⚠️ 🚧 Warning!!: This post is about reverse engineering.
Back in the old days, there used to be pirated versions of software and games available on torrent sites. They all came with an .nfo file, which could be opened in Notepad and contained instructions on how to crack the game or software, and along with it came the keygens, patches or cracks: a small application with dope music....🎼
🏁 The Intro
When you ran the patch it did some magic, and when you opened the software it was licensed.
Out of curiosity, I searched for a random subscription-based app to test, one that had a trial version. I am not going to disclose the software here and will focus only on the methods I used to crack it.
🧠 How the software worked
The software checks the license every time it starts before handing over to the application: each time you open it, it presents a login screen where you enter your credentials, and after the check it redirects you to the dashboard.
🐾 Starting Point
Initially my experience with MITM (Man in the Middle) attacks came to the rescue. Basically an MITM agent acts as a proxy, which means all the requests and responses pass through it. I used Charles Proxy, which can act as the proxy for an MITM attack.
Normal flow: the software connects to the server directly.
MITM: the software connects through the proxy, and we tap the requests and responses the software makes.
Imagine the green witch as Charles Proxy.
I started analyzing the requests the app makes using Charles Proxy and found that it calls http://domain.com/api, which returned a large JSON document with the license details. I looked for a clue and found a JSON key called "days_left", so if I could change the response I could control my subscription and set any end date I liked.
The majority of Windows applications run on top of the .NET Framework and keep their helper functions in DLL files. I was thinking of a way around this and found dnSpy, a tool which can show you the contents of a library file. I searched for the API endpoint in the DLL files after loading them into dnSpy and found the URL in a constants file.
🗞️ Next Plan
The next steps are very easy: we have the modified JSON response with days_left set to 999999999, and we have the API endpoint URL from the DLL file.
Step 1: I wrote a simple Node.js script that returned the modified response whenever the API endpoint was called.
Step 2: I changed the endpoint in the DLL to point to my script, i.e. http://localhost:9000.
I replaced the original DLL file with the modified one!! And voila, it worked!!!
💬 Connecting the dots
Some software can be cracked just by changing a few lines; for example, if the library has a function that returns whether the license is valid or not, it can be changed to always return true. How hard this is depends on the level of security the developer has built into the software.
🛠 Fixes that I can think of to prevent this attack
Transport data over HTTPS (this doesn't solve the issue by itself, but when inspecting the payload (the information sent out by the app) the attacker won't be able to see it unless he installs the proxy's certificate on the machine).
Rather than relying on plain JSON data, use cryptographic algorithms to encrypt/decrypt the data (the attacker still has access to the client code, from which he can find the decryption logic, apply it to the payload to get the value, and replay the same).
SSL pinning to prevent connections to other endpoints (I did this during Android development).
If you have any more suggestions, please let me know in the comments.
Being truly "secure" is a myth.
Disclaimer: This is for educational purposes only.
Thanks for reading!!