Text File | 2000-05-25 | 58.3 KB | 1,659 lines
========================================================
+HCU Maillist Issue: 161 03/10/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:
#1 Subject: Handy Tool
#2 Subject: gthorne - regarding 2600 and hacking magazine infos
#3 Subject: re:frustration with PCBDEMO
#4 Subject: 2600 reply

ARTICLES:

-----#1-------------------------------------------------
Subject: Handy Tool

Greetings Everyone,

First, I'd like to mention a nifty little tool I stumbled on while browsing around NoNags. It's called RegSnap. It will take 'snapshots' of the Win95 registry, then compare them and show you any differences. It's a very small program (37K zipped). You can find it at ******************

Second, I am looking to broaden my 'cracking horizon'. Lately I have been asking (in #cracking4newbies) about packed files, self-modifying code, and other more advanced protections. Unfortunately, most of the texts I find concerning these are way over my head. Any suggestions on taking that 'next step'?

Thanks to all the 'seniors' for letting me eavesdrop on your discussions in this letter. It's a daily encouragement to leave the TV off and learn a little more.
Take it easy,
newbcrack
***********************

-----#2-------------------------------------------------
Subject: gthorne - regarding 2600 and hacking magazine infos

2600 costs $4.50 per issue in usa dollars, and $5.50 in canadian dollars (*************** is the only hacking mag i know of for free, which is worth its salt)

The back of the magazine lists locations for meetings, and the only one in australia listed is at Adelaide, outside cafe celsius near the academy cinema on the corner of Grenfell and Pulteney streets

if no one seems to have them at the newsstand, or barnes & noble which tend to carry them stateside...

email: *************

there is also an address to mail snail mail:
2600 Subscription Dept.
P.O.Box 752
Middle Island NY 11953-0752

i will have to warn you ahead of time, many 2600 meetings are basically people who want to hang out and look like hacker types, so only a couple of the several meetings i went to made much sense for me to even be there

i tend to bring technical manuals and source code and often orc tutorials or whatever, and in a couple of the meetings basically i had to be the one to do anything that got anyone even thinking about topics that seemed computer related at all

in some areas this is not so, such as new york...
from what i understand their meetings tend to have guest speakers and attendees such as security analysts, NSA agents, you name it (and lots of other not-so-hidden federales in the crowd)

all are welcome - the meetings are in full view so no one can claim subversion, and just like the bugtraq hacker mailing list, it is for sysadmins, hackers, analysts, people who are new, and feds alike

that doesn't mean the people in the meetings aren't careful, and often tend to watch who they talk to, but an open door policy keeps the 'man' off 'the back' and keeps the meetings legal to be held

i suppose it's what you make of it - which is what upsets me when i see someone at a meeting who is looking sad (someone from the 'good ole days' who remembers when 'there was real hacking and cracking discussion, codebreaking and somesuch')

there was a microsplotch employee at one - obviously not your average one, since he was quite interested in the opposite end.. but then: not everyone is brainwashed by being hired, as interests didn't start with microsoft, but long before that company ever had its greedy little hands on its people

blacklisted 411 is another mag that comes out - tends to also be at barnes & noble, though it seems to have fewer articles, some on phone related things, and a ton of classifieds of some kind. i haven't been amazingly interested, but then it doesn't tend to have an occasional source code for pc or unix or other system like 2600 or phrack tend to

i am not a phone phreak by any means, and that's probably why it doesn't appeal to me as much, though i did build a real red box with a switch on a tone dialer from rat shack and a crystal once

nothing like looking back on the fun of the past and the mistakes one can make with a soldering iron and way too many gadgets to ruin in an afternoon

til next time...
+gthorne

-----#3-------------------------------------------------
Subject: re:frustration with PCBDEMO

>I have tried millions of things from my limited
>knowledge and It has come time to shout HELP!!!!!
>I don't necessarily want any1 to write a crack,
>patch, tute etc - even a simple: "this program
>can be registered, and cracked" or "This is a
>demo only you twit" would be fine!

I took a quick look and it isn't hard to crack. It doesn't look to me as though it can be registered; the .ini file details appear not to be accessed and were probably only placed there by the install program.

Try a different approach, investigate why it won't let you print a particular PCB (did you notice if you copy sample1.pcb to some other name you can still print/copy it?). Get a dead listing and find where and why the demo message box pops up, search for the demo message string resource identifier or locate the interesting area with sice.

Spyder...

-----#4-------------------------------------------------
Subject: 2600 reply

Due to my indolence is 2600 a FREE magazine or in my dreams? :-))
Are there any FREE hacking magazines you would recommend?

cheers
Rundus

Sorry Rundus, but no, 2600 is not free. You can subscribe to the magazine for about $20, but there are also some free hacking zines. One of the best, which i think rivals 2600, is phrack, which provides you with all the technical info you could ever want. Go pick up a couple of issues at **********************

-Tin

=====End of Issue 161===================================

========================================================
+HCU Maillist Issue: 162 03/11/1998
========================================================

CONTENTS:
#1 Subject: thanx all round...
ARTICLES:

-----#1-------------------------------------------------
Subject: thanx all round...

Thanx to gthorne for the 2600 info...just happens to be about 10mins drive! :-) . It's a pity that the, dare I say, H/C/P/V scene has changed so much, I am very sorry I missed those good old days. I chose a guitar instead of the C64 my brother got... I could never understand him sitting there for hours....Go figure! Hopefully ppl like +gthorne and the like, #'s like C4N, and Groups like Mex can make a difference to the Status Quo. I have decided to follow suit. I feel it is time to make an effort. <end soapbox>

BTW The tutorial on Siren Mail is simply a gold mine of info, it is surely a "Model Tute"

I found a crack for ultraedit50..cracked by "shareware Killer Team?" they seem to have a tute in their info as you can make out some mem locations, and BPX's. files called Ultra50c.zip, but the .nfo is in Japanese I think...anyway..it's a great idea...

I just spent 1/2 a day cut&paste ASM - with REAL paper & sticky tape. I am going to go through the code and try to understand the whole protection scheme. The program is called Macro Magic, with a 45 day time limit. I will write a tute for it later.

Thanx to Spyder for the ideas on PCBdemo. I will give it another go tonight.

also, newbcrack...a very handy app as I was doing this MANUALLY last night! :-) - BTW.. What's T.V.? ;-)

1 little question...Why would I get an error when trying to load the exports of an .exe, when the .dll of the proggy will load ok? - is it to do with file protectors or "decompiler-busters", or is Softice limited to certain types of programs? I can see the functions by doing a HWND <prog>, but can't load the exports to BPX 'em...

Argghhh!!..dog just ran off with the CALL to 00447db1... COME back here.....no!..bad ..boy!....
Bye,
HaQue

=====End of Issue 162===================================

========================================================
+HCU Maillist Issue: 163 03/12/1998
========================================================

CONTENTS:
#1 Subject: vb and smart check
#2 Subject: CCh in SICE?
#3 Subject: warez? oooooh, shame! horror!

ARTICLES:

-----#1-------------------------------------------------
Subject: vb and smart check

Hi all,

has anyone experienced problems when using smart check on extreeeemly overbloated vb apps? my experience is related to one app only: while the app continues and 'errors' (alias cracking info) are reported, the display window lists x number of 'pages' and then simply does not display any more info. I have not had a similar problem with smaller vb apps.

Bye
base metal

-----#2-------------------------------------------------
Subject: CCh in SICE?

A few issues ago someone stated that SICE embedded CCh into code to break. I thought that it didn't so wrote a small program to test it. The program is embedded in ghiric26.pdf

The question is, does SICE use CCh or not?

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: warez? oooooh, shame! horror!

On 7 Mar 98 at 7:29, +HCU ML wrote:

> -----#1-------------------------------------------------
> Subject: Re: What every cracker should have
>
> Hi Wafna,
> do you tell me the rest of your tricks if i send you the full german
> version of Skat2010? :) It's a 487 kb self-extracting exe.
>
> NiKai 5777852 (ICQ)

Hello Nikai,

I tell everyone my 'tricks', but why ask me in particular? I have been lurking on the list for months, with hardly any posting... or do you know me from somewhere else?
I think stone, Malattia, gthorne, etc etc are much better at cracking than I am....

Anyway, as a hobby I collect proggies (hehe) and I have Skat 2010, I'm looking for skat 2095. Now, if you have that, it would be very nice, but I have absolutely no idea what tricks you can get from me in particular....

BTW we all crack, don't we? Some of us have been hacking once in a while, I'm sure. And any phreaking? Phreaking should be interesting, I tried for a short while. The only 'funny' thing I found out was that calling 155 in Suriname (597) got your call transferred to the USA, and somebody would pick up the phone and say 'thanks for calling. Your security code, please'....... I wonder what that could have been......

Wafna

=====End of Issue 163===================================

========================================================
+HCU Maillist Issue: 164 03/14/1998
========================================================

CONTENTS:
#1 Subject: Re: warez? oooooh, shame! horror!

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: warez? oooooh, shame! horror!

Hi Wafna,

you wrote in +HCU Maillist, Issue: 11, 09/11/1997:

>I will tell you the rest of the tricks IF and only IF you contact me
>through psychic means and tell me where to download the German game
>SKAT2095 regged (before anyone faints at this lack of purity - why
>doesn't he register it HIMSELF - the shareware version is crippled).
>
>Wafna of FCA

that is where i know you from. Perhaps i forgot in my mail to you a :) or a <g>. That is all.
BTW i search for Skat2095 for you....and me :)

See (read) you
NiKai 5777852 (ICQ)

=====End of Issue 164===================================

========================================================
+HCU Maillist Issue: 165 03/15/1998
========================================================

CONTENTS:
#1 Subject: Who cracked KeyText v1.0x and more......
#2 Subject: PCB Demo...all is not what it seems!!!
#3 Subject: NE - new executable

ARTICLES:

-----#1-------------------------------------------------
Subject: Who cracked KeyText v1.0x and more......

1. Who cracked KeyText ?

Target: KeyText 1.0x (current version is 1.03)
Download URL: ***************

I have read your discussions for 2 months and now I think it may be the right time to ask a question to you +HCU: who has cracked KeyText 1.0x? I have made a keymaker for it and I can register with it successfully, but every time I run it after registration, it crashes. I analyzed the protection scheme for some time but didn't find anything special. Maybe I'm a lamer. So, can anyone there tell me what's wrong?
/*------------------------------------------------------------------*/
/* KeyMaker for KeyText 1.0x ( by +biGhEAd 1/98 )                   */
/* Software URL: ***************                                    */
/*------------------------------------------------------------------*/
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <string.h>

int main(void)
{
    char   sUserName[80];
    char   sRegNumber[9];
    size_t nUserNameLength;
    int    nNameAsciiSum = 0;
    int    n7RegNumberCharSum = 0;
    int    temp;
    int    i;

    printf("User Name: ");
    /* fgets() replaces the original gets(), which reads without a bound
       and overflows sUserName on a long line */
    if (fgets(sUserName, sizeof sUserName, stdin) == NULL)
        return 1;
    sUserName[strcspn(sUserName, "\r\n")] = '\0';   /* strip the newline */

    if ((nUserNameLength = strlen(sUserName)) < 5) {
        printf("ERROR: user name must be at least 5 characters long !\n");
        exit(1);
    }

    /* sum of the last character plus the first five, lowercased */
    nNameAsciiSum = tolower((unsigned char)sUserName[nUserNameLength-1]);
    for (i = 0; i < 5; i++)
        nNameAsciiSum += tolower((unsigned char)sUserName[i]);

    /* three two-digit decimal groups derived from the sum: "dddd-dd" */
    sRegNumber[0] = (nNameAsciiSum%0x44+0x0A)/0x0A + 0x30;
    sRegNumber[1] = (nNameAsciiSum%0x44+0x0A)%0x0A + 0x30;
    sRegNumber[2] = (nNameAsciiSum%0x57+0x0A)/0x0A + 0x30;
    sRegNumber[3] = (nNameAsciiSum%0x57+0x0A)%0x0A + 0x30;
    sRegNumber[4] = '-';
    sRegNumber[5] = (nNameAsciiSum%0x4D+0x0A)/0x0A + 0x30;
    sRegNumber[6] = (nNameAsciiSum%0x4D+0x0A)%0x0A + 0x30;

    /* the eighth character is a check letter computed over the first seven */
    for (i = 0; i < 7; i++)
        n7RegNumberCharSum += sRegNumber[i];
    temp = n7RegNumberCharSum%0xF0%0x18+0x42;
    if (temp < 0x4A)
        sRegNumber[7] = temp-1;
    else if (temp > 0x50)
        sRegNumber[7] = temp+1;
    else
        sRegNumber[7] = temp;
    sRegNumber[8] = '\0';

    printf("Registration Number: %s\n", sRegNumber);
    return 0;
}

2. I have some difficulties cracking those programs written with Borland's C++ Builder and Delphi. Anyone have any suggestions?

Thanks in advance. I hope those questions are not so easy as to make you +HCU feel dull :-).

+biGhEAd (3/14/98)

-----#2-------------------------------------------------
Subject: PCB Demo...all is not what it seems!!!

Hi all !!

This program will only allow you to print "sample1.pcb" and I have included a lot of details because some1 *MAY* be interested!!!
forgive me if I seem amateurish, as I am just an amateur....

I looked at this program again after some suggestions from Spyder. I came up with a lot of interesting things. ....with Quotes from Spyder's email..Thanx spyder BTW

>>>I took a quick look and it isn't hard to crack.

easy 4 U 2 Say ;-)

I opened up W32DASM and loaded PCBDEMO.EXE. I decided to change offsets 00014FA3h and 00014FABh to 75[jne] in HIEW (from 74[je]). Now I copied the file into the c:\pcb\ dir and ran it. I loaded up sample1.pcb and it gave the error "sorry, the demo version can only print sample1.pcb" Great I thought!!! now I loaded up sample2.pcb and clicked print, and the print box popped up !!! WOOOHOOO !!! now, being at work, with my laptop, and no printer - I couldn't try the print, but assumed it would work. I get home and NO BANANA!! dammit I am stroppy now.

>>>>It doesn't look to me as though it can be registered, the .ini file details appear not to be accessed and were probably only placed there by the install program.

Looking at the unzipped package afresh, I noticed a file called SETUP.DAT. hmmmmm... Wonder what's in there? . look: a line DEMO=1, and a lot of other settings. I changed it to read DEMO=0 and ran the install. What do you know, a registration pops up!!!

The package has files called:
setup.exe - for the setup
remove.exe - to remove the temp folder called c:\~niche it makes on setup
go.exe - I assume this has the reg routine in it
setup.dat - to configure the setup
.dll's - for the usual reason

I renamed remove.exe and ran the setup again and it didn't delete the temp folder. so now I could check out go.exe. (computer gives GPF if you try to run this file BTW) Now because this file is "made" by the setup..I don't see how I could change it and then run the setup???

I could not get the reg program to break on any usual password BPX's, the only break being on messagebox.
(I have a list of the win32API's now so I can learn some more) also, could not find any of my dodgy strings I typed in in memory.

any Ideas ppl? I am sure I can get the patching of pcbdemo.exe so it will print, but I think finding a serial would be Ideal. any help would be appreciated. open to full explanations now..This is getting to me!

L8r
HaQue

-----#3-------------------------------------------------
Subject: NE - new executable

Hi all crackers and +crackers

I wonder if anybody has any info about NE format? if so, please post it, or just a link to some info...

Thx in advance!
Pero

=====End of Issue 165===================================

========================================================
+HCU Maillist Issue: 166 03/16/1998
========================================================

CONTENTS:
#1 Subject: PCB Demo...all is not what it seems!!!
#2 Subject: Editeur
#3 Subject: none

ARTICLES:

-----#1-------------------------------------------------
Subject: PCB Demo...all is not what it seems!!!

>I opened up W32DASM and loaded PCBDEMO.EXE. I
>decided to change offsets 00014FA3h and
>00014FABh to 75[jne] in HIEW (from 74[je]).
>Now I copied the file into the c:\pcb\ dir and
>run it. I loaded up sample1.pcb and it
>gave the error "sorry, the demo version can only
>print sample1.pcb" Great I thought!!! now I
>loaded up sample2.pcb and clicked print, and
>the print box popped up !!! WOOOHOOO !! now,
>being at work, with my laptop, and no printer -
>I couldnt try the print, but assumed it would
>work. I gets home and NO BANANA!! dammit I am
>stroppy now.
Hey don't get stroppy - get working, the two patches you did were in the right area (not sure if they were the right patches) but there is a bit more to it than that - nothing really devious so just look at the code and try to follow what it is doing. There is some similar code elsewhere that needs sorting out as well.

On the registering - you could be right but I didn't notice any single flag or value which would cause all this checking code to be bypassed, which is why I still don't think the demo version is registerable.

Spyder...

-----#2-------------------------------------------------
Subject: Editeur

I'm currently trying to crack Editeur V3.4, I've located the function that displays the "Incorrect Reg Key" message but both W32Dasm and IDA say that it isn't called by anything. I'm thinking self-modifying code? Would it also do this if called by an external file? Any ideas?

Joe

-----#3-------------------------------------------------
Subject: none

Hello +biGhEAd,

> 2. I have some difficulties to crack those programs written with
> Borland's C++ Builder and Delphi? Anyone have any suggestions?

Read +trurl's brilliant essay on cracking VCL applications, and download the formspy program. Both of these are on +fravia's page, browse through the academy database for all of +trurl's essays and you'll find the one you need.

Cya,
+ReZiDeNt

=====End of Issue 166===================================

========================================================
+HCU Maillist Issue: 167 03/17/1998
========================================================
CONTENTS:
#1 Subject: +ReZiDeNt, one more help please
#2 Subject: Editeur, NE, Softice, TSR/W
#3 Subject: Timelock 3
#4 Subject: Re: NE-Files
#5 Subject: gthorne - virus stuff

ARTICLES:

-----#1-------------------------------------------------
Subject: +ReZiDeNt, one more help please

+ReZiDeNt:

Thank you for your last help. I have found +trurl's brilliant essay on cracking VCL applications, but the link to the tool FORMSPY is not valid. So would you please email it to me?

+biGhEAd -- ****************** (3/16/98)

-----#2-------------------------------------------------
Subject: Editeur, NE, Softice, TSR/W

****** Editeur

I recall playing with a previous version of Editeur. It was a fun program to play with though it did not have self-modifying code. At the time the copy protection scheme worked like this:

Make a statistic over the typed username, an 8 byte string
Make a statistic over the typed serial, also an 8 byte string
repz cmpsb the two strings.

Obviously such a scheme takes a while to unravel when it's well made, and it was in Editeur. The byte patch was easy though - get the compare right after repz cmpsb. It should be noted that the serial was tested at the box and every time the program was loaded.

If you think some code is self-modifying the disassembler becomes obsolete as an initial tool and the debugger becomes the real tool. IMHO the dead list approach is overrated. The debugger always does the job - except for the truly rare cases that something has to be reverse engineered properly.

******* NE

- this page has documentation on just about all file formats :).. ******************************

******* Winice, int 3 (cch)

- the saga continues. It was probably I that sometime ago claimed that Winice used int 3's for purposes of breakpoints.
Ghiribizzo challenged this hypothesis so I put it to the test using this procedure:

I made a call that checksummed a piece of code. I called this code twice, once inside, once outside the area being check-summed.

First I put a bpx in the code being checksummed, and g'd beyond it. Then I removed the breakpoint and stepped the second CRC call. The sums did not match - in other words Winice and BPX did change the code. Through a few calculations it was obvious that the change was due to a (cch) overwriting the original instruction at the breakpoint.

Now stepping (p) the code the two checksums matched. Then I made 4 memory breakpoints - thus using all the memory breakpoints available through hardware - and performed the step test again. Indeed the two checksums no longer matched. Again, calculating, the difference was due to an inserted int 3.

The obvious explanation is that whenever a debug register is available it is used for stepping instead of the int 3 (which btw. in many intel documentations is referred to as Single-step breakpoint)

The shortcomings of this simple test are:
1) I did it in v86 mode
2) I did it only on Winice 3.22 on WinNT

Though I read somewhere that WinIce 95 is a port of the NT version which would render this particular code exactly identical. I see no reason why a different method should be used out of v86 mode either. of course if you wish to verify my results you can ask me for sourcecodes - if you wanna make sure that I'm right or wrong - you should disassemble winice..

****** TSR

I promised a while back that I would consider writing a doc on Pseudo residency. As it turned out I only did a couple of sourcecodes and no dox. Now I did half a doc on the topic but I've become dreadfully scared that I've made it too theoretical for anyone to benefit from it. Anyways now I ask help from this mailing list to say what is unclear and needs improvement (or possibly what is wrong). I hope you'll all help me with a ton of suggestions.
Start DOC:
------------

After reading MadMax's essay on kernel patching I decided that perhaps it was time for an essay on "in memory patching". Contrary to the general +HCU philosophy my approach will be purely theoretical - the sourcecode I provide will serve as an example for you to build on.

Is something preventing a patch? Is your target encrypted, packed, CRC'ed or you need the program to run sometimes with the patch applied, sometimes without (A game-trainer for instance). Wouldn't you just love it if you could patch the program in memory after it loaded, unpacked, did the CRC checks etc.? You can.

In the dos days we had TSR's to do this job. In the windows world it's a bit more difficult as the programming interface (Win32 API) is dynamic in contrast to dos's static interrupt system. However new methods which in many ways are similar to TSR's are now available. Kernel patching as MadMax pointed out is generally a bad idea. We need a more gentle approach.

Which criteria would we like our solution to conform to? The criteria I'll use are:
1) The approach should perform ok in terms of compatibility. That is work on both NT and 95 and hopefully on future versions as well.
2) The operating system should not suffer any long term effects of the crack. That is after termination of the target the OS should be left unchanged.
3) Only ring 3 measures should be used. (Some of the API-functions I'll use from ring 3 will actually switch to ring 0, but at least there will be no foreign code introduced at ring 0)

Common ground

Our immediate problem is that in a preemptive operating system like windows each process runs in its own addressing space. Each time that the operating system switches to another process the virtual mapping is changed to fit that of the current process. The whole idea with memory patching is providing means of patching the target in its addressing space at a certain time (after unpacking, CRC'ing or whatever is done).
However since a criterion of the memory patch is that we can't patch the operating system nor the program itself we need to find a way of gaining access to the target addressing space from another process.

The next problem we've got is one of timing. Obviously the target needs to be patched after the CRC check has been performed or after it is unpacked in memory. And possibly it needs to be unpatched again to pass later checks. In other words we need a reliable trigger mechanism. It is in this respect that the three methods I'll present here differ.

The loader approach

The critical assumption I'll make here is that the USER of the program can tell us how to time the patch through another program. This basically means we assume that the user can:
1) Identify when patching is appropriate.
2) Switch to another program to activate.

About the first assumption it can be said - if it's a trainer this will never be a problem. Obviously the user will know when he wants to have infinite lives. Often a messagebox or some other visible sign shows itself when a patch is needed. E.g. A messagebox saying "Insert correct CD in drive and press OK" - It'd be easy to write a doc saying that when this occurs the dear user should press OK in another window first, and then in the target's obnoxious messagebox. However this is a serious shortcoming. Who said the program will actually let the user make a retry? Most 30-day trials tell the user the program has expired and then just exit or go into trial mode or whatever. Perhaps many different locations have to be patched at many different times, making user-controlled patching a cumbersome solution.

On assumption 2 it can be said that many games don't like switching tasks and it's not likely that users will enjoy having to switch out of their game to get a new handful of bullets or whatever.

Let's get a bit more technical. Windows is so nice to provide us with an interface to write in other processes' addressing space.
The API needed is: kernel32!WriteProcessMemory

If one takes a closer look at this you'll find that what it actually does is utilize Windows's int 2eh interface to switch to ring 0, meaning that it has ring 0 privileges and thus is able to override page protection. However the interface has a built-in security feature so you cannot override ring 0 data/code. (The int 2eh interface is for NT - I figure Windows 95 does something similar but I haven't checked it. Anyways the result is the same)

For WriteProcessMemory to work we need to identify by handle which process we want patched. IMHO the best way to find such a handle is to create the target process yourself - that is do a good old fashioned EXEC from within your patch/trainer code. The API is Kernel32!CreateProcessA

Of course there are different means of finding process handles.

To summarize an in-memory-patcher of this kind:
CreateProcessA (Target)
Wait for the user to say apply patch - e.g. a messagebox
WriteProcessMemory

Sourcecodes at: ******************************************** (or something)

------------------------------------------------------------------------

The API-Hook/Debug Approach

Obviously the assumptions made for the Loader Approach can be too restrictive. For instance 30-day trials often exit prior to offering the user any obvious point of introducing a patch. So do dongles. Players might not like to switch task out of their beloved game to get another 10 bullets or whatever. What we really need is the target to trigger the patch and this section is a way of doing this.

The whole idea here is to hook an API-call, and make it perform to our desire. That can be to return fake values under certain circumstances, it could be to patch the main program or its dll's in memory. In short what we wish to do is to let the api-call the program performs be surrounded by our code so that we can make it perform in every way we wish. Certain side benefits will come along as well.
That is, the code I present will show how it's possible to introduce breakpoints in an automated debugger which is indeed something very useful for the creation of for instance unpackers.

Again let's get down to it. A PE-file "imports" the functions it wishes to make use of. Because MS-developers decided on a dynamic structure for API's it's obviously necessary for each program to declare what functions it uses. This is done in a so called import table. Let's now take a deeper look into what takes place between the import table in the PE-file and the execution of an API call by the target.

3 basic types of information are stored in the import table. The first is DLL names, the second is function names and the third is a Thunk-RVA. The information is stored in a structure that looks something like this:

DLL1-Name
    Function1-from-dll1-name or ordinal    Thunk-RVA of Function 1 of DLL 1
    Function2-from-dll1-name or ordinal    Thunk-RVA of Function 2 of DLL 1
    ....
DLL2-Name
    Function1-from-dll2-name or ordinal    Thunk-RVA of Function 1 of DLL 2
    Function2-from-dll2-name or ordinal    Thunk-RVA of Function 2 of DLL 2
    ....
...

What windows does while loading the PE-file is traverse through this table following this "pseudo code":

While more DLL's do {
    Load DLL into process addressing space
    While More Functions imported from current DLL do {
        Find address of Function and write this to the Thunk-VA for this Function
    }
}
END Load Imports

The function may be listed by name or something called ordinal. In every DLL each function that it exports for use by other programs is listed in an export directory (which is where windows finds the address of the imported function); in this list each DLL is assigned a number and usually a name too. The number is called ordinal. Importing can be done either by referencing this ordinal value or by using the name.
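The import table walk and the loader's resolution loop described above, as an added example that is not the author's code: it builds a constructed PE32 file with a single .idata section, enumerates each DLL, each imported function (by name or by ordinal) and its thunk RVA, fills the IAT the way the loader pseudo-code does, and, from the defender's side, re-checks every IAT slot against the expected export address so that a swapped thunk pointer stands out. The addresses in SAMPLE_EXPORTS, the ordinal 0x1C5 and the file it builds are all constructed for the example (the file is a header skeleton, not something Windows would run).

```python
import struct

# Constructed stand-ins for the export addresses a real loader would look up (assumed, not real).
SAMPLE_EXPORTS = {
    ("kernel32.dll", "CreateProcessA"): 0x7C802367,
    ("kernel32.dll", "WriteProcessMemory"): 0x7C802213,
    ("user32.dll", "MessageBoxA"): 0x7E4507EA,
    ("user32.dll", 0x1C5): 0x7E4503B0,
}

def sample_resolver(dll, func):
    return SAMPLE_EXPORTS[(dll.lower(), func)]

def read_headers(data):
    """Check the MZ/PE signatures; return (is_pe32plus, import_dir_rva, section_table)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B          # PE32+ magic
    # DataDirectory[1] is the import directory; the array starts at 96 (PE32) or 112 (PE32+)
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    return is64, imp_rva, secs

def rva_to_off(secs, rva):
    """Translate an RVA to a file offset through the section table."""
    for vsize, va, rawsize, raw in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def parse_imports(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR list: [(dll, name_or_ordinal, thunk_rva), ...]."""
    is64, imp_rva, secs = read_headers(data)
    if imp_rva == 0:
        return []
    cstr = lambda rva: data[rva_to_off(secs, rva):].split(b"\0", 1)[0].decode("ascii")
    tsize, tfmt = (8, "<Q") if is64 else (4, "<I")
    ordinal_flag = 1 << (tsize * 8 - 1)
    result, d = [], rva_to_off(secs, imp_rva)
    while True:
        oft, _stamp, _fwd, name, ft = struct.unpack_from("<IIIII", data, d)
        if name == 0 and ft == 0:                       # all-zero descriptor ends the list
            break
        dll, table = cstr(name), (oft or ft)            # lookup table if present, else the IAT
        for idx in range(65536):                        # bounded so a corrupt table cannot spin
            entry = struct.unpack_from(tfmt, data, rva_to_off(secs, table) + idx * tsize)[0]
            if entry == 0:
                break
            func = entry & 0xFFFF if entry & ordinal_flag else cstr(entry + 2)  # +2 skips hint
            result.append((dll, func, ft + idx * tsize))  # IAT slot (thunk RVA) for this import
        d += 20
    return result

def bind_imports(data, resolver):
    """The loader's pseudo-code: write the resolved address into every IAT slot."""
    is64, _, secs = read_headers(data)
    fmt, img = ("<Q" if is64 else "<I"), bytearray(data)
    for dll, func, thunk_rva in parse_imports(data):
        struct.pack_into(fmt, img, rva_to_off(secs, thunk_rva), resolver(dll, func))
    return bytes(img)

def check_iat(data, resolver):
    """Defender-side check: IAT slots whose pointer is not the expected export address."""
    is64, _, secs = read_headers(data)
    fmt, bad = ("<Q" if is64 else "<I"), []
    for dll, func, thunk_rva in parse_imports(data):
        actual, expected = struct.unpack_from(fmt, data, rva_to_off(secs, thunk_rva))[0], resolver(dll, func)
        if actual != expected:
            bad.append((dll, func, actual, expected))
    return bad

def build_sample_pe():
    """Constructed PE32 file: headers plus one .idata section holding an import table."""
    IDATA_RVA, IDATA_RAW = 0x1000, 0x200
    wanted = [("KERNEL32.dll", ["CreateProcessA", "WriteProcessMemory"]),
              ("USER32.dll", ["MessageBoxA", 0x1C5])]               # 0x1C5: import by ordinal
    blob = bytearray(20 * (len(wanted) + 1))                      # descriptors + null terminator
    def add(b):                                                   # append to .idata, return its RVA
        rva = IDATA_RVA + len(blob)
        blob.extend(b)
        return rva
    for i, (dll, funcs) in enumerate(wanted):
        name_rva = add(dll.encode() + b"\0")
        thunks = [0x80000000 | f if isinstance(f, int)
                  else add(b"\0\0" + f.encode() + b"\0") for f in funcs] + [0]  # hint 0, name
        oft = add(struct.pack("<%dI" % len(thunks), *thunks))       # import lookup table
        ft = add(struct.pack("<%dI" % len(thunks), *thunks))        # IAT, rewritten by the loader
        struct.pack_into("<IIIII", blob, 20 * i, oft, 0, 0, name_rva, ft)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)        # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, 224-byte opt
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, IDATA_RVA, len(blob))         # DataDirectory[1] = imports
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), IDATA_RVA, 0x200, IDATA_RAW, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(IDATA_RAW, b"\0") + bytes(blob).ljust(0x200, b"\0")
```

Running parse_imports over a real executable works the same way, since the section table handles the RVA-to-offset translation; check_iat is only meaningful on an image whose IAT has been filled in.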
What the program then does when it's in need of the API function is this:

    CALL DWORD PTR [Thunk-VA of needed function]

Let's for a second imagine that we could stop execution of the target process right before it started and then inject our own code into its address space. Then we could simply replace the value at any Thunk-VA with a pointer to our own code, and our code would be executed every time the program decided to use this API. We could even save the old pointer and use this to chain to the original intended API code. Weeeeeee.. "Isn't this just great?" as Oprah Winfrey would say. "No, it is not", as I would reply. We are left with a new problem. Or rather two. The first is stopping execution of the target process before the program runs the first instruction, so that we can be sure that our new pointers are in order. Second, we're left with the great problem of having code in the target's address space.

Solving one problem at a time, we start by examining how we can stop our target process. Many people always state that Windows is overbloated, and perhaps they are right - but in this case I'd say that it's damn convenient that MS engineers made a full-featured debug interface while designing API calls, so that we could, with the greatest of ease, program a debugger without having to do the low-level work ourselves. In fact they made it so that not one line of ring 0 code has to be written to make an application debugger. "Isn't this just great?" as Oprah would phrase it. "Yes it is, ma'am", as I would reply. Because it gets even better. Windows engineers must've actually been thinking the day they made Windows. What good is a full-featured debug interface if the poor programmer has to make a PE loader before he can even start debugging? Hey, after all, they already made a loader, and they decided to be helpful. CreateProcessA can open a process in debug mode.
This means that inside most of Windows' procedures hide status breakpoints that'll turn over control to our debugger through that interface. One of these status breakpoints triggers just before Windows is about to turn over control to the just-loaded PE file. Convenient! Obviously, if a process is in debug mode, execution is suspended every time a debug event occurs. A debug event is any non-handled exception. Page faults, breakpoints, division overflows, etc. And there are 6 different types of status breakpoints inside Windows that'll be triggering like Rambo in Iraq. So basically we need to send a message from our debugger process that it's OK to continue every time we have encountered such an event. Of course, if it's the event we've been looking for, we need to do whatever it is we wish to do before giving the green light to run on. This is the reason behind the loop of kernel32!WaitForDebugEvent and kernel32!ContinueDebugEvent in my code.

So now we know how to stop the program before it actually started. If you read the previous section you'll know how to exchange pointers. This leaves us with a grave problem: injecting our code into the target's address space. Now this can be done in many ways indeed. We'll just be looking at the one I chose. What I'll try to obtain is making the program load a DLL for me. This of course isn't something the program is willing to do without force. Fortunately, for the moment I'm President Clinton and the Security Council has agreed to bomb the target until it conforms to my ideas.

The scene is set at the status breakpoint just before the target is about to start execution. It is fully loaded and ready to go. However, we're sitting comfortably with it suspended, far far away in our own address space. The first thing we've got to agree on is what it is we actually want the target to do: load OUR DLL, find the process address of OUR function, replace the one found at the Thunk-VA of the original.
We now construct code that will do just that, in delta offset so that it can be inserted anywhere. Prior to actually running the program we found a page within the target that allowed execution. Most pages in the target allow execution, but we just need one. We now read the page out of the process space of the target into our own and store it safely. This is done through another subfunction of INT 2eh which of course also overrides page protection etc. The API is: kernel32!ReadProcessMemory. See Natzgul's essay for a more thorough breakdown of this function. Now we write our own code that loads a DLL, finds the address of our function and replaces the Thunk-VA entry of the function with ours.

Now we're ready to go? No. We're left with the problem that execution should be left otherwise unchanged, so that we've written a page somewhere is bad news. So in addition to the code we appended we add an INT 3 which, when executed, will cause a debug event and once more suspend the target, allowing us to restore the page. Unfortunately EIP of the target does not necessarily point to our page; further, we use all the registers and those need to be restored too. So where do we turn? Windows internal knowledge. Upon creation, that is prior to running any actual program code, any one process has one and only one thread. Further, Windows allows debuggers to fetch the context of a thread, that is all relevant information about the thread's current status. Such a context was originally intended for preemptive multitasking, so that whenever the OS suspended execution of the thread to do another, the context was saved, the address space swapped, and another thread's context was restored, its process's address space swapped in place, and it was allowed to continue. One should be aware that while a thread indeed has full context, it's partly shared with that of the other threads in the process. E.g. the FPU is shared between threads in a process.
Since we only got one thread in our process, the terms thread and process are incidental. We of course now read the context of our target's single thread, save it, then change the EIP in it and reset it to point to our page of code in the target process space. Of course our code will now execute till the INT 3 we inserted is reached, then it's suspended and control is back with us. We now reset the context of the thread and restore the page we abused for our code. Then we simply let it run.

There is one last unfortunate thing about letting it run. If a process was created in debug mode it stays in debug mode till it's terminated. That means that we need to stay in a loop of WaitForDebugEvent/ContinueDebugEvent until that time where the process is actually terminated, or the program will suspend itself and wait for our instructions. This wasn't too smart, MS!

Practical notes on the debug approach

A last side note should be mentioned here. While I was doing this code I encountered a bug in Windows NT Workstation 4.0 build 1381. It might exist on other versions too. Code inside Windows looks like this:

    mov eax, [offset of context storing space in debugger code] ; this is obviously a parameter
    mov ebx, [temporary variable containing ring level of debugger]
    test eax, ebx
    jnz insufficient_security
    everything OK.

Obviously this is wrong. To overcome this bug make sure that the offset where you store your context, AND'ed with 3, is 0.

Further, finding the Thunk-VA of an imported function can easily be done by dumping the PE file with Matt Pietrek's PE-dump or similar. He gives the first thunk for each DLL; if your function isn't the first you add 4 bytes each time you need to move a line down to find your function.
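Editor's added example, not part of Stone's doc or the sourcecodes on his page: the C below lays out a constructed import directory (descriptor list, import name table, IAT and hint/name entries) in a buffer standing in for a mapped module, resolves it the way the loader's "Load Imports" loop does, calls through a Thunk-VA slot, then swaps one slot for a hook that chains to the saved original and hands the program a frozen tick count, which is the "return fake values" case the doc describes. It models a PE32+ image so that the 8-byte thunk entries can hold a real host function pointer; on the PE32 targets Stone is writing about the entries are 4 bytes, which is what his "add 4 bytes per line" note about PE-dump output refers to. The DLL names, RVAs and the fake_* "exports" are constructed sample data, and the hook is installed in-process rather than through WriteProcessMemory and a thread-context switch as in his code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_IMPORT_DESCRIPTOR: one per imported DLL; the list ends with an all-zero entry. */
typedef struct {
    uint32_t OriginalFirstThunk;   /* RVA of the import name table (INT)  */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                 /* RVA of the DLL name string           */
    uint32_t FirstThunk;           /* RVA of the IAT: the "Thunk-VA" slots */
} ImportDescriptor;
#define IMAGE_ORDINAL_FLAG64 (1ULL << 63)   /* entry imports by ordinal and has no name */
/* Constructed stand-in for a mapped PE32+ module: RVA == offset into image[]. */
static _Alignas(16) uint8_t image[4096];
enum { RVA_DESC = 0x100, RVA_INT1 = 0x200, RVA_INT2 = 0x220, RVA_IAT1 = 0x300, RVA_IAT2 = 0x320,
       RVA_DLL1 = 0x400, RVA_DLL2 = 0x410, RVA_FN_TICK = 0x500, RVA_FN_EXIT = 0x520, RVA_FN_MSGBOX = 0x540 };
typedef uint64_t (*import_fn)(void);
/* Stand-ins for the exporting DLLs' real functions (constructed; no Windows here). */
static uint64_t fake_GetTickCount(void) { return 1000; }
static uint64_t fake_ExitProcess(void)  { return 0; }
static uint64_t fake_MessageBoxA(void)  { return 1; }
static void put_hint_name(uint32_t rva, const char *name) {   /* IMAGE_IMPORT_BY_NAME */
    image[rva] = image[rva + 1] = 0;                           /* WORD Hint            */
    strcpy((char *)image + rva + 2, name);                     /* then the ASCII name  */
}
/* Lay the import directory out the way a linker would; returns the number of imports. */
int build_image(void) {
    ImportDescriptor *d = (ImportDescriptor *)(image + RVA_DESC);
    uint64_t *int1 = (uint64_t *)(image + RVA_INT1), *int2 = (uint64_t *)(image + RVA_INT2);
    memset(image, 0, sizeof image);
    d[0] = (ImportDescriptor){ RVA_INT1, 0, 0, RVA_DLL1, RVA_IAT1 };
    d[1] = (ImportDescriptor){ RVA_INT2, 0, 0, RVA_DLL2, RVA_IAT2 };  /* d[2] stays zero */
    strcpy((char *)image + RVA_DLL1, "KERNEL32.dll");
    strcpy((char *)image + RVA_DLL2, "USER32.dll");
    put_hint_name(RVA_FN_TICK, "GetTickCount");
    put_hint_name(RVA_FN_EXIT, "ExitProcess");
    put_hint_name(RVA_FN_MSGBOX, "MessageBoxA");
    int1[0] = RVA_FN_TICK; int1[1] = RVA_FN_EXIT; int1[2] = 0;
    int2[0] = RVA_FN_MSGBOX; int2[1] = 0;
    /* On disk the IAT is a copy of the INT; the loader overwrites it with addresses. */
    memcpy(image + RVA_IAT1, int1, 3 * sizeof *int1);
    memcpy(image + RVA_IAT2, int2, 2 * sizeof *int2);
    return 3;
}

/* Walk the descriptors; return the IAT slot the target's CALL [Thunk-VA] reads, or NULL.
 * (A real loader matches DLL names case-insensitively; strcmp keeps this short.) */
uint64_t *find_thunk(const char *dll, const char *func) {
    for (const ImportDescriptor *d = (const ImportDescriptor *)(image + RVA_DESC); d->Name; d++) {
        if (strcmp((const char *)image + d->Name, dll) != 0) continue;
        const uint64_t *name_entry = (const uint64_t *)(image + d->OriginalFirstThunk);
        uint64_t *iat_entry = (uint64_t *)(image + d->FirstThunk);
        for (; *name_entry; name_entry++, iat_entry++) {
            if (*name_entry & IMAGE_ORDINAL_FLAG64) continue;   /* by ordinal: no name to match */
            if (strcmp((const char *)image + (*name_entry & 0x7fffffff) + 2, func) == 0)
                return iat_entry;
        }
    }
    return NULL;
}

/* What the loader does per import: find the export and write its address into the IAT. */
int resolve_imports(void) {
    static const struct { const char *dll, *name; import_fn fn; } exports[] = {
        { "KERNEL32.dll", "GetTickCount", fake_GetTickCount },
        { "KERNEL32.dll", "ExitProcess",  fake_ExitProcess  },
        { "USER32.dll",   "MessageBoxA",  fake_MessageBoxA  } };
    int n = 0;
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++) {
        uint64_t *slot = find_thunk(exports[i].dll, exports[i].name);
        if (slot) { *slot = (uint64_t)(uintptr_t)exports[i].fn; n++; }
    }
    return n;
}

/* The target's call site: CALL QWORD PTR [Thunk-VA]. */
uint64_t call_import(const char *dll, const char *func) {
    uint64_t *slot = find_thunk(dll, func);
    return slot ? ((import_fn)(uintptr_t)*slot)() : (uint64_t)-1;
}

/* Install a hook: save the old pointer for chaining, then overwrite the slot. */
int hook_import(const char *dll, const char *func, import_fn repl, import_fn *saved) {
    uint64_t *slot = find_thunk(dll, func);
    if (!slot) return 0;
    *saved = (import_fn)(uintptr_t)*slot; *slot = (uint64_t)(uintptr_t)repl;
    return 1;
}

/* Our replacement: chain to the saved original, then feed the program a frozen clock. */
static import_fn orig_GetTickCount; static int hook_calls; static uint64_t last_real_tick;
static uint64_t hooked_GetTickCount(void) { hook_calls++; last_real_tick = orig_GetTickCount(); return 0; }

int main(void) {   /* stand-alone demo run */
    build_image(); resolve_imports();
    printf("before hook: GetTickCount = %llu\n", (unsigned long long)call_import("KERNEL32.dll", "GetTickCount"));
    hook_import("KERNEL32.dll", "GetTickCount", hooked_GetTickCount, &orig_GetTickCount);
    printf("after hook:  GetTickCount = %llu (real %llu)\n", (unsigned long long)call_import("KERNEL32.dll", "GetTickCount"), (unsigned long long)last_real_tick);
    return 0;
}
```

On a real target the slot lookup is the same walk over the descriptor list found through the import data directory, rebased on the module's load address; the difference is only where the write comes from, which in Stone's approach is the injected DLL running inside the target, or WriteProcessMemory from the debugger side when the page's protection would otherwise refuse it.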
The sourcecodes for this can be found at: ********************************************

------------------------------------------------------------------------
--- The MessageHook Approach

Forthcoming source is forthcoming.

---------------
Literature

MadMax (1998) - Cracking using kernel32??, by MadMax, Feb 1998. ******************
Natzgul (1998) - Unknown title, by Natzgul, Jan 1998. ******************
Pietrek, Matt - Windows 95 System Programming Secrets, IDG Books 1995.
Various sourcecodes by Me :).. all can be found on my page ************************

Thanks must go to:
Patriarch / PWA, friend, roommate and local expert.
Random / Xforce, God of the PE format.
Net Walker / Brazil United Cracking Force, my personal benefactor.
All of which I had many enlightening discussions with.

email: ************
*****************

Stone/UCF'98
2nd&mi!

----- doc end

kind regards
Stone / United Cracking Force '98

btw - I just updated my page.. something interesting might be there..

-----#3-------------------------------------------------
Subject: Timelock 3

Greetings all!

Have you looked at Timelock 3? This protection is used for Zurfrider, among many other programs. It uses this file as a part of its protection scheme: tl303inj.dll. I just looked inside it and saw this:

********************************************
?PleaseTraceIntoMe_MrCracker

Is that a challenge or what? These people must be very confident of their protection or stupid or both. In looking at the protection, I note that the unlock key uses dual key encryption. I also see CRC checking.

Zinger

-----#4-------------------------------------------------
Subject: Re: NE-Files

Someone asked for info on the NE header. AFAIK there should be something in VLAD #4 or #5, where they create the Win 3.1 infecting virus. I never read it though, so I can't say anything about the quality.
Cya,
Halvar

______________________________________________________
Get Your Private, Free Email at **********************

-----#5-------------------------------------------------
Subject: gthorne - virus stuff

Message Body =

Poking around the net I found one of the more interesting virus essay sites I have ever seen. Quite informative as well as interesting to read: ************************************

On a similar note, I have a strange occurrence here lately - one which I am not finding any references to on the net, but it has surprised me a bit. It is clear that flash BIOS can be overwritten - hence the reason for flash BIOS.

A friend of mine had a virus recently and it basically screwed things up on his hard drive, so he sent it to Western Digital to repair it... The company sent it back to him and told him they will not fix it. They said it has on it a virus that blows BIOS, and that is not surprising since his drive was not detecting and such. The interesting thing is - they said it BLOWS BIOS... not erases flash BIOS, and since he does not have flash BIOS anyway, this really boggled me.

I admit anything is possible, but without having seen anything remotely indicating this capability in a viral infection, it is rather unlikely to me that it does what they said it does. The thing that bugs me is that Western Digital made that statement to him as their reason for not working on the drive (could be a know-nothing-tech-wannabe of course). Anyway, I may end up calling WD tech support to see if I get the same story.

+gthorne

=====End of Issue 167===================================

========================================================
+HCU Maillist Issue: 168 03/18/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:.......
****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Re: +HCU ML Issue 166
#2 Subject: Re: +HCU ML Issue 167
#3 Subject: CCh

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: +HCU ML Issue 166

> Subject: Editeur
> I'm currently trying to crack Editeur V3.4, I've located the
> function that displays the "Incorrect Reg Key" message but both
> W32Dasm and IDA say that it isn't called by anything. I'm
> thinking self-modifying code? Would it also do this if called
> by an external file? Any ideas?
> Joe

As I remember from some version of Editeur I cracked, the fastest way to crack it is to open the exe with a resource editor and change the 'unregistered' string to something else. (It'll read 'unregistered' from the cfg file, compare it with this, and if this isn't the same, you must be registered...) Also, getting your own name in wasn't very hard; I dunno if they changed this, but self-modifying code? I don't think so. Try to locate the code before the 'incorrect key' message and look for something like 'JMP EAX+00123456', or with SoftICE put a bpx on the first instruction that you don't see where it's called from, and when it snaps, trace a few instructions back:

    BPR code_address1 code_address2 T    (take a big chunk b4 & after)

then:

    TRACE number_of_instructions_to_start_with

Use XP, XT & XG to step, goto etc.

+SNiKkEL

-----#2-------------------------------------------------
Subject: Re: +HCU ML Issue 167

Hello all,

I am trying to write a trainer for a REALLY old DOS game (First Samurai, 1992). I have found all the places where I want to patch; my problems arise when it comes to locating the keyboard routine. The prog hooks interrupts 8h, 9h, ah, 23h, 24h. Int 9h is in fact the one where the keyboard routine takes place. Unfortunately, the program itself does not execute INT 9h once.
I thought perhaps it reads the address straight out of the interrupt vector table and then RETs to it, but a BPMD on 0000:0024h did not yield any result either. Which other ways are there this prog could call int 9?

Halvar

-----#3-------------------------------------------------
Subject: CCh

Here's my short test program I used to try to detect CCh insertion in SICE:

begin 644 test.com
*************************************************************
?="!T<F%C960N)%1H92!C86QL('=A<R!T<F%C960N)&0N
`
end

I tested this using Debug, TD and SICE/DOS 2.80. The program reads the byte after the call instruction to see if a CCh is placed there. The theory is that a debugger will place a CCh over the byte following the call to step over the call. Tracing through the entire call won't trip this. Debug and TD both trip the program. SICE steps over it without problem.

Now, I'm not sure if SICE/WIN95 supports .com file debugging so I wrote a similar exe:

begin 644 test2.exe
*************************************************************
M```````````````````````!````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
M````````````````````````````````````````````````````````````
*************************************************************
*************************************************************
*********************************************
`
end

Now, for some reason SICE hangs when I use the dldr utility.
This is probably due to something going wrong when I upgraded to 3.22 from version 3.01, as I have used the dldr utility before. Will someone tell me if the same results are found under SICE/WIN95 and if COM files are supported? I don't have time at the moment to fix my copy of SICE. Thanks.

Stone, will you send your test files too so I can see if I get the same results as you.

~~ Ghiribizzo

=====End of Issue 168===================================

========================================================
+HCU Maillist Issue: 169 03/19/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Internet privacy
#2 Subject: IDA offsets
#3 Subject: Bighead+KeyText
#4 Subject: Internet privacy

ARTICLES:

-----#1-------------------------------------------------
Subject: Internet privacy

Just a quick note to ask if anyone on the list uses the Junkbuster proxy on their system? If so, what do they think of the degree of privacy/anonymity it provides? I test it out by visiting Fravia's anonymity (does this word exist?) page. I can't see any information about myself, but, of course, who knows what goes on behind the scenes ;} I use it chaining through various other proxies without a great loss of speed. I still switch off JavaScript and Java just in case.

Regards,
Zipper49

-----#2-------------------------------------------------
Subject: IDA offsets

I just have a simple question. [EBX+ESP+180h+var_148] in IDA is the same as [EBX+ESP+38] in SoftICE.. Why does IDA do it that way?
-----#3-------------------------------------------------
Subject: Bighead+KeyText

Hi bighead, I read your message in the ML and tried KeyText too. I don't know how important the keymaker is for you, but I patched 8 bytes in keymaker.exe and the prog runs well except that I can use only 5 items (I had not much time to look further on).

NiKai
5777852 (ICQ)

-----#4-------------------------------------------------
Subject: Internet privacy

Good evening. This may not be exactly on-topic, but I wondered if anyone else on the list uses Junkbuster. If so, what is the opinion on the amount of privacy/anonymity provided by it? I tried it out on Fravia's privacy pages and no information about myself showed up (that's you bozo). However, who knows what might be going on behind the scenes, as Fravia so rightly tells us? Just to be on the safe side I still navigate with both Java and JavaScript disabled (my main interest is information, not twiddly bits).

Regards,
Zipper49

PS I tried to send a similar message earlier, but my connection died halfway through, so please accept my apologies if this is a duplicate.

=====End of Issue 169===================================

========================================================
+HCU Maillist Issue: 170 03/20/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:.......
****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:
#1 Subject: Stone's Doc, hotmail probs
#2 Subject: BB
#3 Subject: Timelock v3
#4 Subject: none
#5 Subject: To patch EXE file

ARTICLES:

-----#1-------------------------------------------------
Subject: Stone's Doc, hotmail probs

Stone, you asked a few days ago for comments on your doc on run-time patching; here are mine:

I don't think the doc is too dry as you feared. It makes all points clear, and has the length that's necessary to bring the point across. Trying to "make it less dry" would lead to a too long doc. Well, you'll have to read some sentences twice (at least I had to), but that's the same all over. The content does a great job of making the source code on your page totally clear to everybody. All in all, I like that doc a lot; it pulled a few things together for me.

----------

Concerning Hotmail: Well, I guess I'll finally have to get a new (decent) POP account from somewhere, since Hotmail just deleted ALL messages I received after Feb 1st, including the question I asked yesterday :-((

Where was the Web-Repository of the mailing list again?

HalVar

-----#2-------------------------------------------------
Subject: BB

>This may not be exactly on-topic, but I wondered if anyone else on the
>list uses Junkbuster.

From what I remember, there was a page on Fravia's which showed a list of people accessing it (using the watches); however, the list wasn't generated 'in real time'. That is, it was just a page from a log on a specific date at a specific time, so even if you were logged, you wouldn't be on there (unless by some fluke you were captured at that time as well). Anonymity is quite hard to achieve, the main nuisance being the delay when using services like 'anonymizer'.
You could always use other services such as the one at w3mail at gmd.de which responds fairly quickly. You must also be careful when you post to the 'Reverse Engineering Forum', as the server stamps a time onto your messages, so that, for example, Fravia would only have to watch a few of your posts to the forum and compare times to quickly discover your originating IP (unless of course you were careful). This is why you should never post to the forum and surf unguarded. Blocking Java and JavaScript can also help, and in any case I find JavaScript to be more of a nuisance than anything else.

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Timelock v3

Hello Everyone,
Hello Zinger

**********************************************

>>?PleaseTraceIntoMe_MrCracker
>>Is that a challenge or what? These people must be very confident
>>of their protection or stupid or both.

The information is at Fravia's website, an essay or a snippet. If you are aware of this, then disregard this message.

cheers
Rundus

-----#4-------------------------------------------------
Subject: none

hi halvar,

> int 9h is in fact the one where the keyboard routine takes place.
> Unfortunately, the program itself does not execute INT 9h once.
> I thought perhaps it reads the address straight out of the interrupt
> vector table and then ret's to it, but a BPMD on 0000:0024h did not
> yield any result either. Which other ways are there this prog could
> call int 9 ?

Hmmm, int 9? It does not read the keyboard through int 16h or by reading/writing directly to the hardware port? Anyway, about the breakpoint above, I think you'd better set an execution breakpoint on the contents of vector 9, I mean *(24h).

cu
SiuL+Hacky

-----#5-------------------------------------------------
Subject: To patch EXE file
Hello all,

I am trying to patch an exe file. The program reports a device error when I try to run it. Also SoftICE cannot load it anymore. (It seems that the loader checked the file before running it.) This never happened to me before. It is really strange.

It's a 16-bit program named HTML2EXE which comes from *********************************************** (only useful for learning cracking :o)

Regards

+OldP!G

=====End of Issue 170===================================