Reverse Engineer Windows Software Code protection.

August 23rd, 2012, 17:20
Hi there,

I have an automation program that has many code files inside it. The files can be locked with a login and password. When I double-click a locked file, I get a Windows popup box that already has the login information, and I just have to enter a password. If the password is wrong, it says the password is not correct. If the password is fewer than 5 characters, it says to enter more than 5 characters.

Things I have done so far:
1) Loaded the exe file into PeiD v0.95.
Entrypoint: 0006996F
File Offset: 00068D6F
Ep Section: .text
Subsystem: Win32 GUI
Nothing found [Overlay]*

Not sure what I should do here or what this information means, because the tutorials I saw had the EP section as UPX and mine is .text.

Moving On.

2a) I opened the file with OllyDbg. The whole program opened. Now when I open a project file in the program, OllyDbg steps through until I get
Exception E06D7363 - use Shift+F7/F8/F9 to pass exception to program. So I press Shift-F8, it steps through, and pauses there.
I run it again, and this time I press Shift-F7; it steps through until an error dialog box pops up:
Don't know how to step because memory at address 1C2F54F6 is not readable. Try to change EIP or pass exception to program.

2b) I restarted the program and ran it again. This time I used Shift-F9, and the whole thing ran. I went to the program and I don't see the rest of my code files. It seems the project is not fully loaded properly. I guess Shift-F9, skipping the exception, is not what I really wanted.
When I say the code files are not loaded: for those who have used Visual Studio / VB, in the solution project there are many files. Now, after I ran the program, imagine the project is there but all the files are missing. It is the same with my program here.
What should I do here?

My question here is:

1. What should I do from here on?

2. What other programs do I need to finish this reverse engineering?

3. Is there any program where, after I enter the password incorrectly, I can have the program run to the address of the popup box that gives me the wrong-password message?
I have tried SoftICE on Win XP SP2; the whole system BSODed on me.

Hope to hear from someone!


August 23rd, 2012, 17:48
More progress,

Even though I don't have the files, I am able to import the protected source code. Hurray.
Now, when I double-click my protected source code, the dialog box pops up. Apparently OllyDbg does not respond at all, even when the dialog box pops up. When I enter the wrong password, OllyDbg, under which the program runs, does not step through any code. Now the question becomes: maybe the file that I double-click is running in another DLL / EXE / something.
I used Process Explorer from Sysinternals and its "find window's process" cursor. I pointed that at the dialog box, and it leads me to the program file.exe that is opened with OllyDbg.

Now what should I do?

August 23rd, 2012, 21:37
I am able to track all the way to the DLL file that is in charge of the password protection. There are so many JE, JMP, JNZ going on. I don't know what to do next.

I have the text file, which is about 23 MB. What can I do so that somebody can assist me?

August 26th, 2012, 16:44

I did a step-through in OllyDbg, and at a certain location I got "thread xxxxxxxx terminated, exit code 0."

Is there any way I can set up a trace to figure out where it actually got terminated?

August 27th, 2012, 02:24
Thread creation starts in user mode from BaseThreadStartThunk

and ends in ntdll!ZwTerminateThread().

BaseThreadStartThunk calls
BaseThreadStart / LPTHREAD_START_ROUTINE / kernel32!ExitThread,

which calls ntdll!ZwTerminateThread.

All the magic lies in between.

Set a BP on these APIs and trace the whole sequence by hand once;

you will get to know more than you can ever hope to get as answers from forums / boards / newsgroups.

August 27th, 2012, 09:37
You can also take a quick look at the call stack window in Olly after a termination; there is usually a trail of information on what was executed before arriving at the terminated thread (the button labeled 'K').

August 27th, 2012, 10:02
Awesome, guys, I will take a look with the methods you gave.
The first program I learned to crack was Little Piano, and that was like 10 years ago. And I played with some normal programs, but now I have this huge program that calls all kinds of DLLs, and code that draws rectangles and windows. Not even sure where the real thing lies.

But I'll try for now.


August 28th, 2012, 10:07
thread Creation Starts in userMode From BaseThreadStartThunk


August 28th, 2012, 14:24
[Originally Posted by Indy;93200]False.

Do we want to muddy the waters for a noob?

If he hasn't mucked with PDBs he would have problems even finding BaseThreadStartThunk;
how is he going to find KiUserApcDispatcher or further up?


lkd> !thread 860c9590
THREAD 860c9590 Cid 0d24.08a0 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
a921e7d4 SynchronizationEvent
Not impersonating
DeviceMap e1340868
Owning Process 0 Image: <Unknown>
Attached Process 863f0588 Image: createthread.exe
Wait Start TickCount 13813501 Ticks: 86444 (0:00:22:30.687)
Context Switch Count 3
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x00401000
Start Address kernel32!BaseThreadStartThunk (0x7c8106f9)
Stack Init a921f000 Current a921e758 Base a921f000 Limit a921c000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
a921e770 80500cf0 860c9600 860c9590 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
a921e77c 804f9d72 00000000 860c9590 a921e7cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
a921e7a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
a921e884 8063a099 863f0588 00000000 a921e8bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
a921e8a8 8063a1cb a921e8bc 00000001 a921ed64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
a921e934 804fcb42 a921ed10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
a921ecf4 8053e0a1 a921ed10 00000000 a921ed64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
a921ed5c 8053e7b1 00000000 7c90e451 badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
a921ed5c 7c90e451 00000000 7c90e451 badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a921ed64)
00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x1


lkd> dt nt!_KTRAP_FRAME a921ed64
+0x000 DbgEbp : 0
+0x004 DbgEip : 0x7c90e451
+0x008 DbgArgMark : 0xbadb0d00
+0x00c DbgArgPointer : 0x3947c8
+0x010 TempSegCs : 0xa921ed98
+0x014 TempEsp : 0xa921edcc
+0x018 Dr0 : 0
+0x01c Dr1 : 0
+0x020 Dr2 : 0
+0x024 Dr3 : 0
+0x028 Dr6 : 0
+0x02c Dr7 : 0
+0x030 SegGs : 0
+0x034 SegEs : 0x23
+0x038 SegDs : 0x23
+0x03c Edx : 0x3947c8
+0x040 Ecx : 0x390000
+0x044 Eax : 0x401000
+0x048 PreviousPreviousMode : 1
+0x04c ExceptionList : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
+0x050 SegFs : 0x3b
+0x054 Edi : 0x7c92770a
+0x058 Esi : 0x390000
+0x05c Ebx : 0
+0x060 Ebp : 0
+0x064 ErrCode : 0
+0x068 Eip : 0x7c90e451
+0x06c SegCs : 0x1b
+0x070 EFlags : 0x202
+0x074 HardwareEsp : 0x50fd20
+0x078 HardwareSegSs : 0x23
+0x07c V86Es : 0x80541e02
+0x080 V86Ds : 0xf73e8b85
+0x084 V86Fs : 0x85f61010
+0x088 V86Gs : 0


lkd> .thread /p /r /P 860c9590
Implicit thread is now 860c9590
Implicit process is now 863f0588
Loading User Symbols
lkd> dd 0x50fd20 l8
0050fd20 7c901166 00000000 7c900000 00000000
0050fd30 00010017 00000000 00000000 00000000
lkd> dt nt!_CONTEXT Eip 0050fd30
+0x0b8 Eip : 0x7c8106f9
lkd> ln 7c8106f9
(7c8106f9) kernel32!BaseThreadStartThunk | (7c810705) kernel32!BaseProcessStartThunk
Exact matches:
kernel32!BaseThreadStartThunk = <no type information>


EAX 00401000 createth.ThreadProc
ECX 00390000
EDX 003947C8
EBX 00000000
ESP 0050FD20 <-------------
EBP 00000000
ESI 00390000
EDI 7C92770A ntdll.7C92770A
EIP 7C90E450 ntdll.KiUserApcDispatcher
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDC000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty +UNORM 38C8 0013FCBC 78AB2A99
ST1 empty -UNORM FF18 00000000 0013FF08
ST2 empty +UNORM 0001 78B1CB64 0000000A
ST3 empty -1.7863225356269886700e-3463
ST4 empty -UNORM FFFC 40000060 00000000
ST5 empty +UNORM 1EA0 003930B8 78B538C8
ST6 empty 0.0
ST7 empty 0.0000000000153202670e-4933
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1


7C90E450 ntdll.KiUserApcDisp>LEA EDI, DWORD PTR SS:[ESP+10]
7C90E454 POP EAX ; ntdll.LdrInitializeThunk
7C90E455 CALL NEAR EAX ; createth.ThreadProc
7C90E457 PUSH 1
7C90E459 PUSH EDI ; ntdll.7C92770A
7C90E45A CALL ntdll.ZwContinue

Log data, item 0
Message=[esp+10+0xb8] = 7c8106f9 esp+10 = 50fd30

7C8106F9 kernel32.BaseThreadStartThunk XOR EBP, EBP

August 30th, 2012, 22:10

Thanks for the info. Knowing the terms actually will help me to learn more and dig deeper.

September 12th, 2012, 10:10
Hi guys,

I was able to find the location of the username & password using Agent Ransack. It points me to a location, e.g.: 155 username?Morse?Password??91823... I notice that the 155 means it is at line 155.
I opened the file using IDA and in Hex View I was able to find the location of the username, but in the view, at the text end, it shows u.s.e.r.n.a.m.e.?.M.o.r.s.e.
In the future, how do I search for "username" without the spaces or dots?
What other program would anyone recommend for viewing and editing, other than IDA?

September 12th, 2012, 13:30
u.s.e.r.n.a.m.e. is Unicode (wchar).

September 21st, 2012, 09:02
[Originally Posted by aqrit;93240]u.s.e.r.n.a.m.e. is Unicode (wchar).

aqrit, yup, I understand it is Unicode. I guess what software do most people use to edit? For example, I want to change u.s.e.r.n.a.m.e to t.e.s.t.e.r.
Instead of entering the dots, is there software that omits the dots? Just "username", and then I change it to "tester"?

September 27th, 2012, 14:44
They are not dots.
A Unicode char is 16 bits, or 2 bytes, and English letters don't consume more than eight bits, or one byte, so the unconsumed byte remains 0x00, and since 0x00 is not a printable character it is dumped as a dot by most hex editors,

with some code like this:


#include <stdio.h>

int main(void) {
    /* 'A',0x00,'M',0x00 is "AM" in UTF-16LE; 0x80 and 0x7b exercise both range limits */
    char testfoo[] = {'A', 0x0, 'M', 0x0, 'a', 0x80, 'Z', 0x7b};
    int i;
    for (i = 0; i < sizeof(testfoo); i++)
        /* the same test a hex editor applies: anything outside 0x20..0x7e is shown as '.' */
        if (testfoo[i] < 0x20 || testfoo[i] > 0x7e)
            putchar('.');
        else
            putchar(testfoo[i]);
    putchar('\n');   /* prints: A.M.a.Z{ */
    return 0;
}


CPU Dump
Address Hex dump ASCII
004F2A86 4C 00 6F 00|77 00 20 00|6D 00 65 00|6D 00 6F 00| L o w m e m o
004F2A96 72 00 79 00|21 r y !

OllyDbg can edit Unicode strings in place as well as ASCII strings; use Ctrl+E.
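As an added example (not code from the thread, and not from any tool mentioned in it), here is a small Python script that does what the last few posts describe: it renders bytes the way a hex editor does, so you can see why UTF-16LE text comes out as u.s.e.r.n.a.m.e; it finds a string by searching for its UTF-16LE bytes instead of typing the dots; and it patches the string in place to a same-length value padded with NULs, which is what Ctrl+E in OllyDbg does for you. The byte image it works on is constructed for the example and the function names are my own.

```python
# Added example: search and in-place patch of UTF-16LE ("Unicode") strings in a binary image.
# Nothing here is from the thread; SAMPLE is a constructed stand-in for a few bytes of a real file.


def hexdump_line(data: bytes) -> str:
    """Render bytes like a hex editor's hex + ASCII columns.

    Every byte outside 0x20..0x7e is shown as '.', which is why the 0x00 high bytes of
    UTF-16LE ASCII text make "username" appear as "u.s.e.r.n.a.m.e".
    """
    hexpart = " ".join(f"{b:02X}" for b in data)
    asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)
    return hexpart + "  " + asciipart


def find_utf16le(image: bytes, text: str, start: int = 0) -> int:
    """Offset of `text` encoded as UTF-16LE inside `image`, or -1 if absent.

    Searching the encoded bytes is how you look for "username" without typing dots:
    the editor's dots are just 0x00 bytes, so encode the search term the same way.
    """
    return image.find(text.encode("utf-16-le"), start)


def patch_utf16le(image: bytes, old: str, new: str) -> bytes:
    """Replace the first UTF-16LE occurrence of `old` with `new`, keeping the file size.

    The new string is padded with 0x00 bytes up to the old length, so the field still ends
    in a UTF-16 NUL terminator and nothing after it moves. A longer replacement is refused
    because it would overwrite whatever follows the string in the file.
    """
    old_b = old.encode("utf-16-le")
    new_b = new.encode("utf-16-le")
    if len(new_b) > len(old_b):
        raise ValueError(f"{new!r} is longer than {old!r}; cannot patch in place")
    off = image.find(old_b)
    if off < 0:
        raise ValueError(f"{old!r} not found as UTF-16LE")
    new_b = new_b.ljust(len(old_b), b"\x00")
    return image[:off] + new_b + image[off + len(old_b):]


# Constructed sample image: three code bytes, then the UTF-16LE field "username",
# its NUL terminator, the UTF-16LE field "Morse" and its terminator.
SAMPLE = (
    b"\x55\x8B\xEC"
    + "username".encode("utf-16-le") + b"\x00\x00"
    + "Morse".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    off = find_utf16le(SAMPLE, "username")
    print(f"'username' found at offset {off:#x}")
    print("before:", hexdump_line(SAMPLE[off:off + 16]))
    patched = patch_utf16le(SAMPLE, "username", "tester")
    print("after: ", hexdump_line(patched[off:off + 16]))
```

Run it as a script to see the before/after hex lines. The same two steps apply to a real file: read it into a bytes object, call patch_utf16le, and write the result back; because the patched image is the same length, any checksum or offset table inside the file is the only thing that can still notice the change.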