
View Full Version : How to approach a 'dead' target


Pyrae
April 14th, 2002, 16:19
Well, 'dead' means that no live approach (debugging) is possible and disassemblers give messy results, though the target is obviously neither packed nor encrypted.
In this particular case it's the timebomb routine in WINLOGON.EXE/LICDLL.DLL of WinXP Embedded Eval (which btw is a build-it-yourself WinXP Pro and therefore the most useful version of WinXP), but I only need some basic ideas on OS level cracking.
Here is what I've tried so far:

-disassembling LICDLL.DLL, which contains the 'expired' nag's text using IDA, W32Dasm, PEDasm
(all give nonsense listings with lots of unresolved jumps etc., see attached snippet)

-getting Softice to run on XP Embedded Eval
('EXP=\%SystemRoot%\system32\kernel32.dll Error Opening file. Status=C0000225' (same for all other libs, no working solution found) -> no useful breakpoints possible)

-looking for string refs/refs to string offsets with hiew (nothing useful found)

-looking for infinite jumps/inline calls which might confuse disassemblers (nothing found)
So I'm running out of useful ideas on this one, perhaps someone can help me out with any alternative approaches...


Thanks very much, Pyrae

MTB
April 14th, 2002, 19:20
Pyrae, have you tried the IDA 4.17 version? It can get around a fair number of anti-disassembler tricks etc.

Good Luck
MTB

Pyrae
April 14th, 2002, 23:18
Thanks for your reply, MTB. Of course, I'm using 4.17, but it failed just like all the others. Or do you think of any options I might have forgotten to check in this particular case? This one's giving me one helluva time....

peterg70
April 15th, 2002, 02:17
Have you tried to debug the program (WinLOGON etc.) with OllyDbg?

Attach to it when it's running and you can then trace through it.

Could it be self-modifying code? (I'm no expert though.) If you trap the code in memory then you will see the true form of the code.

peterg70

Pyrae
April 15th, 2002, 15:21
Well, first of all, thanks for your reply, peterg70. I certainly would have done this if it were possible. The problem is that I just can't run any other program BEFORE logging on. And if I'm logged on I just can't make the 'expired' nag appear.