Reversing CrackMe with Ghidra (Part 1)

  • Added 27. 07. 2024
  • Reverse Engineer CrackMe0x00.exe with me using Ghidra!
    Fix .text functions names in Ghidra:
    • Ghidra: Fix .text func...
    Download CrackMe0x00 at:
    github.com/Maijin/Workshop201...
    How to Install Ghidra on Windows:
    • How to Install Ghidra ...
    Ghidra Overview:
    • Ghidra Overview
  • Science and Technology

Comments • 153

  • @npz1838 3 years ago +5

    This is great man. I'm in the process of learning about reverse engineering and Ghidra, and this series is helping me out a TON. Thanks for doing it!

  • @nahiyanalamgir7614 4 years ago +3

    You're amazing! You explain well and show everything in a very relaxed way. I fell in love with Ghidra after watching this video.

  • @metasploited5790 3 years ago +3

    Thank you for these uploads - very helpful walkthroughs and the pacing makes it easy to follow along.

    • @stryker2k2 3 years ago

      I'm glad you found it helpful 😊

  • @stevecaswell8814 3 years ago +2

    Great video, very instructive. Thanks for taking the time to walk me through topics that are easier to understand than explain! You do it great though!

  • @TheAVITube 4 years ago +6

    Really great. This helps noobs like me to get my feet wet. With so much info out there and the newness of Ghidra it's really hard to find something that is basically "Getting started with RE using Ghidra".
    Also, starting at crackme 3... thank you for going into the test function and doing the RE there too. Extra mile effort. Awesome.

    • @stryker2k2 4 years ago +4

      Thanks a ton!
      Ghidra is still pretty new so good info is hard to find. I'm glad this video was able to help you out!

    • @FraGranzadiNoi 4 years ago +1

      @stryker2k2 Can you do more lessons, with practical examples? Thanks, prof

  • @akloskikoblansk2698 4 years ago +9

    Thank you for making this very beginner friendly by the way. Most may find the pacing slow and patronizing, but it's great for complete noobs like me who learn best by doing and getting straight into it. I bet everyone, even my nana, can learn something from this - I certainly most have!

    • @fueljuice9206 4 days ago

      wait until she finds out about anti-decompiler and anti debugger

  • @rlee431 4 years ago +3

    This was such a great tutorial. I can't thank you enough. You made things so clear.

  • @kakashisharigan336 4 years ago +1

    A lot of value in here. Thanks mate

  • @user-tg6vk4ig3i 4 years ago +1

    Very good and thank you very much. I hope you continue the series with more complex subjects. Malware analysis, packers and VM protect.

    • @stryker2k2 4 years ago

      Hello again! Yes... Packers and VM Protect! Not anytime soon but, yes, definitely! Especially Themida packer... it's a straight kick in the teeth and I would love to make a video on Reversing it!

  • @ghee-air-moe5775 4 years ago +5

    My hero! Thanks again for the videos! What a great tutorial! Notably, your instruction tempo is great as well as your lack of saying "um" a lot is fantastic, which means you're easy to listen to and follow, lol.

    • @stryker2k2 4 years ago

      Thanks, Ghee!
      I like what you did with your username! I caught on as soon as I said it out loud.

    • @ghee-air-moe5775 4 years ago

      @stryker2k2 @27:27 you said that we completed it but we didn't insert any password in the program to ensure we actually got a correct password. We did figure out what the program does when we have the correct password, but...what's the password for 0x3? lol

    • @adrianslabu9053 3 years ago

      Ghee-Air-Moe @17:59

  • @patistachowski 4 years ago +2

    Thank you!!! Very interesting video. Everything was perfectly explained!

  • @kiwidev_ 4 years ago +1

    This is really helpful, I'm trying to start learning the RE process and you walking through the steps makes this super understandable. I hope your channel gets more attention, this is great!

    • @stryker2k2 4 years ago

      That's awesome to hear! I'm glad my videos are helping! :)

  • @antoinefortin1386 1 year ago +1

    And this is going to be the series I am following to teach me the basics :D

    • @stryker2k2 1 year ago

      As of right now, it is a scrambled series of somewhat random topics. For example, I just published a new Ghidra video today about the new Emulator tool they have. The only thing that remains constant is the simplicity and elaboration in my 'series'.

  • @BryceChudomelka 3 years ago +1

    Excellent video. You are a great instructor.

  • @hlflifeenjoyer6176 3 months ago +1

    incredibly useful tutorial thank you for making this

  • @user-pg1pk3cd6i 2 years ago +1

    Thank you!!! Very interesting video.

  • @cephurs 3 years ago +1

    great stuff, thank you!

  • @cvrsor2985 10 months ago +1

    Ghidra does a lot of the function naming automatically now which is so nice. Still the best tutorial, even in 2023. 😄

    • @stryker2k2 10 months ago

      Thanks! I need to check out the new Ghidra version!

  • @tt-fx6nt 2 years ago +1

    Sir, you're awesome, your explanation is very clear. Please do more videos on CrackMe challenge with Ghidra, or maybe IDA Pro, or x64dbg.

    • @stryker2k2 1 year ago

      Thanks a ton! I love making Ghidra videos. I'm sure there will be more CrackMe videos in the future! I just posted a new Ghidra video today about their new tool, the Emulator.

  • @LukeAvedon 7 months ago +1

    Super helpful! Thanks!

  • @ferivertid 3 years ago +1

    you're a great teacher

  • @hyunwhanjoe3477 1 year ago +1

    Thanks for showing which keys you're pressing

    • @stryker2k2 6 months ago +1

      It always bugged me when I watch some keyboard master fly through a program using shortcuts with no explanation. I promised myself to never be that guy :D

  • @jarno_r 3 years ago +1

    Awesome video

  • @BoebieBaby 2 months ago +1

    Little late to the party but I solved the 4th example a bit differently by pure coincidence. I thought it was counting string length so I entered "123456789012345". The code stops whenever it hits 15 so as soon as it got to the first "5" it gave me the Ok lol. Made more sense when I looked up sscanf

    • @stryker2k2 2 months ago

      Nice! Running into cool little discoveries like that is always fun.

  • @akloskikoblansk2698 4 years ago +1

    "Yes, it very much is for real." lmao

  • @0xp4ul 4 years ago +1

    You are rocking

  • @MrDrickjo 9 months ago

    I got mine to work as I simply used Windows 10 and not use my box that's running Windows 11. However, what type of language are Crack 0,1,2 running? I see a lot of if then statements.

  • @stevevai2442 3 years ago

    Could not open these executable files in Ghidra (error as "select library to open it") and even in cmd. Gives error as "can not start due to incompatibility with 64bit version of windows". How do I replicate these?

  • @dhanaa2007 3 years ago

    Can you suggest me ex4 how to crack which tool

  • @rbkhyvc 3 years ago

    Mine won't import all at once. I have to do it one by one.

  • @baruchben-david4196 4 years ago +1

    For crackme4, I entered '12345678912345' and it still passed. Also, if I type '1' and then 14 other characters - digits, alphabetic, punctuation - it still passes. I don't quite understand why. Evidently I don't fully understand how sscanf works...
    Edit: I think I figured it out. The loop exits when the counter reaches 15. Whatever follows is irrelevant. So, 12345 works, as will 12345xxxxxxx... The first five digits add to 15. The loop exits, so whatever follows is ignored.

  • @sukantadas7324 2 years ago

    Sir how can we play .rio extension video into any another player

  • @arvinmoravej7161 4 years ago +1

    tnx for the video

    • @stryker2k2 4 years ago

      I had some issues reversing Python executables as well in the past. I'll make sure to record a video if I ever throw a Python executable into Ghidra.

  • @marcosrocha2312 4 years ago

    Thank you, incredible content, really cool. Incomparable teaching.

  • @sdfsdf1728 3 years ago +1

    good stuff!

  • @MrDrickjo 9 months ago +1

    I got things under control. Disregard all previous chat posts. However, quick question: on my Windows 11 I notice I have to choose Data Type Manager, Symbol Tree etc. and Decompiler all individually as they don't show up all at the same time like on Windows 10. How can I get it all to show up on 1 display like yours as individual panes?

    • @stryker2k2 6 months ago

      I have not yet installed Ghidra on Windows 11. But, when I do, I will look into this.

  • @dirks.2909 4 years ago +1

    What theme are you using here?
    Could you upload it?
    thanks

    • @stryker2k2 4 years ago +1

      Excellent question! Dark Mode is available in Ghidra natively.
      You can enable Dark Mode by following along with my instructions in the linked video:
      czcams.com/video/IL60yGDbRGw/video.html

  • @aga1nstall0dds 11 months ago +1

    Are these crackme files safe to be run on a ghidra directly installed on my windows without a vm?

    • @stryker2k2 11 months ago

      I always suggest running executables in VMs. With that said, these crackmes are safe for use on your bare-metal Windows machine.

  • @carlfarrington 4 years ago +1

    How exactly are you planning to fix the message about debugging information being missing from the PE file? It's good that you've learned that pressing OK on the message doesn't cause any catastrophes. Would be even better if you just read and understood it though ;-)

    • @stryker2k2 4 years ago

      Thank you for that! Indeed just pressing OK is the easy way! Nevertheless, I did research that error and I've been able to describe the error message more to the viewers in the new video!
      Thank you for pushing me to grow!
      czcams.com/video/Eu9YC1Jq1Do/video.html

  • @leozendo3500 4 years ago +1

    Very helpful! If I may ask, How can I search for a png image embedded in a 10Mb exe binary? Say if I want to patch it out.

    • @stryker2k2 4 years ago

      Funny you ask! One of my next videos is going to be on how to detect malicious droppers. In which, the executable payload would be embedded into the dropper the same fashion as an image would be. Maybe I'll make the 'payload' an image instead.

    • @leozendo3500 4 years ago

      @stryker2k2 Very cool. Thank you. I used Restorator.exe to search for the image but no luck. The program is MagicMusicVisuals.exe and it has an encrypted shell. I know software cracking can be bad but well for educational purposes...

  • @GeneralBison 3 years ago

    I get a different popup when hovering over the address in crackme0x02, it doesn't convert. Struggling to figure out how your Ghidra is coming to that conclusion, also tried active analysis in r2 and I can't get it :/

    • @stryker2k2 3 years ago

      I have also been having issues recently with the Decompiler pop-up not showing up. I'm making the assumption that you are hovering above "0x52b24". In the Assembly Code, that line is read as "CMP EAX, dword ptr [EBP + local_10]", in which the Ghidra Decompiler has read the value in that location and translated it to 0x52b24. Now, if the instructions said "CMP EAX, 0x52b24"... I believe that the decompiler would give us a pop-up showing us different variable translation (integer, unsigned integer, etc).
      I do not know exactly why this is. But, for CrackMe0x02, the pop-up doesn't show up for me anymore either. Here is my work around... (see screenshot below)
      nc.strykersoft.us/index.php/s/mHkzfHYziBEetSs

  • @tarasboichuk3958 4 years ago +6

    Interesting: when i pass input [000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    ] it's not == 15 but it works fine ... am I overflowing the buffer??? UPD: I think I am - there is a fixed input char array size :)
    IOLI Crackme Level 0x04
    Password: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Password OK!

    • @stryker2k2 4 years ago +1

      Whoooaaaaa... I'll have to check that out!

    • @nullzero9224 2 years ago

      @stryker2k2 I spent some time trying to solve this challenge and I noticed that the challenge can be solved once we supply digits that add up to 15 at the beginning, no matter how many digits we supply as password afterwards. For example, if we start the password with digits 96, it will be okay and the challenge will be solved even if the password we type is 96999999999999999999999999 or whatever digits we might add later. The code breaks once we reach a total of 15, then all other values in the password are ignored and the while loop ends. In addition to that, if we supply 54 zeros or more, the challenge will also be solved, strangely. I'm not sure if the decompiler failed to generate a correct representation for the assembly or there was a logic mistake in the challenge code itself!!
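
The crackme0x04 behaviour reported in the comments above (digits summed until the total reaches 15, anything after that ignored, and a leading '1' followed by 14 non-digit characters still passing), as an added example that is not part of the thread and not the crackme's own source. The function names and the loop are a reconstruction assumed from those comments; the strict variant shows the same check with sscanf's return value tested and the whole input consumed.

```c
#include <stdio.h>
#include <string.h>

/* Target total taken from the comments on level 0x04. */
enum { TARGET_SUM = 15 };

/*
 * Reconstruction (an assumption, not the crackme's source) of the check the
 * comments describe: parse one character at a time with sscanf("%d"), add it
 * to a running total, and accept as soon as the total equals 15.
 * The conversion result is never tested, so a character that is not a digit
 * leaves `digit` holding the value parsed from the previous character.
 */
int check_lenient(const char *input)
{
    size_t len = strlen(input);
    int total = 0;
    int digit = 0; /* initialised here so the behaviour is well defined */

    for (size_t i = 0; i < len; i++) {
        char one[2] = { input[i], '\0' };
        int converted = sscanf(one, "%d", &digit);
        (void)converted;               /* deliberately unchecked */
        total += digit;
        if (total == TARGET_SUM)
            return 1;                  /* the rest of the input is never read */
    }
    return 0;
}

/*
 * Hardened variant: every character must convert, and the total is judged
 * only after the whole input has been consumed.
 */
int check_strict(const char *input)
{
    size_t len = strlen(input);
    int total = 0;

    for (size_t i = 0; i < len; i++) {
        char one[2] = { input[i], '\0' };
        int digit;
        if (sscanf(one, "%d", &digit) != 1)
            return 0;                  /* reject instead of reusing stale data */
        total += digit;
        if (total > TARGET_SUM)
            return 0;                  /* overshoot can never come back to 15 */
    }
    return total == TARGET_SUM;
}

int main(void)
{
    /* Constructed sample inputs, taken from or modelled on the comments. */
    const char *samples[] = {
        "12345",
        "123456789012345",
        "96999999",
        "1" "xxxxxxx" "xxxxxxx",       /* '1' followed by 14 non-digits */
        "1234",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s lenient=%d strict=%d\n", samples[i],
               check_lenient(samples[i]), check_strict(samples[i]));
    return 0;
}
```

The long run of zeros that also passes on the real binary is not modelled here: as the comment above suggests, that case depends on the program's fixed-size input buffer, not on the summing loop.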

  • @MrDrickjo 9 months ago

    I notice my Ghidra goes through all steps. I can drag Crackme file over to GUI and it does everything as in video. But after I analyze I don't understand why it doesn't seem to display output. I'm running Windows 11 but I'm not sure why after being prompted to analyze it doesn't display anything in Code Browser. I tried "FILE > Open" and still NOTHING. Any suggestions or tips

    • @stryker2k2 9 months ago

      Shoot me a message on Twitter @stryker2k2 and I'll see what I can do (when I get back to my computer on Monday)

  • @sweetcarbon1132 4 years ago +3

    does anybody not get the value in different data types when hovering over the hex code, cuz i don't, i only get "Signed integer Compiler specific size) and the length

    • @stryker2k2 4 years ago

      Interesting... maybe there is a selection at the 'Auto-Analyze' menu at the beginning you didn't select? I'll poke around my Ghidra and see if I can replicate that... but, I can't promise anything.

    • @akhattukenov8987 4 years ago

      Same problem , cannot find the solution.

    • @antinvk1 4 years ago +1

      @akhattukenov8987 Try to enable extension "GnuDisassembler", that worked for me for some reason.

  • @CyberZyro 3 years ago +1

    I actually can't see those decimals while hovering over the hex. I know I can simply convert them online but what's the reason for not showing while hovering over?

    • @stryker2k2 3 years ago +1

      I have also been having issues recently with the Decompiler pop-up not showing up. I'm making the assumption that you are hovering above "0x52b24". In the Assembly Code, that line is read as "CMP EAX, dword ptr [EBP + local_10]", in which the Ghidra Decompiler has read the value in that location and translated it to 0x52b24. Now, if the instructions said "CMP EAX, 0x52b24"... I believe that the decompiler would give us a pop-up showing us different variable translation (integer, unsigned integer, etc).
      I do not know exactly why this is. But, for CrackMe0x02, the pop-up doesn't show up for me anymore either.

    • @CyberZyro 3 years ago

      @stryker2k2 exactly, and I'm a beginner so not that friendly with Ghidra and concepts

  • @0x6d696368 4 years ago +1

    Regarding the ".text" function names. It is because the binary has 2 symbol names per function. One is the real name the other the section name ".text". This is most likely because it was compiled by gcc with -ffunction-sections.
    You can delete the ".text" labels before analysis and it is fine. See my video: czcams.com/video/WENXr6iDu8A/video.html

    • @stryker2k2 4 years ago

      You are amazing! Your video is very clear and concise. I will implement that fix in the next video!
      I also put your link in the description of this video.

  • @Antagon666 9 months ago +1

    Hey, how do you find main in C++ program that was compiled with MSVC compiler ? Entry point is just some CRT startup code, but no signs of main being called after that.

    • @stryker2k2 9 months ago

      Shoot me a screenshot of the Entry Point code to my Twitter (@stryker2k2). There are two possibilities. 1) a new thread is being launched with the Main Function being passed as a parameter or 2) the binary is a DLL/SO library file

    • @Antagon666 9 months ago +1

      @stryker2k2 nevermind, found it, just had to check every single function there was in entry point and following all labels in ASM. I still have no idea how to do this consistently.

    • @stryker2k2 9 months ago

      @Antagon666 Every compiler does it a bit differently. You'll get there :)

  • @anthonysmith5857 4 years ago +1

    Can you show a video on AUTODESK Maya any version would be great.

    • @stryker2k2 4 years ago

      I have no experience with AUTODESK Maya... but I love learning and making videos! I'll see what I can do!

  • @polinimalossi8404 2 years ago

    hi stryker how are you? I wanted to ask you for information. This tutorial is also good for those paid software that hides the cracks so as not to crack the program? a thousand thanks

    • @stryker2k2 2 years ago

      Ghidra and these tutorials were created to make reading assembly code easier and learn basic reverse engineering. Doing anything further is up to your ambition and imagination.

    • @polinimalossi8404 2 years ago

      @stryker2k2 I understand you do to download that file from github you must first disable a setting in the windows defender then you have to block the exceptions in windows defender and you have to put the download folder then you have to use the edge browser then do as you did in the video and save the file in the download folder and then do as you did in the video for safety I have removed the option to download unknown files from the browser in the registry Wednesday afternoon I do everything calmly thank you very much and good evening carlo 👍

    • @polinimalossi8404 2 years ago +1

      @stryker2k2 excuse me if I wrote to you in private in a video where it has nothing to do I hope I was not too impertinent?

  • @zvit 4 years ago +1

    A little tip: you don't have to drag and drop onto the dragon, you can just double click the project name :) (or, while the project is selected, just click the dragon)

    • @stryker2k2 4 years ago

      Thank you for bringing this up! Because of this comment, I've used that little tip in every video since! You rock!

  • @MikeMike-um8sq 3 years ago +1

    When I try crackme0x02 it does not give the information when I hover over the number in the decompiler
    Any ideas

    • @stryker2k2 3 years ago

      I have also been having issues recently with the Decompiler pop-up not showing up. I'm making the assumption that you are hovering above "0x52b24". In the Assembly Code, that line is read as "CMP EAX, dword ptr [EBP + local_10]", in which the Ghidra Decompiler has read the value in that location and translated it to 0x52b24. Now, if the instructions said "CMP EAX, 0x52b24"... I believe that the decompiler would give us a pop-up showing us different variable translation (integer, unsigned integer, etc).
      I do not know exactly why this is. But, for CrackMe0x02, the pop-up doesn't show up for me either. Here is my work around... (see screenshot below)
      nc.strykersoft.us/index.php/s/mHkzfHYziBEetSs

    • @MikeMike-um8sq 3 years ago +1

      @stryker2k2 Thank you very much. Is there a way to see the registers and stack in Ghidra?

    • @stryker2k2 3 years ago

      There is not, unfortunately. I use x64dbg for reading stack, registers, and heap. Would a x64dbg video be something you would be interested in?
      I usually have both Ghidra and x64dbg up at the same time when I work. Maybe showing that work flow would be beneficial?

  • @ParlaySeb 4 years ago +1

    tell me how to reverse 0x50?

    • @stryker2k2 4 years ago +1

      I can't help with 0x50! But... I can help with 0x05!
      Check out my new video at czcams.com/video/Eu9YC1Jq1Do/video.html

  • @MrDrickjo 9 months ago +1

    Does this work with windows 11

  • @MrDrickjo 9 months ago +1

    Does it matter where u download code? Crackme file

    • @stryker2k2 9 months ago

      Right Answer: Yes, it matters. Download challenges from official sources. HackTheBox is a great source for crackme challenges and has Virtual Machines you can use with Ghidra pre-installed.
      Less Right Answer: No, it doesn't matter. As long as you are running in a Virtual Machine on a physical computer with no important files and disconnected from all networks (air-gapped), then you can download challenges from anywhere.

  • @DavidDavisMr3moons 4 years ago

    Hey striker I have a question for you if you could PM me my follow of yours I’m looking to see if you can help me with that ma’am no programmer I’m just barely learning how to operate how to use the G Dr. and I think that you might be able to help me out with a problem here

  • @HandyFox333 2 years ago +1

    Why did you include the pointless comments in the beginning?

    • @stryker2k2 2 years ago

      This pointless comment will be in the beginning of my next video 😊

  • @abdullah5246 2 years ago +1

    The dark theme is perfect here. Can you share the code please? great video by the way ;)

    • @stryker2k2 2 years ago +1

      The link to the code can be found at 3:13 in the video

    • @abdullah5246 2 years ago +1

      @stryker2k2 I meant the script for the dark theme. I've downloaded a python script before but its color customization was awful to say the least

    • @stryker2k2 2 years ago +1

      @abdullah5246 I didn't find any good theme scripts. I used one of Ghidra's default themes. You can see the video where I walk through making a dark theme here -> czcams.com/video/Cgukr7v9eg0/video.html

    • @abdullah5246 2 years ago +1

      @stryker2k2 Amazing, thank you!

    • @stryker2k2 2 years ago +1

      @abdullah5246 My pleasure

  • @Kev1305 3 years ago +1

    Interestingly, my output is already different from yours on the very first challenge as my _mainCRTStartup returns the following:
    void _mainCRTStartup(void)
    {
    __set_app_type(1);
    /* WARNING: Subroutine does not return */
    ___mingw_CRTStartup();
    }
    Any ideas why it's so different from yours?

    • @stryker2k2 3 years ago

      Ghidra does an automatic analysis every time you launch a new program in the Ghidra disassembler. Of course Ghidra, in theory, should decompile CrackMe_0x00 the same way every time on any system. But I've noticed that sometimes when I recompile (green recycle arrows at the top of the decompiler), it changes what it believes is the best translation on the fly.
      Also, there is a possibility that I may have a few extra analysis options selected that you don't that duplicate some of the analysis tasks.
      With that said, if you look at the CrackMe_0x00's assembly code at 7:20, you'll see that __mingw_CRTStartup is only called once. So your automatic analysis is probably more accurate than mine in this case.
      Disassemblers are very good but are not perfect. Reverse Engineering is more of an artform and less of a science.

  • @jasonking1284 3 years ago +1

    Can't see a thing. I do not have a microscope...

    • @stryker2k2 3 years ago

      I completely agree! I have learned a lot about producing CZcams content since then; namely that font size is important!
      My newer videos are easier to read and I will probably re-record this series in the future as well!

    • @jasonking1284 3 years ago +1

      @stryker2k2 I am glad to read that you realize this and have fixed this problem. Big text is essential on CZcams educational videos. People might not have the luxury of large 42inch 4K monitors and might be limited to small 20inch 1080p monitors. Best of luck with your videos.

    • @stryker2k2 3 years ago

      @jasonking1284 Very true and thank you!

  • @rajchaturvedi8195 4 years ago +1

    why is this video and its Part 2 (czcams.com/video/Eu9YC1Jq1Do/video.html ) so long? how can I get more manageable bits so I can easily watch them? it's just impossible to view this video if this channel keeps on this sloppy method.
    is there any other channel which shows videos about using ghidra to understand binaries in short chunks, like one video per binary or 10 minutes maximum.
    since it seems unlikely that this video get broken up, does somebody have it broken up into small pieces so I can see if it's good or just waste of time?

    • @stryker2k2 4 years ago

      My CZcams Studio flagged this comment as "Likely Spam"... and I can see why. Nevertheless, I have Approved it because you bring up a really good point.
      There are other Ghidra videos on my channel that are shorter that you can watch and learn from.
      But, it seems that a series of short 5-10 minute videos would be super beneficial to you and others.
      I don't know of any channels that have "Bite-size" Ghidra videos but, thanks to this comment, my channel will soon have a bite-size ghidra series; quite possibly revisiting the CrackMe series as a starting point.
      Until then, Raj, would it help if I put timestamps in the Description so that you can quickly navigate to the individual projects?

    • @deedewald1707 3 years ago

      @stryker2k2 Timestamps are chapters with a bookmark, should help !

  • @malte0621 3 years ago

    i cracked "CrackMe0x00" in 2 minutes.. (I got almost no knowledge of debugging..) :/

    • @malte0621 3 years ago +1

      i used "x64dbg" tho..

    • @malte0621 3 years ago

      but i didn't reverse it.. Oops.....

    • @stryker2k2 3 years ago

      @malte0621 x64dbg is awesome! So is Noriben, SysInternals, and RegSnapShot. They all make finding the answer super simple!
      Congratulations on solving it! Now, if I may make a suggestion... solve it by using Ghidra 😁

  • @MrDrickjo 9 months ago

    Hey I have email account. and don't have twitter. Can we do zoom I can provide you my email. I notice My decompiler doesn't pop up anymore.

  • @AmineOnline 3 years ago +1

    Please I want to tell you that the quality of videos is low and for the sake of tutorials it's better to do the normal design of any software, not the dark chocolate.

    • @stryker2k2 3 years ago +1

      Thank you for your feedback. This video was one of my first ones and definitely lacked polish.
      Many of my newer videos now have that polish. I have upgraded from my Logitech C9200 webcam to a new Sony A6000 and have also changed the resolution so that the text inside of Ghidra is MUCH larger. I have also purchased studio-quality lighting to make it easier to record in the night time!
      CZcams is not my job. It is a hobby. But it is a hobby that I enjoy and I want to make the highest quality videos I can. I appreciate the feedback!
      Lastly, I have done multiple polls... and dark mode stays. Sorry! But I'm glad to know that there is at least one light-mode lover out there!
      Thanks again!

  • @mendaxassange4465 4 years ago +3

    Bro No Offense But.. Every time I search RE Tutorial Whatever it's ghidra or not..i got disappointed... because every video is about Like Reversing "Enter Your Password:" C Program.. XD... I Never Seen A Tutorial About Unpacking VMProtect And Something More Complex... Or How a Packer Works And How To Defeat Them... How Obfuscation Works And How APIMonitor Help TO RE A Malware.... Can You Please Make A Tutorial About It...

    • @stryker2k2 4 years ago +3

      Absolutely! Themida, UPX, and other packers have been a pain in my side at work! I'd love to make a video series on those!
      My next few videos are going to build on what I've done here. So, expect another video on the CrackMe series (0x05 - 0x09), then another video reversing my own crafted malware (maldev.exe)... then after that I'll turn my attention to packers and VM protect.
      Unfortunately, it will not happen as quickly as we all would want it to. But it will happen!

    • @mendaxassange4465 4 years ago +2

      @stryker2k2 It Doesn't Have To Be Quick.. Just Need A Proper Guideline... :)

    • @j_lode 4 years ago +1

      I second this. I'd like to see SOMEONE, ANYONE do a reverse video on something super complex

  • @dclxviclan 11 months ago +1

    Malware 👽

    • @stryker2k2 11 months ago +1

      Yep! Well, no... it is not... but it is always best to assume that everything is malware! Which is why we learn and teach Reverse Engineering! 😊