Reverse engineering Academy
Snippets

Various "snippets" about (more or less) useful tools
and
rare snippets from some +HCU seminars

A fairly important project, started on 28 October 1997.
Last updated: End July 1998
The "snippets" you'll find here have been published 'rough':
1) They may be almost uncommented (advanced users do not need comments)
2) They may be fairly irrelevant for the techniques used or the depth of analysis, yet
   regard targets that may be useful for our trade
3) They are not edited
Since the main problem is usually to "clean", to "choose" and to "prepare" the essays, you'll find here a sort of curious uncommented mix "et ab hic et ab hoc", that may be useful and quite interesting at times.
DO NOT UNDERESTIMATE these "small" essays! Clever reverse engineers will at once understand how important some of these "snippets" can be... have for instance a look at the one by The Undertaker :-)

You'll find here the following snippets:

VisualBB's CLICKBOOK - Stupid Protection / Tools of the trade  28 October 1997

A+heist's Websnake version 1.22 (fetch a whole site on da web)  28 October 1997

The Undertaker's Protexe v2.11: exploring the protection scheme  11 January 1998

ThunderLord's Cracking Norton Antivirus Trial Edition  11 January 1998

The Undertaker's Unpack/unprotect com files using debug.exe  16 January 1998
(old powerful dos debugging - still useful today - "An aquarium for your viri")

How to make a MSGBOX work for YOU, by RMD+  21 January 1998
(Winimage Version 2.50)

Fastraq Post Server; a "best before" protection scheme, by Cybercurve  29 January 1998

Tray Day 4.5 "The kill of a weak and badly written scheme", by MAD '96  29 January 1998
"follow a protection scheme around the codecorners"

Cracking Installshield serials: EASY or TOUGH protection, by Snatch  10 February 1998
"Numega, use your brains!"

MORE DOS4GW STUFF: CD ROM / 3DFX Cracking, by The_Gimp!  28 February 1998
"REMOVING THE CD CHECK"

The SIMLOCK saga, by Frog's Print  15 June 1998
Nokia's stupidity

Reversing Dllshow v.3.2, by A+heist  26 July 1998
Had to crack it because I needed it


Here begin the SNIPPETS

CLICKBOOK - Stupid Protection / Tools of the trade
By VisualBB

I also had the opportunity to get a program that is useful for us -
CLICKBOOK from ForeFront, the makers of Quick View Pro, that essential
utility. It condenses printouts into booklet form.

This program "DEMO" can be got at:

http://www.ffg.com/wp/clickbook.html

It prints booklets that are a great paper saver. Only thing is the
damn demo prints a box on every page with the words "TRIAL VERSION" as
well as the site address - "www.ffg.com". This was too irritating for
words and so I ran it through WDASM looking for the words "Trial Version",
which were found scattered all over.

While examining the code I noticed that every time a shareware notice
was present there was also a normal notice. This seemed to be too easy.
Also the program checked location 00401E6E and if 0 jumped to good and
anything else was bad and demo.

So I searched for this location to see where the flag was being set. I
found it being set at 3 locations.

Set breakpoints and start the debugger of wdasm32 (which I find
easier to follow than SICE, though not as powerful). We break at the
first breakpoint I set, which was a call to a function that returned 1
in EAX, which was loaded into our 00401E6E and then CMPared. So I
changed the 1 to 0 in ax and ran. No initial nagscreen but still the
box was present. Obviously the value was being changed elsewhere.

Load the program again, this time trace into the call, and after
stepping a lot and after a check of some value in the registry, we
arrive at this code:

:004346E5 7518                    jne 004346FF
:004346E7 3BC8                    cmp ecx, eax
:004346E9 7514                    jne 004346FF
:004346EB 83F906                  cmp ecx, 00000006
:004346EE 750F                    jne 004346FF

* Possible Reference to String Resource ID=00001: "Pass B"
                                  |
:004346F0 B801000000              mov eax, 00000001 <--- HERE!!!
:004346F5 5F                      pop edi
:004346F6 5E                      pop esi
:004346F7 5B                      pop ebx
:004346F8 81C4CC000000            add esp, 000000CC
:004346FE C3                      ret

Since we cannot be registered (no provision in the program) we always
arrive at the code marked HERE!!! where we observe EAX being loaded
with the BAD flag - 1. Surely it cannot be that easy?

Believe me IT IS. Change the mov eax, 1 to mov eax, 0 and let the
program run. Print a document and preview, no box spoiling the output.
That's it. We are done. Except for the ABOUT dialog saying we are not
registered, the program works beautifully and even displays
"Registered to" on the main screen.
VisualBB

Websnake version 1.22 (fetch a whole site on da web)
by A+heist

Find it on da web... you are supposed to be a master searcher :)

Hi frav,
Here they protz a little, yet read and you'll understand why I wanted to try it out, and why you'll want to try it out and why everyone will want to try it out:

Download a website for off-line browsing, which means you can view the entire site on your own computer much faster than if you were on-line. And, you save money on dial-up costs, too!
Duplicate or mirror a website, including the directory structure. Great for webmasters and web designers to see how a website is set up.
Copy e-mail addresses referenced in a website's HTML files. These e-mail addresses can later be exported into a comma or tab delimited database file. The applications of this range from simple research to broadcast e-mail marketing.
Build a map of the HTML files referenced in a website. Need to know the structure of a remote website? This is your tool.
Search for specific keywords on a website. Get the information you need in a flash.
Retrieve specific types of files like all the cool graphics, sounds (WAV files), or movies (AVI files). WebSnake automatically downloads anything you want quickly and easily.

Here we go:

:10007352 E8F9020000        call 10007650
:10007357 833D1861011000    cmp dword ptr [10016118], 00000000
:1000735E 740E              je 1000736E          ;nop this bad one
:10007360 833D1461011000    cmp dword ptr [10016114], 00000000
:10007367 7505              jne 1000736E         ;nop this bad one
:10007369 B81A750000        mov eax, 0000751A    ;****! GETTAGODDAFLAG

:Check_luser_status
:1000736E 3DEE550000        cmp eax, 000055EE
:10007373 7464              je 100073D9
:10007375 3DCB590000        cmp eax, 000059CB
:1000737A 745D              je 100073D9
:1000737C 3D1A750000        cmp eax, 0000751A    ;is he registered?
:10007381 0F84B2000000      je 10007439          ;yes, go go go good guy

:Check_luser_really_registered
:10007439 833D1861011000    cmp dword ptr [10016118], 00000000
:10007440 7413              je 10007455          ;ok, good guy
:10007442 833D1461011000    cmp dword ptr [10016114], 00000000
:10007449 750A              jne 10007455         ;ok, good guy
:1000744B 83C634            add esi, 00000034
:1000744E 684F750000        push 0000754F        ;"Retail Version"
...
:OK_good_guy
:10007455 83C634            add esi, 00000034
:10007458 684A750000        push 0000754A        ;"Your software is registered. Thank you."

Well that's it, I'm afraid: stupid, much too stupid scheme. Maybe the target could be useful: dunno, never tried it yet, don't have the time to surf much with my fukin Uni and all the fukin essays you keep publishing and I have to read to keep abreast :)

A+heist

                PROTEXE V2.11 - TOM TROFS
             EXPLORING THE PROTECTION SCHEME
                          BY
                 THE UNDERTAKER -=BANDA=-


After a long period of busy schedule, finally I managed to start my reverse
engineering essays. Today we will explore another EXE protector called
PROTEXE. Exploring the EXE protectors you will learn a lot, because normally
they use good encryption & anti-debugging tricks. Most of the time they use
vector replacement, self-modifying code, anti-debugging tricks. Some of them
use very good protection schemes. Truly hard to crack those. Ok, let's get
back to work. First, protect an EXE file using PROTEXE. Now set up our
favorite tool Soft-Ice 2.80 for DOS (Yes: dos cracking is great fun!).

Load your protected EXE file using Symbolic Loader (LDR).

LDR lha.exe <

Now you are in the Soft-Ice window. Before we analyse the code we need to study
the X86 flag register.


                FLAGS Intel 8086 Family Flags Register

                 Bit    Flag
                  0     CF  Carry Flag
                  1     reserved (1)
                  2     PF  Parity Flag
                  3     reserved (0)
                  4     AF  Auxiliary Flag
                  5     reserved (0)
                  6     ZF  Zero Flag
                  7     SF  Sign Flag
                  8     TF  Trap Flag  (Single Step) ***
                  9     IF  Interrupt Flag
                 10     DF  Direction Flag
                 11     OF  Overflow flag
                 12-13  IOPL I/O Privilege Level  (286+ only)
                 14     NT  Nested Task Flag  (286+ only)
                 15     reserved (0)
                 16     RF  Resume Flag (386+ only)
                 17     VM  Virtual Mode Flag (386+ only)


Ok, let's explore the first few instructions in the protected program....


XXXX:0147 9C            PUSHF           Save the flag register
XXXX:0148 9C            PUSHF           Pushed again to get it into AX
XXXX:0149 58            POP     AX      AX contains current flag settings
XXXX:014A 25FF0F        AND     AX,0FFF Discard upper 4 bits (bits 12-15)
XXXX:014D 50            PUSH    AX      Save modified flags
XXXX:014E 9D            POPF            Use modified flags
                        .
XXXX:0159 9C            PUSHF
XXXX:015A 58            POP     AX
XXXX:015B 25FF0F        AND     AX,0FFF Discard upper 4 bits
XXXX:015E 0D0070        OR      AX,7000 If TF is on, off it
XXXX:0161 50            PUSH    AX
XXXX:0162 9D            POPF

Well, the above part is to disable the Trap Flag. If the Trap Flag is on then
the processor switches back to single-step mode. Most universal unpackers use
this method to trace through the code. Ok, let's analyse the code further
down.

XXXX:016A BA6400        MOV     DX,064
XXXX:016D B0AD          MOV     AL,AD
XXXX:016F EB01          JMP     172 ***
XXXX:0171 88EE          MOV     DH,CH

The above part is to disable the keyboard, but there is a jump and it is
directed to OFFSET:172. In the listing there is no 172. Ok, there is
self-modifying stuff in it.
The opcode for OUT DX,AL is EE. See the DX & AL setup for the keyboard disable.
But there is no OUT DX,AL. Well, check the jump: it is directed to
172. At offset 172 you will find the opcode EE. Here you got it: once the
jump is executed the code changes to OUT DX,AL.

The code MOV DH,CH has no effect until the jump instruction is executed. Within
the code you will find lots of these JMPs directed to OUT DX,AL. Ignore all
of them and continue.
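An added example (not part of The Undertaker's essay): a Python mini-decoder for just the opcodes in this listing that disassembles a constructed byte string two ways, byte after byte as a dead listing does and by following the short jumps as the CPU does, then reports the executed instruction whose first byte lies inside another instruction. The byte string splices the listing's 016A-0172 fragment with the far JMP from 02D6; the function names are my own.

```python
# Added example, not from the essay. Decodes only the opcodes seen in the
# PROTEXE listing (16-bit mode), enough to show why "JMP 172" lands on the
# EE byte inside "88 EE MOV DH,CH": the listing shows MOV DH,CH, the CPU
# executes OUT DX,AL.

REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]

# Constructed bytes: offsets 016A-0172 of the listing followed directly by the
# far JMP that in the real stub sits at 02D6 (used here as the stop marker).
SAMPLE = bytes.fromhex("BA6400" "B0AD" "EB01" "88EE" "EA0000C615")
BASE = 0x016A


def decode_one(code, off, base=BASE):
    """Decode the instruction at absolute offset `off`.
    Returns (length, mnemonic, short_jump_target_or_None, falls_through)."""
    i = off - base
    op = code[i]
    if op == 0xBA:                               # MOV DX,imm16
        imm = code[i + 1] | code[i + 2] << 8
        return 3, f"MOV DX,{imm:04X}", None, True
    if op == 0xB0:                               # MOV AL,imm8
        return 2, f"MOV AL,{code[i + 1]:02X}", None, True
    if op == 0xEB:                               # JMP rel8 (signed)
        rel = code[i + 1] - 0x100 if code[i + 1] > 0x7F else code[i + 1]
        return 2, f"JMP {off + 2 + rel:04X}", off + 2 + rel, False
    if op == 0x88:                               # MOV r/m8,r8 (register form only)
        modrm = code[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 3:
            raise ValueError("memory operands are outside this mini decoder")
        return 2, f"MOV {REG8[rm]},{REG8[reg]}", None, True
    if op == 0xEE:                               # OUT DX,AL
        return 1, "OUT DX,AL", None, True
    if op == 0xEA:                               # JMP FAR seg:off, end of stub
        ofs = code[i + 1] | code[i + 2] << 8
        seg = code[i + 3] | code[i + 4] << 8
        return 5, f"JMP {seg:04X}:{ofs:04X}", None, False
    raise ValueError(f"opcode {op:02X} is not in the mini table")


def linear_sweep(code, base=BASE):
    """What a dead-listing disassembler shows: decode byte after byte."""
    out, off = [], base
    while off < base + len(code):
        length, text, _, _ = decode_one(code, off, base)
        out.append((off, text))
        off += length
    return out


def flow_sweep(code, base=BASE):
    """What the CPU executes: follow short jumps, stop at the far jump."""
    out, off, seen = [], base, set()
    while off not in seen and base <= off < base + len(code):
        seen.add(off)
        length, text, target, falls = decode_one(code, off, base)
        out.append((off, text))
        if target is not None:
            off = target
        elif falls:
            off += length
        else:
            break
    return out


def hidden_instructions(code, base=BASE):
    """Executed instructions that start *inside* an instruction of the linear
    listing, as (hidden_off, mnemonic, linear_off_that_hides_it)."""
    linear = linear_sweep(code, base)
    covers = {}                                  # byte offset -> linear start
    for off, _ in linear:
        for b in range(off, off + decode_one(code, off, base)[0]):
            covers[b] = off
    starts = {off for off, _ in linear}
    return [(off, text, covers[off])
            for off, text in flow_sweep(code, base) if off not in starts]


if __name__ == "__main__":
    for off, text in linear_sweep(SAMPLE):
        print(f"linear  {off:04X}  {text}")
    for off, text, inside in hidden_instructions(SAMPLE):
        print(f"hidden  {off:04X}  {text}  (inside instruction at {inside:04X})")
```

The same overlap test applies to the JMP 2D5 / MOV DH,CH pair further down the listing.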

XXXX:0186 33C0          XOR     AX,AX
XXXX:0188 8ED8          MOV     DS,AX
XXXX:018A FF360C00      PUSH    [000C]
XXXX:018E FF360E00      PUSH    [000E]
XXXX:0192 B84602        MOV     AX,246 **
XXXX:0195 A30C00        MOV     [000C],AX
XXXX:0198 8C0E0E00      MOV     [000E],CS

Ok, check the above code. Mmmm, it seems to be a vector replacement for
interrupt 3.
Yes it is. Most of the debuggers & universal unpackers use int 3.
Replacing the int 3 code with something else may hang these types of
debuggers & unpackers.
Let's check what is replacing the existing int 3 code. The new interrupt
service routine for int 3 is located at CS:246 (check the code).

Normally the int 3 code has only an IRET instruction. Let's check the new int 3
ISR...

U 246

XXXX:0246 8ED8          MOV     DS,AX
XXXX:0248 CF            IRET

Here int 3 is used to copy the contents of AX to DS. Let's explore the
code again..

If you go through the code, you will find lots of keyboard disable
routines & interrupt masking (keyboard Int masking) routines inside the
code.
Bypass all of them (I think everybody knows how to bypass those lame tricks)
and next you will land on the CRC checking routine. Go through the code until
you find this.

XXXX:020B 81FEF78A      CMP     SI,8AF7
XXXX:020F 72B0          JB      1C1
XXXX:0211               PUSH    DX **

Put a Break Point on XXXX:0211. Otherwise it will keep you looping until SI=8AF7.

BPX 211 & go (F5)

Again you will see keyboard & interrupt enable routines in the code
window. Go through the code until you see this..

XXXX:022E 81FA2877      CMP     DX,7728
XXXX:0232 7415          JZ      249 **

This part checks the calculated CRC against the program contents. If they
match, go ahead. Else you will land in a CRC failed message & be dumped into DOS.
Mmmm, Ok, go through the code until you see this.


XXXX:02D2 EB01          JMP     2D5
XXXX:02D4 88EE          MOV     DH,CH
XXXX:02D6 EA0000C615    JMP     15C6:0000 *******

The above FAR JMP takes you to the original code of your program...

Well in this PROTEXE you will find different types of protection
methods. They are..

        # FLAG register Masking. (TF MASK)
        # Vector Replacement.
        # Keyboard & interrupt Masking.
        # Self Modifying Code.
        # CRC Checking.

The above methods are good. But the sad protector's only (MAIN) problem
is what I would call "implementation lacks".
I think that the coder only tried to protect the program from
LAMERS. Otherwise he would of course have implemented this program
better than that.

I think all the protection writers have to think twice.
It is true this is a damn "windows" age, I'm afraid.
Yet there are still quite a lot of good reverse engineers in
this Micro$oft 'tamed' world :-)

Ok, now for the most stupid readers: using a hex editor you can change a few opcodes in
this program. Find those opcodes and change them. Then use TRON to unpack it.
Shhhhh!
If you have any problems contact me...


I would like to read your comments.
You can write to me on following email address..

                undertakerd@hotmail.com



NOTE - If you compressed the program before running protexe, then the above
       OFFSET addresses can be different. Also you can download the PROTEXE
       program on Fravia's PAGE.




Thanks goes to all HCU+ & ORC+ guys.
Next time we move to a different type of protector. Until then

                         REST IN PEACE

                The Undertaker -=BANDA=- //SRI LANKA//


Cracking Norton Antivirus Trial Edition
By ThunderLord

At first let's take a look at the directory where all the files were installed. It contains several executables. Four of them are the files which run the main virus scanner, resident virus scanner, scheduler and a rescue disk creation utility.
The first strange thing is that those files are all exactly the same size, about 160 kb. That seemed quite strange for those completely different executables, but my first thought was that they were wrapped against viral protection.
The protection consisted of a nag screen with the amount of trial days left, which appeared at the startup and asked to press the "still on trial" button. There was a possibility to register the package on-line using the internet or modem, but no place where to enter the serial number. That's probably because Symantec decided not to provide telephone lines for direct ordering.
One of the first funny ideas which popped into my head was to hack the winsock.dll to provide a fake registration, but then I declined the idea as being too complicated :)

So let's begin with the first step:
I launched WDASM and quickly produced a dead listing of the main scanner executable NAVW32. At the same time I extracted the resources from it using Borland C++ 5.0 and took a long look at all dialog boxes, remembering their id's.

One little sidestep: sometimes I prefer to use Micro$oft Developer Studio, because Borland's tool tends to crash when processing the menus :( Using Bill's tool I always get a strange warning messagebox, saying: "You may be unable to save the resources back to file, because you are probably using a version of operating system which does not support editing the resources in the executables". AHA! Well, Borland's editor doesn't seem to have this problem, Bill! You are trying to scare me off from editing Micro$oft's own programs. Well, let's get back to our NAVW32...

Trying to look at the resources in other files and after reading a number of colorful dialogs, I found out that Symantec is not using their own protection scheme, but some company which provides an online registering service for different software. They even have a whole DLL containing a so called "Sales Agent". Strange thing that I found some references to Micro$oft Front Page in those dialogs; that probably means that Micro$oft are also using that "Sales Agent".

After finding the id of the dialog which popped up at the startup I quickly searched for it in the dead list. The following code was interesting:

:004024B2 cmp dword ptr [0042173C], 00000000
:004024B9 jne 0040260D <--- Jump over MANY dialogboxparam's
...
:004024C6 cmp dword ptr [004200BC], 00000000
:004024CD push 004027B0
:004024D2 push eax
:004024D3 je 004024D9
...
Set up a dialog for some other product and jump to 004024E2
...
:004024D9 push 00000067 <--- ID of OUR nagging dialog
:004024DB mov ecx, dword ptr [0041D344]
:004024E1 push ecx
:004024E2 Call USER32.DialogBoxParamA
...
MANY different dialog boxes
...

Well, as you can see our dialog box is lying in the chain of other dialog boxes for some other nagscreens and stuff... But the first thing which pops up is the cmp instruction at the first line. It looks very suspicious as it jumps over the bunch of nagscreens, and the location in memory looks very much like a flag!
I tried Softicing it and found out that the memory location is only touched once before this compare... it is zeroed somewhere in the startup code! So there is a quick crack:

:004024B2 mov dword ptr [0042173C], 00000001 <--- Place a fake flag
:004024B9 jmp 0040260D <--- Jump over MANY dialogboxparam's

The move is necessary, because there can be more places where the flag is checked, but this place is the first.
The main scanner is done... no more nagging. The other four executables are cracked similarly; they are compiled exactly like this, even with the same opcodes at the same addresses. This confirms that the files were processed by the Sales Agent wrapper.

Suddenly, after a few days of using the software, I adjusted my system clock and a window from the resident scanner popped up saying that I am using timed software and I may not change the time. I realised that there are some more places where the files need to be patched.
I set my clock to the year 1999, loaded NAVW32 into SoftIce again and quickly patched it in one more place.
I thought that the crack was done when I suddenly noticed that two copies of the resident scanner were loading, one as an executable, another as a dll. That looked like a very "unclean" crack, so I decided to take a very serious look at the whole thing again.
In the installation directory I found a few executable files which were called almost the same as the main scanner, resident scanner, and other antivirus tools, but they were ending with POP, like NAVW3POP.EXE. These files also had the exact same size and even icon. I launched one and got a standard windows animated "file copying" dialog box which terminated in a few seconds and showed an error message saying:
"You can't run this program now, but leave it where it is because the system will need it later". Hey, that looks like some kinda self-extracting installation file.

I loaded it into wdasm and peeked at its code... Some interesting opcodes were found:

...
Animated dialog which shows files beeing copied
...
:00401F30 Call KERNEL32.SleepEx <--- They want us to see their creative dialog for 2 seconds :)
:00401F36 call 00401CF0 <--- Some naughty routine which tends to return an error code of -1 or 0 for beggar or 1 for coolguy
:00401F3B cmp eax, FFFFFFFF <--- Compare to minus one
:00401F3E mov ebx, eax <--- Make a copy of error code for future reference
:00401F40 jne 00401F4E <--- if not -1, then DON'T QUIT YET

:00401F42 push 00000000 <--- Here the program quits
:00401F44 mov esi, USER32.PostQuitMessage
:00401F4A call esi
:00401F4C jmp 00401F54 <--- Get outta here, beggar

;DON'T QUIT YET, just "prepare" for quit, cause BX can still hold 0 or 1
:00401F4E mov esi, USER32.PostQuitMessage

:00401F54 test ebx, ebx <--- if BX=-1 or BX=1 then goto msgebox with error
:00401F56 jne 00401F8F <--- IMPORTANT JUMP
...
;Quitting with a messagebox containing "You cannot run this application at this time."
...
:00401F71 mov edi, USER32.MessageBoxA
...
:00401F87 call edi
:00401F89 push 00000000
:00401F8B call esi <--- ESI is PostQuitMessage as you remember from above
:00401F8D jmp 00401F95 <--- Jumping outta the program

;IMPORTANT JUMP lands here
:00401F8F mov edi, USER32.MessageBoxA <--- Prepare a message box
:00401F95 cmp ebx, 00000001 <--- SECOND IMPORTANT JUMP which finally checks for a valid return code of a coolguy
:00401F98 jne 0040203C <--- If not 1 at this time then get outta here beggar
...
;Cool Guy operations go here (like unpacking the executable)
...
:0040203C xor eax, eax <--- return indicating that a bad guy
...
:00402047 ret 0010

As you can see, the code loads EDI and ESI with the addresses of PostQuitMessage and MessageBox, threatening to call them if the value in EBX is not equal to 1. Therefore the patch should put a value of 1 in the BX somewhere after the naughty routine call and before the great EBX checking starts...
This task you can perform yourself, because when I first cracked it I was tired and therefore patched the previous code in TWO locations... but now I can see a pretty easy way to do it in one.
After patching, the file unpacks without any trouble and replaces the "fake" wrapped Symantec utilities with real, clean utilities without any nags. The patch is performed on all 4 *POP.EXE files, which have the same code at the same addresses. After the execution of the poppers they may be deleted together with the SalesAgent DLL. You can even patch those poppers in the softice memory and let them run afterwards, unpacking the whole thing; the crack only needs to be there on their first run. That was it, Norton AntiVirus Trial Edition is cracked.

Note at the end: There is a single DOS application included in the Symantec package, which is used during the boot before Windows loads. Because it is a DOS application I didn't take a look at it, as I prefer cracking win stuff, so if there is somebody who can finish my work they are welcome to make any additions to this essay.

			Winimage Version 2.50
		How to make a MSGBOX work for YOU
			      by RMD+

There are probably many others like me who are still learning how
to crack or aren't very good assembly programmers and yet want to
write keygenerators, or who are too lazy to rip out the code
in order to write one.
In this essay I want to show how to turn a target program into a
keygenerator by getting the Msgbox that says that your entered
number is incorrect (or correct) to show you the "secret" password
instead.

The idea for this came from one of our masters' tutorials,
where +he talked about how ECHOs of the proper serial number
are left lying about in the data window.

Fire Up Winimage go to the Registering bit and enter your
name and a fake serial, so in my case RMD+ and 12345.

CTRL+D to SOFTICE
and
BPX GETDLGITEMTEXTA

go back to Winimage and press enter

The program should now have immediately broken into
SICE in the middle of the call, so press F11 to return.

Disable your breakpoint with BD 00

Now if you look above this @ 0040579E you see the
following:

0040579E MOV ESI,004252D0
004057A3 PUSH ESI

if you d esi you see that your name was copied to ESI
and then ESI was pushed onto the stack

now if you F10 past the next GETDLGITEMTEXTA you see
your serial num get put into EDI.

Keep on F10-ing till you get to

00405827 call 0040F238 ;Enter this call here

Our approach here is we know that our ECHO is near to the
Msgbox text that says "Registering Information are bad".
So what we've done is enter the call that loads that
information into memory.

If you F10 down to

0040F242 LEA EAX,[EBP+FFFFFF14] ;you see the text
				;string "Reg info bad"

now, you should of course dump that memory:
  	 d EBP+FFFFFF14
and if you look around that area you'll see the correct
registration code at 0067F31C and you'll also see another
copy at 0067F33C, but for the purpose of this short study
we'll use the one @ 0067F31C ('cos the other one gets
written over)

If you carry on single stepping you'll get to

0040F250 PUSH EAX
0040F251 PUSH DWORD PTR [EBP+0C]
0040F254 CALL 00410D47  ;here is where the string for the Msgbox
			 caption is loaded which overwrites the
			 second serial

if you single step to 40F277 and dump memory there, you'll
see that the MSGBOX text is getting put into ECX and then
ECX gets put onto the stack.

THIS IS THE IMPORTANT BIT

If you look, you'll see that our serial number is @ 0067F31C
and that the EDX register is zero. So assemble line 0040F277
to load the serial number text instead of the Msg text
by doing the following:

a 0040F277 {PRESS ENTER}
  LEA ECX,[EDX+0067F31C] {PRESS ENTER}

now if you carry on pressing F10 you'll see the correct serial
number coming up for whatever name you have given as input.

So here is the patch for this:

in your HEX editor load the EXE file and search for 8D8D14FFFFFF, then
replace this with 8D8A1CF36700, save, and then try it out.

Now every time you want a serial number just enter whatever name
you fancy and BINGO!

Note that this is not the cleanest patch in the world, of course,
and that it also occasionally gives garbage for a particular password.
It's just pure fun AND a different approach to what you can do
when the correct number is ECHO'd in memory.

Anyway I hope somebody finds it useful

RMD+

