View Full Version : Making a program run without the loader ?


markh51
June 13th, 2004, 09:07
I have a non-commercial program which I want to change...

I want it to run without the use of the dongle in place. (I have the dongle, but it is a pain in the arse, as I have more than 1 prog which requires the use of a dongle on the LPT port)

I have tried to reverse the prog but it is proving to be a bit of a nightmare, as the program with the protection can't be run by itself. If you try, it throws an "Access violation at address..." error. It will only run if it is called by the loader. When it does run, it opens in full screen and you can't switch back to the disassembler!

So my questions are:

1) What routine would the program use to check to see if it was run by the loader ?

2) How do I stop it loading in full screen and not being able to switch back ?

3) How do I get rid of the nasty dongle (Dallas iButton)

Thanks in advance.

JMI
June 13th, 2004, 14:42
markh51:

At the moment, your post simply looks like a crack request. You have apparently not read the FAQ listed in the BIG RED LETTERS at the top of the Forum. Time for you to do so now.

After you read the FAQ, you will discover that one of our requirements here is that you not only attempt to help yourself before you ask a question, you also have to do your own research, show what you have done and where you are stuck, after trying to help yourself.

Your post shows no personal effort at solving your own problem and contains information which suggests you are not being truthful with us. For example, why would a "non-commercial" program be protected with a "Dallas iButton"? So I ask YOU what you have done to determine:

1) What routine would the program use to check to see if it was run by the loader ?

2) How do YOU try to stop it loading in full screen and not being able to switch back ?

3) What have you searched for and read on how YOU get rid of the nasty dongle?

We are not here to do YOUR work for you, only to try to help you along AFTER you have demonstrated that you have tried to help yourself.

Regards,

markh51
June 13th, 2004, 15:21
First of all, I am not expecting anyone to do all the work for me, I have been working on this program for over 8 days without any luck... that's how I have "helped myself".

Secondly... I came to the conclusion that the program is not commercial due to the fact that it is not available for sale... anywhere. I OWN a copy of this program as well as 2 dongles for it. I just want to make it work without the dongle as I have other programs such as my compiler which require a dongle to be in place as well.

The reason why I have had no luck with this prog is because, it must be run through a "loader" for it to run. When it does run, it opens in full screen and stops you switching back to the debugger.

The only way I can see me being able to do this, is if I can make it run without the loader and stop it going into full screen (or find a way of switching back to the debugger).

So any help is greatly appreciated.

Best regards,
Markh51

JMI
June 13th, 2004, 16:19
markh51:

You still seem to be missing the point. We are not mind readers, we can deal ONLY with what you write. You will notice your first post (as well as your second) says nothing about what you have actually done to help yourself except: "I have been working on this program for over 8 days without any luck."

You say the program has to be run by a "loader." Have you looked at this "loader" in any analysis tools, such as IDA and/or WDasm to examine the code?

You say it "stops you switching back to the debugger." Have you done ANY research here or on the net on "anti-debugger" procedures or techniques or are you simply waiting for someone to give you a tutorial on how programs might muck with your debugger? Are you aware that it is not unusual for programs to disable a debugger or how they might do that? Have you searched here or anywhere for such information? We don't even know WHICH debugger you might be trying.

No one can tell from what you have posted ANYTHING about your skill level or knowledge base or ANYTHING you may have already tried. The FAQ states you should:

Cut and Paste these questions in your post, including your answers :
1. What is the problem....
2. What is the protection.....
3. What tools are you using....
4. What tutorials have you read....
5. Show your output listing WITH comments....
6. NOW ask your question....

It is hard to argue you have done ANY of these things and you certainly have not told us ANYTHING you have actually done to help yourself solve this problem. You may have done many things, but you have done NOTHING to SHOW that you have done ANYTHING. That IS the point.

Regards,

markh51
June 13th, 2004, 16:51
Sorry about this, I'm new to posting things, I never thought to explain in a bit more detail:

1. What is the problem....
The application which I need to remove the dongle protection from must be called from the loader. This makes it a bit more tricky to debug, but not impossible.

2. What is the protection.....
The only protection that I can see is the Dallas iButton and an anti-SoftICE routine which I have already removed.

3. What tools are you using....
IDA Pro, W32DASM 8.93, PE Explorer and a Hexeditor

4. What tutorials have you read....
I have trawled the net about the Dallas iButton, but there appears to be nothing apart from that it can be cracked by using a dictionary attack, only if the developer uses a "normal" word... not in this case! I have downloaded a copy of the API and have searched for the functions/references but there appears to be nothing in the main prog or the DLL file.

5. Show your output listing WITH comments....
I have attached a TXT file, is this what you mean by output listing ?

6. NOW ask your question....

1) What routine would the program use to check to see if it was run by the loader ? If you run the prog without the loader it throws an "Access violation at address..."

2) How do I stop it loading in full screen and not being able to switch back ? You can't use CTRL-ALT-DEL or ALT-TAB or anything, only CAPSLOCK appears to work.

3) How do I get rid of the nasty dongle (Dallas iButton) ?
I think I would be able to do this myself if I could debug the prog as it was running, as I am just having to take a shot in the dark at the moment.

JMI
June 13th, 2004, 17:27
markh51:

This is much better. Now it's time to use some strategic thinking and do some searching. You say you have removed the anti-SoftICE routine (or at least disabled it) and now advise that one of the problems is that the program appears to disable parts of the keyboard necessary for activating SoftICE.

This should suggest to you certain search criteria for analysis of your problem, such as "keyboard" and "disable." Just doing a simple search HERE using those two terms I found several threads here, including one titled:
"how to remove Alt+tab protection" which may have some pertinent information. You will find it at

http://www.woodmann.com/forum/showthread.php?t=5287&highlight=disable+keyboard

The other threads with that search may also help. What you need is some general research on keyboard hooking and the APIs which are used for that purpose, and then determining what the "loader" is using to disable those keys.

You might be interested in the fact that Windows has an " application compatibility toolkit" that allows some hooking and modification of the keyboard. Check out the article at http://www.rpgexpert.com/548.html on how the program can be used to disable some keys. Analysis on the program might give you some clues and might actually permit you to modify your program itself.

Googling using "disabling alt tab" also will find some useful information, such as this short article at:

http://www.codeguru.com/Cpp/misc/misc/keyboard/article.php/c433/

"Disabling the Alt-Tab key combination
Rating: none

Dan Crea (view profile)
February 4, 1999

The simplest way to achieve this is to use the RegisterHotKey function. By calling this function from within your process you take precedence over the O/S. The WM_HOTKEY message that is generated by the specified key combination will be re-directed to your process's message queue. To block the hotkey, don't process the WM_HOTKEY message that is sent to your queue. Below I have copied a constructor and destructor that demonstrate this action.


// Call the RegisterHotKey function when the application
// is instantiated to block the ALT-TAB combination
// Note: The m_nHotKeyID is an int which specifies the hotkey
// ID; the hotkey id is programmer defined
CMainFrame::CMainFrame()
{
    m_nHotKeyID = 100;

    BOOL m_isKeyRegistered = RegisterHotKey(GetSafeHwnd(), m_nHotKeyID,
                                            MOD_ALT, VK_TAB);

    ASSERT(m_isKeyRegistered != FALSE);
}


// Let's remove the hotkey block when the application is destroyed
CMainFrame::~CMainFrame()
{
    // Same variable name in both statements (the original listing mixed case)
    BOOL m_isKeyUnregistered = UnregisterHotKey(GetSafeHwnd(), m_nHotKeyID);
    ASSERT(m_isKeyUnregistered != FALSE);
}

There you have it, the simplest way to block the ALT-TAB without writing a VxD.
One last thing, the hotkey block will continue as long as your application is running. When your process terminates the hotkey will return to its original functionality. "

Those same search terms will find you an interesting article titled: "Typename, Disabling Keys in Windows XP with TrapKeys" at

http://msdn.microsoft.com/msdnmag/issues/02/09/CQA/default.aspx

which discusses ways it can be done.

In other words, when you identify a problem (in this case certain keys on the keyboard are disabled) this should suggest to you various terms you can use to search for answers to your problems. This is the result of thinking about your problem, understanding what it is, and choosing terms which describe the problem, and then searching for answers.


Regards,

markh51
June 13th, 2004, 17:45
JMI:

The thing is I don't use SoftICE, I use W32DASM or IDA, I just disabled the routines as I thought they might affect other debuggers. I don't know how to use SoftICE.

The main loader totally disabled the keyboard, but I have now patched that. The prog which I am trying to debug uses DirectDraw for full screen, does this stop you switching tasks ?

Why would the prog throw an "Access violation at address" error if it is not called from the loader? I have looked at APIs like kernel32 GetCommandLineA.

JMI
June 13th, 2004, 18:08
markh51:

Read the additions to my previous post. If you aren't dealing with anything (at the moment) other than the disabling of parts of the keyboard, those links and search terms I suggested should get you on your way.

Are you using IDA as your debugger or are you not using a debugger at all?

If the loader "totally disabled the keyboard" and you patched it, maybe you didn't do so correctly or completely. And if it "totally disables the keyboard" does the program run only from the mouse?

Please note that DETAILS ARE IMPORTANT. Nothing in your first two posts mentioned that the "entire" keyboard was disabled, so you certainly left the impression this was an anti-debugger issue when it now suggests it is something else. Maybe you should search for "keyboard disabled."

Regards,

markh51
June 14th, 2004, 01:32
JMI:

I am using IDA and W32DASM as my Debugger and Disassembler.

The patch for the "Disabled keyboard" does work because, if you run the "unpatched" loader and exit, the keyboard remains disabled, however if you run the patched version and exit... everything seems OK.

This prog DOES only work from the mouse.

I am not sure if the main prog does disable the keyboard, as it does not accept commands from the keyboard, however pressing capslock makes the light go on and off, but other key combos won't work.

Also had a look through previous posts but nothing really stands out. I had a look at the link you sent, I will follow it up a bit more through Google.

Any other ideas are welcome.

Cheers.

markh51
June 14th, 2004, 14:43
JMI:

Can you have a look at the anti-SoftICE code I patched, is this right:

* Referenced by a CALL at Addresses:
|:0044EF46 , :004521E9
|
:0044F3F8 53 push ebx
:0044F3F9 33DB xor ebx, ebx
:0044F3FB 6A00 push 00000000
:0044F3FD 6880000000 push 00000080
:0044F402 6A03 push 00000003
:0044F404 6A00 push 00000000
:0044F406 6A03 push 00000003
:0044F408 68000000C0 push C0000000

* Possible StringData Ref from Code Obj ->"\\.\SICE"
|
:0044F40D 6828F44400 push 0044F428

* Reference To: kernel32.CreateFileA, Ord:0000h
|
:0044F412 E88976FBFF Call 00406AA0
:0044F417 83F8FF cmp eax, FFFFFFFF
:0044F41A EB08 jmp 0044F424 <--- I changed this to a JMP
:0044F41C 50 push eax

* Reference To: kernel32.CloseHandle, Ord:0000h
|
:0044F41D E85E76FBFF Call 00406A80
:0044F422 B301 mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044F41A(U)
|
:0044F424 8BC3 mov eax, ebx
:0044F426 5B pop ebx
:0044F427 C3 ret

Also, I am having a problem with my SoftICE 4.05 for W95... When you press CTRL-D, the screen goes black and nothing happens.

Thanks.

JMI
June 14th, 2004, 16:16
markh51:

This is known as the "MeltICE" method of detecting SoftICE. You will find it discussed here as method 11 and how to work around it:

http://www.crackstore.com/003.htm

As the code there shows you, there used to be a compare eax and a je if eax was not -001.

Are you really running Win95? I've deleted your duplicate thread in the Tools of the Trade Forum asking about the SoftICE 4.05 and Win95 question you already asked here. dELTA was referring to the BIG RED LETTERS and the mention of the FAQ at the top of the forums, which I've mentioned to you already. He's telling you you need to use the search button for "softice" and "video" problems before asking for help. It is most likely a problem with compatibility of your video card, which is an issue you will see discussed many times.

As I said in my previous post:
In other words, when you identify a problem (softice, blank screen, video, win95) this should suggest to you various terms you can use to search for answers to your problems. This is the result of thinking about your problem, understanding what it is, and choosing terms which describe the problem, and then searching for answers.

For example, using "softice and blank screen" (without the quotes) I got a thread titled: "softice 4.05 and WINME, black screen on start-up...." and while I realize it refers to WinME you should have at least read it because you may have the same problem. You will find it at:
http://www.woodmann.com/forum/showthread.php?t=6025&highlight=softice+blank+screen

Regards,

markh51
June 14th, 2004, 16:30
JMI:

Thanks for that but I sorted the SoftICE problem by un-installing and then re-installing it. It now seems to work fine.

I DID do a search before I posted this and I found the same thread which you found but it was not the same problem which I was getting... but never mind, now it's all sorted.

Is the patch which I applied to the "MeltICE" code OK? I wasn't too sure whether to force a jump or just go to the next line.

JMI
June 14th, 2004, 16:53
markh51:

Let me say again that the way to avoid suggestions to search, is to say you searched and didn't find anything which seemed to answer your question.

On the MeltICE trick, assuming your code was previously a "je" (jump if equal), then you want to take the jump. You could do it one of two ways.

You could make
:0044F417 83F8FF cmp eax, FFFFFFFF into
:0044F417 cmp eax, eax

and then the je would be taken, or, as you did, you can change the je to jmp to always go, no matter how the compare works out. The code compares for a negative result, meaning it didn't find SoftICE, so it jumps to continue. If it found SoftICE, it would go somewhere else.

Just remember for other circumstances that the cmp will set a flag, depending on the result, and it is at least possible that something might check that flag later in the routine, but in this case I don't think it is part of the MeltICE routine.

Also you might want to take a look at OllyDBG as a somewhat easier debugger to start with. It works only in ring 3, but that will work for most early reversing activities. You will find it at:
http://home.t-online.de/home/Ollydbg/

Regards,

CrackZ
June 14th, 2004, 17:30
Hiya,

I'm not sure whether there was a conversation had here about Dallas iButtons, I seem to remember one, or perhaps that was with someone else, regardless:

Find the iButton v4.31 SDK, and then from what I quoted then:

"Most iButton protected programs I've seen are statically linked with the dll swa32ut.dll (something like that), even if this is not the case its a trivial patch to make your target load this dll and of course redirect calls there (I have if you need an example swa32ut.dll with source code."

Give me a shout anyway if you want more help with this.

Regards

CrackZ.

markh51
June 14th, 2004, 17:34
JMI:

I have just had a look at the code which calls the "MeltICE" routines:

:0044EF42 753E jne 0044EF82 <--- Goto Kernel32.CloseHandle
:0044EF44 8BC7 mov eax, edi
:0044EF46 E8AD040000 call 0044F3F8 <--- Check //./SICE
:0044EF4B 84C0 test al, al
:0044EF4D 7533 jne 0044EF82 <--- Goto Kernel32.CloseHandle
:0044EF4F 8BC7 mov eax, edi
:0044EF51 E8DE040000 call 0044F434 <--- Check //./NTICE
:0044EF56 84C0 test al, al
:0044EF58 7528 jne 0044EF82 <--- Goto Kernel32.CloseHandle
:0044EF5A 6A00 push 00000000

What are the "test"s and "jne"s for after it has returned from the "MeltICE" routines ? I ask this because, if I patch the "MeltICE" code like you said before, with the JMPs, the prog just quits ?!?

JMI
June 14th, 2004, 19:39
markh51:

Why in the hell are you still not doing your own research??? Have you bothered to SEARCH on the net for MeltICE code and compare it to your code? Isn't that what YOUR brain is for???

Using "MeltICE code" (without the quotes) it took only a second to find:

http://www.woodmann.net/krobar/tutlist/tutlist286.htm

which is located on our server for God's sake. Don't you look for anything? It has the entire asm code for MeltICE:

And now, the Dead Listing of an .exe file using that code:
* Referenced by a CALL at Address :004011DE
:00401080 E87BFFFFFF call 00401000 ; first, check for S-Ice Win95
:00401085 85C0 test eax, eax ; check if loaded...
:00401087 7410 je 00401099 ; No, jump to check_NT, if yes:
:00401089 6894604000 push 00406094 ;->"SoftICE for Windows 95 is active!"
:0040108E E83D000000 call 004010D0
:00401093 83C404 add esp, 4
:00401096 33C0 xor eax, eax
:00401098 C3 ret ; S-Ice Win95 detected. Bye_bye.
:Check_NT
:00401099 E8A2FFFFFF call 00401040 ; Now, check for S-Ice WinNT
:0040109E 85C0 test eax, eax ; check if loaded...
:004010A0 7410 je 004010B2 ; jump if NOT loaded to can't_find, else
:004010A2 6870604000 push 00406070 ;->"SoftICE for Windows NT is active!"
:004010A7 E824000000 call 004010D0
:004010AC 83C404 add esp, 4
:004010AF 33C0 xor eax, eax
:004010B1 C3 ret ; S-Ice WinNT detected. Bye_bye.
:can't_find
:004010B2 6848604000 push 00406048 ;->"Can't find SoftICE with this method!"
:004010B7 E814000000 call 004010D0
:004010BC 83C404 add esp, 4
:004010BF 33C0 xor eax, eax
:004010C1 C3 ret ; S-Ice not found.

********************************End of detection********************************
The detection/CreateFileA routine for S-Ice Win95:
:00401000 6A00 push 00000000 ; CreateFileA parameters
:00401002 6880000000 push 00000080 ; ...
:00401007 6A03 push 00000003 ; ...
:00401009 6A00 push 00000000 ; ...
:0040100B 6A03 push 00000003 ; ...
:0040100D 68000000C0 push C0000000 ; ...
* Possible StringData Ref from Data Obj ->"\\.\SICE" ; VxD driver for S-Ice Win95
:00401012 6830604000 push 00406030
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:00401017 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
:0040101D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
:00401020 740D je 0040102F ; Yes, jump otherwise...
:00401022 50 push eax ; SoftIce Win95 IS loaded!
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:00401023 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
:00401029 B801000000 mov eax, 00000001 ; Eax:=1
:0040102E C3 ret !
; Back to the caller
* Referenced by a (C)onditional Jump at Address :00401020
:0040102F 33C0 xor eax, eax ; Eax:=0 (not loaded)
:00401031 C3 ret !
; Back to the caller
...
The detection/CreateFileA routine for S-Ice WinNT:
...
* Referenced by a CALL at Address :00401099
:00401040 6A00 push 00000000 ; CreateFileA parameters
:00401042 6880000000 push 00000080 ; ...
:00401047 6A03 push 00000003 ; ...
:00401049 6A00 push 00000000 ; ...
:0040104B 6A03 push 00000003 ; ...
:0040104D 68000000C0 push C0000000 ; ...
* Possible StringData Ref from Data Obj ->"\\.\NTICE"; VxD driver for S-Ice WinNT
:00401052 683C604000 push 0040603C
* Reference To: KERNEL32.CreateFileA, Ord:0031h
:00401057 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
:0040105D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
:00401060 740D je 0040106F ; Yes, jump otherwise...
:00401062 50 push eax ; SoftIse WinNT IS loaded!
* Reference To: KERNEL32.CloseHandle, Ord:0018h
:00401063 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
:00401069 B801000000 mov eax, 00000001 ; Eax:=1
:0040106E C3 ret !
; Back to the caller
* Referenced by a (C)onditional Jump at Address :00401060
:0040106F 33C0 xor eax, eax ; Eax:=0 (not loaded)
:00401071 C3 ret !
; Back to the caller

NOW DO YOU SEE ANY SIMILARITY BETWEEN THIS AND YOUR CODE???
(Yes, I know they've moved some parts of it around a little bit, but LOOK at the code and what it is doing. It makes the checks and closes Softice if one or the other version is found. It would not take much modification to make it close the target program if either is detected. You could search for that as well.)

As Frog's Print concluded:

"But is S-T-U-P-I-D because we now will be able to check if any program is detecting Soft-Ice even before it will have the time to do so: just with a BPX CreateFile(A)." (Actually, should be BPX CreateFileA)

Now, if you look at this code, you will see that it is making more than one check, isn't it. Which one have you patched? Have you patched the other? Have you done anything to determine whether SoftICE 4.05 is SoftICE 95 or SoftICE Win-NT??? Does it not make sense, if you do not know, to LOOK IT UP and, as a fall back position, if you do not know, to patch both???

Now come on, this particular issue is not that hard IF YOU JUST DO A LITTLE STUDY OF THE TOPIC FIRST.

Regards,

Aimless
June 15th, 2004, 00:02
Might I suggest that instead of breaking dongles (as people who have been RCE for years still struggle) you simply find a crack for the same?

It kind of seems a little too enthusiastic to feel that a dongle needs to be broken just because of our familiarity with SoftICE or IDA or w32Dasm.

Feel free to ignore this if you have a lot of RCE experience and think this is a good time to start on dongles.

Have Phun

markh51
June 15th, 2004, 02:25
I have been looking for a cr*ck for the iButton for quite some time now but without any success, so the only way I can see is to remove the protection myself... unless anyone else has any ideas ?

JMI
June 15th, 2004, 02:43
I don't suppose you paid much attention to CrackZ' post or did any searching for information on iButton coding or found the SDK he mentioned, now did you??? There's interesting stuff out there like an article titled:

A Basic iButton Interface

found at http://www.codeproject.com/samples/ibuttoninterface.asp

but apparently you just want someone to help you find a crack or do the work for you. How about trying something REALLY desperate, like putting something like "iButton SDK" into your favorite search engine and reading some of the hits.

Regards,

markh51
June 15th, 2004, 02:53
Like I said earlier, I have been searching for a while now (on Google), but the only thing that I could come up with was the SDK from the Dallas website. Obviously, their kit is not going to let you "hack" the iButton or remove the protection, so instead I just used the API as a reference to check the code against, but like I said, I could not find any reference in the code to the iButton API.

I'll take a look at the link you provided.

Thanks.

markh51
June 15th, 2004, 03:03
OK, I had a look at the link you provided and downloaded the source code, the only problem is I don't have MS Visual C++ to compile it, I only have Borland C++ Builder. Anyway, I don't think this tool will be very useful as it seems similar to the TMEX tools which Dallas provide. These tools are no use unless you know the password for each section, as the contents are encrypted.

JMI
June 15th, 2004, 03:09
Instead of ONLY reading the link I gave you, why don't you actually do some research on the subject of "ibutton + code" and "ibutton sdk" and "ibutton+ crack*" (without the quotes.)

Regards,

markh51
June 15th, 2004, 03:51
Yes, I've tried those variations on Google and there is nothing there that will break the iButton, only tools which will communicate with it, which is no good unless you have the password. The only tool I found performs a dictionary attack on the iButton, but this is only effective if the developer uses a weak password.

Thanks.

JMI
June 15th, 2004, 04:21
markh51:

Take a CLOSE look at the code I posted from MeltICE. Look at the references to "CreateFile" and you will see no "()" around the "A". If you try BPX CreateFileA it should work.

Yes I know what Frog's Print wrote in the line I quoted, but he wrote that in 1999. If you had read a few more threads here, or anywhere, on breakpoints this would have become obvious to you. I believe the "()" are most frequently used to indicate that there may be an API with and without the letter on the end, depending on the system one is using. There is a CreateFile for Windows Me/98/95 and a CreateFileA for later versions.

There's even a program called "auto debug for windows" that claims to have automated circumvention of several anti-debug systems. It can be found at:

http://www.autodebug.com/antidebug.html

Regards,

markh51
June 15th, 2004, 04:29
JMI:

Yeah, I know now, I read the post a little bit closer

That's why I edited it, but you must have replied before I changed it.

markh51
June 16th, 2004, 04:57
JMI:

I have come across another "problem" in the prog... If you change anything in the main prog it will half load then crash, but if using the original unchanged prog it will load OK. So it seems to know even if you patch one or two bytes, even though the file sizes are EXACTLY the same.

I have done a bit of research on google but I don't really know what I am searching for as I have not come across this before. Do you think it is comparing the CRC values of the files ?

Do you have any ideas on this matter ?

Cheers.

ZaiRoN
June 16th, 2004, 05:04
Quote:
it is comparing the CRC values of the files ?
Could be. Put a bpm over the byte(s) you changed and check if there is a crc or something else...

markh51
June 16th, 2004, 05:11
ZaiRoN:

I take it you are talking about using SoftICE, how do I do that ?

Do I use "bpm address" ? Then what do I look for ?

Also another problem I have with SoftICE is how do I get it to break at a certain address of a file if it has not loaded it yet ? I need to do this because I need to break into the file more or less as soon as it loads.

Cheers.

JMI
June 16th, 2004, 12:26
markh51:

You need to stop starting new threads each time you seem to have an additional question about reversing this program. You already asked your question about CRC checking here and we don't need a separate thread about it from you. Once again you have also failed to do your own searching and research, both about CRC techniques and about how to make SoftICE work. It does come with a manual, which you should read.

Regards,

markh51
June 16th, 2004, 14:09
For your information I have already looked through the SoftICE manual and read how the BPM works, but I don't understand how to use it in my situation.

Why every time when I ask a question do you always think I haven't bothered to look ? I always look at any manuals if available and on google.

So if you can be so kind as to tell me how I can use BPM to do what ZaiRoN said I would appreciate it.

Thanks.

JMI
June 16th, 2004, 15:08
markh51:

There are at least two GOOD reasons why I question whether you have searched before you ask a question.

1.) You NEVER state that you have SEARCHED for the answer to a question.

2.) You CONTINUE to ask questions that I KNOW have answers EASILY available by searching.

Take, for example, your question: "Do I use "bpm address" ? Then what do I look for ?"

This tells me you haven't the slightest idea what a CRC check is doing and that, despite your protestations to the contrary, you haven't paid much attention to the SoftICE manual on the use of BPM (Address) and you really didn't SEARCH for information on the subject, or at least you didn't do so with ANY thought about what you were looking for.

Take for example this search:

http://search.earthlink.net/search?q=softice+%2B+bpm+address&area=earthlink-ws

The very first entry is to:

#Cracking4Newbies SoftIce Tutorial, found at http://www.woodmann.net/krobar/beginner/04.htm

Does that address LOOK FAMILIAR? It's right here.

It contains the statement:

BREAKPOINTING ON MEMORY ACCESS
--------------------------------------------------------
SYNTAX: BPM <address> R/W
The R/W tells SoftICE whether to pop up on a read or write operation to that address. The default is RW (read & write)

The third entry in the search was: Guide to SoftICE Commands
http://www.woodmann.com/crackz/Tutorials/Sicecref.htm

Does that address LOOK FAMILIAR? It's also right here.

It contains: BPM
Break point on memory access
BPM[size] address [R|W|RW|X] [debug register] [IF expression] [DO bp-action]

There are pages and pages of other references.

I KNOW this information is IN THE F*CKING MANUAL with explanations and examples.

There are also pages and pages of search references to CRC available. One such provides:

cyclic redundancy check
(algorithm)

Definition: (1) A method to detect and correct errors by adding bits derived from a block or string of bits to the block. (2) An algorithm to compute bits characteristic of a block based on the algebra of polynomials over the integers, modulo 2. (3) The characteristic bits of a block.

Now if you had read several of these articles on CRC you would understand that there has got to be a routine which "reads" (hint, hint, hint) the bits (or bytes) of the code to check against a "sum" which is generally hard coded in the software "somewhere." So..... in order to "read" the bits/bytes there must be code which is reading all, or some significant part of your target's code. Hence the use of BPM <address> (R/W).

How you ask (again)? Well THINK about it. If it is going to "add" bits/bytes, it has to read the code. If you break when "some particular code" is read you will know you are possibly in a routine which is doing a CRC. Now this is not always WHY some code is being read, because it would also "read" an entered serial, but determining that code is being read would, at least suggest, it might be a CRC, and IF your target crashes after you change ANY code, you can pretty well be assured something akin to a CRC is happening. So now, the only thing you need to know is what <address> to check is being read. Well duh!!! How about the one (or more) YOU changed.

Now IF you had SEARCHED and READ any articles on REVERSING CRC (now there's an interesting search criteria) you would already know most of this and what to do if your BPM breaks on a read of the code you previously changed.

The main problem is that you appear to lack some of the most basic level skills of reversing. That, in and of itself, is where we all started and no reason for criticism. You, however, seem not to want to do this basic home work before you venture into the dark codewoods and then you scream for help when you get lost, instead of SEARCHING for the correct path with any forethought or significant effort on your own, or, at the very least, with NO demonstration you have done so. You certainly appear to be trying to fly, before you actually learn how to crawl.

Regards,

markh51
June 16th, 2004, 15:53
Setting a BPM on the address I changed, does nothing. Any ideas ?

JMI
June 16th, 2004, 16:32
Did you set BPM <address> or BPM <address> R/W ? Details ARE important.

The first one will NOT work. The second one should.

And you NEVER actually confirmed that you were, or were not using Win95.
If not what OS are you using?

Regards,

markh51
June 16th, 2004, 16:42
I am using Win95

Using BPM address R still does not work!

Do you think the prog could be using kernel32.readfile to check the CRC of itself? But it has to have the original CRC value to compare it against, so it must be coded into the prog?

markh51
June 16th, 2004, 16:52
I set a BPX on the readfile and found an interesting piece of code, which the prog seems to loop inside of for a while. Can you take a quick look and see what you think:

* Referenced by a CALL at Address:
|:00402F54
|
:00402EB4 55 push ebp
:00402EB5 8BEC mov ebp, esp
:00402EB7 51 push ecx
:00402EB8 53 push ebx
:00402EB9 56 push esi
:00402EBA 57 push edi
:00402EBB 8BF1 mov esi, ecx
:00402EBD 8BFA mov edi, edx
:00402EBF 8BD8 mov ebx, eax
:00402EC1 8B4510 mov eax, dword ptr [ebp+10]
:00402EC4 0FB75304 movzx edx, word ptr [ebx+04]
:00402EC8 23D0 and edx, eax
:00402ECA 3BC2 cmp eax, edx
:00402ECC 7558 jne 00402F26
:00402ECE 6A00 push 00000000
:00402ED0 8D45FC lea eax, dword ptr [ebp-04]
:00402ED3 50 push eax
:00402ED4 8B4308 mov eax, dword ptr [ebx+08]
:00402ED7 F7EE imul esi
:00402ED9 50 push eax
:00402EDA 57 push edi
:00402EDB 8B03 mov eax, dword ptr [ebx]
:00402EDD 50 push eax
:00402EDE FF550C call [ebp+0C]
:00402EE1 85C0 test eax, eax
:00402EE3 7511 jne 00402EF6

* Reference To: kernel32.GetLastError, Ord:0000h
|
:00402EE5 E8BAE3FFFF Call 004012A4
:00402EEA E8B5F9FFFF call 004028A4
:00402EEF 33C0 xor eax, eax
:00402EF1 8945FC mov dword ptr [ebp-04], eax
:00402EF4 EB3F jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE3(C)
|
:00402EF6 8B45FC mov eax, dword ptr [ebp-04]
:00402EF9 33D2 xor edx, edx
:00402EFB F77308 div [ebx+08]
:00402EFE 8945FC mov dword ptr [ebp-04], eax
:00402F01 8B4514 mov eax, dword ptr [ebp+14]
:00402F04 85C0 test eax, eax
:00402F06 740A je 00402F12
:00402F08 8B4514 mov eax, dword ptr [ebp+14]
:00402F0B 8B55FC mov edx, dword ptr [ebp-04]
:00402F0E 8910 mov dword ptr [eax], edx
:00402F10 EB23 jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F06(C)
|
:00402F12 3B75FC cmp esi, dword ptr [ebp-04]
:00402F15 741E je 00402F35
:00402F17 8B4508 mov eax, dword ptr [ebp+08]
:00402F1A E885F9FFFF call 004028A4
:00402F1F 33C0 xor eax, eax
:00402F21 8945FC mov dword ptr [ebp-04], eax
:00402F24 EB0F jmp 00402F35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402ECC(C)
|
:00402F26 B867000000 mov eax, 00000067
:00402F2B E874F9FFFF call 004028A4
:00402F30 33C0 xor eax, eax
:00402F32 8945FC mov dword ptr [ebp-04], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402EF4(U), :00402F10(U), :00402F15(C), :00402F24(U)
|
:00402F35 8B45FC mov eax, dword ptr [ebp-04]
:00402F38 5F pop edi
:00402F39 5E pop esi
:00402F3A 5B pop ebx
:00402F3B 59 pop ecx
:00402F3C 5D pop ebp
:00402F3D C21000 ret 0010

Thanks for your time.

dELTA
June 16th, 2004, 18:36
Sure, I just took a look at it and it's a very fine piece of code indeed.

Now for the love of god will you stop posting pages of completely uncommented code here, not to mention start following the posting guidelines which people have been trying to get you to understand for the last week or so!?!

markh51
June 17th, 2004, 01:19
The reason why it is un-commented is because I don't know what it is, so I was asking if you could tell me whether or not it looked like the CRC checking routine, as placing a BPM over the changed code does not work.

bilbo
June 17th, 2004, 02:39
Hi, Markh51,
a snippet of code with external function calls is really tough to attach.
Here is anyway a hypothesis...

Code:

; function name:
; get_elements_from_file(arg0, arg1, arg2, arg3)
; passed arguments and registers:
; arg0 error on read bytes mismatch
; arg1 function, ReadFile
; arg2 sort of flags, the bits inside [EAX+4] must be set here
; arg3 out address, to put-in the number of elements read, or NULL
; EAX must be the pointer to a structure describing one element:
; +00 field: file handle
; +04 field: sort of flags (16 bits)
; +08 field: element size
; ECX number of elements
; EDX buffer to be filled inside this function
; return 0 if ko, else the number of elements retrieved

; function prolog
402EB4 push ebp
mov ebp, esp
push ecx
push ebx
push esi
push edi
mov esi, ecx ; number of elements
mov edi, edx ; buffer

mov ebx, eax ; passed struct pointer

; check: arg2 flags(?) must have set the bits inside [struct+4] flags
mov eax, dword ptr [ebp+10] ; arg2
movzx edx, word ptr [ebx+04]
and edx, eax
cmp eax, edx
jne 402F26 ; return ko

; read: must return not-zero
push 00000000 ; lpOverlapped
lea eax, dword ptr [ebp-04]
push eax ; lpNumberOfBytesRead
mov eax, dword ptr [ebx+08] ; elements size
imul esi
push eax ; nNumberOfBytesToRead
push edi ; lpBuffer
mov eax, dword ptr [ebx]
push eax ; hFile
call [ebp+0C] ; arg1: ReadFile?
; check the result
test eax, eax
jne 402EF6 ; ok
; the read failed
call 4012A4 ; GetLastError()
call 4028A4 ; acknowledge_return_code(passed in EAX)
; return 0
xor eax, eax
mov dword ptr [ebp-04], eax ; retval
jmp 402F35 ; return 0 (ko)

402EF6 mov eax, dword ptr [ebp-04] ; number of bytes read
xor edx, edx
div [ebx+08] ; divide by number of bytes per element
mov dword ptr [ebp-04], eax ; retval: number of elements read

; store the number of elements read if passed address is not null
mov eax, dword ptr [ebp+14] ; arg3
test eax, eax
je 402F12 ; skip storing result
; do the storing
mov eax, dword ptr [ebp+14] ; arg3
mov edx, dword ptr [ebp-04] ; number of elements
mov dword ptr [eax], edx
jmp 402F35 ; return number of elements

; check if we have got the requested number of elements
402F12 cmp esi, dword ptr [ebp-04] ; retval
je 00402F35 ; return ok (number of elements read)

; on failure
mov eax, dword ptr [ebp+08] ; arg0: error on read bytes mismatch
call 4028A4 ; acknowledge_return_code(passed in EAX)
; return 0(ko)
xor eax, eax
mov dword ptr [ebp-04], eax ; retval
jmp 00402F35 ; return 0

; return ko (target of the jne 402F26 above)
402F26 mov eax, 00000067
call 4028A4 ; acknowledge_error_code()
; return 0(ko)
xor eax, eax
mov dword ptr [ebp-04], eax ; retval

; return EBP-4
402F35 mov eax, dword ptr [ebp-04] ; retval

; function epilog
pop edi
pop esi
pop ebx
pop ecx
pop ebp
ret 0010 ; clear the 4 arguments



So, no CRC checking, as you see.
Regards, Bilbo.

Kayaker
June 17th, 2004, 03:00
Hi markh51

Could be part of a checksum code, but it could also be your grocery list for all the use it is ;-) We have absolutely no perspective on where this code lies or what it might be doing, and there are probably only 1 or 2 clairvoyants on the forum and they're busy guessing on the stock market. (EDIT: OK, Bilbo must be one of them)

This is where doing background research on all of the dozens of "CRC" threads, or on any of the subjects you've been trying to tackle lately, beforehand is useful - to give you a better perspective on what to look for. An app might use CreateFile/ReadFile to read a copy of itself in to check it, but it might also use OpenFile, _lopen, _hread, _lcreat, MapViewOfFile, maybe others, so you should also rule these APIs out.

Let's say the app uses ReadFile to copy sections of itself into memory and perform some check on it. The bytes it's checking are in memory somewhere (i.e. the lpBuffer address of ReadFile), NOT on the bytes in the running image file that you tried to set a BPM(R) on. Two different addresses, not surprising it doesn't break.

Again, you need to approach this slowly and logically. Is ReadFile called only once (reads the whole file), or several times (reads it in sections)? How many bytes does it read in? At what starting address(es) is the file read? And where does it store it?

If you can find your patched bytes in the read-in memory, THEN maybe you can set a BPM(R) on that address and see where it takes you. Can't find your patched bytes? How about setting a "tag" you can search for. Assuming your patched code isn't actually run until after the CRC check passes (check with BPX/BPM(X)), you might be able to make your "patch" a distinctive character tag you can search for. Say "EMKCUF". Since it's going to fail the check anyway, who cares?

Keep trying, but remember, engage mind before keyboard...

Cheers,
Kayaker
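As an added illustration (not code from the thread or from any poster), here is a Python model of the self-check JMI and Kayaker describe above: the CRC computed as polynomial division over GF(2), a reference value stored inside the image, and a checker that pulls the covered bytes into a buffer in sections and compares the running sum with the stored one. The image layout, the chunk size and the sample bytes are constructed for the demo.

```python
import binascii
import struct

POLY = 0xEDB88320  # CRC-32 (IEEE 802.3) generator polynomial, reflected form
CRC_SLOT = 4       # offset of the 4-byte stored reference; constructed layout
CHUNK = 3          # read size used by the checker below; constructed value

def crc32_bitwise(data: bytes, crc: int = 0) -> int:
    """Long division of the message polynomial over GF(2), one bit at a time.
    Pass the previous result as `crc` to continue over the next chunk."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            # Low bit set: shift, then "subtract" (xor) the generator polynomial.
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF

def matches_reference(data: bytes) -> bool:
    """Cross-check the hand-rolled CRC against the library implementation."""
    return crc32_bitwise(data) == binascii.crc32(data)

def covered_bytes(image: bytes) -> bytes:
    """Everything the check covers: the image minus the slot holding the sum."""
    return image[:CRC_SLOT] + image[CRC_SLOT + 4:]

def stamp_image(image: bytes) -> bytes:
    """Build step: store the CRC of the covered bytes in the slot."""
    ref = struct.pack("<I", crc32_bitwise(covered_bytes(image)))
    return image[:CRC_SLOT] + ref + image[CRC_SLOT + 4:]

def image_is_intact(image: bytes) -> bool:
    """Run-time check: pull the covered bytes in chunks (as a checker reading
    its file in sections would), accumulate the CRC, compare with the slot."""
    (stored,) = struct.unpack_from("<I", image, CRC_SLOT)
    covered, running = covered_bytes(image), 0
    for off in range(0, len(covered), CHUNK):
        running = crc32_bitwise(covered[off:off + CHUNK], running)
    return running == stored

# Constructed image: header, empty slot, then the prolog bytes from the listing.
SAMPLE_IMAGE = b"MZ\x90\x00" + bytes(4) + bytes.fromhex("558bec51535657")

def tamper_demo() -> tuple:
    """(check on the stamped image, check after one bit of the code changes)."""
    stamped = stamp_image(SAMPLE_IMAGE)
    altered = bytearray(stamped)
    altered[-1] ^= 0x01  # flip one bit inside the covered region
    return image_is_intact(stamped), image_is_intact(bytes(altered))
```

Note that the bytes the checker runs over live in `covered` (the read buffer), not in the image object itself, which is the same distinction Kayaker draws between the lpBuffer of ReadFile and the running image.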

markh51
June 17th, 2004, 03:10
Bilbo:

I am VERY grateful for you going through that piece of code for me even though it was not the routine I was looking for.

EDITED: Due to the post above being posted as I was typing this one

Thanks for that Kayaker

markh51
June 17th, 2004, 05:09
Kayaker:

Ok, what I did was modify the NTICE string to a unique string. I ran the file and sure enough it crashed. So I searched for my string in memory using the S command, and I found a pattern match, so I noted down the memory location and set a "BPM address R" and ran the file again... It did not break. Any ideas why?

Cheers.

dELTA
June 17th, 2004, 06:54
Somewhere around the hundredth time you ignore people's tips about what to do, when to post, what to post and how to post, maybe people will start getting really annoyed with you...

The answer to your last question is already explicitly in Kayaker's post above, not to mention the tip of trying to think before you post, not just step-by-step following any detailed instruction you might find anywhere (including misunderstanding it first in half of the cases), and then posting again as soon as it didn't produce a crack for you. Aaargh!

Kayaker
June 17th, 2004, 09:47
Quote:
[Originally Posted by markh51]
Ok, what I did was modify the NTICE string to a unique string.

I am using Win95


HuH?? Just out of curiosity why are you patching the string 'NTICE'?

markh51
June 17th, 2004, 09:58
It doesn't matter now, I've found the code which does the CRC check, easily bypassed

Stone-D
June 25th, 2004, 13:48
JMI: Offtopic, apologies. Throughout all my years on the net, from usenet to forums, I've only encountered one admin, on the Mailtraq mailing lists, from whom I dreaded a reply. You have knocked him from that spot. Salute.

JMI
June 25th, 2004, 15:20
I believe this is called "damning by faint praise".

Regards,