KANAL23 Tutorial
Target: Paltalk R5 PV28 Build431
Download it from:
Written by: sLeEpYż
Tools:
Rating:
Introduction
This target was heavily protected for a program that does not even require registration. The goal of this
tutorial is to remove the banner ads from the program. Our main executable,
paltalk.exe, was the only one protected: it was packed with WWpack32
v.1.00/1.11/1.12, and it also ran a CRC check on itself, announcing
corruption and refusing to run once modified.
The Essay
First things first, we have to identify why W32Dasm keeps crashing whenever
you try to disassemble the code. Let's use Un-pack; you can get it at protools or
crackpl (Google it, you will find it). Run Un-pack, load
paltalk, and it will tell you:
WWPack32 v.1.00/1.11/1.12
Then it is even nice enough to suggest using ProcDump, which we will!
Run ProcDump next: just click Unpack, scroll down to WWPack32 II and choose
paltalk. The unpacked copy grows from 544k to 1.48M. Now we can see the code
guts in W32Dasm.
Before we go any further though, run paltalk, sign in, etc., and you will see a banner ad across the bottom. Right-click on that banner and click Properties. You will see this:
http://advertising.paltalk.com:8080/admedia/173x23/meta_scroll02.gif
If you go to that page you will see the banner in your browser. Keep this in
mind for later!
Next check out the disassembled code in W32Dasm, click the SDR (string data references)
button and scroll down. Our goal is to trash the banner, so look for
http://advertising.paltalk.com and
you will find this:
"HTTP/1.0"
"http:"
"http://161.58.192.192/bannerless.html"             <- interesting?
"http://161.58.192.192/download/0.x/%d/aff_inst"
"http://161.58.192.192/permgrp_01.htm"
"http://advertising.paltalk.com/perl/groupBanne"    <- 4 references
"http://advertising.paltalk.com/perl/mvBanner.p"    <- 2 references
"http://advertising.paltalk.com/perl/pallistBan"    <- 4 references
"http://advertising.paltalk.com/perl/pmBanner.p"    <- 4 references
"http://advertising.paltalk.com/perl/searchBann"    <- 2 references
"http://www.iconnecthere.com/about/eng/terms_an"
"http://www.paltalk.com/cgi-bin/framemaker.pl?u"
"http://www.paltalk.com/download/0.x/pal_instal"
"http://www.paltalk.com/l90.html?first_name=%s&"
"http://www.paltalk.com/location2.txt"
"http://www.paltalk.com/morpheusim.html"
"http://www.paltalk.com/palpass.html?email=%s&n"
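The search the essay does by hand in W32Dasm (list the string references, pick a URL, then find every instruction that pushes that string's address) is mechanical enough to script. The following Python is an added example, not code from the tutorial or from any tool it names. It builds a constructed image that reproduces only the pieces of paltalk's listing quoted in this essay: the four pallistBanner strings at 004C405C, 004C40A4, 004C40FC and 004C4144 and the `push` pairs at the sites the essay lists further down (00433249/0043324E, 00433264/00433269, 004334DF/004334E4, 004334FA/004334FF). It assumes the flat mapping VA = 00400000 + file offset that the essay's "(offset 33249)" annotations imply; the image base, the filler bytes and all function names are my assumptions.

```python
import re
import struct

# Assumption: flat mapping VA = IMAGE_BASE + file offset, which is what the essay's
# "(offset 33249)" next to address 00433249 implies.
IMAGE_BASE = 0x00400000
PUSH_IMM32 = 0x68  # opcode byte of `push imm32`, the form every listed reference uses

# Values quoted from the tutorial's listing; everything around them is constructed.
URL_LONG = b"http://advertising.paltalk.com/perl/pallistBanner.pl?%s&client=morpheus"
URL_SHORT = b"http://advertising.paltalk.com/perl/pallistBanner.pl?%s"
STRING_VAS = {0x004C405C: URL_LONG, 0x004C40A4: URL_SHORT,
              0x004C40FC: URL_LONG, 0x004C4144: URL_SHORT}
PUSH_SITES = {0x0043324E: 0x004C405C, 0x00433269: 0x004C40A4,
              0x004334E4: 0x004C40FC, 0x004334FF: 0x004C4144}
BUFFER_VA = 0x005456E0  # pushed five bytes before each string push; a buffer, not text


def build_section_image() -> bytes:
    """Constructed stand-in for the unpacked image: zero filler, the four strings
    at their VAs, and at each quoted site the pair `push 005456E0; push <string>`."""
    image = bytearray(0xD0000)
    for va, text in STRING_VAS.items():
        off = va - IMAGE_BASE
        image[off:off + len(text) + 1] = text + b"\x00"
    for va, target in PUSH_SITES.items():
        off = va - IMAGE_BASE
        image[off - 5:off] = bytes([PUSH_IMM32]) + struct.pack("<I", BUFFER_VA)
        image[off:off + 5] = bytes([PUSH_IMM32]) + struct.pack("<I", target)
    return bytes(image)


def find_strings(image: bytes, prefix: bytes = b"http", min_len: int = 8):
    """What W32Dasm's string-reference list (or `strings | grep http`) gives you:
    runs of printable ASCII that start with `prefix`. Returns [(offset, text)]."""
    pattern = re.compile(re.escape(prefix) + rb"[\x20-\x7e]{%d,}" % (min_len - len(prefix)))
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_references(image: bytes, target_va: int):
    """VAs of every `push imm32` whose immediate is `target_va`. This is a byte
    scan, not a disassembly, so the same five bytes inside data would also match;
    it is the cheap first pass behind the essay's "4 references" counts."""
    needle = bytes([PUSH_IMM32]) + struct.pack("<I", target_va)
    refs, i = [], image.find(needle)
    while i != -1:
        refs.append(IMAGE_BASE + i)
        i = image.find(needle, i + 1)
    return refs


def references_for(image: bytes, fragment: str):
    """Every push site for every string containing `fragment` (e.g. "pallistBan"),
    sorted by address: the list the essay walks through by hand."""
    refs = []
    for off, text in find_strings(image):
        if fragment in text:
            refs.extend(find_references(image, IMAGE_BASE + off))
    return sorted(refs)


if __name__ == "__main__":
    img = build_section_image()
    for off, text in find_strings(img):
        count = len(find_references(img, IMAGE_BASE + off))
        print(f"{IMAGE_BASE + off:08X} {text!r} <- {count} reference(s)")
    print("pallistBan push sites:", [f"{va:08X}" for va in references_for(img, "pallistBan")])
```

On the constructed image `references_for(img, "pallistBan")` yields the four push sites 0043324E, 00433269, 004334E4 and 004334FF, which is the list the essay works through next. On a real dump the byte scan is only a starting point: it finds `push imm32` references, not `mov` or table-based ones, and it should be confirmed in a disassembler, exactly as the essay does by tracing each site.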
I will save time by telling
you that we would normally go through and check out each reference, but in this
case there are 16 of them and I don't want to type them all out. However, the one we
want is here: "http://advertising.paltalk.com/perl/pallistBan"
There are 4 places where this shows up; they are:
:00433249 68E0565400   push 005456E0   (offset 33249)
* Possible StringData Ref from Data Obj ->"http://advertising.paltalk.com/perl/pallistBan"
                                        ->"ner.pl?%s&client=morpheus"
:0043324E 685C404C00   push 004C405C

:00433264 68E0565400   push 005456E0   (offset 33264)
* Possible StringData Ref from Data Obj ->"http://advertising.paltalk.com/perl/pallistBan"
                                        ->"ner.pl?%s"
:00433269 68A4404C00   push 004C40A4

:004334DF 68E0565400   push 005456E0   (offset 334DF)
* Possible StringData Ref from Data Obj ->"http://advertising.paltalk.com/perl/pallistBan"
                                        ->"ner.pl?%s&client=morpheus"
:004334E4 68FC404C00   push 004C40FC
So how do we find the correct one
to patch? Well, just pop each one into your browser and you will see that this:
http://advertising.paltalk.com/perl/pallistBanner.pl?%s
turns into this, our banner:
http://advertising.paltalk.com/banners/173x23/meta_instantchild.html
So let's dive into the code and
find a way around it.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004334DD(C)   <- go here to trace back the conditional jump
|
:004334FA 68E0565400   push 005456E0   (offset 334FA)
* Possible StringData Ref from Data Obj ->"http://advertising.paltalk.com/perl/pallistBan"
                                        ->"ner.pl?%s"
:004334FF 6844414C00   push 004C4144

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00433460(C)   <- go here to trace back the conditional jump
|
:004334D6 833DE85E4E0000   cmp dword ptr [004E5EE8], 00000000
:004334DD 741B             je 004334FA   <- not our guy, just different ads
So we trace the code back to here:
:00433460 7474   je 004334D6
and NOP it out:
:00433460 9090   nop x2
Boring-ass NOP means No OPeration, so instead of taking the jump to the ads it
just moves on.
Start the program and hopefully no more ad lines. Ah hell, but what happens? We
see this:
Paltalk Closing
The executable you are running is not valid or has been corrupted. Please
reinstall the application. (rc:524)
This always sucks; here is our CRC check on itself. Let's go back into W32Dasm
and look for the error.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004175B0(C)   <- go here
:
: lines of code
:
:004175CC 6830000400   push 00040030
* Possible StringData Ref from Data Obj ->"Paltalk Closing"   <- our error
:004175D1 6850084C00   push 004C0850

* Referenced by a CALL at Address:
|:00423C25   <- go here
:
: lines of code
:
:004175B0 7D11   jge 004175C3   <- nopping this just causes the prog to shut down without the error msg. Trace up some more! We are close!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00423B39(C)   <- go here to find the conditional jump we need
|
:00423C20 0FBF4D0C     movsx ecx, word ptr [ebp+0C]
:00423C24 51           push ecx
:00423C25 E84E39FFFF   call 00417578   <- our call, trace up

:00423B39 0F84E1000000   je 00423C20   <- our jump, the CRC check
CRC check is here:
:00423B39 0F84E1000000   je 00423C20
change to:
:00423B39 909090909090   nop x6
OK, now let's run this program
again! Alright, it is working with no error message and the banners are removed!
Hopefully this isn't just Monday's ad. But if it is, we know what to do.
The last part of this tutorial deals with a very easy way to create a loader for
this program. I ran across this proggy called
PrincessSandy 1.0 - eMiNENCE Process Patcher. This
program allows you to make a loader in a few mouse clicks and no coding. Now,
since this is a packed EXE and we unpacked it, the dump will usually only work on our
system, or at least on the same OS, and will not function on Win2000 or
something, because the PE header is whacked up since we dumped it. So the loader
will send data to patch the code each time the program is run. Normally when you
run paltalk, the code unravels itself from WWPack and runs from memory, so this
loader will patch the memory!
Run the process patcher and it will ask what you want to create a loader for.
Choose paltalk.exe and click Open. Click the "Add Item" button and you will see a
place for address, original data, and patch data. In the
address box put
00423B39, in the
original data box put 0F84E1000000, then in the patch data box put
909090909090. Now click Add. Next click the Add Item button again and add
the info for the place where the banner was cracked:
Address = 00433460, Original Data = 7474,
Patch Data = 9090. Click the Add button, then
click Build at the bottom and name your EXE something like Paltalk_Loader. Put
the loader in the same directory as your paltalk and run it; paltalk starts and
is patched in memory during loading!
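The two mechanisms the essay just dealt with, the self-check that produced rc:524 and the loader that overwrites bytes in memory only after confirming the original data, are easy to model. The following Python is an added example, not code from the tutorial, from KANAL23 or from Paltalk. It builds a constructed stand-in for the unpacked code (int3 filler with the tutorial's two conditional jumps placed at its offsets 33460 and 23B39), uses CRC-32 as the self-check (the essay never says which CRC paltalk uses, so that is an assumption), and applies a patch only when the bytes at the address match the loader's "original data" field. All function names are my own.

```python
import zlib

# Offsets and byte sequences quoted from the tutorial; everything else is constructed.
BANNER_JUMP_OFFSET = 0x33460  # je 004334D6 -> 74 74, replaced by 90 90
CRC_JUMP_OFFSET = 0x23B39     # je 00423C20 -> 0F 84 E1 00 00 00, replaced by six 90s
BANNER_JUMP_ORIG, BANNER_JUMP_PATCH = bytes.fromhex("7474"), bytes.fromhex("9090")
CRC_JUMP_ORIG, CRC_JUMP_PATCH = bytes.fromhex("0F84E1000000"), bytes.fromhex("909090909090")
CLOSING = "Paltalk Closing (rc:524)"


def build_listing_image() -> bytes:
    """Constructed stand-in for the unpacked code: int3 filler with the two
    conditional jumps from the tutorial placed at the offsets it names."""
    image = bytearray(b"\xcc" * 0x40000)
    image[BANNER_JUMP_OFFSET:BANNER_JUMP_OFFSET + 2] = BANNER_JUMP_ORIG
    image[CRC_JUMP_OFFSET:CRC_JUMP_OFFSET + 6] = CRC_JUMP_ORIG
    return bytes(image)


def checksum(image: bytes) -> int:
    """Stands in for the program's self-check. CRC-32 is an assumption; the
    tutorial does not say which checksum paltalk computes."""
    return zlib.crc32(image) & 0xFFFFFFFF


def integrity_ok(image: bytes, recorded: int) -> bool:
    return checksum(image) == recorded


def apply_patch(image: bytes, offset: int, original: bytes, patch: bytes) -> bytes:
    """The process patcher's three fields: address, original data, patch data.
    Refuses to write unless the bytes at the address are exactly `original`,
    so a loader built for one build cannot quietly corrupt a different one."""
    if len(original) != len(patch):
        raise ValueError("patch data must be the same length as original data")
    found = image[offset:offset + len(original)]
    if found != original:
        raise ValueError(f"bytes at {offset:#x} are {found.hex()}, expected {original.hex()}")
    return image[:offset] + patch + image[offset + len(patch):]


def program_outcome(image: bytes, recorded: int) -> str:
    """Model of what the essay observed: a mismatch only reaches the error
    while the `je` at offset 23B39 that routes to it is still in place."""
    branch_intact = image[CRC_JUMP_OFFSET:CRC_JUMP_OFFSET + 6] == CRC_JUMP_ORIG
    if branch_intact and not integrity_ok(image, recorded):
        return CLOSING
    return "runs"


def walk_through() -> dict:
    """Replays the essay's sequence on the constructed image."""
    on_disk = build_listing_image()
    recorded = checksum(on_disk)  # value the build would have embedded
    # First attempt: patch the banner jump in the file itself.
    banner_only = apply_patch(on_disk, BANNER_JUMP_OFFSET, BANNER_JUMP_ORIG, BANNER_JUMP_PATCH)
    # Loader: both patches applied to the image after load; the file is untouched.
    in_memory = apply_patch(banner_only, CRC_JUMP_OFFSET, CRC_JUMP_ORIG, CRC_JUMP_PATCH)
    return {
        "clean": program_outcome(on_disk, recorded),
        "banner_only": program_outcome(banner_only, recorded),
        "loader_patched": program_outcome(in_memory, recorded),
        "checksum_still_sees_change": not integrity_ok(banner_only, recorded),
        "file_on_disk_unchanged": integrity_ok(on_disk, recorded),
    }


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

On the constructed image the banner-only patch ends in the rc:524 outcome, because a two-byte change is always enough to move a CRC over the whole image, and the loader's two patches end in "runs", not because the checksum now matches (it still does not) but because the one branch that acted on the verdict is gone. That is the caveat for anyone relying on a check like this one: a self-check whose enforcement is a single conditional jump does not survive that jump being removed, and if it reads the file on disk it never sees a patch applied in memory after load. The verification in apply_patch is the loader's own safety net, not a protection; it only stops a loader from writing into a build it was not made for.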
Ad banners and CRC check cracked!
Final thoughts
This target was my first attack using a loader, since finding that eMiNENCE loader
maker. It was a great target.
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ, KlutCh, KiNgEr, Edogg, MidNight,
Enigma, movax4c00int21, Acid_Cool_178, & all others I forgot.
Visit http://zor.org/sleepy
Visit http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by KANAL23 and its members. Please mail the
author of this document with complaints and those things.
Kanal23 is signing out for now.