Thread: Task 4 CRC hints

  1. #1
    Kayaker

    Task 4 CRC hints

    Hi All,

    Everyone seems to be doing great with this Project and there's some good learning and understanding going on. I'm really pleased. But I don't hear much CRC noise.

    So...

    By now everyone's figured out that the program creates a Happyicon.lic file in the program directory if it's successfully registered (by fair means or foul). If you modify even one byte of the .lic file you get a nice "The lic file has been modified !! 1toX cannot run" message.

    Don't worry about the 1toX business, that's actually another program by the author and he obviously didn't change the code to suit HappyIcon...

    At its simplest, a CRC (Cyclic Redundancy Code) check, well really just the most basic Checksum I could think of, might be to add all the bytes in a file as hex and compare this value with the one it's *supposed* to be. If they don't match, the file has been altered.

    In reality they are much more complicated than this and you could read A PAINLESS GUIDE TO CRC ERROR DETECTION ALGORITHMS by Ross N. Williams, somewhere on the Net, as a start.

    Often, what will happen is that a program will Read its exe file in as a regular file (since the program is already mapped into memory it can do this), and pass it through some CRC algorithm routine. It might be on the whole file or just parts of it. If you've patched the program it will likely fail the test.

    This program does the same thing except that it only reads in the .lic file. If you were to trace the code after the critical regged/not regged jump (this was Task 2d!), or use an API monitor on it now if you've patched the jump so it always produces a .lic file, you'd see that the program goes through 2 sequences to write the file.

    First it uses CreateFileA, WriteFile and CloseHandle to write the basic information into the file. It gets the structure of the file from the .exe. If you do a search for say the 1st line, "DO NOT MODIFY" you'd find it hard-coded in the file.

    Then it uses CreateFileA and ReadFile to read the file back in, calculates a Checksum, which actually includes the Checksum value itself, closes the file with CloseHandle since it can't be written to if it's previously open, and then writes the Checksum value with WritePrivateProfileStringA.


    This should give some indication of how to monitor for the CRC check on program startup.

    CreateFileA DO "dd esp->4" will display the name of the file which is to be read in (Happyicon.lic is the one of interest) in the Data window. "dd esp+4" would display the 1st stack parameter, or the pointer to the name of the file; "dd esp->4" displays the contents of that address.

    ReadFile DO "dd esp->8" will display what has been read into the buffer that receives the data once you've F11 returned.

    GetPrivateProfileStringA is used to retrieve the CRC value which was written into the file. The destination buffer for the function is the 4th stack parameter, the sequence being esp + 4, 8, C, 10, 14, 18, 1C...

    These 3 Calls should be enough to trace the CRC check to the simple jump which will bypass it and avoid the MessageBoxA (which is another breakpoint you can sometimes make use of).

    Finish this part and the Fat Lady can sing... ^_^

    Cheers,

    Kayaker
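
The first post describes the simplest checksum as adding all the bytes of the file, and says real CRCs are more complicated. The added example below (not part of the original thread, and not HappyIcon's actual routine) compares the two as integrity checks on a constructed sample: an additive sum catches a single changed byte but misses swapped or offsetting bytes, while CRC-32 catches all three. The sample contents apart from the "DO NOT MODIFY" line, the choice of the zlib-style CRC-32, and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The post's simplest checksum: add every byte of the file together. */
uint32_t additive_sum(const unsigned char *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += buf[i];
    return sum;
}

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320, the zlib/PNG variant). */
uint32_t crc32_bitwise(const unsigned char *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed sample; only the "DO NOT MODIFY" line comes from the thread. */
static const char SAMPLE_LIC[] = "DO NOT MODIFY\r\nName=Example User\r\nKey=12345\r\n";
enum { EDIT_ONE_BYTE, EDIT_SWAP_TWO, EDIT_PLUS_MINUS };

/* Applies one edit to a copy of the sample. Bit 0 of the result is set when
   the additive sum changed, bit 1 when the CRC-32 changed. */
int detects(int edit) {
    unsigned char buf[sizeof SAMPLE_LIC - 1];
    size_t len = sizeof buf;
    memcpy(buf, SAMPLE_LIC, len);
    uint32_t sum0 = additive_sum(buf, len), crc0 = crc32_bitwise(buf, len);
    if (edit == EDIT_ONE_BYTE) {
        buf[20] ^= 0x01;                       /* 'E' becomes 'D' */
    } else if (edit == EDIT_SWAP_TWO) {
        unsigned char t = buf[20]; buf[20] = buf[21]; buf[21] = t;
    } else {
        buf[20] += 1; buf[21] -= 1;            /* changes cancel in the sum */
    }
    return (additive_sum(buf, len) != sum0) | ((crc32_bitwise(buf, len) != crc0) << 1);
}

int main(void) {
    printf("one byte changed  : %d\n", detects(EDIT_ONE_BYTE));
    printf("two bytes swapped : %d\n", detects(EDIT_SWAP_TWO));
    printf("+1/-1 on two bytes: %d\n", detects(EDIT_PLUS_MINUS));
    return 0;
}
```

Both checks are unkeyed, so they only detect accidental or naive changes; anyone who can recompute the value can make a modified file verify.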

  2. #2
    ()whore
    Guest
    Well, with all those hints it's not hard to find

    00411084 call 0041f520
    ...
    0041108c test eax,eax
    0041108e jz

    Changing the jz to a jmp will avoid a bad CRC check. So will NOPing the call. Or you could change some bytes in the call so it always returns 0.
    I traced through the CRC calculation, which started by adding all the bytes in happyicon.lic together, then performed a lot of floating point math operations on it to arrive at the final number.

    cheers

  3. #3
    ThRaX
    Guest
    Heh, disagree, I say those hints make it *POSSIBLE* to consider *ATTEMPTING* to do this task ;D It's still a challenge for me. (though I guess I'm more newbieish than most)

    Doesn't make it *EASY*, though

    I need to *STOP* putting all my *WORDS* in these damn *STARS*...


    --ThRaX
