Newbie password protection help
Fatty[NegX]
October 5th, 2004, 11:25
My favorite little app has a "secret area" to get into. This area is password protected. I've looked at many tutorials and most of them cover plain text passwords. This program doesn't seem to have plain text passwords, or it performs a check before actually comparing the two that invalidates your entered PW before even checking the two.
Here is what I can't get by:
CMP EAX,1 (I get through this one alright, I assume it makes sure the PW entered isn't 0 len?)
JNZ proggie.00405298 (just jumps back to the normal program)
CMP BYTE PTR SS:[ESP+61],0A8 (I assume the compare I can't get right)
This program doesn't seem to use any APIs to compare strings, only the ASM CMP. There are a bunch of LEA, JNZ, MOV, and a few CMPs after the CMP listed above which I assume check the password, but which I can't get to. Any ideas?
Also, I've attempted this in w32dasm, ida, and ollydbg. I can't use SIce because for some reason it doesn't like setting breakpoints for me. Even ones in the program by default, like kernel32 calls.
SL0rd
October 5th, 2004, 13:01
Hi,
I would like to play with this app, can you point out where can I get it, maybe you can send me by email ...!
You can PM me!
Silver
October 5th, 2004, 13:25
If you search the forum, there are approximately 10 billion posts about your softice problem (and I never, ever exaggerate in a hundred million years).
w32dasm, ida, olly and sice are different types of progs intended for different things. It seems from your basic description that just trying different disasm'ers and debuggers won't solve the problem.
Quote:
CMP EAX,1 (I get through this one alright, I assume it makes sure the PW entered isn't 0 len?)
JNZ proggie.00405298 (just jumps back to the normal program)
CMP BYTE PTR SS:[ESP+61],0A8 (I assume the compare I can't get right)
We need to know more about what this app is doing around this code (if you're absolutely sure this is where the checking is taking place). If the jnz 405298 jump really does take you back to the main app to say "Bad password", I would guess that there will be further jumps to this (or near this) loc. You need to follow the logic of the code some more - just because it doesn't use API calls doesn't necessarily make this any harder.
How does this "secret area" work? Does it pop up a dialog, ask for a password and then pop up a message box if it's wrong? At some point there is generally a "choke point" in an app - a jump or call for invalid registration details.
To summarise that blather, more info please.
Fatty[NegX]
October 5th, 2004, 18:57
When I say jumps back to normal program, I mean it just goes back to the normal program, no msgboxes come up.
When you enter the correct password, it goes into a dialog with various options which are "privileged".
I know the jnz just goes back to the normal program because I've tried modifying the jump to "incorrect password" to jump there instead, it gives the same effect as not entering a password. (I've cracked a couple proggies that way, so I know it works)
Now after the CMP I have provided, there are a couple MOV's and stuff as I said, and then another jump... which jumps almost to the beginning of the ASM code and it looks to be the real comparing stuff.
Here is what comes after the jump to "incorrect password", which is just after the JNZ above.
MOV CL,BYTE PTR SS:[ESP+62]
MOV AL,0CE
CMP CL,AL
JNZ SHORT proggie.0040520B (0040520B being: PUSH 0)
CMP BYTE PTR SS:[ESP+63],AL
SETA AL
MOV BYTE PTR SS:[ESP+62],AL
LEA ECX,DWORD PTR SS:[ESP+F0]
MOV DWORD PTR SS:[ESP+1AC],3
CALL (JMP.&MFC42.#800)
LEA ECX,DWORD PTR SS:[ESP+B0]
MOV BYTE PTR SS:[ESP+1AC],2
CALL (JMP.&MFC42.#609)
MOV BYTE PTR SS:[ESP+1AC],1
JMP proggie.004052CB
PUSH 0
LEA ECX,DWORD PTR SS:[ESP+100]
CALL proggie.00401BC0
MOV AL,BYTE PTR SS:[ESP+63]
MOV BYTE PTR SS:[ESP+1AC],4
CMP AL,66
JNZ SHORT proggie.00405233
MOV DWORD PTR SS:[ESP+67],1
JMP SHORT proggie.00405246
CMP BYTE PTR SS:[ESP+67],1
JNZ SHORT proggie.00405246
Is there a certain ASM snippet that brings up C++ dialogs? If so, then I would just be able to jump to that instead of trying to figure out the password (which doesn't matter to me), so if you know what ASM code would do it, please post and I'll look for it in the ASM dump.
and:
w32dasm, ida, olly and sice all "debug" programs and have options for breakpoints when running the program, so I consider them to be pretty much the same. Granted they are all considered different types of tools, but they all display ASM coding of a program, and allow you to set breakpoints and view memory. (This is just my opinion, I could be wrong, but in my eyes these tools perform the same function.)
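An added example, not code from the thread or from the application being discussed: a C sketch of what a checker like the listing above looks like in source. A compiler that inlines a comparison against a literal emits one byte CMP/JNZ per character and no string API call, which is one reason a listing can be "only the ASM CMP". Next to it is the form a defender would ship instead: only a digest lives in the binary, and every byte is compared with no early exit. The secret "secret", the FNV-1a digest (a stand-in for a real salted password hash, not one itself) and all function names are this example's own assumptions, not the app's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Weak form. An inlined comparison against a string literal compiles to a
 * chain of CMP BYTE PTR ..., imm8 / JNZ pairs, each an independent exit,
 * and the constants being compared are readable straight from the code.
 * The literal "secret" is a constructed secret for this example. */
int weak_check(const char *pw) {
    if (pw[0] != 's') return 0;   /* first mismatch leaves immediately */
    if (pw[1] != 'e') return 0;
    if (pw[2] != 'c') return 0;
    if (pw[3] != 'r') return 0;
    if (pw[4] != 'e') return 0;
    if (pw[5] != 't') return 0;
    return pw[6] == '\0';
}

/* Stand-in digest: FNV-1a 64-bit. It is NOT a password hash; a real build
 * would use a slow, salted KDF here. It is used only so the example runs
 * offline without a crypto library. */
void make_digest(const char *s, uint8_t out[8]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x100000001b3ULL;
    }
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(h >> (8 * i));
}

/* Compare every byte and OR the differences together: no per-byte exit,
 * so neither timing nor the position of a taken branch says which byte
 * was wrong. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened form: only `stored`, the digest produced at build or install
 * time, is embedded in the program; the secret itself never is. */
int hardened_check(const char *pw, const uint8_t stored[8]) {
    uint8_t d[8];
    make_digest(pw, d);
    return ct_equal(d, stored, 8);
}

/* Helper for the demo and tests: provision a digest from one string
 * (what the build step would do), then check an attempt against it. */
int demo_hardened(const char *provisioned, const char *attempt) {
    uint8_t stored[8];
    make_digest(provisioned, stored);
    return hardened_check(attempt, stored);
}

int main(void) {
    printf("weak  \"secret\" -> %d\n", weak_check("secret"));
    printf("weak  \"secrex\" -> %d\n", weak_check("secrex"));
    printf("hard  \"secret\" -> %d\n", demo_hardened("secret", "secret"));
    printf("hard  \"secreT\" -> %d\n", demo_hardened("secret", "secreT"));
    return 0;
}
```

The digest form removes the readable constants and the per-byte exits, but both checkers still end in a single pass/fail result feeding one conditional jump, which is exactly the "choke point" Silver describes. If the privileged area genuinely has to stay closed without the password, the design change is to derive a key from the password and keep that area's data encrypted under it, rather than gating it with a boolean.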
JMI
October 5th, 2004, 19:32
The issue of the "debug" programs is not that they all perform the same function, but whether they all perform with the same functionality. W32dasm is the oldest and probably the least powerful. IDA is new and the extent of its functionality not yet widely reported. Softice is a ring 0 debugger and operates on substantially different concepts than olly, which is a ring 3 debugger. Certainly softice and olly have their respective places, and reading lots of tuts will suggest when each might be appropriate.
Searching this forum and on the net will lead you to various APIs which would call a "dialogbox" to enter the serial, but it might not actually "be" a dialogbox. There are other alternatives. Searching will also lead you to that information here.
Regards,