First of all you have to produce two identical setup procedures (with
the same files), one on your computer and one on another one.
So you obtain the same setup files stored in the C:\My Installation\(Your
App)\Media\Default\Disk Image\Disk1 folder.
Now copy the files built by the second computer onto your PC in order to
better follow the different behaviour of the two programs.
If you start the protected copy by double-clicking on the file SETUP.EXE
you see a message box which says more or less: 'You must recompile the
file SETUP.INS with the professional edition of the software.'
A MessageBox ?!?!?!?! Nothing easier than breakpointing this routine with
SoftIce and watching from which file this function is called: _INS5576!
??
Where is this file? Use the Windows Find tool to see where it's stored.
But pay attention: if you push the OK button in the MessageBox the
program goes on and deletes the file before quitting, so perform the
search before confirming the message and you'll find our precious file
in the _istmp.dir directory in C:\Windows\Temp with two other files
created temporarily by the setup program.
Save a copy on your hard drive and then let the setup program delete it.
------------------------- Step One : Crack the program -----------------
OK! If the file _ins5576._mp contains executable code it must be an exe
or a dll, so we try to change the extension, and voila': the file
_ins5576.exe is the right one (now you can see the icon).
In order to reach the exact snippet of code where the program executes
the protection routine we can use a very simple method: it's a 'dirty'
method, not stylistically correct, and it requires a little bit of
'handwork'. Some +Cracker could twist his face but I often try to walk
this street before passing to a harder attack!
Just after SoftIce pops up in the MessageBox API routine press F12
(execute till the first RET instruction).
Set a breakpoint at the instruction just above (usually the call you are
returning from). Do it three or four times (until you are in the file
_ins5576).
Here are the occurrences you must find:
Set a BP here ---> 004394A0 call User32!MessageBox
You ret here ---> 004394A6 push 01
then F12
Set a BP here ---> 0043D4FA call 0043920E
You ret here ---> 0043D4FF push 01
then F12
Set a BP here ---> 0043B4B0 call 0043D497
You ret here ---> 0043B4B5 pop ecx
then F12
Set a BP here ---> 00437B99 call 0043B3A2
You ret here ---> 00437B9E mov [0048AAEC], eax
Then let the program end and execute the good version of setup.exe.
It'll break where you have set the BPs, but obviously not at all of
them, because somewhere the execution of the program changes its course
and doesn't pass through the bad way! Is it all clear?
If not, take a look at my previous essay where I explain this method
better: WindownloadCrack
I'm finishing my cigarettes... and so my beer! (I'd better correct my English tomorrow morning.)
OK, if all went well the ICE will pop up only one time at:
00437B99 call 0043B3A2
It means that the protection routine lies between this address and the
next breakpoint the program should have met. So reload and run the good
version of setup.exe and, after the first breakpoint (00437B99), step
through the code and take note of every conditional jump you meet (JZ,
JE, JNZ... etc.) and what the program does (whether it jumps or not).
I've found this:
Address   Instr.   Jump or not
.......
43B3C7    JNZ      Y
43B3F1    JNZ      Y
43B413    JNZ      Y
43B445    JNZ      Y
43B498    JNZ      N
43B4A1    JNZ      Y
43B505    JNZ      Y
..... and more.
OK, repeat the same operation with the bad version and look: all the
same behaviour till the address 0043B4A1, where the program doesn't jump.
Before executing the instruction, change the result of the test eax,eax
by typing the SoftIce command R FL Z, which toggles the flag on which the
JNZ depends, and release the program (Ctrl+D).
That's OK! The program works fine even if you use the protected version
of it!
Nothing very new in this crack, but now we have to make it permanent.
------------------ Step two : Change a temporary file -----------------------------
First of all I need another beer (I'm not an alcoholic but sometimes
I like to spend the night in front of a computer and drink
something tasting bitter.)
OK! Let's go. We need to know how the setup program (setup.exe is the
program that is executed first) calls the code in the file _ins5576._mp
after creating it.
Use WDASM to disassemble it and look for some Windows routine a program
can use to launch a file or a thread, like CREATEPROCESS or CREATETHREAD
or ...
The WINEXEC function captured my attention (a little luck and a little
experience), so I decided to breakpoint it and ran the program.
When ICE popped up I returned from the routine and set a BP just at the
address of the call, in order to stop the program before the call was
made, and restarted the program once again.
I did it in order to know which value is stored in EAX just before the
call, because this register points to the name of the file that will be
executed.
Yes! Here we are! But now we have another problem, because the file
isn't loaded into memory yet! So we can't change a memory location; we
must step into the file on the hard drive after its creation and before
its execution.
First of all we need to find a snippet of code in the file SETUP.EXE to
overwrite, and then write the code that opens the file and makes the
change.
1.- Look at the imported function called VERSION.VerLanguageNameA and
try to breakpoint it, then run the good application and wait... nothing
breaks. That's good: this function can be overwritten without
compromising the correct progress of the application.
2.- Here is the code:
:004025F0 50            push eax                      ; save the pointer to the file name
:004025F1 33FF          xor edi, edi
:004025F3 57            push edi                      ; hTemplateFile = 0
:004025F4 6880000000    push 00000080                 ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
:004025F9 6A03          push 00000003                 ; dwCreationDisposition = OPEN_EXISTING (open only if it exists)
:004025FB 57            push edi                      ; lpSecurityAttributes = 0
:004025FC 57            push edi                      ; dwShareMode = 0
:004025FD 6800000040    push 40000000                 ; dwDesiredAccess = GENERIC_WRITE
:00402602 50            push eax                      ; lpFileName = the file name pointer just saved
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:00402603 FF15E4D04000  call dword ptr [0040D0E4]
:00402609 50            push eax                      ; save the file handle returned by CreateFile
:0040260A 50            push eax                      ; and again (this copy is popped back after SetFilePointer)
:0040260B 57            push edi                      ; dwMoveMethod = FILE_BEGIN
:0040260C 57            push edi                      ; lpDistanceToMoveHigh = 0
:0040260D 689FA80300    push 0003A89F                 ; lDistanceToMove: the file offset where you'll make your change
:00402612 50            push eax                      ; hFile
* Reference To: KERNEL32.SetFilePointer, Ord:0219h
:00402613 FF15A4D04000  call dword ptr [0040D0A4]
:00402619 58            pop eax                       ; retrieve the handle of the file
:0040261A 57            push edi                      ; lpOverlapped = 0
:0040261B BF9C274100    mov edi, 0041279C             ; generic pointer into the file's data section (I decided to use
                                                      ; this location because all the other WINEXEC calls in setup.exe use it)
:00402620 C70700000000  mov dword ptr [edi], 00000000 ; better if zero
:00402626 57            push edi                      ; lpNumberOfBytesWritten
:00402627 6A02          push 00000002                 ; nNumberOfBytesToWrite: two bytes
:00402629 6842264000    push 00402642                 ; lpBuffer: points to the two bytes to write
:0040262E 50            push eax                      ; hFile
* Reference To: KERNEL32.WriteFile, Ord:027Bh
:0040262F FF158CD04000  call dword ptr [0040D08C]
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:00402635 FF15F0D04000  call dword ptr [0040D0F0]     ; consumes the handle copy left on the stack at 00402609
:0040263B 58            pop eax                       ; retrieve the file name pointer we saved at the beginning
:0040263C 6A01          push 00000001                 ; these three instructions were overwritten when the call
:0040263E 50            push eax                      ; to WinExec was changed (see below), so they are
:0040263F FFD6          call esi                      ; repeated here
:00402641 C3            ret
:00402642 40            inc eax                       ; the two bytes to write into the file
:00402643 90            nop
:00402644 ??            ???
:00402645 ??            ???
:00402646 ??            ???
This function changes the TEST EAX,EAX instruction before the JNZ
conditional jump at 43B4A1 into:
inc eax
nop
That's all! We are at the end of our work!
No, sorry, I've forgotten a very important thing to do:
we must change the program before it calls the WINEXEC routine in order
to execute our own code.
So the following:
* Reference To: KERNEL32.WinExec, Ord:026Fh
:00405876 8B350CD14000  mov esi, dword ptr [0040D10C]
:0040587C 8D85F8FEFFFF  lea eax, dword ptr [ebp+FEF8]
:00405882 6A01          push 00000001
:00405884 50            push eax
:00405885 FFD6          call esi
must be changed like this:
* Reference To: KERNEL32.WinExec, Ord:026Fh
:00405876 8B350CD14000  mov esi, dword ptr [0040D10C]
:0040587C 8D85F8FEFFFF  lea eax, dword ptr [ebp+FEF8]
:00405882 E869CDFFFF    call 004025F0
You must also overwrite the two push instructions, but it's enough to
put them at the end of our routine.
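As an added example (not from this essay, InstallShield or the setup program), here is a small Python model of the defender's side of the trick above: a byte-for-byte diff that locates the two-byte change at offset 0x3A89F in the staged file, and a build-time SHA-256 check that the launcher could apply to that file before the WinExec step. The sample images and the JNZ displacement are constructed, not taken from a real _ins5576 file.

```python
import hashlib

PATCH_OFFSET = 0x3A89F          # file offset written by the patch routine above
TEST_EAX_EAX = b"\x85\xC0"      # original bytes: test eax,eax
INC_EAX_NOP = b"\x40\x90"       # patched bytes: inc eax ; nop


def find_byte_patches(original, modified):
    """Return [(offset, original_run, modified_run)] for every run of
    differing bytes between two equally sized file images."""
    if len(original) != len(modified):
        raise ValueError("images differ in size; a byte diff needs equal length")
    patches, i, n = [], 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        patches.append((start, bytes(original[start:i]), bytes(modified[start:i])))
    return patches


def sha256_hex(image):
    return hashlib.sha256(image).hexdigest()


def verify_before_launch(image, expected_sha256):
    """The mitigation: launch the staged file only if its digest matches
    the one recorded when the installer was built."""
    return sha256_hex(image) == expected_sha256.lower()


def build_samples():
    """Constructed stand-ins for the good and the patched staged file:
    zero-filled images with the protection check's bytes at PATCH_OFFSET."""
    good = bytearray(PATCH_OFFSET + 4)
    good[PATCH_OFFSET:PATCH_OFFSET + 2] = TEST_EAX_EAX
    good[PATCH_OFFSET + 2:PATCH_OFFSET + 4] = b"\x75\x12"  # jnz, made-up displacement
    bad = bytearray(good)
    bad[PATCH_OFFSET:PATCH_OFFSET + 2] = INC_EAX_NOP
    return bytes(good), bytes(bad)


if __name__ == "__main__":
    good, bad = build_samples()
    build_time_digest = sha256_hex(good)          # what the installer would ship
    for off, was, now in find_byte_patches(good, bad):
        print(f"patched at 0x{off:05X}: {was.hex()} -> {now.hex()}")
    print("launch good image:", verify_before_launch(good, build_time_digest))
    print("launch patched image:", verify_before_launch(bad, build_time_digest))
```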
Thanks for your attention and your patience.