
Thread: Reverse Engineer Windows Software Code protection.

  1. #1

    Reverse Engineer Windows Software Code protection.

    Hi there,

    I have an automation program that has many code files inside. The files can be locked with a login and password. When I double-click a locked file, I get a Windows popup box that already has the login information filled in and I just have to enter a password. If the password is wrong, it says the password is not correct. If the password is shorter than 5 characters, it says to enter more than 5 characters.

    Things I have done so far:
    1) Loaded the exe file into PEiD v0.95.
    Entrypoint: 0006996F
    File Offset: 00068D6F
    Ep Section: .text
    Subsystem: Win32 GUI
    Nothing found [Overlay]*
    Not sure what I should do here or what this information means, because the tutorials I saw had the EP section as UPX and mine is .text.
    Moving on.
    2a) I opened the file with OllyDbg. The whole program opened. Now when I open a project file in the program, OllyDbg steps through until I get
    Exception E06D7363 - use Shift+F7/F8/F8 to pass exception to program. So I pressed Shift-F8; it stepped through and paused there.
    I ran it again, and this time I pressed Shift-F7; it stepped through until an error dialog box popped up:
    Don't know how to step because memory at address 1C2F54F6 is not readable. Try to change EIP or pass exception to program.

    2b) I restarted the program and ran it again. This time I used Shift-F9, and the whole thing ran. I went to the program and I don't see the rest of my code files. It seems the project is not fully loaded. I guess skipping the exception with Shift-F9 is not what I really wanted.
    When I say the code files are not loaded: for those who have used Visual Studio / VB, a solution project has many files. Now, after I ran the program, imagine the project is there but all the files are missing. That is what happens with my program here.
    What should I do here?
    My questions are:

    1. What should I do from here on?

    2. What other programs do I need to finish this reverse engineering?

    3. Is there any program where, after I enter the password incorrectly, it runs to the address of the popup box that tells me the password is wrong?
    I have tried SoftICE on Win XP SP2, and the whole system went BSOD on me.

    Hope to hear from someone.!

    Last edited by AmazingTrans; August 23rd, 2012 at 17:37.

  2. #2
    More progress,

    Even though I don't have the files, I am able to import the protected source code. Hurray.
    Now, when I double-click my protected source code, the dialog box pops up. Apparently OllyDbg does not respond at all, even when the dialog box pops up. When I entered the wrong password, the OllyDbg that the program is running under did not step through any code. So now the question is: maybe the file that I double-click is running in another DLL / exe / something.
    I used Process Explorer from Sysinternals and used its find-window cursor. I pointed it at that dialog box, and it led me to the program file.exe that is open in OllyDbg.

    Now what should I do?

  3. #3
    I am able to track all the way to the DLL file that is in charge of the password protection. There are so many JE, JMP, JNZ going on. I don't know what to do next.

    I have the text file, which is about 23 MB. What can I do so that somebody can assist me?

  4. #4

    OllyDbg thread terminated, setup trace?


    I stepped through in OllyDbg and at a certain location got "thread xxxxxxxx terminated, exit code 0."

    Is there any way I can set up a trace to figure out where it actually got terminated?

  5. #5
    Super Moderator
    Join Date
    Dec 2004
    Blog Entries
    Thread creation starts in user mode from BaseThreadStartThunk

    and ends in ntdll!ZwTerminateThread().

    BaseThreadStartThunk calls
    BaseThreadStart / LPTHREAD_START_ROUTINE / kernel32!ExitThread

    which calls ntdll!ZwTerminateThread.

    All the magic lies in between.

    Set a BP on these APIs and trace the whole sequence by hand once.

    You will get to know more than you can ever hope to get from answers on forums / boards / newsgroups.

  6. #6
    You can also take a quick look at the call stack window in Olly after a termination; there are usually some trails of information on what was executed before arriving at the terminated thread. (The button labeled 'K'.)

  7. #7
    Awesome, boys, I will take a look with the methods you have given.
    The first program I learned to crack was Little Piano, and that was about 10 years ago. And I played with some normal programs, but now I have this huge program that calls all kinds of DLLs, and code that draws rectangles and windows. Not even sure where the real thing lies.

    But I'll try for now.


  8. #8
    thread Creation Starts in userMode From BaseThreadStartThunk

  9. #9
    Quote Originally Posted by Indy View Post
    Do we want to muddy the waters for a noob?

    If he hasn't mucked with PDBs he would have problems even finding BaseThreadStartThunk;
    how is he going to find KiUserApcDispatcher or further up?

    lkd> !thread 860c9590
    THREAD 860c9590  Cid 0d24.08a0  Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
        a921e7d4  SynchronizationEvent
    Not impersonating
    DeviceMap                 e1340868
    Owning Process            0       Image:         <Unknown>
    Attached Process          863f0588       Image:         createthread.exe
    Wait Start TickCount      13813501       Ticks: 86444 (0:00:22:30.687)
    Context Switch Count      3             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00401000
    Start Address kernel32!BaseThreadStartThunk (0x7c8106f9)
    Stack Init a921f000 Current a921e758 Base a921f000 Limit a921c000 Call 0
    Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr  Args to Child              
    a921e770 80500cf0 860c9600 860c9590 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
    a921e77c 804f9d72 00000000 860c9590 a921e7cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
    a921e7a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
    a921e884 8063a099 863f0588 00000000 a921e8bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
    a921e8a8 8063a1cb a921e8bc 00000001 a921ed64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
    a921e934 804fcb42 a921ed10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
    a921ecf4 8053e0a1 a921ed10 00000000 a921ed64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
    a921ed5c 8053e7b1 00000000 7c90e451 badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
    a921ed5c 7c90e451 00000000 7c90e451 badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a921ed64)
    00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x1
    lkd> dt nt!_KTRAP_FRAME a921ed64
       +0x000 DbgEbp           : 0
       +0x004 DbgEip           : 0x7c90e451
       +0x008 DbgArgMark       : 0xbadb0d00
       +0x00c DbgArgPointer    : 0x3947c8
       +0x010 TempSegCs        : 0xa921ed98
       +0x014 TempEsp          : 0xa921edcc
       +0x018 Dr0              : 0
       +0x01c Dr1              : 0
       +0x020 Dr2              : 0
       +0x024 Dr3              : 0
       +0x028 Dr6              : 0
       +0x02c Dr7              : 0
       +0x030 SegGs            : 0
       +0x034 SegEs            : 0x23
       +0x038 SegDs            : 0x23
       +0x03c Edx              : 0x3947c8
       +0x040 Ecx              : 0x390000
       +0x044 Eax              : 0x401000
       +0x048 PreviousPreviousMode : 1
       +0x04c ExceptionList    : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
       +0x050 SegFs            : 0x3b
       +0x054 Edi              : 0x7c92770a
       +0x058 Esi              : 0x390000
       +0x05c Ebx              : 0
       +0x060 Ebp              : 0
       +0x064 ErrCode          : 0
       +0x068 Eip              : 0x7c90e451
       +0x06c SegCs            : 0x1b
       +0x070 EFlags           : 0x202
       +0x074 HardwareEsp      : 0x50fd20
       +0x078 HardwareSegSs    : 0x23
       +0x07c V86Es            : 0x80541e02
       +0x080 V86Ds            : 0xf73e8b85
       +0x084 V86Fs            : 0x85f61010
       +0x088 V86Gs            : 0
    lkd> .thread /p /r /P 860c9590
    Implicit thread is now 860c9590
    Implicit process is now 863f0588
    Loading User Symbols
    lkd> dd 0x50fd20 l8
    0050fd20  7c901166 00000000 7c900000 00000000
    0050fd30  00010017 00000000 00000000 00000000
    lkd> dt nt!_CONTEXT Eip 0050fd30
       +0x0b8 Eip : 0x7c8106f9
    lkd> ln 7c8106f9
    (7c8106f9)   kernel32!BaseThreadStartThunk   |  (7c810705)   kernel32!BaseProcessStartThunk
    Exact matches:
        kernel32!BaseThreadStartThunk = <no type information>

    EAX 00401000 createth.ThreadProc
    ECX 00390000
    EDX 003947C8
    EBX 00000000
    ESP 0050FD20  <-------------
    EBP 00000000
    ESI 00390000
    EDI 7C92770A ntdll.7C92770A
    EIP 7C90E450 ntdll.KiUserApcDispatcher
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 0  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDC000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_SUCCESS (00000000)
    EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
    ST0 empty +UNORM 38C8 0013FCBC 78AB2A99
    ST1 empty -UNORM FF18 00000000 0013FF08
    ST2 empty +UNORM 0001 78B1CB64 0000000A
    ST3 empty -1.7863225356269886700e-3463
    ST4 empty -UNORM FFFC 40000060 00000000
    ST5 empty +UNORM 1EA0 003930B8 78B538C8
    ST6 empty 0.0
    ST7 empty 0.0000000000153202670e-4933
                   3 2 1 0      E S P U O Z D I
    FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

    7C90E450 ntdll.KiUserApcDisp>LEA     EDI, DWORD PTR SS:[ESP+10]
    7C90E454                     POP     EAX                                            ;  ntdll.LdrInitializeThunk
    7C90E455                     CALL    NEAR EAX                                       ;  createth.ThreadProc
    7C90E457                     PUSH    1
    7C90E459                     PUSH    EDI                                            ;  ntdll.7C92770A
    7C90E45A                     CALL    ntdll.ZwContinue
    Log data, item 0
     Message=[esp+10+0xb8]  = 7c8106f9  esp+10  = 50fd30
    7C8106F9 kernel32.BaseThreadStartThunk         XOR     EBP, EBP

  10. #10

    Thanks for the info. Knowing the terms actually will help me to learn more and dig deeper.

  11. #11
    Hi guys,

    I was able to find the location of the username & password using Agent Ransack. It points me to a location, e.g.: 155 username?Morse?Password??91823... I notice that the 155 means it is at line 155.
    I opened the file using IDA and in Hex View I was able to find the location of the username, but in the view the text at the end shows u.s.e.r.n.a.m.e.?.M.o.r.s.e
    In the future, how do I search for "username" without the spaces or dots?
    What other program would anyone recommend for viewing and editing other than IDA?

  12. #12
    u.s.e.r.n.a.m.e. is UNICODE (wchar)

  13. #13
    Quote Originally Posted by aqrit View Post
    u.s.e.r.n.a.m.e. is UNICODE (wchar)
    aqrit, yup, I understand it is UNICODE. I guess what I mean is: what software do most people use to edit? For example, I want to change u.s.e.r.n.a.m.e to t.e.s.t.e.r.
    Instead of entering the dots, is there software that omits the dots? Just "username", which I then change to "tester"?

  14. #14
    They are not dots.
    A Unicode char is 16 bits or 2 bytes, and English alphabet characters don't consume more than eight bits or one byte, so the unconsumed byte remains 0x00, and since 0x00 is not a printable character it is dumped as a dot by most hex editors.

    with some code like this

    #include <stdio.h>
    int main (void) {
            /* unsigned so that bytes >= 0x80 compare as expected */
            unsigned char testfoo[] = {'A',0x0,'M',0x0,'a',0x80,'Z',0x7b };
            int i;
            for (i=0;i<sizeof(testfoo);i++)
                    if ( testfoo[i] < 0x20 || testfoo[i] > 0x7f)
                            putchar('.');          /* non-printable byte: shown as a dot */
                    else
                            putchar(testfoo[i]);   /* printable ASCII: shown as itself */
            putchar('\n');
            return 0;
    }
    CPU Dump
    Address   Hex dump                                         ASCII
    004F2A86  4C 00 6F 00|77 00 20 00|6D 00 65 00|6D 00 6F 00| L o w   m e m o
    004F2A96  72 00 79 00|21                                   r y !
    OllyDbg can edit Unicode strings in place as well as ASCII strings; use Ctrl+E.
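As an added illustration for posts #11 to #14 (not code from the thread), the following shows both why a hex editor renders a UTF-16LE string with dots and how to search for such a string directly: encode the ASCII search term as UTF-16LE first, then look for those bytes. The sample buffer is the "Low memory!" text from the CPU dump above, constructed inline; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Render a byte the way most hex editors do: printable ASCII as itself,
   anything else (including the 0x00 high byte of a UTF-16LE char) as '.'. */
static char hexedit_char(unsigned char b)
{
    return (b >= 0x20 && b <= 0x7e) ? (char)b : '.';
}

/* Encode an ASCII string as UTF-16LE (2 bytes per char, low byte first).
   Returns the number of bytes written, or -1 if out is too small. */
static int ascii_to_utf16le(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = strlen(s), i;
    if (n * 2 > outlen) return -1;
    for (i = 0; i < n; i++) {
        out[2 * i] = (unsigned char)s[i];  /* low byte: the ASCII code */
        out[2 * i + 1] = 0x00;             /* high byte: zero for ASCII */
    }
    return (int)(n * 2);
}

/* Search buf for the UTF-16LE encoding of an ASCII needle. Returns the byte
   offset of the first match, or -1 if it is absent. */
static long find_utf16le(const unsigned char *buf, size_t len, const char *needle)
{
    unsigned char pat[256];
    int plen = ascii_to_utf16le(needle, pat, sizeof pat);
    size_t i;
    if (plen <= 0 || (size_t)plen > len) return -1;
    for (i = 0; i + (size_t)plen <= len; i++)
        if (memcmp(buf + i, pat, (size_t)plen) == 0) return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: "Low memory!" as UTF-16LE, the text in the CPU dump above. */
    static const unsigned char dump[] = {
        0x4C,0x00,0x6F,0x00,0x77,0x00,0x20,0x00,0x6D,0x00,0x65,0x00,
        0x6D,0x00,0x6F,0x00,0x72,0x00,0x79,0x00,0x21,0x00 };
    size_t i;
    for (i = 0; i < sizeof dump; i++) putchar(hexedit_char(dump[i]));
    printf("\n\"memory\" at byte offset %ld\n", find_utf16le(dump, sizeof dump, "memory"));
    return 0;
}
```

The first line of output is the dotted rendering a hex editor would show; the offset search is what a tool like Agent Ransack does internally when you ask it to match the plain word.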
