Log in

View Full Version : Reverse Engineer Windows Software Code protection.

AmazingTrans
August 23rd, 2012, 17:20
Hi there,

I have a automation program that inside has many files of codes. The files can be locked with a login and password. When I double click a locked file, I will get a windows popup box that already has the login information and I just have to enter a password. If the password is wrong it will say the password is not correct. If the password is lesser than 5 characters, it will say to enter more than 5 characters.

Things I have done so far:
Code:
1) Loaded the exe file into PeiD v0.95. 

Entrypoint: 0006996F 

File Offset: 00068D6F

Ep Section: .text

Subsystem: Win32 GUI

Nothing found [Overlay]*



Not sure what I should do here or these information meant because the tuts i saw had ep section as upx and mine is .text.

Moving On.
Quote:

2a) I opened the file with OllyDbg. The whole program opened. Now when i open a project file in the program, OllyDbg step through until I get a
Exception E06D7363 - use Shift+F7/F8/F8 to pass exception to program. So I press Shifft-F8, it stepped through, and paused there.
I run it again, and this time i Press Shift F7, it stepped through untill an error dialogbox pops-up.
Don't know how to step because memory at address 1C2F54F6 is not readable. Try to change EIP or pass exception to program.

2b) I restarted the program, and ran again. This time i use Shift-F9, the whole thing ran. I went to the program and i don't see the rest of my code files. Seems like the project is not fully loaded properly. I guess Shift-F9 skipping exception is not what i really wanted.
When i said the code files not loaded: For those who used visual studio : vb. in the solultion project there are many files. Now, after i ran the program, imagine the project is there but all the files are missing. This goes the same with my program here.
What should I do here?


My question here is:

1. What should I do from here now on?

2. What other program do i need to finish this reverse engr. ?

3. Is there any program where after I enter the password incorrectly, i would like the program to run to the address of the popup box that gives me the wrong password.
I have tried softice on Win XP sp 2, the whole system went BSOD on me.

Hope to hear from someone.!

Cheers!
AmazingTrans
August 23rd, 2012, 17:48
More progress,

Eventhough, I don't have the files. I am able to import the protected source code. Hurray.
Now, when i double click my protected source code, the dialog box pops up. Apparently, the ollydbg does not respond at all. Even when the dialog box pops up. When, I entered the wrong password, the ollydbg which the program runs does not step through any code. Now the question comes to, maybe the file that I double click is running on another dll / exe / something.
I used procexplorer from sysinternal, and find a windows process cursor. I pointed that to that dialog box, and it leads me to the program file.exe that is opened with ollydbg.

Now what should i do?
AmazingTrans
August 23rd, 2012, 21:37
I am able to track all the way to the dll file that is in-charge of the password protection. There is so many JE, JMP, JNZ going on. I don't know what to do next.

I have the text file which is about 23mb. What can i do that somebody can assist me?
AmazingTrans
August 26th, 2012, 16:44
Experts...

I did a step through ollydbg and at a certain location, the "thread xxxxxxxx terminated, exit code 0."

Is there anyway i can set up a trace to figure out where it actually got terminated?
blabberer
August 27th, 2012, 02:24
thread Creation Starts in userMode From BaseThreadStartThunk

and Ends In ntdll!ZwTermainateThread()

BaseThreadStartThunk Calls
BaseThreadStart / LPTHREAD_START_ROUTINE / kernel32!ExitThread

which calls NtdllZwTerminateThread

all the magic Lies Inbetween

set a bp on these apis and trace by hand once the whole sequence

you will get to know more than you can ever hope to get answers from forums / boards / newsgroups
_genuine
August 27th, 2012, 09:37
You can also take a quick look at the call stack windows on olly after a termination, there usually is some trails of information on what was executed before arriving to the terminated thread. (the button labeled 'K')
AmazingTrans
August 27th, 2012, 10:02
Awesome boys, I will take a look with the method you have.
My first program i learn to crack was little piano and that was like 10 years ago. And I played with some normal program, but now i have this huge programs that calls all kind of DLLs, and code that draws rectangle, windows. Not even sure where the real thing lies.

But I'll try for now.

THanks!
Indy
August 28th, 2012, 10:07
Quote:
thread Creation Starts in userMode From BaseThreadStartThunk

False.
blabberer
August 28th, 2012, 14:24
Quote:
[Originally Posted by Indy;93200]False.


do we want to muddy the waters for a noob

if he hasn't mucked with pdbs he would have problems even finding the BaseThreadStartThunk
how is he going to Find KiUserApcDispatcher or further up

Code:




lkd> !thread 860c9590

THREAD 860c9590  Cid 0d24.08a0  Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable

    a921e7d4  SynchronizationEvent

Not impersonating

DeviceMap                 e1340868

Owning Process            0       Image:         <Unknown>

Attached Process          863f0588       Image:         createthread.exe

Wait Start TickCount      13813501       Ticks: 86444 (0:00:22:30.687)

Context Switch Count      3             

UserTime                  00:00:00.000

KernelTime                00:00:00.000

Win32 Start Address 0x00401000

Start Address kernel32!BaseThreadStartThunk (0x7c8106f9)

Stack Init a921f000 Current a921e758 Base a921f000 Limit a921c000 Call 0

Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr  Args to Child              

a921e770 80500cf0 860c9600 860c9590 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])

a921e77c 804f9d72 00000000 860c9590 a921e7cc nt!KiSwapThread+0x46 (FPO: [0,0,0])

a921e7a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])

a921e884 8063a099 863f0588 00000000 a921e8bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])

a921e8a8 8063a1cb a921e8bc 00000001 a921ed64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])

a921e934 804fcb42 a921ed10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])

a921ecf4 8053e0a1 a921ed10 00000000 a921ed64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])

a921ed5c 8053e7b1 00000000 7c90e451 badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])

a921ed5c 7c90e451 00000000 7c90e451 badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a921ed64)

00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x1


Code:


lkd> dt nt!_KTRAP_FRAME a921ed64

   +0x000 DbgEbp           : 0

   +0x004 DbgEip           : 0x7c90e451

   +0x008 DbgArgMark       : 0xbadb0d00

   +0x00c DbgArgPointer    : 0x3947c8

   +0x010 TempSegCs        : 0xa921ed98

   +0x014 TempEsp          : 0xa921edcc

   +0x018 Dr0              : 0

   +0x01c Dr1              : 0

   +0x020 Dr2              : 0

   +0x024 Dr3              : 0

   +0x028 Dr6              : 0

   +0x02c Dr7              : 0

   +0x030 SegGs            : 0

   +0x034 SegEs            : 0x23

   +0x038 SegDs            : 0x23

   +0x03c Edx              : 0x3947c8

   +0x040 Ecx              : 0x390000

   +0x044 Eax              : 0x401000

   +0x048 PreviousPreviousMode : 1

   +0x04c ExceptionList    : 0xffffffff _EXCEPTION_REGISTRATION_RECORD

   +0x050 SegFs            : 0x3b

   +0x054 Edi              : 0x7c92770a

   +0x058 Esi              : 0x390000

   +0x05c Ebx              : 0

   +0x060 Ebp              : 0

   +0x064 ErrCode          : 0

   +0x068 Eip              : 0x7c90e451

   +0x06c SegCs            : 0x1b

   +0x070 EFlags           : 0x202

   +0x074 HardwareEsp      : 0x50fd20

   +0x078 HardwareSegSs    : 0x23

   +0x07c V86Es            : 0x80541e02

   +0x080 V86Ds            : 0xf73e8b85

   +0x084 V86Fs            : 0x85f61010

   +0x088 V86Gs            : 0


Code:




lkd> .thread /p /r /P 860c9590

Implicit thread is now 860c9590

Implicit process is now 863f0588

Loading User Symbols

.....

lkd> dd 0x50fd20 l8

0050fd20  7c901166 00000000 7c900000 00000000

0050fd30  00010017 00000000 00000000 00000000

lkd> dt nt!_CONTEXT Eip 0050fd30

   +0x0b8 Eip : 0x7c8106f9

lkd> ln 7c8106f9

(7c8106f9)   kernel32!BaseThreadStartThunk   |  (7c810705)   kernel32!BaseProcessStartThunk

Exact matches:

    kernel32!BaseThreadStartThunk = <no type information>



Code:




EAX 00401000 createth.ThreadProc

ECX 00390000

EDX 003947C8

EBX 00000000

ESP 0050FD20  <-------------

EBP 00000000

ESI 00390000

EDI 7C92770A ntdll.7C92770A

EIP 7C90E450 ntdll.KiUserApcDispatcher

C 0  ES 0023 32bit 0(FFFFFFFF)

P 0  CS 001B 32bit 0(FFFFFFFF)

A 0  SS 0023 32bit 0(FFFFFFFF)

Z 0  DS 0023 32bit 0(FFFFFFFF)

S 0  FS 003B 32bit 7FFDC000(FFF)

T 0  GS 0000 NULL

D 0

O 0  LastErr ERROR_SUCCESS (00000000)

EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)

ST0 empty +UNORM 38C8 0013FCBC 78AB2A99

ST1 empty -UNORM FF18 00000000 0013FF08

ST2 empty +UNORM 0001 78B1CB64 0000000A

ST3 empty -1.7863225356269886700e-3463

ST4 empty -UNORM FFFC 40000060 00000000

ST5 empty +UNORM 1EA0 003930B8 78B538C8

ST6 empty 0.0

ST7 empty 0.0000000000153202670e-4933

               3 2 1 0      E S P U O Z D I

FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)

FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1



Code:




7C90E450 ntdll.KiUserApcDisp>LEA     EDI, DWORD PTR SS:[ESP+10]

7C90E454                     POP     EAX                                            ;  ntdll.LdrInitializeThunk

7C90E455                     CALL    NEAR EAX                                       ;  createth.ThreadProc

7C90E457                     PUSH    1

7C90E459                     PUSH    EDI                                            ;  ntdll.7C92770A

7C90E45A                     CALL    ntdll.ZwContinue



Log data, item 0

 Message=[esp+10+0xb8]  = 7c8106f9  esp+10  = 50fd30



7C8106F9 kernel32.BaseThreadStartThunk         XOR     EBP, EBP
AmazingTrans
August 30th, 2012, 22:10
blabberer,

Thanks for the info. Knowing the terms actually will help me to learn more and dig deeper.
AmazingTrans
September 12th, 2012, 10:10
Hi guys,

I was able to find the location of the username & password using agentransack. It points me to location for eg: 155 username?Morse?Password??91823... I notice that the 155 means it is at line 155.
I opened the file using IDA and in Hex View, i was able to find the location of the username.. but on the view the text end it shows u.s.e.r.n.a.m.e.?.M.o.r.s.e
In the future how do i do a search username without the space or .?
What other program would anyone recommend to view and edit other than IDA?
aqrit
September 12th, 2012, 13:30
u.s.e.r.n.a.m.e. is UNICODE (wchar)
AmazingTrans
September 21st, 2012, 09:02
Quote:
[Originally Posted by aqrit;93240]u.s.e.r.n.a.m.e. is UNICODE (wchar)


aqrit, yup i understand it is UNICODE. I guess what software do most people use to edit? for example i want to change u.s.e.r.n.a.m.e to t.e.s.t.e.r. ?
instead of entering the dots, is there software that omit the dots? just username then i change it to tester?
blabberer
September 27th, 2012, 14:44
they are not dots
a unicode char is 16 bits or 2 bytes and english alphabets dont consume more than eight bits or one byte so the unconsumed byte remians as 0x00 and since 0x00 is not a printable character it is dumped as dot by most of the hex editors

with some code like this

Code:


#include <stdio.h>



int main (void) {



        char testfoo[] = {'A',0x0,'M',0x0,'a',0x80,'Z',0x7b };

        int i;

        for (i=0;i<sizeof(testfoo);i++)

        {

                if ( testfoo[I] < 0x20 || testfoo[I] > 0x7f)

                {

                        printf("*";

                }

                else

                {

                printf("%C",testfoo[I]);

                }

       }

       return 0;

}



result



A*M*a*Z{


Code:


CPU Dump

Address   Hex dump                                         ASCII

004F2A86  4C 00 6F 00|77 00 20 00|6D 00 65 00|6D 00 6F 00| L o w   m e m o

004F2A96  72 00 79 00|21                                   r y !


ollydbg can edit unicode strings in place as well as ascii strings use ctrl+e