The recruitment process in big corporations usually takes a long time, so I was contacted two months later to set the logistics for a first interview. Since I possess 13 years of uninterrupted experience in reversing and securing software applications, I did not undergo through an exhaustive preparation. I just simply reviewed my CV and I asked myself possible questions.
The day of the interview, which took place at 6:30pm (my local time), was a tiring working day, but I was ready for it. The phone rang and after a short warm up, the security expert leading the chat described the recruitment process:
- A technical interview with a table composed by 3 members (That was actually the interview that I was about to have. Usually, candidates are informed in advance when these sorts of interviews are planned. However, that was not the case for me!!!! Nonetheless, I was still feeling confident);
- In case of passing the interview, a challenge would be sent so that I could show my skills. The challenge was actually a crackme;
- A face-to-face interview.
So well, the first interview
began. Without preparation at all, I fortunately managed to impress the panel
of security experts bombing extremely technical questions over 70 MINUTES!!! I
was not expecting such a technical and complex interview on the phone. It was
so technical that I had to dig into the deepest knowledge I had previously
gained in the area of Reverse Engineering. In total, I would say that I
probably answered around 40 questions. These are a few of them:
At the end of the interview, I knew that I had succeeded because their voices shouted enthusiastically. In fact, they sent me the crackme two days later. Here is how it looks like:
- Which are your major achievements in the field of Reverse Engineering?
- How did you implement RSA? In which context ?
- Tell us how your digital signature cryptosystem works.
- How do you ensure that your anti-tampering technique is not bypassed?
- How does your anti-debugging technique work?
- Tell us how AES decrypts data.
At the end of the interview, I knew that I had succeeded because their voices shouted enthusiastically. In fact, they sent me the crackme two days later. Here is how it looks like:
Figure 1
As per described in Figure 1, the
challenge consisted of discovering 3 passwords for different levels that were
disabled. Additionally, the crackme was secured with Themida, one of the toughest software protections.
Figure 2
That was a big hit between the
eyes, but by properly configuring one of my best friends, OllyDBG, I just got
rid of Themida and its debugger detection techniques. So, I started to reverse
the crackme to find out the passwords.
1. Level 1 password: A simple search of a referenced string ("Level 1 - ENABLED") leads to the point where the password for the first level is checked ("Encrypts the entered password" and "Compares two encrypted passwords" are just comments that I added).
1. Level 1 password: A simple search of a referenced string ("Level 1 - ENABLED") leads to the point where the password for the first level is checked ("Encrypts the entered password" and "Compares two encrypted passwords" are just comments that I added).
Figure 3
I will not reveal the algorithm, but basically, the entered password is encrypted and the resulting value compared with another encrypted string. Obviously, the decrypted string is the password that enables the first level, and by reversing the right code, that password can be obtained.
Figure 4
The password is actually the
company name and so, it will not be revealed.
2. Level 2 password: This password is not easy to find due to
garbage code that complicates the identification of the relevant Assembly
sentences that validate the entered value. However, by patiently skimming the
code, it is possible to detect a lack of comparison instructions. Therefore,
the few ones that appear are tell-tales.
Figure 5
This comparison
instruction (see Figure 5) is the one that checks for the correct password based on some
hardware ID, in this case, the CPU ID, which is obtained via a supplementary
Assembly instruction used to determine the processor type: CPUID.
Figure 6
The password for the
second level is computed via simple XOR instructions applied to the values of
registers EAX, EBC, ECX, and EDX. Hence, this password technically varies on
different computers (unless same hardware).
Figure 7
As Figure 6 shows, CPUID
is called with EAX=0 (XOR EAX,EAX) to obtain the CPU's manufacturer ID string - a twelve
character ASCII string stored in EBX, EDX, ECX - in that order. The highest
basic calling parameter (largest value that EAX can be set to before calling
CPUID) is returned in EAX.
3. Level 3 password: To
make things worse, the third password is even harder to find than the one for
the second level. Garbage code combined with an obscure code flow and almost
endless cycles complicate the identification of the key parts that allow for
gathering this password. By simply debugging the code, the chances of
succeeding are minimal. Therefore, it is crucial to set Olly to log executed
commands into a file and let the application run.
Figure 8
Next, by starting a
simple text file search of comparison instructions like CMP, light appears at
the end of the tunnel.
Figure 9
The instruction CMP ECX,EAX actually compares the
entered password with the valid third password at that particular moment. So,
when using a test password, for example let’s say A1B2C3D4, the correct password can be found in EAX:
Figure 10
The reason why I
said “at that particular moment” is because the right value expires depending
on the Time Stamp Counter (TSC) - a
64-bit register present on all x86 processors since the Pentium which counts
the number of cycles since reset. YES !!!! It is not always the same. Since the
Assembly instruction RDTSC returns
the TSC in registers EDX:EAX, only the highest byte contained in EDX is kept
and the rest of this DWORD is zeroed. Thus, a value like 00000687 in EDX
becomes 00000600 and then it is copied to EAX to perform the comparison at
address 0x41659C (See Figure 10). As EDX depends on what RDTSC returns, the Level 3 password
changes periodically as it increases like 00000700, 00000800, 00000900,
00000A00, etc.
Figure 11
In summary, the crackme
represents a very interesting challenge for reverse engineers. The calculations of
passwords do not only depend on a hardware ID, but they are also reliant on a
counter for the number of processor cycles. While the Level 2 password is likely to
vary among different computers, the Level 3 password periodically changes on the
same machine.
In general, the same protection
implemented in a real case scenario will require the development of a password
generator (see below) to make sure that passwords can rapidly be calculated on
any machine at any time.
Figure 12
To impress the recruitment team,
not only did I write a detailed report of how to reverse the crackme, but also I
developed the password generator (see Figure 12) which has a timer so that the Level 3 password
is updated at regular intervals (twice a second), as well as the Time Stamp
Counter.
This has undoubtedly been one of
the most exciting and enjoyable recruitment processes I
have ever been through. The outcomes? Well, the recruiters were delighted and said that the third interview would only be a matter of formality. They offered me a very important salary and agreed to cover all relocation expenses, which were huge in this particular case. Sorrowfully, I cannot see this interest from local companies and recruiters, to whom in general I would describe as very arrogant, rude, reckless (read my previous post) and impolite.
Everything was set properly to accept the proposal. However during this recruitment process, I was granted a research position as a PhD student at University, which unfortunately clashed with this job. Considering that a PhD might be a unique opportunity in life, I sadly had to turn thumbs down to what could have potentially been the job of my dreams. I just trust that there will be more coming in the future, HOPEFULLY !!!
Everything was set properly to accept the proposal. However during this recruitment process, I was granted a research position as a PhD student at University, which unfortunately clashed with this job. Considering that a PhD might be a unique opportunity in life, I sadly had to turn thumbs down to what could have potentially been the job of my dreams. I just trust that there will be more coming in the future, HOPEFULLY !!!
CJ
