How I cracked 010 editor as an RE challenge

Raviv Rachmiel
8 min read, Apr 6, 2022


The other day I tried to think of a nice challenge for beginner RE enthusiasts who would like to get experience from practical, real-world exercises and not just CTFs. Don't get me wrong, I'm the number one fan of CTFs and they are a great way to optimize your learning curve, but sometimes it feels unreal.

There is nothing more thrilling for me personally than opening a program to its curbs, understanding its structure and how we can maneuver it to our needs, and this is why I decided to try and crack a trial program just for research purposes.
Unfortunately for 010 Editor's authors, this is the program I chose, and I say "unfortunately" because when you get into the curbs of a program you also get to see all of the programmers' mistakes, but more on that later ;)

For those of you who are not familiar with 010 editor:

But before diving in I just want to emphasize that reversing a program is legal, but cracking a program and using it is by all means illegal. Therefore, this article is for research and study purposes only. Please don't use this as a method to crack a program and steal it.

First things First

1. Opening in IDA

Usually my first step is to open a file in pestudio and understand its structure, but here this stage was redundant because I knew exactly which file I was reversing and why. So I dove right into IDA64.exe with the 010editor.exe file.
This is the part where I like to start off with Lumina. Lumina is a fantastic tool enriched by researchers for researchers.

I elaborated on Lumina and Lumen in my previous article:

Under the assumption that someone had already investigated 010editor before me, I had a feeling this could progress my research quite a lot, and I wasn't wrong:

lumina: applied metadata to 311 functions.

Finding WinMain wasn't hard even without Lumina, and with Lumina it was already found. But in this kind of research, heading to the start of the program unfortunately won't be beneficial, because there is just too much setup code that would waste investigation time. With that, I headed to the next stage of the investigation.

2. Looking for meaningful strings

I headed to the strings window to look for some meaningful strings regarding the trial version time and membership.
I found this string useful:

and also these strings in the same flow:

Every time I found a flow or string that interested me, I placed a breakpoint there.

Going over the flow of those strings brought me to the next part of the research: going in depth into some meaningful flows.

3. Meaningful flows

Analyzing the code around the meaningful strings, I knew I was looking for an authentication of the serial number. I was looking for either a complex math routine or, more likely, some internet connection that would authenticate the serial number.
I found the following routine near the registration code:

In this routine I could see an HTTP check just before a big switch with options according to the result of the HTTP check.
One more interesting flow I found, which later turned out to be the most important one, is the routine of the password check:

In this flow, a password is being checked and something happens if it is accepted and passes all the checks, but we will leave that part to the dynamic analysis.
The start of this function is definitely another useful place to set a breakpoint.

4. Debugging

At this point, it is safe to say I had enough knowledge about the interesting parts of the flow, and we can start the dynamic analysis.
This part reminds me of playing at the casino: you start debugging the program hoping that one of your BPs catches.
Lucky for me, when pressing "Check Licence" in the 010 Editor trial version, I hit one of my breakpoints.

Once a breakpoint is hit, the interesting part starts: reverse engineering the flow and understanding the author's intentions from the code.

Playing with the memory leading to conclusions

While reverse engineering the routines, I had some beautiful insights about the way the programmers of 010 decided to design the code:

Main data structure

Turns out that the developers of the program decided they wanted one big global class that saves all the variables and also loads them. This was definitely a vector for further research: should I find the place where this DS is stored and manipulate it?
Reversing this DS got me to an interesting part of the code flow:

As we can see, this DS, stored in rax, has two fields: the saved start date and the current date.
This is definitely a flow we can patch so the trial would never end. We can also patch the current date to a past date and see 9999 days left in trial mode.

Security checks

Swimming in the code showed some security checks that I didn't waste time researching (which almost led to a huge mistake), but a quick scan showed checks regarding dates and password formatting.

Pwn Options

There are plenty of ways to crack 010 now that we know pretty much how they check the trial version and the serial key. I will focus on two clean and easy ways to crack the program:

1. Playing with the saved time and time checks

I can patch every comparison between the current date and the download date so it will give 9999:

Now, every time it calculates the number of days left it will be 9999.
Side note: I totally forgot about the tampered-clock message at this point.

The problem is, it turns out the developers added a security check that the maximum number of days left is not bigger than 30. If it is, a red flag is raised and saved in the program, and the trial automatically expires. When seeing this, I was curious to see whether any data about the cracker (me) is sent to the company. I always research on a disconnected virtual machine, so I wasn't afraid that anything would be sent, but it was still interesting to see how much effort the developers put into security. Turns out the answer is not that much, because apart from expiring the trial, nothing else happens.
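To make the dead end above concrete, here is a small model of a trial check built the way the post describes it: one global object holding the saved start date and the current date, a days-left computation, and an upper bound that flags anything above the trial length and saves the flag so the trial stays expired. This is an added illustration written for this article, not 010 Editor's code: the field names, the 30-day trial length, the return values and the sample dates are all assumptions. It shows why both the "force 9999" patch and the "set the current date into the past" idea from the previous section trip the same check.

```python
"""Model of a trial-period check with an upper bound on 'days left'.

Added illustration for this article; NOT 010 Editor's code. The shape
(saved start date + current date in one global object, a 30-day bound,
a persistent 'tampered' flag) follows the post; field names, the trial
length and the return values are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

TRIAL_DAYS = 30  # assumed trial length; the post says the bound is 30 days


@dataclass
class TrialState:
    """Stand-in for the 'one big global class' the post found in rax."""
    start_date: date        # saved when the trial was first run
    current_date: date      # read from the system clock
    tampered: bool = False  # red flag: once set, the trial is expired for good


def days_left(state: TrialState, forced_result: Optional[int] = None) -> int:
    """Return the remaining trial days, or 0 once expired or flagged.

    forced_result simulates the first patch in the post: every comparison
    between the two dates is replaced so the computation yields a constant
    (9999). The bound check below is what turned that patch into a dead end.
    """
    if forced_result is None:
        elapsed = (state.current_date - state.start_date).days
        remaining = TRIAL_DAYS - elapsed
    else:
        remaining = forced_result

    # Sanity bound: a trial can never have more days left than it started
    # with. Exceeding it (a patched constant, or a current date earlier than
    # the saved start date) raises the flag, which is saved and never cleared.
    if remaining > TRIAL_DAYS:
        state.tampered = True

    if state.tampered:
        return 0
    return max(remaining, 0)


def demo() -> dict:
    """Run the scenarios from the post on constructed dates and collect results."""
    results = {}

    honest = TrialState(date(2022, 3, 20), date(2022, 4, 6))
    results["honest"] = days_left(honest)                # 13 days left

    expired = TrialState(date(2022, 2, 1), date(2022, 4, 6))
    results["expired"] = days_left(expired)              # 0, not flagged
    results["expired_flag"] = expired.tampered           # False

    patched = TrialState(date(2022, 3, 20), date(2022, 4, 6))
    results["patched_9999"] = days_left(patched, forced_result=9999)  # 0, flagged
    results["patched_flag"] = patched.tampered           # True

    # "patch the current date to a past date": elapsed goes negative, so
    # remaining exceeds the bound exactly like the forced constant did
    clock_back = TrialState(date(2022, 4, 6), date(2022, 1, 1))
    results["clock_back"] = days_left(clock_back)        # 0, flagged
    results["clock_back_flag"] = clock_back.tampered     # True

    # the flag persists: an honest re-check afterwards is still expired
    results["after_flag"] = days_left(patched)           # still 0
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

The lesson for the patching approach is that the comparison is not the only place to look: the bound check (and wherever the flag is persisted) would have to be patched as well, which is why the post moves on to the serial check instead.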

2. Playing with the serial check

This pitfall made me stick with the other option: playing with the serial number check so that I get the full version. This option is usually better because it also grants any other features that the full version has and the trial doesn't.
For this part, I had to dive into the main flow of the serial number check mentioned above.

The chosen cracker

In this part I will go over the flow of the serial number check and all the places that needed to be modified:

1. First branching:

First check: the state we are in. Here, for example, after expiring my trial the JNZ would be taken, but I want the zero result of the CMP, so I modified the instruction.

2. Connect to website and check correctness of the serial number:

In this branch, the left part goes to check the legitimacy of the serial number with the program's server. This is the last thing I wanted, and that's why I patched all of this part out.

3. Last branching:

Honestly, I don't even know what the check was here, and it doesn't matter, as long as I got to the routine that prints that the password was accepted.

4. Debugging and checking if it works:

Looks like it did :)

There was one more patch I didn't document: the patch where I jump over the check of the serial format.
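The patches in steps 1 to 3 are the two classic binary-patching moves: invert a conditional jump (the JNZ in the first branching) and make a conditional jump unconditional so a whole block is skipped (the server check). The following script is an added example written for this article; it is not the author's patch set and does not contain 010 Editor's bytes. SAMPLE_STUB is a constructed x86-64 snippet and every offset refers to it. It also shows the check a practitioner wants in any patcher: verify the original bytes before writing, so a patch prepared against one build never lands on the wrong offset after the program is updated.

```python
"""Byte-level patches of the kind the post applies in IDA, as a script.

Added illustration for this article: SAMPLE_STUB is a constructed x86-64
snippet, not bytes from 010 Editor, and all offsets refer to it.
"""

# Constructed stub (not from 010 Editor):
#   00: 48 83 f8 00            cmp  rax, 0
#   04: 75 05                  jne  +5           -> 0x0b (skips the call)
#   06: e8 00 00 00 00         call <server_check>   (rel32 left as zero)
#   0b: 0f 85 10 00 00 00      jne  +0x10        (near form, for the rel32 case)
#   11: c3                     ret
SAMPLE_STUB = bytes.fromhex("4883f800" "7505" "e800000000" "0f8510000000" "c3")

# Short Jcc opcodes (7x rel8) and the near forms (0F 8x rel32). In both
# encodings the low bit of the opcode selects a condition or its negation,
# so JZ (74 / 0F 84) and JNZ (75 / 0F 85) differ by exactly that bit.
SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)
JMP_SHORT, JMP_NEAR, NOP = 0xEB, 0xE9, 0x90


def patch(image: bytearray, offset: int, expected: bytes, replacement: bytes) -> None:
    """Write replacement at offset only if the bytes there match expected."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change instruction length")
    actual = bytes(image[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError(f"bytes at {offset:#x} are {actual.hex()}, expected {expected.hex()}")
    image[offset:offset + len(replacement)] = replacement


def invert_jcc(image: bytearray, offset: int) -> None:
    """Flip the condition of the Jcc at offset (e.g. JNZ -> JZ), as in step 1."""
    op = image[offset]
    if op == 0x0F and image[offset + 1] in NEAR_JCC:
        op2 = image[offset + 1]
        patch(image, offset + 1, bytes([op2]), bytes([op2 ^ 1]))
    elif op in SHORT_JCC:
        patch(image, offset, bytes([op]), bytes([op ^ 1]))
    else:
        raise ValueError(f"no conditional jump at {offset:#x}")


def force_jcc(image: bytearray, offset: int) -> None:
    """Make the Jcc at offset unconditional, so the guarded block is always skipped."""
    op = image[offset]
    if op in SHORT_JCC:
        # 7x rel8 -> EB rel8: same length, displacement unchanged
        patch(image, offset, bytes([op]), bytes([JMP_SHORT]))
    elif op == 0x0F and image[offset + 1] in NEAR_JCC:
        # 0F 8x rel32 (6 bytes) -> 90 E9 rel32: the leading NOP keeps the jump
        # ending at the same address, so the rel32 displacement stays valid
        patch(image, offset, bytes([0x0F, image[offset + 1]]), bytes([NOP, JMP_NEAR]))
    else:
        raise ValueError(f"no conditional jump at {offset:#x}")


def apply_demo_patches() -> bytearray:
    """Apply both patch kinds to the constructed stub and return the result."""
    image = bytearray(SAMPLE_STUB)
    invert_jcc(image, 0x04)   # jne -> je at 0x04: the call is now made when rax == 0
    force_jcc(image, 0x0b)    # near jne -> nop; jmp rel32: the block after it is always skipped
    return image


if __name__ == "__main__":
    print("before:", SAMPLE_STUB.hex())
    print("after: ", apply_demo_patches().hex())
```

Both patches keep instruction lengths unchanged, which is what makes them safe to apply in place with a hex editor or IDA's patch dialog: no other offsets in the function move, and no relocations need fixing.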

To sum up all the patching (including the serial format):

Profit

End notes

I think this exercise is a great learning opportunity to deal with a massive amount of code and real software, not just a custom-made CTF challenge designed specifically to be completed.
With that said, I once again remind you that patching and using any kind of software is plagiarism and illegal.
This article is for educational purposes only, and you are not allowed to use it in order to crack 010editor, use a cracked 010editor, or distribute a cracked version of the program.

About me

I am a cyber security researcher with quite a bit of experience, especially in the field of reverse engineering.
Lately I decided to give myself some free time to just research and write about anything that comes to my mind, from CTF challenges to general ideas and even some PoCs regarding cyber security. This way I can practice two of my hobbies: reverse engineering and writing.

If you've found this article interesting and want to hear more from me, you can subscribe to my channel.
I set myself a challenge to post every two weeks, and up until now it looks more like a two-month routine, but let's see what happens.
