defeating frogsice help please


daze666
December 25th, 2001, 09:29
Hi,

As I'm always in search of reversing knowledge, I tried to reverse frogsice yesterday. I wrote a little program that installed a SEH handler, put 'BCHK' in EBP, so that Frogsice would detect it.

In earlier versions of frogsice (v.40), frogsice would install an int 3 hook, by calling Hook_V86_Int_Chain with eax=3. If an application called INT 3, the frogsice handler would be invoked, which would check for EBP=BCHK and if so, it could replace the original INT 3 opcode with a division by zero, so the original SEH handler would still be called.

However, in the latest version of Frogsice (v1.0 and higher), Hook_V86_Int_Chain is called only once, and eax is not 3, so it doesn't install an int 3 hook chain anymore. Also, it doesn't replace the original int 3 instruction anymore, but the original SEH handler is still called !?!?! I tried to intercept the int 20 calls, so I would see which VMM call would be used to accomplish the int 3 hook. The only suspicious call is 'Install_Exception_Handler', but I found it had nothing to do with the int 3 hooking. I am clueless now. Does anybody know how Frogsice checks for int 3 SEHs? Any information would be greatly appreciated! Thanks,

Daze
BTW, no , I'm not a commercial protection writer, just a newbie/medium cracker in search of knowledge :-)

daze666
December 27th, 2001, 15:30
I already thought that a delicate subject like 'hacking frogsice', THE utility of OUR community :-) would not get too much response :-) Anyway, I spent some quality time reversing frogsice the last days and learned a lot. For example, I thought that the only way to hook an interrupt was to call Hook_V86_Int_Chain, never knew you could do it "manually" :-) Anyway, found out a lot, but I think that a lot of ppl would not like me to make the life of protectionists easier, so I won't discuss it here :-) Keep up the good work,
Daze

Snatch
December 28th, 2001, 04:12
Yes, and the people who do not want that are the lamers in these large cracking groups that just want to have it easy. The rest of us are in this as a learning experience and don't want to make trivial cracks. Please do describe what you learned. Share the knowledge. Better protections are what the cracking community is all about.

Snatch

Kayaker
December 28th, 2001, 05:10
Quote:
Originally posted by Snatch
Yes, and the people who do not want that are the lamers in these large cracking groups that just want to have it easy. The rest of us are in this as a learning experience and don't want to make trivial cracks. Please do describe what you learned. Share the knowledge. Better protections are what the cracking community is all about.

Snatch


Hi,

I can't help but echo that sentiment, let alone that learning more about hooking interrupts would be very interesting. At your own discretion Daze666.

Regards,
Kayaker

daze666
December 28th, 2001, 13:06
Hi Snatch & Kayaker,

I agree with you, but there are some points of concern here. Let's say that +Frogs released a tutorial with a few ways to detect his own frogsice. This tutorial would be about detection tricks that he could not find a solution for (otherwise he would have implemented it :-). Stupid commercial protectionists could then simply copy & paste the code and charge tons of money for their protections (I already saw a 'VB plugin' which would return a simple 'TRUE' or 'FALSE' for softice detection. Completely useless protection, but the coder charges $65 for it !!!). Now, I think it would be a bad thing if these stupid ppl could simply copy & paste some code to make a GOOD protection, without ANY effort (only the effort of the cracker, for giving the protectionists the information; the protectionists wouldn't even have to understand the detection routines, just copy and paste it).

I spent a lot of time reversing Frogsice the last few days and learned a lot about Ring0, VxD programming and the VMM. I found 2 ways to detect Frogsice (well, actually 3, but one is not completely bulletproof). As said, I don't think it's a good thing to take stupid protectionists to a higher level, so I won't post them here (don't bother asking). However, as I came here to ask for information about the Frogsice interrupt hooking in the first place, I can't deny you my findings on this subject.

This is not some 'completely new' information, there is a lot about it on the internet. It was new for me though :-) Ok, this is how Frogsice hooks interrupts:

sidt IDT_address                ;store the 6-byte IDTR image (limit, base) at mem location 'IDT_address'
mov ebx, offset IDT_address+2   ;skip the 2-byte limit
mov ebx, [ebx]                  ;ebx = linear base address of the IDT
add ebx, 24                     ;interrupt number * 8 bytes, int 3 in this example, so ebx points to the int 3 gate now

mov dx, [ebx+06]                ;get high word of the old int 3 handler address
shl edx, 10h
mov dx, [ebx]                   ;get low word
mov eax, offset Save_adres      ;see below
add eax, 1                      ;skip the 'push' opcode byte, eax now points at its 32-bit operand
mov [eax], edx                  ;save old int 3 address

mov eax, offset I3hook          ;pointer to new int 3 procedure
cli                             ;let CPU ignore maskable external interrupts before installing the new gate
mov [ebx], ax                   ;save low word to IDT
shr eax, 10h
mov [ebx+06], ax                ;save high word to IDT
sti                             ;let CPU respond to interrupts again

I3hook is the address of the new int 3 hook procedure (the one Frogsice installs). The old Int 3 procedure address (pointing to Softice if it's running, or to the VMM if it's not) is saved and pushed upon exit of the frogsice int 3 hook procedure and followed by a ret. The frogsice int 3 procedure looks as follows (before it is installed):

Frogsint3_proc_begin:
....
cmp {did user check the 'int 3 hook' option}
jne Save_adres
.....
.....
cmp firsttime, 0
jne Execute_Org_Int3
......
.......
push 00000000           ;<- replaced by original INT 5 hook
ret
....
Save_adres:
push 00000000           ;<- replaced by previous INT 3 hook (softice or VMM)
ret
Execute_Org_Int3:
......
push 00000000           ;<- replaced by VMM INT 3 hook
ret

So, as you see, the 'push 00000000' is overwritten with the old int hook addresses, by code like the mov [eax], edx instruction in the procedure above, so after executing this new hook procedure, it always returns to the previous procedure. Well, not always :-) If you check the 'Hook int 3' option in Frogsice, frogsice will NOT return to the previous hook procedure, but will chain to the previous INT 5 hook (Frogsice also hooks a new procedure to INT 5, so this one chains to the 'previous' INT 5). After that, the same code is executed again, but this time the hook chains to the VMM INT 3 hook.
This is used to 'defeat' the 'BCHK' detection. Softice will not see the 'BCHK' value, because int 3 is simply not passed to softice anymore !! This explains why the 'i3here = true' in softice doesn't break anymore and why your program crashes if you set a bpx in softice (softice puts a 'CC' on your breakpoint address, but since softice doesn't handle the INT 3 anymore, your original code isn't restored over the 'CC' code again and your program will crash because of this mangled code).

That's it, I won't say no more :-) If you want to know more, reverse it yourself and study a lot of Ring0/VxD info/sources/tutorials (there are not too many good ones though; ironically one of the better ones is the Frogsice v.40 sourcecode :-)
A last hint though, to make reversing frogsice easier: frogsice encrypts itself in memory, to prevent detection. It decrypts before execution and then encrypts right after. This is done by a simple XOR (at least in version 108_9). For reversing purposes, it's a pain in the ass, so just remove it. In version 108_9, win98 version, nop the following 4 bytes:
00007037: 90 30
00007038: 90 02
00007647: 90 30
00007648: 90 06
Have Phun,

Daze
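The gate layout that the sidt/mov sequence above works on, modelled in C as an added example (my own code, not Frogsice's or Daze's): it splits and re-joins the 16+16-bit handler offset the way the MOV DX,[EBX+06] / MOV DX,[EBX] pair does, and then uses that decoder for a defender-side integrity check that flags any vector whose handler no longer lies in a trusted address range. The IDT contents and the address range are constructed sample values, not real Windows ones.

```c
#include <stdint.h>
#include <string.h>

/* A 32-bit IDT gate is 8 bytes; the handler offset is split across bytes 0..1
 * (low word) and 6..7 (high word). Mirrors MOV DX,[EBX+06] / SHL EDX,10h / MOV DX,[EBX]. */
uint32_t gate_handler(const uint8_t *gate)
{
    uint16_t lo, hi;
    memcpy(&lo, gate, 2);
    memcpy(&hi, gate + 6, 2);
    return ((uint32_t)hi << 16) | lo;
}

/* Mirrors MOV [EBX],AX / SHR EAX,10h / MOV [EBX+06],AX from the post. */
void gate_set_handler(uint8_t *gate, uint32_t handler)
{
    uint16_t lo = (uint16_t)handler, hi = (uint16_t)(handler >> 16);
    memcpy(gate, &lo, 2);
    memcpy(gate + 6, &hi, 2);
}

/* Integrity check: count vectors whose handler lies outside the trusted range
 * [lo, hi) and report the first such vector (-1 if none). A hook like the one in
 * the post shows up here because its handler lives in the hooking module. */
int idt_check(const uint8_t *idt, unsigned vectors, uint32_t lo, uint32_t hi, int *first_bad)
{
    int bad = 0;
    *first_bad = -1;
    for (unsigned v = 0; v < vectors; v++) {
        uint32_t h = gate_handler(idt + v * 8u);
        if (h < lo || h >= hi) { if (bad++ == 0) *first_bad = (int)v; }
    }
    return bad;
}

/* Constructed sample (made-up addresses): 32 gates inside a trusted range, then
 * vector 3 (base + 3*8 = +24, as in the post) is redirected and must be caught. */
int demo_hook_detection(void)
{
    uint8_t idt[32 * 8] = {0};
    int first_bad;
    for (unsigned v = 0; v < 32; v++)
        gate_set_handler(idt + v * 8u, 0xC0001000u + v * 0x10u);
    if (idt_check(idt, 32, 0xC0000000u, 0xC0010000u, &first_bad) != 0) return -2;
    gate_set_handler(idt + 24, 0xC0200000u);            /* the int 3 hook */
    if (gate_handler(idt + 24) != 0xC0200000u) return -3;
    if (idt_check(idt, 32, 0xC0000000u, 0xC0010000u, &first_bad) != 1) return -4;
    return first_bad;                                   /* 3 */
}
```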

Snatch
December 31st, 2001, 00:18
Thanks for the information. I have actually been quite interested in softice protections and how to defeat them and how to build them stronger. As for your comment, frog may not know how to defeat certain tricks if he releases all his information. Protectionists get better. Big deal. The fact of the matter is that there is no such thing as an unbeatable protection, only ones that take time. Of course with web checks nowadays you can call those unbeatable, as with cd keys and such, but that's a separate subject and those checks can only be beaten by hacking the server you wish to target. That is a different field though. And what we are discussing here is still reversible no matter what. But it is at your discretion because, as you said, if you want to figure it out just reverse frogsice yourself; it is a project but one you will probably learn some invaluable information from.

Snatch

Clandestiny
January 2nd, 2002, 20:37
Hiya Daze,

Good job reversing! Intriguing thread... Many thanks for taking the time to share what you learned. That was a very lucid explanation and quite good timing since I'm needing to hook an interrupt in SI myself for the project Kayaker and I have been working on. I've never worked with the IDT before either, but I think I've now got a good place to start.

Best Regards
Clandestiny

daze666
January 3rd, 2002, 13:37
Good to see that the info was useful to you guys.

Clandestiny, I'm also working on a project that involves interrupt hooking in SI, that's why I wanted to figure out how frogsice works. Also, check out the sourcecode from icedump (distributed in the zip file), it contains some valuable info !

Remember that reading the IDT in windows 9x/ME is possible from Ring3 in your program, no need to write a VxD. NT/2000/XP are a little bit better protected. If you want to write/read the IDT in NT/2000/XP, you HAVE to write a KMD and there's VERY little info about this subject on the internet. There's an example source by ElicZ and one by Y0da (check out their websites) that got me started... If you have any questions or want to share info about our projects, feel free to contact me...
/edit
it IS possible to read the IDT in NT/XP without writing a KMD, I found a cool piece of code by EliCz that proves it :-)
/edit

Daze