| target | Folder Guard 4.11 - FGKey.exe - FGuard32.dll |
| about the program | Folder Guard is a software-only security solution for personal or publicly accessible computers running the Windows 95/98 operating system |
| about the tutorial |
In this tutorial we will see how to patch a packed DLL, FGuard32.dll (packed with ASPack), without unpacking it. Folder Guard protects files from being accessed; our aim is to defeat the password check made in FGuard32.dll (the DLL that FGKey.exe calls), useful for those who forgot their password or who want to access the files and don't know the password ;) |
| tools needed | SoftICE 3.x–4, a hex editor (I use UltraEdit) |
Run FGKey.exe
set a bpx getdlgitemtexta
put a password (or don't put anything) and press ENTER
F12 once
at the second conditional jump you reach (the JE at 100089D3 in FGuard32.dll, see below — 0F84, not taken for a wrong password) type "R FL Z" to toggle the zero flag so the jump is taken
that's all
In the same way you can unlock the locked files
In the same way you can toggle the protection
Yes, in the same way it compares the real password with the wrong one you typed.
As you see we must patch the location
100089D3 in FGuard32.dll: 0F84B1000000 (JE, not taken) into 0F85B1000000
(JNE, taken). The next step is to make this permanent.
Let's see how we can patch
the packed DLL that compares the real password with the wrong one, without unpacking it.
The idea is this: before the program is unpacked in memory we have
to add a bit
of code that turns the JE (0F84) into a JNE (0F85).
Load FGKey.exe into the SoftICE Symbol Loader, but first load it in ProcDump32 and with the PE Editor change, in Sections, the Characteristics of .text from C0000040 into E0000020. (C0000040 = INITIALIZED_DATA | MEM_READ | MEM_WRITE; E0000020 = CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE — the section is re-flagged as code; without this change the Symbol Loader did not stop at the entry point.) SoftICE will now break here, at the beginning of the unpacking code:
Break due to Symbol Loader
015F:0040B000 60              PUSHAD
015F:0040B001 E800000000      CALL 0040B006
015F:0040B006 5D              POP EBP
015F:0040B007 81ED0A4A4400    SUB EBP,00444A0A
015F:0040B00D BB044A4400      MOV EBX,00444A04
015F:0040B012 03DD            ADD EBX,EBP
015F:0040B014 2B9DB1504400    SUB EBX,[EBP+004450B1]
015F:0040B01A 83BDAC50440000  CMP DWORD PTR [EBP+004450AC],00
015F:0040B021 899DBB4E4400    MOV [EBP+00444EBB],EBX
015F:0040B027 0F8517050000    JNZ 0040B544    (NO JUMP)
Since we are looking for a place to hook in our patching code, let's change the
015F:0040B027 0F8517050000    JNZ 0040B544    (NO JUMP)
into
015F:0040B027 0F84C35EFFFF    JZ 00400EF0     (JUMP)
Note that this inverts the condition instead of adding a jump: the original branch to 0040B544 (taken when [EBP+004450AC] is non-zero) can no longer be reached — both the zero case (via our cave) and the non-zero case now continue at 0040B02D. It works here because the value was observed to be zero on this run (that is why the JNZ was "NO JUMP"); if it could ever be non-zero, hook with an unconditional JMP instead and repeat the CMP / JNZ 0040B544 inside the cave.
If you wonder why: into 00400EF0
I'll write the patching code, and when it has run it will return to 0040B02D
to continue the unpacking code. How did I find that 00400EF0 is the correct place
to write the code? With a hex editor (UltraEdit, e.g.) you can see that the region at
file offset EF0 is empty (all zero bytes); enter "I AM BON JOVY" there, run FGKey.exe
with the Symbol Loader and search memory with s 0 l ffffffff "I AM BON JOVY".
You find it at 00400EF0, which shows that this place is not modified by the packing/unpacking
in memory — the property a code cave needs, since the unpacker rewrites the packed code. (Restore the zero
bytes afterwards: the patch table below assumes the original 00 bytes at EF0.)
Now make the change at 0040B027 and press F10; at 00400EF0 press
"a" and add the
code:
015F:00400EF0 8D05D4890010  LEA EAX,[100089D4]     ; address in the DLL we want to patch (the 2nd byte of the JE at 100089D3)
015F:00400EF6 C60085        MOV BYTE PTR [EAX],85  ; the byte we want to patch: 0F 84 (JE) becomes 0F 85 (JNE)
015F:00400EF9 8D0500B04000  LEA EAX,[0040B000]     ; restore EAX to the value it had at the entry point
015F:00400EFF E929A10000    JMP 0040B02D           ; and jump back to the unpacking code
This relies on FGuard32.dll already being loaded, with its own ASPack stub already run, before FGKey.exe's entry point executes (as it is for a static import), and on the DLL being mapped at its preferred base 10000000 so that 100089D4 is the right address; it also assumes that page is writable, which ASPack-packed sections normally are. LEA, MOV and JMP do not touch the flags, so the result of the CMP at 0040B01A is still intact when we land at 0040B02D.
LET'S PATCH
---------------------------------------------------------------------------
OFFSET     Original File Bytes            Patched File Bytes
---------------------------------------------------------------------------
00000EF0 - 00 00 00 00 00 00 00 00 --- 8D 05 D4 89 00 10 C6 00
00000EF8 - 00 00 00 00 00 00 00 00 --- 85 8D 05 00 B0 40 00 E9
00000F00 - 00 00 00 00 00 00 00 00 --- 29 A1 00 00 00 00 00 00
00005828 - 85 17 05 00 00 8D 85 D1 --- 84 C3 5E FF FF 8D 85 D1
Note: this table omits the .text section flag change made earlier in ProcDump (Characteristics C0000040 -> E0000020). Stored little-endian, that change is the byte 40 -> 20 at file offset 1F4 and C0 -> E0 at 1F7; the patcher below writes exactly those two bytes (decimal offsets 500 and 503), so apply them too when patching by hand.
COOL, we patched a packed program without unpacking it. In case we want to make a crack there are a lot of patcher generators; this is useful when we don't have SoftICE on the computer that is protected by Folder Guard.
MAKING A CRACK
Using the Flu[X] Byte Patcher version 2.61 the following asm code was generated. To compile: tasm patch.asm, then tlink /t patch.obj. Note that the generated patcher only checks the file size (27136 bytes) before writing; it does not verify the original bytes, so any other build of FGKey.exe that happens to have the same size would be corrupted rather than refused.
file: patch.asm
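; patch.asm -- DOS .COM byte patcher for FGKey.exe (Folder Guard 4.11)
; Assembler: TASM, Intel syntax, 16-bit real mode, tiny model (CS=DS=ES=SS).
; Build:  tasm patch.asm
;         tlink /t patch.obj
;
; What it does: prints a banner, looks FGKEY.EXE up in the current directory,
; refuses to touch it unless its size is exactly FGKEY_SIZE bytes, then opens
; it read/write and overwrites the bytes listed in the patch table below,
; one byte per seek+write pair.  Prints "Patch Successful" or
; "Patch Failed.. Wrong Version" and exits (ERRORLEVEL 0 on success, 1 on
; failure).  Only DOS INT 21h services are used.
;
; Limitation (inherited from the generated original): only the file size is
; checked, not the original bytes at the patched offsets.
.model Tiny
.code
.386                            ; needed for the 32-bit EAX compare below;
                                ; keep it after .model so the segment stays 16-bit
ORG 100h

DOS             equ 21h         ; DOS services interrupt
FGKEY_SIZE      equ 27136       ; size in bytes of the FGKey.exe build this patch fits
DTA_FILESIZE    equ 1Ah         ; offset of the 32-bit file size inside the DTA

; PATCHB fofs, val -- seek to file offset `fofs` (< 64K; the high word in CX
; is always 0) and overwrite exactly one byte there with `val`.
; Expects BX = open file handle.  Clobbers AX, CX, DX and `newdata`.
PATCHB  macro   fofs, val
        mov     ax, 4200h               ; AH=42h seek, AL=0 = from start of file
        xor     cx, cx                  ; CX:DX = 32-bit offset, high word 0
        mov     dx, fofs
        int     DOS
        mov     byte ptr [newdata], val
        mov     ax, 4000h               ; AH=40h write CX bytes from DS:DX
        mov     cx, 1
        mov     dx, offset newdata
        int     DOS
        endm

start:
        mov     ah, 9                   ; print the banner
        mov     dx, offset WelcomeMessage
        int     DOS

        ; Locate the file so its size can be checked before anything is written.
        mov     ah, 4Eh                 ; find first matching file -> DTA
        mov     cx, 10h                 ; attribute mask, as in the generated original
        mov     dx, offset Filename
        int     DOS
        jc      FailTest                ; not found: DTA contents would be stale garbage

        mov     ah, 2Fh                 ; ES:BX = current DTA
        int     DOS
        mov     eax, dword ptr es:[bx+DTA_FILESIZE]
        cmp     eax, [FileSize]
        jne     FailTest                ; different size -> different build, do not patch

        mov     ax, 3D02h               ; open read/write
        mov     dx, offset Filename
        int     DOS
        jc      FailTest                ; open failed: AX is an error code, not a handle
        mov     bx, ax                  ; BX = handle for every seek/write below

        ; ---- patch table (file offsets in decimal, values in hex) ----

        ; 1F4h/1F7h: low and high byte of a dword 40 00 00 C0 -> 20 00 00 E0,
        ; i.e. the .text section Characteristics C0000040h -> E0000020h
        ; (INITIALIZED_DATA|READ|WRITE -> CODE|EXECUTE|READ|WRITE).
        PATCHB  500, 20h
        PATCHB  503, 0E0h

        ; 0EF0h: code cave (all zero bytes in the original) that patches the
        ; JE at 100089D3 in FGuard32.dll to JNE and jumps back to 0040B02D:
        ;   8D 05 D4 89 00 10   LEA EAX,[100089D4]
        ;   C6 00 85            MOV BYTE PTR [EAX],85
        ;   8D 05 00 B0 40 00   LEA EAX,[0040B000]
        ;   E9 29 A1 00 00      JMP 0040B02D
        ; Bytes that are already 00 in the file are not written.
        PATCHB  3824, 8Dh
        PATCHB  3825, 05h
        PATCHB  3826, 0D4h
        PATCHB  3827, 89h
        PATCHB  3829, 10h
        PATCHB  3830, 0C6h
        PATCHB  3832, 85h
        PATCHB  3833, 8Dh
        PATCHB  3834, 05h
        PATCHB  3836, 0B0h
        PATCHB  3837, 40h
        PATCHB  3839, 0E9h
        PATCHB  3840, 29h
        PATCHB  3841, 0A1h

        ; 5828h: unpacker hook, JNZ 0040B544 (0F 85 17 05 00 00)
        ;        -> JZ 00400EF0 (0F 84 C3 5E FF FF); the leading 0F is unchanged.
        PATCHB  22568, 84h
        PATCHB  22569, 0C3h
        PATCHB  22570, 5Eh
        PATCHB  22571, 0FFh
        PATCHB  22572, 0FFh

        mov     ah, 3Eh                 ; close handle in BX
        int     DOS
        mov     ah, 9
        mov     dx, offset Success
        int     DOS
        mov     ax, 4C00h               ; exit, ERRORLEVEL 0
        int     DOS

FailTest:
        mov     ah, 9
        mov     dx, offset FAIL
        int     DOS
        mov     ax, 4C01h               ; exit, ERRORLEVEL 1 so batch files can tell
        int     DOS

; ---- data (tiny model: lives in the same segment as the code) ----
newdata         db 090h                 ; one-byte write buffer used by PATCHB
Filename        db 'FGKEY.EXE',0        ; ASCIIZ name for find-first / open
FileSize        dd FGKEY_SIZE           ; expected size, compared as a dword
WelcomeMessage  db '',0dh,0Ah
                db 'Program Name: Folder Guard 4.11 - PASSWORD CRACK ',0dh,0Ah
                db 'Company: WinAbility(R)',0dh,0Ah
                db 'Size: FGKey.exe 27.136 b',0dh,0Ah
                db 'Date: September 26 1999',0dh,0Ah
                db 'Cracker: cupofcoffe',0dh,0Ah
                db '',0dh,0Ah
                db 'Description: This file is cracking the FGKey.exe-FGuard32.dll',0dh,0Ah
                db '             So you can access files protected with ',0dh,0Ah
                db '             Folder Guard 4.11',0dh,0Ah
                db '$'
Success         db 'Patch Successful',0dh,0Ah,'$'
FAIL            db 'Patch Failed.. Wrong Version',0dh,0Ah,'$'
CrediT          db 'FluX - PhrozenCrew98',0dh,0Ah,'$'   ; unused, kept from the generator
end start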
|
tutorial by :

page created September 99