Andy's thread (my first approach)
Sunday, 25-Apr-1999 06:16:09

> Post any traps/tricks you encountered and a
> detailed description on how you manage to bypass
> them. In the event that you are not able to,
> I'm sure someone will be able to help you out.

First of all, the target is packed (it's using DirectX and it doesn't seem to import any functions from ddraw.dll). I tried to unpack it using ProcDump but I didn't succeed (not enough experience :( ). However, although the unpacked exe does not work (Illegal operation...), it has a new import table, with the calls to ddraw.dll and dsound.dll functions.

Since unpacking didn't work, I tried something else. I used BoundsChecker and here's what I found out: there are 2 threads. One is processing the characters pressed and the second tries to find 3 windows using FindWindowA.

For the first thread: it contains a TranslateMessage-DispatchMessage loop. Sometimes, inside a DispatchMessage call, strlen is called. Strlen is called for 2 different strings: for your username and for an interesting string: "«*" (didn't know then what it meant, but I do now :). Sadly, bpx strlen doesn't work.

For the second thread: strlen is very often called for some unreadable strings. I guess they are called inside a while loop, in order to decrypt the strings passed as parameters to FindWindowA. FindWindowA is called with 3 different parameters: 2 times it searches for 2 versions of ProcDump and once for "OWL_Window" (anti-SICE code? noos mentioned something about this...).

Since bpx strlen didn't work, I used this approach (I finally saw the congrat. message :): I looked at the functions imported in the "partial-unpacked" file and noticed the program uses DirectDrawCreate. So bpx DirectDrawCreate and run the program. When SICE breaks (finally :), not even Loader32 breaks): hit F10 and write down the important functions:

    401920 call ...   => change mode 640x480
    ...
    402423 call ...   => first screen is being displayed

and so on until:

    0137:00402735 call 00402f89   => displays "SECURITY CODE" == last string displayed

After this call, a TranslateMessage-DispatchMessage loop follows (remember BoundsChecker...). I was stuck here for a while, then I looked again at the call at 402735:

    0137:00402721 push AF
    0137:00402726 push D2
    0137:0040272B push 8C
    0137:00402730 push 406278   <= hmmm...
    0137:00402735 call 00402f89

What's at 406278? (db 406278). It's the program's string table. All the strings displayed are there plus some additional strings: "noos", "DREADX", "«*" (remember :) and even the congrat message :). Notice all the displayed strings start with "«": "«WELLCOME TO", "«TERMINAL V1.4", ... . Also notice the string "«*". It starts with «, so this '*' is the one being displayed when a key is being pressed. So, bpm that location (bpm 406295; not sure about the address). Then hit F5 and press a key. SICE breaks (joy :).

Hit F12 once and you are inside the part of the code where '*' is being displayed:

    0137:00403041 call [ecx+1c]   <= displays '*'

Hit F12 a few more times (I think 2 times will do). You are now inside the WndProc function (at the end of it). Scroll the code up and see where it starts:

    0137:........ ret
    0137:004027F6 push ...   <= it starts here.

Disable the previous breakpoints and bpx 4027F6. Hit F5. It will break almost immediately; all the messages are processed here, not just the WM_CHAR message. So, let's find the code where the characters are processed. Only two messages are processed (don't remember the code):

    cmp ...,...
    jxx address1   <= first conditional jump
    cmp ...,...
    jxx address2   <= second conditional jump
    jmp endWndProc

You'll find out that the second jump (address2) is the one that is taken when a WM_CHAR message is being processed. Disable all the previous breakpoints and bpx address2, then hit F5. Press any key, and you should be right inside the check routine. If you press RETURN, you'll eventually get to a code that looks like this:

    call [...]
    or eax,eax
    jnz ....   <== ...

I know, patching is not allowed, but if you want to see the congrat. message, why not :).

Andy
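The string-table observation above (every string the program displays is tagged with a leading "«") is the kind of thing worth automating once you have dumped the table. The following is an added example and not code from Andy's post or from the crackme: a small C scanner over a constructed, in-memory copy of such a table (modelled on the strings the post lists, not bytes from the real binary) that lists every NUL-terminated string whose first byte is the marker. It assumes the binary used a single-byte code page, where "«" is 0xAB (ISO-8859-1 / Windows-1252); with a dumped table the same function can be pointed at the raw bytes.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Marker byte: '«' is 0xAB in ISO-8859-1 / Windows-1252.
 * Assumption: the target used a single-byte code page. */
#define DISPLAY_MARKER 0xAB

/* Constructed sample of a string table: NUL-terminated strings laid out
 * back to back, modelled on the strings the post names. The real table
 * lives at 406278 in the target; these bytes are NOT copied from it. */
static const unsigned char sample_table[] =
    "\xABWELLCOME TO\0"
    "\xABTERMINAL V1.4\0"
    "noos\0"
    "DREADX\0"
    "\xAB*\0"
    "\xABSECURITY CODE\0"
    "CONGRATULATIONS\0";

/* Length of the string starting at s, stopping at NUL or at `max` bytes
 * (own helper, so the block does not depend on POSIX strnlen). */
static size_t bounded_len(const unsigned char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Walks a table of NUL-terminated strings and stores a pointer to the text
 * (marker byte skipped) of each string whose first byte is `marker` in
 * out[], up to max_out entries. Returns the total number of marked strings
 * found, which may exceed max_out. Unterminated trailing data is treated as
 * one final string. */
size_t find_marked_strings(const unsigned char *table, size_t len,
                           unsigned char marker,
                           const char **out, size_t max_out)
{
    size_t count = 0, i = 0;
    while (i < len) {
        const unsigned char *s = table + i;
        size_t slen = bounded_len(s, len - i);
        if (slen > 0 && s[0] == marker) {
            if (count < max_out)
                out[count] = (const char *)s + 1; /* skip the marker */
            count++;
        }
        i += slen + 1; /* step past the terminating NUL */
    }
    return count;
}

/* Convenience wrapper over the constructed sample: number of displayed
 * (marked) strings it contains. */
size_t sample_marked_count(void)
{
    const char *hits[16];
    return find_marked_strings(sample_table, sizeof(sample_table),
                               DISPLAY_MARKER, hits, 16);
}

int main(void)
{
    const char *hits[16];
    size_t n = find_marked_strings(sample_table, sizeof(sample_table),
                                   DISPLAY_MARKER, hits, 16);
    size_t i;
    printf("%zu displayed strings:\n", n);
    for (i = 0; i < n && i < 16; i++)
        printf("  %s\n", hits[i]);
    return 0;
}
```

Strings without the marker ("noos", "DREADX", the congratulation text) are left out, which is exactly the split the post relies on: the marked entries are what the screen routine is fed, so a bpm on one of them (the "«*" entry in the post) catches the display path without needing a working bpx on strlen.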