Testing a new app mission


Testing a new app mission

Post by sanddbox on Sat Jan 29, 2011 5:07 pm

Proxy post; see below.


Re: Testing a new app mission

Post by Wells on Sat Jan 29, 2011 5:10 pm

Hi guys.

I've just spent the day creating a new application challenge, and I need some testers to try and pass it. This is to get a gauge on the difficulty and to perhaps offer some more clues in the final version that goes on the HTS site.

Here is the link to the Windows application: http://dl.dropbox.com/u/4282405/app19.zip

You will need .NET 3.0 or later to run the front-end GUI app. Don't worry though, you won't have to be stepping through MSIL or anything, the actual license validation is done in a native DLL written in C.

If people have problems with the .NET requirement let me know and I might be able to create a straight win32 version. You could even write a program to call the DLL's verification function yourself if you know how. In fact that could make the challenge more interesting.... just a verification .dll, no .exe at all. What do you think?

Anyway, you have to generate a valid license file just like in app18. The license file must use your HTS user name for when you upload to the site (which isn't available yet). If the app tells you the file is valid with no patching, then you have succeeded.

I will post more information and hints soon.

-- Sat Jan 29, 2011 5:36 pm --

PS: Here are some hints/starting points if you get stuck:

http://dl.dropbox.com/u/4282405/app_19_hints.txt

UPDATE

I updated the app so it only requires .NET 3.0. This should be on pretty much any XP or later machine so you shouldn't have problems running it anymore. Let me know how it goes.

UPDATE 2

I just added a little run-time code modification/decryption. That should keep you on your toes :)


Re: Testing a new app mission

Post by mainhax on Sat Aug 06, 2011 2:57 pm

Great challenge - I was able to complete it without any of your hints, but it was considerably harder than 17/18. I was a bit saddened that I was able to find the (high-level) file structure in text format inside the binary, but I found it so late it only did me good to get names.
After having spent an hour on the key generation, the last check in HTSVerifyUserLicense was mind-boggling; I ended up bruteforcing it. I would like to create a solution that reverses it somehow, instead of bruteforcing it. :)
Just a note though - you are leaking a file handle and some memory in HTSVerifyUserLicenseFile if the license file does not get parsed correctly.

EDIT: Of course now I read your hints - apparently this was the correct way. There must be a better way. Oh btw you can LoadLibrary your key_verification.dll and simply use your methods and then write a bruteforcer - that's easy if you don't want to write your own key generation routines. I chose to write my own though. :P


Re: Testing a new app mission

Post by mShred on Sat Aug 06, 2011 3:08 pm

mainhax wrote:
Great challenge - I was able to complete it without any of your hints, but it was considerably harder than 17/18. I was a bit saddened that I was able to find the (high-level) file structure in text format inside the binary, but I found it so late it only did me good to get names.
After having spent an hour on the key generation, the last check in HTSVerifyUserLicense was mind-boggling; I ended up bruteforcing it. I would like to create a solution that reverses it somehow, instead of bruteforcing it. :)
Just a note though - you are leaking a file handle and some memory in HTSVerifyUserLicenseFile if the license file does not get parsed correctly.

EDIT: Of course now I read your hints - apparently this was the correct way. There must be a better way. Oh btw you can LoadLibrary your key_verification.dll and simply use your methods and then write a bruteforcer - that's easy if you don't want to write your own key generation routines. I chose to write my own though. :P

I think Wells will be flattered to hear this. Good job though.


Re: Testing a new app mission

Post by mainhax on Sat Aug 06, 2011 3:17 pm

mShred wrote:
mainhax wrote:
Great challenge - I was able to complete it without any of your hints, but it was considerably harder than 17/18. I was a bit saddened that I was able to find the (high-level) file structure in text format inside the binary, but I found it so late it only did me good to get names.
After having spent an hour on the key generation, the last check in HTSVerifyUserLicense was mind-boggling; I ended up bruteforcing it. I would like to create a solution that reverses it somehow, instead of bruteforcing it. :)
Just a note though - you are leaking a file handle and some memory in HTSVerifyUserLicenseFile if the license file does not get parsed correctly.

EDIT: Of course now I read your hints - apparently this was the correct way. There must be a better way. Oh btw you can LoadLibrary your key_verification.dll and simply use your methods and then write a bruteforcer - that's easy if you don't want to write your own key generation routines. I chose to write my own though. :P

I think Wells will be flattered to hear this. Good job though.


Heh thanks - it was a great deal of fun!


Re: Testing a new app mission

Post by Wells on Tue Aug 09, 2011 12:08 pm

mainhax wrote:
Great challenge - I was able to complete it without any of your hints, but it was considerably harder than 17/18. I was a bit saddened that I was able to find the (high-level) file structure in text format inside the binary, but I found it so late it only did me good to get names.
After having spent an hour on the key generation, the last check in HTSVerifyUserLicense was mind-boggling; I ended up bruteforcing it. I would like to create a solution that reverses it somehow, instead of bruteforcing it. :)
Just a note though - you are leaking a file handle and some memory in HTSVerifyUserLicenseFile if the license file does not get parsed correctly.

EDIT: Of course now I read your hints - apparently this was the correct way. There must be a better way. Oh btw you can LoadLibrary your key_verification.dll and simply use your methods and then write a bruteforcer - that's easy if you don't want to write your own key generation routines. I chose to write my own though. :P


Really glad to hear someone has done it! Hopefully it can be put on the actual site soon and you can get points.

I know the .dll functions are public and can be LoadLibrary'd - I thought I'd leave that in as an alternative route. The extra check is meant to be brute forced, I don't see how you can 'reverse' that. It was meant to be a little surprise for anybody trying to generate a key by choosing an arbitrary seed and letting the program generate the key for them.

Thanks for the information on the leaks, I won't bother to fix them now although I'll add that to a TODO in case I need to release any fixes/updates in the future.

FYI there's also a timing attack in the key verification code (it exits early instead of iterating the entire key) which I never bothered to fix. I don't think it's a viable thing to attack though.

Cheers,

Wells

EDIT:

If you PM me a license file I can arrange to have points given to you :)


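The early exit mentioned in the last post, shown next to a constant-time comparison, as an added example that is not part of the thread or of the challenge's code. The function names, the 8-byte key length and the sample bytes are constructed, and the `steps` counter stands in for the running time an observer would measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical early-exit check: returns 1 on match. *steps records how many
 * bytes were examined, standing in for the running time an observer measures. */
static int verify_early_exit(const uint8_t *key, const uint8_t *expected,
                             size_t len, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        if (key[i] != expected[i])
            return 0;            /* stops at the first wrong byte */
    }
    return 1;
}

/* Constant-time form: always walks all len bytes and folds differences
 * into one accumulator, so the work done is independent of the data. */
static int verify_constant_time(const uint8_t *key, const uint8_t *expected,
                                size_t len, size_t *steps)
{
    volatile uint8_t diff = 0;   /* volatile discourages short-circuiting */
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        (*steps)++;
        diff |= (uint8_t)(key[i] ^ expected[i]);
    }
    return diff == 0;
}

/* Constructed sample data, not taken from the challenge. */
static const uint8_t EXPECTED[8]   = {0x10,0x22,0x35,0x47,0x58,0x6a,0x7b,0x8c};
static const uint8_t WRONG_AT_0[8] = {0xff,0x22,0x35,0x47,0x58,0x6a,0x7b,0x8c};
static const uint8_t WRONG_AT_5[8] = {0x10,0x22,0x35,0x47,0x58,0xff,0x7b,0x8c};

int main(void)
{
    size_t a, b;
    verify_early_exit(WRONG_AT_0, EXPECTED, 8, &a);
    verify_early_exit(WRONG_AT_5, EXPECTED, 8, &b);
    printf("early exit:    %zu vs %zu bytes examined\n", a, b);
    verify_constant_time(WRONG_AT_0, EXPECTED, 8, &a);
    verify_constant_time(WRONG_AT_5, EXPECTED, 8, &b);
    printf("constant time: %zu vs %zu bytes examined\n", a, b);
    return 0;
}
```

In the early-exit version the work done grows with the length of the correct prefix, which is the signal a timing measurement picks up; the constant-time version does the same work for every input of a given length.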
