Thursday, November 27, 2014

RingZer0 Crack Me 1 Walkthrough

Introduction


This crackme is the 2nd file under the Binaries (Windows/Linux) challenges at www.ringzer0team.com. It is of course a reverse engineering challenge.

I hope this guide will show some useful techniques to solve this challenge using only simple static analysis without the need to look at the assembly code.

Run the File


We run the file and see the following message box:


When we click OK the dialog closes and the program exits. Obviously there is more to the picture.

Viewing the Resources


During static analysis of the file, we find a binary resource embedded inside it. Its hex begins with 4D 5A, the MZ signature that opens the header of every PE file.

As it turns out, the program drops this binary as a DLL tucked away in an AppData folder. We'll simply dump it to disk using Resource Hacker, saving it as crackme1.dll.
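The same check can be scripted. This is an added example, not from the original post: it scans a blob for MZ, follows e_lfanew at offset 0x3C to confirm the PE signature, and reads the COFF characteristics to tell a DLL from an EXE. The names find_embedded_pe and make_stub are hypothetical, and the sample bytes are constructed header stubs, not the challenge file.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images


def find_embedded_pe(data):
    """Return [(offset, is_dll)] for each MZ hit that leads to a PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # room for a full DOS header
            # e_lfanew at 0x3C holds the offset of the NT headers
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            nt = pos + e_lfanew
            if nt + 24 <= len(data) and data[nt:nt + 4] == b"PE\x00\x00":
                # Characteristics is the last field of the 20-byte COFF header
                (flags,) = struct.unpack_from("<H", data, nt + 22)
                hits.append((pos, bool(flags & IMAGE_FILE_DLL)))
        pos = data.find(b"MZ", pos + 1)
    return hits


def make_stub(characteristics):
    """Constructed header-only PE stub (DOS header + COFF header), for testing."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed sample: host EXE stub, a stray "MZ" string, then an embedded DLL stub
SAMPLE = (make_stub(0x0102) + b"\x00" * 32 + b"MZ not a header"
          + b"\x00" * 100 + make_stub(0x2102))

if __name__ == "__main__":
    for offset, is_dll in find_embedded_pe(SAMPLE):
        print(f"PE image at 0x{offset:X} ({'DLL' if is_dll else 'EXE'})")
```

A hit at a non-zero offset in an executable is the pattern seen here: a second PE image carried inside the first.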


Inspecting the DLL


We open the DLL using PEView, or alternatively (and often better) PEStudio. We go to the Export Address Table (EAT) and see it exports a function called DisplayMessage.


Run the Exported Function


So in order to run the function, we just have to issue the following command, which uses the rundll32.exe program included with Windows:

