( 'unpacking and patching - again' ) |
Win Code Reversing |
Program Name: fguard.zip
Program Type: system utility
Program Location: Here
Program Size: 637kb

Softice V3.25 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
UnAspack v1.0 - Aspack Unpacker
The author of Apispy v2.4 says:

Folder Guard is a comprehensive security solution for personal or publicly accessible computers running the Windows 98/95 operating system. With Folder Guard, you can make folders invisible or "read-only", control access to important system files, prevent unauthorized use of your computer, restrict access to Control Panel and applications, and much more.
This program was packed with Aspack v1.083. This info can be found by using Gettype.

This tutorial will be in 2 parts:
part 1 - how to unpack a program packed with Aspack v1.083, using Unaspack.
part 2 - how to crack Fguard v4.11.

When I realized that this program was packed with Aspack, I did all the steps to unpack it manually, but then, when I started to follow the protection routine, I saw that it's all done in a file called Fguard32.dll, which is packed too. Since I had no idea how to unpack a DLL, I was about to quit, but here comes Hobgoblin and says: there is an "Unaspack" that supports unpacking DLLs. You can download "Unaspack" by "bane" from my tools section.

The program saves its registration information in the registry under:
HKLM\Software\WinAbility\Folder Guard\Setup\1\Number of Users
HKLM\Software\WinAbility\Folder Guard\Setup\1\Registered To
HKLM\Software\WinAbility\Folder Guard\Setup\1\Registration Code

After registering, the "Register" button is changed to an "Unregister" button. Hey, authors, what is this for?
PART ONE - how to unpack the program using Unaspack:

The first step will be to COPY fguard.exe and fguard32.dll to the directory of Unaspack. Switch to DOS mode, and in Unaspack's directory type:
unaspack.exe fguard.exe   and "Enter".
unaspack.exe fguard32.dll   and "Enter".

Now, looking at the file sizes, can you see that they are bigger than the originals? Save the original files under other names, and copy the unpacked files back to the Folder Guard directory. Run the program; so far, everything looks fine. Let's go and see if we can create a "dead list" using W32Dasm. We can see that both the .EXE and the .DLL dead lists will not show us the "imports" nor the "string references".

There is one more thing to be done: fire up ProcDump (you know where to get it), choose the "PE editor", and choose "fguard.exe". We're in the "PE structure editor", so click on the "sections" button and you'll see that all section characteristics (right column) are C0000040. Right-click on the .text section and choose "edit section". At the bottom right corner, change it to "E0000020" and click "ok" 3 times. Do the same with fguard32.dll. Now go to W32Dasm again.

Are we done?? Yep, let's crack it.
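Added example (not from this tutorial or from Folder Guard): a Python parser for the PE section table that decodes the characteristics value ProcDump shows. C0000040 is MEM_READ | MEM_WRITE | CNT_INITIALIZED_DATA, a data section with no code or execute bit, which is why W32Dasm finds nothing to disassemble, while E0000020 is MEM_READ | MEM_WRITE | MEM_EXECUTE | CNT_CODE. Field offsets follow the PE/COFF spec; the stub headers are constructed inside the block, and the check that flags a .text section without the code bit is a cheap packed-binary triage test a defender can run over a directory of samples.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
FLAG_NAMES = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x20000000: "MEM_EXECUTE",
              0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

def parse_sections(data):
    """Walk the COFF section table and return [(name, characteristics), ...]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                            # IMAGE_FILE_HEADER
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + opt_size                                   # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, struct.unpack_from("<I", data, off + 36)[0]))  # Characteristics field
    return out

def decode_flags(chars):
    return [n for bit, n in FLAG_NAMES.items() if chars & bit]

def triage(data):
    """Flag section headers that look packer-edited (C0000040 style) or writable+executable."""
    findings = []
    for name, chars in parse_sections(data):
        reasons = []
        if name == ".text" and not (chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_EXECUTE):
            reasons.append("code section lacks CNT_CODE/MEM_EXECUTE")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable (W+X)")
        if reasons:
            findings.append((name, "%08X" % chars, reasons))
    return findings

def build_stub(sections):
    """Constructed minimal PE header (not a loadable binary) so the parser runs offline."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    for name, chars in sections:  # 40-byte IMAGE_SECTION_HEADER, Characteristics is the last field
        hdr += struct.pack("<8s6IHHI", name.encode(), 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return bytes(hdr)

# Constructed inputs: section flags as UnAspack leaves them, and after the ProcDump edit above.
PACKED_STYLE = build_stub([(".text", 0xC0000040), (".data", 0xC0000040)])
FIXED_STYLE = build_stub([(".text", 0xE0000020), (".data", 0xC0000040)])
```

A compiler-built .text is normally 60000020 (code, execute, read); the E0000020 the tutorial writes also sets MEM_WRITE, so triage() reports the fixed file as W+X, which is what a hand-edited header looks like.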
PART TWO - how to crack Folder Guard v4.11.

After we've created the lists, we can see that there are no strings for the good message or for the bad one. Run the program, go to Help / Registration information / Register and type in your name, any number of copies and any reg code you like. Before you click "Register", fire up Softice and set this breakpoint: "bpx getwindowtexta", then "x" to leave SI. Now hit the "Register" button. SI will break 2 times, but we will ignore ("x") the first one, and on the second time press "F11". We are in "fguard32.dll" code.
We're here:

:1001446B FF150CF40110   call dword ptr [1001F40C]   ; GetWindowTextA
:10014471 6A01           push 00000001               ; we land here
:10014473 58             pop eax
:10014474 5E             pop esi
:10014475 5D             pop ebp
:10014476 C3             ret
In this protection routine we can't find the "real" key, and we didn't see any good string to show us the way, so what's left is to trace the code while paying attention to the values of the registers; this should light our way. Keep pressing "F10" 4 times and we're back from this call to this snippet of code:
:100145DA E864FEFFFF     call 10014443
:100145DF 83C40C         add esp, 0000000C           ; we land here
:100145E2 85C0           test eax, eax
:100145E4 0F8456010000   je 10014740
:100145EA 8BCE           mov ecx, esi
:100145EC E863100000     call 10015654
:100145F1 85C0           test eax, eax
We can see that there is a call, and then a check of the value of EAX, 0 or 1. We will go into this call ("F8"), and now we will disable the previous breakpoint ("bd 00") and create a new one, so we will not need to go through the whole start again and can get straight to this point. Type "bpx 10015654".

We can see 4 calls followed by "test eax,eax", jumping to the same 2 locations; it feels to me like it jumps to show the "bad message". The way I trace it is to "F10" on each call, and if I see that the test on EAX caused the jump, I change the assembly code to prevent this. Why? Because this call is executed 7 times, and this way we will not need to deal with it each time we get there.

Show time :) Keep pressing "F10" and follow the code:
:10015654 56             push esi                    ; we land here
:10015655 6A00           push 00000000
:10015657 8BF1           mov esi, ecx
:10015659 6A00           push 00000000
:1001565B E832000000     call 10015692
:10015660 6685C0         test ax, ax                 ; ax=0
:10015663 7525           jne 1001568A                ; no jump - so far so good
:10015665 8BCE           mov ecx, esi
:10015667 E8ECFDFFFF     call 10015458
:1001566C 85C0           test eax, eax               ; eax=0 !!
:1001566E 7416           je 10015686                 ; jump - oops
Type "a 1001566c" and Enter; this will switch SI to assembler mode, and we can type this: "inc eax" Enter, "nop" Enter. Now let's go back to 1001566c with "r eip=1001566c". We are back here:
:1001566C 40             inc eax                     ; eax=1 !!
:1001566D 90             nop
:1001566E 7416           je 10015686                 ; no jump - so far so good
:10015670 8BCE           mov ecx, esi
:10015672 E8FBFDFFFF     call 10015472
:10015677 85C0           test eax, eax               ; eax=0 !!
:10015679 740B           je 10015686                 ; jump - oops
Type "a 10015677" and Enter; this will switch SI to assembler mode, and we can type this: "inc eax" Enter, "nop" Enter. Now let's go back to 10015677 with "r eip=10015677". We are back here:
:10015677 40             inc eax                     ; eax=1 !!
:10015678 90             nop
:10015679 740B           je 10015686                 ; no jump - so far so good
:1001567B 8BCE           mov ecx, esi
:1001567D E8AAFFFFFF     call 1001562C
:10015682 85C0           test eax, eax               ; eax=0 !!
:10015684 7404           je 1001568A                 ; jump - but look to where ...
If we do the same as we did both previous times, we will get to "xor eax,eax", which means EAX will be equal to 0, and then a jump to 1001568D mov dword ptr [esi+64], eax: this "0" will be kept in memory location [esi+64]. I didn't like this idea, and let the program jump.
:10015686 33C0           xor eax, eax
:10015688 EB03           jmp 1001568D
:1001568A 6A01           push 00000001               ; we jump to here
:1001568C 58             pop eax                     ; eax=1 !!!
:1001568D 894664         mov dword ptr [esi+64], eax ; location [esi+64] = 1
:10015690 5E             pop esi
:10015691 C3             ret
This will take us out of this call with EAX=1, so we passed the "test eax,eax" after the call. Type "x" in SI, and yes, we got the "Thank you for...", how nice. Now what? Hit the "OK" button, and booom, we are in SI again, at the start of the code of the above call. But look at the code: do you see that it still has the assembly changes that we put in? REMEMBER - these changes only hold while you're in the program; when you exit, they're gone. To make them permanent, you need to make them with a hex editor. It should look like this:
:10015654 56             push esi
:10015655 6A00           push 00000000
:10015657 8BF1           mov esi, ecx
:10015659 6A00           push 00000000
:1001565B E832000000     call 10015692
:10015660 6685C0         test ax, ax
:10015663 7525           jne 1001568A
:10015665 8BCE           mov ecx, esi
:10015667 E8ECFDFFFF     call 10015458
:1001566C 40             inc eax
:1001566D 90             nop
:1001566E 7416           je 10015686
:10015670 8BCE           mov ecx, esi
:10015672 E8FBFDFFFF     call 10015472
:10015677 40             inc eax
:10015678 90             nop
:10015679 740B           je 10015686
:1001567B 8BCE           mov ecx, esi
:1001567D E8AAFFFFFF     call 1001562C
:10015682 85C0           test eax, eax
:10015684 7404           je 1001568A
Everything looks ok? Type "x", SI will break again. It will break another 4 times; just keep pressing "x". Here is our registration window: we forced the program to register with our "fake" details !!! Job done.

Since TWR is a better reverser than me, he attacked the program from another angle. He wrote his tutorial about "how to validate the real key". You can read it here. Thanks TWR for taking the time to write it. I really appreciate it.

You can protect Fguard from being used by others with a password; here is a short tutorial that cupofcoffe wrote about how to bypass this password. Thanks CUP :)
Load up fguard32.dll into your hex editor (I use Hex Workshop 32).

SEARCH FOR THE FOLLOWING BYTES:                     E8ECFDFFFF85C07416
REPLACE WITH THE FOLLOWING BYTES (85C0 becomes 4090): E8ECFDFFFF40907416
SEARCH FOR THE FOLLOWING BYTES:                     E8FBFDFFFF85C0740B
REPLACE WITH THE FOLLOWING BYTES (85C0 becomes 4090): E8FBFDFFFF4090740B

REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
3 months ago I posted a question on +Sandman's board about how to unpack a DLL. It was left without any response. This week we had the same question, but now, after the knowledge we gained during the last 3 months, we could crack this program. Thanks to shADe, Hobgoblin and TWR for being involved in it !!!

Last word - this utility is very powerful, use it carefully !!!

My thanks and gratitude go to:
The Sandman for all what he is doing for us, newbies.
Rhayader for helping me with Reverse Code Engineering and useful tips
Alpine, Lord Soth, Volatility and Torn@do for my basic knowledge in packed programs