.text:0000000140043E22 ror r10d, 2
.text:0000000140043E26 add r8d, 5A827999h
.text:0000000140043E2D and r11d, r12d
.text:0000000140043E30 or r11d, eax
.text:0000000140043E33 mov eax, ebx
Let’s google the 5A827999h constant... this looks like SHA-1! But why would RAR use SHA-1 during encryption?
Here is the answer:
In comparison, WinRAR uses its own key derivation scheme that requires (password length * 2 + 11) * 4096 SHA-1 transformations. That’s why it takes longer to brute-force attack encrypted WinRAR archives.
(http://www.tomshardware.com/reviews/password-recovery-gpu,2945-8.html)
This is key scheduling: the input password is hashed many times and the resulting hash is then used as the AES key. This is why the count of XOR instructions stays almost unchanged when we switch to a bigger test file: the number of SHA-1 iterations depends on the password, not on the size of the data being encrypted.
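Googling the 5A827999h constant is the manual form of a standard identification step: scanning a binary for the fixed round constants and initial-state words that hash and cipher implementations embed as immediates. The following block is an added example, not code from the book: a small findcrypt-style scanner that checks every byte offset of a buffer (x86 immediates are not aligned) for a little-endian 32-bit match against a table of published SHA-1, MD5 and SHA-256 constants. The sample buffer is constructed for the example; its first seven bytes are the encoding of the add r8d, 5A827999h instruction from the listing above, followed by padding and a mov eax, 6ED9EBA1h that I added to show a second SHA-1 round constant.

```cpp
// Added example (not from the book): findcrypt-style scan for well-known hash
// constants in a byte buffer. The sample buffer below is constructed, not a dump
// of the RAR executable.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

struct KnownConstant {
    uint32_t value;
    const char *algorithm;
    const char *role;
};

// Constants as published in the respective specifications.
static const KnownConstant kKnown[] = {
    {0x5A827999, "SHA-1",   "round constant K0 (rounds 0-19)"},
    {0x6ED9EBA1, "SHA-1",   "round constant K1 (rounds 20-39)"},
    {0x8F1BBCDC, "SHA-1",   "round constant K2 (rounds 40-59)"},
    {0xCA62C1D6, "SHA-1",   "round constant K3 (rounds 60-79)"},
    {0xC3D2E1F0, "SHA-1",   "initial state H4 (H0-H3 are shared with MD5)"},
    {0xD76AA478, "MD5",     "T[1], first sine-derived round constant"},
    {0x428A2F98, "SHA-256", "K[0], first cube-root round constant"},
};

struct Hit {
    size_t offset;
    std::string algorithm;
    std::string role;
};

// Scan every byte offset for a little-endian 32-bit value present in the table.
// Hits are returned in offset order.
std::vector<Hit> scanForConstants(const std::vector<uint8_t> &buf) {
    std::vector<Hit> hits;
    for (size_t i = 0; i + 4 <= buf.size(); ++i) {
        uint32_t v = (uint32_t)buf[i] | ((uint32_t)buf[i + 1] << 8) |
                     ((uint32_t)buf[i + 2] << 16) | ((uint32_t)buf[i + 3] << 24);
        for (const auto &k : kKnown) {
            if (v == k.value) hits.push_back({i, k.algorithm, k.role});
        }
    }
    return hits;
}

// Summarise the hits: how many distinct matches each algorithm produced.
// Several constants of one algorithm close together is the signal; a single
// 32-bit coincidence is not.
std::map<std::string, int> hitsPerAlgorithm(const std::vector<Hit> &hits) {
    std::map<std::string, int> counts;
    for (const auto &h : hits) counts[h.algorithm]++;
    return counts;
}

// Constructed sample buffer: the 7-byte encoding of "add r8d, 5A827999h"
// (REX.B + 81 /0 imm32) from the listing, nop padding, then a constructed
// "mov eax, 6ED9EBA1h" (B8 imm32) and some zero bytes.
std::vector<uint8_t> sampleBuffer() {
    return {
        0x41, 0x81, 0xC0, 0x99, 0x79, 0x82, 0x5A,   // add r8d, 5A827999h
        0x90, 0x90, 0x90,                           // nop padding
        0xB8, 0xA1, 0xEB, 0xD9, 0x6E,               // mov eax, 6ED9EBA1h
        0x00, 0x00, 0x00, 0x00,
    };
}

int main() {
    std::vector<Hit> hits = scanForConstants(sampleBuffer());
    for (const auto &h : hits)
        std::printf("offset %zu: %s %s\n", h.offset, h.algorithm.c_str(), h.role.c_str());
    for (const auto &kv : hitsPerAlgorithm(hits))
        std::printf("%s: %d constant(s) found\n", kv.first.c_str(), kv.second);
    return 0;
}
```

On the constructed buffer the scanner reports two SHA-1 round constants, at offsets 3 and 11, which is exactly the kind of evidence that turns "this looks like SHA-1" into a confident identification; in a real binary one would run the same scan over the whole .text section and look for clusters of constants from the same algorithm.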
This is it: it took me a couple of hours to write this tool and to establish at least 3 points: 1) probably checksumming; 2) AES encryption; 3) SHA-1 calculation. The first function is still unknown to me.
Still, this is impressive, because I didn’t dig into RAR code (which is proprietary, of course). I didn’t even
peek into UnRAR source code (which is available).
The files, including test files and RAR executable I’ve used (win64, 5.40):
https://github.com/DennisYurichev/RE-for-beginners/tree/master/DBI/XOR/files.
10.2 Cracking Minesweeper with PIN
In this book, I wrote about cracking Minesweeper for Windows XP: 8.3 on page 802.
The Minesweeper in Windows Vista and 7 is different: probably it was (re)written in C++, and cell information is now stored not in a global array, but rather in malloc’ed heap blocks.
This is a case where we can try the PIN DBI tool.
10.2.1 Intercepting all rand() calls
First, since Minesweeper places mines randomly, it has to call rand() or a similar function. Let’s intercept all rand() calls: https://github.com/DennisYurichev/RE-for-beginners/tree/master/DBI/minesweeper/minesweeper1.cpp.
Now we can run it:
c:\pin-3.2-81205-msvc-windows\pin.exe -t minesweeper1.dll -- C:\PATH\TO\MineSweeper.exe
During startup, PIN searches for all calls to the rand() function and adds a hook right after each call. The hook is the RandAfter() function we defined: it logs the return value and also the return address. Here is a log I got during a run of the standard 9*9 configuration (10 mines): https://github.com/DennisYurichev/RE-for-beginners/tree/master/DBI/minesweeper/minesweeper1.out.10mines. The rand() function was called many times from several places, but was called from 0x10002770d just 10 times. I switched Minesweeper to the 16*16 configuration (40 mines) and rand() was called from 0x10002770d 40 times. So yes, this is our point. When I load minesweeper.exe (from Windows 7) into IDA and the PDB from the Microsoft website is fetched, the function which calls rand() at 0x10002770d is called Board::placeMines().
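The reasoning above is a differential count: a call site that fires exactly once per mine in the 9*9 game and exactly once per mine in the 16*16 game is the mine-placement loop. The following block is an added example, not the book’s minesweeper1.cpp pintool: it post-processes a rand() log of the kind RandAfter() produces and applies that reasoning automatically. The line format (rand()=... ret=...) and the two extra call sites 0x1000211a0 and 0x1000233c0 are constructed for this example; only 0x10002770d and the mine counts come from the text. One of the constructed sites deliberately calls rand() 10 times in every game, to show why a single configuration is not enough to pick out placeMines().

```cpp
// Added example (not the book's pintool): post-processing a PIN log of rand()
// calls to find the call site that runs exactly once per mine. The log format
// and the call sites other than 0x10002770d are constructed for this example.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Count rand() calls per return address. Each constructed log line looks like:
//   rand()=0x00003a2f ret=0x10002770d
// Lines without a "ret=0x" field (banners, errors) are skipped.
std::map<uint64_t, int> countCallSites(const std::string &log) {
    std::map<uint64_t, int> counts;
    std::istringstream in(log);
    std::string line;
    while (std::getline(in, line)) {
        size_t pos = line.find("ret=0x");
        if (pos == std::string::npos) continue;
        uint64_t ret = std::strtoull(line.c_str() + pos + 6, nullptr, 16);
        counts[ret]++;
    }
    return counts;
}

// Single-configuration view: every call site whose count equals the mine count.
// With only one board size this can return more than one candidate.
std::vector<uint64_t> sitesWithCount(const std::string &log, int n) {
    std::vector<uint64_t> out;
    for (const auto &kv : countCallSites(log))
        if (kv.second == n) out.push_back(kv.first);
    return out;
}

// Differential view from the text: a site is a placeMines() candidate only if
// its count equals the mine count in both board configurations.
std::vector<uint64_t> findMineCallSite(const std::string &logA, int minesA,
                                       const std::string &logB, int minesB) {
    std::map<uint64_t, int> a = countCallSites(logA);
    std::map<uint64_t, int> b = countCallSites(logB);
    std::vector<uint64_t> hits;
    for (const auto &kv : a) {
        if (kv.second != minesA) continue;
        auto it = b.find(kv.first);
        if (it != b.end() && it->second == minesB) hits.push_back(kv.first);
    }
    return hits;
}

// Constructed log for a board with the given number of mines. Two noise sites
// call rand() a fixed number of times regardless of board size (25 and 10),
// and the placement site 0x10002770d calls it once per mine.
std::string makeLog(int mines) {
    std::string log = "# constructed rand() trace\n";
    char buf[64];
    for (int i = 0; i < 25; ++i) {
        std::snprintf(buf, sizeof buf, "rand()=0x%08x ret=0x1000211a0\n", 0x1000 + i);
        log += buf;
    }
    for (int i = 0; i < 10; ++i) {   // coincides with the 9*9 mine count
        std::snprintf(buf, sizeof buf, "rand()=0x%08x ret=0x1000233c0\n", 0x3000 + i);
        log += buf;
    }
    for (int i = 0; i < mines; ++i) {
        std::snprintf(buf, sizeof buf, "rand()=0x%08x ret=0x10002770d\n", 0x2000 + i);
        log += buf;
    }
    return log;
}

int main() {
    std::string log9 = makeLog(10), log16 = makeLog(40);
    std::printf("9*9 alone: %zu site(s) called exactly 10 times\n",
                sitesWithCount(log9, 10).size());
    for (uint64_t site : findMineCallSite(log9, 10, log16, 40))
        std::printf("placeMines candidate: 0x%llx\n", (unsigned long long)site);
    return 0;
}
```

On the constructed logs the 9*9 game alone yields two sites with exactly 10 calls, while the differential over both board sizes leaves only 0x10002770d, matching the conclusion drawn in the text.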
10.2.2 Replacing rand() calls with our function
Let’s now try to replace the rand() function with our own version which always returns zero: https://github.com/DennisYurichev/RE-for-beginners/tree/master/DBI/minesweeper/minesweeper2.cpp. During startup, PIN replaces all calls to rand() with calls to our function, which writes to the log and returns zero. OK, I ran it and clicked on the leftmost/topmost cell: