
Thread: Making a program run without the loader ?

  1. #16
    markh51:

    Why in the hell are you still not doing your own research??? Have you bothered to SEARCH on the net for MeltICE code and compare it to your code? Isn't that what YOUR brain is for???

    Using "MeltICE code" (without the quotes) it took only a second to find:

    http://www.woodmann.net/krobar/tutlist/tutlist286.htm

    which is located on our server for God's sake. Don't you look for anything? It has the entire asm code for MeltICE:

    And now, the Dead Listing of an .exe file using that code:
    * Referenced by a CALL at Address :004011DE
    :00401080 E87BFFFFFF call 00401000 ; first, check for S-Ice Win95
    :00401085 85C0 test eax, eax ; check if loaded...
    :00401087 7410 je 00401099 ; No, jump to check_NT, if yes:
    :00401089 6894604000 push 00406094 ;->"SoftICE for Windows 95 is active!"
    :0040108E E83D000000 call 004010D0
    :00401093 83C404 add esp, 4
    :00401096 33C0 xor eax, eax
    :00401098 C3 ret ; S-Ice Win95 detected. Bye_bye.
    :Check_NT
    :00401099 E8A2FFFFFF call 00401040 ; Now, check for S-Ice WinNT
    :0040109E 85C0 test eax, eax ; check if loaded...
    :004010A0 7410 je 004010B2 ; jump if NOT loaded to can't_find, else
    :004010A2 6870604000 push 00406070 ;->"SoftICE for Windows NT is active!"
    :004010A7 E824000000 call 004010D0
    :004010AC 83C404 add esp, 4
    :004010AF 33C0 xor eax, eax
    :004010B1 C3 ret ; S-Ice WinNT detected. Bye_bye.
    :can't_find
    :004010B2 6848604000 push 00406048 ;->"Can't find SoftICE with this method!"
    :004010B7 E814000000 call 004010D0
    :004010BC 83C404 add esp, 4
    :004010BF 33C0 xor eax, eax
    :004010C1 C3 ret ; S-Ice not found.

    ********************************End of detection********************************
    The detection/CreateFileA routine for S-Ice Win95:
    :00401000 6A00 push 00000000 ; CreateFileA parameters
    :00401002 6880000000 push 00000080 ; ...
    :00401007 6A03 push 00000003 ; ...
    :00401009 6A00 push 00000000 ; ...
    :0040100B 6A03 push 00000003 ; ...
    :0040100D 68000000C0 push C0000000 ; ...
    * Possible StringData Ref from Data Obj ->"\\.\SICE" ; VxD driver for S-Ice Win95
    :00401012 6830604000 push 00406030
    * Reference To: KERNEL32.CreateFileA, Ord:0031h
    :00401017 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
    :0040101D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
    :00401020 740D je 0040102F ; Yes, jump otherwise...
    :00401022 50 push eax ; SoftIce Win95 IS loaded!
    * Reference To: KERNEL32.CloseHandle, Ord:0018h
    :00401023 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
    :00401029 B801000000 mov eax, 00000001 ; Eax:=1
    :0040102E C3 ret !
    ; Back to the caller
    * Referenced by a (C)onditional Jump at Address :00401020
    :0040102F 33C0 xor eax, eax ; Eax:=0 (not loaded)
    :00401031 C3 ret !
    ; Back to the caller
    ...
    The detection/CreateFileA routine for S-Ice WinNT:
    ...
    * Referenced by a CALL at Address :00401099
    :00401040 6A00 push 00000000 ; CreateFileA parameters
    :00401042 6880000000 push 00000080 ; ...
    :00401047 6A03 push 00000003 ; ...
    :00401049 6A00 push 00000000 ; ...
    :0040104B 6A03 push 00000003 ; ...
    :0040104D 68000000C0 push C0000000 ; ...
    * Possible StringData Ref from Data Obj ->"\\.\NTICE"; VxD driver for S-Ice WinNT
    :00401052 683C604000 push 0040603C
    * Reference To: KERNEL32.CreateFileA, Ord:0031h
    :00401057 FF15BCA04000 Call dword ptr [0040A0BC] ; CreateFileA
    :0040105D 83F8FF cmp eax, FFFFFFFF ; Handle= -1 ?
    :00401060 740D je 0040106F ; Yes, jump otherwise...
    :00401062 50 push eax ; SoftICE WinNT IS loaded!
    * Reference To: KERNEL32.CloseHandle, Ord:0018h
    :00401063 FF15F8A04000 Call dword ptr [0040A0F8] ; Close file's handle
    :00401069 B801000000 mov eax, 00000001 ; Eax:=1
    :0040106E C3 ret !
    ; Back to the caller
    * Referenced by a (C)onditional Jump at Address :00401060
    :0040106F 33C0 xor eax, eax ; Eax:=0 (not loaded)
    :00401071 C3 ret !
    ; Back to the caller

    NOW DO YOU SEE ANY SIMILARITY BETWEEN THIS AND YOUR CODE???
    (Yes, I know they've moved some parts of it around a little bit, but LOOK at the code and what it is doing. It makes the checks and closes Softice if one or the other version is found. It would not take much modification to make it close the target program if either is detected. You could search for that as well.)

    As Frog's Print concluded:

    "But is S-T-U-P-I-D because we now will be able to check if any program is detecting Soft-Ice even before it will have the time to do so: just with a BPX CreateFile(A)." (Actually, should be BPX CreateFileA)

    Now, if you look at this code, you will see that it is making more than one check, isn't it? Which one have you patched? Have you patched the other? Have you done anything to determine whether Softice 4.05 is Softice 95 or Softice Win-NT??? Does it not make sense, if you do not know, to LOOK IT UP and, as a fall back position, if you do not know, to patch both???

    Now come on, this particular issue is not that hard IF YOU JUST DO A LITTLE STUDY OF THE TOPIC FIRST.

    Regards,
    JMI
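
To make the dead listing above concrete, here is the same MeltICE logic rewritten in Python (an added example, not code from the thread or from the linked tutorial): it opens the two SoftICE device names from the listing with CreateFileA, using exactly the parameters the listing pushes, and treats a valid handle as "loaded". The Windows call goes through ctypes; the probe function is injectable so the control flow can be followed on any system.

```python
"""Python reconstruction of the MeltICE check shown in the listing above.
Added example; device names and messages come from the listing's string
references, the CreateFileA arguments from the pushes before the call."""
import sys

# Order matters: the listing checks the Win95 driver first, then WinNT.
SOFTICE_DEVICES = {
    "\\\\.\\SICE": "SoftICE for Windows 95 is active!",
    "\\\\.\\NTICE": "SoftICE for Windows NT is active!",
}
NOT_FOUND = "Can't find SoftICE with this method!"


def create_file_probe(name: str) -> bool:
    """Windows-only probe mirroring the listing's CreateFileA call:
    access 0xC0000000 (GENERIC_READ|GENERIC_WRITE), share mode 3,
    no security attributes, creation 3 (OPEN_EXISTING), flags 0x80
    (FILE_ATTRIBUTE_NORMAL), no template. True when a handle comes back."""
    if sys.platform != "win32":
        return False  # no such device namespace outside Windows
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.CreateFileA.restype = ctypes.c_void_p
    handle = k32.CreateFileA(name.encode(), 0xC0000000, 3, None, 3, 0x80, None)
    # INVALID_HANDLE_VALUE is -1; as an unsigned pointer that is all bits set.
    if handle in (None, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        return False
    k32.CloseHandle(ctypes.c_void_p(handle))  # the listing closes it too
    return True


def melt_ice(probe=create_file_probe) -> str:
    """Same control flow as the listing: SICE first, then NTICE, then give up.
    Returns the message the listing would print for that outcome."""
    for device, message in SOFTICE_DEVICES.items():
        if probe(device):
            return message
    return NOT_FOUND


if __name__ == "__main__":
    print(melt_ice())
```

Because both paths funnel through one imported CreateFileA, a single breakpoint on that API catches either check, which is the point Frog's Print makes.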

  2. #17

    Not to discourage you but...

    Might I suggest that instead of breaking dongles (as people who have been RCE for years still struggle) you simply find a crack for the same?

    It kind of seems a little too enthusiastic to feel that a dongle needs to be broken just because of our familiarity with SoftICE or IDA or w32Dasm.

    Feel free to ignore this if you have a lot of RCE experience and think this is a good time to start on dongles.

    Have Phun
    Blame Microsoft, get l337 !!

  3. #18
    markh51
    Guest
    I have been looking for a cr*ck for the iButton for quite some time now but without any success, so the only way I can see is to remove the protection myself... unless anyone else has any ideas?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #19
    I don't suppose you paid much attention to CrackZ' post or did any searching for information on iButton coding or found the SDK he mentioned, now did you??? There's interesting stuff out there like an article titled:

    A Basic iButton Interface

    found at http://www.codeproject.com/samples/ibuttoninterface.asp

    but apparently you just want someone to help you find a crack or do the work for you. How about trying something REALLY desperate, like putting something like "iButton SDK" into your favorite search engine and reading some of the hits.

    Regards,
    JMI

  5. #20
    markh51
    Guest
    Like I said earlier, I have been searching for a while now (on google), but the only thing that I could come up with was the SDK from the Dallas website. Obviously, their kit is not going to let you "hack" the iButton or remove the protection, so instead I just used the API as a reference to check the code against, but like I said, I could not find any reference in the code to the iButton API.

    I'll take a look at the link you provided.

    Thanks.

  6. #21
    markh51
    Guest
    OK, I had a look at the link you provided and downloaded the Source Code; the only problem is I don't have MS Visual C++ to compile it, I only have Borland C++ Builder. Anyway, I don't think this tool will be very useful as it seems similar to the TMEX tools which Dallas provide. These tools are no use unless you know the password for each section as the contents are encrypted.

  7. #22
    Instead of ONLY reading the link I gave you, why don't you actually do some research on the subject of "ibutton + code" and "ibutton sdk" and "ibutton+ crack*" (without the quotes.)

    Regards,
    JMI

  8. #23
    markh51
    Guest
    Yes, I've tried those variations on google and there is nothing there that will break the iButton, only tools which will communicate with it, which is no good unless you have the password. The only tool I found performs a Dictionary attack on the iButton, but this is only effective if the developer uses a weak password.

    Thanks.
    Last edited by markh51; June 15th, 2004 at 04:06.

  9. #24
    markh51:

    Take a CLOSE look at the code I posted from MeltICE. Look at the references to "CreateFile" and you will see no "()" around the "A". If you try BPX CreateFileA it should work.

    Yes I know what Frog's Print wrote in the line I quoted, but he wrote that in 1999. If you had read a few more threads here, or anywhere, on breakpoints this would have become obvious to you. I believe the "()" are most frequently used to indicate that there may be an API with and without the letter on the end, depending on the system one is using. There is a CreateFile for Windows Me/98/95 and a CreateFileA for later versions.

    There's even a program called "auto debug for windows" that claims to have automated circumvention of several anti-debug systems. It can be found at:

    http://www.autodebug.com/antidebug.html

    Regards,
    JMI

  10. #25
    markh51
    Guest
    JMI:

    Yeah, I know now, I read the post a little bit closer.

    That's why I edited it, but you must have replied b4 I changed it.

  11. #26
    markh51
    Guest
    JMI:

    I have come across another "problem" in the prog... If you change anything in the main prog it will half load then crash, but if using the original unchanged prog it will load OK. So it seems to know even if you patch one or two bytes even though the file sizes are EXACTLY the same.

    I have done a bit of research on google but I don't really know what I am searching for as I have not come across this before. Do you think it is comparing the CRC values of the files ?

    Do you have any ideas on this matter ?

    Cheers.

  12. #27
    ZaiRoN
    "...it is comparing the CRC values of the files ?"
    Could be. Put a bpm over the byte(s) you changed and check if there is a crc or something else...
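
A minimal illustration of the kind of self-check being discussed (an added example, not code from the thread or from the program markh51 is looking at): a constructed stand-in for a program image, its CRC32 stored at build time, and the start-up comparison. Flipping one byte keeps the length identical but fails the check, which is why identical file sizes prove nothing; the CRC loop's read of the patched byte is what a bpm on that address would catch.

```python
"""Self-integrity check demo. Added example with a constructed image;
the CRC32 routine is zlib's, the stored value is computed 'at build time'."""
import zlib


def crc32_of(data: bytes) -> int:
    """CRC32 of a byte string as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def integrity_ok(image: bytes, stored_crc: int) -> bool:
    """What a self-checking program does on start-up: recompute and compare.
    In a debugger, this loop is where a memory breakpoint on a patched
    byte fires, because the routine has to read every byte it covers."""
    return crc32_of(image) == stored_crc


def patch(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite bytes in place; the image length never changes."""
    return image[:offset] + new_bytes + image[offset + len(new_bytes):]


# Constructed stand-in for a code section: test eax,eax / je +0x10 / push imm32,
# padded with zeros. Offset 2 holds the JE opcode (0x74).
ORIGINAL = bytes.fromhex("85c0" "7410" "6894604000") + b"\x00" * 32
STORED_CRC = crc32_of(ORIGINAL)  # the value the protection embeds at build time

# The classic one-byte patch: JE (0x74) -> JNE (0x75). Same size, different content.
PATCHED = patch(ORIGINAL, 2, b"\x75")


def demo() -> dict:
    """Run the check against the original and the patched image."""
    return {
        "same_size": len(ORIGINAL) == len(PATCHED),
        "original_ok": integrity_ok(ORIGINAL, STORED_CRC),
        "patched_ok": integrity_ok(PATCHED, STORED_CRC),
    }


if __name__ == "__main__":
    print(demo())
```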

  13. #28
    markh51
    Guest
    ZaiRoN:

    I take it you are talking about using SoftIce, how do I do that ?

    Do I use "bpm address" ? Then what do I look for ?

    Also, another problem I have with softice is how do I get it to break at a certain address of a file if it has not loaded it yet? I need to do this because I need to break in to the file more or less as soon as it loads.

    Cheers.

  14. #29
    markh51:

    You need to stop starting new threads each time you seem to have an additional question about reversing this program. You already asked your question about CRC checking here and we don't need a separate thread about it from you. Once again you have also failed to do your own searching and research, both about CRC techniques and about how to make softice work. It does come with a manual, which you should read.

    Regards,
    JMI

  15. #30
    markh51
    Guest
    For your information I have already looked through the SoftIce manual and read how the BPM works, but I don't understand how to use it in my situation.

    Why, every time I ask a question, do you always think I haven't bothered to look? I always look at any manuals if available and on google.

    So if you can be so kind to tell me how I can use BPM to do what zairon said I would appreciate it.

    Thanks.
