
Thread: Missing something in this code...

  1. #1

    Missing something in this code...

    Hey all,

    I'm playing with a target, and came across something I don't quite understand.

    Scenario. App loads, checks current system time, compares it to a value then messageboxes with "Trial Period Expired". I've tracked down to the call that does the check & decision whether the trial is ok or finished. It calls this code:

    Code:
    :00416790 55                      push ebp
    :00416791 8BEC                    mov ebp, esp
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004167FD(C)
    |
    :00416793 83EC08                  sub esp, 00000008
    :00416796 56                      push esi
    :00416797 50                      push eax
    :00416798 B8D3605765              mov eax, 655760D3
    :0041679D 53                      push ebx
    :0041679E BB1C684100              mov ebx, 0041681C
    :004167A3 51                      push ecx
    :004167A4 B955000000              mov ecx, 00000055
    :004167A9 0003                    add byte ptr [ebx], al
    :004167AB 05BE71BDBA              add eax, BABD71BE
    :004167B0 4B                      dec ebx
    :004167B1 C1C00C                  rol eax, 0C
    :004167B4 05EA3B89E8              add eax, E8893BEA
    :004167B9 35F815836E              xor eax, 6E8315F8
    :004167BE 2D5691812D              sub eax, 2D819156
    :004167C3 C1C004                  rol eax, 04
    :004167C6 E2E1                    loop 004167A9
    :004167C8 22FB                    and bh, bl
    :004167CA C20A44                  ret 440A
    When I step into this code and trace it, it simply sits at the loop instruction and, er, loops. When I execute it, it "magically" jumps out of the loop and a messagebox with the trial expired message appears.

    I am absolutely sure that this call (code above) is what causes the MessageBoxA call - if I trace over the code one level above, and step over the call to 416793, the messagebox appears (ie: it's not the next instruction).

    Can anyone give me a pointer of where to go next? Thanks!

  2. #2
    ZaiRoN
    Hi.
    The snippet is a simple decryption routine. It decrypts 55h bytes inside the range 4167C7/41681C starting from 41681C. ebx is the pointer to the current byte to change.

    ZaiRoN

  3. #3
    Naides
    This smells like anti-tracing code:

    Two possibilities: The code knows you are tracing, and, while at it, it just goes round and round.

    OR

    It goes round and round many times so a tracer will quit in despair, then it executes the dirty


    The most suspicious, out of the loop reference is

    :0041679E BB1C684100 mov ebx, 0041681C
    :004167A3 51 push ecx
    :004167A4 B955000000 mov ecx, 00000055
    :004167A9 0003 add byte ptr [ebx], al

    Which brings into the soup memory addresses somewhere else

    Put Break points to the end of the loop, and find out who or what is kept on the [ebx] == 41691C address and perhaps it would help you.

    Satan

  4. #4
    End to start self-decryption routine.

    Note the important point here:
    :0041679E BB1C684100 mov ebx, 0041681C
    :004167A3 51 push ecx
    :004167A4 B955000000 mov ecx, 00000055

    Also notice the apparent "junk" after the loop instruction. RET 440a ?!? where did it use that much stack space?

    :004167C6 E2E1 loop 004167A9
    :004167C8 22FB and bh, bl
    :004167CA C20A44 ret 440A

    dig further and notice that: (your decryption parameters)
    41681c - 55 = 4167c7
    Check whats sits there:

    :004167C6 E2E1 loop 004167A9
    :004167C8 22FB and bh, bl
    :004167CA C20A44 ret 440A

    The very last iteration of the decryption-loop seems to patch the "loop instruction" into something else.

    If you are using softice, try something like :
    BPM 4167C3 X IF (ecx<3)

    and carefully trace (using F8) and watch what's going on live.
    Last edited by doug; July 5th, 2004 at 21:20.
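    The parameters ZaiRoN and doug read out of the listing (initial eax 655760D3, ebx 41681C, ecx 55h, and the add/rol/xor/sub mixing between the store and the loop) are enough to replay the keystream without a debugger. The script below is an added example, not code from the thread or from the target: it emulates the loop's register arithmetic with 32-bit wraparound, applies each AL value downward from 41681C exactly as the loop does (ebx is decremented after every store, so 0x55 stores span 41681C down to 4167C8, the byte immediately after the loop opcode), and provides the inverse (subtract) so a patched block can be re-encrypted. The only ciphertext it knows is the five bytes visible after the loop instruction (22 FB C2 0A 44); the remaining 0x50 bytes of the region are zero filler and the round-trip check uses a constructed plaintext.

```python
MASK = 0xFFFFFFFF

TOP = 0x41681C               # initial ebx: first byte the loop touches
COUNT = 0x55                 # initial ecx: number of iterations
BOTTOM = TOP - COUNT + 1     # 0x4167C8: last byte touched, right after `loop` at 4167C6


def rol32(x, n):
    """x86 ROL on a 32-bit register."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def keystream(count=COUNT, eax=0x655760D3):
    """Replay the register mixing of the loop at 004167A9..004167C6.

    Returns the AL value consumed by `add byte ptr [ebx], al` in each iteration.
    AL is read before the mixing, so the first key byte is 0xD3 (low byte of the
    initial eax) and the key does not depend on the data being decrypted.
    """
    out = []
    for _ in range(count):
        out.append(eax & 0xFF)            # add byte ptr [ebx], al
        eax = (eax + 0xBABD71BE) & MASK   # add eax, BABD71BE
        eax = rol32(eax, 12)              # rol eax, 0C
        eax = (eax + 0xE8893BEA) & MASK   # add eax, E8893BEA
        eax ^= 0x6E8315F8                 # xor eax, 6E8315F8
        eax = (eax - 0x2D819156) & MASK   # sub eax, 2D819156
        eax = rol32(eax, 4)               # rol eax, 04
    return out


def decrypt(region):
    """region: the COUNT bytes at BOTTOM..TOP in ascending address order.

    Iteration k stores to ebx = TOP - k (ebx is decremented once per pass),
    so the loop walks the block from the high address down.
    """
    if len(region) != COUNT:
        raise ValueError(f"expected {COUNT:#x} bytes")
    mem = bytearray(region)
    for k, al in enumerate(keystream()):
        idx = (TOP - k) - BOTTOM
        mem[idx] = (mem[idx] + al) & 0xFF
    return bytes(mem)


def encrypt(region):
    """Inverse of decrypt: subtract the same key bytes in the same order."""
    if len(region) != COUNT:
        raise ValueError(f"expected {COUNT:#x} bytes")
    mem = bytearray(region)
    for k, al in enumerate(keystream()):
        idx = (TOP - k) - BOTTOM
        mem[idx] = (mem[idx] - al) & 0xFF
    return bytes(mem)


# The only ciphertext bytes visible in the listing: 4167C8..4167CC, as the
# disassembler shows them before the loop has run (`and bh, bl` / `ret 440A`).
VISIBLE_TAIL = bytes.fromhex("22FBC20A44")


def decrypt_visible_tail():
    """Decrypt just the five known bytes. The other 0x50 bytes are zero filler
    (constructed, not from the target), so only the first five result bytes mean anything."""
    region = VISIBLE_TAIL + bytes(COUNT - len(VISIBLE_TAIL))
    return decrypt(region)[: len(VISIBLE_TAIL)]


if __name__ == "__main__":
    print("first key bytes:", [f"{b:#04x}" for b in keystream(4)])
    print("bytes at 4167C8 after the loop:", decrypt_visible_tail().hex())
```

    Run the script against a dump of the 0x55 bytes taken before the call (or straight from the file once you know the offsets) and you get the decrypted tail without setting doug's BPM at all; the same script with encrypt() lets you re-protect a block you have patched, if you would rather leave the routine in place than neutralise it.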

  5. #5
    Thanks for the help guys, that clears things up, I will poke at the code some more later today.

    A related question. Now that I know what this code does, I will be able to find the decrypted code & understand what happens. Normally I'd be able to patch some part of the code to prevent the trial from expiring, but I can't do that here.

    So, the question. What is the general/accepted method of patching a prog that encrypts the part of the code you want to patch?

    The code is clearly stored in the exe, just encrypted. So should I dump the unencrypted code, import it back into the app over the top of the encrypted code, kill the decryption routine and replace it with a call to the unencrypted code? If so, what's the best tool to do that (dump the code & import it).

    Just had another thought - I can bpx on MessageBoxA (at which point the code must be decrypted), should I just patch in sice to jmp eip, then procdump it and extract the unencrypted code?

    Thanks for the help, didn't expect this app to be so educational

  6. #6
    dELTA (Administrator)
    So should I dump the unencrypted code, import it back into the app over the top of the encrypted code, kill the decryption routine and replace it with a call to the unencrypted code?
    Yes, that is a good and common way of doing it.


    If so, what's the best tool to do that (dump the code & import it).
    A hex editor with memory editing capabilities will work just fine, e.g. Winhex. Copy the decrypted code from memory and paste into the exe on disk.
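    Pasting the decrypted bytes over the encrypted ones on disk needs one piece of bookkeeping that a hex editor does not do for you: the bytes you copied live at a virtual address, and the file offset to overwrite is found through the section table (VA - ImageBase - VirtualAddress + PointerToRawData). The script below is an added example, not code from the thread or from WinHex: it parses a PE32/PE32+ section table, maps a VA to a raw offset, refuses a span that has no backing bytes in the file or crosses a section boundary, and writes the bytes. The PE it patches is a minimal header built inline for the demo (one .text section at RVA 1000, raw pointer 200, ImageBase 400000, all constructed), not the poster's target.

```python
import struct


def parse_pe(pe):
    """Return (image_base, sections) from a PE32/PE32+ file image.

    sections: list of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
    """
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                   # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                 # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, va, rawsize, rawptr))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """Map a virtual address seen in the debugger to the offset of that byte on disk."""
    rva = va - image_base
    for name, vsize, sva, rawsize, rawptr in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            if delta >= rawsize:
                # Exists only in memory (zero-filled slack): nothing on disk to patch.
                raise ValueError(f"{va:#x} is in {name} but has no backing bytes in the file")
            return rawptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_file_image(pe, va, new_bytes):
    """Overwrite the on-disk bytes that get mapped at va with new_bytes."""
    image_base, sections = parse_pe(pe)
    start = va_to_file_offset(image_base, sections, va)
    end = va_to_file_offset(image_base, sections, va + len(new_bytes) - 1) + 1
    if end - start != len(new_bytes):
        raise ValueError("span crosses a section boundary; patch it in pieces")
    return pe[:start] + bytes(new_bytes) + pe[end:]


def build_demo_pe(image_base=0x400000, text_rva=0x1000, text_raw=0x200, text_size=0x17000):
    """Constructed minimal PE32 header plus a zero-filled .text section (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size,
                      text_raw, 0, 0, 0, 0, 0x60000020)              # code|exec|read
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(text_raw, b"\0")
    return header + bytes(text_size)


if __name__ == "__main__":
    pe = build_demo_pe()
    base, secs = parse_pe(pe)
    # Where decrypted bytes that start at 004167C8 have to go in this demo file:
    print(f"{0x4167C8:#x} -> file offset {va_to_file_offset(base, secs, 0x4167C8):#x}")
    patched = patch_file_image(pe, 0x4167C8, b"\x90" * 5)
    print(patched[0x159C8:0x159CD].hex())
```

    Two caveats that go with the paste: the decryption loop itself must be disabled (or jumped over) afterwards, otherwise it runs again at startup and adds its keystream to bytes that are already plaintext; and the VA you copied is only valid for the ImageBase the module was actually loaded at, so check it against the optional header before trusting the arithmetic.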

  7. #7
    Thanks as always for the advice

  8. #8
    Wow this app is giving me trouble. I successfully got the decrypted code from mem pasted over the actual code, and the app runs fine, so that's good. But I've found another trick.

    I'd appreciate some confirmation here. I think I've found an anti-tracing technique in this code. I follow the code to this:
    Code:
    :00416851 EB10                    jmp 00416863
    That's fine. So I try and follow the call in wdasm, and all hell breaks loose. Looking in the deadlisting, I see this:
    Code:
    :00416861 80AB8B45FC5E8B          sub byte ptr [ebx+5EFC458B], 8B
    :00416868 E55D                    in ax, 5D
    :0041686A C20800                  ret 0008
    That looks really wrong to me, so am I right in thinking this is an anti-trace technique? Making it appear as though the code jumps to the middle of an instruction?

    So to fix it, I traced in sice to check nothing else funny was going on (it wasn't). Sice started showing some odd behaviour (ie: it would show the instruction at 416867 correctly, but when stepped over it "magically" changed to "in eax, 5d").

    I then nop'd the first 2 bytes, to change the deadlist to:
    Code:
    :00416861 90                      nop
    :00416862 90                      nop
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00416851(U)
    |
    :00416863 8B45FC                  mov eax, dword ptr [ebp-04]
    :00416866 5E                      pop esi
    :00416867 8BE5                    mov esp, ebp
    :00416869 5D                      pop ebp
    :0041686A C20800                  ret 0008
    Which (as you can see) has appeared to stop that little problem and let me trace with wdasm.

    So, the questions:
    (1) Am I right in thinking this is an anti-tracing technique?
    (2) Why did sice/wdasm go a bit screwy? Is that normal?
    (3) Have I done the right thing by nop'ing the dummy bytes that were causing the issue, or is there a "proper" way to deal with this?

    Thanks again. I know I'll be posting again, done all this work and still not found the code that does the expiry check

  9. #9
    dELTA (Administrator)
    If the execution reaches an illegal instruction (or whatever else might be included in the description of "all hell breaks loose") when you debug it but not when you don't, I would guess that your tracing is detected at some point prior to actually getting there, thus directing you to the bad code branch several steps earlier. The "proper" way of fixing this would then most likely be to find and neutralize this initial detection, not starting to nop out bytes at the "payload" (even though this _might_ work too, depending on the implementation of it all).

  10. #10
    Hm, I don't think the app has caught me tracing it - I get the same behaviour whether I run it normally, debug it through wdasm or load it through sice.

    Handily in this case the app is pretty stupid - if I turn the system clock back a month, it doesn't expire. Turn it forward a month, it expires. Does that change your answer/thoughts somewhat?

    edit... Ok, I'm struggling with this app. Anyone kind enough to give me a hand via privmsg where I can say the appname? I really want to understand how to beat this...
    Last edited by Silver; July 7th, 2004 at 14:51.

  11. #11
    dELTA (Administrator)
    So, does this problem occur only when the app is expired, or always since you fixed the encrypted code, no matter if it's expired or non-expired?

  12. #12
    weird, just got a message saying "Sorry this forum is not accepting new posts".

    I see the same behaviour in both my patched version and the original version. I don't believe my patches have altered the behaviour of the app. I've been testing it by pasting my patches into a virgin version of the app, then running it on good and expired dates. I see exactly the same behaviour in both patched and virgin exes; the app works as expected.

    I don't have my notes on this app with me at the moment, I'll post further later. Off the top of my head, in C++ terms the app is generating a function pointer somewhere and calling it, which is why I see a call eax instead of a cmp and jne/je etc.

    IM-not-so-experienced-O, this app seems to be heavily obfuscated with parts of the code encrypted that don't appear to be relevant to the protection, maybe to cause a lot of wasted time decrypting the wrong thing...
    Last edited by Silver; July 9th, 2004 at 06:53.

  13. #13
    Panemuckl (Guest)
    Send me your target and I'll have a look at it. PM the link to DL

  14. #14
    what you experienced is commonly referred to as "self modifying code"

    :00416851 EB10 jmp 00416863

    :00416861 80AB8B45FC5E8B sub byte ptr [ebx+5EFC458B], 8B
    :00416868 E55D in ax, 5D
    :0041686A C20800 ret 0008

    Look the jmp target address (416863), and try to find this address in your dead-listing.. it's in the middle of another instruction.

    If you check what's _really_ at 416863 (which is what softice did after you jmp'd to it), it starts with the byte 8B. If you are 100% sure that the bytes that are jumped over are not used, you can effectively NOP them like you did.

    Use a better disassembler, like IDA. Or code yourself a cleaner if you find this annoying.

    And of course, search the board for topics on self modifying code.
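    Post #8 and the reply above describe the same bytes from two sides: a linear sweep from 416861 swallows 80 AB 8B 45 FC 5E 8B as one seven-byte sub, while the jmp at 416851 lands on the 8B at 416863, so the instruction stream the CPU sees starts two bytes later. The script below is an added example, not code from the thread or from W32Dasm: a toy decoder for only the opcodes that occur in the listing (jmp rel8, group-1 Eb,Ib, mov Gv,Ev, pop r32, in eax,imm8, ret imm16, nop) with real ModR/M displacement lengths, run once as a linear sweep and once following control flow. The 14 bytes between the jmp and 416861 are not shown in the thread, so they are NOP filler here (constructed).

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]


def modrm(code, i, size):
    """Decode the ModR/M byte at code[i] (no SIB forms are needed for this listing).

    Returns (reg_field, operand_text, bytes_consumed_including_displacement).
    """
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:
        return reg, REGS[rm], 1
    if rm == 4:
        raise ValueError("SIB byte: not handled by this toy decoder")
    if mod == 0 and rm == 5:                                  # [disp32]
        disp = int.from_bytes(code[i + 1:i + 5], "little")
        return reg, f"{size} ptr [{disp:#x}]", 5
    if mod == 0:                                              # [reg]
        disp, n = 0, 1
    elif mod == 1:                                            # [reg+disp8]
        disp, n = int.from_bytes(code[i + 1:i + 2], "little", signed=True), 2
    else:                                                     # [reg+disp32]
        disp, n = int.from_bytes(code[i + 1:i + 5], "little", signed=True), 5
    if disp == 0:
        ea = f"[{REGS[rm]}]"
    else:
        ea = f"[{REGS[rm]}{'+' if disp > 0 else '-'}{abs(disp):#x}]"
    return reg, f"{size} ptr {ea}", n


def decode_one(code, base, addr):
    """Decode the instruction at addr. Returns (text, length, next_addr);
    next_addr is None after ret, the target after jmp, else the fall-through."""
    i = addr - base
    op = code[i]
    if op == 0x90:
        return "nop", 1, addr + 1
    if op == 0xEB:
        rel = int.from_bytes(code[i + 1:i + 2], "little", signed=True)
        target = addr + 2 + rel
        return f"jmp {target:#x}", 2, target
    if 0x58 <= op <= 0x5F:
        return f"pop {REGS[op - 0x58]}", 1, addr + 1
    if op == 0xE5:
        return f"in eax, {code[i + 1]:#x}", 2, addr + 2
    if op == 0xC2:
        return f"ret {int.from_bytes(code[i + 1:i + 3], 'little'):#x}", 3, None
    if op == 0x80:                                            # group 1, Eb, Ib
        reg, ea, n = modrm(code, i + 1, "byte")
        return f"{GROUP1[reg]} {ea}, {code[i + 1 + n]:#x}", 2 + n, addr + 2 + n
    if op == 0x8B:                                            # mov Gv, Ev
        reg, ea, n = modrm(code, i + 1, "dword")
        return f"mov {REGS[reg]}, {ea}", 1 + n, addr + 1 + n
    raise ValueError(f"opcode {op:#x} at {addr:#x} is outside this toy decoder")


def linear_sweep(code, base, start, end):
    """What a dead-listing disassembler does: decode back to back from start."""
    out, addr = [], start
    while addr < end:
        text, n, _ = decode_one(code, base, addr)
        out.append((addr, n, text))
        addr += n
    return out


def follow_flow(code, base, start):
    """What the CPU (and a debugger) does: take the jmp and decode at its target."""
    out, addr = [], start
    while addr is not None:
        text, n, nxt = decode_one(code, base, addr)
        out.append((addr, n, text))
        addr = nxt
    return out


BASE = 0x416851
# jmp +10h, 14 bytes of constructed NOP filler (not shown in the thread), then
# the bytes the dead listing shows at 416861..41686C.
CODE = bytes.fromhex("EB10") + b"\x90" * 14 + bytes.fromhex("80AB8B45FC5E8BE55DC20800")

if __name__ == "__main__":
    for addr, n, text in linear_sweep(CODE, BASE, 0x416861, BASE + len(CODE)):
        print(f"sweep {addr:08x} {CODE[addr - BASE:addr - BASE + n].hex():16} {text}")
    for addr, n, text in follow_flow(CODE, BASE, BASE):
        print(f"flow  {addr:08x} {CODE[addr - BASE:addr - BASE + n].hex():16} {text}")
```

    The sweep reproduces the three lines Silver saw in the dead listing; the flow pass reproduces what SoftICE showed once the jmp was taken. NOPing the two skipped bytes, as Silver did, simply makes both passes agree, which is harmless if nothing else ever jumps to 416861; a flow-following disassembler (IDA, or undefining the bytes and re-making code at the jump target) reaches the same result without touching the file.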

  15. #15
    Panemuckl (Guest)
    Polymorphic as I expected. A lot of protection for a crappy piece of shit like
    this. It has several anti-debug checks (better than IsDebuggerPresent) and
    creates a thread of itself (similar to unpacking), that's executed after
    creation. So forget WinDasm, you have to use Soft-Ice / Olly.

    BTW you don't even have to crack it. Just delete all associated registry keys*
    and re-install it after trial.

    *) check @ HKEY_CURRENT_USER\Software\<Name of UnH Crappy Solutions>

    I've uploaded a nag free copy of your target. Check your PM for the URL.

    Enjoy
    Last edited by Panemuckl; July 9th, 2004 at 12:20.
