The basics of electronic security bypassing
Enter into the deep world of binaries. Welcome to my kingdom.
Hi everybody, today I will bring some mysterious things into the shining sunny day for you, and give you a little homework too. I know that in most cases people, no matter young or old, like stuff like this. In this tutorial I will introduce some very basic things about software code, how data is stored in software, firmware and EEPROM, and what kind of tools I use to enter this world. Remember, this is really basic stuff, and I try to write it in a human language, not in the language of experts.
Let's start. All of you have been in a situation where you had to use some device with a code, or some other piece of equipment that needs additional information for its operation. Some of us repair electronic equipment of this type daily. Most of the time we have to decode something: crack the code of a faulty TV, a PIN code, or change some settings in the EEPROM of a ceramics oven because the user needs a higher temperature than the panel allows you to set.
In most cases all this data is stored in EEPROMs, which can be a separate chip on the PCB or inside the CPU.
Let's make things clear: the EEPROM is the device where the preset data of the device is stored. The CPU is where the firmware lives; you could say it is the operating system of that device, like Windows, Linux or Unix on a PC, while the EEPROM is like the registry database on Windows or an .ini file holding the settings of that device.
From time to time people ask me how I can find or know the code for some device or software.
From my side, I never have to know the code. Let us think about it. Why should we know a code for entering a restricted area? What is our mission in that area?
To know the code, or to make some setup? Think about that for a minute…
I mean, before you make the first step to decode something or change some setup in a hex editor, you have to know what you wish to happen, and estimate the time it will take, the tools you have to use and the decoding method that fits your situation.
I don't need a key for my house door to enter my house. Maybe I can get into the house through a forgotten or badly closed window. This is the so-called software BUG.
Do you know what I mean?
Here is a situation I prepared for all of you. It is a really simple thing, but I hope it will help all of you understand the basics of how CPU firmware works and how to override the mystery.
I wrote a simple program. It works in a Windows environment. The software asks you for a username and a password. This could be a car radio code too, but you don't know any of that. What would you do to bypass the restriction?
Here is how I prepare myself to think about a case like this:
I always make a backup of the original software. I check what kind of CPU it runs on and what operating system it needs. In this case it is a program named CrackMe.exe and it runs on a PC in a Windows environment. You can download it from here: https://drive.google.com/file/d/0BzCmxPSYmVj2dDRTUFhvdk9uTmM/view?usp=sharing
Now I decide which tool to use. I always use my favorite tools:
– OllyDbg
– IDA Pro
– HxD Hexeditor
– HIEW Hackers Eye View
OllyDbg is practically an assembler-level analysis tool. It is very useful when no source code is available.
IDA Pro is a very helpful disassembler. I use its built-in functions like the graph analyzer and other functions that come up later in this article.
HxD Hexeditor is a simple but powerful hex editor. I use it to quickly analyze the targeted software, read the header of the executable, or change some bytes if needed. With this piece of software it is also possible to write the new code into the bin file of the EEPROM of a code-protected car radio.
HIEW Hackers Eye View is old software, but my favorite one. It runs on a minimal PC configuration, on the MS-DOS operating system, even from a floppy. It is a disassembler, hex editor and text editor in one. Very powerful.
Let's start and get access to the CrackMe software.
You may need the Vbrun60.exe runtime library to run CrackMe.exe.
Download it from here: https://support.microsoft.com/en-us/kb/192461
Here is a picture of the software I wrote for practice:
The left picture is the main window that appears when you start CrackMe.exe.
The right picture is the message you get if you click the "LOGIN" button in the left picture. After you press the "OK" button in the right picture, you go back to the main screen of the app, or the app quits.
So, can you see some strange problem with the app?
Let's say the device you have to recode or crack has a display.
You have to enter a code or whatever to log in or to enter some menu. In most cases you get a message about a wrong input.
This message about wrongly entered login information is, in most cases, the key to cracking the app or the device.
Because after you do these few steps with the app, you gain some knowledge of how the app works, where the main part of the app is that you have to get into, and you have the message in human-readable format, which in our case is: "You Failed man!…"
In most cases, the very basic plan for an app is like this:
- search for a username and code?
- make a simple jump to reach the part of the program we need?
- rewrite a part of the program to overcome the security part?
- or should we try other possibilities? If you have any other idea, it's OK…
First I look inside the firmware/EEPROM dump or the app for any readable strings which could maybe give me the username and password/code.
Open IDA Pro, which you can download from: https://www.hex-rays.com
Drag and drop CrackMe.exe onto the disassembly area where the text is shown:
After this, IDA Pro will ask for some settings; just press OK.
The strings are collected in this tab. Maybe you can find some interesting words that hint at the username and password, or at the code of the login section on the device.
In this case there is no useful data for us. Go back and continue analyzing the data in the "IDA View-A" tab.
What do we have now? We can see the whole programmed code of CrackMe.exe in assembly language.
Do not pay attention to all of it. Just try to find the text "You Failed man! Try again" using the search function or by scrolling down.
This is the text we got from CrackMe.exe when we entered an incorrect username and password and pressed the "LOGIN" button.
Press ALT+T, or in the menu click SEARCH and then TEXT…
Write the text "You Failed man! Try again" in the "String" field, tick "Find all occurrences" and press "OK".
We are interested in the second line of the result, because there you can see some program instructions: "mov dword ptr…". We have the starting address where this part of the program starts running: 0041E793. Now double-click on this line and you will be dropped directly at address 0041E793, with the program instructions.
Here we can see the program instructions which are executed if a wrong login was made. But! The CPU lands on this program line because an instruction before it told it to do so. Therefore, we have to find the instruction that sent the CPU here. The same thing applies if you analyze the firmware of car audio/video equipment or, as I said before, an oven which has reached its maximum preset heating setting, or whatever…
Let us see who the man is who told the CPU to give us a message about a wrong login and not to let us into the program.
On this line you can see the magic trigger that decides whether we get access to the whole program or are refused. Can you see the command "JZ" on the right side of address 0041E735? That is our magic man. JZ is a conditional jump: here, if the login does not match, execution goes to address 0041E78A. In our case, if you check what is after address 0041E78A, you can see the text "You failed man!…".
IDA Pro shows us several usable pieces of information:
Look at the left side of the picture: the red dotted arrow shows that the program will continue at line 0041E78A and will not execute the program between lines 0041E737 and 0041E785, where our "Congratulation ! You cracked ME! 🙂" text stands, which is what we need.
OK, now we have found the security mechanism in the program CrackMe.exe. The same idea works on other programs or equipment (of course not exactly in the same way as in my CrackMe.exe program). You can read out the firmware from the CPU of the device you have to decode, find the right software like IDA Pro for your type of CPU, let's say a Motorola or a NEC or whatever, and play with it…
Now, our next step is to change something somewhere so that CrackMe.exe lets us in after the login button is pressed.
In other words, if your car radio asks for a code, let's modify the firmware in a way that it never asks for a code, or lets you enter any wrong code and accepts it.
Write down the starting address of the line where you wish to make the change.
It is the line where the JZ command stands, remember? JZ is the security guard, and he decides whether to let us in or not.
That address is 0041E735; write it down or remember it.
Now is the time to open the program HIEW Hackers Eye View. You can download it from here: http://www.hiew.ru/
Open HIEW and load CrackME.exe into it, like in this picture.
Now press F4 on your keyboard and select the DECODE option.
You should get a screen like this:
This is similar to the IDA Pro content, isn't it?
Press F5 to go to the desired address, which in our case is 0041E735.
Be careful with the address. It must be the address 0041E735, and you have to type or paste it like this: .0041E735, with the dot in front of the first zero.
Can you see the JZ again? It is the same as in IDA Pro.
Press F3 to edit CrackMe.exe.
Press F2 to open the window where you can input the new instruction and tell the CPU to retire the JZ worker. Here is the picture of what should be on your screen after pressing F2.
Before the change, the byte at this place in the exe file was 74; now it is 90. Remember the number 90. We will use it later in the hex editor.
Press F9 to save the new code and press F10 to quit HIEW.
NOP is the instruction for No Operation. We changed the program instruction from the comparing instruction to one that does nothing. Now the CPU will not compare what we fill into the login field; after the login button is pressed, it will continue to execute every line after the NOP operation.
Let's start the newly modified CrackMe.exe to see what it does:
Here is the result.
You can play with different types of modification to overcome the security: let's say you can try to send the CPU from address 0041E735 to address 0041E737, or you can find the right username and password too. Who knows, maybe that technique works too… give it a try.
The code can be stored in a database too, or in the EEPROM, but a JZ or similar instruction will compare the input and the stored data. If you have a device with an EEPROM, give it a try: back up the content and erase the whole EEPROM. Some devices will reset themselves to a factory default state. Other devices will give you an error number, which is a similar thing to CrackMe.exe and its failure message…
Let's pretend CrackMe.exe is a car radio which is coded.
From some source you got the code for disabling the security on the car radio. In our case this code is the magic number 90.
If you read out the EEPROM with your EEPROM programmer you get a bin file, a file whose content is written in binary format, the so-called EEPROM dump.
You have to know two things:
- where to write the code, i.e. at which line (offset) to write it
- what to write to the desired location
Let's compare the original CrackMe.exe with the cracked version. This is a simulation of two EEPROM dumps. I use the Compare by content function from TotalCommander.
After comparing the two versions of CrackMe.exe I got this result screen:
As you can see, the left CrackMe.exe has a red 74 and the right CrackMe.exe has a red 90. The right CrackMe.exe is the cracked one.
Let's say the left side is the dump from your car radio which should be unlocked, and the right side is the dump from a car radio which is already unlocked.
Now you have to write the number in place of 74 and save the content to the EEPROM of your device.
Open HxD or any other hex editor with the capability to edit and change content, go to address 1E735 and press OK.
The row starts at 1E730 and the byte is in column 5: 1E730 + 5 = 1E735.
Change the 74 to 90 and save the file by pressing the floppy icon under the Edit menu.
Start CrackMe.exe and you can see the app is cracked; or, in our simulation, the car radio will not ask for a correct code anymore: you can enter whatever code and it will be accepted.
This is the very basic principle of how to get past security in a program on a PC or on whatever device.
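As an added example (my code, not from the original article or from the CrackMe program), the comparison step above can be done with a short Python script: it reports every offset where two dumps differ, translates the offset into the row-plus-column form a hex editor shows (1E730 + 5), and hashes both files, which is the same check a firmware integrity test uses to notice that an image has been altered. The two dumps are constructed inside the script; they are not the real CrackMe.exe.

```python
"""Byte-level comparison of two dumps, like the 'compare by content' step
in the article. Every differing offset is reported together with the
row/column position a hex editor would show (0x1E735 is row 0x1E730, column 5).
"""
import hashlib
from typing import List, Tuple

def diff_dumps(original: bytes, modified: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, original_byte, modified_byte) for each differing byte.
    If one file is shorter, the missing side is reported as -1."""
    diffs = []
    for off in range(max(len(original), len(modified))):
        a = original[off] if off < len(original) else -1
        b = modified[off] if off < len(modified) else -1
        if a != b:
            diffs.append((off, a, b))
    return diffs

def hex_editor_position(offset: int, row_width: int = 16) -> Tuple[int, int]:
    """Split a file offset into the row base and column shown by a hex editor
    with 16 bytes per row: 0x1E735 -> (0x1E730, 5)."""
    return (offset - offset % row_width, offset % row_width)

def describe(diffs: List[Tuple[int, int, int]]) -> List[str]:
    """Render each difference as a human-readable line."""
    lines = []
    for off, a, b in diffs:
        row, col = hex_editor_position(off)
        lines.append(f"offset {off:08X} (row {row:X} + {col}): {a:02X} -> {b:02X}")
    return lines

def sha256_hex(data: bytes) -> str:
    """Hash of a dump; any patched byte changes it, so this is the quick
    integrity check before the slower byte-by-byte comparison."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample dumps (NOT the real CrackMe.exe): a filler image with the
# JZ opcode byte 0x74 at file offset 0x1E735 in the original and 0x90 (NOP)
# at the same place in the modified copy, mirroring the article's screenshot.
PATCH_OFFSET = 0x1E735
ORIGINAL = bytearray(b"\x00" * (PATCH_OFFSET + 16))
ORIGINAL[PATCH_OFFSET] = 0x74
MODIFIED = bytearray(ORIGINAL)
MODIFIED[PATCH_OFFSET] = 0x90

if __name__ == "__main__":
    for line in describe(diff_dumps(bytes(ORIGINAL), bytes(MODIFIED))):
        print(line)
    print("hash changed:", sha256_hex(ORIGINAL) != sha256_hex(MODIFIED))
```

On real dumps, read both files with `open(path, "rb").read()` and pass them to `diff_dumps`; a single reported offset is exactly what the TotalCommander screen above shows in red.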
I hope you enjoyed this article and found it useful.
Note: This article is written for learning and educational purposes only, and I'm not responsible if something is damaged, misused or whatever in a negative sense. Readers have to take full responsibility for whatever action they take based on this article.
This article was prepared for you by Christian Robert Adzic from Novi Knezevac, Serbia.