
Thread: Reverse Engineer Windows Software Code protection.

  1. #1

    Reverse Engineer Windows Software Code Protection.

    Hi there,

    I have an automation program that contains many code files. The files can be locked with a login and password. When I double-click a locked file, I get a Windows popup box that already has the login information filled in and I just have to enter a password. If the password is wrong it says the password is not correct. If the password is fewer than 5 characters, it says to enter more than 5 characters.

    Things I have done so far:
    Code:
    1) Loaded the exe file into PEiD v0.95.
    Entrypoint: 0006996F 
    File Offset: 00068D6F
    Ep Section: .text
    Subsystem: Win32 GUI
    Nothing found [Overlay]*
    
    Not sure what I should do here or what this information means, because the tutorials I saw had the EP section as UPX and mine is .text.
    Moving on.
    2a) I opened the file with OllyDbg. The whole program opened. Now when I open a project file in the program, OllyDbg steps through until I get:
    Exception E06D7363 - use Shift+F7/F8/F9 to pass exception to program. So I press Shift-F8; it stepped through and paused there.
    I ran it again, and this time I pressed Shift-F7; it stepped through until an error dialog box popped up:
    Don't know how to step because memory at address 1C2F54F6 is not readable. Try to change EIP or pass exception to program.

    2b) I restarted the program and ran it again. This time I used Shift-F9, and the whole thing ran. I went to the program and I don't see the rest of my code files. It seems the project is not fully loaded properly. I guess skipping the exception with Shift-F9 is not what I really wanted.
    When I say the code files are not loaded: for those who have used Visual Studio / VB, in the solution project there are many files. Now, after I ran the program, imagine the project is there but all the files are missing. That is what happens with my program here.
    What should I do here?
    My questions are:

    1. What should I do from here now on?

    2. What other programs do I need to finish this reverse engineering?

    3. Is there any program where, after I enter the password incorrectly, I can have the program run to the address of the popup box that gives me the wrong-password message?
    I have tried SoftICE on Win XP SP2; the whole system went BSOD on me.

    Hope to hear from someone.!

    Cheers!
    Last edited by AmazingTrans; August 23rd, 2012 at 17:37.

  2. #2
    More progress,

    Even though I don't have the files, I am able to import the protected source code. Hurray.
    Now, when I double-click my protected source code, the dialog box pops up. Apparently OllyDbg does not respond at all, even when the dialog box pops up. When I entered the wrong password, the OllyDbg in which the program runs did not step through any code. So the question becomes: maybe the file that I double-click is running in another DLL / EXE / something.
    I used Process Explorer from Sysinternals and its find-window cursor. I pointed it at the dialog box, and it led me to the program file.exe that is opened in OllyDbg.

    Now what should I do?

  3. #3
    I am able to track all the way to the DLL file that is in charge of the password protection. There are so many JE, JMP, JNZ going on. I don't know what to do next.

    I have the text file, which is about 23 MB. What can I do so that somebody can assist me?

  4. #4

    OllyDbg thread terminated, setup trace?

    Experts...

    I did a step-through in OllyDbg and at a certain location I got "thread xxxxxxxx terminated, exit code 0."

    Is there any way I can set up a trace to figure out where it actually got terminated?

  5. #5
    Thread creation starts in user mode from BaseThreadStartThunk

    and ends in ntdll!ZwTerminateThread()

    BaseThreadStartThunk calls
    BaseThreadStart / LPTHREAD_START_ROUTINE / kernel32!ExitThread

    which calls ntdll!ZwTerminateThread

    all the magic lies in between

    set a bp on these APIs and trace the whole sequence by hand once

    you will get to know more than you can ever hope to get from answers on forums / boards / newsgroups

  6. #6
    You can also take a quick look at the call stack window in Olly after a termination; there usually are some trails of information on what was executed before arriving at the terminated thread. (The button labeled 'K'.)

  7. #7
    Awesome, guys, I will take a look with the method you have given.
    The first program I learned to crack was Little Piano, and that was like 10 years ago. And I played with some normal programs, but now I have this huge program that calls all kinds of DLLs, and code that draws rectangles and windows. I'm not even sure where the real thing lies.

    But I'll try for now.

    Thanks!

  8. #8
    thread Creation Starts in userMode From BaseThreadStartThunk
    False.

  9. #9
    Quote Originally Posted by Indy
    False.
    Do we want to muddy the waters for a noob?

    If he hasn't mucked with PDBs he would have problems even finding BaseThreadStartThunk;
    how is he going to find KiUserApcDispatcher or further up?

    Code:
    lkd> !thread 860c9590
    THREAD 860c9590  Cid 0d24.08a0  Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
        a921e7d4  SynchronizationEvent
    Not impersonating
    DeviceMap                 e1340868
    Owning Process            0       Image:         <Unknown>
    Attached Process          863f0588       Image:         createthread.exe
    Wait Start TickCount      13813501       Ticks: 86444 (0:00:22:30.687)
    Context Switch Count      3             
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00401000
    Start Address kernel32!BaseThreadStartThunk (0x7c8106f9)
    Stack Init a921f000 Current a921e758 Base a921f000 Limit a921c000 Call 0
    Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 0
    ChildEBP RetAddr  Args to Child              
    a921e770 80500cf0 860c9600 860c9590 804f9d72 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
    a921e77c 804f9d72 00000000 860c9590 a921e7cc nt!KiSwapThread+0x46 (FPO: [0,0,0])
    a921e7a4 80638fc4 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
    a921e884 8063a099 863f0588 00000000 a921e8bc nt!DbgkpQueueMessage+0x17c (FPO: [Non-Fpo])
    a921e8a8 8063a1cb a921e8bc 00000001 a921ed64 nt!DbgkpSendApiMessage+0x45 (FPO: [Non-Fpo])
    a921e934 804fcb42 a921ed10 00000001 00000000 nt!DbgkForwardException+0x8f (FPO: [Non-Fpo])
    a921ecf4 8053e0a1 a921ed10 00000000 a921ed64 nt!KiDispatchException+0x1f4 (FPO: [Non-Fpo])
    a921ed5c 8053e7b1 00000000 7c90e451 badb0d00 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
    a921ed5c 7c90e451 00000000 7c90e451 badb0d00 nt!KiTrap03+0xad (FPO: [0,0] TrapFrame @ a921ed64)
    00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x1
    Code:
    lkd> dt nt!_KTRAP_FRAME a921ed64
       +0x000 DbgEbp           : 0
       +0x004 DbgEip           : 0x7c90e451
       +0x008 DbgArgMark       : 0xbadb0d00
       +0x00c DbgArgPointer    : 0x3947c8
       +0x010 TempSegCs        : 0xa921ed98
       +0x014 TempEsp          : 0xa921edcc
       +0x018 Dr0              : 0
       +0x01c Dr1              : 0
       +0x020 Dr2              : 0
       +0x024 Dr3              : 0
       +0x028 Dr6              : 0
       +0x02c Dr7              : 0
       +0x030 SegGs            : 0
       +0x034 SegEs            : 0x23
       +0x038 SegDs            : 0x23
       +0x03c Edx              : 0x3947c8
       +0x040 Ecx              : 0x390000
       +0x044 Eax              : 0x401000
       +0x048 PreviousPreviousMode : 1
       +0x04c ExceptionList    : 0xffffffff _EXCEPTION_REGISTRATION_RECORD
       +0x050 SegFs            : 0x3b
       +0x054 Edi              : 0x7c92770a
       +0x058 Esi              : 0x390000
       +0x05c Ebx              : 0
       +0x060 Ebp              : 0
       +0x064 ErrCode          : 0
       +0x068 Eip              : 0x7c90e451
       +0x06c SegCs            : 0x1b
       +0x070 EFlags           : 0x202
       +0x074 HardwareEsp      : 0x50fd20
       +0x078 HardwareSegSs    : 0x23
       +0x07c V86Es            : 0x80541e02
       +0x080 V86Ds            : 0xf73e8b85
       +0x084 V86Fs            : 0x85f61010
       +0x088 V86Gs            : 0
    Code:
    lkd> .thread /p /r /P 860c9590
    Implicit thread is now 860c9590
    Implicit process is now 863f0588
    Loading User Symbols
    .....
    lkd> dd 0x50fd20 l8
    0050fd20  7c901166 00000000 7c900000 00000000
    0050fd30  00010017 00000000 00000000 00000000
    lkd> dt nt!_CONTEXT Eip 0050fd30
       +0x0b8 Eip : 0x7c8106f9
    lkd> ln 7c8106f9
    (7c8106f9)   kernel32!BaseThreadStartThunk   |  (7c810705)   kernel32!BaseProcessStartThunk
    Exact matches:
        kernel32!BaseThreadStartThunk = <no type information>

    Code:
    EAX 00401000 createth.ThreadProc
    ECX 00390000
    EDX 003947C8
    EBX 00000000
    ESP 0050FD20  <-------------
    EBP 00000000
    ESI 00390000
    EDI 7C92770A ntdll.7C92770A
    EIP 7C90E450 ntdll.KiUserApcDispatcher
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 0  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDC000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_SUCCESS (00000000)
    EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
    ST0 empty +UNORM 38C8 0013FCBC 78AB2A99
    ST1 empty -UNORM FF18 00000000 0013FF08
    ST2 empty +UNORM 0001 78B1CB64 0000000A
    ST3 empty -1.7863225356269886700e-3463
    ST4 empty -UNORM FFFC 40000060 00000000
    ST5 empty +UNORM 1EA0 003930B8 78B538C8
    ST6 empty 0.0
    ST7 empty 0.0000000000153202670e-4933
                   3 2 1 0      E S P U O Z D I
    FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

    Code:
    7C90E450 ntdll.KiUserApcDisp>LEA     EDI, DWORD PTR SS:[ESP+10]
    7C90E454                     POP     EAX                                            ;  ntdll.LdrInitializeThunk
    7C90E455                     CALL    NEAR EAX                                       ;  createth.ThreadProc
    7C90E457                     PUSH    1
    7C90E459                     PUSH    EDI                                            ;  ntdll.7C92770A
    7C90E45A                     CALL    ntdll.ZwContinue
    
    Log data, item 0
     Message=[esp+10+0xb8]  = 7c8106f9  esp+10  = 50fd30
    
    7C8106F9 kernel32.BaseThreadStartThunk         XOR     EBP, EBP

  10. #10
    blabberer,

    Thanks for the info. Knowing the terms actually will help me to learn more and dig deeper.

  11. #11
    Hi guys,

    I was able to find the location of the username & password using Agent Ransack. It points me to a location, e.g.: 155 username?Morse?Password??91823... I notice that the 155 means it is at line 155.
    I opened the file using IDA and in Hex View I was able to find the location of the username, but in the text view at the end it shows u.s.e.r.n.a.m.e.?.M.o.r.s.e
    In the future how do I search for "username" without the spaces or dots?
    What other program would anyone recommend for viewing and editing other than IDA?

  12. #12
    u.s.e.r.n.a.m.e. is UNICODE (wchar)

  13. #13
    Quote Originally Posted by aqrit
    u.s.e.r.n.a.m.e. is UNICODE (wchar)
    aqrit, yup, I understand it is UNICODE. I guess what software do most people use to edit? For example, I want to change u.s.e.r.n.a.m.e to t.e.s.t.e.r?
    Instead of entering the dots, is there software that omits the dots? Just "username", then I change it to "tester"?

  14. #14
    They are not dots.
    A Unicode char is 16 bits or 2 bytes, and English letters don't consume more than eight bits or one byte, so the unconsumed byte remains 0x00, and since 0x00 is not a printable character it is dumped as a dot by most hex editors.

    with some code like this

    Code:
    #include <stdio.h>

    int main (void) {

            /* "A\0M\0" is how "AM" looks as UTF-16LE; 0x80 and 0x7b are
               non-letter bytes thrown in to show what else gets masked */
            char testfoo[] = {'A',0x0,'M',0x0,'a',0x80,'Z',0x7b };
            int i;
            for (i=0;i<sizeof(testfoo);i++)
            {
                    /* anything outside the printable ASCII range prints as '*';
                       0x80 is negative on a signed char, so it fails the first test */
                    if ( testfoo[i] < 0x20 || testfoo[i] > 0x7f)
                    {
                            printf("*");
                    }
                    else
                    {
                            printf("%c",testfoo[i]);
                    }
            }
            return 0;
    }
    
    result
    
    A*M*a*Z{
    Code:
    CPU Dump
    Address   Hex dump                                         ASCII
    004F2A86  4C 00 6F 00|77 00 20 00|6D 00 65 00|6D 00 6F 00| L o w   m e m o
    004F2A96  72 00 79 00|21                                   r y !
    OllyDbg can edit Unicode strings in place as well as ASCII strings; use Ctrl+E.
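The questions in #11 and #13 (searching for a UTF-16 string without the dots, and editing it) worked through in Python, as an added example that is not from the thread. The byte buffer, the record layout and the names Morse/Password are constructed for illustration; the functions mirror what a hex editor and OllyDbg's Ctrl+E do: find a string stored with 0x00 after each letter, list such strings, render the dump that produces the "dots", and patch in place while keeping the byte length.

```python
import re

# Constructed sample "file": a header, a UTF-16LE credential record like the
# one quoted in the thread, and one plain-ASCII string that must not match.
SAMPLE = (
    b"PROJ\x00\x01"                                    # offset 0: fake header
    + "username".encode("utf-16-le") + b"\x00\x00"     # offset 6: u.s.e.r.n.a.m.e.
    + "Morse".encode("utf-16-le") + b"\x00\x00"        # offset 24
    + b"ascii text\n"                                  # offset 36: single-byte text
    + "Password".encode("utf-16-le") + b"\x00\x00"     # offset 47
)


def find_utf16le(buf, text):
    """Offsets where `text` is stored as UTF-16LE (each ASCII letter followed by 0x00)."""
    needle = text.encode("utf-16-le")
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def extract_utf16le_strings(buf, min_len=4):
    """Like `strings -el`: runs of printable ASCII bytes each padded with 0x00."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(buf)]


def hex_dump_line(buf, offset, width=16):
    """One hex-editor line: 0x00 (and any other non-printable byte) is shown as '.'."""
    chunk = buf[offset:offset + width]
    hex_part = " ".join(f"{b:02X}" for b in chunk)
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{offset:08X}  {hex_part:<{width * 3}} {ascii_part}"


def patch_utf16le(buf, old, new):
    """Replace a UTF-16LE string in place, null-padding so the file length is unchanged.
    A longer replacement would overwrite whatever follows, so it is refused."""
    old_b, new_b = old.encode("utf-16-le"), new.encode("utf-16-le")
    if len(new_b) > len(old_b):
        raise ValueError("replacement longer than original; cannot patch in place")
    offsets = find_utf16le(buf, old)
    if not offsets:
        raise ValueError("string not found")
    out = bytearray(buf)
    for off in offsets:
        out[off:off + len(old_b)] = new_b.ljust(len(old_b), b"\x00")
    return bytes(out)


if __name__ == "__main__":
    print(hex_dump_line(SAMPLE, 6))                     # ... u.s.e.r.n.a.m.e.
    print(extract_utf16le_strings(SAMPLE))
    print(hex_dump_line(patch_utf16le(SAMPLE, "username", "tester"), 6))
```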
