Description of the Exercise:
Imagine that you have just implemented a C/C++ version of a Windows® 32-bit console application called “Password Vault” that helps computer users create and manage their passwords in a secure and convenient way. Before releasing a limited trial version of the application on your company’s Web site, you would like to understand how difficult it would be for a reverse engineer to circumvent a limitation in the trial version that exists to encourage purchases of the full version; the trial version of the application limits the number of password records a user may create to five. This limitation is very similar to limitations found in many shareware and trialware applications that are available on the Internet. The C++ version of the Password Vault application was developed to provide a non-trivial application for reversing exercises without the myriad of legal concerns involved with reverse engineering software owned by others. The Password Vault application employs 256-bit AES encryption, using the free cryptographic library crypto++, to securely store passwords for multiple users—each in separate, encrypted XML files.
Software for the Exercise:
Solution to the Exercise:
For instructional purposes, an animated tutorial that demonstrates the complete end-to-end reverse engineering of the C/C++ Password Vault application was created using Qarbon Viewlet Builder and can be viewed using Macromedia Flash Player. The tutorial begins with the Password Vault application and OllyDbg already installed on a Windows® XP machine.
Posted on May 6th, 2009 | By: teodoro
Comments are closed.