Name     : ICQ
Version  : 99b
Editor   : Mirabilis
Target   : icq.exe
Tools    : SoftICE, Brain
Cracker  : LW2000
Tutorial : No. 12
http://www.mirabilis.com/

---
DISCLAIMER
For educational purposes only! I take no responsibility for the misuse of this material!
---

Overview:
---------
How to pass the ICQ Startup Security Check

Please excuse my poor English, it's not my mother language....

Think about the following situation: you launch ICQ (hey, your own copy of course ;), but ICQ wants a password (PWD) before it works...

1. Launch ICQ; a PWD dialog appears. Enter 1230099 as the password.
   *BOOM* Incorrect password! Typical program bug ;)

2. [Ctrl]+[d] into SoftICE and set a breakpoint on GetWindowTextA:

   bpx getwindowtexta

   [F5] to return to the application.

3. PWD: 1230099
   *BOOM* SoftICE pops up. [F5] and then [F11] to get to the caller. Now trace through the code with [F10] until you see this:

   0177:2190039A 7440         JZ   219003DC          <-- Bad BOY!
   0177:2190039C 39BED0000000 CMP  [ESI+000000D0],EDI
   0177:219003A2 757A         JNZ  2190041E
   0177:219003A4 E8C40EF8FF   CALL 2188126D
   0177:219003A9 8BCE         MOV  ECX,ESI
   0177:219003AB 8BD8         MOV  EBX,EAX

   Trace until you are on

   0177:2190039A 7440         JZ   219003DC

4. Now enter 'r fl z' to change the zero flag. Type 'bd *'. Press [F5] to return to ICQ.
   Fine, ICQ works. But let's turn off this security feature.

5. Click ICQ | Preferences & Security | Security & Privacy. Set the security level to 'low'. Press the Save button.
   Seems to be our PWD dialog... [Ctrl]+[d] into SoftICE and enter 'be *' to enable our breakpoint. [F5] to return to the application.

6. PWD: 1230099
   *BOOM* SoftICE pops up. [F5] and then [F11] to get to the caller. Now trace through the code with [F10] until you see this:

   0177:219003D9 59           POP  ECX
   0177:219003DA 7442         JZ   2190041E          <-- Bad BOY
   0177:219003DC 39BED0000000 CMP  [ESI+000000D0],EDI
   0177:219003E2 7406         JZ   219003EA
   0177:219003E4 FF86E0000000 INC  DWORD PTR [ESI+000000E0]
   0177:219003EA 8D45F0       LEA  EAX,[EBP-10]
   0177:219003ED 684D1F0000   PUSH 00001F4D
   0177:219003F2 50           PUSH EAX
   0177:219003F3 FF15EC469E21 CALL [219E46EC]

   Trace until you are on

   0177:219003DA 7442         JZ   2190041E

   Now enter 'r fl z' to change the zero flag. Type 'bd *' to disable our bpx. Press [F5] to return to ICQ. Now press Done.

7. Quit ICQ and fire it up again.

Congratulations! You have beaten the ICQ Security Startup Check.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me: LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
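Both "Bad BOY" jumps in steps 3 and 6 show the same weakness: the whole password decision collapses into one CMP/JZ, so whoever controls the zero flag at that instruction controls the outcome. The C below is an added example, not part of LW2000's tutorial or of ICQ; the function names, the toy key derivation and the "ICQ-OK" marker are constructed. It puts that gate pattern next to a design in which the password is used as data to unseal the protected content, so a flipped flag only changes a boolean and leaves the caller with garbage instead of the real data.

```c
#include <stdint.h>
#include <string.h>

/* Weak gate: one comparison, emitted as CMP followed by JZ/JNZ. Forcing the
 * zero flag at that instruction decides the result regardless of input. */
int gate_with_branch(const char *input, const char *stored)
{
    if (strcmp(input, stored) == 0)   /* roughly: CMP ...; JZ unlocked */
        return 1;                     /* unlocked */
    return 0;                         /* "Incorrect password" */
}

/* Toy key derivation (FNV-1a style mixing). NOT cryptographic; a real design
 * would use a proper KDF such as Argon2 plus authenticated encryption. */
static uint32_t toy_kdf(const char *s)
{
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}

#define MARKER "ICQ-OK"               /* constructed stand-in for protected data */
#define MLEN   (sizeof(MARKER) - 1)

/* XOR with a password-derived keystream; XOR is its own inverse, so this seals and unseals. */
static void xor_stream(const char *password, const uint8_t *in, uint8_t *out)
{
    uint32_t h = toy_kdf(password);
    for (size_t i = 0; i < MLEN; i++) {
        h ^= (uint32_t)i; h *= 0x01000193u;   /* next keystream word */
        out[i] = in[i] ^ (uint8_t)(h >> 24);
    }
}

void seal_marker(const char *password, uint8_t sealed[MLEN])
{
    xor_stream(password, (const uint8_t *)MARKER, sealed);
}

/* Data-dependent unlock. forced_accept simulates the flipped zero flag: it can
 * turn the return value into "unlocked", but out[] stays garbage unless the
 * password was right, because the key is consumed as data, not as a yes/no. */
int unlock(const char *input, const uint8_t sealed[MLEN], int forced_accept,
           char out[MLEN + 1])
{
    xor_stream(input, sealed, (uint8_t *)out);
    out[MLEN] = '\0';
    int genuine = memcmp(out, MARKER, MLEN) == 0;
    return genuine || forced_accept;
}
```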