Loadmodule loads dll and terminates main process


ItShO
August 6th, 2006, 10:04
I'm a VERY NOOB at Cracking, so don't kill me even if the stuff is too simple :-)

I've a small proggie that's been edited by the author to work on XP.
After 5 hours of analyzing I figured out this:

-=-=-=
getinformation
(get windows version)
if XP go to _xp
...
...
_xp:
if file USERXP does not exist goto _next
(that means that the user is not registered)
...
_next:
{doing some nasty calc about the hard drive serial number, put Calc1 as param1}
00401530 |. PUSH EAX ; eax=calc1 as ParameterBlock
00401531 |. LEA EAX,DWORD PTR SS:[EBP-334]
00401537 |. PUSH EAX ; dll file name
00401538 CALL DWORD PTR DS:[<&KERNEL32.LoadModule>] ; LoadModule
...
...
Leave

-=-=-=-=
2 questions:

A. Even if I bp on LoadModule and press F8, when I click on View->
I don't see the new module loaded!
(while I DO see it under File->Attach as a new process with pid 08ec)
So, can I change the API function? Is it the correct way? What can I change it to?
I tried changing it to CreateProcess
(because M$ said on MSDN that:
Quote:
LoadModule. Note: This function is provided only for compatibility with 16-bit versions of Windows. Applications should use the CreateProcess function.

)
but nothing appears.

B. If I try to dbg only the loaded dll alone (with loaddll of Olly), it runs & ends without prompting a thing. So, how can I put the calculated number in manually when I load the dll?



P.S.
I'm not asking for a crack! Just tell me if I'm doing something wrong.

blabberer
August 6th, 2006, 11:38
LoadModule() is a backward compatible API.

Internally LoadModule calls CreateProcess().

Why do you want to change that?

Also, if you F8 in OllyDbg, OllyDbg won't be able to catch a newly created process unless you tamper with it by modifying the entry point with an infinite loop (0xEB, 0xFE) and attaching to it with a new OllyDbg,

or inserting a 0xCC (int3); if you have set up OllyDbg as JIT (just-in-time debugger)
it will auto-attach itself when the int3 is hit.


After loading a dll manually it stops on DllMain once; if you are sure there is no code hidden in DllMain(), hit F9,

then Debug->Call DLL export -> you will see the functions that are exported by that dll; call them yourself with appropriate arguments.

Code:


#include <windows.h>
#pragma argsused    /* Borland: suppress unused-argument warnings */

/* lpCmdShow points at two WORDs: the first is the count (2), the second the SW_* value */
typedef struct _CMDSHOW
{
    WORD fp;
    WORD sp;
} cmdshow;

typedef struct tagLOADPARMS32
{
    LPSTR lpEnvAddress;  // address of environment strings
    LPSTR lpCmdLine;     // address of command line (Pascal-style: first byte is the length)
    LPSTR lpCmdShow;     // how to show new program
    DWORD dwReserved;    // must be zero
} LOADPARMS32;


int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    char modulename[] = "msgbox.exe";
    char lpcmdline[2] = {0};   /* length byte 0 -> empty command line, then terminator */

    LOADPARMS32 lparms;
    cmdshow cs;

    cs.fp = 2;
    cs.sp = SW_SHOWNORMAL;

    lparms.lpEnvAddress = 0;
    lparms.lpCmdLine    = lpcmdline;
    lparms.lpCmdShow    = (LPSTR)&cs;
    lparms.dwReserved   = 0;

    /* LoadModule returns a value greater than 31 on success */
    if (LoadModule(modulename, &lparms) <= 31)
    {
        MessageBox(NULL, "LoadModule failed", "LoadModule", MB_OK);
        return 1;
    }
    MessageBox(NULL, "new proc is already here", "LoadModule", MB_OK);

    return 0;
}


If you compile the above code and copy Iczelion's tute-02 msgbox.exe into the same folder as your newly compiled exe, you will see two message boxes:
one the original Icz's and one from your newly created code.

If you are familiar with WinDbg you can ask it to debug child processes also:

File -> Open Executable -> checkmark "Debug child processes also"

Code:


Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Documents and Settings\*****\Desktop\opd.exe"
Symbol search path is: SRV**********http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00412000 opd.exe
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.DLL
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
(41c.598): Break instruction exception - code 80000003 (first chance)
<------- original process see pid tid
eax=00241eb4 ebx=7ffdf000 ecx=00000007 edx=00000080 esi=00241f48 edi=00241eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> g
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\Apphelp.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.DLL
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
Symbol search path is: SRV*D:\********http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00404000 image00400000
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\user32.dll
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
(6e8.600): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffdf000 ecx=00000007 edx=00000080 esi=00241f48 edi=00241eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
1:001> lm
start end module name
00400000 00404000 image00400000 (deferred)
77d40000 77dd0000 user32 (deferred)
77f10000 77f57000 GDI32 (deferred)
7c800000 7c8f4000 kernel32 (deferred)
7c900000 7c9b0000 ntdll (pdb symbols) ********\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
1:001> kb
ChildEBP RetAddr Args to Child
0012fb1c 7c93edc0 7ffde000 7ffdf000 00000000 ntdll!DbgBreakPoint
0012fc94 7c921639 0012fd30 7c900000 0012fce0 ntdll!LdrpInitializeProcess+0xffa
0012fd1c 7c90eac7 0012fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183
00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
1:001> g
(6e8.600): Break instruction exception - code 80000003 (first chance)
child process <----------
eax=00000000 ebx=7ffdf000 ecx=0012ffb0 edx=7c90eb94 esi=00000034 edi=7c91b686
eip=00401000 esp=0012ffc4 ebp=0012fff0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x1000:
00401000 cc int 3
1:001> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fff0 00000000 00401000 00000000 78746341 image00400000+0x1000
1:001> uf
Address expression missing from '<EOL>'
1:001> u
image00400000+0x1000:
00401000 cc int 3
00401001 006800 add byte ptr [eax],ch
00401004 304000 xor byte ptr [eax],al
00401007 6819304000 push offset image00400000+0x3019 (00403019)
0040100c 6a00 push 0
0040100e e807000000 call image00400000+0x101a (0040101a)
00401013 6a00 push 0
00401015 e806000000 call image00400000+0x1020 (00401020)
1:001> da 403019
00403019 "Win32 Assembly is Great!" <-------- child debuggee



I attached opd and msgbox and src.
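The EB FE trick above needs the entry point located in the file before it can be patched. As an added example (not code from the thread or from any tool it mentions), this Python follows e_lfanew to AddressOfEntryPoint, maps that RVA through the section table to a raw offset, and shows the jmp $ patch together with the saved bytes for restoring once the debugger is attached. The minimal PE32 image, the function names and the sample entry-point bytes are my own constructions.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000   # alignment values used by the constructed image

def build_sample_pe(ep_code=b"\x6a\x00\xe8\x07\x00\x00\x00"):
    """Constructed PE32 (not a real program): one .text section at RVA 0x1000,
    ImageBase 0x400000, so the entry point sits at 00401000 like the child above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint (RVA)
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)
    sect = struct.pack("<8sIIIIIIHHI", b".text", SECT_ALIGN, 0x1000, FILE_ALIGN,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)     # code | execute | read
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(FILE_ALIGN, b"\0")
    return headers + ep_code.ljust(FILE_ALIGN, b"\0")

def entry_point_file_offset(pe):
    """Return (virtual address, file offset) of the entry point: follow e_lfanew,
    read AddressOfEntryPoint, and map that RVA through the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", pe, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    ep_rva, _, _, image_base = struct.unpack_from("<IIII", pe, opt_off + 16)
    for i in range(nsect):
        hdr = opt_off + opt_size + i * 40           # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            return image_base + ep_rva, raw_ptr + (ep_rva - va)
    raise ValueError("entry point RVA is not inside any section")

def patch_entry_point(pe, patch=b"\xeb\xfe"):
    """Overwrite the entry point with the EB FE (jmp $) stub from the thread so the new
    process spins until a debugger attaches; the returned saved bytes restore it later."""
    _, off = entry_point_file_offset(pe)
    out = bytearray(pe)
    saved = bytes(out[off:off + len(patch)])
    out[off:off + len(patch)] = patch
    return bytes(out), saved
```

Writing `saved` back at the same offset (or over the two bytes in the attached debugger's memory view) restores the original entry point.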

JMI
August 6th, 2006, 12:50
This does not belong in the Advanced section, so it has been moved here.

Regards,