PDA

View Full Version : Calling C++ function from a disassembled program


TrigZu
June 19th, 2012, 23:13
How do?

To give a bit more detail, I'm trying to make a keygen for a program.
I won't claim to know all the details of how the key is generated (too many ASM instructions for me to follow), but I know where the key is in the stack at a particular time. I figured that I would turn the program into it's own keygen by jumping to a code cave and passing the key to a C++ program that I'll make that simply outputs the string it's passed. I'm sure this is possible, I just don't know how (never done this before).

I could easily patch the .exe, but I really want to make a keygen other people can use, otherwise I'll have to patch the program each time a new version is released.

I also considered just copy pasta'ing the ASM and using inline ASM in a C++ program to generate the key, but my gut says there's no way in hell that's going to work.

I've looked into the cdecl calling conventions, which I think is where I need to get started.
http://en.wikipedia.org/wiki/X86_calling_conventions#cdecl
http://homepages.ius.edu/rwisman/C431/html/Chapter6.htm

Should I perhaps inject my code in a .dll rather than trying to call a function from a different program?
http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces

Darkelf
June 20th, 2012, 17:59
Hi and welcome to the forum.

Well, your gut is wrong. Actually that works pretty well and there are even tools available for just that purpose.
For instance, there are TMG Ripper Studio and Code Ripper. Both of them are in the CRCETL.

There is a tutorial out there from Kwazy Webbit on that issue. I don't have a link but try to google it. Maybe with "Kwazy Webbit+Self-keygenning".
I myself consider self-keygenning a bit lame but that's just my humble opinion. On the other side: if it works, why not.
Please let me encourage you to dig deeper into the disassembly and fully understand what the code does to finally write a real keygen. If you want to become a better reverser and gain more knowledge you nevertheless have to some day - so why don't just start today?

Best regards
Darkelf


edit: It wasn't "self-keygenning" but "keygen injection".

See here: http://www.woodmann.com/krobar/other/key104.html

Have fun.

FrankRizzo
June 23rd, 2012, 00:39
A LONG LONG time ago, circa '93 or so, I was hacking on this application that allowed you to send those text messages to the old alphanumeric pagers. When you entered a registration code for your computer. It would generate the correct code, and then string compare it against what you entered, and then print a message that your code was incorrect.

At the time, I wasn't really keen on doing a keygen for the application, so I changed the parameter being passed to MessageBox to point to the CORRECT value, instead of the "Incorrect Key" message, and made a keygen of sorts that way. I even changed the title of the MessageBox to be "Try this one!".

I tell you that story because you might consider doing the same sort of thing with YOUR target. Once you have it working, THEN, go back, and start studying how it generates the key. IDA Pro with HexRays could help you A LOT. Along with running your application through PeID's "Krypto Analyzer" to see if there are any known hashing algos in there.

FF

TrigZu
June 27th, 2012, 22:41
Hey guys, I've been on vacation for the past few days so I haven't had the chance to reply, but I'd like to say thanks for the help. I managed to pick up The Art of Assembly Language from my school's library before I left, and it has a nice section on "Linking Assembly Modules with C/C++ programs." Unfortunately, from what I understand of the section, the C++ and ASM have to be compiled together for it to work.

@Darkelf, thanks for the two tools and for the tutorial, I've read most of it. The tools I'll have a chance to try out once I get home, it's a shame that all of these Olly1 tools haven't been ported over to Olly2, but I guess the fact that documentation for Olly2 isn't finished yet is reason enough. As far as that tutorial goes it basically explained what I was suggesting, except that his use of the word "injection" was pretty different from the context I was using it in. Self-keygenning might be a bit lame in your opinion, but I think it's the direction I should head in for this particular software with my limited experience. I do want to make it clear though that I attempted to understand and comprehend what every line of Assembly did. I would guess I understand at least half of the email -> key assembly, but there is one particular function call (called 3 times) that's quite daunting, hundreds of lines of code that I'm not sure I want to go through and comment on.

@FrankRizzo, I had considered doing something similar to what you did, but without going into too much detail on the particulars of the software, it can't be done. The software is designed for an external piece of hardware (the Logitech G15 and it's cousins), and the only place that text appears is on a small LCD screen. To be fair I could display the key there, but that's extremely inconvenient to the user (having to manually copy that key from the small screen, paste it into a document, end the process, replace the modified binary with the original, then restart the program). I started to use IDA Pro on the program, but I didn't know about the Hex-Rays addition. I'll check that out once I get home. I was wondering if something like Krypto Analyzer existed, genius stuff right there; can't wait to check that out too.

Anywho, thanks again for the help guys, I can't wait to try out these new tools. I'll post any progress I make once I get home.