
Homework 4: l337 h4xx0r 5killz - cracking a protected binary

In this homework, we learn about the structure of binary programs by practicing our reverse-engineering skills. A binary program is provided (unique to each student). The program is meant to accept a license key on the command line, verify the key locally, and then call in to a server for activation, after which point the program runs.

Unfortunately, you seem to have misplaced your license key, and no matter how many different keys you try, you can't find a key that works. Thus....

Your mission, should you choose to accept it, is to subvert this program into running correctly without a correct license key, and to do so without calling in to the activation server, revealing your top-secret location.

More specifically, you are to modify this binary executable, changing only a few bytes of the provided binary, to make it appear to work normally, except that it accepts any license key, and does not contact the activation server when run.

Getting Started Cracking

There is no source code provided, nor are you expected to turn in source code for this homework. Instead, we analyze and modify an existing binary. Our main tools for this job are gdb, objdump --disassemble, and readelf -a, used to analyze and reverse-engineer the program. To edit the program, you may use your hexadecimal editor of choice.

One nice hex editing solution is this: convert the binary to an editable ASCII hex dump with xxd. Edit the file with any editor. Convert back to binary with xxd -r. Don't forget to chmod +x the final file if you want to run it; xxd -r doesn't set the execute bit by default.

One or more of the protection mechanisms in this homework are incompatible with address space layout randomization (ASLR) in Linux. This makes the template binary crash unless randomization is disabled. Always run your program like this:

LD_LIBRARY_PATH=. setarch `uname -m` -R ./hw4

Note: you are expected to edit the binary, not produce a new binary by reverse-engineering and re-writing in C, nor by disassembling and reassembling. We'll compare the turned-in binary to the original with cmp, and we expect to see only a few modified bytes.

A bit of help along the way

The supplied program contains four protection mechanisms that you need to subvert. After you have subverted the first one (a simple key check), the program outputs

License key valid, thank you.

The second one dynamically updates a GOT entry to make the program call real_server_license_validation, which is what you want, instead of what the entry points to in the binary. After you have subverted the second one (this could happen in one step, depending on your approach), it outputs:

Everything seems to be in order. Moving along to server license key validation.

Your program then "activates" with the license server, which reports activations on this page: (not yet active)

Here, the most insidious aspect of the report is the IP address, which identifies you as the license violator, and which is not within your control to change. You must stop this activation from happening. Important function calls for the network activation are connect() and send().

However, you'll find that simply skipping the network activation step results in a broken program: the server sends back binary code with crucial functionality as part of the activation process. You need to capture this binary code, and store it permanently in your program so it can run without activation.

Without the code from the server, the program crashes or doesn't do anything. With the code, it displays a little ASCII animation.

The cracked binary differs from the original in fewer than 20 bytes, and runs without activating with the server.

New checkout and turn-in instructions

For this homework, a new directory has already been created in your turn-in folder, called hw4. To retrieve it, go to your turn-in folder and type svn up. The folder contains two binaries (orig and hw4), a shared library, and a Makefile. Note that orig and hw4 are unique to your netid in several ways.

Make your changes to hw4, and svn commit when finished. In addition, create a new file called "patches_applied.txt", where you briefly describe each change you made, one line per change, giving the hex offset range followed by a short description, like this:

0af8-0b70 replaced foo with bar to make a better foobar
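The xxd round trip described under "Getting Started Cracking", the cmp comparison used at grading time, and the offset ranges expected in patches_applied.txt can all be exercised with a few shell functions. The script below is an added example, not part of the hw4 materials: it dumps a file with xxd, rebuilds it with xxd -r, counts the bytes that differ from the original with cmp -l, and prints the differing offsets in zero-based hex (the numbering xxd shows) so they can be copied into patches_applied.txt. The file names orig, hw4 and hw4.hex follow the assignment; the 32-byte "binary" in the demo is constructed here and is not a real hw4 binary, and the bytes written into it are arbitrary.

```shell
#!/bin/sh
# Added example: xxd edit round trip plus a cmp-based byte budget check.
# Not part of the course materials; demo data below is constructed.
set -e

# Dump a binary to an editable hex listing (16 bytes per line).
hex_dump() {
    xxd "$1" > "$2"
}

# Rebuild a binary from the (edited) listing and restore the execute bit,
# which xxd -r does not set.
hex_restore() {
    xxd -r "$1" > "$2"
    chmod +x "$2"
}

# Number of bytes that differ between two files. cmp -l prints one line per
# differing byte and nothing when the files are identical.
count_diff_bytes() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Differing offsets as zero-based hex (xxd's numbering), followed by the old
# and new byte values in octal exactly as cmp prints them. Each output line is
# the raw material for one patches_applied.txt entry.
diff_offsets_hex() {
    cmp -l "$1" "$2" 2>/dev/null | awk '{ printf "%04x %s -> %s\n", $1 - 1, $2, $3 }'
}

# "ok" when the patched file stays under the assignment's budget of 20
# modified bytes, "over" otherwise.
within_budget() {
    n=$(count_diff_bytes "$1" "$2")
    if [ "$n" -lt 20 ]; then echo ok; else echo over; fi
}

# Demonstration on a constructed file (not the real orig/hw4). Prints the
# number of bytes the rebuilt copy differs in, which should be 2.
demo_roundtrip() {
    work=$(mktemp -d)
    # Constructed 32-byte "binary": 16 bytes of 0x41 then 16 bytes of 0x90.
    printf 'AAAAAAAAAAAAAAAA' > "$work/orig"
    printf '\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220' >> "$work/orig"
    hex_dump "$work/orig" "$work/hw4.hex"
    # Stand-in for hand editing: overwrite bytes 0x0004-0x0005 with 0x42 0x42.
    sed 's/^00000000: 4141 4141 4141/00000000: 4141 4141 4242/' "$work/hw4.hex" > "$work/hw4.edited.hex"
    hex_restore "$work/hw4.edited.hex" "$work/hw4"
    count_diff_bytes "$work/orig" "$work/hw4"
    diff_offsets_hex "$work/orig" "$work/hw4" >&2
    rm -rf "$work"
}

# Run the demo only where xxd (shipped with vim) is installed.
if command -v xxd >/dev/null 2>&1; then
    echo "bytes changed in demo: $(demo_roundtrip)"
fi
```

Before committing, `count_diff_bytes orig hw4` tells you whether the turned-in file is still within the byte budget, and `diff_offsets_hex orig hw4` lists every changed offset so nothing is left out of patches_applied.txt. Byte values are printed in octal because that is what cmp -l emits; the offsets are what matter for the write-up.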

Topic revision: r3 - 2013-09-17 - 07:53:45 - Main.jakob