Log in

View Full Version : Loadmodule loads dll and terminates main process

ItShO
August 6th, 2006, 10:04
i'm a VERY NOOB on Cracking, so don't kill me even if the stuff is too simple :-)

i've a small proggie, that been edited by the autor to work on xp.
after 5 hours of analyzing i figure out this:

-=-=-=
getinformation
(get windows version)
if XP go to _xp
...
...
_xp:
if file USERXP is not exist goto _next
(that means that the user is not registered)
...
_next:
{doing some nasty calc about Harddrive serial number, put Calc1 as param1}
00401530 |.PUSH EAX ; eax=calc1 as ParameterBlock
00401531 |.LEA EAX,DWORD PTR SS:[EBP-334]
00401537 |.PUSH EAX ; dll file name
00401538 CALL DWORD PTR DS:[<&KERNEL32.LoadModule>; LoadModule
...
...
Leave

-=-=-=-=
2 questions:

A. even if i bp on loadmodule, and presses F8, when i click on view->
i don't see the new module loaded !.
(while i DO see it on the file->attach as new process with pid 08ec)
so, can i change the api function ? is it correct way ? what can i change it to ?
i tried changing it to CreateProcess
(because m$ said on MSDN that:
Quote:
Loadmodule Note This function is provided only for compatibility with 16-bit versions of Windows. Applications should use the CreateProcess function

)
but nothing appear.

B. if i try to dbg only the loaded dll alone (with loadll of olly), it runs & ends without prompting a thing. so, how can i put the Calculated number manually when i load the dll ?



p.s.
i'm not asking for a crack ! just tell me if i'm doing something wrong.
blabberer
August 6th, 2006, 11:38
LoadModule() is a backward compatible api

internally LoadModule calls CreateProcess()

why do you want to change that ?

also if you f8 in ollydbg ollydbg wont be able to catch a newly created process unless you tamper with it by modifying the entry point with an infinite loop (0xeb , 0xfe ) and attaching it with a new ollydbg

or inserting a 0xcc (int3) and if you have setup ollydbg as jit (justintime)
it will auto attach itself when int3 is hit


afte loading a dll manually -> it stops on dllmain once if you are sure there is not code hidden in Dllmain() hit f9

then Debug->calldllexport-> you will see the functions that are exported by that dll call them by yourself with appropriate arguments

Code:




#include <windows.h>

# pragma argsused



typedef struct _CMDSHOW

{

WORD fp;

WORD sp;

} cmdshow;



typedef struct tagLOADPARMS32 

{ 

  LPSTR lpEnvAddress;  // address of environment strings 

  LPSTR lpCmdLine;     // address of command line 

  LPSTR lpCmdShow;     // how to show new program 

  DWORD dwReserved;    // must be zero 

} LOADPARMS32;





WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)

{

char modulename[] = {"msgbox.exe"};

char lpcmdline[2]={0};



LOADPARMS32 lparms;

cmdshow cs;



cs.fp =2;

cs.sp =SW_SHOWNORMAL;



lparms.lpEnvAddress = 0;

lparms.lpCmdLine = lstrcpyn(lpcmdline,lpcmdline,sizeof(lpcmdline));

lparms.lpCmdShow = &cs;

lparms.dwReserved = 0;



LoadModule(modulename,&lparms);

MessageBox(NULL,"new proc is already here", "LoadModule",NULL);



return 1;

}


if you compile the above code copy iczelions tute-02 msgbox.exe in the same folder as your newly compiled exe you will see two message boxes
one original icz's and one your newly created code

if you are familiar with windbg you can ask it to debug child process also

file -> open executable-> checkmark debug child process also

Code:




Microsoft (R) Windows Debugger  Version 6.6.0007.5

Copyright (c) Microsoft Corporation. All rights reserved.



CommandLine: "C:\Documents and Settings\*****\Desktop\opd.exe"

Symbol search path is: SRV**********http://msdl.microsoft.com/download/symbols

Executable search path is: 

ModLoad: 00400000 00412000   opd.exe 

ModLoad: 7c900000 7c9b0000   ntdll.dll

ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll

ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.DLL

ModLoad: 77f10000 77f57000   C:\WINDOWS\system32\GDI32.dll

(41c.598): Break instruction exception - code 80000003 (first chance) 

 <------- original process see pid tid 

eax=00241eb4 ebx=7ffdf000 ecx=00000007 edx=00000080 esi=00241f48 edi=00241eb4

eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

ntdll!DbgBreakPoint:

7c901230 cc              int     3

0:000> g

ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\Apphelp.dll

ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.DLL

ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll

Symbol search path is: SRV*D:\********http://msdl.microsoft.com/download/symbols

Executable search path is: 

ModLoad: 00400000 00404000   image00400000

ModLoad: 7c900000 7c9b0000   ntdll.dll

ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll

ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\user32.dll

ModLoad: 77f10000 77f57000   C:\WINDOWS\system32\GDI32.dll

(6e8.600): Break instruction exception - code 80000003 (first chance)

eax=00241eb4 ebx=7ffdf000 ecx=00000007 edx=00000080 esi=00241f48 edi=00241eb4

eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

ntdll!DbgBreakPoint:

7c901230 cc              int     3

1:001> lm

start    end        module name

00400000 00404000   image00400000   (deferred)             

77d40000 77dd0000   user32     (deferred)             

77f10000 77f57000   GDI32      (deferred)             

7c800000 7c8f4000   kernel32   (deferred)             

7c900000 7c9b0000   ntdll      (pdb symbols)          ********\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb

1:001> kb

ChildEBP RetAddr  Args to Child              

0012fb1c 7c93edc0 7ffde000 7ffdf000 00000000 ntdll!DbgBreakPoint

0012fc94 7c921639 0012fd30 7c900000 0012fce0 ntdll!LdrpInitializeProcess+0xffa

0012fd1c 7c90eac7 0012fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183

00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7

1:001> g

(6e8.600): Break instruction exception - code 80000003 (first chance)

 child process <---------- 

eax=00000000 ebx=7ffdf000 ecx=0012ffb0 edx=7c90eb94 esi=00000034 edi=7c91b686

eip=00401000 esp=0012ffc4 ebp=0012fff0 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

*** WARNING: Unable to verify checksum for image00400000

*** ERROR: Module load completed but symbols could not be loaded for image00400000

image00400000+0x1000:

00401000 cc              int     3

1:001> kb

ChildEBP RetAddr  Args to Child              

WARNING: Stack unwind information not available. Following frames may be wrong.

0012fff0 00000000 00401000 00000000 78746341 image00400000+0x1000

1:001> uf

Address expression missing from '<EOL>'

1:001> u

image00400000+0x1000:

00401000 cc              int     3

00401001 006800          add     byte ptr [eax],ch

00401004 304000          xor     byte ptr [eax],al

00401007 6819304000      push    offset image00400000+0x3019 (00403019)

0040100c 6a00            push    0

0040100e e807000000      call    image00400000+0x101a (0040101a)

00401013 6a00            push    0

00401015 e806000000      call    image00400000+0x1020 (00401020)

1:001> da 403019

00403019  "Win32 Assembly is Great!" <-------- child debugeee


i attached opd and msgbox and src
JMI
August 6th, 2006, 12:50
This does not belong in the Advanced section, so it has been moved here.

Regards,