Page 3 of 4 FirstFirst 1234 LastLast
Results 31 to 45 of 46

Thread: Making a program run without the loader ?

  1. #31
    markh51:

    There are, at least two GOOD reasons why I question whether you have search before you ask a question.

    1.) You NEVER state that you have SEARCHED for the answer to a question.

    2.) You CONTINUE to ask questions that I KNOW have answers EASILY available by searching.

    Take, for example your question "Do I use "bpm address" ? Then what do I look for ?


    This tells me your haven't the slightest idea what a CRC check is doing and that, despite your protestations to the contrary, you haven't paid much attention to the Softice manual on the use of BPM (Address) and you really didn't SEARCH for information on the subject, or at least you didn't do so with ANY thought about what you were looking for.

    Take for example this search:

    http://search.earthlink.net/search?q=softice+%2B+bpm+address&area=earthlink-ws

    The very first entry is to:

    #Cracking4Newbies SoftIce Tutorial, found at http://www.woodmann.net/krobar/beginner/04.htm

    Does that address LOOK FAMILIAR? It's right here.

    It contains the statement:

    BREAKPOINTING ON MEMORY ACCESS
    --------------------------------------------------------
    SYNTAX: BPM <address> R/W
    The R/W tells SoftICe whether to pop up on a read or write operation to that address. The default is RW (read & write)

    The third entry in the search was: Guide to SoftICE Commands
    http://www.woodmann.com/crackz/Tutorials/Sicecref.htm

    Does that address LOOK FAMILIAR? It's also right here.

    It contains: BPM
    Break point on memory access
    BPM[size] address [R|W|RW|X] [debug register] [IF expression] [DO bp-action]

    There are pages and pages of other references.

    I KNOW this information is IN THE F*CKING MANUAL with explainations and examples.

    There are also pages and pages of search references to CRC available. One such provides:

    cyclic redundancy check
    (algorithm)

    Definition: (1) A method to detect and correct errors by adding bits derived from a block or string of bits to the block. (2) An algorithm to compute bits characteristic of a block based on the algebra of polynomials over the integers, modulo 2. (3) The characteristic bits of a block.

    Now if you had read several of these articles on CRC you would understand that there has got to be a routine which "reads" (hint, hint, hint) the bits (or bytes) of the code to check against a "sum" which is generally hard coded in the software "somewere." So..... in order to "read" the bits/bytes there must be code which is reading all, or some significant part of your target's code. Hence the use of BPM <address> (R/W).

    How you ask (again)? Well THINK about it. If it is going to "add" bits/bytes, it has to read the code. If you break when "some particular code" is read you will know you are possibly in a routine which is doing a CRC. Now this is not always WHY some code is being read, because it would also "read" an entered serial, but determining that code is being read would, at least suggest, it might be a CRC, and IF your target crashes after you change ANY code, you can pretty well be assured something akin to a CRC is happening. So now, the only thing you need to know is what <address> to check is being read. Well duh!!! How about the one (or more) YOU changed.

    Now IF you had SEARCHED and READ any articles on REVERSING CRC (now there's an interesting search criteria) you would already know most of this and what to do if your BPM breaks on a read of the code you previously changed.

    The main problem is that you appear to lack some of the most basic level skills of reversing. That, in and of itself, is where we all started and no reason for criticism. You, however, seem not to want to do this basic home work before you venture into the dark codewoods and then you scream for help when you get lost, instead of SEARCHING for the correct path with any forethought or significant effort on your own, or, at the very least, with NO demonstration you have done so. You certainly appear to be trying to fly, before you actually learn how to crawl.

    Regards,
    JMI

  2. #32
    markh51
    Guest
    Setting a BPM on the address I changed, does nothing. Any ideas ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #33
    Did you set BPM <address> or BPM <address> R/W ? Details ARE important.

    The first one will NOT work. The second one should.

    And you NEVER actually confirmed that you were, or were not using Win95.
    If not what OS are you using?

    Regards,
    JMI

  4. #34
    markh51
    Guest
    I am using Win95

    Using BPM address R, still does not work !

    Do you think the prog could be using kernel32.readfile, to check the CRC of it self ? but it has to have the original CRC value to compare it against, so it must be coded in to the prog ?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #35
    markh51
    Guest
    I set a BPX on the readfile and found a interesting piece of code, which the prog seems to loop inside of for a while, can you take a quick look and see what you think:

    * Referenced by a CALL at Address:
    |:00402F54
    |
    :00402EB4 55 push ebp
    :00402EB5 8BEC mov ebp, esp
    :00402EB7 51 push ecx
    :00402EB8 53 push ebx
    :00402EB9 56 push esi
    :00402EBA 57 push edi
    :00402EBB 8BF1 mov esi, ecx
    :00402EBD 8BFA mov edi, edx
    :00402EBF 8BD8 mov ebx, eax
    :00402EC1 8B4510 mov eax, dword ptr [ebp+10]
    :00402EC4 0FB75304 movzx edx, word ptr [ebx+04]
    :00402EC8 23D0 and edx, eax
    :00402ECA 3BC2 cmp eax, edx
    :00402ECC 7558 jne 00402F26
    :00402ECE 6A00 push 00000000
    :00402ED0 8D45FC lea eax, dword ptr [ebp-04]
    :00402ED3 50 push eax
    :00402ED4 8B4308 mov eax, dword ptr [ebx+08]
    :00402ED7 F7EE imul esi
    :00402ED9 50 push eax
    :00402EDA 57 push edi
    :00402EDB 8B03 mov eax, dword ptr [ebx]
    :00402EDD 50 push eax
    :00402EDE FF550C call [ebp+0C]
    :00402EE1 85C0 test eax, eax
    :00402EE3 7511 jne 00402EF6

    * Reference To: kernel32.GetLastError, Ord:0000h
    |
    :00402EE5 E8BAE3FFFF Call 004012A4
    :00402EEA E8B5F9FFFF call 004028A4
    :00402EEF 33C0 xor eax, eax
    :00402EF1 8945FC mov dword ptr [ebp-04], eax
    :00402EF4 EB3F jmp 00402F35

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402EE3(C)
    |
    :00402EF6 8B45FC mov eax, dword ptr [ebp-04]
    :00402EF9 33D2 xor edx, edx
    :00402EFB F77308 div [ebx+08]
    :00402EFE 8945FC mov dword ptr [ebp-04], eax
    :00402F01 8B4514 mov eax, dword ptr [ebp+14]
    :00402F04 85C0 test eax, eax
    :00402F06 740A je 00402F12
    :00402F08 8B4514 mov eax, dword ptr [ebp+14]
    :00402F0B 8B55FC mov edx, dword ptr [ebp-04]
    :00402F0E 8910 mov dword ptr [eax], edx
    :00402F10 EB23 jmp 00402F35

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402F06(C)
    |
    :00402F12 3B75FC cmp esi, dword ptr [ebp-04]
    :00402F15 741E je 00402F35
    :00402F17 8B4508 mov eax, dword ptr [ebp+08]
    :00402F1A E885F9FFFF call 004028A4
    :00402F1F 33C0 xor eax, eax
    :00402F21 8945FC mov dword ptr [ebp-04], eax
    :00402F24 EB0F jmp 00402F35

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402ECC(C)
    |
    :00402F26 B867000000 mov eax, 00000067
    :00402F2B E874F9FFFF call 004028A4
    :00402F30 33C0 xor eax, eax
    :00402F32 8945FC mov dword ptr [ebp-04], eax

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00402EF4(U), :00402F10(U), :00402F15(C), :00402F24(U)
    |
    :00402F35 8B45FC mov eax, dword ptr [ebp-04]
    :00402F38 5F pop edi
    :00402F39 5E pop esi
    :00402F3A 5B pop ebx
    :00402F3B 59 pop ecx
    :00402F3C 5D pop ebp
    :00402F3D C21000 ret 0010

    Thanks for your time.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #36
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Sure, I just took a look at it and it's a very fine piece of code indeed.

    Now for the love of god will you stop posting pages of completely uncommented code here, not to mention start following the posting guidelines which people have been trying to get you to understand for the last week or so!?!

  7. #37
    markh51
    Guest
    The reason why it is un-commented is because I don't know what it is, so I was asking if you could tell me whether or not it looked like the CRC checking routine, as placing a BPM over the changed code does not work.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #38
    son of Bungo & Belladonna bilbo's Avatar
    Join Date
    Mar 2004
    Location
    Rivendell
    Posts
    310
    Hi, Markh51,
    a snippet of code with external function calls is really tough to attach.
    Here is anyway an hypothesis...

    Code:
            ; function name:	
            ; get_elements_from_file(arg0, arg1, arg2, arg3)
    	; passed arguments and registers:
    	;	arg0 error on read bytes mismatch
    	;	arg1 function, ReadFile
    	;	arg2 sort of flags, the bits inside [EAX+4] must be set here
    	;	arg3 out address, to put-in the number of elements read, or NULL
    	;	EAX must be the pointer to a structure describing one element:
    	;       +00 field: file handle
    	;       +04 field: sort of flags (16 bits)
    	;       +08 field: element size
    	;	ECX number of elements
    	;	EDX buffer to be filled inside this function
    	; return 0 if ko, else the number of elements retrieved
    
              ; function prolog
    402EB4 push ebp
           mov ebp, esp
           push ecx
           push ebx
           push esi
           push edi
           mov esi, ecx  ; number of elements
           mov edi, edx  ; buffer
    
           mov ebx, eax  ; passed struct pointer
    
              ; check: arg2 flags(?) must have set the bits inside [struct+4] flags
           mov eax, dword ptr [ebp+10]   ; arg2
           movzx edx, word ptr [ebx+04]
           and edx, eax
           cmp eax, edx
           jne 402F26  ; return ko
    
              ; read: must return not-zero
           push 00000000  ; lpOverlapped
           lea eax, dword ptr [ebp-04]
           push eax  ; lpNumberOfBytesRead
           mov eax, dword ptr [ebx+08]  ; elements size
           imul esi
           push eax  ; nNumberOfBytesToRead
           push edi  ; lpBuffer
           mov eax, dword ptr [ebx]
           push eax  ; hFile
           call [ebp+0C]  ; arg1: ReadFile?
              ; check the result
           test eax, eax
           jne 402EF6  ; ok
              ; the read failed
           call 4012A4  ; GetLastError()
           call 4028A4  ; acknowledge_return_code(passed in EAX)
              ; return 0
           xor eax, eax
           mov dword ptr [ebp-04], eax  ; retval
           jmp 402F35  ; return 0 (ko)
    
    402EF6 mov eax, dword ptr [ebp-04]  ; number of bytes read
           xor edx, edx
           div [ebx+08]  ; divide by number of bytes per element
           mov dword ptr [ebp-04], eax  ; retval: number of elements read
    
              ; store the number of elements read if passed address is not null
           mov eax, dword ptr [ebp+14]  ; arg3
           test eax, eax
           je 402F12  ; skip storing result
    		; do the storing
           mov eax, dword ptr [ebp+14]  ; arg3
           mov edx, dword ptr [ebp-04]  ; number of elements
           mov dword ptr [eax], edx
           jmp 402F35  ; return number of elements
    
              ; check if we have got the requested number of elements
    402F12 cmp esi, dword ptr [ebp-04]  ; retval
           je 00402F35  ; return ok (number of elements read)
    
              ; on failure
           mov eax, dword ptr [ebp+08]   ; arg0: error on read bytes mismatch
           call 4028A4  ; acknowledge_return_code(passed in EAX)
              ; return 0(ko)
           xor eax, eax
           mov dword ptr [ebp-04], eax  ; retval
           jmp 00402F35  ; return 0
    
              ; return ko
           mov eax, 00000067
           call 4028A4  ; acknowledge_error_code()
              ; return 0(ko)
           xor eax, eax
           mov dword ptr [ebp-04], eax  ; retval
    
              ; return EBP-4
    402F35 mov eax, dword ptr [ebp-04]  ; retval
    
              ; function epilog
           pop edi
           pop esi
           pop ebx
           pop ecx
           pop ebp
           ret 0010  ; clear the 4 arguments
    So, no CRC checking, as you see.
    Regards, Bilbo.

  9. #39
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,113
    Blog Entries
    5
    Hi markh51

    Could be part of a checksum code, but it could also be your grocery list for all the use it is ;-) We have absolutely no perspective on where this code lays or what it might be doing, and there are probably only 1 or 2 clairvoyants on the forum and they're busy guessing on the stock market. (EDIT: OK, Bilbo must be one of them )

    This is where doing background research on all of the dozens of "CRC" threads, or on any of the subjects you've been trying to tackle lately, beforehand is useful - to give you a better perspective on what to look for. An app might use CreateFile/ReadFile to read a copy of itself in to check it, but it might also use OpenFile, _lopen, _hread, _lcreat, MapViewOfFile, maybe others, so you should also rule these API's out.

    Let's say the app uses ReadFile to copy sections of itself into memory and perform some check on it. The bytes it's checking are in memory somewhere (i.e. the lpBuffer address of ReadFile), NOT on the bytes in the running image file that you tried to set a BPM(R) on. Two different addresses, not surprising it doesn't break.

    Again, you need to approach this slowly and logically. Is ReadFile called only once (reads the whole file), or several times (reads it in sections)? How many bytes does it read in? At what starting address(es) is the file read? And where does it store it?

    If you can you find your patched bytes in the read-in memory, THEN maybe you can set a BPM(R) on that address and see where it takes you. Can't find your patched bytes? How about setting a "tag" you can search for. Assuming your patched code isn't actually run until after the crc check passes (check with BPX/BPM(X)), you might be able to make your "patch" a distinctive character tag you can search for. Say "EMKCUF". Since it's going to fail the check anyway, who cares?

    Keep trying, but remember, engage mind before keyboard...

    Cheers,
    Kayaker

  10. #40
    markh51
    Guest
    Bilbo:

    I am VERY greatful for you going through that piece of code for me even though it was not the routine I was looking for.

    EDITED: Due to the post above being posted as I was typing this one

    Thanks for that Kayaker
    Last edited by markh51; June 17th, 2004 at 05:02.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #41
    markh51
    Guest
    Kayaker:

    Ok, what I done was modified the NTICE string to unique string. I ran the file an sure enough it crashed. So I seached for my string in memory using the S command, and I found a pattern match, so I noted down the memory location and set a "BPM address R" and ran the file again... It did not break, Any ideas why ?

    Cheers.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #42
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Somewhere around the hundredth time you ignore people's tips about what do do, when to post, what to post and how to post, maybe people will start getting really annoyed with you...

    Tha answer to your last question is already explicitly in Kayaker's post above, not to mention the tip of trying to think before you post, not just step-by-step following any detailed instruction you might find anywhere (including misunderstanding it first in half of the cases), and then posting again as soon as it didn't produce a crack for you. Aaargh!

  13. #43
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,113
    Blog Entries
    5
    Quote Originally Posted by markh51
    Ok, what I done was modified the NTICE string to unique string.

    I am using Win95
    HuH?? Just out of curiousity why are you patching the string 'NTICE'?

  14. #44
    markh51
    Guest
    It doesn't matter now, I've found the code which does the CRC check, easily bypassed
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #45
    Stone-D
    Guest
    JMI: Offtopic, appologies. Throughout all my years on the net, from usenet to forums, I've only encountered one admin, on the Mailtraq mailing lists, from whom I dreaded a reply. You have knocked him from that spot. Salute.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Making fun of your...
    By esther in forum Off Topic
    Replies: 0
    Last Post: April 13th, 2014, 09:57
  2. Making a keygen - almost there...
    By ljre24 in forum The Newbie Forum
    Replies: 30
    Last Post: November 20th, 2008, 11:51
  3. Making the change
    By Ryno in forum The Newbie Forum
    Replies: 10
    Last Post: March 14th, 2005, 12:40
  4. Making a asm rip keygen???
    By bik78 in forum Malware Analysis and Unpacking Forum
    Replies: 5
    Last Post: May 14th, 2002, 15:13
  5. SI loader doesn't always break at program start ??
    By Mr. Smith in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: December 5th, 2000, 17:08

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •