Help a newbie please

First timers and new learners, this forum is for you. Please use the search function to see if your question has already been answered.
Alph

Help a newbie please

Post by Alph »

Hi,

I am new to reverse engineering, but have been programming for some time already. I just installed SoftIce and looked at the innards of Tabledit, and I'd be grateful for a few answers.

Tabledit is shareware protected by serial number registration.
It's at www.tabledit.com

What I did, roughly:

I break on GetDlgItem. I see that there are 2 of those, getting username and password, and storing them in fixed memory locations.

Then a first call, which I will go into in more detail below.

Then a second call, which looks to me like it is just doing some cleanup with windows.

Then I go into the kernel/_freqasm stuff.

What is happening here? Am I right in thinking that windows is now taking care of another thread and doing some window management? Or is tabledit calling those? Or triggering those with a semaphore maybe?

Anyway.. then another call, I see that it is some window stuff, and that a window is refreshed with Table edit 2.60 demo.. so I guess the checking for the correct serial was above.. maybe?

Then more freqasm/kernel/user..

Are there some debug files for the windows dlls that I can give to SoftIce to see what is happening better?

Then back to tabledit, back to freqasm/kernel/user, and I finally arrive at an event server loop (I think... made of TranslateAccelerator, TranslateMessage and DispatchMessageA), which makes me sure that the program decided now that my password was no good.

So back to the first call.

I see that it does first some register access, creates an entry with my username and password.

I'd expect the program to do that after it has validated my password... any idea why it happens before? (or maybe I did not see the validation?)

Then the program does some length calculation, checks if the username is not User, Registered, or Chafe (?)

Then it changes the first letter of the username to a capital..

It tries now to convert the password to a hex number at some point, which makes me believe that the password is a hex number.

Then a few other things happen, which I do not totally understand.. and then we are back in the main program..

If someone would care to see if I understand (at least something...) correctly, and give me a hint where the actual validation of the password takes place, I'll be thankful.

Also (yes I'm full of questions..) can I quickly go back to the main program when windoze decides to do kernel/user/freqasm stuff?

Is there a way to see the stack more easily than displaying memory, then looking at how the pointers/data items were entered and writing it down?

Why does SoftIce give me some addresses with segments, like
1234:004654567?

I thought that with a 32-bit app, segments/offsets were not used anymore?

Do some segments still have a meaning?

Thanks!
Fake51
Senior Member
Posts: 217
Joined: Fri Oct 27, 2000 9:30 am

Post by Fake51 »

Why does SoftIce give me some addresses with segments, like
1234:004654567?

The segment:offset has indeed been abandoned. Instead, what you're looking at is selector:offset. The idea is that, under protected mode, there is a table in memory which holds a number of selectors. Each selector has a number of characteristics, such as privilege level, base address, addressing mode, and so on. So instead of having to translate the segment and offset to get a real address, now you're just looking at a flat address that's added to a base address by the CPU. Look into protected mode if you want to know more.

Fake

Edit: hate those frigging smileys when they turn up in the wrong place.... segment:offset
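As an added illustration of the selector:offset point above (example code written for this page, not from the thread, from SoftIce or from Windows): a 16-bit selector carries a descriptor-table index, a table indicator and a requested privilege level; the CPU looks the descriptor up and adds its base to the offset to get the linear address. With the flat segments a 32-bit OS uses (base 0), the offset already is the linear address, which is why the selector prefix SoftIce prints can usually be ignored; a segment with a non-zero base is where it matters. The descriptor table, the selector values and the function names here are constructed for the example, not the real Windows GDT.

```c
/* Added example: decoding a protected-mode selector and turning
 * selector:offset into a linear address. The descriptor table below is
 * constructed for illustration; it is not Windows' real GDT. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t base;   /* where the segment starts in linear memory */
    uint32_t limit;  /* highest valid offset (toy: byte granularity only) */
    unsigned dpl;    /* descriptor privilege level, 0 (kernel) .. 3 (user) */
} descriptor_t;

/* Constructed table. A 32-bit OS makes code/data segments "flat": base 0,
 * limit 4 GB, so the offset already is the linear address. Entry 5 shows a
 * segment with a non-zero base, where the selector prefix actually matters. */
static const descriptor_t toy_gdt[] = {
    {0x00000000, 0x00000000, 0},  /* 0: null descriptor, never usable */
    {0x00000000, 0xFFFFFFFF, 0},  /* 1: ring-0 code, flat */
    {0x00000000, 0xFFFFFFFF, 0},  /* 2: ring-0 data, flat */
    {0x00000000, 0xFFFFFFFF, 3},  /* 3: ring-3 code, flat */
    {0x00000000, 0xFFFFFFFF, 3},  /* 4: ring-3 data, flat */
    {0x7FFDE000, 0x00000FFF, 3},  /* 5: small ring-3 segment with a base */
};
#define TOY_GDT_ENTRIES (sizeof toy_gdt / sizeof toy_gdt[0])

/* Selector layout (16 bits): bits 0-1 RPL, bit 2 table indicator
 * (0 = GDT, 1 = LDT), bits 3-15 descriptor index. */
unsigned sel_index(uint16_t sel) { return sel >> 3; }
unsigned sel_ti(uint16_t sel)    { return (sel >> 2) & 1u; }
unsigned sel_rpl(uint16_t sel)   { return sel & 3u; }

/* Translate selector:offset to a linear address. On success *ok is 1 and
 * the address is returned; on a null selector, an out-of-range index, an
 * LDT selector (the toy has no LDT) or an offset past the limit, *ok is 0
 * (real hardware would raise #GP). */
uint32_t linear_address(uint16_t sel, uint32_t offset, int *ok) {
    unsigned idx = sel_index(sel);
    *ok = 0;
    if (sel_ti(sel) != 0) return 0;
    if (idx == 0 || idx >= TOY_GDT_ENTRIES) return 0;
    if (offset > toy_gdt[idx].limit) return 0;
    *ok = 1;
    return toy_gdt[idx].base + offset;
}

/* Helpers for checks: does sel:offset map to expect, or does it fault? */
int maps_to(uint16_t sel, uint32_t offset, uint32_t expect) {
    int ok;
    uint32_t lin = linear_address(sel, offset, &ok);
    return ok && lin == expect;
}
int faults(uint16_t sel, uint32_t offset) {
    int ok;
    (void)linear_address(sel, offset, &ok);
    return !ok;
}

int main(void) {
    /* Constructed selector:offset pairs in the style SoftIce prints them. */
    uint16_t sels[] = {0x001B, 0x002B, 0x0000, 0x002B, 0x001F};
    uint32_t offs[] = {0x00401000, 0x00000018, 0x00401000, 0x00002000, 0x10};
    for (size_t i = 0; i < sizeof sels / sizeof sels[0]; ++i) {
        int ok;
        uint32_t lin = linear_address(sels[i], offs[i], &ok);
        printf("%04X:%08" PRIX32 "  index=%u ti=%u rpl=%u  -> %s %08" PRIX32 "\n",
               (unsigned)sels[i], offs[i], sel_index(sels[i]), sel_ti(sels[i]),
               sel_rpl(sels[i]), ok ? "linear" : "fault ", lin);
    }
    return 0;
}
```

Selector 0x001B decodes to index 3, RPL 3: a flat ring-3 segment, so 001B:00401000 is simply linear 0x00401000. Selector 0x002B (index 5) has a base, so 002B:00000018 is 0x7FFDE018, and an offset beyond the 0xFFF limit faults rather than translating.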
least

Post by least »

Hi,
I'm quite new too, but I hope I can give you some hints. First of all, is your target packed?
If not, try to disassemble it (IDA is great); it can give you some valuable info that you can hardly find in a debugger (like cross-references).
If it is packed, first try to unpack it and continue with the step mentioned above. Icedump is a big help too, both for unpacking and for its tracex command, which can help you with the freqasm stuff. And the last hint: try using bpm on the password and name addresses with option rw; it will tell you when the program reads or writes them (maybe bpr can help too, but it will slow your machine).
Hope it helps.
Regards
least
Fake51
Senior Member
Posts: 217
Joined: Fri Oct 27, 2000 9:30 am

Post by Fake51 »

Some hints:
- To break this one, use bpm's on name and serial. The calc'ing of the serial is all over the exe, not just in one place.
- Use your disassembler and search for "unregistered". One place pops up, and lo and behold, what do you find just before that? The magic memory check.
- Adding these two, your tactic might be: figure out where the flag is set, and how it relates to the name and serial. In other words: go debug!

The programmer has made the job easier: hardcoded offsets, and only one place where he modifies the flag. Shouldn't be too hard ;)

Fake
naides
Posts: 1655
Joined: Sat Jan 12, 2002 12:00 pm
Location: Planet Earth

Re: Help a newbie please

Post by naides »

Originally posted by Alph
Hi,

I am new to reverse engineering, but have been programming for some time already. I just installed SoftIce and looked at the innards of Tabledit, and I'd be grateful for a few answers.

Tabledit is shareware protected by serial number registration.
It's at www.tabledit.com

What I did, roughly:

I break on GetDlgItem. I see that there are 2 of those, getting username and password, and storing them in fixed memory locations.

GOOD. NOW PUT A BPR ON THOSE LOCATIONS, SO ANY TIME YOUR PROGRAM READS THEM, MORE THAN LIKELY FOR VALIDATION PURPOSES, YOU WILL KNOW.

Then a first call, which I will go into in more detail below.

Then a second call, which looks to me like it is just doing some cleanup with windows.

Then I go into the kernel/_freqasm stuff.

IT IS NOT UNUSUAL FOR THE FLOW OF CODE TO GO THROUGH KERNEL, USER, ETC. CODE DURING THE FLOW OF THE PROGRAM. USUALLY, WHAT HAPPENS THERE IN THE WINDOWS DLLS IS NOT RELEVANT FOR YOUR CRACKING, BUT OCCASIONALLY IT IS. AT FIRST, DO NOT SPEND TOO MUCH TIME ANALYSING WHAT THE KERNEL CODE DOES.

What is happening here? Am I right in thinking that windows is now taking care of another thread and doing some window management? Or is tabledit calling those? Or triggering those with a semaphore maybe?

EITHER/OR.

Anyway.. then another call, I see that it is some window stuff, and that a window is refreshed with Table edit 2.60 demo.. so I guess the checking for the correct serial was above.. maybe?

NOW YOU HAVE A GENERAL HYPOTHESIS THAT THE SERIAL VALIDATION TOOK PLACE BEFORE THIS PIECE OF CODE.

Then more freqasm/kernel/user..

Are there some debug files for the windows dlls that I can give to SoftIce to see what is happening better?

YES, THEY ARE AVAILABLE ON THE MICROSOFT SITE. AND NO, THEY DO NOT HELP UNDERSTAND WHAT YOUR APP IS DOING, ONLY WHAT THE KERNEL IS DOING, AND YOU DO NOT WANT TO DEBUG THE KERNEL OR THE USER32 DLL, DO YOU?

Then back to tabledit, back to freqasm/kernel/user, and I finally arrive at an event server loop (I think... made of TranslateAccelerator, TranslateMessage and DispatchMessageA), which makes me sure that the program decided now that my password was no good.

So back to the first call.

I see that it does first some register access, creates an entry with my username and password.

YOU ARE WARM.

I'd expect the program to do that after it has validated my password...

NOT NECESSARILY.

any idea why it happens before? (or maybe I did not see the validation?)

IT MAY STORE THE PASSWORD, GOOD OR BAD, AND DO THE ANALYSIS LATER.

NOTE WHERE THAT ENTRY IS LOCATED, AND TRY TO BREAK SOFTICE (bpr, bpm?) WHEN THAT ENTRY IS READ. I AM NOT SURE WHAT YOU MEAN BY ENTRY: REGISTRY ENTRY OR MEMORY LOCATION ENTRY.

Then the program does some length calculation, checks if the username is not User, Registered, or Chafe (?)

I WOULD TRY INPUTTING THOSE STRINGS AS USER NAMES AND SEE WHAT HAPPENS.

Then it changes the first letter of the username to a capital..

It tries now to convert the password to a hex number at some point, which makes me believe that the password is a hex number.

IS IT DIRECTLY CONVERTING A STRING INTO A HEX NUMBER, OR IS IT MAKING A HASH OF THE PASSWORD? . . .

Then a few other things happen, which I do not totally understand..

I THINK YOU SHOULD TRY TO GO SLOW HERE, IT SMELLS LIKE THE VALIDATION ROUTINE MAY BE CLOSE. PUT A BPM ON THE ADDRESS OF THE HEX EQUIVALENT OF YOUR PASSWORD, SO YOU CAN TELL WHEN THE CODE READS IT.

and then we are back in the main program..

THE VALID/NOT VALID INFO MAY HAVE BEEN PLACED IN A FLAG, IN MEMORY OR IN A REGISTER, DURING THE VALIDATION ROUTINE (THAT YOU HAVE NOT ISOLATED YET).

If someone would care to see if I understand (at least something...) correctly, and give me a hint where the actual validation of the password takes place, I'll be thankful.

Also (yes I'm full of questions..) can I quickly go back to the main program when windoze decides to do kernel/user/freqasm stuff?

F12 (PRET) GOES FASTER.

Is there a way to see the stack more easily than displaying memory, then looking at how the pointers/data items were entered and writing it down?

THE WS COMMAND OPENS A WINDOW FOR THE CALL STACK. OTHERWISE, LEARN TO USE THE 4 DIFFERENT DATA WINDOWS SICE PROVIDES AND KEEP ONE POINTED TO ESP.

Why does SoftIce give me some addresses with segments, like
1234:004654567?

I thought that with a 32-bit app, segments/offsets were not used anymore?

Do some segments still have a meaning?

Thanks!

UPPERCASE WAS USED TO MARK MY COMMENTS, NOT TO SCREAM
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Hi All,

I like the purely theoretical approach to this, an unknown and difficult problem, helpful wise reversing suggestions to solve it, resulting from a good description of the problem. Makes for a hell of a more interesting thread than another crack patch upload. Someone mentioned this forum getting duller and duller by the day? Lol, truer words have never been spoken my friend :D

Anyway, this is fun reading because there is one more piece to the puzzle. Everything said were excellent suggestions which will get you to the inevitable fact that there is no solution to this problem. Keep this possibility in mind always and be suspicious when approaching a reversing problem.

Your analysis of the general code flow and the curious returns to kernel code were correct, and you were right in thinking this didn't seem right. Keying in on TranslateMessage to know you've gone too far in code was a good trick, as is always using an API monitor, which will often pick up the exact code you're looking for.

Getting to know API code flow and the general way in which the kernel handles program calls is important, especially to be able to recognize when the code isn't behaving as you think it should. You were expecting at least one more call to validate your s/n and it seemed to never be made, always returning control to kernel code. Well, I'm afraid that's actually the answer, I guarantee you won't find the s/n check because it doesn't even exist in this particular target.

This is a good target to try to uncripple the features and remove the watermarking, but the serial number routine is entirely fake I promise you. Confuse-A-Cracker code. Everybody remember the Monty Python sketch "Confuse-A-Cat"? lol, I always think of that :p The reference to Chafe is a crack author check from a very old version (1.06?) which had a valid routine; future versions did not, it was just quietly removed. I have a very fond place in my heart for this particular app since this was my pet project for months on which I was weaned into the art of reversing, something akin to a Mother's teat if you will...

Cheers,
Kayaker
naides
Posts: 1655
Joined: Sat Jan 12, 2002 12:00 pm
Location: Planet Earth

Post by naides »

KAYAKER:

I guess you are having a blast reading all the now useless stuff I wrote.

Well, that is the way I would have done it, if the serial evaluation code did exist.
Kayaker
Posts: 4179
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Wasn't useless at all naides, it was textbook. Sometimes the textbook just needs to be thrown away that's all, as I'm sure you've experienced, that's the fun of it :)
Fake51
Senior Member
Posts: 217
Joined: Fri Oct 27, 2000 9:30 am

Post by Fake51 »

This gives it away pretty easily: (from the help file)
Entering your password:

When you've gotten your password following registration:

· Follow the instructions you received with your registration code and go to the registered user page on any of the above sites.

· Download the latest full version of TablEdit.
· Install the files included in the zip (*.exe) file over those of your installed demo version and start the program.
Lol. Mind you though, it's possible to make the program show that you're a registered owner, although the program will still show up as demo.

The thing does indeed run through some serial calc'ing; that's your standard run-of-the-mill translate-the-serial-to-hex and mess around with the name. There's a value in mem that's checked when the thing wonders if it should display the about box with a reg button or not, and this value holds the transformed value from the name calc'ing. The value is checked against 0, however, so you have to patch it to change it ;) Guess the author didn't bother changing his program too much when doing the stripped version.

Fake
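To make the hunting strategy in this thread concrete (bpm on the name and serial, find the one place the value is written, see how it relates to name and serial, and note that the later test is only a comparison against zero), here is an added toy scheme in C. It is example code written for this page, not Tabledit's routine or anything disassembled from it: the hash, the reserved-name list, the global g_reg_value and every helper name are constructed for the illustration. The shape follows what the posts describe: first letter of the name capitalised, reserved names refused, serial parsed as hex, a single write to a fixed location, and an About-box path that only asks whether that location is non-zero.

```c
/* Added example: a toy name/serial scheme of the shape the thread describes.
 * Constructed for illustration; it is NOT Tabledit's routine. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64

/* The "value in mem": one hard-coded location the check writes exactly once.
 * A correct serial makes it 0; the About-box code only tests it against 0. */
uint32_t g_reg_value = 0xFFFFFFFFu;

/* Names the toy check refuses (constructed blacklist). */
static const char *const reserved_names[] = {"User", "Registered", "Chafe"};

/* Copy the name into a fixed buffer with the first letter capitalised.
 * Returns 0 for an empty or over-long name. */
int normalise_name(const char *in, char out[NAME_MAX]) {
    size_t n = strlen(in);
    if (n == 0 || n >= NAME_MAX) return 0;
    memcpy(out, in, n + 1);
    out[0] = (char)toupper((unsigned char)out[0]);
    return 1;
}

/* Toy name transform: a weak multiply/xor hash, deliberately simple. */
uint32_t name_hash(const char *name) {
    uint32_t h = 0x1234u;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = (h * 31u) ^ *p;
    return h;
}

/* Parse the serial as 1..8 hex digits; anything else is rejected. */
int parse_serial(const char *s, uint32_t *out) {
    size_t n = strlen(s);
    uint32_t v = 0;
    if (n == 0 || n > 8) return 0;
    for (; *s; ++s) {
        int c = toupper((unsigned char)*s);
        if (!isxdigit((unsigned char)*s)) return 0;
        v = (v << 4) | (uint32_t)(c >= 'A' ? c - 'A' + 10 : c - '0');
    }
    *out = v;
    return 1;
}

/* The validation routine: normalise, refuse reserved names, parse the serial,
 * then ONE write to g_reg_value. A bpm on &g_reg_value lands exactly here. */
int check_registration(const char *name, const char *serial) {
    char buf[NAME_MAX];
    uint32_t sn;
    if (!normalise_name(name, buf)) return 0;
    for (size_t i = 0; i < sizeof reserved_names / sizeof reserved_names[0]; ++i)
        if (strcmp(buf, reserved_names[i]) == 0) return 0;
    if (!parse_serial(serial, &sn)) return 0;
    g_reg_value = name_hash(buf) ^ sn;
    return g_reg_value == 0;
}

/* What the About box asks later. Only the comparison against 0 matters, so
 * patching this test (or the stored value) flips the program's opinion
 * without ever touching the calculation. */
int about_box_needs_register_button(void) {
    return g_reg_value != 0;
}

/* Keygen for the toy scheme: the serial that zeroes the stored value. */
uint32_t toy_serial_for(const char *name) {
    char buf[NAME_MAX];
    if (!normalise_name(name, buf)) return 0;
    return name_hash(buf);
}

/* Type a numeric serial the way a user would (8 hex digits) and run the check. */
int toy_try(const char *name, uint32_t serial) {
    char s[9];
    snprintf(s, sizeof s, "%08X", (unsigned)serial);
    return check_registration(name, s);
}

int main(void) {
    const char *name = "alph";          /* constructed sample input */
    uint32_t good = toy_serial_for(name);
    int r;
    printf("serial for %s: %08X\n", name, (unsigned)good);
    r = toy_try(name, good);
    printf("good serial: registered=%d, reg button=%d\n", r, about_box_needs_register_button());
    r = toy_try(name, good ^ 1u);
    printf("bad serial:  registered=%d, reg button=%d\n", r, about_box_needs_register_button());
    r = toy_try("user", toy_serial_for("user"));
    printf("reserved name 'user': registered=%d\n", r);
    return 0;
}
```

Note how little the About-box side knows: it never sees the name or the serial, only whether g_reg_value is zero. That is why a bpm on the stored value finds both the writer (the routine above) and the reader (the zero test), and why a one-byte patch on the reader is enough even when the calculation itself is spread all over the executable.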
cHeCksUm

Post by cHeCksUm »

Hehe,
Reminds me of Muzicman... It was an app I cracked a while back. I like to return to the first apps I cracked now and again to see if they / I have improved. Well anyhow, I worked on the serial routine for ages, looking back on all my notes from previous versions, but I could not crack the sucker. Seemed to be going in circles. In the end I decided to give it a break, and I forgot about it. Funny thing, a while later I needed just such an app so I went and purchased Muzicman and lo and behold was given a completely different download link from the one on the main page. In other words, some time between my first attempts and the last one they had removed the serial routine.... I should have read the readme... would have saved me two or three days of work.... but hell it was fun... and informative ;) .

// cHeCksUm