Proj 13. IDA Pro Challenges (10 pts + 30 extra)

What you need:

Purpose

You will use IDA Pro Free to disassemble and analyze Windows executable files.

Downloading the Files to Examine

If you are using the VM handed out by your instructor, the files you need are already on the disk in the C:\IDA folder.

Otherwise, download these files into the C:\IDA folder.

Initial Recon

First let's run the program to find out what it does. Click Start, type in CMD, and press Enter to open a Command Prompt window.

Execute these commands:

cd \IDA
dir
crackme-121-1.exe
A "Usage" message appears, as shown below. The program is asking for a password.

We now have some strings from the program to give us a starting point: "Usage", "crackme", and "password".
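The same starting point can be found without executing the file, which is the safer order of operations when the binary is untrusted: scan the image for runs of printable bytes, the way the strings utility does, and only then run it in a throwaway VM. The scanner below is an added example and is not part of the course materials. The buffer it scans is constructed here to mimic a fragment of a PE image (an MZ stub, the cmp/jz sequence you will meet in module A, and two literals); it is not taken from crackme-121-1.exe.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STR 64   /* longest string we copy out; longer runs are truncated */

/* Constructed sample bytes (not the real crackme): a DOS header fragment,
 * the x86 encoding of push ebp / mov ebp,esp / cmp [ebp+8],2 / jz, the usage
 * literal, a call/ret, the password literal, and a 2-byte string that is too
 * short to be reported at the usual minimum length of 4. */
static const unsigned char sample_image[] =
    "MZ\x90\x00\x03\x00\x00\x00"
    "\x55\x8B\xEC\x83\x7D\x08\x02\x74\x1A"
    "Usage: crackme-121-1 password\x00"
    "\xE8\x00\x00\x00\x00\xC3"
    "topsecret\x00"
    "OK\x00";

/* Scan buf for runs of at least min_len printable ASCII bytes (0x20..0x7E),
 * copying each run NUL-terminated into out[]. Returns the number of strings
 * stored, capped at max_out. Non-printable bytes, including NUL, end a run. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                       char out[][MAX_STR], size_t max_out)
{
    size_t count = 0, run = 0;
    char cur[MAX_STR];

    /* i == len is a final pass that flushes a run ending at the buffer end */
    for (size_t i = 0; i <= len; i++) {
        int printable = (i < len) && buf[i] >= 0x20 && buf[i] <= 0x7E;
        if (printable) {
            if (run < MAX_STR - 1)
                cur[run] = (char)buf[i];
            run++;
            continue;
        }
        if (run >= min_len && count < max_out) {
            size_t n = run < MAX_STR - 1 ? run : MAX_STR - 1;
            memcpy(out[count], cur, n);
            out[count][n] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}

/* Convenience wrapper: strings of length >= 4 in the constructed image. */
size_t sample_strings(char out[][MAX_STR], size_t max_out)
{
    return extract_strings(sample_image, sizeof sample_image, 4, out, max_out);
}

int main(void)
{
    char found[16][MAX_STR];
    size_t n = sample_strings(found, 16);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", found[i]);
    return 0;
}
```

The two strings it reports are exactly the ones worth feeding to IDA's text search; the lone 'U', '}' and 't' bytes inside the instruction encodings show why a minimum length is needed to keep opcode bytes that happen to be printable out of the list.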

Launching IDA Pro Free

Start IDA Pro Free.

When you see the IDA window shown below, click the OK button.

Click "I Agree".

In the "Welcome to IDA!" box, as shown below, click the New button.

In the "About" box, click the OK button.

Loading the EXE File

In the "Welcome to IDA" box, click the New button.

In the "New disassembly database" box, click "PE Executable", and then click OK, as shown below:

In the "Select PE Executable to disassemble" box, navigate to C:\IDA\crackme-121-1.exe and double-click it.

In the "Welcome to the PE Executable file loading Wizard" box, click the Next button, as shown below:

In the "Segment Creation" box, click Next.

In the "File loading" box, click Finish.

A box pops up saying "...the input file was linked with debug information...", as shown below. Click the Yes button.

Viewing Disassembled Code

In IDA Pro, find the "View-A" pane, which shows boxes containing code linked to other boxes in a flowchart style. Maximize this pane, by clicking the button indicated by the arrow in the figure below:

Close the "Graph Overview" box in the lower right corner.

Drag the lower border of the "View-A" pane down, to make as large a viewable area as possible.

From the IDA menu bar, click Search, Text.

Search for crackme as shown below.

Click OK.

Right-click in the "View-A" box and click "Fit window", as shown below:

You should now see the entire program shown as six boxes connected by lines, as shown below. (Ignore the two extra boxes at the upper left):

For this project, I have labelled the modules with letters as shown below:

Right-click in the "View-A" box and click "Zoom 100%", as shown below:

Click and drag the "View-A" display as needed to make module A visible, as shown below:

The assembly code is hard to read, but you don't need to understand it all. Focus on the last two instructions:

cmp     [ebp+arg_0], 2
jz      short loc_4113C2

The cmp (Compare) instruction subtracts 2 from the value stored at [ebp+arg_0] and sets the CPU flags; jz (Jump if Zero) then transfers control to loc_4113C2 only if the Zero flag is set, that is, only if the two values were equal. IDA names a function's first stack argument arg_0, and for main that is argc, the count of command-line words including the program name itself. So this pair of instructions asks "was exactly one argument supplied?" and takes the jump when the answer is yes.

C Source Code

Here is the actual C source code for the file you are disassembling. Module A is the assembly code for the first "if" statement, labelled with the yellow "A" box below:

Drag the "View-A" display to make Module C visible, as shown below:

Notice the gray readable text on the right side, saying "Usage: crackme-121-1 password".

This module pushes the address of that string onto the stack with a push command (printf takes a pointer to its format string, so it is the string's location in the data section that is pushed, not the characters themselves), and then calls the C library's printf through the import table with the call   ds:_imp_printf command.

The figure below shows the C statements that compile to the "C" module:

Follow along in IDA Pro and make sure you see what each of the six modules do, and how they correspond to the C source code.

Finding the Password

Drag the "View-A" screen to show module "B", as shown below:

The password "topsecret" is visible: it is the string literal that module B compares against the command-line argument, and because it is stored in plain text in the executable's data section, it shows up in the disassembly exactly as it would in a strings listing.
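To tie the six modules back to source, here is a reconstruction of the crackme's logic written for this page from what the disassembly shows. It is an added example, not the course's actual source file: the argc test, the usage string, the strcmp against "topsecret" and the success message come from the page, while the result codes and the text of the wrong-password branch are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The literal is stored in the .rdata section of the compiled binary, which
 * is why IDA's text search and a strings listing both find it immediately. */
#define EXPECTED_PASSWORD "topsecret"

/* Result codes are an assumption for testability; the real program's exit
 * status is not shown on the page. */
enum crackme_result { CRACKME_OK = 0, CRACKME_USAGE = 1, CRACKME_WRONG = 2 };

/* Module A in IDA:
 *     cmp     [ebp+arg_0], 2    ; arg_0 is main's first argument, argc
 *     jz      short loc_4113C2  ; equal -> go on to the password check
 * argc includes argv[0] (the program name), so 2 means one real argument. */
static int has_exactly_one_argument(int argc)
{
    return argc == 2;
}

/* Module B in IDA: the candidate and the literal are pushed, strcmp is
 * called, and the compiler tests its return value to pick the next block. */
static int password_matches(const char *candidate)
{
    return strcmp(candidate, EXPECTED_PASSWORD) == 0;
}

/* The whole program, factored so it can be called with constructed argv
 * arrays; returns the code main() would exit with. */
int crackme(int argc, char **argv)
{
    if (!has_exactly_one_argument(argc)) {
        /* Module C: push the address of the usage string, call printf
         * through the import table */
        printf("Usage: crackme-121-1 password\n");
        return CRACKME_USAGE;
    }
    if (password_matches(argv[1])) {
        printf("You found the password!\n");
        return CRACKME_OK;
    }
    /* Assumed wording: the page never shows the wrong-password branch. */
    printf("Wrong password.\n");
    return CRACKME_WRONG;
}

int main(int argc, char **argv)
{
    return crackme(argc, argv);
}
```

Compile it with any C compiler and run it with no argument, with wrongpassword, and with topsecret; the three paths match the three command lines used on this page. Loading your own build into IDA is a good way to confirm the mapping, since the same cmp/jz and strcmp call sequence will appear, only at different addresses.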

Running the Executable

Click Start, type in CMD, and press Enter to open a Command Prompt window.

In the Command Prompt window, execute these commands:

cd \IDA
crackme-121-1 wrongpassword
crackme-121-1 topsecret
You should see the message "You found the password!", as shown below:

13.1: Recording Your Success (10 pts)

Find the word covered by a green box in the image above.

Use the form below to record your score in Canvas.

Name or Email:
Word:

13.2: crackme-121-2 (10 pts extra)

Analyze crackme-121-2 in the C:\IDA folder. Find the password.

It is very similar to crackme-121-1. Use IDA Pro to find the password, and run the program with the correct password, so you see a "Congratulations" message.

Use the form below to record your score in Canvas.

Name or Email:
Complete command line like this:
     crackme-121-1 topsecret

13.3: crackme-121-3 (10 pts extra)

Analyze crackme-121-3 in IDA. Find the correct command line.

It is very similar to crackme-121-1. Use IDA Pro to find the password, and run the program with the correct password, so you see a "Congratulations" message.

Use the form below to record your score in Canvas.

Name or Email:
Complete command line like this:
     crackme-121-1 topsecret

13.4: crackme-121-4 (10 pts extra)

Analyze crackme-121-4 in IDA. Find the correct command line.

Use the form below to record your score in Canvas.

Name or Email:
Complete command line like this:
     crackme-121-1.exe topsecret

Integrated with Canvas 9-25-18