Homework 4: l337 h4xx0r 5killz - cracking a protected binary

In this homework, we learn about the structure of binary programs by practicing our reverse-engineering skills. A binary program is provided (unique to each student). The program is meant to accept a license key on the command line, verify the key locally, and then call in to a server for activation, after which point the program runs.

Unfortunately, you seem to have misplaced your license key, and no matter how many different keys you try, you can't find a key that works. Thus....

Your mission, should you choose to accept it, is to subvert this program into running correctly without a correct license key, and to do so without calling in to the activation server, revealing your top-secret location.

More specifically, you are to modify this binary executable, changing only a few bytes of the provided binary, to make it appear to work normally, except that it accepts any license key, and does not contact the activation server when run.

Getting Started Cracking

There is no source code provided, nor are you expected to turn in source code for this homework. Instead, we analyze and modify an existing binary. Our main tools for this job: gdb, objdump --disassemble, and readelf -a to analyze and reverse-engineer the program. To edit the program, you may use your hexadecimal editor of choice.

One nice hex editing solution is this: convert the binary to an editable ASCII file with xxd. Edit the file with any editor. Convert back to binary with xxd -r. Don't forget to chmod +x the final file if you want to run it, xxd doesn't do that by default.

Note: you are expected to edit the binary, not produce a new binary by reverse-engineering and re-writing in C, nor by disassembling and reassembling. We'll compare the turned-in binary to the original with cmp, and we expect to see only several modified bytes.

A bit of help along the way

The supplied program contains four protection mechanisms that you need to subvert. After you have subverted the first one, the program outputs

License key valid, thank you.

After you have subverted the second one (this could happen in one step, depending on your approach), it outputs:

Everything seems to be in order. Moving along to server license key validation.

Your program then "activates" with the license server, which reports activations on this page: http://bits.cs.uic.edu/cs361/activations.txt

Here, the most insidious aspect of the report is the IP address, which identifies you as the license violator, and which is not within your control to change. You must stop this activation from happening. Important function calls for the network activation are connect() and send().

However, you'll find that simply skipping the network activation step results in a broken program: the server sends back binary code with crucial functionality as part of the activation process. You need to capture this binary code, and store it permanently in your program so it can run without activation.

Without the code from the server, the program crashes or doesn't do anything. With the code, it displays a little ASCII animation.

New checkout and turn-in instructions

For this homework, a new directory has already been created in your turn-in folder, called hw4. To retrieve it, go to your turn-in folder and type svn up. The folder contains two binaries (orig and hw4), a shared library (hw4.so) and a Makefile. Note that orig and hw4 is unique to your netid in several ways.

Make your changes to hw4, and svn commit when finished. In addition, create a new file called "patches_applied.txt", where you describe each change you made briefly, in the format , like this:

0af8-0b70 replaced foo with bar to make a better foobar