Reversing CD Phone Book PART II


narnar2000
December 13th, 2002, 21:37
Hi all,

I posted a message here recently regarding reversing a phonebook on CD.
I haven't had enough time to spend trying to extract/crack the database.
However, I did find that the driver app allows for up to 5 search results at a time to be exported to a text file. The results include the name, address and phone number of each match.

Which got me thinking that perhaps this would be an easier feature to exploit... But, of course, the problem is how to alter/fool the app into spitting out any number of results in one go. My guess is that there's a hard-coded max value (=5) somewhere in the binaries. I disassembled the DLL which provides the "export to file" function and from what I could make out, it seems that it has no max value check. No real surprise there... so presumably the "if (numResultsToExport > 5)" check is in the driver app itself. But where????

I changed a few 0x74s to 0x75 etc but to no avail.

Anyone got any ideas about how to locate a hard-coded value?

Thanks.

naides
December 13th, 2002, 22:59
Quote:
Originally posted by narnar2000
Hi all,

I posted a message here recently regarding reversing a phonebook on CD.
I haven't had enough time to spend trying to extract/crack the database.
However, I did find that the driver app allows for up to 5 search results at a time to be exported to a text file. The results include the name, address and phone number of each match.

Which got me thinking that perhaps this would be an easier feature to exploit... But, of course, the problem is how to alter/fool the app into spitting out any number of results in one go. My guess is that there's a hard-coded max value (=5) somewhere in the binaries. I disassembled the DLL which provides the "export to file" function and from what I could make out, it seems that it has no max value check. No real surprise there... so presumably the "if (numResultsToExport > 5)" check is in the driver app itself. But where????


Perhaps close to the place where the "export to file" function is called.

Quote:
I changed a few 0x74s to 0x75 etc but to no avail.

Anyone got any ideas about how to locate a hard-coded value?

Keep in mind that the digit '5' may not appear at all in the disassembly:


If the counter variable is zero based, counts less than or equal to 4 give a total of 5 cycles.

The counter variable may be set to 4 and then decremented after each cycle.

The counter value may be set somewhere else in the file and passed in a register or in a stack variable, which is not obvious in a dead listing. Example:

TEST ECX, [EBP-10]
JZ 41567

ECX holds the count, EBP holds the limit (Perhaps 4?) but you don't see the value.
Thanks.

FoolFox
December 16th, 2002, 08:28
Hello,

Searching for a single value such as 5 in a big exe will not only return you tons of results; it may be difficult to find which one is the one you want to fix....

Your export option comes from a menu, right? Then maybe you should have a look at the resources in order to know which ID the menu got, and find that back in the main exe (where there is a loop that makes a compare on the various menu entries)...

From there, study the part of code called.... If you are lucky you may even get access to a function that retrieves a whole record's info in one shot....

Regards
FoolFox

Paul333
January 4th, 2003, 14:08
It's not a very good app if it only allows 5 exports!

Have you checked to see if you can buy "Credits" which allow higher rates of exporting?

I "fixed" another telephone app that only allowed 1 export if you had no PROFILES "Credits", so you had to buy these to export in greater numbers...... I did a memory search to find the keys but also found it stored the number of profiles in the registry!!

Check if you can up your exports number... SURELY YOU MUST?

paul333