Help a newbie please


Alph
August 16th, 2002, 08:04
Hi,

I am new to reverse engineering, but have been programming for some time already. I just installed SoftIce and looked at the innards of Tabledit, and I'd be grateful for a few answers.

Tabledit is a shareware protected by a serial number registration.
It's at www.tabledit.com

What I did, roughly:

I break on GetDlgItem. I see that there are two of those, getting the username and password and storing them in fixed memory locations.

Then a first call, which I will go into in more detail below.

Then a second call, which looks to me like it is just doing some cleanup with Windows.

Then I go into the kernel/_freqasm stuff.

What is happening here? Am I right in thinking that Windows is now taking care of another thread and doing some window management? Or is Tabledit calling those? Or triggering those with a semaphore, maybe?

Anyway.. then another call; I see that it is some window stuff, and that a window is refreshed with "Table edit 2.60 demo".. so I guess the checking for the correct serial was above.. maybe?

Then more freqasm/kernel/user..

Are there some debug files for the Windows DLLs that I can give to SoftIce to see better what is happening?

Then back to tabledit, back to freqasm/kernel/user, and I finally arrive at an event server loop (I think... made of TranslateAccelerator, TranslateMessage and DispatchMessageA), which makes me sure that the program has now decided that my password was no good.

So back to the first call.

I see that it first does some register access, and creates an entry with my username and password.

I'd expect the program to do that after it has validated my password... any idea why it happens before? (or maybe I did not see the validation?)

Then the program does some length calculation, checks if the username is not User, Registered, or Chafe (?)

Then it changes the first letter of the username to a capital..

It tries now to convert the password to a hex number at some point, which makes me believe that the password is a hex number.

Then a few other things happen, which I do not totally understand.. and then we are back in the main program..

If someone would care to see if I understand (at least something...) correctly, and give me a hint where the actual validation of the password takes place, I'll be thankful.

Also (yes I'm full of questions..) can I quickly go back to the main program when windoze decides to do kernel/user/freqasm stuff ?

Is there a way to see the stack more easily than displaying memory, then looking at how the pointers/data items were entered and writing it down?

Why does SoftIce give me some addresses with segments, like
1234:004654567.

I thought that with 32-bit apps, segments/offsets were not used anymore?

Do some segments still have a meaning?

Thanks!

Fake51
August 16th, 2002, 08:57
Quote:
Why does SoftIce give me some addresses with segments, like
1234:004654567.


The segment:offset has indeed been abandoned. Instead, what you're looking at is selector:offset. The idea is that, under protected mode, there is a table in memory which holds a number of selectors. Each selector has a number of characteristics, such as privilege level, base address, addressing mode, and so on. So instead of having to translate the segment and offset to get a real address, now you're just looking at a flat address that's added to a base address by the CPU. Look into protected mode if you want to know more.

Fake

Edit: hate those frigging smileys when they turn up in the wrong place .... segment:offset
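
The selector:offset form Fake51 describes, worked through as an added example (not code from this thread): it splits a 16-bit selector into index, table indicator and RPL, decodes an 8-byte GDT/LDT descriptor into base, limit and DPL, and performs the base-plus-offset addition the CPU does after its limit check. The descriptor words and the selector 0x0023 are constructed samples; the flat one has base 0 and a 4 GiB limit, which is why a 32-bit Windows offset is also its linear address.

```c
#include <stdint.h>
#include <stdio.h>

/* 16-bit selector: index (bits 15..3), table indicator (bit 2), RPL (bits 1..0). */
typedef struct { uint16_t index; uint8_t ti, rpl; } selector_t;

/* 8-byte code/data descriptor; limit is the byte limit after granularity scaling. */
typedef struct { uint32_t base, limit; uint8_t dpl, present, granularity, default_32; } descriptor_t;

selector_t decode_selector(uint16_t sel) {
    selector_t s = { (uint16_t)(sel >> 3), (uint8_t)((sel >> 2) & 1), (uint8_t)(sel & 3) };
    return s;
}

/* Layout per Intel SDM vol. 3: limit[15:0] in bits 0-15, base[23:0] in bits 16-39,
   access byte in bits 40-47 (P = 47, DPL = 46..45), flags + limit[19:16] in
   bits 48-55 (G = 55, D/B = 54), base[31:24] in bits 56-63. */
descriptor_t decode_descriptor(uint64_t d) {
    descriptor_t r;
    uint32_t raw_limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    r.base        = (uint32_t)((d >> 16) & 0xFFFFFF) | (uint32_t)((d >> 56) & 0xFF) << 24;
    r.dpl         = (uint8_t)((d >> 45) & 3);
    r.present     = (uint8_t)((d >> 47) & 1);
    r.default_32  = (uint8_t)((d >> 54) & 1);
    r.granularity = (uint8_t)((d >> 55) & 1);
    r.limit = r.granularity ? (raw_limit << 12) | 0xFFF : raw_limit;  /* G=1: 4 KiB units */
    return r;
}

/* The addition the CPU performs after its limit check: linear = base + offset.
   Returns -1 for a not-present segment or an offset beyond the limit (a fault
   in hardware), otherwise the 32-bit linear address. */
int64_t linear_address(descriptor_t d, uint32_t offset) {
    if (!d.present || offset > d.limit) return -1;
    return (int64_t)d.base + offset;
}

int main(void) {
    /* Constructed sample: a flat ring-3 data descriptor (base 0, 4 GiB limit) and
       a selector:offset pair of the kind a debugger prints. */
    descriptor_t flat = decode_descriptor(0x00CFF2000000FFFFULL);
    selector_t sel = decode_selector(0x0023);
    printf("selector 0x0023: index %u, %s, RPL %u\n", sel.index, sel.ti ? "LDT" : "GDT", sel.rpl);
    printf("base 0x%08X limit 0x%08X DPL %u -> offset 0x00465456 is linear 0x%08llX\n",
           flat.base, flat.limit, flat.dpl, (unsigned long long)linear_address(flat, 0x00465456));
    return 0;
}
```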

least
August 16th, 2002, 08:58
Hi,
I'm quite new too, but I hope I can give you some hints. First of all, is your target packed?
If not, try to disassemble it (IDA is great); it can give you some valuable info that you can hardly find in a debugger (like cross-references).
If it is packed, first try to unpack it and continue with the step mentioned above. Icedump is a big help too, both for unpacking and for its tracex command, which can help you with the freqasm stuff. And the last hint: try using bpm on the password and name addresses with the rw option; it will tell you when the program reads or writes them (maybe bpr can help too, but it will slow down your machine).
Hope it helps.
Regards
least

Fake51
August 16th, 2002, 09:52
Some hints:
- To break this one, use bpm's on name and serial. The calc'ing of the serial is all over the exe, not just in one place.
- Use your disassembler and search for "unregistered". One place pops up, and lo and behold, what do you find just before that? The magic memory check.
- Adding these two, your tactic might be: figure out where the flag is set, and how it relates to the name and serial. In other words: go debug!

The programmer has made the job easier: hardcoded offsets, and only one place where he modifies the flag. Shouldn't be too hard.

Fake

naides
August 16th, 2002, 13:57
Quote:
Originally posted by Alph
Hi,

I am new to reverse engineering, but have been programming for some time already. I just installed SoftIce and looked at the innards of Tabledit, and I'd be grateful for a few answers.

Tabledit is a shareware protected by a serial number registration.
It's at www.tabledit.com

What I did, roughly:

I break on GetDlgItem. I see that there are two of those, getting the username and password and storing them in fixed memory locations.

GOOD. NOW PUT A BPR ON THOSE LOCATIONS, SO ANY TIME YOUR PROGRAM READS THEM, MORE THAN LIKELY FOR VALIDATION PURPOSES, YOU WILL KNOW.

Then a first call, which I will go into in more detail below.

Then a second call, which looks to me like it is just doing some cleanup with Windows.

Then I go into the kernel/_freqasm stuff.

IT IS NOT UNUSUAL FOR THE FLOW OF CODE TO GO THROUGH KERNEL, USER, ETC. CODE DURING THE FLOW OF THE PROGRAM. USUALLY, WHAT HAPPENS THERE IN THE WINDOWS DLLS IS NOT RELEVANT FOR YOUR CRACKING, BUT OCCASIONALLY IT IS. IN THE FIRST INSTANCE, DO NOT SPEND TOO MUCH TIME ANALYSING WHAT THE KERNEL CODE DOES.

What is happening here? Am I right in thinking that Windows is now taking care of another thread and doing some window management? Or is Tabledit calling those? Or triggering those with a semaphore, maybe?

EITHER/OR

Anyway.. then another call; I see that it is some window stuff, and that a window is refreshed with "Table edit 2.60 demo".. so I guess the checking for the correct serial was above.. maybe?

NOW YOU HAVE A GENERAL HYPOTHESIS THAT THE SERIAL VALIDATION TOOK PLACE BEFORE THIS PIECE OF CODE.

Then more freqasm/kernel/user..

Are there some debug files for the Windows DLLs that I can give to SoftIce to see better what is happening?

YES, THEY ARE AVAILABLE ON THE MSOFT SITE. AND NO, THEY DO NOT HELP UNDERSTAND WHAT YOUR APP IS DOING, ONLY WHAT THE KERNEL IS DOING, AND YOU DO NOT WANT TO DEBUG THE KERNEL OR THE USER32 DLL, DO YOU?

Then back to tabledit, back to freqasm/kernel/user, and I finally arrive at an event server loop (I think... made of TranslateAccelerator, TranslateMessage and DispatchMessageA), which makes me sure that the program has now decided that my password was no good.

So back to the first call.

I see that it first does some register access, and creates an entry with my username and password.

YOU ARE WARM.

I'd expect the program to do that after it has validated my password...

NOT NECESSARILY.

any idea why it happens before? (or maybe I did not see the validation?)

IT MAY STORE THE PWORD, GOOD OR BAD, AND DO THE ANALYSIS LATER.

NOTE WHERE THAT ENTRY IS LOCATED, AND TRY TO BREAK SOFTICE (bpr, bpm?) WHEN THAT ENTRY IS READ. I AM NOT SURE WHAT YOU MEAN BY ENTRY: REGISTRY ENTRY OR MEMORY LOCATION ENTRY.

Then the program does some length calculation, checks if the username is not User, Registered, or Chafe (?)

I WOULD TRY INPUTTING THOSE STRINGS AS USER NAMES AND SEE WHAT HAPPENS.

Then it changes the first letter of the username to a capital..

It tries now to convert the password to a hex number at some point, which makes me believe that the password is a hex number.

IS IT DIRECTLY CONVERTING A STRING INTO A HEX NUMBER, OR IS IT MAKING A HASH OF THE PASSWORD?

Then a few other things happen, which I do not totally understand..

I THINK YOU SHOULD TRY TO GO SLOW HERE; IT SMELLS LIKE THE VALIDATION ROUTINE MAY BE CLOSE. PUT A BPM ON THE ADDRESS OF THE HEX EQUIVALENT OF YOUR PASSWORD, SO YOU CAN TELL WHEN THE CODE READS IT.

and then we are back in the main program..

THE VALID/NOT VALID INFO MAY HAVE BEEN PLACED IN A FLAG, IN MEMORY OR IN A REGISTER, DURING THE VALIDATION ROUTINE (THAT YOU HAVE NOT ISOLATED YET).

If someone would care to see if I understand (at least something...) correctly, and give me a hint where the actual validation of the password takes place, I'll be thankful.

Also (yes I'm full of questions..) can I quickly go back to the main program when windoze decides to do kernel/user/freqasm stuff?

F12 (PRET) GOES FASTER.

Is there a way to see the stack more easily than displaying memory, then looking at how the pointers/data items were entered and writing it down?

THE WS COMMAND OPENS A WINDOW FOR THE CALL STACK. OTHERWISE, LEARN TO USE THE 4 DIFFERENT DATA WINDOWS SICE PROVIDES AND KEEP ONE POINTED AT THE ESP.

Why does SoftIce give me some addresses with segments, like
1234:004654567.

I thought that with 32-bit apps, segments/offsets were not used anymore?

Do some segments still have a meaning?

Thanks!

UPPERCASE WAS USED TO MARK MY COMMENTS, NOT TO SCREAM.

Kayaker
August 16th, 2002, 21:31
Hi All,

I like the purely theoretical approach to this: an unknown and difficult problem, helpful, wise reversing suggestions to solve it, resulting from a good description of the problem. Makes for a hell of a more interesting thread than another crack patch upload. Someone mentioned this forum getting duller and duller by the day? Lol, truer words have never been spoken, my friend.

Anyway, this is fun reading because there is one more piece to the puzzle. Everything said was an excellent suggestion which will get you to the inevitable fact that there is no solution to this problem. Keep this possibility in mind always and be suspicious when approaching a reversing problem.

Your analysis of the general code flow and the curious returns to kernel code were correct, and you were right in thinking this didn't seem right. Keying in on TranslateMessage to know you've gone too far in the code was a good trick, as is always using an API monitor, which will often pick up the exact code you're looking for.

Getting to know API code flow and the general way in which the kernel handles program calls is important, especially to be able to recognize when the code isn't behaving as you think it should. You were expecting at least one more call to validate your s/n and it seemed to never be made, always returning control to kernel code. Well, I'm afraid that's actually the answer, I guarantee you won't find the s/n check because it doesn't even exist in this particular target.

This is a good target to try to uncripple the features and remove the watermarking, but the serial number routine is entirely fake, I promise you. Confuse-A-Cracker code. Everybody remember the Monty Python sketch "Confuse-A-Cat"? lol, I always think of that. The ref to Chafe is a crack author check from a very old version (1.06?) which had a valid routine; future versions did not, it was just quietly removed. I have a very fond place in my heart for this particular app, since this was my pet project for months on which I was weaned into the art of reversing, something akin to a Mother's teat if you will...

Cheers,
Kayaker

naides
August 16th, 2002, 22:05
KAYAKER:

I guess you are having a blast reading all the now useless stuff I wrote.

Well, that is the way I would have done it, if the serial evaluation code did exist.

Kayaker
August 17th, 2002, 03:31
Wasn't useless at all, naides, it was textbook. Sometimes the textbook just needs to be thrown away, that's all; as I'm sure you've experienced, that's the fun of it.

Fake51
August 17th, 2002, 12:48
This gives it away pretty easily: (from the help file)

Quote:

Entering your password:

When you've gotten your password following registration:

· Follow the instructions you received with your registration code and go to the registered user page on any of the above sites.

· Download the latest full version of TablEdit.
· Install the files included in the zip (*.exe) file over those of your installed demo version and start the program.


Lol. Mind you though, it's possible to make the program show that you're a registered owner, although the program will still show up as a demo.

The thing does indeed run thru some serial calc'ing; that's your standard run-of-the-mill "translate serial to hex and mess around with the name". There's a value in mem that's checked when the thing wonders if it should display the about box with a reg button or not, and this value holds the transformed value from the name calc'ing. The value is checked against 0, however, so you have to patch it to change it. Guess the author didn't bother changing his program too much when doing the stripped version.

Fake

cHeCksUm
August 24th, 2002, 20:51
Hehe,
Reminds me of Muzicman... It was an app I cracked a while back. I like to return to the first apps I cracked now and again to see if they / I have improved. Well, anyhow, I worked on the serial routine for ages, looking back on all my notes from previous versions, but I could not crack the sucker. Seemed to be going in circles. In the end I decided to give it a break, and I forgot about it. Funny thing: a while later I needed just such an app, so I went and purchased Muzicman and, lo and behold, was given a completely different download link from the one on the main page. In other words, some time between my first attempts and the last one they had removed the serial routine.... I should have read the readme... would have saved me two or three days of work.... but hell, it was fun... and informative.

// cHeCksUm