
Thread: How to find out what the call does?

  1. #1
    van_Hauser
    Guest

    How to find out what the call does?

    I have read some tutorials about reverse engineering.
    Most of them are easy to understand and the programs
    were easy too.

    Now in "real" it's not so easy anymore :-(

    I tried "bpx getwindowtexta" in SoftICE which works well.
    After jumping out with F11 I see this code:

    LEA EAX, [EBP-58] ;d eax = EC 5E D3 77 00 00 00 00 - ...
    PUSH 1D
    PUSH EAX
    PUSH 0000041D
    PUSH DWORD PTR [EBX+000001C4]
    CALL ESI ;the first bpx getwindowtexta was for the name,
    ;now is this the call to get the number from the dialog ?
    PUSH EAX
    CALL EDI ;call and do something with the window registry ?
    LEA ECX,[EBP-18]
    CALL 00DC6E30 ;jesus another call I don't understand
    AND DWORD PTR[ESP-04],00
    PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
    PUSH 00DDDAD0 ; yeah keep pushing stuff on the stack I don't understand
    LEA ECX,[EBP-18]
    CALL 00DC6E65
    TEST EAX,EAX
    JNZ 00DC78C3 ; NO JUMP
    ...


    I have read the nice tutorial about "Basic Key Generation File Routines"
    but can't find similar code :-(

    I can dive into the calls with F8 but the routines there won't help me
    and there are many other calls.

    How can I find out what all the calls do and where to start
    understanding what the program does?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Are you sure it's
    PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION

    and not
    PUSH 80000001 ;HKEY_CURRENT_USER

    It would make a lot more sense...

  3. #3
    Naides
    Quote Originally Posted by van_Hauser
    > I have read some tutorials about reverse engineering.
    > Most of them are easy to understand and the programs
    > were easy too.
    >
    > Now in "real" it's not so easy anymore :-(

    Welcome to the true World of RCE!

    > I tried "bpx getwindowtexta" in SoftICE which works well.
    > After jumping out with F11 I see this code:

    You need to scroll UP in the code, before the GetWindowTextA API is called.
    The second to last pushed parameter before the call should contain the address of the buffer where whatever was gotten from the window text is stored. You should keep an eye on that.

    > LEA EAX, [EBP-58] ;d eax = EC 5E D3 77 00 00 00 00 - ...

    Does EAX hold a pointer to some other value? Check also d @EAX

    > PUSH 1D
    > PUSH EAX
    > PUSH 0000041D
    > PUSH DWORD PTR [EBX+000001C4]
    > CALL ESI ;the first bpx getwindowtexta was for the name,
    > ;now is this the call to get the number from the dialog ?

    Now, what API or routine is pointed to by ESI? You may find out by stepping into it with F8 or by scrolling up in the code and finding where the value of ESI was loaded. I doubt this is a call to GetWindowTextA, because 4 parameters get pushed to the stack and they do not look like the typical GetWindowTextA parameters. Get an API reference and study the assembly form of API calling.

    > PUSH EAX
    > CALL EDI ;call and do something with the window registry ?

    Hard to tell, you've got to know what EDI is pointing to.

    > LEA ECX,[EBP-18]
    > CALL 00DC6E30 ;jesus another call I don't understand

    Check what is in EBP-18 by doing d EBP-18 AND d @[ebp-18]
    In this case, the parameter may have been passed to the call in a register, ECX, and something is done with it.

    > AND DWORD PTR[ESP-04],00
    > PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
    > PUSH 00DDDAD0 ; yeah keep pushing stuff on the stack I don't understand

    Looks like a magic number or an address nearby, check it out.

    > LEA ECX,[EBP-18]

    EBP-18 again passed in ECX.

    > CALL 00DC6E65

    Now this call looks interesting. Calls to a local routine and returns a result in EAX.
    The next constellation of instructions:

    > TEST EAX,EAX
    > JNZ 00DC78C3 ; NO JUMP

    is typical of a decision point, good cracker bad cracker, go or not go, and deserves careful consideration.

    > ...
    > I have read the nice tutorial about "Basic Key Generation File Routines"
    > but can't find similar code :-(

    Forget about finding similar code in tutorials. Learn assembly, learn the logic. Even small changes in high level code, i.e. C++, or compilation parameters can produce drastic changes in the assembly code.

    > I can dive into the calls with F8 but the routines there won't help me
    > and there are many other calls.
    >
    > How can I find out what all the calls do and where to start
    > understanding what the program does?

    The secret is knowing which one to dive into with F8. Given your code snippet, I would go for: CALL 00DC6E65
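The reading technique Naides describes above (arguments are pushed right to left, so the last PUSH before a stdcall CALL is the first C parameter; count the pushes and compare with an API reference; a TEST EAX,EAX followed by a conditional jump right after a CALL is a decision on the return value) can be automated for a disassembly listing. The script below is an added example written for this thread, not code from any poster or tool. It takes the SoftICE-style listing from the first post as its sample input, rebuilds each call's argument list in declaration order, annotates the constant 80000001 with both Win32 names it can stand for (HKEY_CURRENT_USER and STATUS_GUARD_PAGE_VIOLATION share that value, which is why post #2's reading depends on what the callee does), records an ECX load immediately before a call as a likely register-passed parameter, and flags the return-value decision point. The API_SIGNATURES table holds real stdcall prototypes, but matching a call to an API by parameter count alone is only a hint, and what ESI or EDI actually point to is not known from the listing; the script does not claim otherwise.

```python
import re
from dataclasses import dataclass
from typing import Optional

REGISTERS = {"EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP"}

# Win32 constants; 0x80000001 is shared by a registry root key handle and an NT status
# code, so the right name depends on what the callee does with the value.
KNOWN_CONSTANTS = {
    0x80000000: ("HKEY_CLASSES_ROOT",),
    0x80000001: ("HKEY_CURRENT_USER", "STATUS_GUARD_PAGE_VIOLATION"),
    0x80000002: ("HKEY_LOCAL_MACHINE",),
}

# Real stdcall prototypes, in C declaration order (first parameter = last PUSH).
API_SIGNATURES = {
    "GetWindowTextA": ("hWnd", "lpString", "nMaxCount"),
    "GetDlgItemTextA": ("hDlg", "nIDDlgItem", "lpString", "cchMax"),
    "RegOpenKeyExA": ("hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"),
}

# Sample input: the listing from the first post of this thread (comments are stripped).
SAMPLE_LISTING = """
LEA EAX, [EBP-58] ;d eax = EC 5E D3 77 00 00 00 00
PUSH 1D
PUSH EAX
PUSH 0000041D
PUSH DWORD PTR [EBX+000001C4]
CALL ESI ;the first bpx getwindowtexta was for the name
PUSH EAX
CALL EDI ;call and do something with the registry ?
LEA ECX,[EBP-18]
CALL 00DC6E30
AND DWORD PTR[ESP-04],00
PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
PUSH 00DDDAD0
LEA ECX,[EBP-18]
CALL 00DC6E65
TEST EAX,EAX
JNZ 00DC78C3 ; NO JUMP
"""


@dataclass
class CallSite:
    target: str
    args: list                        # C declaration order (last PUSH = first argument)
    ecx_setup: Optional[str] = None   # instruction that loaded ECX just before the call
    decision: Optional[str] = None    # conditional jump taken on the call's return value

    def arity_candidates(self) -> list:
        """APIs from the table whose parameter count matches the pushes (a hint only)."""
        return [name for name, params in API_SIGNATURES.items() if len(params) == len(self.args)]


def parse_operand(text: str):
    """Registers stay symbolic, bare hex literals become ints, memory operands stay as text."""
    text = text.strip()
    if text.upper() in REGISTERS:
        return text.upper()
    if re.fullmatch(r"[0-9A-Fa-f]+", text):
        return int(text, 16)          # SoftICE prints hex with no 0x prefix
    return text


def describe(value) -> str:
    """Render an argument, naming a constant when its value is in KNOWN_CONSTANTS."""
    if isinstance(value, int):
        names = KNOWN_CONSTANTS.get(value)
        return f"0x{value:X}" + (f" ({' or '.join(names)})" if names else "")
    return str(value)


def analyze(listing: str) -> list:
    """Walk the listing once, collecting pushes until each CALL and the test that follows it."""
    calls, pending, ecx_setup, last_call, saw_test_eax = [], [], None, None, False
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop the ';' comment
        if not line:
            continue
        mnemonic, _, operands = line.partition(" ")
        mnemonic = mnemonic.upper()
        if mnemonic == "PUSH":
            pending.append(parse_operand(operands))
            saw_test_eax = False
        elif mnemonic == "CALL":
            last_call = CallSite(operands.strip(), list(reversed(pending)), ecx_setup)
            calls.append(last_call)
            pending, ecx_setup, saw_test_eax = [], None, False
        elif mnemonic in ("LEA", "MOV") and operands.upper().startswith("ECX"):
            ecx_setup = line                      # possible register-passed parameter
        elif mnemonic == "TEST" and operands.replace(" ", "").upper() == "EAX,EAX":
            saw_test_eax = last_call is not None  # testing the previous call's result
        elif mnemonic in ("JZ", "JNZ", "JE", "JNE") and saw_test_eax:
            last_call.decision = line             # the go / no-go branch
            saw_test_eax = False
        else:
            saw_test_eax = False
    return calls


def report(calls: list) -> list:
    lines = []
    for cs in calls:
        lines.append(f"CALL {cs.target}: " + ", ".join(describe(a) for a in cs.args))
        if cs.ecx_setup:
            lines.append(f"  ECX loaded just before the call: {cs.ecx_setup}")
        if cs.arity_candidates():
            lines.append(f"  same parameter count as: {', '.join(cs.arity_candidates())}")
        if cs.decision:
            lines.append(f"  return value decides a branch: {cs.decision}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LISTING))))
```

Run it and the first call shows four arguments, which is exactly why Naides doubts it is GetWindowTextA (three parameters); the last call shows the 0x80000001 argument and the JNZ that depends on its return value, the point the reply recommends stepping into first.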

  4. #4

    As Above

    Hello,

    Welcome to the cracking world. Simply put, there are always 2 aspects to cracking. They are:

    1. Searching where in the world in the program the protections are
    2. Breaking the protections

    Most tutorials are aimed at the second option. Very few tutorials teach you about the first option. At most, it is generally left to the user to search where in that damned file the protection is located. To make matters worse, protections can be located at more than one location. In fact, some programs are protections themselves entirely, which run the good program only if you bypass them. And what's worse is, these protections are masked using checksums, CRC, packing, anti-debug tricks, anti-monitoring tricks, digital certificates, private and public keys and anything you can think of. You will have to start at the bottom of this heap by cracking programs that have none of these.

    Now, if I am not mistaken, the question you have asked is not really about point 2, but about point 1. I am afraid there is no straight answer. There is no generic way of searching the locations of the protections. Or which files, for that matter, have the protections. However a good approach in these circumstances is the top down approach. You approach the application as a whole and go down into details as they appear clearly. Here are some steps you can do:

    1. Generally, run filemon and regmon (www.sysinternals.com) to figure out which files are involved in the protection. Beware, there are programs that completely bypass the monitoring or change names when monitored.
    2. A good idea is also to use a profiler to see the calls that are made in a program during a protection check. This helps you pinpoint actual calls made as opposed to ALL calls seen in a disassembly or softice tracing.
    3. Then, you can concentrate on the calls obtained above, knowing that these are indeed the ones associated with protection. You can easily discount the API calls from these to get an even lesser number of calls to work with.
    4. In which call is the protection located? Don't know. It's really difficult to tell as protections can be spread across different calls. That is why it's important to crack programs initially that are simple and located in one call. Such as Winzip v5 or Winzip v6, Mirc V5 and so on. Try your searching skills on the same. Don't worry, you'll learn how to search. Even the best of us cannot, in a single sitting, sometimes pinpoint the protection. We spend most of our time, sometimes, in just trying to figure out where the heck is that protection scheme and where it snaps. So you are not different. On the contrary, I'd say you are in good company.

    So try cracking old programs first. Trying to crack the latest version of FlexLM or Sentinel is not the way to proceed. Try these for flavour:

    Phase I: Simple serial number cracks (forget about keygens)
    Phase II: Time protected
    Phase III: Serial or time protected with simple anti-debugger tricks
    Phase IV: Serial or time protected with simple packing (say, upx or pe compress etc)
    Phase V: Serial or time protected with both simple anti-debug and simple packing.
    Phase VI: Serial or time protected with complicated anti-debugging
    Phase VII: Serial or time protected with complicate packing
    Phase VIII: Serial or time protected with complicated packing and anti-debugging and anti-dumping and anti-monitoring
    Phase IX: Heavy duty protections like Safe Disc/ Securom etc
    Phase X: Biggies like Flexlm/Alladin etc.

    Phew, quite a bit. And remember, in each of the phases, the idea is to do both point 1 and point 2. You may find some phases are easier in point 1 and others are easier in point 2.

    No one said cracking was easy. But do it for its plain joy and you really won't mind.

    Have Phun
    Blame Microsoft, get l337 !!

  5. #5
    van_Hauser
    Guest


    Hello !

    Thanks for the answers !

    Naides, thank you for the work you invested in your answer for a
    newbie in assembler !

    Well, I thought "You can code in C and C++ and had
    "Introduction to computer architecture" in University
    so this assembler stuff is no big deal" - WRONG DUDE
    Now at least I know where to continue the learning.


    @sgdt
    Quote Originally Posted by sgdt
    Are you sure it's
    PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
    and not
    PUSH 80000001 ;HKEY_CURRENT_USER
    It would make a lot more sense...
    In Softice the line
    PUSH 80000001 ;STATUS_GUARD_PAGE_VIOLATION
    is displayed as I wrote it here. The command plus the comment
    behind it.

    I can't tell you more as a newbie. You could be right about the HKEY_..
    because values are read and written to the registry, that's what I
    was able to find out with "regmon"


    @Aimless: "But do it for its plain joy and you really won't mind."
    Well, I am sorry to tell you that I am a stupid perfectionist. By now
    I just hate this plugin DLL nagging me and I wanna fill it in - bash it, beat it,
    bite it.


    Hope to see you all again the time I made some progress.
    Last edited by van_Hauser; February 6th, 2004 at 06:04.

  6. #6
    nikolatesla20
    heh...

    Welcome to the board !

    I noticed you mentioned a plug-in DLL, any chance I can get some more details? Sounds juicy. I've done a lot of plug-in DLLs over my learning time, I got one for MSVC++, I got a COM DLL for the Task Manager, and I've done a VST instrument DLL.

    DLLs are usually "easier". They usually will have less anti-debug code, especially anything too advanced, since they aren't actual processes themselves.

    I agree with naides, you might want to try and fiddle with those JZ instructions, etc.

    What does the plug-in "do" when it's not registered? Bring up a nag or have a message in the about dialog, or what?

    I'm a little biased in this opinion, but I don't know if trying to keygen is a good way to start reversing...at least for me , it's too hard at first because you have to figure out how all the code "works" together. Whereas with cracking all you have to do is find the weak link in the chain of the protection. You only have to know which jump to fix (and sometimes a couple other small routines).

    -nt20
    Last edited by nikolatesla20; February 6th, 2004 at 09:40.

  7. #7
    van_Hauser
    Guest
    Thanks nikolatesla20 - I PM'ed you about it.
