• WinDbg
• CFF Explorer

The second part of the article discusses how to modify binaries that are obfuscated. For simplicity and clarity, I will not use obfuscated binaries. Doing this, allows the reader to understand what is actually happening. In the demo I will completely ignore the name of the methods or the actual, non-obfuscated, code.

I recommend reading the first part, if you didn’t already. It provides some information that might be needed to understand theis second part.

The same ‘TrialApp.exe’ binary is used. The current approach, as opposed the the former one, is:

1. Load the application in debugger and break the execution when the trial message is displayed.
2. Get the call stack
3. Find the address of the trial check method
4. Remove the call

1. Load the application in debugger and break the execution when the trial message is displayed

WinDbg can be obtained for free from Windows SDK (see the Microsoft Downloads website). If you are running a 64 bit OS, make sure you start the 32bit version of WinDbg (should be in Program Files (x86)).

Load ‘TrialApp.exe’ in WinDbg by clicking File -> Load Executable. In order to run it you have 3 options:

1. Type ‘g’ and press ENTER
2. Press F5
3. Click Debug -> Go

The application will start and the execution will stop when the message box is displayed. Is actually waiting for the user to click OK. At this point break the execution by pressing Debug -> Break.

Before being able to debug the .NET application, 2 DLLs needs to be loaded. They help the debugger ‘understand’ the .NET internals. The actual paths might differ on your configuration. Anyway, make sure you load the 32 bit version of these files (the 64 bit version are in the Framework64 folder). The .load command loads external libraries.

.load c:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll
.load c:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

2. Get the call stack

A call stack is associated with a thread. Before getting the stack we need to figure out which is the thread for which we want it. Execute the following command and inspect the output…

!threads

There are two thread having IDs 0 and 2. Is quite easy to decide which is the main thread since just one of them is Single Thread Apartment (STA). Switch to the main thread and display the CLR stack using the following commands:

~0s
!clrstack

3. Find the address of the trial check method

OK! You’re still with me? If yes, then take a look at the result of the last command. It displays the call stack of the main thread. Notice that OnCreateControl calls OnLoad, OnLoad calls From1_Load, etc. In the case of obfuscated code, the name would probably be strange and you would have to analyze each method in depth. Because the code was JIT compiled the call to the trial check was inlined.

Let’s take a look at the IL code for Form1_Load. To do this, first we need the address description of the MethodDesc structure of method. The ip2md command returns the structure. The argument is the IP address of the method. After this, just dump the IL for the address specified in MethodDesc. I want to make on observation here: if you look at the MethodDesc structure you can see the mdToken field. This field specified the table and the row in the table for the this method (the row corresponding to this method is the 6^th, because the index starts at 0).

!ip2md 003f01f9
!dumpil 00176304

In case of obfuscated code, you would probably see just a call instruction to some cryptic method. It makes no difference. We can see that at IL_0001 (relative to the start of the method) we have a call and this instruction uses 5 bytes in the file (0006-0001 = 0005; in hex)).

Having the size of the instruction, its position and the row of the method in the methods table we can proceed further. Open CFF Explorer and load the assembly.

Navigate to .NET Directory -> MetaData Streams -> #~ -> Tables. Look for the Method table in the new tree and select the entry with number 5. Copy its RVA value.

4. Remove the call

With the RVA in hand (on clipboard :-) ), remove the call just like in the first part of the article. Replace the call bytes with zeros. One observation: we must also remove the instruction before the call (ldarg_0; opcode 02; no arguments). So, zero 6 bytes starting at the first in the method.

In other words, replace:

00 00 0A 02 28 08 00 00 06 2A 1E 02 28 06 00 00
06 2A 66 02 7B 02 00 00 04 2C 10 72 01 00 00 00

with

00 00 0A 02 28 08 00 00 06 2A 1E 00 00 00 00 00
00 2A 66 02 7B 02 00 00 04 2C 10 72 01 00 00 00

Run the application. The trial check is gone.

Before reading any further you should understand that each protection measure (as long as the cracker can access the source code) is useless. Is just a matter of time, for a motivated person, before she will bypass any protection.

For the demo, we are going to use a very simple Windows Forms Application that will display a message box with a trial message and will exit after that. The goal is to show a few techniques that will prevent the application from exiting (and will remove the trial message).

The code for the ‘trial’ application is kept in just one class. There is just one variable for checking the trial and we’ll consider that is always true – it makes no difference if there was a function call to determine if the trial has expired.

public partial class Form1 : Form
{
    bool hasExpired = true;

    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        CheckTrialApp();
    }

    private void CheckTrialApp()
    {
        if (hasExpired)
        {
            MessageBox.Show("Trial has expired");
            Application.Exit();
        }
    }
}

The binary used was compiled on the x86 Release configuration with VS2010 having .NET 4.0 as target framework. The IL Disassembler from VS2010 and a free application called CFF Explorer are used to view and edit the binary.

Opening the ‘TrialApp.exe’ file (the target binary) in IL Dissasembler will reveal all the statements from each method. This is important but, more important is the RVA of the method containing the trial check, the bytes for each statement and their position relative to the RVA.

By knowing the RVA you are able to navigate to that address using CFF explorer and locate the bytes for the calls. Even without seeing the actual bytes, one is able to locate the calls (and their length) by looking at the offsets (ie: the byte 2C is located 0006 bytes from the beginning of the implementation) – more on this in Part2.

Having access to all this information gives not one but many possibilities of bypassing the trial check:

1. Remove the two calls to Application.Exit and MessageBox.Show.
2. Change the if check.
3. Remove the ‘CheckTrialApp’ call from ‘Form1_Load’.

This post will cover just the first two possibilities, since the third is similar to the first.

1. Remove the calls to Exit and Show

The bytes from the method implementation:

         02 7B 02 00 00 04 2C 10 72 01 00 00 70
28 16 00 00 0A 26 28 17 00 00 0A 2A

A call to a method has the opcode 28. The next 4 bytes following the opcode represent the location of the method in the methods table (you can see this table using CFF explorer).

Now here comes the magic: in order to remove the calls to Exit and Show, one must  replace with NOP, all the bytes associated with these methods. Basically we are going the introduce a NOP byte (00) for each byte in the call.

         02 7B 02 00 00 04 2C 10 72 01 00 00 70
00 00 00 00 00 26 00 00 00 00 00 2A

That’s all. Save the file and the trial is bypassed.

2. Change the if check

If you look in the disassembled IL you can see that at offset 0×6 we have a brfalse.s opcode. This is a branch instruction that will branch to offset 0×18 (IL_0018) if false. However, in the case of ‘TrialApp’, since hasExpired is always true, the branch will never take place and the code following it will be executed.

In order to change the meaning of the code – in other words “give the trial message if the application has NOT expired” – the check will be changed. Currently, is checking against false using the instruction brfalse.s, having the opcode 2C. By looking on MSDN, the opcode for brtrue.s can be found: 2D. Replacing 2C with 2D will make the branch happen always.

The method inside the binary, after replacing the brfalse.s opcode:

         02 7B 02 00 00 04 2D 10 72 01 00 00 70
28 16 00 00 0A 26 28 17 00 00 0A 2A

That’s all. The message box will not be displayed since the body of the if statement is no longer executed.

There are some techniques that will make cracking difficult. Obfuscating the code is one of them. However, part 2 of this article will cover the modification of obfuscated binaries.

Maybe you don’t have problems like the one above but I am having problems with an Western Digital 500GB Essential Edition connected to the router so I decided to upgrade it’s firmware to a DD-WRT version (v24 std final). It’s a small Linux distribution that can be installed on many routers.

It brings a lot of new features:

• Advanced banwidth management
• DDNS support
• Ad network support
• Hotspot support
• MAC Address Clone
• Advanced DHCP options
• Advanced Wireless configuration (mode, frequency, encryption, mac filter, etc)
• XBOX and PSP connection
• System log, traffic log, network map
• SSH connection
• A lot of filters for MAC, hostname, IP, etc.
• Overclocking (!)
• New web UI
• Wake On Lan
• etc.

See the difference between the classic Asus firmware and DDWRT:

This guide is for Asus but a similar process can be applied to any router from the Supported Hardware List. Step 1 and 2 are different but the others are the same.

Very important: Before you read any further and/or try a firmware upgrade note that I am not responsible for any hardware/software/human (hope not) damages/injuries. Try to be sure that you have a backup supply for the router and PC because a power shortage in the middle of the upgrade process makes your router useless!

I recommend to read the entire guide before you try anything.

Before you begin make sure that you have the following:

1. Asus WL500G Premium :)
2. Windows Xp (I was not able to upgrade from Vista – Asus utilities are quite stupid)
3. A pencil or pin because the reset button is almost impossible to be pressed with the finger.
4. The original firmware from Asus Download (in case of upgrade failure)
5. DD-WRT Firmware. Today, when I’m writing this post, the latest version is v24 final. Download it from here. I recommend “std generic” version.
6. Asus Utility from the router CD or Asus download center.
7. Putty or some other telnet client.
8. Network cable (upgrade cannot be done by wireless!)
9. Administrative rights on the workstation connected to the router.
10. Some UPS for router and PC.
11. Internet connection.
12. Optional: external USB Drive (HDD, memory stick or card reader with card)

Step 1 (preparing the router):

Reset the router to it’s default settings by holding the reset button – on the back of the unit – pressed for aprox. 5 seconds until the power led flashes.

Connect the network cable to router (one of the LAN ports) and PC. Set your PC IP address to 192.168.1.1 . The last “1″ (one) can be replaced with any number between 1 and 254.

Step 2 (installing the ddwrt firmware):

Disable the firewall on the PC from which you are upgrading and start Asus Firmware Restoration with administrative rights.

Now we need the router in Restore Mode. Unplug the power cord; press and hold (!!) the reset button while plugging the power cord. The power led should blink slowly.

In the firmware restoration utility select the bin file downloaded from ddwrt, choose upload and hope for success. Do not interrupt the process!!

After the process is complete the unit reboots. Start a web browser and type http://192.168.1.1 . If you see a popup window asking for credentials than you have done it. If not… you are quite unlucky :(

The default credentials for DDWRT are root/admin (user/password).

Step 3 (web interface configuration from DDWRT):

Configure whatever you need in the web interface and set the internet connection.

Asus WL500G Premium has 8 MB of ROM memory and the std version of the firmware uses ~3.6. We need to be able to use the rest of the space for the installation of drivers and other needed application.

The remaining space from ROM is called JFFS (Journalling Flash File System) and needs to be cleared before you can write on it.

Log in to the web interface of the router, go to Administration tab and choose on JFFS2: Enable and on Clean JFFS2: Enable. Apply the settings and reboot the router.

You should see, after reboot, that JFFS2 has some free space (the value might differ).

Step 4 (installing software – telnet)

Install and start Putty. On protocol choose Telnet and type the IP of the router (default is 192.168.1.1). When asked for credentials, the user name is “root” whether you changed it or not and the password is the one that you have set from web interface or “admin” by default.

ipkg is the application used for software installation and upgrade. The first thing that must be done is to update this application. For this type “ipkg update” in the console. If errors appear make sure that you are connected to Internet and restart the router.

Step 4.1 (USB and ext3 drivers):

Because ddwrt does not include USB drivers we need to manually install them. For this type the following command “ipkg -force-depends install kmod-usb-core kmod-usb2 kmod-usb-storage“. If this command fails try it again – I had problems with it the first time.

If you are planning to add an USB drive that this one must be formated as ext2, ext3 or fat32. I recommend ext3 and if the drive is an HDD partition it like this: first partition 1 GB for optware (you’ll see in a few moments what is this) and the rest as one big partition. Let’s install the ext3 drivers “ipkg install kmod-ext3″. Replace ext3 with “ext2″ or “vfat” for other file systems.

Step 4.2 (prerequisites):

Not needed if no USB storage drive is available or don’t want Optware.

We are going to use the first partition from the HDD to store optware. For this, mount the partition in the opt folder: “mount -t ext3 -o noatime /dev/discs/disc0/part1 /opt“.

Let’s install Optware: “wget http://pastebin.ca/raw/876251 -O – | tr -d ‘\r’ > /tmp/optware-install.sh” and then “sh /tmp/optware-install.sh“.

Output should be like this:

Checking system config ...
Using 192.168.1.1 as default gateway.
Using the following nameserver(s):
nameserver 192.168.1.30
Warning: local nameserver is different than gateway!
Check config or enter:
  sed -i s/192.168.*/192.168.1.1/ /tmp/resolv.conf
to correct this.
Installing package uclibc-opt_0.9.28-13_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org[140.211.166.82]:80
uclibc-opt_0.9.28-12 100% |***********************************************|   832 KB 00:00:00 ETA
Updating /opt/etc/ld.so.cache
/opt/sbin/ldconfig: can't create /opt/etc/ld.so.cache~ (No such file or directory)
Installing package ipkg-opt_0.99.163-9_mipsel.ipk ...
Connecting to ipkg.nslu2-linux.org[140.211.166.82]:80
ipkg-opt_0.99.163-9_ 100% |***********************************************| 75896    00:00:00 ETA
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/Packages.gz
Inflating http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/Packages.gz
Updated list of available packages in /opt/lib/ipkg/lists/optware
Successfully terminated.
Installing uclibc-opt (0.9.28-12) to /opt/...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/uclibc-opt_0.9.28-12_mipsel.ipk
package uclibc-opt suggests installing ipkg-opt
Configuring uclibc-opt
Updating /opt/etc/ld.so.cache
Successfully terminated.
Installing ipkg-opt (0.99.163-9) to /opt/...
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ddwrt/cross/stable/ipkg-opt_0.99.163-9_mipsel.ipk
Configuring ipkg-opt
Successfully terminated.

Step 4.3 (create a startup script that loads the modules):

This step is not necessarily if you don’t want to share a printer and/or usb storage drive from router.

Now we have installed the modules but we want them to load when the router starts. Also we are going to mount the partitions and load any optware application from the /opt folder.

Originally created for the Linksys NSLU2 Unslung firmware, Optware is the name of the additional software packages available.

Start a telnet session. We are going to use “vi” text editor. A few vi commands that we are going to use are:

• press “i” once to enter the edit mode.
• press “esc” once to exit de edit mode.
• press “d” + “d” while not in edit mode to delete a line.
• type “:wq” while not in edit mode to exit and save.

For additional commands see http://www.cs.colostate.edu/helpdocs/vi.html.

First create a folder named “config” in /jffs/etc with the command “mkdir /jffs/etc/config“.

Now in this folder we are going to place our startup script (named “usb.startup”). Let’s create a new file with vi: “vi /jffs/etc/config/usb.startup“. Please note that anything that is after a “#” until the end of the line is comment and will be ignored; you can also not write that lines. Press “i” to enter the edit mode and type the following:

(
unset LD_PRELOAD
export PATH=/bin:/usr/bin:/sbin:/usr/sbin
export LD_LIBRARY_PATH=/lib:/usr/lib
echo "Inserting modules for USB disk support..."
insmod  /jffs/lib/modules/2.4.30/usbcore.o
insmod  /jffs/lib/modules/2.4.30/ehci-hcd.o
insmod  /jffs/lib/modules/2.4.30/scsi_mod.o
insmod  /jffs/lib/modules/2.4.30/usb-storage.o
insmod  /jffs/lib/modules/2.4.30/sd_mod.o
insmod  /jffs/lib/modules/2.4.30/jbd.o
#Change the following line is using another filesystem or remove it if you don't have external drive
insmod  /jffs/lib/modules/2.4.30/ext3.o
echo "Waiting for modules to initialize disk access..."
sleep 20
export LD_LIBRARY_PATH=/jffs/lib:/jffs/usr/lib
export PATH=/jffs/bin:/jffs/sbin:/jffs/usr/sbin:/jffs/usr/bin:/bin:/sbin
echo "Mountint disk partitions..."
export LD_LIBRARY_PATH=/lib:/usr/lib
mount -t ext3 -o noatime /dev/discs/disc0/part1 /opt
mount -t ext3 -o noatime /dev/discs/disc0/part2 /mmc
# provide Optware search paths
unset LD_LIBRARY_PATH
export PATH=/opt/bin:/opt/sbin:/bin:/sbin:/usr/sbin:/usr/bin
echo "Starting Optware programs..."
if [ -d /opt/etc/init.d ]; then
    for f in /opt/etc/init.d/S* ; do
        [ -x $f ] && $f start
    done
fi
) > /tmp/optware.log 2>&1

Press “esc” and type “:wq” to save and exit.

The result of the script can be seen, after reboot in “/tmp/optware.log”. Just open this file with vi.

Just making this file will not load it at startup. We need to mark it as executable: “chmod +x /jffs/etc/config/usb.startup“.

After making this, go to the web interface in Administration -> Commands and type:

for I in `/bin/ls /jffs/etc/config/*.startup`
do
    sh $I &
done

Choose “Save startup”. Now the router will load any file ending with “.startup” from /jffs/etc/config.

Step 5 (almost done – installing Samba):

Samba is an application that will allow you to share the USB drive connected to the router as a network drive. (cool, huh? :) )

Reboot your router and then after this start a telnet session. Type the following commands, one at a time:

/opt/bin/ipkg update
/opt/bin/ipkg install samba2
/opt/bin/ipkg install xinetd
/opt/etc/init.d/S10xinetd start
/opt/etc/init.d/S80samba start

Reboot.

Step 6 (configure Samba):

Samba’s default port is 901 so type in a browser “http://your.router.ip:901″ (default is http://192.168.1.1:901″) and the credentials are “root” for user, whether you changed it or not, and the password is the one you provided in ddwrt web interface (default is “admin”).

In the globals tab choose “root” for the guest account and press “Commit changes”. Not doing this will not allow you to write to the network drive.

Now make folders and share them :)

Done.

Step 7 (troubleshooting):

If you have any problems please feel free to contact me or write on ddwrt forum. Some more detailed guides and advanced topics can be found here.

DD-WRT Installation on other devices

DD-WRT USB Storage Guide

Optware Installation Guide