Thursday, November 27, 2014

RingZer0 Crack Me 1 Walkthrough


This crackme is the 2nd file under the Binaries (Windows/Linux) challenges at It is of course a reverse engineering challenge.

I hope this guide will show some useful techniques to solve this challenge using only simple static analysis without the need to look at the assembly code.

Run the File

We run the file and see the following message box:

When we click OK the dialog closes and the program exits. Obviously there is more to the picture.

Viewing the Resources

During static analysis of the file, we realize it has a binary resource embedded inside of it. The hex begins with 4D 5A, which is the MZ header for PE files. 

As it turns out, the program drops this binary as a DLL hidden away in an AppData folder. We'll simply dump it to disk using Resource Hacker, saving it as crackme1.dll.
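The 4D 5A observation can be checked programmatically. The following is an added example, not part of the original post: it scans a byte blob for MZ, follows e_lfanew to confirm the PE signature, and reads the COFF Characteristics field to tell a DLL from an EXE. The function names and the sample bytes are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a DLL


def find_embedded_pe(blob):
    """Return [(offset, is_dll), ...] for each validated PE image in blob."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        # The DOS header is 0x40 bytes; e_lfanew lives at offset 0x3C.
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            nt = pos + e_lfanew
            # Need the 4-byte signature plus the 20-byte COFF header in bounds.
            if nt + 24 <= len(blob) and blob[nt:nt + 4] == b"PE\0\0":
                # Characteristics is the last WORD of the COFF header.
                (flags,) = struct.unpack_from("<H", blob, nt + 22)
                hits.append((pos, bool(flags & IMAGE_FILE_DLL)))
        # A bare "MZ" with no valid PE signature behind it is skipped.
        pos = blob.find(b"MZ", pos + 1)
    return hits


def make_stub(characteristics):
    """Constructed DOS + NT header stub for testing (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff


# Constructed sample: padding, a DLL stub, then text that merely contains "MZ".
SAMPLE = (b"\0" * 16 + make_stub(0x2102)
          + b"just the letters MZ in text" + b"\0" * 64)

if __name__ == "__main__":
    for offset, is_dll in find_embedded_pe(SAMPLE):
        print(f"PE image at offset {offset:#x}, DLL={is_dll}")
```

To use it on a real sample, pass the bytes of the dumped resource (or of the whole dropper) to `find_embedded_pe`.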

Inspecting the DLL

We open the DLL using PEView, or alternatively (and often better) PEStudio. We go to the Export Address Table (EAT) and see it exports a function called DisplayMessage.

Run the Exported Function

So in order to run the function, we just have to issue the following command, which uses the rundll32.exe program included with Windows:
