
Thread: dongle app written in dos

  1. #16
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    KS:
    Answer #1:
    A crash lesson in memory addressing for 16-bit code.
    In those times, the biggest number that a register could hold was a 'word', hex FFFF or dec 65535.
    Programs grew a lot bigger than that, so, to be able to define an address in the code, or in the data, it was necessary to use more than one register.
    That scheme of addressing was called segmented memory or Segment:Offset.

    So when you are referring to a given line of code, the address is a composite of the CS (Code Segment) and an offset which measures the distance from the beginning of the CS.

    For instance
    FE2E:377C

    The segment FE2E defines an area in memory that is 65535 bytes long,
    located at FE2E0 bytes from 0. The segment goes from FE2E:0000 to FE2E:FFFF.
    FE2E:377C refers to the instruction located 377C bytes above FE2E:0000, which is FE2E0 bytes from memory 0000:0000.

    When you are dealing with data, the base address (Segment Address) is contained in the register DS (Data Segment) or the register ES (Extra Segment).
    To make things worse, this segmented concept of memory was designed to address only 1 megabyte of memory (hex FFFFF).

    For instance, the byte pointed to by the Segment:Offset address 0000:0011 is located 11 bytes from 00000; it could also be pointed to by the address 0001:0001, located 1 byte above 00010. Segmented addressing has a lot of overlap.
    The difference between segment 0000 and segment 0001 is only hex 10 or dec 16 bytes (a 'paragraph').


    Fucking confusing.

    With the advent of 32-bit CPUs and OSes came the flat memory model, in which a memory address fits in a 32-bit register with a max value of FFFFFFFF or 4 gigabytes. You can refer to any place in memory using a single register. Data Segment (DS), Extra Segment (ES), Code Segment (CS), FS and GS acquired a whole new meaning and are for the most part used just as shortcuts (Selectors) to get to specific areas in a simple (Flat) memory space address, and also to facilitate the virtual and protected memory architecture of the Windows OS.


    #2
    In 16-bit apps, the CS (that FE2E: part) is assigned and calculated dynamically when the app is loaded. A disassembly will not contain that CS address; only the offset is reliable.
    Also, the FE2E: address you are seeing is in the high memory area, which belongs to the (DOS) operating system. The code that you are tracing is not in your app but in DOS.
    You need to use the DLDR.exe to load your app and to land inside your app code.

    I assume you are using Sice right now, right?

    You need to open a DOS window
    (by using the run-> cmd option at your start menu.)


    Navigate, using DOS commands to your \util16 folder

    In DOS window, invoke DLDR.exe followed by the path and name of the app you want to debug (All by sheer typing, welcome to DOS)

    like at the prompt c:\Program Files\Compuware\Driverstudio\SoftIce\Util16>

    Type:

    DLDR c:\some folder\myappfolder\target.exe

    Sice will popup at the entry point of your app code.
    You can check and see that the Disasm and the Sice code coincide.
    Last edited by naides; January 27th, 2006 at 21:50.
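As an added worked example (not the poster's code), the Segment:Offset arithmetic from Answer #1 carried through on the thread's own addresses; the a20_enabled switch is my own addition, there to show both the 8086 wrap-around and the 286-and-later high-memory case for FE2E:377C:

```python
# Added example (not from the thread): real-mode Segment:Offset arithmetic as
# explained in Answer #1, worked on the addresses quoted there.
MEGABYTE = 1 << 20      # the 8086 drives 20 address lines: 00000 .. FFFFF
PARAGRAPH = 16          # neighbouring segment values are 16 bytes apart


def parse(addr):
    """Split 'SSSS:OOOO' (as Sice prints it) into two 16-bit integers."""
    seg_txt, off_txt = addr.split(":")
    seg, off = int(seg_txt, 16), int(off_txt, 16)
    if not (0 <= seg <= 0xFFFF and 0 <= off <= 0xFFFF):
        raise ValueError("segment and offset must each fit in a 16-bit word: " + addr)
    return seg, off


def linear(addr, a20_enabled=False):
    """Physical address = segment * 16 + offset.

    The sum can reach 10FFEF, past the 1 MB the 8086 can address.  An 8086
    wraps it around to the bottom of memory; a 286 or later with the A20
    line enabled really reaches those bytes (the 'high memory area' the
    thread says FE2E:xxxx lives in).  a20_enabled is a switch added here,
    not a CPU register, to show both behaviours side by side.
    """
    seg, off = parse(addr)
    phys = seg * PARAGRAPH + off
    return phys if a20_enabled else phys % MEGABYTE


def normalize(addr):
    """Canonical form with offset < 16, so aliases of one byte compare equal as text."""
    phys = linear(addr)
    return "%04X:%04X" % (phys // PARAGRAPH, phys % PARAGRAPH)


def same_byte(a, b):
    """True when two Segment:Offset pairs alias the same physical byte."""
    return linear(a) == linear(b)


def segment_span(seg):
    """First and last physical byte reachable with a fixed segment value (before any wrap)."""
    return seg * PARAGRAPH, seg * PARAGRAPH + 0xFFFF


if __name__ == "__main__":
    print(hex(linear("0000:0011")), hex(linear("0001:0001")))      # same byte, 0x11
    print(normalize("0000:0011"))                                  # 0001:0001
    print(hex(linear("FE2E:377C")), hex(linear("FE2E:377C", True)))  # wrapped vs HMA
    print("%05X..%05X" % segment_span(0xFE2E))
```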

  2. #17
    ksbrace (Guest)
    Ok, I found a couple of places that may/may not be of interest in the app. My problem is this....in SI, I see 0DDB:00B3 as a line where I would like to modify. In W32DASM, the same line looks like: 0001.00B3. In HIEW, I can't find the line. I performed searches looking for both (0DDB and 0001). Any help on this would be great! Thanks in advance.

    Code:
    Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.003F(C)
    |
    :0001.0037 F2                     repnz
    :0001.0038 AE                     scasb
    :0001.0039 E343                   jcxz 007E
    :0001.003B 43                     inc bx
    
    :0001.003C 2638                   WORD 3826
    :0001.003E 0575                   WORD 7505
    :0001.0040 F680                   WORD 80F6
    :0001.0042 CD80                   WORD 80CD
    :0001.0044 F7D9                   WORD D9F7
    :0001.0046 890E                   WORD 0E89
    :0001.0048 7400                   WORD 0074
    :0001.004A B902                   WORD 02B9
    :0001.004C 00D3                   WORD D300
    :0001.004E E383                   WORD 83E3
    :0001.0050 C310                   WORD 10C3
    :0001.0052 83E3                   WORD E383
    :0001.0054 F089                   WORD 89F0
    :0001.0056 1E78                   WORD 781E
    :0001.0058 008C                   WORD 8C00
    :0001.005A D22B                   WORD 2BD2
    :0001.005C EABF                   WORD BFEA
    :0001.005E F23D                   WORD 3DF2
    :0001.0060 8EC7                   WORD C78E
    :0001.0062 268B                   WORD 8B26
    :0001.0064 3E86                   WORD 863E
    :0001.0066 0B81                   WORD 810B
    :0001.0068 FF00                   WORD 00FF
    :0001.006A 0273                   WORD 7302
    :0001.006C 08BF                   WORD BF08
    :0001.006E 0002                   WORD 0200
    :0001.0070 2689                   WORD 8926
    :0001.0072 3E86                   WORD 863E
    
    :0001.0074 0BB104D3               or si, [bx+di+D304]
    :0001.0078 EF                     out dx, ax
    :0001.0079 47                     inc di
    :0001.007A 3BEF                   cmp bp, di
    :0001.007C 7305                   jnb 0083
    :0001.007E 90                     nop
    :0001.007F 0E                     push cs
    :0001.0080 E80058                 call 5883
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.007C(C)
    |
    :0001.0083 8BDF                   mov bx, di
    :0001.0085 03DA                   add bx, dx
    :0001.0087 891E8400               mov [0084], bx
    :0001.008B 891E8800               mov [0088], bx
    :0001.008F A17A00                 mov ax, word ptr [007A]
    :0001.0092 2BD8                   sub bx, ax
    :0001.0094 8EC0                   mov es, ax
    :0001.0096 B44A                   mov ah, 4A
    :0001.0098 57                     push di
    :0001.0099 CD21                   int 21
    :0001.009B 5F                     pop di
    :0001.009C D3E7                   shl di, cl 
    :0001.009E FA                     cli
    :0001.009F 8ED2                   mov ss, dx
    :0001.00A1 8BE7                   mov sp, di
    :0001.00A3 FB                     sti
    :0001.00A4 B8F23D                 mov ax, 3DF2
    :0001.00A7 8EC0                   mov es, ax
    :0001.00A9 26893E860B             mov es:[0B86], di
    :0001.00AE 833EF40514             cmp word ptr [05F4], 0014
    :0001.00B3 7649                   jbe 00FE
    :0001.00B5 803E7C0003             cmp byte ptr [007C], 03
    :0001.00BA 7242                   jb 00FE
    :0001.00BC 7707                   ja 00C5
    :0001.00BE 803E7D001E             cmp byte ptr [007D], 1E
    :0001.00C3 7239                   jb 00FE
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0001.00BC(C)
    |
    :0001.00C5 B80158                 mov ax, 5801
    :0001.00C8 BB0200                 mov bx, 0002
    :0001.00CB CD21                   int 21
    :0001.00CD 722A                   jb 00F9
    :0001.00CF B467                   mov ah, 67
    :0001.00D1 8B1EF405               mov bx, [05F4]
    :0001.00D5 CD21                   int 21
    :0001.00D7 7220                   jb 00F9
    :0001.00D9 B448                   mov ah, 48
    :0001.00DB BB0100                 mov bx, 0001
    :0001.00DE CD21                   int 21
    :0001.00E0 7217                   jb 00F9
    :0001.00E2 40                     inc ax
    :0001.00E3 A38C00                 mov word ptr [008C], ax
    :0001.00E6 48                     dec ax
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0001.FFEB(U), :0001.FFF3(U)
    |
    :0001.00E7 8EC0                   mov es, ax
    :0001.00E9 B449                   mov ah, 49
    :0001.00EB CD21                   int 21
    :0001.00ED 720A                   jb 00F9
    :0001.00EF B80158                 mov ax, 5801
    :0001.00F2 BB0000                 mov bx, 0000
    :0001.00F5 CD21                   int 21
    :0001.00F7 7305                   jnb 00FE
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0001.00CD(C), :0001.00D7(C), :0001.00E0(C), :0001.00ED(C)
    |
    :0001.00F9 90                     nop
    :0001.00FA 0E                     push cs
    :0001.00FB E88557                 call 5883
    
    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0001.00B3(C), :0001.00BA(C), :0001.00C3(C), :0001.00F7(C)
    |
    :0001.00FE 33ED                   xor bp, bp
    :0001.0100 55                     push bp
    :0001.0101 90                     nop
    :0001.0102 0E                     push cs
    :0001.0103 E88069                 call 6A86
    :0001.0106 58                     pop ax
    :0001.0107 2E8E066002             mov es, cs:[0260]
    :0001.010C BEA80E                 mov si, 0EA8
    :0001.010F BFEA0E                 mov di, 0EEA
    :0001.0112 E8C600                 call 01DB
    :0001.0115 FF367200               push word ptr [0072]
    :0001.0119 FF367000               push word ptr [0070]
    :0001.011D FF366E00               push word ptr [006E]
    :0001.0121 FF366C00               push word ptr [006C]
    :0001.0125 FF366A00               push word ptr [006A]
    :0001.0129 9AE390800A             call 0A80:90E3<-- brings up 'Security missing' msg
    :0001.012E 50                     push ax
    :0001.012F 90                     nop
    :0001.0130 0E                     push cs
    :0001.0131 E8E856                 call 581C
    
    * Referenced by a CALL at Address:
    |:0001.57E7
    |
    :0001.0134 2E8E066002             mov es, cs:[0260]
    :0001.0139 56                     push si
    :0001.013A 57                     push di
    :0001.013B BEEA0E                 mov si, 0EEA
    :0001.013E BF020F                 mov di, 0F02
    :0001.0141 E8DB00                 call 021F
    :0001.0144 5F                     pop di
    :0001.0145 5E                     pop si
    :0001.0146 CB                     retf
    So, I thought that these references may be the key to circumventing the security based on the call that produces the error msg....or not:
    :0001.00B3(C), :0001.00BA(C), :0001.00C3(C), :0001.00F7(C)

    Does it seem like I'm on the right track or not?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #18
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    Hi KS.
    You are certainly making progress.
    1. You can test whether changing those jmps indeed bypasses the protection by changing them in Sice before they execute:

    Type in Sice:

    A (for Assemble) 0DDB:0083

    then type the new instruction you want in its place

    jmps 00C5 (jmps means jmp short)

    To find your code in HIEW for permanent patching

    Do not rely on the code addresses. Use the search F7 function and enter a pattern of 10 to 14 bytes around the instruction you want to change.
    Code:
    :0001.00A9 26893E860B             mov es:[0B86], di
    :0001.00AE 833EF40514             cmp word ptr [05F4], 0014
    :0001.00B3 7649                   jbe 00FE
    Strike <F7>: 26 89 3E 86 08 83 3E F4 and you should land near the code. Then patch away.
    Last edited by naides; February 1st, 2006 at 00:40.

  4. #19
    ksbrace (Guest)
    Can you tell me if the hiew demo has the search disabled? I have searched for strings that I can see in the window and it says "Target not found".

    On another note, I type in:
    A 0DDB:00B3 and hit enter, sice asks me for the instructions and I'm not sure what I want to type in: For instance, if 00B3 is jbe 00FE and it doesn't jump, I was going to make it a ja 00FE so it should jump. I tried typing in: 77 00FE and 0F87 00FE but sice is not happy with those commands. Thanks,
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #20
    SiGiNT (reknihT esreveR; Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    If it works like Olly, type in ja 00FE

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #21
    ksbrace (Guest)
    SigiNT,
    Thanks for the tip, works like Olly! Unfortunately, the changes I made (:0001.00B3(C), :0001.00BA(C), :0001.00C3(C), :0001.00F7(C)) relating to 0001.0129 would eventually send me to 00F9, which is the 'abnormal program termination' msg. I tried to work around that, but it sent me to 0001.0099, which is also the same as 0129: the 'Security missing' msg.

    So, back to the drawing board.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #22
    ksbrace (Guest)
    FYI,
    HIEWDemo has the search disabled...or at least it doesn't search. F7 will bring up the search field, but it never finds anything. The full version, however, does search correctly.

    Here's a thought, but it seems like cheating.... I have access to the dongle. So, I thought about comparing the code with the dongle to the code without the dongle and see where it goes.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #23
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    In war, everything goes.

    If you can find this tut

    Cracking 99% of all Time Trials - Written by Mushy

    It is somewhere in Krobar's collection

    It will give you inspiration on how to save the traces with and without the dongle and zero in on the critical decision points.

  9. #24
    ksbrace (Guest)
    Naides,
    Found the tut with little trouble. Now that seems like a great plan of attack. Question removed because JMI thought I should have just asked google instead of Naides

    Thanks,
    Last edited by ksbrace; February 1st, 2006 at 16:04.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  10. #25
    ksbrace:

    Do you do ANY of your own basic research??? Put "saving log window ollydbg" (without the quotes) in your favorite search engine and read for yourself what you want to know about how to use the tools of the trade.

    Here's another hint for the lazy. Search for "What's new in OllyDbg" (without the quotes) and actually READ IT!

    Regards,
    JMI

  11. #26
    SiGiNT (reknihT esreveR; Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    Quote Originally Posted by ksbrace
    FYI,
    Here's a thought, but it seems like cheating.... I have access to the dongle. So, I thought about comparing the code with the dongle to the code without the dongle and see where it goes.
    If you are truly industrious and a bit of an entrepreneur in your work, then you may want to check out a thread from about 2 years ago on "how to build a dongle emulator", written by a kid but quite amazing work, and worth it in my view. Don't search the string quoted above; "dongle+building" would be my guess as a start.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  12. #27
    ksbrace (Guest)
    Ok, I have tried to log the 16-bit app in Sice, but with no success. The regular Symbol Loader wants a 32-bit app. Inside Sice there is a directory called util16 and inside that there is WDLR.exe, which is supposedly a symbol loader. When I bring up the help for wdlr, it states to browse for my exe and hit the load button; the load button is never enabled and I get a message at the bottom of the window "SoftICE is not loaded". That message is not correct, because Sice is loaded. I can ctrl-d and it pops up. I have also tried going to the start menu and starting SoftICE just prior to bringing up wdlr.exe and it still says it's not loaded. I did see some threads referring to the 'cracking trials 99% of time by mushy', but they are using older versions of everything, as well as a thread relating to icedump. So, does anyone have experience in logging a 16-bit app in Sice?

    I went and grabbed the dongle from the bowling alley. It's a Sentinel Scribe parallel dongle.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #28
    SiGiNT (reknihT esreveR; Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    Interesting, my guess would have been Sentinel Rainbow, because of the dll you mentioned. Is it beige in color or teal green? Not that it makes much difference unless you are writing an emulator; for the teal ones there are no standard emulators, they were created for custom applications.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  14. #29
    ksbrace (Guest)
    SiGiNT,
    It is beige in color.....And it says Rainbow Technologies across the top and Sentinel Scribe on the bottom. I grabbed the sentinel medic from their website and it recognized it as a Scribe.
    Last edited by ksbrace; February 2nd, 2006 at 18:04.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #30
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    Quote Originally Posted by ksbrace
    Ok, I have tried to log the 16-bit app in Sice, but with no success. The regular Symbol Loader wants a 32-bit app.

    I went and grabbed the dongle from the bowling alley. It's a Sentinel Scribe parallel dongle.

    The loader for DOS apps is DLDR.exe,
    not Symbol Loader, not WDLR.exe.
    When you use DLDR, Sice breaks at the entry point.

    But now that you mention it, you NEED the Loader32 to be able to save the run-trace. . .

    Oh, fuck.

    UNLESS you find a way to make Sice save the log without the Symbol Loader, the strategy depicted by Mushy will not fly verbatim, but the CONCEPT is still valid.

    Well, you always have paper and pencil

    One more thing. In Windows, API calls are the way of life. DOS predates that. The gross equivalent to API calls are interrupts, typically int 21.

    I may be wrong, but in Linux the gross equivalents are 'System Calls'.

    SOOOO.
    Do not expect to find ANY API calls; you can search for the most typical DOS and BIOS interrupts on the net, so you know what is going on.
    Last edited by naides; February 2nd, 2006 at 18:28.
