Reverse Engineering a Linux/X Target
Don't call us, we'll call you...
student
Not Assigned
20 July 1998
by +ReZiDeNt
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
fra_00xx
98xxxx
handle
1100
NA
PC
+ReZiDeNt's essays are always welcome! And this one should be of great interest for all the (growing mass) of Linux lovers. For all other readers: listen to me:
You have surely a Linux system on some CD-ROM cover you bought, have a look. Install Linux and fly! If you'r just lazy, think it over! The moment you have installed Linux on your PC you will for the FIRST TIME IN YOUR LIFE (since old Dos forgotten memories) experience the r aw power of your machine! Ahh! The windows chains fall clattering on the floor! Free, free at last!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate (x)Advanced ( )Expert

A journey into the realm of Linux - if you're interested in Linux (and more specifically X) targets, this might be of some benefit to you.

Reverse Engineering a Linux/X Target
Don't call us, we'll call you...

Written by +ReZiDeNt

Introduction



Before I begin I want to make it clear that this essay has not been

written to supply lamers with a serial number - if that's what you're

after then you can leave the class now, you won't have much joy here. I

also don't want to see people releasing serial numbers/keygens/patches for

this application based on the contents of this essay - if you do, you will

be regarded as a lamer by +all.



The object of this exercise is to shed a little light on how to reverse

engineer Linux (and more specifically in this case, X-Windows) programs.

It isn't all that often that you come accross a Linux program that isn't

free - the vast majority of Linux applications are freely redistributable

and come with complete source code (indeed, you are sometimes required to

compile the application yourself), making reversing them a touch

pointless. However, here is an essay dealing with reversing an X

application. The target is MXaudio, a GUI MP3 player for X-Windows.

MXaudio comes bundled with Xaudio, which is a commandline MP3 player, both

of are apparently built using the Xaudio SDK. I will use version 1.0b for

this exercise, it is available from:



	http://www.xaudio.com/download.html





I don't know what the latest version is, but the protection has probably

not changed much (if any), knowing what +we do about protectionists.



This MP3 player has all the usual features, such as playing files from the

Internet, support for playlists, a nice digital display etc. It also seems

to have some support for a radio interface, but all that is beside the

point. I should perhaps mention that there are plenty of *free* MP3

players for Linux/X around, so I'm a little surprised that this one is for

sale (although the terms seem to indicate that you can evaluate it

indefinitely, unless you are a commercial or goverment entity), even if it

is only $10. In any case all this is irrelevant, since we are only going

to see how this thing works before discarding (or registering) it.


Tools required

DDD (Data Display Debugger)

dasm by SiuL+Hacky (thank you!)

IDA (optional)

A good (quick) text editor - I use joe and vi in console mode, and NEdit in X (unfortunately NEdit can't handle massive files though)

Target's URL/FTP

Xaudio for Linux

Program History


I have absolutely no idea :-)
Essay


Let's start!



When you run mxaudio a nagscreen pops up. The nagscreen has a button

saying "Enter License Key", which when pushed, calls up a little dialog

box prompting us to enter our key. The dialog box has three buttons,

labeled "OK", "Cancel" and "Clear". If we enter a few random alphanumeric

characters and push "OK" we are informed that the license key we entered

is invalid and we are given the choice of entering it again.



So let's make a dead listing - I personally don't like the AT&T asm

format, but that is how objdump (used by the excellent dasm Perl script by

SiuL+Hacky) does things, so that's what I'm using. I suggest you do as I

did, and also make a dead listing in IDA (which may apparently be run from

dosemu - can anyone confirm?). That way you can look to IDA when you're

having a hard time getting your head around the AT&T syntax and you need a

dose of the old familiar format :-)



Searching (case insensitive) inside our dead listing for "enter license

key", we find the first occurence, and it turns out to be quite

interesting:





Possible reference to string:

"Enter Key:"



0806ada6 pushl  $0x819daf7



Possible reference to string:

"Enter License Key"



0806adab pushl  $0x819db02

0806adb0 pushl  %esi

0806adb1 pushl  %ebx

0806adb2 call   0807c35c      ; this call seems interesting...

0806adb7 addl   $0x28,%esp

0806adba jmp    0806adbd





Let's look at the function at 0807c35c. It turns out that this function is

really quite long, and since I don't like showing huge lumps of

disassembled code, I'll instead first explain a little about how X-Windows

works (or rather, how I believe it works :-)), so please bear with me.



In Micro$haft Windoze programming everything (e.g. buttons, labels,

textboxes and so on) is a "window". In X-Windows these are, it seems,

instead called "widgets". Each widget has a user-defined "callback"

function (a pointer to a function) associated with it that is called by

the windowing system whenever certain events occur to that widget (e.g. if

the widget is a button, whenever the button is pushed). This system is

different to the Micro$haft Windoze system in which you must intercept

each event and then find out which window (e.g. widget) is affected. I'm

not entirely certain as to whether all X programs use this system, as I'm

not an X progammer - can anybody enlighten me about this?



For more information on X-Windows programming I suggest you either get a

hold of a book on X programming (if you can find one) or visit the GTK

website (http://www.gtk.org) where you can download the GTK libraries

(GIMP Toolkit, one of many APIs for X programming) together with a pretty

good tutorial on using it. The tutorial should help to give you an idea

about how things work in X...alternatively there are other tutorials on

the Internet covering programming with Motif etc.



Since the validation of the license key must be done after pushing the

"OK" button, finding the callback function for this button would certainly

be a good place to start. Browsing through the function (at 0807c35c) we

see quite a few calls to "XtAddCallback" - how interesting. Looking a

little further our Geiger counter begins to click as we see the below

code:





0807c3df pushl  $0x807c52d    ; address of the callback function



Possible reference to string:

"okCallback"



0807c3e4 pushl  $0x81b4c49

0807c3e9 pushl  %esi



Reference to function : XtAddCallback



0807c3ea call   0804fdf0      ; associate the function with the OK button





So now we have the address of the callback function that is called when

the OK button is pushed. Let's take a look at it:





0807c52d pushl  %ebp

0807c52e xorl   %eax,%eax

0807c530 movl   %esp,%ebp

0807c532 subl   $0x8,%esp

0807c535 pushl  %ebx

0807c536 movl   %eax,0xfffffff8(%ebp)

0807c539 movl   0x8(%ebp),%edx

0807c53c movl   0xc(%ebp),%ebx

0807c53f pushl  %eax

0807c540 leal   0xfffffffc(%ebp),%eax

0807c543 pushl  %eax



Possible reference to string:

"textString"



0807c544 pushl  $0x81b524c

0807c549 pushl  %edx



Reference to function : XtVaGetValues



0807c54a call   0804f3c0      ; get the contents of the text box

0807c54f pushl  %eax

0807c550 leal   0xfffffff8(%ebp),%eax

0807c553 pushl  %eax



Possible reference to string:

""



0807c554 pushl  $0x81b2afb

0807c559 movl   0xfffffffc(%ebp),%eax

0807c55c pushl  %eax

0807c55d call   08151ad0      ; this call is uninteresting for us...

0807c562 addl   $0x20,%esp

0807c565 movl   0xfffffffc(%ebp),%eax

0807c568 pushl  %eax

0807c569 pushl  %eax

0807c56a call   0810d930      ; as is this one

0807c56f addl   $0x8,%esp

0807c572 movl   0x4(%ebx),%ecx

0807c575 testl  %ecx,%ecx

0807c577 je     0807c58a

0807c579 movl   0xfffffff8(%ebp),%edx

0807c57c testl  %edx,%edx

0807c57e je     0807c58a

0807c580 movl   0xc(%ebx),%eax

0807c583 pushl  %eax

0807c584 pushl  %edx

0807c585 call   *%ecx         ; hmm...this looks promising!

0807c587 addl   $0x8,%esp



Referenced from jump at 0807c577 ; 0807c57e ;



0807c58a pushl  %eax

0807c58b movl   0xfffffff8(%ebp),%eax

0807c58e pushl  %eax



Reference to function : XtFree



0807c58f call   0804f580

0807c594 pushl  %eax

0807c595 pushl  %ebx



Reference to function : __builtin_delete



0807c596 call   08178540

0807c59b movl   0xfffffff4(%ebp),%ebx

0807c59e movl   %ebp,%esp

0807c5a0 popl   %ebp

0807c5a1 ret





Well well, looks as though we're going to have to have to pull out our

debugger and try a little of the "live" approach to find out the value of

ecx in the call at line 0807c585. This is where DDD comes in handy. DDD is

not a bad debugger, (although the latest version 3.x which I'm using is

pretty unstable, you might want to stick with 2.x) and a big thank you

goes to SiuL+Hacky for making me (and +others) aware of it.



So fire up DDD and load mxaudio (File -> Open Program). Now set a

breakpoint at line 0807c585 (make sure you're in the command window of

DDD):





	(gdb) break *0x0807c585





For those new to DDD, don't type in the "(gdb)", that's the debugger

prompt. Now type "run" and mxaudio will load. When the nagscreen is

displayed push the "Enter License Key" button and enter some random

numbers/letters before pushing "OK". DDD will now snap and you can

disassemble the current line by typing the following commmand:





	(gdb) x/i $eip





You might want to close the source window (View -> Source Window) and

instead open the machine code window (View -> Machine Code Window). Make

sure you have the option to display machine code set (Source -> Display

Machine Code) as well.



OK, so now we are at line 0807c585 and we can now see the value of ecx and

thus determine the location of the function that is about to be called.

Select "Status -> Registers" from the DDD menu or type "info registers" -

you will see that the value of ecx is 0x806af1e, so we can now look up the

function in our dead listing:





0806af1e pushl  %ebp

0806af1f movl   %esp,%ebp

0806af21 subl   $0x30,%esp

0806af24 pushl  %edi

0806af25 leal   0xffffffd0(%ebp),%eax

0806af28 pushl  %esi

0806af29 pushl  %ebx

0806af2a movl   0x8(%ebp),%edi

0806af2d pushl  %eax

0806af2e pushl  %edi

0806af2f call   08090c7f  ; this is the one! The license validation call

0806af34 movl   %eax,%esi

0806af36 movl   $0x1,0x8203c68

0806af40 addl   $0x8,%esp

0806af43 testl  %esi,%esi

0806af45 jne    0806af75





Looking at the call to 08090c7f at line 0806af2f, our Geiger counter goes

beserk and we immediately "feel" we are in the right place - there is a

call to strlen and instructions comparing registers to 0x2D (the '-'

character, present in all too many serial numbers). This function is

obviously the license key validation routine (it is called from two

places, the function we came from and one other location, 0805f4e7. If you

check out the other caller you will see a call to fopen and fgets just

before this validation routine is called, so it is obviously reading the

license key from the license file on startup, if it is present).



As I said before I do not like huge dumps of disassembled code and the

purpose of this essay is not to provide you with a ready-made crack, but

rather to illustrate an approach. Therefore I will only show excerpts of

the license key validation routine, and will leave it as an excercise to

the reader to investigate more thoroughly.





Referenced from call at 0805f4e7 ; 0806af2f ;

.

.

.

Reference to function : strlen



08090cb5 call   08050a30

08090cba addl   $0x8,%esp

08090cbd movl   %eax,%eax

08090cbf cmpl   $0x1e,%eax           ; is the code > 30 chars?

08090cc2 je     08090cce             ; carry on if so

08090cc4 movl   $0xfffffffe,%eax

08090cc9 jmp    080911ea             ; else beggar off

.

.

.

08090d0f addl   $0x4,%eax

08090d12 cmpb   $0x2d,(%eax)          ; is the 5th char a '-'?

08090d15 je     08090d21              ; carry on if it is

08090d17 movl   $0xfffffffb,%eax

08090d1c jmp    080911ea              ; else beggar off

.

.

.

08090d49 pushl  %eax                  ; a character from the license key

08090d4a call   08090bbc              ; is passed to this hex to int

08090d4f addl   $0x8,%esp             ; conversion routine, called

08090d52 movl   %eax,0xffffffc4(%ebp) ; repeatedly throughout this

.                                     ; validation process

.

.

08090d9a addl   $0xd,%eax

08090d9d cmpb   $0x2d,(%eax)         ; is the 14th char a '-'?

08090da0 je     08090dac             ; go on if it is

08090da2 movl   $0xfffffffb,%eax

08090da7 jmp    080911ea             ; else beggar off

.

.

.

08090ec0 movl   0xc(%ebp),%eax       ; load value of the 19th - 22nd

08090ec3 movw   0x28(%eax),%dx       ; chars into dx

08090ec7 cmpw   %dx,0xfffffffe(%ebp) ; are they what they should be?

08090ecb je     08090ed7             ; carry on if so

08090ecd movl   $0xfffffffd,%eax

08090ed2 jmp    080911ea             ; else beggar off







The above check compares the value of the 19th to 22nd chars of the

license key to a generated number (this number depends on the earlier

characters in the license key). If the numbers match the validation

routine will continue. Since we already know that the license key is 30

characters longs and has a hypen ('-') as the 5th and 14th characters, we

can set a breakpoint at 08091004 and enter a license key such as:





	1212-12121212-1212121212121212



	

We can then run up to the check above where it can been seen that the

value of dx is 1212. To see the value that it should be, use the following

command:





	(gdb) x/w 0xfffffffe+$ebp

	



The last 4 digits of the value printed are the ones that should be at the

19th to 22nd position in the license key - in this case the value is 31e7,

so we can modify the license key like so:



	

	1212-12121212-121231e712121212

	



Now the validation routine will continue over the previous check until it

reaches the below (final) check:





08091001 movl   0x2c(%eax),%edx       ; load 23rd to 30th chars into edx

08091004 cmpl   %edx,0xfffffff8(%ebp) ; are they correct?

08091007 je     08091013              ; you're registered!

08091009 movl   $0xfffffffc,%eax

0809100e jmp    080911ea              ; else beggar off

	

	

The following command will then show the last 8 characters which should be

at the 23rd to 30th position in the code, giving a valid license key which

will register the program:



	

	(gdb) x/w 0xfffffff8+$ebp

	

	

No, I'm *not* going to tell you what those characters are, that's not the

object of this exercise - instead I recommend you try it for yourself and

see just how much fun reversing Linux is (then of course you should either

delete this app or register it).



I think (or at least hope) that this essay should provide anyone who wants

to delve further into reversing an X application with a starting point,

and perhaps show how one can locate the code associated with a specific

"widget", which is often a good place to start.



Before the bell rings I have one final assignment, your homework: get

Linux and install it on your computer. Use it, and enjoy it. Then convert

someone else to it, and install it on their computer, and get them to

convert someone else...and so on. Linux is great OS, and will easily do

what you want (this entire essay has been constructed with Linux -

completely M$ free!) and more.





Good Hunting,

+ReZiDeNt



July 1998





Greetz go to:



fravia+ (keep up the good work!), SiuL+Hacky (great Linux essays!),

Hackmore+Readrite, Mammon, The+Intern and the rest of the Visual Assembler

team, and last (but in no way least) +ORC!





Final Notes

Get Linux NOW! 

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?