
Reversing Query - Please Help!!! (BTW first RCE query on the new Board)


ReD_AnT
October 28th, 2000, 11:08
Hi Friends,

First of all I am thankful to +Sandman, +tsehp for maintaining this wonderful place in spite of all odds. I hope that now we don't have to move again for a long time...

I am a newbie reverser and in need of some help.
I am trying to crack MerakMail for Windows 9x, version 2.10.340 (not the pro version)
(URL: www.icewarp.com or www.merakmail.com).

I have found that the main protection is located in the files config.exe and control.exe.
I disassembled config.exe, looked for the relevant strings, found quite a few, and was trying to look at the conditional jumps just before the error messages...
Now I am facing a peculiar problem... Some of the jumps point to the middle of an instruction... (I hope I am making myself clear!).
Given below is the relevant piece of code:

---------------The Jumps------------------
:004A2591 7373 jnb 004A2606 ---> while the 5-byte instruction begins at 04A2605
:004A2593 66756C jne 004A2602
:004A2596 2E004572 add byte ptr cs:[ebp+72], al
:004A259A 726F jb 004A260B
:004A259C 7200 jb 004A259E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A259C(C)
|
:004A259E 0000 add byte ptr [eax], al
:004A25A0 52 push edx
:004A25A1 65 BYTE 065h



-------The locations pointed to by jumps---------

:004A25FE 8B00 mov eax, dword ptr [eax]
:004A2600 E847D9FAFF call 0044FF4C
:004A2605 6830200000 push 00002030

* Possible StringData Ref from Code Obj ->"Warning"
|
:004A260A 681C264A00 push 004A261C

* Possible StringData Ref from Code Obj ->"Your trial version has expired."
|
:004A260F 6824264A00 push 004A2624
:004A2614 6A00 push 00000000



WinDasm gives an error while trying to execute these jumps... Call/Jumps unsuccessful.

There are many such jumps...

I couldn't understand this at all... what is happening?
Is the code there just to fool the crackers?
Or is some runtime patching happening?
Or is there some anti-disassembler?

I tried to see what happens at these jumps at runtime. So I loaded SoftICE and ran the program.
The program runs fine, but when I click the register button (which remains enabled) nothing happens... When SoftICE is NOT loaded, then on clicking the register button a box with a filled-in reference key and 2 blank text boxes comes up (which are meant for inputting the licence no.).

So there is some debugger detection inside the program...
How to find which type of detection is there? How to get to it? And how to disable it?


Please guide me! I am a newbie and please don't flame me for asking such silly questions...
(Maybe I have picked up a really tough proggie... But I think it is a great opportunity to learn...)

Thanks a lot in advance and sorry for such a long post...


ReD_AnT

esther
October 28th, 2000, 12:59
Sorry, read above post on RE:

esther


gAnZ
October 29th, 2000, 02:55
I'll try to help you.

ReD_AnT
October 30th, 2000, 13:54
Hi Friends,

To Esther:
Thanks a lot for the help...
I used +FP's FrogsICE and found out that indeed it was doing the debugger check.
The check was MeltICE... using the CreateFileA technique...
But still the app is far from being cracked...

To gAnZ:
Thanks a lot for offering your help...
I am looking forward to it...

I am grateful to both of you guys...
------------------------------------

What I have done:

To stop the debugger detection I patched the cmp eax,-1 part at both checks (the check for SICE at cs:0049382F and the check for NTICE at cs:0049386B).

But the app is perhaps doing some kind of CRC check: when I ran the patched config.exe I got this nice message:
"a protection error occurred.. blah blah .. the app cannot be run .. program might be infected with a virus or CRACKED."

(Frankly speaking (though this sounds like a lamer), this app is the first one with anti-debug protection and CRC checks etc. that I am doing...)


So again I am in a fix... :-(
Any suggestions/advice?


ReD_AnT

esther
October 31st, 2000, 08:26
Hi Red_Ant,
I'm fixed too, hehe, this is a Delphi prog. I am not experienced enough to reverse this prog.
Others might be able to help, sorry.
Post again with a BIG Help and you would probably get one. Btw I'm still trying, hope I can find some answers. Did you notice the reference key?
Strange, isn't it... it seems that it's an empty shell...

cya
regards
esther

goatass
October 31st, 2000, 09:11
You said that this is a Delphi program? Have you tried using DeDe to decompile it? Just a suggestion.

goatass

esther
October 31st, 2000, 11:30
Hi Goatass,
Thanks for the input, I simply forgot that.
Thanks again

regards
esther

ReD_AnT
October 31st, 2000, 17:21
Hi Esther,

So now I have a fellow reverser who is working on this app too... Thanx a lot, brother.

Yep, I too had found out that it was written in Delphi (some string refs also point that out).
And I too forgot DeDe... thanx Goatass for pointing that out :-)
Esther, you are right, maybe I should post again with a BIG help... to get some answers...

Btw don't you think that this target is worthy enough of being selected as a target for one of the projects here... (it will certainly give newbies like me a chance to learn some advanced techniques)
What do you say?

Btw I couldn't understand what you were saying about the reference key, shell etc.? Sorry!!! Could you please elaborate a little bit?

Thanks a lot once again...

Regards.

ReD_AnT
(still confused)

Hey gAnZ, where are you? You promised that you'll help!!!

C_DKnight
November 1st, 2000, 12:36
Hey guys, I saw this thread last night and downloaded the app, which (unfortunately?) was the PRO version... Well anyway, I just took the ordinary version and saw its code didn't differ that much from the analysis I came up with for the PRO version...

I traced a _lot_ and found practically nothing useful... just some arithmetic stuff done here and there but no solid part that'd clearly create the valid serial. Some FPU code in a few parts, which I'd say checks the remaining days (toggle FPU registers in SoftICE with "wf"), or at least does something with it... not sure though.

Moreover it really requires a lot of tracing to finally find the place where the messagebox pops up... and it's rather funnily created (small excerpt from somewhere):

:00450350 53 push ebx ; Save process ID?
:00450351 83C4E4 add esp, FFFFFFE4
:00450354 8BD8 mov ebx, eax
:00450356 8BD4 mov edx, esp
:00450358 8BC3 mov eax, ebx ; Load it to eax
:0045035A E841FFFFFF call 004502A0 ; Trace

---------------------------------------------------------

Behind the call dwells PeekMessageA, which I believe checks which Process ID is being processed and sets flags according to that.

Finally follow TranslateMessage & DispatchMessageA, of which the latter is the one to 'create' the messagebox.

Since the code location is called all the time, it's of no use to do any patching here...

Well, that's all the 'useful' information I could gather so far... more to follow if/when I figure out something. I know I might have understood things wrongly as I'm only at a newbie level, so please don't hesitate to correct this text if possible. Please also post your progress (if any) on this msgboard. Thx

-C_DKnight

C_DKnight
November 2nd, 2000, 09:16
Woo, finally made some sort of useful progress... again I was working with the PRO version but I hope the main code structure matches the normal version...

Did a string search as I was a bit frustrated already, and my eyes caught these two strings: <Demo Version> and <Full Version>

Selected either... scrolled up some code to find interesting bits... and I did!
After scrolling up a few conditional jump spots there was a call to somewhat
of a lengthy routine... the keycheck routine, I bet. The downside is that it's a _quite_ lengthy one and has several checks and some 'encryption' (xor, rol) instructions, which then compare with your serial and the encrypted one (sort of)... but I'm still working on this to find a way to the final compare (cmp eax,ebx if I recall) without having to set dozens of "r fl z".

Hopefully I can fully reverse the algorithm, but even if I didn't, so far this 'project' has proved to be a valuable experience, thx to Red_Ant.

-C_DKnight

ReD_AnT
November 5th, 2000, 17:11
Hi C_DKnight,

Thanks for your help ;-)
I was really stuck... nothing seemed to work out...
You are probably right, the protection scheme is perhaps the same in both versions.
I searched for <Demo> in WinDasm and I found it in the non-pro version too.
And then I moved around a bit in that piece of code and yes, interesting stuff...
A few comparisons and conditional jumps.
Btw you must have noticed that other than <Demo> and <Full Version> there is another type, i.e. the <Unlimited>... what would that mean??? Some sort of time-unlimited demo version?
Tracing, tracing and more tracing and still no luck...
But even if the proper jumps are found, the patching won't work because of the CRC checks etc., so at least serial-fishing and then maybe a keygen must be done. Is there any way of killing the CRC checks?
This target has really gone out of hand.
Again one old question: what happens to those jumps which jump to the middle of an instruction?

Could you please post your observations and hints etc. And if you happen to reverse the algo, could you please write a tutorial explaining the general methodologies and techniques that should be used for such a target, for the benefit of newbies like me.

Thanx a lot once again...

Regards.

ReD_AnT

C_DKnight
November 6th, 2000, 13:14
Well... about the unlimited version... I dunno either. I'd bet on the unlimited time-trial though... and as for the serial algorithm, it's very irritating and has got lots of checks and I'm lost there too. It does something with your serial first (messes with it, takes an encrypted version or something) and then compares some chars with the 'good' part of the real serial:

repnz
scasb

or something similar, as I remember... the first check I pass as I got a match with the 'string' in EAX and ES:EDI (scasb instruction)... the matching part is "-" (2Dh)... but from then on I'm stuck too and can't get anywhere without setting additional "r fl z"... d'oh ;( ... if anyone's able to help please post here... thx

-C_DKnight

esther
November 8th, 2000, 05:15
Hey Red_Ant,
I didn't find any solutions to it :-(
That's why I didn't post.
Read Kayaker's post, see an experienced reverser
talk about this prog...
Anyway, thanks for the "project", a hard one hehe, and C_DKnight too.

regards
esther