![Page 1: Breaking Protection - cs.sjsu.edu fileBreaking Protection 2 Overview Here, we discuss cracking examples](https://reader030.vdocuments.mx/reader030/viewer/2022040700/5d5547f988c99367778b8f0b/html5/thumbnails/1.jpg)
Breaking Protection
Overview
Here, we discuss cracking examples
Examples are not from real software
  o “Crackme” --- program designed for studying cracking/protection techniques
Why learn cracking?
  o So that you can better protect software
  o “…protection technologies developed by people who have never attempted cracking are never effective!”
Patching
Consider the following application
  o KeygenMe-3 by Bengaly
No useful info here
What to do?
Enter some data and see what happens
Patching
Get invalid serial number message:
Now what?
OllyDbg, of course…
Patching
Looking for message box
Patching
What about lpk.dll?
Patching
Imports/exports
Patching
References to MessageBoxA
OK, now what?
Patching
Third MsgBoxA reference
Patching
Now patch it in OllyDbg…
…success
Keygenning
Suppose program asks for ID & serial number
Such a program may have keygen algorithm
  o Generate a “key” or serial number based on ID
Attacker might want access to keygen algorithm
Why?
  o To generate many valid ID/serial number pairs
  o Why isn’t 1 such pair sufficient?
Ripping Keygen Algorithm
Goal is to create working copy of keygen algorithm
Just for creating valid ID/serial number pairs
This code can be “ripped” from the application
Following example is from…
  o KeygenMe-3 by Bengaly
Ripping Keygen Algorithm
Code Part 1
Ripping Keygen Algorithm
Code Part 2
Ripping Keygen Algorithm
Code Part 3
Ripping Keygen Algorithm
Take a look at Key4.00401388
Ripping Keygen Algorithm
Code for keygen algorithm…
Uppercase asm is ripped from app
Note: there is no need to understand the details!
Ripping Keygen Algorithm
Insert previous code into console app
And try it out…
Advanced Cracking: Defender
Application developed to demonstrate protection techniques
  o “…similar to what you would find in real-world commercial protection…”
Difficult, but not impossible
  o “…all it takes is a lot of knowledge and a lot of patience”
Defender Interface
Launch without command-line options
Defender Interface
Launched with “random” username/serial number
Defender: Linked Modules
Load into OllyDbg and look at Executable Modules window
  o Gives exe modules that are statically linked
Just standard stuff here
Defender: Imports/Exports
Imports/exports
Only API called is IsDebuggerPresent?
  o This is very strange
Defender: DUMPBIN
Anything?
Still just one API?
What about summary?
DUMPBIN /HEADERS
Try long listing --- find the following
DUMPBIN /HEADERS
And…
DUMPBIN /HEADERS
And…
DUMPBIN /HEADERS
And…
Strange Section Names
May be indication that program is packed
What to do?
Try unpacking
Will only work if it is standard packer
Defender: PEiD
Try PEiD for common packers
Nothing interesting…
Defender: Initialization
Want to figure out where “Bad key, try again” msg comes from
  o But, Defender does not call any API???
  o So, no obvious place to set break point
What to do?
Look at initialization routine…
Initialization Disassembly I
Initialization Disassembly II
Initialization Disassembly III
Initialization Disassembly IV
Initialization Disassembly V
Initialization
Consider this code
fs register for thread-related info
  o What’s at offset “+30”?
Initialization
For any thread fs:0 is “Thread Environment Block” (TEB)
What to do?
Look up the TEB data structure…
TEB
At +30 we have PEB
  o Process Environment Block
Just like TEB, but for a process
  o Program accesses +c in PEB
So, program accesses PEB via TEB
PEB
What is at +c in PEB?
  o _PEB_LDR_DATA
Go look at that data structure…
_PEB_LDR_DATA
Program gets +c here too
LIST_ENTRY
Look at data structure (next slide)
LIST_ENTRY
Goes to offset +0 here
  o That is, LIST_ENTRY again
LIST_ENTRY
Goes to offset +18 here
  o That is, DllBase
What Does it all Mean?
After all of that, program has found base of some DLL
Dump loader data structures
  o InLoadOrderModuleList from PEB_LDR_DATA
  o Next slide…
Initialization
Initialization
Bottom line?
The function at 00402EA8 obtains in-memory address of NTDLL.DLL
Program must communicate with OS
  o And this is a highly obfuscated way to (begin to) do so!
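The pointer chain traced on the preceding slides (TEB +30, PEB +c, _PEB_LDR_DATA +c, LIST_ENTRY +0, then +18), replayed over a constructed 32-bit memory image so each read can be checked. This is an added example, not code from the slides or from Defender; the `Memory` helper is hypothetical and every address and module base below is made up.

```python
import struct

# 32-bit structure offsets, as read off the slides.
TEB_PEB = 0x30         # TEB -> PEB pointer (fs:[30h])
PEB_LDR = 0x0C         # PEB -> _PEB_LDR_DATA pointer
LDR_LOAD_ORDER = 0x0C  # _PEB_LDR_DATA -> InLoadOrderModuleList (a LIST_ENTRY)
FLINK = 0x00           # LIST_ENTRY.Flink, pointer to the next entry
BLINK = 0x04           # LIST_ENTRY.Blink, pointer to the previous entry
DLL_BASE = 0x18        # DllBase inside a module's loader entry


class Memory:
    """Sparse little-endian 32-bit address space (hypothetical helper)."""

    def __init__(self):
        self.regions = []  # (base, bytearray) pairs

    def map(self, base, size):
        self.regions.append((base, bytearray(size)))

    def _locate(self, addr):
        for base, buf in self.regions:
            if base <= addr and addr + 4 <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#010x}")

    def write32(self, addr, value):
        buf, off = self._locate(addr)
        struct.pack_into("<I", buf, off, value)

    def read32(self, addr):
        buf, off = self._locate(addr)
        return struct.unpack_from("<I", buf, off)[0]


def second_module_base(mem, teb):
    """The five reads described on the slides, in order."""
    peb = mem.read32(teb + TEB_PEB)
    ldr = mem.read32(peb + PEB_LDR)
    first = mem.read32(ldr + LDR_LOAD_ORDER)  # first entry in load order
    second = mem.read32(first + FLINK)        # the entry after it
    return mem.read32(second + DLL_BASE)


def load_order_bases(mem, teb):
    """Walk the whole circular list and return every DllBase in load order."""
    peb = mem.read32(teb + TEB_PEB)
    head = mem.read32(peb + PEB_LDR) + LDR_LOAD_ORDER
    bases = []
    entry = mem.read32(head + FLINK)
    while entry != head:                      # the list is circular
        bases.append(mem.read32(entry + DLL_BASE))
        entry = mem.read32(entry + FLINK)
    return bases


def build_sample():
    """Constructed process image: the EXE first, NTDLL second, one more DLL."""
    mem = Memory()
    teb, peb, ldr = 0x7FFDE000, 0x7FFDF000, 0x00241E90
    mem.map(teb, 0x1000)
    mem.map(peb, 0x1000)
    mem.map(0x00241000, 0x2000)               # block holding the loader data
    mem.write32(teb + TEB_PEB, peb)
    mem.write32(peb + PEB_LDR, ldr)
    head = ldr + LDR_LOAD_ORDER
    modules = [(0x00241EC0, 0x00400000),      # the EXE itself
               (0x00241F28, 0x7C900000),      # NTDLL.DLL
               (0x00241FD0, 0x10000000)]      # some other DLL (placeholder)
    ring = [head] + [addr for addr, _ in modules]
    for i, node in enumerate(ring):
        mem.write32(node + FLINK, ring[(i + 1) % len(ring)])
        mem.write32(node + BLINK, ring[i - 1])
    for addr, base in modules:
        mem.write32(addr + DLL_BASE, base)
    return mem, teb


if __name__ == "__main__":
    mem, teb = build_sample()
    print(f"second module base: {second_module_base(mem, teb):#010x}")
    print([f"{b:#010x}" for b in load_order_bases(mem, teb)])
```

When reviewing a disassembly, a read of fs:[30h] followed by these +c/+c/+0/+18 dereferences, in a binary with almost no imports, is a recognizable sign that the code is locating a loaded module by hand.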
Initialization
Then what?
Next, goes to function at 004033D1
Listing starts on next slide…
Function at 004033D1
Function at 004033D1
Function at 004033D1
Function at 004033D1
Function at 004033D1
Boxed part represents 12 pages of “data”
Why all of this data embedded in code???
Function at 004033D1
“Data” is probably encrypted code
  o Goes from 4034DD to 403CE5
What about unencrypted parts?
Looks like a big if-then-else
  o But one clause looks like it’s “dead”
So look at the “live” branch…
Function at 004033D1
Note XOR at 403431
  o Appear to be XORing within a loop
  o Note that XORing a constant value
Beginning at 4033DD we see 4034DD put into [ebp-20h], via the stack
  o What’s special about address 4034DD??
At 403410, use [ebp-20h] to get initial address for XORing
Aha --- the decryption loop!
Decrypted Code
Use OllyDbg and breakpt at end of decryption loop (40346B)
Then OllyDbg shows the following
Tell OllyDbg to re-analyze code
  o Reveals many pages of decrypted code
Decrypted Code
Code digs thru NTDLL’s PE header
  o Gets export directory
For each export, “performs an interesting … bit of arithmetic on each function name string”
Code is on next slide…
Unusual Calculation
Debugger: [ebp-68] is len. of current string
  o [ebp-64] has its address
Then for each char in string, shifts left by its index, modulo 24
What the… ?
It’s a “checksum”
NTDLL
After all chars have been processed…
What’s going on here?
Looking for an export entry (NTDLL) that has “checksum” 39DBA17A
Put a breakpoint on line after JNZ…
  o …and [ebp-64] shows you what was found
Allocate Memory
It turns out that it calls
  o NtAllocateVirtualMemory
Which is (undocumented) native API equivalent of documented API
  o VirtualAlloc
It’s for allocating memory pages
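The name “checksum” from the preceding slides, written out so an analyst can map a checksum constant back to the export it selects without stepping through the loop. This is an added example, not code from the slides or from Defender. The slides give only the shift; accumulating the shifted characters by 32-bit addition is an assumption, and under it NtAllocateVirtualMemory yields the 39DBA17A constant seen above. The export list is a constructed sample of names that appear in these slides.

```python
MASK32 = 0xFFFFFFFF


def name_checksum(name: str) -> int:
    """Each character shifted left by (index mod 24), summed into 32 bits.

    The addition and the 32-bit wrap are assumptions (see the lead-in).
    """
    total = 0
    for index, byte in enumerate(name.encode("ascii")):
        total = (total + (byte << (index % 24))) & MASK32
    return total


def build_lookup(export_names):
    """Map checksum -> list of names.

    A list, because the checksum is weak and distinct names can collide:
    "AB" and "CA" both give 0xC5.
    """
    table = {}
    for name in export_names:
        table.setdefault(name_checksum(name), []).append(name)
    return table


def resolve(checksum, table):
    """Return every export name whose checksum equals the constant."""
    return table.get(checksum, [])


# Constructed sample: NTDLL export names mentioned in these slides.
SAMPLE_EXPORTS = [
    "LdrLoadDll",
    "NtAllocateVirtualMemory",
    "NtCreateThread",
    "NtDelayExecution",
]


if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    for value, names in sorted(table.items()):
        print(f"{value:08X}  {', '.join(names)}")
    print("39DBA17A ->", resolve(0x39DBA17A, table))
```

Because collisions are possible, a match from the table should be confirmed against the RVA the program actually uses before it is trusted.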
Read Time-stamp Counter
Code to call NtAllocateVirtualMemory
What is RDTSC?
  o “Read time-stamp counter”
  o A 64-bit counter, incremented at each tick
Parameters
Timestamp bits ANDed with constant
2nd parameter to memory alloc. function
Look at function prototype
  o Undocumented
Base Address
2nd param points to “base address”
This is where memory will be allocated
Allocate Memory
What just happened?
Generated a “random” number using timer
Use this random number as location (base address) for allocated memory
Interesting idea!
Parameters
Consider also 4th parameter
  o This gives the allocated block size
Loaded from [ebp-4]
Code on next slide involved with finding block size…
Parameters
Consider 4th parameter
Recall [ebp+8] is NTDLL base addr
Accesses PE hdr
Ptr to PE hdr stored in [ebp-74]
Get offset +1c
Parameters
PE header ==> What’s at +1c?
  o That is, at +4 in OptionalHeader
SizeOfCode
Size Calculation
Code below related to size calculation
Value read from [ebp-7c] points into NTDLL header
  o Beginning of NTDLL’s export directory
Q: What’s at offset +18?
A: NumberOfFunctions
Block Size
Final preparation of block size
So computed block size is…
  o NTDLLcodesize + NumExports * 8 + 8
Why?
Not clear at this point…
Checksum
Another strange checksum
  o This time, NTDLL’s export list
Includes following 2 lines:
First, is function’s checksum
Second is function’s RVA
Interesting Code
More “interesting” code
Memory Copy
Code on previous slide is a common “sentence” in assembly code
A memory copy
  o REP MOV repeatedly copies DWORDS from address at ESI to address at EDI until ECX is 0
So, what is being copied?
Memory Copy
ESI is loaded with [ebp+8]
Why is that familiar?
NTDLL’s base address
Then increment by value at [eax+2c]
  o BaseOfCode
EDI gets addr of new memory block
What Just Happened?
To recap…
Memory allocated at random location
In this memory, write a table of
  o Checksums of NTDLL exported functions
  o Corresponding RVAs
Finally, write a copy of entire NTDLL code section
Data Structure
Representation of description on previous slide
What’s Next?
After this, next function starts with…
Followed by…
Searching For…
What does this do?
Goes thru export table…
…looking for checksum 190BC2
That is, looking for a specific API
Found It — But What Is It?
This is what happens when entry found
Where have we (just) seen offset +4?
Apparently, that’s the RVA
  o Gets added to “base address” of NTDLL
Leaving User Mode
Later, we have this…
…which (eventually) calls this
SYSENTER is “kernel-mode switch”
  o So cannot follow with OllyDbg
What Now?
How to determine which system call?
Three choices…
  o Switch to kernel mode debugger (SoftICE)
  o Find RVA from checksum table (it’s probably the same as actual RVA in NTDLL)
  o Find system call based on order in checksum list (and hope order wasn’t changed)
Author chooses first option — SoftICE
System Call
First, it goes into KiSystemService
  o All system calls go thru this function
  o Look for CALL EBX, which transfers to actual system call
  o In this case, it’s NtAllocateVirtualMemory
  o Again???
Then back to user mode…
…and program calls NtCreateThread
Thread and Then…
After creating thread, calls “function” 006DEF20
Find that this is NtDelayExecution
  o Equivalent to SleepEx
This should “cause new thread to execute immediately”
Then calls “function” 403A41
Function 403A41
Function call just skips ahead 30 bytes
Those 30 bytes consist of…
Function’s only purpose is to avoid “executing” this string!
Then searches for 2 more “functions”
  o 6DEF20 and 1974C
SoftICE Disappears
Before getting to function 1974C, SoftICE disappears
  o Defender has quit
Apparently, secondary thread has killed primary thread
  o Secondary thread that was just created
Reversing Secondary Thread
This code is encrypted, like before
Set breakpoint after it’s decrypted
Obtain code on next few slides…
Function at 00402FFE (I)
More dead code at line 4030C7?
Note RDTSC at line 403007
Function at 00402FFE (II)
Note second RDTSC
Subtracted from first RDTSC ???
Function at 00402FFE (III)
Infinite loop at line 4030C2?
Comparison with constant at line 403077…
What “function” is 1BF08AE?
“Function” at 1BF08AE
Stepping into this, the compare (almost) always fails
This code is checking to see if process is paused
  o Recall the 2 calls to RDTSC
If paused, process is terminated
What’s the purpose?
Defeating “Killer” Thread
Patch code to avoid check…
However, you cannot save this change
o So, must do this in each debug session
Why can’t you save this change?
o Not clear at this point… we’ll see later
Breaking Protection 90
“Function” 1974C
This one is not a call into kernel
Instead, code contained in NTDLL
How to determine what API?
o Use RVA or its order in table
o Author uses order in export table
Finds result on next slide…
Breaking Protection 91
Loading KERNEL32.DLL
What is LdrLoadDll?
Native API version of LoadLibrary
What DLL is it loading?
We saw a name earlier: KERNEL32.DLL
Breaking Protection 92
Loading KERNEL32.DLL
As with NTDLL, Defender generates checksum/RVA table
Then inserts code section of KERNEL32.DLL
Breaking Protection 93
After Loading KERNEL32.DLL
Another “function” skips 30 bytes or so
What are those bytes?
Defender’s welcome message
o Ready to be printed out!
Breaking Protection 94
KERNEL32.DLL
Next, obfuscated call to something in KERNEL32.DLL
What could this be?
No need to work too hard…
…this must be printing welcome msg
Breaking Protection 95
Re-Encrypting
At end of this function, we have
JMP is far away, but we’ve been there…
Breaking Protection 96
Re-Encrypting
Breaking Protection 97
Re-Encrypting
Dead code … NOT!
This code very similar to decryption
o Convincing “dead code”?
But actually encryption code
o Computes checksum of encrypted code
o Jumps to end of encrypted code
Why re-encrypt???
Breaking Protection 98
Back at the Entry Point
Blah
Breaking Protection 99
Back at the Entry Point Blah
Breaking Protection 100
Parsing Parameters Blah
Breaking Protection 101
Parsing Parameters Blah
Breaking Protection 102
Parsing Parameters Blah
Breaking Protection 103
Processing Username Blah
Breaking Protection 104
Processing Username Blah
Breaking Protection 105
User Info Formula used to validate user input
Breaking Protection 106
User Info Blah
Breaking Protection 107
User Info Blah
Breaking Protection 108
User Info Blah
Breaking Protection 109
Unlocking Code
Breaking Protection 110
Brute-Forcing
Breaking Protection 111
Brute-Forcing Blah
Breaking Protection 112
Brute-Forcing Blah
Breaking Protection 113
Brute-Forcing Blah
Breaking Protection 114
Brute-Forcing Blah
Breaking Protection 115
Brute-Forcing Blah
Breaking Protection 116
Brute-Forcing Blah
Breaking Protection 117
Brute-Forcing Blah
Breaking Protection 118
Brute-Forcing Blah
Breaking Protection 119
Brute-Forcing Blah
Breaking Protection 120
Brute-Forcing
Blah
Breaking Protection 121
Brute-Forcing Blah
Breaking Protection 122
Brute-Forcing Blah
Breaking Protection 123
Brute-Forcing Blah
Breaking Protection 124
Brute-Forcing Blah
Breaking Protection 125
Brute-Forcing Blah
Breaking Protection 126
Brute-Forcing Blah
Breaking Protection 127
Brute-Forcing
Breaking Protection 128
Cracking Defender: Summary
Breaking Protection 129
Protections in Defender
Breaking Protection 130
Localized Encryption
Breaking Protection 131
Obfuscation
Breaking Protection 132
Time-Stamp Thread
Breaking Protection 133
Decryption Keys
Breaking Protection 134
Inlining
Breaking Protection 135
Conclusions
Breaking Protection 136
Assignment
Rip keygen code from “keygen.exe”
o http://www.cs.sjsu.edu/~stamp/CS286/progs/keygen.exe.zip
Make a separate app that generates valid serial number for given ID/username
Test on each of following ID/usernames
o aaaaa
o qwert
o qwerty