Hands-on: reverse engineering and cracking PC clients under Windows


0x00 Why I wrote this article

For newcomers, web security appears to have a very complete body of knowledge and a well-defined vulnerability discovery process. People who are just getting started tend to pick the web direction, because penetration testing a web system seems to give a greater sense of achievement, and many beginners also think the web is easier to learn. PC client vulnerability discovery, on the other hand, involves some low-level knowledge of the computer and the operating system, so many people are afraid to go near it. In reality, finding PC client vulnerabilities is much easier than most people imagine; you do not even need to be proficient in assembly to find simple ones. Assembly is still the foundation of PC client vulnerability work, though, so it is best to learn it well.

In addition, discovering PC client vulnerabilities is like discovering web vulnerabilities: both require care and patience. You must learn to pay attention to every detail and understand how the system and the software work together. This article focuses on discovering PC client vulnerabilities under Windows and does not cover memory corruption topics such as buffer overflows and ROP.

0x01 Tools

PC client vulnerability discovery relies mainly on reverse engineering and process monitoring.

For reverse engineering I recommend two tools: IDA Pro for static analysis, and OllyDbg, which is the most comfortable choice for dynamic debugging. Both can be downloaded directly.

Process monitoring tools fall into two groups: those that monitor a process's local behaviour and those that monitor its network behaviour.

For local behaviour monitoring I recommend Process Explorer (process monitoring) and Autoruns (enumeration of autostart entries). Both are Sysinternals tools; they get less attention than they deserve, but they are very useful.

Process Explorer process monitoring



Autoruns process monitoring tool

Among the local monitoring tools there are also some dedicated to the registry. I recommend the following:

Process Monitor: a powerful monitoring tool (registry, file system, process and network activity) that lets you add filter rules, which is very convenient.

Regshot: a registry snapshot and comparison tool; by saving a snapshot before and after an action and comparing the two you can find out which registry values changed.

RegFromApp: also a per-process monitoring tool; you pick a process and it tracks the modifications that process makes to the registry.

For network behaviour monitoring, Wireshark is the obvious choice. There is another very handy tool, WSExplorer (per-process packet capture), from the Year Alliance.






WSExplorer is very convenient: the left pane lists processes and the right pane shows the packets captured for the selected process.

With the tools above we can find out what a program does on our machine, and then move on to the next step, vulnerability discovery.

0x02 Defects

No developer can produce a program that is completely free of vulnerabilities, and the larger the program, the more certain it is to have some. What we need to know is which places are most prone to them.

Client authorization and authentication vulnerabilities:

Commercial client software usually ships with an authorization and authentication module. Whatever form it takes, its purpose is simply "whoever paid can use it, whoever did not cannot". Verification is generally based on a registration code that is bound to the machine code of the individual computer, or tied to some personal authentication mechanism. Authorization vulnerabilities lead to cracked software and features and to the circulation of pirated copies. They are usually caused by developers not paying enough attention to the confidentiality and robustness of the authorization check during development.

Client network service vulnerabilities:
These are generally caused by the client failing to authenticate strictly when sending or receiving packets, which can allow privileged services to be invoked unconditionally.

Client functional logic vulnerabilities:
These are generally caused by unreasonable design of the client's functions and can lead to serious consequences such as unauthorized access.

Client overflow vulnerabilities:
These require a relatively difficult amount of reverse engineering; they are mainly caused by mistakes in memory management during development or by the execution logic of the program itself.

This article covers only the first three types.

0x03 Hands-on

Client functional logic vulnerabilities:
Hunting for these means focusing on the logic between client functions, much like web logic vulnerabilities. The difference is that, on a client, part of that logic is also visible in the decompiled code. In the usual case, the vulnerability is exploited by modifying the jump logic at the key function call. The main reason this works is that client logic tends to be too simple and uses very little logical checking. Such vulnerabilities are not common in fully featured clients.

Client authorization and authentication vulnerabilities:
1. Cracking based on the local registry:

Although some software uses the network for authorization, a flaw in how the trial count is designed and verified can allow unlimited trial use by modifying the registry, resulting in "use without paying", that is, an authorization vulnerability. The client program below is such a case: when we first open it, it tells us that 29 trials remain.

Now we open Process Monitor and use its filter function to add a whitelist rule so that Procmon only shows information about this process.



Add a filter whitelist so that only this process is shown

Then stop the capture, close and restart the client. After repeating this several times, we observe that every time the client is opened it performs a RegSetValue (registry value modification), as follows:

Testing shows that the remaining number of trials is the integer 30 minus the value of a registry value named Nowtimes.

So we write a BAT script that resets the value the client reads, and let it run automatically whenever the client starts; the trial count is then pinned at 30 and never decreases.

rem reset the trial counter before the client starts
reg add "HKCU\Software\<client name>\<key path>" /v Nowtimes /t REG_DWORD /d 0 /f
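As an added example (not the article's own script, and not a real capture), here is how the filtering and arithmetic from the steps above look in code: a small Python script that reads a Process Monitor CSV export, keeps only the RegSetValue operations of the target process, works out the remaining trials as 30 minus the Nowtimes value, and emits the matching reg add line for the start-up .bat. The process name trialclient.exe, the key path HKCU\Software\TrialClient\License and the CSV rows are all invented for the example; only the column layout follows Procmon's CSV export.

```python
r"""Added example (not the article's own script): sift a Process Monitor CSV
export for the registry writes a trial-limited client makes at start-up, then
derive the remaining-trial count the article describes (30 - Nowtimes).

Assumptions, all hypothetical: the client process is trialclient.exe, it
writes HKCU\Software\TrialClient\License\Nowtimes, and the rows below were
hand-written to mimic Procmon's "File > Save... > CSV" column layout.
"""
import csv
import io
import re

# Constructed sample in Procmon's CSV column layout (not real capture data).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0131","trialclient.exe","4120","RegOpenKey","HKCU\Software\TrialClient\License","SUCCESS","Desired Access: Read/Write"
"10:02:11.0133","trialclient.exe","4120","RegQueryValue","HKCU\Software\TrialClient\License\Nowtimes","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:02:11.0140","trialclient.exe","4120","RegSetValue","HKCU\Software\TrialClient\License\Nowtimes","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:02:11.0155","explorer.exe","1288","RegSetValue","HKCU\Software\Microsoft\Windows\Shell\BagMRU","SUCCESS","Type: REG_BINARY, Length: 8, Data: 00 00 00 00 00 00 00 00"
"10:02:11.0162","trialclient.exe","4120","RegSetValue","HKCU\Software\TrialClient\License\LastRun","SUCCESS","Type: REG_SZ, Length: 22, Data: 2024-01-01"
'''

TRIAL_LIMIT = 30  # the constant the article found the client subtracts from

DETAIL_RE = re.compile(r"Type: (\w+), Length: \d+, Data: (.*)$")


def registry_writes(csv_text, process_name):
    """Return (path, reg_type, data) for every RegSetValue the process made.

    This mirrors the two Procmon filters the article applies by hand:
    a process-name whitelist and an operation filter on RegSetValue.
    """
    writes = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "RegSetValue":
            continue
        match = DETAIL_RE.search(row["Detail"])
        if match:
            writes.append((row["Path"], match.group(1), match.group(2)))
    return writes


def remaining_trials(csv_text, process_name, value_name="Nowtimes"):
    """Return (value_path, TRIAL_LIMIT - counter) for the trial counter write."""
    for path, reg_type, data in registry_writes(csv_text, process_name):
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == value_name.lower() and reg_type == "REG_DWORD":
            return path, TRIAL_LIMIT - int(data)
    return None


def reset_command(value_path, value_type="REG_DWORD", data=0):
    """Build the `reg add` line for a start-up .bat that pins the counter."""
    key, name = value_path.rsplit("\\", 1)
    return f'reg add "{key}" /v {name} /t {value_type} /d {data} /f'


if __name__ == "__main__":
    for write in registry_writes(SAMPLE_CSV, "trialclient.exe"):
        print("RegSetValue:", write)
    found = remaining_trials(SAMPLE_CSV, "trialclient.exe")
    if found:
        path, left = found
        print(f"{left} trials left; reset with:\n  {reset_command(path)}")
```

With the constructed capture the first run writes Nowtimes = 1, which is exactly the "29 trials left" the client reports above; the generated reg add line is the same shape as the BAT one-liner, just with the key quoted because real key paths often contain spaces.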



This vulnerability exists mainly because the authentication method is too simple: the counter is written straight into the registry, without any network check or encryption, and the value even has an obvious name, "Nowtimes". Registry-based vulnerabilities of this type are still relatively easy to find and exploit, and the problem is that there are many of them, so pay attention to the registry when hunting for vulnerabilities. If registry monitoring is blocked, we can use Regshot to take before-and-after snapshots and compare them instead.

2. Cracking network authorization verification by hosts-file spoofing

This part needs some reverse engineering knowledge. This time the client being cracked has no trial mechanism, so we turn to its network verification and look at how the client's network authorization check works.

Just enter a registration code.

Enter an arbitrary registration code and click OK. Using the error pop-up, we locate the client's registration check and verification function: load the client into OllyDbg, search for the string "Incorrect registration code", and follow the reference to the assembly window.


This gives us the address of the server used for registration authorization. To verify further, we use Wireshark to look at the network request the client makes when registering.


We can see that the client sends our machine code and several other fields in a request to the server's /verifycheck/login.php.

Back in the assembly window we can see several Unicode strings that look like possible server responses; we note them down.


Requesting the endpoint directly from a browser shows that the returned value matches one of the strings noted from the assembly window. So we guess that we can set up a fake server, modify the host's hosts file to redirect the request, and have our server return the "registration successful" response.


Edit the hosts file to map the server's domain name to the IP address of our own fake server

Returning different payloads from the server produces different responses from the client, which shows the attack is half-way there.


At this point we can rule out the other payloads and determine that a formatted date as the return value is the sign of a successful registration. So we return a formatted date, reopen the client, enter any registration code, and the registration success window appears.


The final payload
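The whole exchange above, as an added example that is not part of the original article and not the author's server: a minimal Python fake licence server that answers /verifycheck/login.php with a formatted date regardless of the registration code, together with the hosts-file line that redirects the real server name to it. The hostname license.example.com, the query parameters machine and reg, the use of GET, and the exact date format 2030-12-31 23:59:59 are all assumptions (the article only says the client sends its machine code plus a few other fields and that a formatted date means success).

```python
r"""Added example (not the article's own server): a fake licence server plus
the hosts-file line that points the client at it.

Assumptions, all hypothetical: the real server is license.example.com, the
client GETs /verifycheck/login.php?machine=<code>&reg=<key>, and the "success"
reply the article identified is a formatted date such as 2030-12-31 23:59:59
(the article does not give the exact format, so this one is invented).
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LICENSE_HOST = "license.example.com"    # hypothetical real licence server name
VERIFY_PATH = "/verifycheck/login.php"  # path seen in the article's capture
SUCCESS_PAYLOAD = "2030-12-31 23:59:59" # invented "formatted date" success reply


def hosts_line(fake_ip, hostname=LICENSE_HOST):
    r"""The line to append to %SystemRoot%\System32\drivers\etc\hosts."""
    return f"{fake_ip} {hostname}"


def fake_login_response(request_path):
    """Decide (status, body) for a request path, accepting any registration code.

    The client only checks that the body looks like a date, so the verify
    endpoint always gets the success payload; everything else is rejected.
    """
    url = urlparse(request_path)
    if url.path != VERIFY_PATH:
        return 404, "not found"
    params = parse_qs(url.query)
    if "machine" not in params:
        return 400, "missing machine code"  # keep the shape of a real server
    return 200, SUCCESS_PAYLOAD


class FakeLicenseHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = fake_login_response(self.path)
        data = body.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


def roundtrip_demo():
    """Start the fake server on a loopback port, play the client, return the body."""
    server = HTTPServer(("127.0.0.1", 0), FakeLicenseHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        # What the client would send after the hosts entry redirects it to us.
        url = f"http://127.0.0.1:{port}{VERIFY_PATH}?machine=ABCD-1234&reg=anything"
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("utf-8")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("hosts entry:", hosts_line("127.0.0.1"))
    print("client saw :", roundtrip_demo())
```

In the real attack the server listens on port 80 at the fake IP named in the hosts entry; the loopback port here exists only so the demo runs without privileges. The point the example makes is the one in the article's root-cause note: the client never binds the response to its request (no signature, nonce or TLS pinning), so whoever controls name resolution controls the licence decision.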



The root cause is that the data the client uses to validate the registration response is far too simple, so a "registration successful" response is very easy to forge. The client also resists decompilation very poorly: sensitive information is visible directly after decompiling. Hunting for this type of vulnerability requires some basic reverse engineering and networking knowledge; the focus is on the traffic between the client and the server, analysed with packet capture tools.

Client network service vulnerabilities:

Since the vulnerabilities I want to use as examples have not been fixed yet, I will not include examples here. Network service vulnerabilities are found mainly by analysing the client's network requests, using the per-process capture tool and Wireshark mentioned above. Most of them are caused by the client's network requests being unauthenticated, or authenticated with a very weak scheme, so that anyone can call the service in the client's name and reach private service interfaces without permission. They often appear in places such as the preview service for the client's VIP paid resources or the client's paid query interfaces: the insecure request can be intercepted and analysed, and then replayed to call the resource or interface without authorization. When hunting for these, pay close attention to the client's network layer and analyse, as far as possible, every function of the client that goes through the network server.


