trial version". This may work out for us!
Before we get to patching the binary, let's mark our current progress with a comment in IDA about our findings, or what we think we have found. You can do this by putting your cursor on the line to comment and hitting SHIFT+; to bring up a text entry box. Since we are not sure yet, let's make the comment say "convert MP3 files like we registered???".
OK. We think that we've found something. So, let's modify the original binary to change the jz instructions that pointed our unregistered trial at the crippled code. Since we assume our unregistered copy of the software will fail every one of these checks, let's invert them from jz to jnz. The opcode for a short jz (rel8) is 0x74, while short jnz is 0x75; the condition code is the low bit of the opcode, so flipping one bit inverts the test. Had the compiler emitted the near form instead, the bytes would be 0F 84 for jz and 0F 85 for jnz, and you would flip the second byte; always confirm the actual bytes in IDA's hex view before patching. Note that inverting the checks, rather than NOPing them out, means a genuinely registered copy would now be routed to the trial path, which is fine for our purposes. In order to make these changes, we should fire up our hex editor of choice, UltraEdit.
Choose File -> Open, then browse to the same executable we were analyzing at C:\Program Files\HooTech\MP32SWF\MP32SWF.exe
So, now that we have it open, just scroll through the program with the hex editor and notice some things. You will see the ASCII representation of the data on the right side, along with the actual hex values in the middle. Poke around. You will soon notice that the addresses in IDA do not correspond to the offsets in the actual file: IDA shows virtual addresses (the PE image base, 0x00400000 here, plus each section's relative virtual address), while the hex editor shows raw file offsets. For this binary the .text section's bytes sit at the same offset in the file as their RVA in memory, so all we need to do is subtract 0x00400000 from IDA's virtual address to get the file offset. That shortcut is not universal; in general the file offset is (VA - ImageBase - section VirtualAddress) + section PointerToRawData, taken from the PE section headers, and IDA shows the file offset of the current location in its status bar, so check there if the subtraction lands you on unexpected bytes. The location of the jz instructions that we are concerned about begins at 0x0040E338 in IDA's virtual address space. So, let's check out 0x0000E338 in UltraEdit. We can use the shortcut key CTRL+G to jump to a specific location in the binary.
Notice that this lands us right on top of a jz instruction, with a hex value of 0x74. There should be four jz instructions in very close proximity to each other that we will need to change.
Let's go ahead and change the four values of 0x74 in this small section to 0x75. You can do this by selecting the value with your cursor and typing, duh.
The final edit should look like this.
Will it work? Let’s go ahead and save it as a new file to find out!
*** DO NOT DESTROY YOUR ORIGINAL EXE!!! ***
Now just execute the newly modified executable and try converting some MP3 files as we did previously.
Look ma, no crippled softwarez!!!
We have successfully defeated the trial check in this MP3 to SWF conversion function without much effort. I leave any further modifications as an exercise to the motivated student.
How about creating your own valid keygen so that patching the original binary is not necessary?
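The same patch done as a script, as an added example that is not part of the original post or of the converter's own code. Instead of subtracting 0x400000, it reads the PE section table to translate IDA's virtual addresses into file offsets (the shortcut only holds when a section's file offset equals its RVA, which is true for this binary's .text but not in general), flips jz/jnz in both the short (74/75) and near (0F 84/0F 85) encodings, and works on a copy so the original bytes are never destroyed. The PE it builds is a constructed stand-in, not MP32SWF.exe; the assumption that VAs 0x40E338 through 0x40E344 hold four short jz comes from the walkthrough, and the near jz at 0x40E348 is added only to show the second encoding.

```python
"""Script form of the patch walked through above (added example).

Translates IDA virtual addresses to file offsets by reading the PE section
table instead of subtracting the image base, then flips jz <-> jnz at each
address and returns a new buffer, leaving the original bytes untouched.
The PE built by build_sample_pe() is a constructed stand-in, not MP32SWF.exe.
"""
import struct

def parse_pe(data: bytes):
    """Return (image_base, sections) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                  # PE32: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                # PE32+: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(num_sections):                       # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
        off += 40
    return image_base, sections

def va_to_file_offset(data: bytes, va: int) -> int:
    """File offset of a VA: (RVA - section VirtualAddress) + section PointerToRawData."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            if delta >= s["raw_size"]:
                raise ValueError(f"{va:#x} is in {s['name']} but not backed by file data")
            return s["raw_ptr"] + delta
    raise ValueError(f"{va:#x} is not inside any section")

def invert_jz(data: bytes, va: int) -> bytes:
    """Flip jz <-> jnz at va and return a patched copy. Handles the short form
    (74/75 rel8) and the near form (0F 84 / 0F 85 rel32); the condition code is
    the low bit of the opcode, so XOR 1 inverts it. Refuses anything else."""
    off = va_to_file_offset(data, va)
    out = bytearray(data)
    if out[off] in (0x74, 0x75):
        out[off] ^= 1
    elif out[off] == 0x0F and out[off + 1] in (0x84, 0x85):
        out[off + 1] ^= 1
    else:
        raise ValueError(f"no jz/jnz at {va:#x} (found {out[off]:#04x})")
    return bytes(out)

def patch_all(data: bytes, vas) -> bytes:
    """Invert every jz/jnz in vas; the input buffer is left unmodified."""
    for va in vas:
        data = invert_jz(data, va)
    return data

def build_sample_pe() -> bytes:
    """Constructed stand-in for the target: PE32, image base 0x400000, .text at
    RVA 0x1000 backed by file offset 0x1000 (so 'subtract 0x400000' holds there)
    and .data at RVA 0x20000 backed by file offset 0x16000 (where it would not)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # section / file alignment
    sec = "<8sIIIIIIHHI"
    text = struct.pack(sec, b".text", 0xF000, 0x1000, 0xF000, 0x1000, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(sec, b".data", 0x1000, 0x20000, 0x1000, 0x16000, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(0x17000)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data
    image[:len(hdr)] = hdr
    # Constructed trial checks: four short jz where the walkthrough lands (file
    # offset 0xE338 = VA 0x40E338), plus one near jz to show the 0F 84 form.
    for i in range(4):
        image[0xE338 + 4 * i:0xE338 + 4 * i + 2] = b"\x74\x10"
    image[0xE348:0xE34E] = b"\x0F\x84\x10\x00\x00\x00"
    return bytes(image)

if __name__ == "__main__":
    original = build_sample_pe()
    checks = [0x40E338, 0x40E33C, 0x40E340, 0x40E344, 0x40E348]
    patched = patch_all(original, checks)              # write this out under a NEW name
    for va in checks:
        off = va_to_file_offset(original, va)
        print(f"VA {va:#010x} -> file offset {off:#x}: "
              f"{original[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

To use it on a real file, read the EXE into `data`, pass the VAs IDA shows you to `patch_all`, and write the result to a new filename; `invert_jz` raising on an unexpected opcode is the check that stops you from corrupting the wrong byte when the image-base subtraction and the real file offset disagree.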
–
Kristian Hermansen
http://kristianhermansen.com/wordpress
****************************************
You are free to copy and distribute any part of this informational HOWTO as long as original credit is given to the author of the content…
****************************************
This entry was posted on Sunday, January 22nd, 2006 at 6:32 am and is filed under Computer Security, Computer Tips, Computers.
Dan Says:
February 7th, 2006 at 1:19 pm
This is the most interesting and informative thing I've read in a long time. Awesome.
M03hr3 Says:
February 8th, 2006 at 8:52 am
Thx for this great tut on this complex field... managed to make the keygen now.
Kernelman Says:
March 9th, 2006 at 12:30 am
Best of the Best.
Awesome.
rylisa Says:
March 10th, 2006 at 10:51 am
It was a really good article to read and to learn from...
Great work and good job, and thanks for taking time out and preparing the paper to spread knowledge.