Monday, October 26, 2015

Customizable aspr_ide.dll With Source Code

Sometimes, after unpacking an asprotect target, the application may still rely on the functions and procedures provided by asprotect in its aspr_ide.dll. While the sdk allows for custom functions to be added to it, the generic functions include  CheckKeyAndDecrypt, SetUserKey, GetHardwareID, GetTrialExecs, GetExpirationDate, GetRegistrationKeys, CheckKey, GetModeInformation, GetRegistrationInformation, GetTrialDays, GetKeyDate, and GetKeyExpirationDate. The aspr_ide.dll and its source code provided below simulate all of these functions and return the correct values to register the application. Using the delphi source code, you can modify it to fit the requirements of your target.

aspr_ide.dll Download:


Source Code Download:

Thursday, August 27, 2015

Delphi Tips: Hashing a String With Delphi Encryption Compendium(DEC)

Today, I wanted to use the Delphi Encryption Compendium(DEC) to hash a string. It is a little bit difficult to figure out how to use the components since they are poorly documented, but after a few minutes, I came up with this. At first, I tried to use the CalcBinary function, which allows you pass a string to it. It worked fine, but it is limited due to the fact that it would cast all input strings as an ansistring type. As a result, I switched to the CalcStream type to overcome this limitation. Here are two functions which you can use to calculate an MD5 hash for either a UnicodeString or AnsiString. These functions can be easily converted to a different hash type simply by changing the declaration and create type. The available hash types are: 
THash_MD2, THash_MD4, THash_MD5, THash_RipeMD128, THash_RipeMD160, THash_RipeMD256, THash_RipeMD320, THash_SHA, THash_SHA1, THash_SHA256, THash_SHA384, THash_SHA512, THash_Haval128, THash_Haval160, THash_Haval192, THash_Haval224, THash_Haval256, Thash_Tiger, THash_Panama, THash_Whirlpool, THash_Whirlpool1, THash_Square, THash_Snefru128, THash_Snefru256, and THash_Sapphire
You can specify haval rounds like this: hash.rounds:=3; //(3,4,and 5 are valid round types.)

Uses DECHash, DECFmt

Function GetMD5_Unicode(input: UnicodeString):String;
var
val: tStringStream;
hash: tHash_MD5;
len: int64;
Begin
val:=tStringStream.Create;
len:=length(input)*2;
val.Write(input[1], len);
val.Seek(0, soFromBeginning);
hash:=tHash_MD5.Create();
result:=string(hash.CalcStream(val, len, TFormat_HEX));

hash.Free;
val.Free;
End;

Function GetMD5_Ansi(input: AnsiString):String;
var
val: tStringStream;
hash: tHash_MD5;
len: int64;
Begin
val:=tStringStream.Create;
len:=length(input);
val.Write(input[1] ,len);
val.Seek(0, soFromBeginning);
hash:=tHash_MD5.Create();
result:=string(hash.CalcStream(val, len, TFormat_HEX));

hash.Free;
val.Free;
End;


The Delphi Encryption Compendium(DEC) can be downloaded here:
https://github.com/winkelsdorf/DelphiEncryptionCompendium/releases
 
Until next time, happy programming and reversing. :)

Friday, August 7, 2015

Gilisoft Password Recovery Tool












Gilisoft Password Recovery Tool is a simple utility that allows you to recover the master password for 4 Gilisoft applications.

This utility has been successfully tested on the following Gilisoft programs and versions:
  • Gilisoft Exe Lock 5.0.0
  • Gilisoft File Lock 10.0.0
  • Gilisoft USB Lock 5.5.0
  • Gilisoft Privacy Protector 7.0.0

Download:
https://mega.co.nz/#!4sVhWD7b!Ziz0GatsIyjMrMga6MJXr_kuolbtG1kthh_2Gz6R5AA

Source Code:
https://mega.co.nz/#!F4sBVK6Z!twyh3gbZkj9ZUCH9-7NQhqHQ2fUYYfZP_JK8n9Q1Gis

Monday, June 1, 2015

String Xoring Utility 1.0

























String Xoring Utility 1.0 is an application that will xor encrypt a text string, output it in an array format, and generate a decryption routine for both C++ and Delphi. This will help a programmer hide sensitive strings in their code. Since this will prevent the encrypted text from showing up in string references, this will make reverse engineering slightly more difficult.

Download:
https://mega.co.nz/#!AlUFyAzQ!2EMpQdIUraxsU8b_v3L-S_j5QmFV3dBkg3A0Oo8J2tM

Source:
https://mega.co.nz/#!slcUjIYS!sl0EKHmdUjXOBTOYrQEpeM4zkw44Vix8aG9v11qcxnU


Sample Programs + Source:
https://mega.co.nz/#!AokSXSZK!zUjQgfpTqng6h1uqcd2XMlwaRb3XY7ViLrZih2XZ9Ds

The program is 100% free and open source. However, if used for commercial purposes, a small donation would be greatly appreciated, though not required.

Saturday, May 23, 2015

Random Serial Generator 1.0















Random Serial Generator 1.0 is a simple application that allows you to generate a random serial number for testing license algorithms or implementing them into your own application.

Features:
1. Predefined Character Sets: A-Z, a-z, 0-9, 0-F, 0-f, 0-9 + A-Z, 0-9 + a-z, and 0-9, A-Z, + a-z.
2. Define a Custom Character Set.
3. Input length in either Decimal or Hexadecimal format.
4. Insert Dashes in Insert or Replace Mode.

I did not add any size limits on the input length, so use large numbers with caution. 

VirusTotal Scan (100% Clean):
https://www.virustotal.com/en/file/eb970e0cd75d0324f9ef3b81ad1198377e08ac82b3f51f0222183dc8d6815ac3/analysis/1432434294/

Download:
https://mega.co.nz/#!x18TRabY!9eKZ4H7FyJ8Lt6xz9uBj8s2yZwEZy55AbLvuqtyrT98

Source Code:
https://mega.co.nz/#!c1UwVYQZ!VQVLdrfRDfnDnOB7_DHtXPNjlAKgEobxXbpN7mFEkSk

This software is 100% free and open source. It comes with no warranty.

Icon borrowed from: http://www.iconarchive.com/show/aeon-icons-by-kyo-tux/Sign-LogOff-icon.html

Saturday, May 9, 2015

Hashing Utility Extended 1.0















Hashing Utility Extended 1.0 is an extended version of Hashing Utility 2.0 which supports 77 types of character encoding sets and 14 types of hash encoding schemes.

Supported hash algorithms:
SHA1
SHA256
SHA384
SHA512
MD2
MD4
MD5
HAVAL(ALL)
RIPEMD128
RIPEMD160
RIPEMD256
RIPEMD320

Supported String Encoding:
ANSI
US-ASCII
UNICODE
UNICODEFFFE
ISO-8859-1
ISO-8859-2
ISO-8859-3
ISO-8859-4
ISO-8859-5
ISO-8859-6
ISO-8859-7
ISO-8859-8
ISO-8859-9
ISO-8859-13
ISO-8859-15
WINDOWS-874
WINDOWS-1250
WINDOWS-1251
WINDOWS-1252
WINDOWS-1253
WINDOWS-1254
WINDOWS-1255
WINDOWS-1256
WINDOWS-1257
WINDOWS-1258
UTF-7
UTF-8
UTF-32
UTF-32BE
SHIFT_JIS
GB2312
KS_C_5601-1987
BIG5
ISO-2022-JP
ISO-2022-KR
EUC-JP
EUC-KR
MACINTOSH
X-MAC-JAPANESE
X-MAC-CHINESETRAD
X-MAC-KOREAN
X-MAC-ARABIC
X-MAC-HEBREW
X-MAC-GREEK
X-MAC-CYRILLIC
X-MAC-CHINESESIMP
X-MAC-ROMANIAN
X-MAC-UKRAINIAN
X-MAC-THAI
X-MAC-CE
X-MAC-ICELANDIC
X-MAC-TURKISH
X-MAC-CROATIAN
ASMO-708
DOS-720
DOS-862
IBM037
IBM437
IBM500
IBM737
IBM775
IBM850
IBM852
IBM855
IBM857
IBM00858
IBM860
IBM861
IBM863
IBM864
IBM865
CP866
IBM869
IBM870
CP875
KOI8-R
KOI8-U

Supported Hash Encoding:
HEX
BASE64
MODBASE64
BASE32
BASE58
UU
QP
URL
Q
B
URL_OAUTH
URL_RFC1738
URL_RFC2396
URL_RFC3986

Download:
https://mega.co.nz/#!ogcy3a4T!0D5SAMZ5mdeBJkTYYr7-GTivPMS77MRcWUL-HWE8g3s

Source:
https://mega.co.nz/#!ooUE0JQT!_peZ4Qw-C_xa42D8uuDalPsH-47FmunyMw8tus0_Wpg

This software uses the Chilkat Delphi Libraries:
http://www.chilkatsoft.com/delphiDll.asp

Sunday, February 8, 2015

The Exaggerated Promises of ClickLocker: An Unpacking Tutorial
















ClickLocker is marketed as a digital security solution that allows a content author to easily manage their digital rights by enabling them to regulate access to their ebook, video, or software product. While the ClickLocker website claims that "ClickLocker provides the industrial-strength security you deserve", this is a blatant exaggeration and misleading statement. When we think of industrial-strength security, we assume that this implies the use of cryptography. However, this is not the case with ClickLocker. In this tutorial, we will reverse engineer the ClickLocker Demo application to show you how easy it is to extract an embedded file without the need of a valid license code. To begin, let's download the demo application below.

Demo Application:
http://www.clicklocker.com/ClickLockerDemo.exe

After you have finished downloading, let's scan the file with a protection scanner. In this example, I used ExeInfoPE.
















As we can see, the target application is simply compressed with UPX. This is quite common with most clicklocker applications I have encountered. To remove this, we will simply use the UPX command line utility with the -d parameter to decompress the target.














Now that it is unpacked, we can begin debugging the application. However, before we start, I will give you a quick rundown of how ClickLocker works so that we can understand how the unpacking process works.






















When you start a clicklocker protected application, it will ask you to enter a license code to unlock the program. Once you have entered the 8 digit key, it will connect to the clicklocker server and to verify the license code. Once it checks the license key, it will return 1 of 5 possible strings from the server. Those strings are "good", "bad", "new", "used", "expired", or "suspended". By looking at these, I am sure you can guess that the value we need returned by the server in order to unlock the program is "good". When we enter the key 12345678, chances are, that the server will return the value "bad". In order to exploit this, we will just need to change the returned value to "good". Once the license has been verified, the program will extract the file to the TEMP directory under a random name, apply a super hidden attribute, execute the file, and then delete it. Our goal is to arrive directly after it extracts the file to disk and before it applies the super hidden attribute. To begin, let's go ahead and open the application in Ollydbg and search for all referenced text strings.



First, let's set a breakpoint on all 4 references to the string "good". Afterwards, we need to search for the string "Authenticated Successfully!" This value is returned after the unlocking process is successful. Once you have the breakpoints set as in the picture above, let's start the program in ollydbg and enter the key "12345678".
















After clicking Unlock Now, we will break on one of our "good" breakpoints.















Once we arrive here, we can see that both EAX points to the "bad" string returned from the server while ECX contains its size of 3. In order to trick the program into believing it was authenticated by the server, we need to change the string "bad" to "good" and the size in ECX to 4, which is the length of the new string. Let's follow the dword of EAX in the dump so that we can alter the string value.














Now, let's simply change the value to "good".













Once you are finished, we just need to change the value of ECX to 4 so that it is the same length as our new string.















Now, let's run the program. If everything was done correctly,  we should arrive at the "Authenticated Successfully!" string 2 breakpoints later.




At this point, we simply need to press f8(step over) 8 times to arrive here:





At this point, follow the value of EDX, which was assigned by the instruction at 4DBF26 in the dump to get the path and name of the file that will be extracted.





Let's note this path and file name and press F8. After the called routine is finished, it will have extracted the protected file to the temp directory under the name we had above. Let's open our temp directory and find it.








As you can see, we have found our extracted file. If for some reason you are unable to see your file, it may  already have a super hidden attribute which is often the case with PDF files. In that case you need to change your folder settings to show hidden files and uncheck the option which says hide protected operating system files.






























After doing this, you should be able to find your file. If I recall correctly, a pdf file may have a .tmp extension in order to better hide it. Once you have found the file, you can simply move it to a new directory, rename it if you like, and use the command line parameter attrib -s -h filename.ext to remove the supper hidden attribute if needed.




















Once you are finished, you have successfully beaten this protection. Let's run the application to verify:

























Now that we are finished, I must state that the goal of this tutorial was NOT to teach you how to pirate a ClickLocker protected product, but rather to show you that this product is not as strong as their website implies. A good DRM management software would employ encryption that could not be broken without a valid decryption key being supplied by the server upon activation. This is far from the case with ClickLocker. While my goal here is not to defame ClickLocker, I hope that you will consider these factors before using their low security product. Until next time, happy reversing.

Tuesday, January 27, 2015

An Introduction To x64dbg


















Welcome to this short, introductory tutorial for using x64dbg by Mr. Exodia. The goal of this tutorial is to teach you some of the fundamentals of the x64dbg and show you how closely its features and flexibility resembles its close cousin Ollydbg.While x64dbg is still in an alpha stage, its bugs are minor and few with only a crash happening under unlikely conditions.

1. The Configuration.
Configuring x64dbg is quite simple since the menu is much more concise than ollydbg, making the process much more user friendly. To access the configuration dialog, simply go to the Options menu and click Preferences. In the first tab labeled Events, you can configure what events you want x64_dbg to break on when they occur.
















The configuration in the screenshot above is what I typically recommend and use for simple debugging. The options here are just like those found in ollydbg 1.10 with a few additional features. Here is the gist of what these features do.

System Breakpoint: When loading a new process, the will cause x64dbg to break in the system function which initializes the application you are attempting to debug.

TLS Callbacks: The TLS Callback is a function which is called before the main application runs. This can set parameters or even be used by certain protectors to implement anti-debug technology. This allows you to break on this function.

Entry Breakpoint: This causes x64dbg to break on the Entry point on the application. For general debugging, this is the only breakpoint you will need to have checked.

DLL Entry: This will break on the entry point of any DLL which is loaded by the process you are debugging.

Thread Entry: This will break on the first instruction of any new thread initialized by the current process.

Attach Breakpoint: When this is checked, it will cause x64dbg to break in the DbgUiRemoteBreakin function when attaching to an active process. If unchecked, it will attach without suspending the process.

DLL Load/DLL Unload: This will break in the system function when a new library(DLL) is loaded into or unloaded from the active process. The DLL Load breakpoint occurs before any of its code is executed.

Thread Start/Thread End: This allows us to break in system when our debugged application initializes or terminates a thread.

















In the Engine pane, you will find a few advanced settings for the debugging engine. This should just be left as default in most cases, but here is a rundown of how they work.

Enable Debug Privilege: This allows you to attach to system processes.
Breakpoint Type: This feature allows you to try different types of breakpoints if your program detects or blocks the default INT3.
Undecorate Symbol Names: This makes symbol names look cleaner. It is an aesthetic feature.

















In the Exceptions pane, you can tell x64_dbg which exceptions you would like to ignore and pass to the program. Leaving this blank will let x64_dbg break on every exception. If you want to ignore all exceptions, add the range 0-ffffffff using the Add Range button. The Add Last button will allow you to add the most recent exception which the program you are currently debugging incurred to the ignore list.

















We can use the Disasm pane in order to change the appearance of the disassembled instructions. Here is a gist of what these options do.

Argument Spaces: This will put a space after every argument changing mov rax,rdx to mov rax, rdx. It essentially puts a space after every comma.

Memory Spaces: This puts a space in between memory reference instructions and their operators. This causes mov eax, byte ptr ds:[edx+18] to look like mov eax, byte ptr ds:[edx + 18].

Uppercase: This changes all of the text to uppercase.

Autocomments only on CIP: This will remove all comments, including references from the current disassembly except at the instruction pointer.

















The Misc tab allows you to configure x64_dbg to be the Just in Time Debugger so that the system can attach it to a process whenever a problem occurs.

1. Debugging x64_dbg Sample:
 In order to make this tutorial a little more hands on, I created a little program called x64_dbg Sample. It and its source are available for download directly from the x64_dbg sourceforge directory at the following link:
http://sourceforge.net/projects/x64dbg/files/extra/

Once you have downloaded this, extract it from the archive and let's open it in x64_dbg. To do so, you can start x64_dbg and drag and drop the file into the disassembly window or use the File -> Open option to do the same. Alternately, you can let the default x64_dbg program automatically register a shell extension for you so you can open files through the right click menu.



Once you have opened it and you had previously configured the event settings to Entry Point only, you should be at the entry point of the main module. In the interface, you will see that x64_dbg has many of the same shortcut keys as ollydbg.





















In the debug menu, you can see that x64_dbg has the same hotkeys as Ollydbg. These commands provide some of the key operations that you will need to use in your regular debugging activities.

Run(F9): This starts or resumes the process normally.

Run(skip exceptions) (Shift+f9): This will resume the process while passing the current and all following exceptions to the process.

Pause(F12): This suspends the current process.

Restart(Ctrl+F2): This terminates the debugged process and reloads it.

Close(Alt+F4): This terminates and unloads the debugged process.

Step Into(F7): This allows us to enter a routine or execute the next step in a repeat instruction.

Step Into(skip exceptions)(Shift+F7): This allows us to enter a routine or execute the next step in a repeat instruction while passing the current exception to the application.

Step Over(F8): This allows you to execute an entire subroutine or repeat instruction without stepping through it instruction by instruction.

Step Over(skip exceptions)(Shift+F8): This allows you to execute an entire subroutine or repeat instruction without stepping through it instruction by instruction while passing the current exception to the application.

Execute Till Return(Ctrl+F9): This resumes the process until a return instruction is executed.

Execute Till Return(skip exceptions)(Ctrl+Shift+F9): This resumes the process until a return instruction is executed while passing the current exception to the application.

Breakpoints:
When you are debugging, one of the primary features you want to use is called breakpoints. There are 3 main types of breakpoints. We will briefly discuss these here.

Execution Breakpoint: This is the most common and most used type of breakpoint. When you toggle a breakpoint on a specific address, this tell the debugger to stop when that address is reached in the execution. To use this, simply press the F2 when over an address you would like to break on.

Memory Breakpoint: A memory breakpoint is used to pause an application when a specific area of memory is either accessed, written to, or executed. This is handy when you want to determine when or if a specific area of memory is used by the program. This is available in the right click menu of the memory map window and dump pane.

Hardware Breakpoint: A hardware breakpoint is used to pause an application when a particular address is either written to, read, or executed. This is specifically useful to determine when a particular variable is set. This can be used for byte, word, and dword reads and writes. This feature is available in the right click menu of the hex dump.

Let's Begin:
Now that we have a general understanding of the features in x64_dbg, we can begin debugging our first target. We already have our target loaded into x64_dbg, so let's Run it by pressing F9. As you can see, the application begins to run with the debugger attached to it. At this point, we can pause the application in x64_dbg and take a look at a few of its features. To pause the application, press F12.






























When we pause, we arrive inside of a break-in thread created by x64_dbg. In order to get back to the main thread, we simply click the threads tab and double click on the one labeled main.









Once we arrive in the Main Thread, we can start stepping through the routines and analyzing the call stack. The Call Stack window gives you an extensive list of the functions and procedures(routines) which brought you to your current location. You can use this window to analyze these routines and learn about your application's execution routine. Just double click the one you would like to follow in the disassembler.



The Memory Map pane will show us all of the sections or regions of RAM  allocated to and by our application and its dependencies.

























Let's go ahead and resume the process by pressing F9. Let's attempt to enter the fake password '123456' into the application and see what message is returned when we click Check.


As we see, this is not a valid password because of the message 'Authentication Failed. Invalid Password!' Now that we know the message, let's use the built-in find referenced strings function in x64_dbg to see if we can locate this string inside of the application.To do this, we first need to verify that we are currently inside of the application module. Once this is verified, we can either click on the 'A' button on the top pane of x64_dbg, or left click in the disassembly pane and go to Search for -> String references.


This will build up a listing of all of the strings referenced in the application's code. Once you build up a list, we can use the search pane to filter the list and find the location of this string. However, since this is small application, a simple scroll to the bottom will reveal the location of where our string is referenced, as well as some other interesting strings.




Double clicking any of these will take you to their location in the disassembly pane. You can also toggle a breakpoint on these references by simply pressing F2. Let's follow the 'Authentication Failed..' string and see where it takes us.




In the picture above, I have set a breakpoint at the beginning of the function which checks our password. I have also added some comments beside of a few of the calls so that we can understand this a little better. If we were to step through this using f8, which steps over the calls, we can see the process. Let's toggle the breakpoint at the beginning of this function using F2, enter the value of 123456 into the password box and click Check. We will immediately break on our breakpoint. As we step, you will notice that we will get the password we entered in the text field and then hash it with the built in algorithm.



As we can see, our password is being run through a digest or hashing algorithm and being compared to a precalculated value which is stored in the program as a string. To determine which hash algorithm type this program is using, we can use my software hashing utility to compare the results for the string '123456'. In the debug sample, the hash returned for '123456' is 'e10adc3949ba59abbe56e057f20f883e'. Let's see which algorithm produces the same.



It appears that our hash algorithm is MD5. Since the hash is compared to a hardcoded value, it may take a long time to bruteforce or recover the original password. Using x64_dbg, we have the ability to patch or modify the instructions so that it can accept any password as valid. In the code above, our hashes are compared. If they are equal to each other, the program tells us the password is valid. If not, we are told it is invalid. Using the built in assembler, we can change the location of where the comparison jump lands. That means if we change it to the next instruction, it will always show that the password is valid regardless of what we enter. To use the assembler, we simply press the space bar when we are over top of the instruction we want to change.



Normally, this would jump to VA 59EA68 if the password is invalid. Here, we will simply change the address to 59EA5A so that it will always go to the valid password code regardless of what we enter into the field. After we click OK, the instruction is immediately modified in memory. Now that we have patched, let's test the '123456' password again.




As you can see, anything we enter now will be the correct password. However, this patch only affects the memory of the process. Once we restart the program, this patch will be gone. If you want to make this patch permanent, you can save this to disk. This will make a modified copy of our executable that will always accept a fake password. To do so, we open the patch dialog by clicking the button with the bandage on it at the top.




Once this is opened, we can check the patch you want to save, and this click Patch file. This will allow you to save the modified program directly on disk under any name that you specify.

Now, since we know how the algorithm works, let's see if we can break the password. Online there are multiple databases that will check if they have a solution to your hash. In order to copy the built in hash as a string, we need to follow the value in the dump.To do so, right click on the instruction which points to the built in hash and go to Follow in Dump -> Address.



 Now that we are in the dump, we need to highlight the hex values of the hash string, right click, and the click edit.







This will allow us to simply copy the string directly to our clipboard. Now that we have the hash, we can paste it into a hash solver such as the one available at hashkiller.co.uk.




Amazingly, it has found a solution saying that the password is ba321c. Let's open the unmodified program or restart the one in our debugger and try this value in the password field.








Using our minds and taking this simple approach, we have found the password.

This concludes this introductory tutorial for x64_dbg. This is a very powerful reverse engineering tool that offers a wide range of features and flexibility to accomplish even the most difficult tasks. We are very fortunate that the author has made this free and open source. We should always take the time to thank the developer who has worked hard on this with a small donation or contribution. I hope you found this tutorial helpful. If you have any questions, feel free to ask them below. Until next time, happy reversing.


Saturday, January 3, 2015

Hashing Utility 2.0 With Unicode Support


















Hashing Utility v2.0 is a small utility coded in Delphi which gives the user the ability to calculate hashes and CRC values from a string using either ASCII or Unicode encoding. It supports the following hash types:
  • MD4
  • MD5 
  • SHA-1
  • SHA-256
  • SHA-512
  • TIGER-192
  • CRC-16
  • CRC-32
The tool is free for both home and commercial use and is open source.

This tool uses the DCPCrypt 2.0 library for hash functions.
http://www.cityinthesky.co.uk/opensource/dcpcrypt/

Download:
https://mega.co.nz/#!48k0WLQD!_Dq9UJGlQ6MGs1zS2WtiLD83smSCd9N4sRQagRpUzX8

Source:
https://mega.co.nz/#!Zs9j1SbL!IOvRdoevkMQzCI-NKqnp0Nxa6eJQ6246CAkZLxD_4Mc