How to Disassemble a Program with IDA-PRO – Instructions and Examples

Code with C | Programming: Projects & Source Codes Forums Miscellaneous How to Disassemble a Program with IDA-PRO – Instructions and Examples

This topic contains 0 replies, has 1 voice, and was last updated by  GloriaFine 4 months, 2 weeks ago.

  • Author
    Posts
  • #12525

    GloriaFine
    Member

    Would you like to learn how to Disassemble and Reverse a software program ?? Here is guide where you can understand how to do it.

    Tools you will need : IDA – PRO the best Disassembler – Debugger Available, Hexplorer or any Hex Editor, Windows Notepad, and Some knowledge of Assembly Language.

    I have recently posted 3 Programs on this Forum, and I can give detailed information as to how they were Reversed,
    what was changed, and how the code to change was found.

    I use IDA PRO VERSION 6.5 and IDA PRO is posted on this forum, and Hexplorer is available on Sourceforge.

    How about starting with Creature Animation 1-62 Pro a 64 bit Program, and was very easy to crack, or maybe AppyGen 5-5 it’s a 32 Bit App and Game Creator for Mobile Phones, and was not a difficult program, taking less than an hour.

    Gather up your tools, and Lets get started.

    Selected the AppyGen program as the 1st example as it is a 32 Bit Program. Download, and Install the Program.

    On 1st start by Clicking AppyGEN.exe you will see a message box saying: “Please Activate your AppyGEN Copy First”, Click OK, and TurboActivate.exe will be called by AppyGEN.exe for Activation, and will put up an Activation box.

    LESSON 1: Let’s get started by opening, and Disassembling a file with IDA.

    1. Start the 32bit version of IDA by clicking on idaq.exe in the IDA Folder, Click on File, Click on Open, and Open TurboActivate.dll, when IDA opens the File, at messagebox select use Debug Info, but answer no when Ida says search for the Debug Info File as it won’t be found. 
    2. When the Auto Analysis is finished lower left corner then save the Database,
    3. Click on the Exports Tab, and Lets take a look at the Export Functions called by AppyGEN.exe.  You will see Activate : ActivateEx, IsGenuine, and IsGenuineEx.
    4. Click on IsGenuineEx, and you will go to the Function, and see public IsGenuineEx
    5. Select the Text “IsGenuineEx” Right Click, and Copy
    6. Place you mouse below S U B R O U T I N E, and Press the ; semicolon key, and paste the text
    7. The Text will now show up throughout the De-compiled database in all references to the Function, and you can do the same with Labels, and DATA to have a friendly referenced name throughout by creating your own Debug Info
    8. Right Click on: text:10015B81 push ebp, and Select Add Break-point, Now when the Program is run in the Debugger it will stop on the Break-point
    9. You can now run the Program one step at a time by using the F7 Key, or the F8 Key the F8 Key steps over Calls, the F7 key goes in, The F8 key will be the most used key, The F9 key is a let her rip, and run until reaching a break-point.
    10. To run the program you will need to Click on Debugger, and select local Win Debugger, and also Click on Debugger, Process Options and Select the Application that starts the Program AppyGEN.exe. You can’t run a dll, because the dll is called by the exe
    11. DO NOT RUN THE PROGRAM BECAUSE IT IS A HASSLE TO GET TO THE CODE IN AppyGEN.exe, and we will run the Code in lesson 2

    SEE THE CODE BELOW:

    We want to run this code, and not jump. To not jump while running the program in the Debugger : move the mouse to the Next line of code, Right Click, and set the IP Address to that Instruction. IP is the Instruction Pointer Register which is a line Instruction counter.

    ACTIVATION CODE IN AppyGEN.exe

    LESSON 2 : HOW TO FIND THE CODE THAT ACTIVATES THE PROGRAM !

    1. Start the 32bit version of IDA by clicking on idaq,exe in the IDA Folder, Click on File, Click on Open, and Open AppyGEN.exe
    2. When the Auto Analysis is finished lower left corner then save the Database
    3. 1st thing to do when Debugging a program is to find what to change in the Program, and set some Breakpoints to stop at when running using the F9 Key,
    4. Move the Scroll Bar to the start of the Program, and also notice the Colored bar at the top, The pointer should be all the way to the left
    5. The blue is the code section, the yellow brown is the library code, and data on the right side, black is nothing,
    6. Click on Search, Click on Select Text, and check box Find all Occurrences,
      WHAT TO SEARCH FOR EXAMPLES: activate, Activated, trial, serial, license, and in our case Label : aAppygenActivat ; “AppyGEN Activated”
    7. SEARCH FOR aAppygenActivat When the search is finished then open the Tab of the found results
    8. Click on the found text, and you will go to : 00685E8A mov edx, offset aAppygenActivat ; “AppyGEN Activated
    9. Notice the text:00685E70 jz short loc_685E96 LINE above, Right Click on the Line and select Add Break-point
    10. Notice the cmp [ebp+isActivated], 0 Compare Variable isActivated to 0 = false, and Jump is Zero is the next Instruction, WE DON’T WANT TO JUMP !
    11. Notice the mov ecx, offset aTurboactivate_ ; “TurboActivate, exe” on Line below, we don’t want to go there as that is the Activation Box  that we saw when the program was 1ST STARTED, and the Line call @Vcl@Dialogs@ShowMessage was the pop-up message box
    12. Now go to the top of the PROCEDURE, Right Click and Select text : Unit1::softwareactivate
    13. Go to Line below PROCEDURE Press ; semicolon, and Paste the text into the box, Now a reference to this call will show as a ; comment throughout the entire program when it is run, RIGHT CLICK ON TOP LINE, and SELECT ADD BREAK-POINT
    14. To run the Program, Click on Debugger, Select Start Process
    15. The program will break when you hit the top of the Procedure Unit1::softwareactivate Break-point
    16. You can Step through the code using the F8 Key, or run to the next Break point using the F9 KEY
    17. When you get to the Instruction: jz short loc_685E96 then move the mouse to the next line, Right Click, and Select set the IP
    18. Now hit the F9 Key and let the program run, it should start up, and display Activated on bottom of Box
    19. If you get an Exception Pop up Box then Click on Pass Exception to the Program to continue

    In the Next Lesson we will learn how to locate the code that needs to be changed, and how to change it.

    LESSON 3 : HOW TO MODIFY THE FOUND CODE

    The jump that we didn’t do is not the code that needs to be changed to Activate the Program
    SEE CODE BELOW :

    The mov al, 1 is a MOVE 1 = NUMBER 1 to REGISTER al THE NEXT INSTRUCTION IS MOVE THE 1 IN Register AL TO VARIABLE isActivated

    1. 1 = true, and zero = false isACTIVATED must be equal a 1, or true, it is Actiated
      If the program is using this code : If isActivated then Begin ( do this list of instructions ) END ELSE Begin ( do this ) End;
    2. The above example is in Pascal since this program is written in Pascal, and All programing Languages are converted to Hex Numbers by the compiler, and each number Represents an Instruction for the CPU to Process  Assembly Language is an easy to understand Instruction for each Hex Number Instruction
    3. jz is JUMP IF ZERO, A cmp = compare or a test instruction sets the Flags Register, and the JUMP IF ZERO checks if the Zero Flag is set The Hex number 74 Instruction is jz = jump if zero, Hex number Instruction 74 24 is JUMP 24 BYTES AHEAD IF ZERO FLAG IS SET Hex number 75 = jnz A JUMP IF NOT ZERO
    4. In order to not jump we can eliminate the Instruction 74 24 Completely by NOPing it out, the number 90 is a NOP and that stands for NO OPERATION POSSIBLE, We can replace the 74 24 with 90 90, and the CPU will skip over it to the next Instruction in the list A better way to do it is to Change 74 24 to 74 00 jump zero bytes ahead, or don’t jump, but move to the next Instruction
    5. This would be a Crackers Dream, a 1 byte crack, but no such luck, because other functions may check if the isActivated Variable is a 1. So we need to do a couple of Instructions to make sure.
    6. The above Instruction is a 2 byte Instruction, and if you change any Instructions then you must keep the same numbers of bytes, or The program will crash. To change an Instruction from jz, or jnz to JUMP Change the 74 or the 75 to EB which is an unconditional JUMP.
    7. To change a jnz JUMP IF NOT ZER0 to a JUMP which is a ( FAR JUMP more than 256 bytes ) : EXAMPLE: 0F 85 3B 11 00 00 replace the 0F 85 with 90 E9, the 1st Byte is Noped out and the E9 is an Unconditional JUMP, the last 4 bytes is the number of bytes to jump.
    8. The FAR JUMP is a 6 Byte Instruction, and if you replace it with a 2 Byte jmp Instruction then you need to replace the other 4 bytes with 90 90 90 90, or when the CPU executes the next 4 bytes the program will crash
    9. In IDA click on Jump, Click on Jump to Address, and Paste 00685DF1 into the jump box, and place a Break-point on that Address  text:00685DF1 call @Turboactivateunit@TurboActivate@IsGenuine$qqruiuioo ; TurboActivate::IsGenuine
    10. ALSO PLACE A BREAK-POINT ON THE LINE BELOW : WE WILL RETURN TO LINE BELOW ON EXIT OF CALL
    11. This is the call that calls the IsGenuineEx External function in TurboActivate dll.
    12. Run the program until it Breaks at this address, and Press the F7 Key to step into the CALL.
    13. Jump to Address, or Scroll down until you see this code below, and set a break-point. We are going to change the 2 to a 1 later.

    USE THE F8 KEY, or F9 KEY TO RUN THE PROGRAM TO RETURN TO THE LINE BELOW BREAK-POINT WHERE THE CALL WAS ENTERED

    IN THE NEXT LESSON WE WILL LEARN HOW TO CHANGE THE CODE WITH A HEX EDITOR

    LESSON 4 : HOW TO CHANGE THE AppyGEN.exe CODE WITH A HEX EDITOR

    1. We need to make 2 changes to the program to make sure it is Activated Correctly
      One change is to set the Variable isActivated to a 1 = true, and the 2nd change is to Function called because it may be called by other parts of program.
    2. We want the function unit@TurboActivate@IsGenuine to return a 1, since the 2 is Not Activated
    3. The code at address text:00685DF9 checks Var 6 for 0, 1, 2, 4, and we sure as hell don’t want to jump to 685E11 after xor eax, eax because al = 0, and IsActivated will be set to a 0 = not activated. Zero is probably trial, 1 = Activated, 2 = Not Activated, and only the programer knows what the hell a 4 is.
    4. NOW YOU WILL FIND OUT ABOUT NOTEPAD :
      With Mouse Select text from text:00685DA4 ; =============== S U B R O U T I N E TO : text:00685F08 retn
    5. The retn is a Return near, the end of the Function
    6. Copy and Paste the text into a File Named DEBUG,TXT
    7. Place mouse on Following Line and Click: text:00685E0D jmp short loc_685E11 Click on IDA’s Hex View-A Tab, and open the Hex view for Address 00685E0D
    8. Select the whole line, and Press the CTRL and C Key to copy the Line, and Paste it below the text:00685E0D jmp short loc_685E11 Paste it 3 times
    9. The top line is the original Hex code, the 2nd line is the Hex Code we will search for, and the 3rd line is the changed Hex Code
    10. Now remove the address from the 2nd line, and also remove all spaces this is the Hex Code we will search for with Hexplorer

    CHANGE 1 :

    CHANGE 2:

    1. To find the Hex Code open Hexplorer, open File AppyGEN,exe with Hexplorer
      Click on Edit, Click on Find, and paste the Hex Code from Line 2 only the numbers into the Hex Box
    2. Hit F3 key to make sure it’s not found more than 1 time. If it is then reopen IDA Hex View-A, and Copy – Paste, and add the next line of Hex Code to the First, remove the spaces, and search again for 32 bytes of code.
    3. Another way to find .exe File Offset : Open the Hex calculator in Hexplorer, and select Hex
    4. Enter change 1 – IDA FILE OFFSET INTO THE CALCULATOR 00685E0D, and Subtract 400C00 from the offset to get the File Offset,
    5. do the same for change 2 subtract 400C00 from the IDA offset.
    6. Click on View, Click on go to Address, and enter this value into the Box
    7. Verify you have the correct Hex Code to change, and then change it, Do this for both the Changes
    8. Always save a copy of the File you are changing so you don’t have to Re-Install in case you screw up
    9. Save the Debug.txt file, and the IDA Database for reference as you may want to do the next version.
    10. As you watch the code while running a program in the Debugger you will learn, and get better at cracking.

    Congratulations, you have Reversed your 1st Program, and it only took 2 bytes !

You must be logged in to reply to this topic.