
How to find out what the call does?


van_Hauser
February 5th, 2004, 20:11
I have read some tutorials about reverse engineering.
Most of them are easy to understand and the programs
were easy too.

Now in "real" it's not so easy anymore :-(

I tried "bpx getwindowtexta" in SoftICE, which works well.
After jumping out with F11 I see this code:

LEA EAX, [EBP-58] ;d eax = EC 5E D3 77 00 00 00 00 - ...
PUSH 1D
PUSH EAX
PUSH 0000041D
PUSH DWORD PTR [EBX+000001C4]
CALL ESI ;the first bpx getwindowtexta was for the name,
;now is this the call to get the number from the dialog ?
PUSH EAX
CALL EDI ;call and do something with the window registry ?
LEA ECX,[EBP-18]
CALL 00DC6E30 ;Jesus, another call I don't understand
AND DWORD PTR[ESP-04],00
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
PUSH 00DDDAD0 ; yeah, keep pushing stuff on the stack I don't understand
LEA ECX,[EBP-18]
CALL 00DC6E65
TEST EAX,EAX
JNZ 00DC78C3 ; NO JUMP
...


I have read the nice tutorial about "Basic Key Generation File Routines"
but can't find similar code :-(

I can dive into the calls with F8 but the routines there wont help me
and there are many other calls.

How can I find out what all the calls do, and where to start
understanding what the program does?

sgdt
February 5th, 2004, 22:40
Are you sure it's
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION

and not
PUSH 80000001 ;HKEY_CURRENT_USER

It would make a lot more sense...

naides
February 5th, 2004, 23:48
Quote:
[Originally Posted by van_Hauser]I have read some tutorials about reverse engineering.
Most of them are easy to understand and the programs
were easy too.

Now in "real" it's not so easy anymore :-(

Welcome to the true World of RCE!

I tried "bpx getwindowtexta" in SoftICE, which works well.
After jumping out with F11 I see this code:


You need to scroll UP in the code, before the GetWindowTextA API is called.
The second-to-last pushed parameter before the call should contain the address of the buffer where whatever was gotten_from_the_window_text_a is stored. You should keep an eye on that.



LEA EAX, [EBP-58] ;d eax = EC 5E D3 77 00 00 00 00 - ...

Does EAX hold a pointer to some other value? check also d @EAX


PUSH 1D
PUSH EAX
PUSH 0000041D
PUSH DWORD PTR [EBX+000001C4]
CALL ESI ;the first bpx getwindowtexta was for the name,
;now is this the call to get the number from the dialog ?

Now, what API or routine is pointed to by ESI? You may find out by stepping into it with F8, or by scrolling up in the code and finding where the value of ESI was loaded. I doubt this is a call to GetWindowTextA, because 4 parameters get pushed to the stack and they do not look like the typical GetWindowTextA parameters. Get an API reference and study the assembly form of API calling.


PUSH EAX
CALL EDI ;call and do something with the window registry ?
Hard to tell. You have to know what EDI is pointing to.

LEA ECX,[EBP-18]
CALL 00DC6E30 ;jesus another call i dont understand

Check what is in EBP-18 by doing d EBP-18 AND d @[ebp-18]
in this case, the parameter may have been passed to the call in a register, ECX, and something is done with it.


AND DWORD PTR[ESP-04],00
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
PUSH 00DDDAD0 ; yeah keep pushing stuff on the stack in dont understand
Looks like a magic number or an address near by, check it out

LEA ECX,[EBP-18]

EBP -18 again passed on ECX
CALL 00DC6E65

Now this call looks interesting. It calls a local routine and returns a result in EAX.
The Next constellation of instructions:

TEST EAX,EAX
JNZ 00DC78C3 ; NO JUMP

Is typical of a decision point, good cracker bad cracker, go or not go, and deserves careful consideration
...



I have read the nice tutorial about "Basic Key Generation File Routines"
but can't find similar code :-(

Forget about finding similar code in tutorials. Learn assembly, learn the logic. Even small changes in high-level code, i.e. C++, or in compilation parameters can produce drastic changes in the assembly code.

I can dive into the calls with F8 but the routines there wont help me
and there are many other calls.

How can I find out what all the calls do and where to start
understanding what the program does?



The secret is knowing which one to dive into with F8. Given your code snippet, I would go for: CALL 00DC6E65
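
A small static helper along the lines of the advice in the post above, added here as an example; it is not code from the thread and nothing in it comes from van_Hauser's target. It walks back from each CALL over the PUSHes that feed it, so that for a stdcall API such as GetWindowTextA the second-to-last PUSH is labelled lpString and tied back to the LEA that produced the buffer address; it notes when an address was loaded into ECX right before a local CALL (the register-passed parameter naides points at); and it pairs TEST/Jcc as decision points. The listing it runs on is constructed: its stack layout and the 80000001 / 00DDDAD0 pushes echo the snippet in the thread, but the resolved API targets (GetWindowTextA, RegOpenKeyExA), the parameter table and the KEY_READ push are assumptions made for the example, so that the 80000001 ambiguity sgdt raised is resolved by the parameter that consumes it.

```python
"""Static pass over a SoftICE-style 32-bit x86 listing: recover the PUSHed arguments
of each CALL (stdcall/cdecl push right to left, so the last PUSH is the first
parameter), name them for known Win32 APIs, and flag TEST/CMP + Jcc decision points."""
import re
from dataclasses import dataclass

# Parameter names in C declaration order for a few stdcall APIs (assumed table).
KNOWN_APIS = {
    "GetWindowTextA": ("hWnd", "lpString", "nMaxCount"),
    "RegOpenKeyExA": ("hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"),
}
# One constant, several meanings; the consuming parameter decides.  Both are real.
AMBIGUOUS_IMMEDIATES = {
    0x80000001: {"hKey": "HKEY_CURRENT_USER", None: "STATUS_GUARD_PAGE_VIOLATION"},
}
_IMM = re.compile(r"^[0-9A-Fa-f]{1,8}$")  # SoftICE prints immediates as bare hex
_CALLER_SAVED = ("EAX", "ECX", "EDX")    # clobbered by any call in 32-bit conventions

@dataclass
class CallSite:
    line: int
    target: str          # API name if recognised, else the raw CALL operand
    args: list           # [(parameter name, pushed operand, note or None)]
    ecx: "str | None"    # memory operand LEA'd into ECX before the call (thiscall 'this')

def _split(text):
    """(MNEMONIC, operands) with the ';' comment removed; None for a blank line."""
    parts = text.split(";", 1)[0].split(None, 1)
    if not parts:
        return None
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def _describe_immediate(operand, param_name):
    """Name an ambiguous immediate according to the parameter that consumes it."""
    if not _IMM.match(operand):
        return None
    meanings = AMBIGUOUS_IMMEDIATES.get(int(operand, 16), {})
    return meanings.get(param_name, meanings.get(None))

def analyze(listing):
    """Return (list of CallSite, list of (line, compare, jump) decision points)."""
    calls, decisions, pending, lea = [], [], [], {}
    numbered = ((n, _split(t)) for n, t in enumerate(listing.splitlines(), 1))
    parsed = [(n, p) for n, p in numbered if p]
    for i, (n, (mn, ops)) in enumerate(parsed):
        dest = ops.split(",", 1)[0].strip().upper()
        if mn == "LEA":
            lea[dest] = ops.split(",", 1)[1].strip()   # dest now holds &[mem]
        elif mn == "PUSH":
            pending.append((n, ops))
        elif mn == "CALL":
            api = ops.strip("[]")
            names = KNOWN_APIS.get(api, ())
            take = min(len(names) or len(pending), len(pending))
            args = []
            for k, (_, operand) in enumerate(reversed(pending[len(pending) - take:])):
                name = names[k] if k < len(names) else f"arg{k + 1}"   # last PUSH = 1st param
                reg = operand.upper()
                note = f"address of {lea[reg]}" if reg in lea else _describe_immediate(operand, name)
                args.append((name, operand, note))
            calls.append(CallSite(n, api if names else ops, args, lea.get("ECX")))
            pending = pending[:len(pending) - take]
            for reg in _CALLER_SAVED:
                lea.pop(reg, None)
        elif mn in ("TEST", "CMP") and i + 1 < len(parsed):
            nxt_mn, nxt_ops = parsed[i + 1][1]
            if nxt_mn.startswith("J") and nxt_mn != "JMP":
                decisions.append((n, f"{mn} {ops}", f"{nxt_mn} {nxt_ops}"))
        elif mn in ("MOV", "POP", "XOR", "AND", "OR", "ADD", "SUB"):
            lea.pop(dest, None)   # register overwritten; it no longer holds the LEA'd address
    return calls, decisions

# Constructed listing for this example; stack layout and the 80000001 / 00DDDAD0
# pushes echo the thread's snippet, the resolved API targets are assumed.
LISTING = """
LEA EAX,[EBP-58]               ; buffer that receives the window text
PUSH 00000020
PUSH EAX
PUSH DWORD PTR [EBX+000001C4]
CALL [GetWindowTextA]
LEA EAX,[EBP-1C]
PUSH EAX
PUSH 00020019                  ; KEY_READ
PUSH 00
PUSH 00DDDAD0
PUSH 80000001
CALL [RegOpenKeyExA]
TEST EAX,EAX
JNZ 00DC78C3
LEA ECX,[EBP-18]
PUSH 00000007
CALL 00DC6E65
TEST EAX,EAX
JZ 00DC7900
"""

if __name__ == "__main__":
    calls, decisions = analyze(LISTING)
    for c in calls:
        print(f"line {c.line}: CALL {c.target}", f"ECX = &{c.ecx}" if c.ecx else "", c.args)
    for line, cmp_, jmp in decisions:
        print(f"line {line}: decision point {cmp_} -> {jmp}")
```

Run as-is and the PUSH 80000001 feeding RegOpenKeyExA comes out as hKey = HKEY_CURRENT_USER, while the same immediate handed to an unrecognised routine keeps the STATUS_GUARD_PAGE_VIOLATION reading SoftICE shows; the pushed EAX before GetWindowTextA is reported as the address of [EBP-58], which is the buffer to watch. Caveats: it only pairs PUSHes with the next CALL, so arguments an optimising compiler stores with MOV [ESP+n] are missed, and the register tracking is straight-line only. For CALL ESI or CALL EDI it can say nothing about the target; you still have to find where the register was loaded, or step in with F8, as the post says.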

Aimless
February 6th, 2004, 03:34
Hello,

Welcome to the cracking world. Simply put, there are always 2 aspects to cracking. They are:

1. Searching where in the world in the program the protections are
2. Breaking the protections

Most tutorials are aimed at the second option. Very few tutorials teach you about the first option. At most, it is generally left to the user to search where in that damned file the protection is located. To make matters worse, protections can be located at more than one location. In fact, some programs are entirely protections themselves, which run the good program only if you bypass them. And what's worse is, these protections are masked using checksums, CRCs, packing, anti-debug tricks, anti-monitoring tricks, digital certificates, private and public keys and anything you can think of. You will have to start at the bottom of this heap by cracking programs that have none of these.

Now, if I am not mistaken, the question you have asked is not really about point 2, but about point 1. I am afraid there is no straight answer. There is no generic way of searching for the locations of the protections, or, for that matter, which files have the protections. However, a good approach in these circumstances is the top-down approach. You approach the application as a whole and go down into details as they appear clearly. Here are some steps you can take:

1. Generally, run filemon and regmon (www.sysinternals.com) to figure out which files are involved in the protection. Beware, there are programs that completely bypass the monitoring or change names when monitored.
2. A good idea is also to use a profiler to see the calls that are made in a program during a protection check. This helps you pinpoint actual calls made as opposed to ALL calls seen in a disassembly or softice tracing.
3. Then, you can concentrate on the calls obtained above, knowing that these are indeed the ones associated with the protection. You can easily discount the API calls from these to get an even smaller number of calls to work with.
4. In which call is the protection located? Don't know. It's really difficult to tell, as protections can be spread across different calls. That is why it's important to initially crack programs that are simple and located in one call, such as WinZip v5 or WinZip v6, mIRC v5 and so on. Try your searching skills on the same. Don't worry, you'll learn how to search. Even the best of us cannot always pinpoint the protection in a single sitting. We sometimes spend most of our time just trying to figure out where the heck that protection scheme is and where it snaps. So you are not different. On the contrary, I'd say you are in good company.

So try cracking old programs first. Trying to crack the latest version of FlexLM or Sentinel is not the way to proceed. Try these for flavour:

Phase I: Simple serial number cracks (forget about keygens)
Phase II: Time protected
Phase III: Serial or time protected with simple anti-debugger tricks
Phase IV: Serial or time protected with simple packing (say, upx or pe compress etc)
Phase V: Serial or time protected with both simple anti-debug and simple packing.
Phase VI: Serial or time protected with complicated anti-debugging
Phase VII: Serial or time protected with complicated packing
Phase VIII: Serial or time protected with complicated packing and anti-debugging and anti-dumping and anti-monitoring
Phase IX: Heavy duty protections like Safe Disc/ Securom etc
Phase X: Biggies like FlexLM/Aladdin etc.

Phew, quite a bit. And remember, in each of the phases, the idea is to do both point 1 and point 2. You may find some phases are easier in point 1 and others are easier in point 2.

No one said cracking was easy. But do it for its plain joy and you really won't mind.

Have Phun

van_Hauser
February 6th, 2004, 05:58
Hello!

Thanks for the answers!

Naides, thank you for the work you invested in your answer for a
newbie in assembler!

Well, I thought "You can code in C and C++ and had
'Introduction to computer architecture' at university,
so this assembler stuff is no big deal" - WRONG DUDE
Now at least I know where to continue the learning.


@sgdt
Quote:
[Originally Posted by sgdt]Are you sure it's
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
and not
PUSH 80000001 ;HKEY_CURRENT_USER
It would make a lot more sense...

In Softice the line
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
is displayed as I wrote it here. The command plus the comment
behind it.

I can't tell you more as a newbie. You could be right about the HKEY_..
because values are read from and written to the registry; that's what I
was able to find out with "regmon".


@Aimless: "But do it for its plain joy and you really wont' mind."
Well, I am sorry to tell you that I am a stupid perfectionist. By now
I just hate this plugin DLL nagging me and I wanna fill it in - bash it,
beat it, bite it.


Hope to see you all again once I have made some progress.

nikolatesla20
February 6th, 2004, 09:37
heh...

Welcome to the board!

I noticed you mentioned a plug-in DLL. Any chance I can get some more details? Sounds juicy. I've done a lot of plug-in DLLs over my learning time: I got one for MSVC++, I got a COM DLL for the Task Manager, and I've done a VST instrument DLL.

DLLs are usually "easier". They usually have less anti-debug code, especially anything too advanced, since they aren't actual processes themselves.

I agree with naides, you might want to try and fiddle with those JZ instructions, etc.

What does the plug-in "do" when it's not registered? Bring up a nag or have a message in the about dialog, or what?

I'm a little biased in this opinion, but I don't know if trying to keygen is a good way to start reversing. At least for me, it's too hard at first because you have to figure out how all the code "works" together. Whereas with cracking, all you have to do is find the weak link in the chain of the protection. You only have to know which jump to fix (and sometimes a couple of other small routines).

-nt20

van_Hauser
February 9th, 2004, 08:54
Thanks nikolatesla20 - I PM'ed you about it.