pimpinjg
Tools used: 010 Editor, IDA, and Sora Engine (a modified Cheat Engine... I used it to find the hex values for ASM operations).


Title: Cracking a linux application

Application: LiteSpeed 3.3.3

Tools:
IDA Pro Advanced (32-bit)
Any HexEditor



Welcome to cracking litespeed

Before we start actually doing anything you're going to need a couple of things: IDA Pro Advanced and, of course, a hex editor. I'm using 010 Editor.

----

Next you're going to need to download the latest version of LiteSpeed, so let's do that now.

Once you have it you're going to need a trial key to use that has already expired... you can get one here:

http://rapidshare.com/files/131728554/trial.key.html


Once you've obtained the key you're going to want to test your application to see what it outputs once expired/out
----

I've already got it downloaded on the Linux machine I'm SSH'd into, so I'll go ahead and run the installer with the expired key.

So now we have an expiration method to get rid of.

Let's begin.

-------

We open up the lshttpd binary with IDA and wait for IDA to finish its complete analysis.

-------

Well, now that I'm back in IDA after it crashed for a moment, we will start cracking.

The first thing we need to do is look at the text string that was output to our shell.

Simple enough: we can just search in IDA for the text string and its xref.

------

There we go, found it. The next thing we do is double-click on it.

As you can see, now we have no actual code in this location, only the text string itself...

But we'll check out the cross-reference listed.

-----

Now if we look at this a bit we can tell what it's doing:

.text:080606E7 jz short loc_80606FC

The location 80606FC contains almost the same text string but leaves out "trial"...

We're using the trial so we don't have to worry about this jump.

.text:080606DD jle short loc_806075C


However, when we look at this jump, it continues to start the server and displays our "OK Trial will expire in...", meaning the server has been started and the trial has not expired.

-----

So we're going to need to change this JLE to a JMP so we always start our server, expired or not.

So we highlight the JLE and look at our hex window.

7E is JLE in Hex.

So now we're going to use a hex editor to change this JLE to a JMP.


How we're going to find it in hex is: in the IDA hex window, highlight a large portion of hex around it... and simply search for that in the hex editor.

----

And here we have it.


Now we need to find out what the hex is for the operation JMP.

I'm going to use a game hacking utility, which is a modified version of Cheat Engine, to figure this out.

So now we know that JMP is EB instead of 7E, so... we're going to go back into our hex editor and change that, then reopen the exe with IDA...

----

Once open, we're going to let it go for a little bit so it has time to fill in the area with its code, and then we're going to go to the location 080606DD to look at the JMP to the startup method.

.text:080606DD jmp short loc_806075C

This is our new code, so let's test this new binary out on the server and try to reinstall this.

----
[OK] Your trial license key will expire in -106 days!

As you can see we have successfully cracked one part of the license checking.

Let's continue to install it and then we'll see if it runs properly.

----

[ERROR] Failed to start the web server. For trouble shooting information,
please refer to documents in "/opt/lsws/docs/".

Looks like we're having a new issue, so let's check LiteSpeed's logs to see what might have happened.

----

[ERROR] [LICENSE] License key operation failure: ERR T.2: Your trial license has expired

So there is more than one check for the license key.

[NOTICE] Thank you for using LiteSpeed Web Server, the license key has expired, if you are satisfi...

----

So what we're going to need to do now is check out the text string "Thank you for using..." and see what we can do to make LiteSpeed ignore this.

Once again, go to the cross-reference.

----

.text:0804C739 jz loc_804C85D

Here we just have a check for updates...

However, this jump...

.text:0804C758 jns short loc_804C784

...leads to another startup method, so we will just make this a JMP, just like we did with the JLE.


So 79 in hex is the operation JNS; we're going to change this to a JMP, so EB.

----

Forgot to mention that after you crack only the first method, it will delete your key if you run it... so you have to re-download it.

[OK] Your trial license key will expire in -106 days!

Looks like we successfully started so far...

Let's check if it's really running.
----

Seems to be down, let's check our process list for it.

Hmm, not up... let's check our logs again then?

----

[WARN] Your license key will expire in -106 days, renew your license key before it expires, hurry

Looks like we've changed the "Thank you," into this now.

But there's still one problem here...

[ERROR] [LICENSE] License key operation failure: ERR T.2: Your trial license has expired

So let's go ahead and tell LiteSpeed to ignore this as well.

----

Try not to search for the whole string; the end after ":" is just a %s, generated in memory... so it won't be in the strings.

Let's go ahead and go to the cross-reference, then see what we've got here.

.text:0806098C jnz loc_8060A3C

We wouldn't want to change this to a jump, as it would just tell us it failed to decrypt our license key.

Nor this:
.text:08060952 jnz loc_8060CA4

It would simply tell us it failed to connect to the licensing server.

Hmm, but if we look back at the failure to decrypt the license key, it's actually got jumps before it hits the decryption failure, meaning it can still avoid the decryption failure and continue to start, so this is where we should look.

----

It seems here

.text:08060A7A jnz short loc_8060A8C

is after we have successfully decrypted the license key but are continuing to start the server.

So let's go back up to 8060A3C and change that to a JMP; obviously we won't fail to decrypt our key, so it should continue to start LiteSpeed.

... mistype: 0806098C is the address we want to go to, not 8060A3C.
----

We're going to repeat the same thing as we did before and change the operation to a JMP.

Here it seems the JNZ is 0F in hex...

So let's go look it up.

----

We change 0F to EB to make it into a JMP... and hopefully we're good to go for cracking LiteSpeed.

----

So this should be our last time testing; hopefully it works.

Seems it deleted our license key again... re-download it and we'll be fine...

OK so far...

----

Let's check out the logs. No expired messages; let's see if the web server is running...

---

That's the end of this tutorial, have fun cracking guys...
credits to deadly data from the defaced =)
 
Lots of text, and you know people here on forums are usually looking for some quick, undetailed info... like commands etc. to sort it out...

Great work though, you have put a great effort into this :)

regards,
Ryan
 