giulio8
October 26th, 2005, 08:10
In my previous message "c0000142 in Macromedia Director",
I've received useful help from Ricardo Narvaja, but I'm still facing the first general problem:
I debug an application that throws an exception, supposedly to prevent debugging.
What to do next (in order to reverse the code)?
mr haggar
October 26th, 2005, 11:03
Well, download papers about exceptions and learn what they mean and what is expected from the system or the debugger when you land on one. A protected program expects that the exception will be handled by its own exception handler, so when you get it in the debugger you should do what the protector expects.
I don't know anything about exceptions, but I think that this is how it should be.
Ricardo Narvaja
October 26th, 2005, 13:47
If the program stops on an exception, press Shift+F9 to skip it, or go to DEBUGGING OPTIONS - EXCEPTIONS and ADD the last exception to the CUSTOM LIST; the next time, the program won't stop on this type of exception any more.
Ricardo Narvaja
giulio8
October 26th, 2005, 16:21
Ricardo,
it is difficult for me to explain it exactly (sorry); however, it is not a question of pressing Shift+F9 or adding it to the custom list in the options (I've done that, unsuccessfully)...
I don't know if you have time, but, just in case, try to download Director MX 2004 from http://www.macromedia.com/cfusion/tdrc/index.cfm?product=director
I would like to have the opinion of a reverse engineering expert!
Thanks in advance.
Giulio
Ricardo Narvaja
October 27th, 2005, 02:50
Do you use parcheado 4?
Ricardo
giulio8
October 27th, 2005, 03:34
Yes, of course, I followed all your instructions.
If you could try yourself...
Bye and thanks.
Giulio
Btw, an interesting article, not related to the subject, but with some criticism of debugging...
http://www.honeynet.org/scans/scan33/ with the official writeup:
http://www.honeynet.org/scans/scan33/nico/index.html
giulio8
October 28th, 2005, 04:22
This is the run trace (as I see in other posts, it could be useful).
Thanks for any help/explanation.
Giulio
796D072E Main MOV ESI,EAX ESI=00000000
796D0730 Main MOV DWORD PTR SS:[EBP-30],ESI
796D0733 Main CMP DWORD PTR SS:[EBP-1C],EDI
796D0736 Main JE SHORT KERNEL32.796D0754
796D0754 Main MOV EAX,DWORD PTR FS:[18] EAX=7FFDE000
796D075A Main MOV DWORD PTR SS:[EBP-60],EAX
796D075D Main PUSH EBX
796D075E Main PUSH EDI
796D075F Main MOV EAX,DWORD PTR DS:[EAX+30] EAX=7FFDF000
796D0762 Main PUSH DWORD PTR DS:[EAX+18]
796D0765 Main CALL DWORD PTR DS:[<&ntdll.RtlFreeHeap>] EAX=00000001, EDX=00130608
796D076B Main OR DWORD PTR SS:[EBP-4],FFFFFFFF
796D076F Main JMP SHORT KERNEL32.796D07BE
796D07BE Main CMP BYTE PTR DS:[7970B221],0
796D07C5 Main JE SHORT KERNEL32.796D07DD
796D07DD Main CMP ESI,EDI
796D07DF Main JGE SHORT KERNEL32.796D07EB
796D07EB Main MOV EAX,DWORD PTR SS:[EBP-38] EAX=10000000
796D07EE Main MOV ECX,DWORD PTR SS:[EBP-10] ECX=0012F96C
796D07F1 Main MOV DWORD PTR FS:[0],ECX
796D07F8 Main POP EDI EDI=0012F492
796D07F9 Main POP ESI ESI=0013607C
796D07FA Main POP EBX EBX=00136070
796D07FB Main LEAVE EBP=0012F440
796D07FC Main RETN 0C
796D02B3 Main RETN 0C
796D027F Main POP EDI
796D0280 Main POP ESI
796D0281 Main POP EBX
796D0282 Main POP EBP EBP=0012F614
796D0283 Main RETN 4
6C00CC03 Main TEST EAX,EAX
6C00CC05 Main JNZ SHORT actlib.6C00CC0E
6C00CC0E Main POP EDI EDI=0012F5C4
6C00CC0F Main POP ESI ESI=00136070
6C00CC10 Main POP EBP
6C00CC11 Main POP EBX EBX=6C00F096
6C00CC12 Main ADD ESP,104
6C00CC18 Main RETN
6C00CAA9 Main MOV EBX,EAX EBX=10000000
6C00CAAB Main ADD ESP,10
6C00CAAE Main TEST EBX,EBX
6C00CAB0 Main JNZ SHORT actlib.6C00CAC0
6C00CAC0 Main MOV EDX,DWORD PTR SS:[ESP+14] EDX=6C00F096
6C00CAC4 Main PUSH ESI
6C00CAC5 Main CALL DWORD PTR DS:[EDX+C] EAX=00000000, EDX=00130608
6C00CAC8 Main MOV EAX,EBX EAX=10000000
6C00CACA Main POP EBX EBX=6C00F096
6C00CACB Main POP EDI EDI=6C000000
6C00CACC Main POP ESI ESI=00137D98
6C00CACD Main POP EBP EBP=6C00C009
6C00CACE Main RETN
6C00C376 Main ADD ESP,2C
6C00C379 Main MOV DWORD PTR SS:[EBP+24],EAX
6C00C37C Main TEST EAX,EAX
6C00C37E Main JNZ SHORT actlib.6C00C390
6C00C390 Main PUSH EBX
6C00C391 Main CALL actlib.6C00EDD0 EAX=00000000
6C00C396 Main PUSH 1
6C00C398 Main CALL actlib.6C00E380 EAX=6C00E3F5, ECX=00000000, EDX=6C00E3F5
6C00C39D Main LEA EDX,DWORD PTR SS:[ESP+18] EDX=0012F5C4
6C00C3A1 Main PUSH EAX
6C00C3A2 Main MOV EAX,DWORD PTR SS:[EBP+24] EAX=10000000
6C00C3A5 Main PUSH EDX
6C00C3A6 Main PUSH EBX
6C00C3A7 Main PUSH EAX
6C00C3A8 Main CALL actlib.6C00C9D0 EAX=10003010, ECX=0012F96C, EDX=00130608
6C00C3AD Main ADD ESP,18
6C00C3B0 Main TEST EAX,EAX
6C00C3B2 Main JNZ SHORT actlib.6C00C3C4
6C00C3C4 Main MOV ECX,DWORD PTR SS:[ESP+1C] ECX=00001000
6C00C3C8 Main LEA EDX,DWORD PTR SS:[ESP+F0] EDX=0012F6A4
6C00C3CF Main MOV DWORD PTR SS:[ESP+2C],EDX
6C00C3D3 Main MOV DWORD PTR SS:[ESP+28],ECX
6C00C3D7 Main LEA EDX,DWORD PTR SS:[ESP+20] EDX=0012F5D4
6C00C3DB Main LEA ECX,DWORD PTR SS:[ESP+1F4] ECX=0012F7A8
6C00C3E2 Main PUSH EDX
6C00C3E3 Main MOV DWORD PTR SS:[ESP+24],EDI
6C00C3E7 Main MOV DWORD PTR SS:[ESP+28],ESI
6C00C3EB Main MOV DWORD PTR SS:[ESP+38],EBP
6C00C3EF Main MOV DWORD PTR SS:[ESP+34],ECX
6C00C3F3 Main CALL EAX EAX=F0920000, ECX=00000014, EDX=00000000, EBX=00000000, EBP=0012EF18, ESI=00136748, EDI=7FFDE000
78465EAD Main RETN 28 EAX=00000001, ECX=0000000B, EDX=1006C8D8, EBX=6C00F096, EBP=6C00C009, ESI=00137D98, EDI=6C000000
6C00C3F5 Main ADD ESP,4
6C00C3F8 Main TEST EAX,EAX
6C00C3FA Main JE SHORT actlib.6C00C40C
6C00C3FC Main POP EDI EDI=6C00C05E
6C00C3FD Main POP ESI ESI=0012F8F0
6C00C3FE Main POP EBP EBP=0012F8DC
6C00C3FF Main MOV EAX,1
6C00C404 Main POP EBX EBX=6C00C05E
6C00C405 Main ADD ESP,2E8
6C00C40B Main RETN
6C00C0AA Main ADD ESP,8
6C00C0AD Main POP ECX ECX=00000001
6C00C0AE Main CMP EAX,0
6C00C0B1 Main JE SHORT actlib.6C00C0CF
6C00C0B3 Main MOV BYTE PTR DS:[EBX],0C2
6C00C0B6 Main MOV BYTE PTR DS:[EBX+1],0C
6C00C0BA Main TEST ECX,ECX
6C00C0BC Main JE SHORT actlib.6C00C0C7
6C00C0BE Main POPAD ECX=6C00C05E, EDX=00000000, EBX=00000000
6C00C0BF Main POP EBP EBP=0012F8FC
6C00C0C0 Main MOV EAX,0 EAX=00000000
6C00C0C5 Main JMP SHORT actlib.<ModuleEntryPoint>
<ModuleEntryPoint> Main RETN 0C
784630E7 Main MOV ESP,ESI
784630E9 Main POP EBX
784630EA Main POP EDI
784630EB Main POP ESI ESI=00133308
784630EC Main POP EBP EBP=0012F97C
784630ED Main RETN 10
7846D96B Main MOV BYTE PTR SS:[EBP-3C],AL
7846D96E Main OR BYTE PTR DS:[ESI+36],8
7846D972 Main TEST AL,AL
7846D974 Main JNZ ntdll.7846D8E8
7846D97A Main JMP ntdll.784793C1
784793C1 Main PUSH -1
784793C3 Main LEA EAX,DWORD PTR SS:[EBP-10] EAX=0012F96C
784793C6 Main PUSH EAX
784793C7 Main CALL ntdll.7846B419 ECX=0012F8EC, EDX=00130608
784793CC Main POP ECX ECX=0012F96C
784793CD Main POP ECX ECX=FFFFFFFF
784793CE Main MOV EAX,C0000142 EAX=C0000142
784793D3 Main JMP ntdll.7846D997
7846D997 Main MOV ECX,DWORD PTR SS:[EBP-10] ECX=0012FD0C
7846D99A Main MOV DWORD PTR FS:[0],ECX
7846D9A1 Main POP EDI EDI=00131F78
7846D9A2 Main POP ESI ESI=7FFDF000
7846D9A3 Main POP EBX EBX=00131F04
7846D9A4 Main LEAVE EBP=0012FC98
7846D9A5 Main RETN 4
7847171B Main MOV EDI,EAX EDI=C0000142
7847171D Main TEST EDI,EDI
7847171F Main JL SHORT ntdll.7847172F
7847172F Main MOV EAX,EDI
78471731 Main POP EDI EDI=7FFDF000
78471732 Main POP ESI ESI=7FFDE000
78471733 Main POP EBX EBX=00000000
78471734 Main LEAVE EBP=0012FD1C
78471735 Main RETN 0C
784716CB Main MOV DWORD PTR SS:[EBP-30],EAX
784716CE Main MOV DWORD PTR SS:[EBP-4],EBX
784716D1 Main JMP ntdll.7846807E
7846807E Main OR DWORD PTR SS:[EBP-4],FFFFFFFF
78468082 Main CALL ntdll.784680C0 EAX=00000000, EDX=784B0348
78468087 Main CALL ntdll.ZwTestAlert ECX=01010101, EDX=FFFFFFFF
7846808C Main CMP DWORD PTR SS:[EBP-30],EBX
7846808F Main JL ntdll.784789D2
784789D2 Main CMP BYTE PTR SS:[EBP-34],BL
784789D5 Main JNZ SHORT ntdll.784789DF
784789D7 Main PUSH DWORD PTR SS:[EBP-30]
784789DA Main CALL ntdll.7847AAC5
784789DF Main PUSH DWORD PTR SS:[EBP-30]
784789E2 Main JMP SHORT ntdll.78478985
78478985 Main CALL ntdll.RtlRaiseStatus EAX=0012FC50, EBP=0012FCA0
End of gathered information, live log begins
Run trace closed
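The trace above ends with ntdll loading C0000142 into EAX and calling RtlRaiseStatus right after a DLL entry point has returned 0. As an added example (not code from the original post or from any of the participants), a small Python parser for OllyDbg run-trace lines that locates where an error-class NTSTATUS immediate is loaded and where it is raised; the sample lines are a subset copied from the trace above, and the status-code names come from the Windows NTSTATUS definitions.

```python
import re

# OllyDbg run-trace line: address (or symbol), thread, instruction, optional "REG=VALUE" list.
LINE_RE = re.compile(r"^(?P<addr>[0-9A-F]{8}|<[^>]+>)\s+(?P<thread>\S+)\s+(?P<rest>.+)$")
REG_RE = re.compile(r"\b(E[ABCD]X|E[SD]I|E[BS]P)=([0-9A-F]{8})\b")

# NTSTATUS values that commonly appear in a loader/exception trace (from the Windows headers).
NTSTATUS_NAMES = {
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}

# Sample input: a subset of the lines from the trace posted above (constructed for this example).
SAMPLE_TRACE = """\
6C00C0C0 Main MOV EAX,0 EAX=00000000
6C00C0C5 Main JMP SHORT actlib.<ModuleEntryPoint>
<ModuleEntryPoint> Main RETN 0C
784793CE Main MOV EAX,C0000142 EAX=C0000142
784793D3 Main JMP ntdll.7846D997
7847171B Main MOV EDI,EAX EDI=C0000142
78478985 Main CALL ntdll.RtlRaiseStatus EAX=0012FC50, EBP=0012FCA0
"""


def parse_line(line):
    """Split one trace line into (address, thread, instruction, {reg: value}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first = REG_RE.search(rest)  # register annotations start at the first "REG=VALUE" token
    instr = rest[: first.start()].strip() if first else rest.strip()
    regs = {r: int(v, 16) for r, v in REG_RE.findall(rest)} if first else {}
    return m.group("addr"), m.group("thread"), instr, regs


def find_raised_status(trace):
    """Find the error-class NTSTATUS immediate loaded into a register and the RtlRaiseStatus
    call that raises it; returns (addr_loaded, addr_raised, status, name) or None."""
    pending = None
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, _, instr, _ = parsed
        m = re.match(r"MOV (E[A-Z]{2}),([0-9A-F]+)$", instr)
        if m and int(m.group(2), 16) >> 30 == 3:  # top two bits 11 = error severity
            pending = (addr, int(m.group(2), 16))
        if "RtlRaiseStatus" in instr and pending is not None:
            return pending[0], addr, pending[1], NTSTATUS_NAMES.get(pending[1], "unknown NTSTATUS")
    return None
```

Running find_raised_status over the full trace in the post gives the same answer: the code is set at 784793CE and raised at 78478985, which is why OllyDbg's "skip exception" options do not help here, as the status is raised by the loader itself after the DLL's entry point reports failure.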
giulio8
November 6th, 2005, 11:21
Using PEiD I found the protection of actlib.dll:
SafeDisc 2.42.000 -> Macrovision [Overlay]
ep: stxt371
I've read the tutorials:
https://quequero.org/uic/sr2cracking.htm
http://xoomer.virgilio.it/pinc0pall/crktute/2/mohaa.htm
http://www.reverse-engineering.info/cd/TSD27p.txt
They are very detailed but too complex for me.
They also use SoftICE instead of OllyDbg :-((
Thanks for any help
Ricardo Narvaja
November 7th, 2005, 03:43
Maybe it is hard for your level. The worst step in cracking is to take one hard program, look only at this, and try to crack it; if you can't, leave the program for the future, it is not for you at this moment, and continue learning with easy programs. When you reach the level, you can crack it easily.
Ricardo Narvaja