Cracking with Ghidra 9
It has been a long time since I cracked some software. I was using W32Dasm, SoftIce and Hex32 back in 1998; they represented the 3 pillars of any respectable reverse engineer and disrespectful cracker. At that time I decided to hibernate the little evil cracker in me to focus on more boring activities, like software development.
20 Years later
The NSA has just released its internal super secret cybersecurity tool, used for the last 10 years to reverse engineer, find bugs and eventually exploit them to hack into evil foreign countries' systems. All this hype woke up the little cracker that I had kept frozen for 20 years :)
In the last 20 years many things have changed: new tools came out (Radare 2, OllyDbg, Hopper, Binary Ninja) and new frameworks (the whole LLVM framework made it so easy to build decompilers!). I feel a little bit emotional when I see IDA Pro is still one of the best tools out there :’(
So I downloaded Ghidra, updated the JDK on my machine, googled for a crackme app to try it out quickly on my macOS, and after 5 minutes I was back in the game.
The crackme, called Sandwich, asks for a serial number; you get an error until you enter the right one. Let’s crack it!
Create a new project in Ghidra (all default options, just choose the project name) and import the application (select the TreeView tab, then drag and drop sandwich.app):
Select the architecture you want to inspect (I will work on the x86 one) by double-clicking on it, and Ghidra will analyse and disassemble the application.
Think like a cracker:
What now? We have what used to be called a dead list (+ORC, how I miss you!); dead list because it is not debuggable: you cannot inspect variables, register values and so on. It is so dead you could even print it and use it as bedtime reading :)
Now we need to find a way to make the application believe the serial number entered is always correct!
There are many possible ways to solve this problem. Sandwich is a very simple crackme app, so I expect that whatever technique we use, it should not take more than 1 minute to crack it. Let’s go for the most obvious way: look for the error message string, then move backwards to the line of code triggering the error.
In the Symbol Tree panel look for labels that look like an error message. “cf_Error!” sounds like a good candidate:
As you can see, cf_Theserialisnotvalid and cf_Tryagain would have been good candidates too. Now right-click on the label, select “Show references to” and go to the line of code referencing this string:
On the left you have the disassembled x86 code, on the right its C language representation from the decompiler. This is great if you are not so familiar with ARM instructions, Dex bytecode or any other architecture you may want to reverse engineer. Look at the C code:
if (cVar1 == 0) {
//bad guy
}
else {
//good guy
}
We need to change the flow here. Now click on the IF statement and the corresponding asm code is selected:
The first line (TEST AL,AL) is the condition and the second line is the jump that is taken only when the condition is false (serial is correct). Change it into a plain jump (just edit it in Ghidra by selecting Patch Instruction), replacing it with a JMP or JZ instruction. I am gonna replace it with a JZ instruction. As you can see, the C code has been updated as well: now if the condition is true (wrong serial) you are a good guy :)
Just save the project, export the patched binary, chmod +x it, place it inside Sandwich.app replacing the original binary, launch it and enjoy the success screen with whatever serial you try! (If by accident you try a correct one you will get an error :) )
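The patch above changes a single opcode byte (JNZ 0x75 becomes JZ 0x74, or JMP 0xEB), which is exactly why shipping a binary without an integrity check is risky. As an added example, not code from the post or from the Sandwich crackme, here is a small Python script a vendor or incident responder could use to verify a build against a known-good hash and, when it fails, locate the flipped branch; the two byte strings are constructed by hand to mimic the TEST AL,AL / JNZ sequence shown in Ghidra, not bytes from sandwich.app:

```python
"""Integrity check plus one-byte branch-flip locator (added example)."""
import hashlib

# x86 short-jump opcodes (rel8 forms) involved in the patch described above.
SHORT_JUMPS = {0x74: "JZ", 0x75: "JNZ", 0xEB: "JMP"}
TEST_AL_AL = b"\x84\xc0"  # encoding of TEST AL,AL

# Constructed sample (not from sandwich.app):
# push rbp; mov rbp,rsp; TEST AL,AL; JNZ +0x10; xor eax,eax; pop rbp; ret
ORIGINAL = b"\x55\x48\x89\xe5\x84\xc0\x75\x10\x31\xc0\x5d\xc3"
# Same bytes with JNZ flipped to JZ, as the post does via Patch Instruction.
PATCHED = b"\x55\x48\x89\xe5\x84\xc0\x74\x10\x31\xc0\x5d\xc3"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Cheapest mitigation: compare the shipped binary with a known-good hash."""
    return sha256_hex(data) == expected_hex


def find_branch_flips(original: bytes, patched: bytes) -> list:
    """List every differing offset; flag the ones where a short jump right
    after TEST AL,AL changed opcode (the exact shape of the crackme patch)."""
    if len(original) != len(patched):
        raise ValueError("size differs: not a simple in-place patch")
    findings = []
    for off, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        finding = {"offset": off, "was": a, "now": b, "branch_flip": False}
        if (a in SHORT_JUMPS and b in SHORT_JUMPS
                and off >= 2 and original[off - 2:off] == TEST_AL_AL):
            finding["branch_flip"] = True
            finding["change"] = f"{SHORT_JUMPS[a]} -> {SHORT_JUMPS[b]}"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    known_good = sha256_hex(ORIGINAL)
    print("integrity ok:", integrity_ok(PATCHED, known_good))
    for f in find_branch_flips(ORIGINAL, PATCHED):
        print(f)
```

Against a real build you would read the two files with `open(path, "rb").read()` and store the known-good hash out of band, since a hash embedded in the binary can be patched just like the jump.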
Conclusion:
Reversing and patching an application has never been so easy! Ghidra 9 is completely free, multi-platform and open source. It can target almost every CPU architecture and it has all the options and tools you may expect from a commercial product, but it cannot be used to debug (debugging being the alternative to Dead Listing Analysis). At the moment, as far as I know, only IDA Pro 8 can both decompile and debug while supporting such a wide variety of architectures. IDA Pro 8 is quite expensive, but if you are a professional I am pretty sure you can afford it.
Ghidra 9 could soon reach the same level as IDA Pro 8 with the help of the open source community. I will give it another try to reverse some Android APK.
It feels so good to be back 20 years later and find such a nice tool! See you soon.