newbie stuck with target in OllyDbg


c_bauer
February 21st, 2015, 19:06
Hi !

[Preface: beginner here, so this might sound really basic or even silly to some folks, anyways, here goes ...]

The app (32-bit, on Win7 x64) I'm trying to reverse checks a license file at startup. I use plain vanilla OllyDbg v2.01, no plugins.

I set breakpoints on CreateFileA, CreateFileW, ReadFile and ReadFileEx.
I can see that CreateFileW gets hit and among all the other params, I can see that the license file path is hardcoded in the app.
The file handle is successfully returned in EAX, therefore I stepped through all invocations of ReadFile(Ex) and expected it to eventually read from that file.

But - I don't ever see ReadFile(Ex) with that file handle ...

The license file gets opened several times, each with some file handle as return value, but no matching call to ReadFile.

Interesting: in the 'Executable Modules' view, Olly shows several of them as type 'Hidden'.

To sum it up: what kind of anti-RE work is the app doing here ?

App: http://www.filedropper.com/bten (download button approx. in the middle of the page)
Password: the first five digits of a famous logarithm base (no comma)

regards
Chris

blabberer
February 22nd, 2015, 03:28
maybe the application is using memory mapped files.
Code:

#include <windows.h>
#include <stdio.h>

int main(void) {
    HANDLE hFile, hMapFile;
    char *view;
    /* 0xc0000000 = GENERIC_READ|GENERIC_WRITE, 3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL (the original passed decimal 80) */
    hFile = CreateFile("licence.dat", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) return 1;
    hMapFile = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);   /* 2 = PAGE_READONLY: read-only section backed by the file */
    if (hMapFile != NULL) {
        /* 4 = FILE_MAP_READ; asking for 0x20 bytes still maps a whole page, zero-filled past EOF, so %s stops there (unless the file is an exact page multiple) */
        view = (char *)MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0x20);
        if (view != NULL) { printf("%s\n", view); UnmapViewOfFile(view); }
        CloseHandle(hMapFile);
    }
    CloseHandle(hFile);
    return 0;
}


If you compile and run the code above, it will print the contents of the pre-existing file licence.dat without going through ReadFile.
Code:

type licence.dat
hello my dear licence file are you doing well do you have any problems should i
reject this application as a crack attempt just tell me ok ciao

noreadfile.exe
hello my dear licence file are you doing well do you have any problems should i
reject this application as a crack attempt just tell me ok ciao

c_bauer
February 22nd, 2015, 22:25
Thanks blabberer!

I bp'ed CreateFileMapping / MapViewOfFile et al, but no joy.

Some time ago, I watched some of Lena's reversing tutorials but IIRC there was no license file tut (or I missed that one).

After all, ReadFile has to be called somewhere someplace, since it's the OS's primitive for reading a file, right ?
Ok, so what should I check for next ?

Throw some buzzwords at me, I'm happy to learn.

best,
Chris

blabberer
February 24th, 2015, 05:21
Run Process Monitor and filter file activity; maybe look for IRP_MJ_READ, filter the file name in path/details. Or, best, set aside a few days and single-step the whole shebang one step at a time; there is no alternative to that methodology.

Quote:

After all, ReadFile has to be called somewhere someplace, since it's the OS's primitive for reading a file, right ?

Maybe yes, maybe not. Maybe they are calling an internal function, say ntdll!NtReadFile?

Maybe you close the handle from CreateFile and see where it crashes, thereby leaking the place where the handle is used? Maybe move the file after the handle is created and let it pop up a message box saying "can't read file", thereby disclosing its identity? Maybe corrupt the file and see if it spits out "the file is corrupt", and look at the stack. Maybe arbitrarily flip some flags to confuse it.
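
The Process Monitor suggestion above, worked through as an added example that is not part of the thread: a small Python parser over a constructed Procmon CSV export ("Show advanced output" on) that filters the licence file's activity and separates reads a kernel32!ReadFile breakpoint could catch from the paging I/O the memory manager issues to fill a mapped view. Process name, path and timestamps are placeholders, not the real app's.

```python
import csv
import io

# Constructed Process Monitor CSV export ("Show advanced output" on, so reads
# appear as IRP_MJ_READ). Process name and path are placeholders, not the real app.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:02:11.1001","target.exe","1234","IRP_MJ_CREATE","C:\\App\\licence.dat","SUCCESS","Desired Access: Generic Read"
"7:02:11.1002","target.exe","1234","IRP_MJ_READ","C:\\App\\licence.dat","SUCCESS","Offset: 0, Length: 142"
"7:02:11.1003","target.exe","1234","IRP_MJ_CLEANUP","C:\\App\\licence.dat","SUCCESS",""
"7:02:11.1004","target.exe","1234","IRP_MJ_CREATE","C:\\App\\licence.dat","SUCCESS","Desired Access: Generic Read"
"7:02:11.1005","target.exe","1234","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\\App\\licence.dat","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
"7:02:11.1006","target.exe","1234","IRP_MJ_READ","C:\\App\\licence.dat","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O"
"7:02:11.1007","target.exe","1234","IRP_MJ_CLOSE","C:\\App\\licence.dat","SUCCESS",""
"7:02:11.1008","explorer.exe","800","IRP_MJ_READ","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 512"
'''

def parse_procmon_csv(text):
    """Parse a Process Monitor CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def file_activity(rows, path_fragment, process=None):
    """Keep rows whose Path contains path_fragment (case-insensitive),
    optionally limited to one process name: the same as Procmon's Path/Process filters."""
    frag = path_fragment.lower()
    return [r for r in rows if frag in r["Path"].lower()
            and (process is None or r["Process Name"].lower() == process.lower())]

def summarize_reads(rows):
    """Count opens, section (file-mapping) setups and reads, splitting reads into
    user-mode reads (ReadFile/NtReadFile, visible to a ReadFile breakpoint) and
    paging I/O issued by the memory manager to fill a mapped view (never visible there)."""
    s = {"opens": 0, "section_syncs": 0, "user_reads": 0, "paging_reads": 0}
    for r in rows:
        op = r["Operation"]
        if op in ("IRP_MJ_CREATE", "CreateFile"):
            s["opens"] += 1
        elif "SECTION_SYNCHRONIZATION" in op or op == "CreateFileMapping":
            s["section_syncs"] += 1
        elif op in ("IRP_MJ_READ", "ReadFile"):
            s["paging_reads" if "Paging I/O" in r["Detail"] else "user_reads"] += 1
    return s

if __name__ == "__main__":
    rows = file_activity(parse_procmon_csv(SAMPLE_CSV), "licence.dat", "target.exe")
    print(summarize_reads(rows))
```

A trace with opens and section syncs but only paging reads means the file was consumed through MapViewOfFile, which is exactly the case where breakpoints on ReadFile never fire.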

c_bauer
February 24th, 2015, 12:55
Sounds like excellent advice.
I will give it a shot and report back...

Still, those 'hidden' modules that I don't know about (and Olly can't access) seem suspicious.

Chris