The compressed programs :


This essay is the second part of HomeSite 4.'s how to crack tutorial. In the precedent essay, using ProcDump to get a Deshrinked version has modified the program. This time, I'll try to explain how to patch directly a shrinked application with ProcDump.


Tools:

PE Sniffer 1.06
Wdasm 8.93
SoftIce 4.0
HexWorkShop 2.54

Méthode:

Live Approach

How to:

The Principe of the strategy used here is available for others compressed programs like Néolite, ASPack...

  1. Identification of the protection

When you want to disassemble the target with Wdasm, crypted or compressed programs often give a nag screen like this one. Some time you got a listing (with no resources references), some time not.

You can found what kind of protection have been used by different way:

  • By using your Hexeditor: usually, you found some reference, copyright... about the compressor in the exe. Shrinker is quit easy to identify, you found many Shrink1, Shrink2… .
  • By using SoftIce, you have some luck to be in a section named shrink (or Vbox...),
  • By using a tool like the very good PE Sniffer 

PE SNIFFER

Detection of the kind of protection :

It's quit simple to use it. Just click on the name of a packed protection, and wait for is answer

When you know the name of the compression used, you can begin your work :



PROCDUMP

2- Making a Dump of the compressed target:

When you have launched ProcDump, you have the choice between some buttons (Unpack, rebuild PE…), and the list of the active applications

(The main board of ProcDump)

What ProcDump can do :

What ProcDump can do :
þ Dump any 32 bits running process/module by using the CodeShot engine.
þ Phoenix engine can restore the Import table & PE header.
þ Phoenix engine can reoptimize a PE file and Dump made with CodeShot.
þ Shiva engine can start & unpack a given PE file (at least it tries !!). With the help of script anguage, u can unpack in a few secs well-known packers and learn to ProcDump how to unpack the others.
þ Alter a given file PE header, kill some object physically.
þ Bhrama server can wait a client send a PID to dump : Client tell to ProcDump when it is good to dump ;).

 Click on UNPACK and a second box will propose you several protection. If you don't know its name, you can choose UNKNOW, but the result is not always good...

ProcDump will launch the application/target, and make a non-compressed dump of him. The screen you can see at this moment show you some first information's like the Entry point of the Target, the address where ProcDump have found the bytes who can identify the kind of protection. . (Cf Script.ini)
Immediately you get this screen, with some informations:

Entry point of the target: 0x007C83DA

Identification of the protection: 0x007C84D6

Entry Point 007C83DA will be confirmed by the Wdasm's listing of the decompressed dump: 

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
********************** Start of Code in Object .load **************
Program Entry Point = 007C83DA (homesite4.exe File Offset:003CD9DA)
At the end of the operation, ProcDump, before asking you the name for a safe copy of your new decompressed exe will give you a other information:
The EIP where Shrinker will jump in the decrypted version.

This call will often made by a Jump Eax, a call Eax, or by the simulation of a Call/Return like a Push Eax / Ret.
Well, now you dispose of a totally clean exe, that you can disassemble with Wdasm (with references this time), Used with SoftIce, and modify has your wish.
However, in this essay, we will continue to work on the shrinked version, and look how to patch the target without using a decompressed version.


3- The sections of the Programm :

When you click on the button "PE EDITOR" of Proc Dump, you will continued to obtain information's on the compressed Soft:
The image base is at 400000 and the Entry point at 00240E98.

400000+240E98 = 640E98. Here is the Entry Point of HomeSite in is discompressed version , like Wdasm (after ProcDump) will confirm : 

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
********************** Start of Code in Object CODE **************
Program Entry Point = 00640E98 (homesite0.exe File Offset:00240498)

 By clicking on the button " Sections ", you get this table:

(Before discompressing)


(After discompressing)

In this table, you can see that there are no mentions about Shrinker (but look at the C0000040)
In the case of compressed program, C0000040 is a constant (the section must be Readable, Writable and Data! By this way the program can read compressed codes and discompress the code without having a fatal error in Windows). You just have to change the 0xC0000040 by 0xC0000020 and the target can be readed by Wdasm AND To AUTORIZE THE LOADER OF SOFTICE TO MAKE A BREAK ON THE ENTRY POINT...

Some quick explications on the characteristics of the sections:

================
0x20...... : eXecutable
0x40...... : Readable
0x80...... : Writeable

exemple 0x60.. -> eXecutable + Readable
0x60... -> R-X-.
0xC0... -> R-.-W
0xE0... -> R-X-W
=================
0x......20 : contains Code
0x......40 : Initialized data
0x......80 : Unitialized data

0x......40 : mostly the sections could have this value except the sections .CODE et .BSS
=================

If you want to know plus, there are a good article, you can found on Microsoft.com: "PEERING INSIDE the PE" written in mars 94 by Matt Pietrek (who have worked in NU-MEGA TECHNOLOGIES INC....)

Some others explications:

All characteristic have a value. If you want to have 2 values, you can do : caract1 OR caract2 ...
To autorize Softice to break on the entrypoint, you must have the first section with:

   0x00000020 IMAGE_SCN_CNT_CODE 
   0x20000000 IMAGE_SCN_MEM_EXECUTE 
   0x40000000 IMAGE_SCN_MEM_READ 
OR 0x80000000 IMAGE_SCN_MEM_WRITE 
----------------------------------- 
   0xE0000020 
And to unautorize a break, or a disassemblage of the section, you can put this characteristics : 
       0x00000040 IMAGE_SCN_CNT_INITIALIZED_DATA 
   0x40000000 IMAGE_SCN_MEM_READ 
OR 0x80000000 IMAGE_SCN_MEM_WRITE 
-------------------------------------------- 
   0xC0000040

To finish with ProcDump

ProcDump is a program who can be actualized, trough is script. In the Script.ini you can found all the most usual protections and you will be able to competed it, if you wish. (see the TaMaMBoLo' essays)


Here is a piece of the script for Shrinker 3.3 :

[Shrinker 3.3]

L1=LOOK FF,75,10,FF,75,0C,FF,75,08,FF,55 > ProcDump search this string,
L2=BP                                    >  put a breakpoint (as SoftIce)
L3=STEP                                  > and begin tracing step by step

It's with the string FF7510FF750C7508FF55 that ProcDump will recognize Shrinker 3.3 and begin his work.
For us, this information can be rather interresting, in the way that this codes are in the not compressed part of the exe (if there are no double compression…)
It's easy to find him with a hexeditor or in Wdasm listing:

:007C84AC 8B35B8A17B00            mov esi, dword ptr [007BA1B8]
:007C84B2 85F6                    test esi, esi
:007C84B4 7431                    je 007C84E7
:007C84B6 833DBCA17B0000          cmp dword ptr [007BA1BC], 00000000
:007C84BD 7528                    jne 007C84E7
:007C84BF 833D845E7C0000          cmp dword ptr [007C5E84], 00000000
:007C84C6 741F                    je 007C84E7
:007C84C8 A1845E7C00              mov eax, dword ptr [007C5E84]
:007C84CD 0305985F7C00            add eax, dword ptr [007C5F98]
:007C84D3 8945E0                  mov dword ptr [ebp-20], eax    >the eax
:007C84D6 FF7510                  push [ebp+10]  > codes see in Script.ini
:007C84D9 FF750C                  push [ebp+0C]
:007C84DC FF7508                  push [ebp+08]
:007C84DF FF55E0                  call [ebp-20]  > fire the decompressed programm
:007C84E2 8945E4                  mov dword ptr [ebp-1C], eax

If you ask for the registry value of EAX, you will see 00640E98, the Entry Point of HomeSite, like we have already seen.

SoftIce :

Now we need to have a break on the entry point of the shrinked program:

The API technique :

You can put a BreakPoint on the GetProcAddress API, which is executed several times at the beginning of a program. After the break, you press [F12] to exit of all Kernel and others User, and when you are in the codes of your target, you begin to trace with [F10]. It's a little bit longer as technique...

My preference goes to the Interrupt technique:
Psyché, my Master, offer you to force the program to break where you want by using the interrupt 3:
These techniques consist of replace a byte of the shrinked target on the Entry Point, or other place of your choice. By using a hexeditor, you will found the codes without problem (Hiew is quite good for this...)
:007C84D6 CC > you put a CC (opcode for INT 3) at the address where you have found the ProcDump's corresponding codes, and with a BPINT 3 (breakpoint on the interrupt 3) written on the command line of SoftIce, you will obtain a break when you fired the application. Restore the good bytes (PUSH DWORD PTR [EBP+10]) if you don't want to have a Windows's fatal error.
You are ready for the next step:

Founding some place:

You must found enough places to write the codes of your patch, in offsets not used by the discompression, or by Shrinker. Found codes like 00 (Nulls Bytes) at the end of the section, and control with a BPR that the program doesn't write anything at these addresses:

00000000000000000000 BYTE 10 DUP(0)
00000000000000000000 BYTE 10 DUP(0)
00000000000000000000 BYTE 10 DUP(0)
00000000000000000000 BYTE 10 DUP(0)

You can also use the place where is the Icon of the program, or the place where Shrinker had put is CopyRight...

The Patch to do:

For HomeSite 4.0, here is a solution:

A the exit of the second break on a BPX GetLocalTime, by tracing with F10, you will land here:

* Reference To: kernel32.GetLocalTime, Ord:0000h > get the real date
                                  |
:0040A390 E827CAFFFF              Call 00406DBC
:0040A395 668B4C240E              mov cx, word ptr [esp+0E] day    = 30
:0040A39A 668B54240A              mov dx, word ptr [esp+0A] month  = 08
:0040A39F 668B442408              mov ax, word ptr [esp+08] year   = 1999
:0040A3A4 E81FFEFFFF              call 0040A1C8
:0040A3A9 DD1C24                  fstp qword ptr [esp]
:0040A3AC 9B                      wait
:0040A3AD DD0424                  fld qword ptr [esp]
:0040A3B0 83C418                  add esp, 00000018
:0040A3B3 C3                      ret

You can found many others solutions to break a time limit, but this one have seam to me quite simple. I put the installation date instead the real date. Now HomeSite will ever think he is at the first time of the Trial period.

* Reference To: kernel32.GetLocalTime, Ord:0000h
                                  |
:0040A390 E827CAFFFF              Call 00406DBC
:0040A395 66B91E00                mov cx, 001E  30
:0040A399 90                      nop
:0040A39A 668BA0800               mov dx, 0008  august
:0040A39E 90                      nop
:0040A39F 668BCF07                mov ax, 07CF  1999
:0040A3A3E 90                     nop
:0040A3A4 E81FFEFFFF              call 0040A1C8

Now, you must write a Patch which rewrite on the HomeSite's code, after the discompresion by Shrinker, and before Shrinker give the hand to HomeSite by using the original Entry Point

 
The Patch :

Little note : writing in memory when the code are over 8 bits must be "in the other sense", for example a B001 (mov bl,01) must be written 01B0.

:007C9D1A FF257C637C00            jmp dword ptr [007C637C]
:007C9D20 FF2580637C00            jmp dword ptr [007C6380] > end of Shrinker

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:007C84DC(U) > jump you must made to access of this Patch

:007C9D26 C70595A3400066B91800    mov dword ptr [0040A395], 0018B966 Day
:007C9D30 C60599A3400090          mov byte ptr [0040A399], 90        Nop
:007C9D37 C7059AA3400066BA0800    mov dword ptr [0040A39A], 0008BA66 Month
:007C9D41 C6059EA3400090          mov byte ptr [0040A39E], 90        Nop
:007C9D48 C7059FA3400066B8CF07    mov dword ptr [0040A39F], 07CFB866 Year
:007C9D52 C605A3A3400090          mov byte ptr [0040A3A3], 90        Nop
:007C9D59 FF7508                  push [ebp+08] > restore the writted jmp's code 
:007C9D5C FF55E0                  call [ebp-20] > and GO!
:007C9D5F 00000000000000000000    BYTE 10 DUP(0)
:007C9D69 00000000000000000000    BYTE 10 DUP(0) 

Made this modifications a first time in memory, use after your hexeditor to made then definitive, and verify (with the help of the BPINT 3) that the bytes have not been modified when Shrinker has made is decompression. If it's the case, you must find other place...

Address is Good?

Your Patch has not been change ?
You can think about the jump that goes to the patch.
This jump must be placed after the full decompression, and before Shrinker give the hand to HomeSite:

Replace
:007C84D6 FF7510                  push [ebp+10]  > Script.ini's code
:007C84D9 FF750C                  push [ebp+0C]
:007C84DC FF7508                  push [ebp+08]
:007C84DF FF55E0                  call [ebp-20]  > fire the decompress programm
:007C84E2 8945E4                  mov dword ptr [ebp-1C], eax

by this :

:007C84D6 FF7510                  push [ebp+10]  
:007C84D9 FF750C                  push [ebp+0C]
:007C84DC E945180000              jmp  007C9D26  > jump to the Patch
:007C84E1 90                      nop
:007C84E2 8945E4                  mov dword ptr [ebp-1C], eax

A new time, test in memory the well work of your jump and your Patch, and if always go nice, make the change definitively with your hexeditor.

Now, Your have a shrinked version, patched and functionally

Bonne journée
Christal