Cracking Tutorial #83:
Reversing Files Protected with ExE-Blocker v2.00
[cracked bY:] sLeEpYż[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:]  http://www.kickme.to/dbz2k
 http://dbz2k.code-breaker.org/
[tOOLz:] DLSuperCBT (Binary File Compare Program), Hiew 6.0

KANAL23 Tutorial

http://www.kanal23.net



Reversing Files Protected with ExE Blocker v2.00

Download it from

http://www.kickme.to/dbz2k
http://dbz2k.code-breaker.org/



Written by

sLeEpYż

Tools

  • DLSuperCBT (Binary File Compare Program)

  • Hiew 6.0

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Taken from the nfo file and readme of ExE Protector 2.00:

+======================================================+
| rELEASE : ExE-Blocker v2.00 [English] |
| uRL : http://www.kickme.to/dbz2k  |
| dATE : 2002- 6-25 |
| cRACKER : d0pesh0w / DiViDE BY ZERO |
+======================================================+
Created with the release manager (c) by Ghosthunter

What is ExE-Blocker 2.00 ?
-----------------------------------------------------------
Are you have some files on your
harddrive , they must be secret ?
No Problem here it comes
ExE-Blocker patches :
Exefiles *.exe
Comfiles *.com
It makes the Exe unable to start
-----------------------------------------------------------

It's Updated
-----------------------------------------------------------

I think it has some interesting changes :

- it's fully 32bit (Exeblocker 1.00 was an Qbasic compiled exe
- you don't need to rename the Exefile (Target)
- it has gfx'st backround
- Let suprise you :)
-----------------------------------------------------------

PS : i know this is they lame way to patch an file but an com file looks a little difference , i cant go to the entrypoint and set an C3 or try other way's
So ... be lucky that you can patch two files :P

coded by d0pesh0w <[DiViDe by Zer0]>
dopeshow.1984@lycos.de

The Essay

Ok let's find a file to protect with exe blocker, well notepad!
Run ExE-Blocker 2.00 and get a couple copies of notepad, patch notepad with this util and
run it, you will find that the exe file does not run anymore (like intended).

So now it's time to use DLSuperCBT (Check out tutorial 80 on how to crack it), run it and select the patched file then select the unpatched original, set it for CHNG only and output it to C:\diff.doc. Run the binary compare and open up the doc file on your C drive root, it should read like so:


DLSuperCBT V2.1cByte Compare Chng Results Section 12/14/2002 12:38 PM
New File = c:\documents and settings\plug & play comps\desktop\new folder\notepad.exe 12/14/2002 12:35:40 PM
Old File = c:\documents and settings\plug & play comps\desktop\new folder\bak\notepad.exe 8/18/2001 12:00:00 PM

ID NEW-FILE/ HEX-FILE-DATA * ASCII TEXT * LEFTMOST
OFFSET/0 - - - 4 - - - 8 - - - C - - - *0---4---8---C---* OLD-OFFSET/
000000/ 5A9000 03000000 04000000 FFFF0000 * Z.........˙˙..* 000001/
I - 000000/4E *N *  <-the difference
DR- /4D *M * 000002/ <-the difference
000010/B8000000 00000000 40000000 00000000 *¸.......@.......* 000010/
000020/00000000 00000000 00000000 00000000 *................* 000020/
000030/00000000 00000000 00000000 E8000000 *............č...* 000030/

DLSuperCBT V2.1cByte Compare Totals Section 12/14/2002 12:38 PM
New File = c:\documents and settings\plug & play comps\desktop\new folder\notepad.exe 12/14/2002 12:35:40 PM
Old File = c:\documents and settings\plug & play comps\desktop\new folder\bak\notepad.exe 8/18/2001 12:00:00 PM

66048 Number of Byte Matches 1 Total Changes (Paired+NonPaired Chg)
1 New File Byte Insertions 0 Non-Paired Inserts (Ins Paired-Chg)
1 Old File Byte Deletions 0 Non-Paired Deletes (Del Paired-Chg)
66048 New File Bytes Processed (10200 - Hex)
66048 Old File Bytes Processed (10200 - Hex)
LISTING-TYPE=Chng OPTIONS=Chgv PASSES=3 CHG#-BEFORE/AFTER-MATCHES=3.
INFORM: Done. Byte differences found. Files compare as different.


So the only difference between the files is one byte change at the beginning of the program at offset 0. 4D is the original byte, and it gets changed to 4F, so to reverse this protection if you run across a program with it, just open the file in HIEW, no need to goto an offset as it is 0, select F3, change 4F back to 4D and F9, then F10.

Change this:
00000000: 4F            dec ebi
To this:
00000000: 4D            dec ebp


File is able to be run again! Exe Blocker 2.00 Reversed.





Final thoughts

"WALK WHEN YOU WALK, TALK WHEN YOU TALK, AND DIE WHEN YOU DIE."
-Zen Saying

Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals: MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpYż
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com

This Document is copyrighted by kanal23 and it's members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.

:00401FDC(U), :00401FEF(U)