View Full Version : Reversing NUTCracker.exe


Holmes.Sherlock
January 18th, 2012, 20:57
Hi All,

I am new to RCE; however, a long time back I studied it a bit & cracked/reversed a few CrackMe/KeyGenMe exercises. Recently, I came across another cracking exercise, a binary called "NUTCracker.exe". The challenge is to extract a key out of it. With my present knowledge & expertise, I am unable to solve it. Can you please guide me to crack the challenge as well as learn the tricks & techniques?

The binary is here ("http://www.4shared.com/file/165wyyk2/NUTCracker.html").

rendari
January 19th, 2012, 16:08
What have you tried thus far?

-rendari

Holmes.Sherlock
January 19th, 2012, 20:05
Quote:
[Originally Posted by rendari;91743]What have you tried thus far?
-rendari


I have put a BP on the read access of the string "Input password". After providing the input & pressing "Enter", I tried to "Step Over" instructions by pressing F8 in IDA. But, then I got lost. Please don't laugh at my stupidity. I am new to RCE & will try to learn it.

rendari
January 20th, 2012, 18:01
It's ok, we all started somewhere.

Consider using OllyDBG instead of IDA for debugging on Windows. You will want to set a breakpoint around here:

Code:
00C9112B |. 68 AC41C900 PUSH NUTCrack.00C941AC ; /Arg2 = 00C941AC ASCII "Input Password: "
00C91130 |. 50 PUSH EAX ; |Arg1 => 70460D58
00C91131 |. E8 BA120000 CALL NUTCrack.00C923F0 ; \NUTCrack.00C923F0
00C91136 |. BF 0F000000 MOV EDI,0F
00C9113B |. 83C4 08 ADD ESP,8
00C9113E |. 89BC24 1C01000>MOV DWORD PTR SS:[ESP+11C],EDI
00C91145 |. 899C24 1801000>MOV DWORD PTR SS:[ESP+118],EBX
00C9114C |. 889C24 0801000>MOV BYTE PTR SS:[ESP+108],BL
00C91153 |. 899C24 5001000>MOV DWORD PTR SS:[ESP+150],EBX
00C9115A |. A1 C040C900 MOV EAX,DWORD PTR DS:[<&MSVCP100.?cin@st>
00C9115F |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00C91161 |. 8B49 04 MOV ECX,DWORD PTR DS:[ECX+4]
00C91164 |. 6A 0A PUSH 0A
00C91166 |. 03C8 ADD ECX,EAX
00C91168 |. 8BF0 MOV ESI,EAX
00C9116A |. FF15 AC40C900 CALL DWORD PTR DS:[<&MSVCP100.?widen@?$b>; MSVCP100.?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z
00C91170 |. 0FB6D0 MOVZX EDX,AL
00C91173 |. 52 PUSH EDX
00C91174 |. 56 PUSH ESI
00C91175 |. 8D8C24 1001000>LEA ECX,DWORD PTR SS:[ESP+110]
00C9117C |. E8 0F170000 CALL NUTCrack.00C92890
00C91181 |. 83C4 08 ADD ESP,8

... and start tracing, trying to figure out what is going on.

If you're having more trouble, consider checking out the lena151 tutorials on tuts4you.

Holmes.Sherlock
January 20th, 2012, 20:02
Thank you, rendari.