
Thread: int 20 (hinte's crackme #6)

  1. #16  Kayaker (Teach, Not Flame)  |  Join Date: Oct 2000  |  Posts: 4,154  |  Blog Entries: 5
    Hi Zairon,

    Yep, we've been reading the same document

    Code:
    cmp ebx, 0xC0000000
    pushfd
    and dword ptr [esp], 01
    is used to check the state of the Carry flag after the cmp. If ebx is less than C0000000, meaning you've gotten below Ring0 code where a DDB address is no longer valid, then the Carry flag is set. Pushfd pushes the EFLAGS value, or the state of all the flags, onto the stack and the AND statement tests the Carry Bit 0. If the Carry flag is set (esp=1), then esp becomes 1, if unset, 0.

    You see this used later on as well several times for testing the Zero flag:
    Code:
    cmp [ecx], something
    pushfd
    shr [esp], 06	; shift the Zero flag to the bit 0 position
    and [esp], 01	; test if it's set
    You could also use the Bit Test (BT) commands to do the same thing, except that they modify the Carry flag themselves.

    I didn't get any meaningful results from Filemon btw.
    This whole sequence of code is looking for a particular vxd loaded, and it's pretty apparent what that vxd is. Try changing the name of 'FILE' in memory ([ecx])
    cmp [ecx], 'FILE'
    and see if the crackme doesn't open

    As an aside, if the Device_ID of Softice is 202 and corresponds to the Interrupt flag being set:
    202h (binary 001000000010)
    o d I s z a p c
    I wonder if some Numega programmer was having fun when they chose that as a Device_ID for sice?

    Cya,
    Kayaker
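    The flag-to-stack idiom above is easy to misread, so here is an added example (my own code, not from the thread or the crackme) that models the EFLAGS bits a 32-bit CMP produces and then applies exactly the "pushfd / and [esp],1" (Carry) and "pushfd / shr [esp],6 / and [esp],1" (Zero) sequences to that value. Bit positions come from the Intel EFLAGS layout; the two small wrappers reproduce the DDB check and the 'FILE' tag check quoted in the post, and the 0x202 Device_ID aside can be checked with the same helper.

```python
MASK32 = 0xFFFFFFFF

# EFLAGS bit positions (Intel SDM vol. 1, EFLAGS register layout)
CF_BIT, PF_BIT, ZF_BIT, SF_BIT, TF_BIT, IF_BIT, OF_BIT = 0, 2, 6, 7, 8, 9, 11


def eflags_after_cmp(a: int, b: int) -> int:
    """Model the EFLAGS left by a 32-bit CMP a, b (computes a - b, discards it).

    CF, PF, ZF, SF and OF are computed; AF is left out. Bit 1 is the
    architecturally reserved always-1 bit, which is why a 'clean' EFLAGS
    value such as 202h still has bit 1 set.
    """
    a &= MASK32
    b &= MASK32
    result = (a - b) & MASK32
    flags = 1 << 1
    if a < b:                                      # unsigned borrow -> CF
        flags |= 1 << CF_BIT
    if bin(result & 0xFF).count("1") % 2 == 0:     # even parity of low byte
        flags |= 1 << PF_BIT
    if result == 0:
        flags |= 1 << ZF_BIT
    if result >> 31:
        flags |= 1 << SF_BIT
    if ((a ^ b) >> 31) and ((a ^ result) >> 31):   # signed overflow
        flags |= 1 << OF_BIT
    return flags


def flag_from_stack(eflags: int, shift: int) -> int:
    """pushfd ; shr dword ptr [esp], shift ; and dword ptr [esp], 1

    Returns the 0/1 value the sequence leaves at [esp]. shift=0 is the
    Carry-flag form from the post (no SHR needed), shift=6 the Zero-flag form.
    """
    top = eflags                      # pushfd: EFLAGS is now the dword at [esp]
    top = (top >> shift) & MASK32     # shr dword ptr [esp], shift
    return top & 1                    # and dword ptr [esp], 1


def ddb_below_ring0(ebx: int) -> int:
    """cmp ebx, 0C0000000h ; pushfd ; and dword ptr [esp], 1  -> 1 if ebx < C0000000h"""
    return flag_from_stack(eflags_after_cmp(ebx, 0xC0000000), CF_BIT)


def matches_file_tag(dword_at_ecx: int) -> int:
    """cmp [ecx], 'FILE' ; pushfd ; shr [esp], 6 ; and [esp], 1  -> 1 on match"""
    file_tag = int.from_bytes(b"FILE", "little")   # 'FILE' as it sits in a dword
    return flag_from_stack(eflags_after_cmp(dword_at_ecx, file_tag), ZF_BIT)


if __name__ == "__main__":
    print(ddb_below_ring0(0xBFFFFFFF), ddb_below_ring0(0xC0001000))   # 1 0
    print(matches_file_tag(int.from_bytes(b"FILE", "little")))         # 1
    print(flag_from_stack(0x202, IF_BIT))                              # 1: IF set in 202h
```

    Note that on real hardware `shr [esp], 6` itself rewrites CF with the last bit shifted out, which is why the crackme extracts the flag into a stack dword first rather than testing it after another flag-modifying instruction; the model above keeps the pushed copy, as the CPU does.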

  2. #17  ZaiRoN (Red wine, not vodka!)  |  Join Date: Oct 2001  |  Location: Italy  |  Posts: 922  |  Blog Entries: 17
    hi Kayaker,

    OK! i have understood!

    This whole sequence of code is looking for a particular vxd loaded...and see if the crackme doesn't open
    i have found the list of vxd but...the crackme doesn't open
    what have i mistaken?

    ZaiRoN

  3. #18  ZaiRoN (Red wine, not vodka!)  |  Join Date: Oct 2001  |  Location: Italy  |  Posts: 922  |  Blog Entries: 17
    hi,

    i answer myself: Kayaker, you're using icedump!

    you're a lazy man. the rule is: only softice! no other tools
    i think i'll continue to study the rest of the program; maybe i'll find other interesting things

    bye,
    ZaiRoN

  4. #19  Kayaker (Teach, Not Flame)  |  Join Date: Oct 2000  |  Posts: 4,154  |  Blog Entries: 5
    LOL

    - you must write a keygen
    - no patching

    I don't see any other rules

  5. #20  CoDe_InSiDe (Guest)

    Hi everyone,

    Just a little side note: trace from the OEP of the program, then you'll see that he uses that "pushfd - and [esp], 01 etc...", or something similar, very often for jump statements.
    Also (like Kayaker mentioned) a lot in the rest of the program.
    It's actually the same as a "jz", for example.

    Ok, enough of my mumbling maybe i'll come back to this CrackMe

    Cya...

    CoDe_InSiDe

  6. #21  ZaiRoN (Red wine, not vodka!)  |  Join Date: Oct 2001  |  Location: Italy  |  Posts: 922  |  Blog Entries: 17
    hi Kayaker,

    doh! you're right...sigh...

    btw, from your first post i've seen that you had tried to make a keygen. are u able to put bpx?
    i think that the study of the rest of the code is "necessary"

    see you soon,
    ZaiRoN

  7. #22  Kayaker (Teach, Not Flame)  |  Join Date: Oct 2000  |  Posts: 4,154  |  Blog Entries: 5
    Hi Zairon,

    I've had a *little* bit of success on scoping out the s/n routine. What I did was to open the crackme with Icedump, but as we discussed above the crackme won't open unless you patch in memory the DDB entry for that vxd. I'm actually working on a protection against that 'vulnerability'. This affects not only the ICEDUMP driver but also SICE and SIWVID in a similar manner. This is sort of an extension of the Code 09 VMMCall Get_DDB method of detection discussed in the Frogsice doc, just a different way of using the DDB. I've got the basic protection completed and will probably release it in a few days after I polish it up and have some fun with it. In the meantime you need to "fix" that manually.

    There may be other ways around this or you can get the crackme open with Frogsice itself I think. Anyway, I was able to break on inputting a Name using hmemcpy. At 402D9D is a CALL [ESP-4] which is the hmemcpy call itself which monitors what you enter as a name character by character. At 402DB5 there is a CMP EAX, 4 ; the minimum length of name allowed, and it tests the result of the cmp with that famous routine
    pushfd
    and dword ptr [esp], 01
    You're right CodeInside, this is used everywhere!

    Then it takes the last 2 characters of your name (in ESI) and goes into this routine, the output I generated from a backtrace:
    Code:
    18	402E08	66031E66		ADD  BX, [ESI]		; start of loop
    19	402E0B	6603CBC1		ADD  CX, BX
    1A	402E0E	C1C10B68		ROL  ECX, B
    1B	402E11	68B993CC7481		PUSH  DWORD 74CC93B9
    1C	402E16	8104246C9A738B83	ADD  DWORD [ESP], 8B739A6C
    1D	402E1D	83C404FF		ADD  ESP, BYTE +4
    1E	402E20	FF6424FCEA		JMP  NEAR [ESP-4]	; 402E25
    1F	402E25	2BCB81			SUB  ECX, EBX
    20	402E27	81F14513000068		XOR  ECX, 1345
    21	402E2D	68D340DD7581		PUSH  DWORD 75DD40D3
    22	402E32	8104246EED628A83	ADD  DWORD [ESP], 8A62ED6E
    23	402E39	83C404FF		ADD  ESP, BYTE +4
    24	402E3C	FF6424FCEA		JMP  NEAR [ESP-4]	; 402E41
    25	402E41	C1C90348		ROR  ECX, 3
    26	402E44	489C			DEC  EAX
    27	402E45	9CF7			PUSHF
    28	402E46	F71424C1		NOT  DWORD [ESP]
    29	402E49	C12C240683		SHR  DWORD [ESP], 6
    2A	402E4D	8324240150		AND  DWORD [ESP], BYTE +1
    2B	402E51	5052			PUSH  EAX
    2C	402E52	5299			PUSH  EDX
    2D	402E53	99B8			CDQ
    2E	402E54	B8EE25E8CF35		MOV  EAX, CFE825EE
    2F	402E59	3561DA1730F7		XOR  EAX, 3017DA61
    30	402E5E	F764240805		MUL  DWORD [ESP+8]
    31	402E62	05DA0858302D		ADD  EAX, 305808DA
    32	402E67	2D61DA173089		SUB  EAX, 3017DA61
    33	402E6C	894424085A		MOV  [ESP+8], EAX
    34	402E70	5A58			POP  EDX
    35	402E71	5883			POP  EAX
    36	402E72	83C404FF		ADD  ESP, BYTE +4
    37	402E75	FF6424FCC3		JMP  NEAR [ESP-4]	; 402E08
    Loops to above 4 times
    38	402E08	66031E66		ADD  BX, [ESI]
    39	402E0B	6603CBC1		ADD  CX, BX
    etc...
    When it's done with this loop, JMP NEAR [ESP-4] points to 402E7E instead of back to 402E08, and the loop is finished:
    Code:
    96	402E72	83C404FF		ADD  ESP, BYTE +4
    97	402E75	FF6424FCC3		JMP  NEAR [ESP-4]
    98	402E7E	05CAA7F62968		ADD  EAX, 29F6A7CA
    ...
    From here the code seemed to go into GetDlgItemTextA, but as a direct jump not an API call, so I don't think you can set a break on it. Not sure how that's used. There's lots of other code in there; the loop I listed above seems to get called again, perhaps in response to GetDlgItemTextA.

    You can enter a s/n and follow its course in a similar manner, but this seems to get into some crypto/hashing stuff, which I know little about. I've got a shitload of trace output (like about 4000 lines) so I don't know wtf it's doing, to be perfectly honest. Maybe I could just dump it all into a keygen and see if it works, heh.

    That's it for now, I think I'll go back to coding. If you can at least break on that Hmemcpy 402D9D CALL [ESP-4] line, or the start of the loop I listed (with your name in ESI), then you should be at a good stage to start tracing.

    Good Luck,
    Kayaker

  8. #23  ZaiRoN (Red wine, not vodka!)  |  Join Date: Oct 2001  |  Location: Italy  |  Posts: 922  |  Blog Entries: 17
    hi,

    From here the code seemed to go into GetDlgItemTextA, but as a direct jump not an API call, so I don't think you can set a break on it. Not sure how that's used
    this is right. the s/n is retrieved using GetDlgItemTextA in this way:
    402EE8: call [esp-04]
    enter the call and after few lines:
    401164: jmp [ebx+10] ; jump to the code of GetDlgItemTextA

    where ebx points to the references to the used apis.
    the s/n must be 8 chars.
    much code to explore....

    cya..
    ZaiRoN

  9. #24  the analyst (Guest)
    hello,

    Originally posted by Kayaker
    The code continues on in this fashion for a while. There is a Structured Exception Handler (SEH) set up and an invalid opcode produced
    then the jump is instead back into valid program code. I'm not sure exactly what is happening here, whether the invalid opcode (F1) is being detected or what. The IDT hasn't been changed at this point so it's not a standard INT 6 invalid opcode hook or anything.
    just to let you know, this is not an invalid opcode.
    In fact F1h is the undocumented opcode for int 1.
    this is a not so known trick to detect tracing.

    start:

    xor eax,eax

    push offset ExceptionHandlingFunction   ; install our SEH frame
    push dword ptr fs:[eax]
    mov fs:[eax], esp

    db 0f1h                 ; undocumented INT 1 (ICEBP)

    ; if we get here the exception was not raised: the instruction was
    ; stepped over by a tracer, so we are being debugged
    push 0
    push offset traced      ; Gotcha!
    push offset traced
    push 0
    call MessageBoxA

    ; some nasty code could be here
    ; or some fake routines eventually.

    push 0                  ; Exit to win
    CALL ExitProcess


    ExceptionHandlingFunction:

    ; reached only when the INT 1 really faulted, i.e. no tracer ate it
    push 0
    push offset exception   ; I'm not being traced
    push offset exception
    push 0
    call MessageBoxA

    push 0                  ; Exit to win
    CALL ExitProcess

    ; 'traced' and 'exception' are the MessageBoxA caption/text strings;
    ; their data definitions are not shown in the post.

    this detects the revirgin tracer, wdasm tracer and many others.
    I have known this trick for some time already ;-)


    just my two cents, hope it helps.

    the analyst / HERT

  10. #25  Kayaker (Teach, Not Flame)  |  Join Date: Oct 2000  |  Posts: 4,154  |  Blog Entries: 5

    Cool

    Hi

    Thanks for the info analyst ;-) I've since found out this is indeed an old largely undocumented form of the INT1 Single Step Trace Exception known as ICEBP. (Largely undocumented by Intel at least, but a search for 'ICEBP' yields a lot of info, i.e. h*tp://x86.ddj.com/secrets/opcodes/icebp.htm)

    I *think* I see what's going on here, but anyone please clarify if I'm wrong, I'm still absorbing CPU architecture and Intel docs to get a better understanding. Normally if you are single step tracing (or using the SI backtrace feature), Softice clears the trace (T) flag in the EFLAGS register, so that the regular INT01 handler is not called. If this trace bit is clear, the instructions are executed without interruption.

    So when this errant undocumented INT1 is stepped over (traced), it continues into the "bad boy" code. However, if you weren't single step tracing (and the Trace flag was set), then the SEH (the "good boy" code) that was previously set up would be called and you would continue on unmolested.

    I'm still a little confused in how Softice behaves versus "other" debuggers in terms of this trace flag. According to http://www.woodmann.net/fravia/civetta.htm one way to detect SI is:

    -----------------------------------------------------------------
    4. by using the TRAP flag, one can use the single stepping feature to
    call a protection routine (e.g. a decryptor). The problem is, that
    during single stepping SOFT-ICE clears the TRAP flag for the V86 task
    and will neither execute nor step into the INT01 handler of the
    V86 task. Many schemes use this trick.
    -----------------------------------------------------------------

    OK, so this is where I got that the Trace (Trap) flag is cleared during single step tracing, and this is what this undocumented INT1 trick is taking advantage of. However, according to Art of Assembly Language Ch.6 (or the Intel docs):

    ----------------------------------------------------------------
    The trace flag enables or disables the 80x86 trace mode. Debuggers (such as CodeView)
    use this bit to enable or disable the single step/trace operation. When set, the CPU interrupts
    each instruction and passes control to the debugger software, allowing the debugger
    to single step through the application. If the trace bit is clear, then the 80x86 executes
    instructions without the interruption.
    ----------------------------------------------------------------

    In this case it seems to indicate that when the Trace flag is *set*, control is passed to the debugger "allowing the debugger to single step through the application". It just seems to indicate that there is an inherent difference in how Softice operates versus "other" debuggers, unless I'm misinterpreting all this.

    Nothing I can't live with of course, it's just a question that came to my mind while trying to understand exactly what's going on. In any case you can certainly *see* the effect of this trick. If you set a bpm breakpoint on the address of the exception handler (good boy routine), which as Zairon said was at 40342E, Softice will break on it if you just execute the program. However if you try tracing over that INT1 (Trace flag cleared?) or use a Backtrace (based on BPR), then it won't break and you'll end up continuing on into the bad boy code.

    The output from our Backtrace disassembler actually shows this bad boy sequence (pretty much as you see it in the Softice window anyway), but the difference is that the disassembler (based on the NASM disassembler) records the F1 opcode properly as an INT1, but Softice itself (as you'd see with SHOW) records the backtrace disassembly of 0xF1 as INVALID. Seems Numega never added support for some undocumented opcodes...

    Code:
    SEH:
    23	401876	68875D9749		PUSH  DWORD 49975D87
    24	40187B	812C2459295749		SUB  DWORD [ESP], 49572959
    25	401882	643303			XOR  EAX, [FS:EBX]
    26	401885	50			PUSH  EAX
    27	401886	648923			MOV  [FS:EBX], ESP
    ; handler routine now at 40342E (49975D87 - 49572959)
    ...
    
    UNDOCUMENTED OPCODE + BAD BOY ROUTINE:
    33	4018BE	F1			INT1
    34	4018BF	58			POP  EAX
    35	4018C0	680D620858		PUSH  DWORD 5808620D
    36	4018C5	810424C7B637A8		ADD  DWORD [ESP], A837B6C7
    37	4018CC	83C404			ADD  ESP, BYTE +4
    38	4018CF	FF6424FC		JMP  NEAR [ESP-4]
    39	4018D4	648903			MOV  [FS:EBX], EAX
    3A	4018D7	68382669F2		PUSH  DWORD F2692638
    3B	4018DC	810424B3F2D60D		ADD  DWORD [ESP], DD6F2B3
    3C	4018E3	83C404			ADD  ESP, BYTE +4
    3D	4018E6	FF6424FC		JMP  NEAR [ESP-4]
    3E	4018EB	83C404			ADD  ESP, BYTE +4
    3F	4018EE	83C404			ADD  ESP, BYTE +4
    40	4018F1	FF6424FC		JMP  NEAR [ESP-4]
    ; to Kernel ExitThread
    Anyway, thanks again for the interesting tip

    Regards,
    Kayaker

  11. #26  the analyst (Guest)

    Re: Cool

    heya

    Originally posted by Kayaker
    Hi

    Thanks for the info analyst ;-) I've since found out this is indeed an old largely undocumented form of the INT1 Single Step Trace Exception known as ICEBP. (Largely undocumented by Intel at least, but a search for 'ICEBP' yields a lot of info, i.e. h*tp://x86.ddj.com/secrets/opcodes/icebp.htm)
    set a bpm breakpoint on the address of the exception handler (good boy routine), which as Zairon said was at 40342E, Softice will break on it if you just execute the program. However if you try tracing over that INT1 (Trace flag cleared?) or use a Backtrace (based on BPR), then it won't break and you'll end up continuing on into the bad boy code.
    Anyway, thanks again for the interesting tip
    Regards,
    Kayaker

    This piece of code is actually an anti tracing code.
    If you run the software without stepping in, it won't call
    the bad boy code.
    It is useful to detect debuggers that single step thru the code
    such as Wdasm's debugger etc..
    Try my code and see how wdasm get owned
    You can do the same with the trap flag.
    But some better tracer, such as Revirgin don't get owned by
    the trap flag, while they are bumfucked by that int 1 trick
    Note that you could use a standard int 1 instead of the F1h one.
    It is too obvious then tho

    Here comes the trap flag code :

    start:

    xor eax,eax

    push offset ExceptionHandlingFunction   ; exception handler
    push dword ptr fs:[eax]
    mov fs:[eax], esp

    pushf
    pushf
    pop eax                 ; get the flags register
    or eax, 100h            ; and set the TF Trap Flag (Single Step)
    push eax                ; and then
    popf                    ; put it back into the flags register
    nop                     ; with TF set, a single-step trap fires after this

    ; if we get here the trap was not raised: a debugger took it, we are being debugged
    push 0
    push offset trace       ; Gotcha!
    push offset trace
    push 0
    call MessageBoxA

    ; we should put some nasty code in here
    ; or go to some fake routines eventually.

    push 0                  ; Exit to win
    CALL ExitProcess


    ExceptionHandlingFunction:

    ; reached only when the single-step trap was delivered to our SEH frame
    push 0
    push offset exception   ; All is fine, I'm not being traced
    push offset exception
    push 0
    call MessageBoxA

    push 0                  ; Exit to win
    CALL ExitProcess


    end start

    ; 'trace' and 'exception' are the MessageBoxA caption/text strings;
    ; their data definitions are not shown in the post.


    It behaves like the F1 one, but doesn't fool all the debuggers..
    If you step in with F10, you will go into the bad boy code, else
    you will get back to the good boy place
    It is good to put such code in a name / serial scheme
    Newbies, just keep tracing, don't even know wtf is the trap flag
    and get fooled black and blue ;-)

    My other 2 cents ;-)

    regards,

    The Analyst / HERT

  12. #27  evaluator (Musician member)  |  Join Date: Sep 2001  |  Posts: 1,524  |  Blog Entries: 1
    Hello, Kayaker!

    I found why SICE (& ICEDUMP) can't load the EXE.
    Because in the header the 1st section's Virtual Offset is 00001057.
    Abnormal!
    Correct it to 00001000 & all will be OK.
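    An added example, written for this thread rather than taken from it or from any project: it builds a minimal PE32 header in memory (a constructed sample, not the crackme's real file), checks every section's VirtualAddress against the header's SectionAlignment, and rounds a misaligned RVA down the way evaluator describes (1057h to 1000h). The loader-side point is that a section RVA that is not a multiple of SectionAlignment violates the PE spec, which is why a strict loader such as SICE refuses the file while Windows itself tolerates it.

```python
import struct

OPT_HDR32_SIZE = 0xE0      # size of IMAGE_OPTIONAL_HEADER32
SECTION_HDR_SIZE = 40      # size of IMAGE_SECTION_HEADER


def build_pe(section_rva: int, section_alignment: int = 0x1000) -> bytes:
    """Construct a minimal PE32 image with one section (sample data, not a real file)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header at 0x40
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HDR32_SIZE, 0x102)
    opt = bytearray(OPT_HDR32_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 32, section_alignment)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    # IMAGE_SECTION_HEADER: .text, VirtualSize, VirtualAddress, raw size/offset, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, section_rva, 0x200, 0x400,
                      0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec


def _section_table(pe: bytes):
    """Return (section_alignment, section_header_offsets) after validating MZ/PE."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size = struct.unpack_from("<H", pe, fh + 16)[0]
    opt = fh + 20
    sec_align = struct.unpack_from("<I", pe, opt + 32)[0]
    table = opt + opt_size
    return sec_align, [table + SECTION_HDR_SIZE * i for i in range(nsec)]


def misaligned_sections(pe: bytes):
    """List (name, rva, expected_rva) for sections whose VirtualAddress is not a
    multiple of SectionAlignment: the defect evaluator found at 1057h."""
    sec_align, offsets = _section_table(pe)
    bad = []
    for off in offsets:
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        rva = struct.unpack_from("<I", pe, off + 12)[0]   # VirtualAddress
        if rva % sec_align:
            bad.append((name, rva, rva - rva % sec_align))
    return bad


def align_section_rvas(pe: bytes) -> bytes:
    """Copy of pe with each misaligned VirtualAddress rounded down to the alignment.

    This is the hand fix from the post; code that relied on the old RVA would
    still need attention, so treat it as a loader workaround, not a repair.
    """
    out = bytearray(pe)
    sec_align, offsets = _section_table(pe)
    for off in offsets:
        rva = struct.unpack_from("<I", out, off + 12)[0]
        struct.pack_into("<I", out, off + 12, rva - rva % sec_align)
    return bytes(out)


if __name__ == "__main__":
    broken = build_pe(0x1057)
    print(misaligned_sections(broken))                      # [('.text', 4183, 4096)]
    print(misaligned_sections(align_section_rvas(broken)))  # []
```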
