Homework 4: l337 h4xx0r 5killz - cracking a protected binary

In this homework, we learn about the structure of binary programs by practicing our reverse-engineering skills. A binary program is provided (unique to each student). The program is meant to accept a license key on the command line, verify the key locally, and then call in to a server for activation, after which point the program runs.

Unfortunately, you seem to have misplaced your license key. Thus....

Your mission, should you choose to accept it, is to subvert this program into running correctly without a correct license key, and to do so without calling in to the activation server, revealing your top-secret location.

More specifically, you are to modify this binary executable and library, changing only a few bytes of the provided binary, to make it appear to work normally, except that it accepts any license key, and does not contact the activation server when run.

Getting Started Cracking

There is no source code provided, nor are you expected to turn in source code for this homework. Instead, we analyze and modify an existing binary. Our main tools for this job: gdb, objdump --disassemble, and readelf -a to analyze and reverse-engineer the program. To edit the program, you may use your hexadecimal editor of choice.

One nice hex editing solution is this: convert the binary to an editable ASCII file with xxd. Edit the file with any editor. Convert back to binary with xxd -r. Don't forget to chmod +x the final file if you want to run it, xxd doesn't do that by default.

One or more of the protection mechanisms in this homework are incompatible with the new address space randomization system in Linux. This makes the template binary crash. Always run your program like this:

LD_LIBRARY_PATH=. setarch `uname -m` -R ./hw4

Note: you are expected to edit the binary executable and library, not produce a binaries by reverse-engineering and re-writing in C, nor by disassembling and reassembling. We'll compare the turned-in binary to the original with cmp, and we expect to see only several modified bytes.

A bit of help along the way

The supplied program contains four protection mechanisms that you need to subvert. After you have subverted the first one (a simple key check), the program outputs

License key valid, thank you.

The second one dynamically updates a GOT entry to make the program call real_server_license_validation, which is what you want, instead of what the entry points to in the binary. After you have subverted the second one (this could happen in one step, depending on your approach), it outputs:

Everything seems to be in order. Moving along to server license key validation.

Your program then "activates" with the license server, which reports activations on this page: http://bits.cs.uic.edu/cs361/activations.txt

You'll note that the server accepts any license key. However, the most insidious aspect of the report is the IP address, which identifies you as the license violator, and which is not within your control to change. You must stop this activation from happening. Important function calls for the network activation are connect() and send().

However, you'll find that simply skipping the network activation step results in a broken program: the server sends back binary code with crucial functionality as part of the activation process. You need to capture this binary code, and store it permanently in your program so it can run without activation.

Without the code from the server, the program crashes or doesn't do anything. With the code, it displays a little ASCII animation.

The cracked binaries differ in roughly 20 bytes total, and the program runs without activating with the server.

New checkout and turn-in instructions

For this homework, a new directory has already been created in your turn-in folder, called hw4. To retrieve it, go to your turn-in folder and type svn up. The folder contains a binarie (hw4) and a shared library (lib.so). It may be a good idea to keep a copy of the original files around for reference, though if you misplace them, it's always available through svn.

Make your changes to hw4, and lib.so and svn commit when finished. In addition, create a new file called "patches_applied.txt", where you describe each change you made briefly, in the format , like this:

hw4: 0af8-0b70 replaced foo with bar to make a better foobar