----------------------------------------------------------- Cracking InstaPass Pro v1.20 by Ashish Computer Systems By cHaron ----------------------------------------------------------- Target: ------- InstaPass Pro v1.20 by Ashish Computer Systems This program can find the database password for MS Access databases from Access '95 and up to Access 2000. You can find the demo version at http://www.ashishsystems.com This demo version is limited to files up to 150 kilobyte in size. Required software: ------------------ SoftICE for Windows 9x v4.05 (search the net, buy it, or download evaluation version from www.numega.com) HIEW v6.16 (I think you can find it on protools.cjb.net) ANY MS Access '95 or newer database over 150kb in size - if you can't find one, or don't know how to create one yourself, email me. TDUMP.EXE - I'm not around my own computer right now, but I think it is Turbo Dump, or something. I'll correct this in the next version, but for now I'd just like some feedback. Preface: -------- I have been into the art of Reversing for the past three or four years now, but I have never really taken the time to find some tutorials on the 'net to get myself really started. Many people claim that reversing is very difficult to learn and master, but in reality all it takes is a day or two of dedicated experimentation, and you're set to go. Of course, you are not anywhere near a super-reverser yet, but at least you'll know the basics, and if nothing else you'll be able to do some small, simple reversing/cracking jobs. In any event, I found it very difficult to find an essay which wasn't too difficult to read - many contained a lot of small assembly dumps, and those were pretty hard to follow, so I thought I'd give it a go and write something which I thought would be good for an apprentice in the art of Reversing. Background: ----------- This is pretty much my first crack-job, but it does work, and I have done other half-baked stuff before this. The meaning of this essay is to teach the basics of using SoftICE, and to be a small introduction to reversing a simple protection. PLEASE let me know if you've even read this essay, and if you have any comments, let me know! I want to write more essays in the hope of strengthening the reverser-community, but if I'm not sure the way I'm writing these essays is good, it'll be pretty hard to produce any quality. Also, if there are ANY terms you are unclear on, or any passages which are unreadable either because of too many fancy words, or because of bad English, please do not hesitate to let me know! Tutorial: --------- First of, it might be a good idea to print this out in some way, since it is very hard to memorize all the steps. You could also just read it, make some notes, and try without reading again, but be aware that once you are inside SoftICE, you can't switch back to a Windows program and read this - you have to exit the SoftICE-window, and then you'll have to start over. Try running the program on your database. If your database was over 150kb in size, you'll see it pops up with an error message when you press "Go". Since it will be able to do it's job to the fullest as long as the database is less than 150kb, we will for now assume that it is simply a matter of checking the filesize and showing a dialog box. Now, the next step is to see if we can get any help from the .EXE file itself. I used TDUMP.EXE, but anything that dumps the imports and exports of the EXE- file can be used. In any event, you'll see that this EXE imports functions from MSVBVM50.DLL. If you don't already know, this is the runtime DLL for programs built in Visual Basic v5.0 (Microsoft Visual Basic Virtual Machine 5.0). If there are anybody who wants me to expand on this subject (like, what is a runtime DLL, what is Visual Basic, or what imported functions are), please lemme know, and I'll write a section on it. Visual Basic is an interpreted language, meaning that you don't actually do much work in the program file, but rather rely on the .DLL file to supply the functions you want to do. This makes Visual Basic a VERY high level language - it is easy to learn, but extremely in-efficient. So, what you want to do is see which functions are exported from MSVBVM50.DLL, to see if there are any functions we can set a breakpoint on (more on this later). Running "TDUMP.EXE c:\windows\system\msvbvm50.dll > msvbvm50.exp" suffices. This will produce a file called "msvbvm50.exp" with the output from the TDUMP command. You will see all the exports, which are the functions available for other programs to use. We are interested in anything that has to do with file lengths, and perusing down the list we see "rtcFileLen" and "rtcFileLength". Okay, remember these. Now we will get into action with SoftICE. I assume that you have installed SoftICE, and that it is running. You can verify this by pressing CTRL+D - SoftICE should pop up. Press CTRL+D to remove it again. If SoftICE is not installed, or it is installed but isn't working/running, and you'd like me to explain how this should be set up, email me and I'll include it here. Now, start InstaPass if it isn't running already. Press CTRL+D to get into SoftICE. The layout of the SoftICE screen can be customized, so how it looks on your screen might vary, but I hope that this short introduction is good enough. What you see on the top is the registers of the CPU. We'll deal shortly with this later. Beneath is usually the data window - it is equal to a hex dump of the memory. This window might not be on your screen, though. Next is the Code window - this window can display source-code if you are debugging an application, or it can show assembler-instructions, as it probably is doing now. In the lower, right corner you'll see what context we are in now. The context is the program we are currently working in, and the place where our breakpoints will take effect. It might read "DISPLAY" or ".text!MsAccess", or something else. We need to change it to our InstaPass program. If you type in "ADDR", you will see all the address context's we can switch to. Now, just type "addr InstaPas", and we will be in InstaPas's context. Remember to two functions we saw? Now, we can make a breakpoint on these, so each time one of the two functions are called, SoftICE will halt the system temporarily, and switch into the debugger (what you are seeing now). There are many types of breakpoints, but that is for another tutorial. Right now, we use the "bpx" command. Type these two commands: "bpx rtcFileLen" "bpx rtcFileLength" and press CTRL+D. Now, select your test database, and press "Go". SoftICE interrupts, saying that the breakpoint was encountered. Just below the CPU registers window, it will say something with "msvbvm50" in it. This means that the execution point (the point where the computer is running code) is in the msvbvm50 module. We want to be in the Instapas-module, since this is the code we need to hack. If you press F12, SoftICE will trace the code until it encounters the next "ret"-instruction, meaning that it will execute all the assembler-instructions, until it meets "ret". The "ret"- instruction will return the computer to the place where a "call" instruction was issued. In this case, in the Instapas-program, the program wants to know the file length, so it can see if it is larger than the allowed 150 kilobyte. It calls the function "rtcFileLen", and the computer starts running code from msvbvm50.dll, where the function rtcFileLen is located. When the "ret"- instruction is encountered, we are returned to Instapas. This is the point were we will be after having pressed F12. Now, in the code window, you will se a lot of numbers, and towards the right side, these two assembler instructions: CMP EAX, 000249F0 SETGE CL Now, this is were the registers come into play. If you have ever programmed, you'll know what a variable is. The registers are variables in the CPU. If you have never programmed - you might want to try it, good experience... - this is similar to the x and y stuff from math class. EAX, EBX, ECX and EDX are four of the variables available to us, and what the first assembler instruction does is compare the value we have stored in the register EAX to the hex-value 0x249F0. Now, at the very top, you'll see the registers, and their current contents. You can also see the EAX register. Now, try typing "? " and the value you can see in the EAX register. This will evaluate the expression you have just typed. Also, it will display the value again, along with the decimal representation. I'll bet you this value is the same as the filesize of your test database. So, what it does is compare your test-databases filesize with 0x249F0. Try typing "? 249F0", and you'll see that in decimal this is "150000". Does this ring a bell? This is precisely what we have been looking for - the 150kb limit (actually, pretty imprecise, since 150kb = 153600 bytes). Now, the next instruction is what we want to modify. As I said earlier, I'm pretty much still learning this, so I'm not quite sure what this command does precisely, but I know it modifies something based on the flags in the CPU. The flags, in turn, get set by the result of the CMP command, so what these two lines do is check if the filesize is greater than 150.000 bytes, and modifies a flag based upon that comparison. What we want it to do is ALWAYS return with a success. We can alter the CMP-instruction, so it compares with a greater value. "CMP EAX, 00ABCDEF" will make the max filesize equal 11259375 bytes (roughly 11 megabytes), but this is not what we want. No limits! :) So, we change this (more on how to change later) to "CMP EAX, 00000000", which will fail always - files over 0 byte not allowed. Now we are sure of the outcome of the CMP-instruction. On to changing the SETGE-instruction. Now, I have really not checked what this instruction does, and I will post a more up-to-date version explaining what this instruction does, but instead I just toyed around with the manual to NASM, a great freeware assembler - find it at "htpp://www.cryogen.com/nasm". It listed the different SET* instructions there are, and I just tested them until I found one which worked :) Not the most elegant method, I know. Sorry about that... Anyway, "SETZ CL" worked, and with these two modifications, InstaPass will accept all files, regardless of size. This is how you do the actual modification. Bear in mind, though, that this is only in-memory, and not the actual contents of the file itself we are changing. Once your quit InstaPass, the changes will be lost - however, I will demonstrate how to make the changes permanent a little later on. The command we are looking for now is "A" for Assemble. This is because we want to enter the two new machine-code statements we have just figured out. The argument to A is the address at which we want to start assembling. This _should_ be 0x00408C42, but there is a little possiblity of this changing (e.g. a newer or older version of the program). You can see the address just to the left of the "CMP EAX, ..." instruction in the code window. Now, type "A 408C42" (or the correct address, if this is not the one) The input window will display "00408C42 " and wait for your input. Type the new commands: "CMP EAX, 0" "SETZ CL" and make another blank return, to end the assembler mode. You will be able to see your changes in the code window. Lastly, type "bc *" to clear the two breakpoints we've set. We have patched the memory, and don't want SoftICE to use the breakpoints anymore. Type CTRL+D, and verify that InstaPass indeed works with files larger than 150kb! This is actually a crack! There are more things you could do, like change the text in the About box (it says "Evaluation Version"), but this is only cosmetic. What we want to do know is make the changes permanent. There are two ways to accomplish this. Either we make a process patcher, or we patch the program now. The first method is a bit complicated, and outside the scope of this essay. Suffice to say, you "attach" a small program at the end of the real program, which will, once the "real" program is loaded, patch certain memory locations. This has a couple of advantages, but you should search for more information before using this. The other method I'll describe here. I wrote that HIEW is a requirement - this is because it is what I find the easiest to use on these kind of operations. There might be other editors suited, but for now, stick with HIEW. Just run HIEW, and use it's file-browser to select InstaPas.exe. Now, press F4, select Decode, and press F5. We want to go to the location where we patched the program. If we were using a regular editor, we couldn't just type "408C42" and get there, since this is a virtual offset, or something akin to that. Now, here comes the reason why I use HIEW - type ".408C42", and press RETURN. With the "." in front, HIEW knows it is a virtual (or whatever) address, and we land smash right where we were in SoftICE. This time, it's just the actual EXE file. Now, press F3 to get into edit mode. Navigate the cursor past the "3D"-portion of the hex-code, and enter "000000". Now, press to enter assembler-mode, and enter "SETZ CL". The reason for not entering the "CMP"-command the same way is that HIEW translates this to a shorter version, and we have to patch a little more. Nothing dangerous, but it's just a notch over beginner if you're totally new to assembler. Anyway, to quit assembler-mode, press F9 to keep the changes, and press F10 to exit HIEW. Quit any running InstaPass-instances, start the new patched version, and voila - no limits! Your very own, semi-registered InstaPass! ------------------------------------------------------------------------------- I hope this essay has been helpfull. If you feel something is missing, something is wrong, something is unexplained, have something nice to say about it (or bad), or just want to chat, please email me at charon@synaptic.8m.com / cHaron '00