'Sniff and show the code key'
Win Code Reversing
Program Details

Tools used:
Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
The author of ResizeImage says:
"What is ResizeImage
ResizeImage is designed to change the size of images. It can enlarge or shrink images using its weighted-pixel averaging technique.
What is weighted-pixel averaging? Most programs enlarge images by duplicating existing pixels. This results in a coarse blocky image. When shrinking images, they remove pixels. This results in an image which isn't very clear. ResizeImage uses a different technique. Rather than duplicating pixels, ResizeImage calculates the average value of the missing pixel based upon the surrounding pixels, weighing each adjacent pixel according to how much of it would have contributed to the new pixel. When shrinking an image, ResizeImage combines the adjacent pixels, again weighted according to their contribution to the new pixel, and determines the average value of the new pixel.
The results from ResizeImage are truer to the original, allowing for a smooth flow from pixel to pixel."
This program shows a nag screen each time you run it, informing you that you need to register the utility.
When run, it creates a Resizeimage.ini file in the Windows directory with these entries:
ResizeImage
version 3.4
Handle
Code
Key
The last two entries are only written after a successful registration.
Let's take a closer look at this protection routine.
I will show two methods of cracking this program:
1 - Follow and sniff the code.
2 - Show the right code in the "error message" window.

Method 1: Follow and sniff the code.
You should play with the program a few times to get an idea of how the protection routine responds to a wrong key, then create a dead listing...
We get the "Invalid key" message, so let's look for it in the String Data References in W32Dasm. Here is the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406593(C), :004065A8(C), :004065E9(C)
|
:004066A4 833DEC68440000          cmp dword ptr [004468EC], 00000000
:004066AB 741C                    je 004066C9
:004066AD 6809040000              push 00000409
:004066B2 6800000400              push 00040000
* Possible StringData Ref from Data Obj ->"ERROR"
|
:004066B7 682C244400              push 0044242C
* Possible StringData Ref from Data Obj ->"Invalid key"
|
:004066BC 6848284400              push 00442848
We can see that we get here from three different locations. We will now trace them in Softice...
This program uses the 32-bit function GetWindowTextA to read the input.
Run Resizeimage and fill in the handle and any code key you like.
1. When you've done this, fire up Softice by pressing CTRL-D.
2. Type: bpx getwindowtexta, then x to leave Softice.
3. Click on the 'OK' button.
4. Softice now breaks at the beginning of the system function GetWindowTextA.
5. Press x twice, then press F11 to return to the caller: we are now in Resizeimage's own code.
6. Type bc 00 to delete the previous breakpoint.
7. Set three new bpx's: bpx 406593, bpx 4065A8 and bpx 4065E9 (the three jumps that lead to the "Invalid key" message).
8. Press x to leave SI...
SI breaks now, and we should see this code:
:00406593 0F840B010000 je 004066A4 < no jump >
So this is not the actual jump to the Invalid Key message. Press x to leave SI...
SI breaks again, and we should see this code:
:004065A8 0F84F6000000 je 004066A4 < no jump >
Again, this is not the actual jump to the Invalid Key message. Press x to leave SI...
SI breaks again, and we should see this code:
:004065E9 0F85B5000000 jne 004066A4 < jump >
OK, here is the "bad guy" jump. Maybe if we force the program to skip it, we can make the program accept the *fake* code...
We can do this in two ways: toggle the zero flag by typing "r fl z", or change the content of register EIP by typing "r eip=004065EF". Do one of them and press x to leave SI... Ohhh, we are back in Resizeimage and we didn't get any error message. Now we need to check whether that stuck: exit Resizeimage and rerun it.....
We still get the nag screen, so forcing this one jump in the debugger is not a real registration. Let's look at the routine again...
Fill in the handle and any code key you like, and press "OK". SI breaks on the first bpx, and here is the full code:
:00406592 49                      dec ecx
:00406593 0F840B010000            je 004066A4               ; land here! jump if handle empty
:00406599 8B7E5C                  mov edi, dword ptr [esi+5C]
:0040659C B9FFFFFFFF              mov ecx, FFFFFFFF
:004065A1 2BC0                    sub eax, eax
:004065A3 F2                      repnz
:004065A4 AE                      scasb
:004065A5 F7D1                    not ecx
:004065A7 49                      dec ecx
:004065A8 0F84F6000000            je 004066A4               ; jump if code empty
:004065AE 6A00                    push 00000000
:004065B0 8BCB                    mov ecx, ebx
:004065B2 E899D70200              call 00433D50
:004065B7 50                      push eax
:004065B8 8BCE                    mov ecx, esi
:004065BA E821010000              call 004066E0             ; generates *real* code (pointer returned in eax)
:004065BF 8B565C                  mov edx, dword ptr [esi+5C] ; *fake* code (what we typed)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004065DC(C)
|
:004065C2 8A08                    mov cl, byte ptr [eax]    ; next byte of real code
:004065C4 3A0A                    cmp cl, byte ptr [edx]    ; both bytes equal?
:004065C6 751A                    jne 004065E2              ; go to invalid message
:004065C8 0AC9                    or cl, cl                 ; cl = 0 ?
:004065CA 7412                    je 004065DE               ; cl = 0, end of code
:004065CC 8A4801                  mov cl, byte ptr [eax+01] ; next byte of real code
:004065CF 3A4A01                  cmp cl, byte ptr [edx+01] ; both bytes equal?
:004065D2 750E                    jne 004065E2              ; go to invalid message
:004065D4 83C002                  add eax, 00000002         ; adjust eax for next 2 bytes
:004065D7 83C202                  add edx, 00000002         ; adjust edx for next 2 bytes
:004065DA 0AC9                    or cl, cl
:004065DC 75E4                    jne 004065C2              ; loop, checking next 2 bytes

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004065CA(C)
|
:004065DE 33C0                    xor eax, eax              ; reset eax: codes match
:004065E0 EB05                    jmp 004065E7
--------- snip snip --------
:004065E7 85C0                    test eax, eax
:004065E9 0F85B5000000            jne 004066A4              ; go to invalid message
:004065EF 8D44240C                lea eax, dword ptr [esp+0C]
:004065F3 6800010000              push 00000100
:004065F8 50                      push eax
The loop from 004065C2 to 004065DC is a plain byte-by-byte string compare, two bytes per iteration, that stops at the first mismatch or at the terminating zero; eax is cleared only when every byte of the generated code matches what we typed, and 004065E9 sends anything else to the error box.
Now press F10 (step over) until you have stepped over the call at 004065BA and are sitting at 004065BF, about 15 presses:
:004065BA E821010000 call 004066E0
:004065BF 8B565C     mov edx, dword ptr [esi+5C] ; <-- we are here!
Type "d eax" and in the data window you will see the real code you need to register this program!
You can sniff it now and register the program, but let's go on to the second way: patching the program to show the right code.....
Method 2: Show the right code in the "error message" window.
Take a look at register eax: it holds the address of the real code, and we are going to need it later. Write the address down for the next step.
Remember that the program shows us the "Invalid key" message? Here it is again:
* Possible StringData Ref from Data Obj ->"ERROR"
|
:004066B7 682C244400              push 0044242C
* Possible StringData Ref from Data Obj ->"Invalid key"
|
:004066BC 6848284400              push 00442848
Notice that the "Invalid key" string is at 00442848, while the address of the real key was in register eax, in my case 007B0E50. So why not push that address instead and have the error box show the real key instead of the message?
One caveat before patching: 007B0E50 lies outside the executable image (the code and strings here are at 0040xxxx..0044xxxx), so it is a buffer allocated at run time. The patch only works if that buffer lands at the same address on every run and on your machine, and if it still holds the real code when the message box is built. Check eax at 004065BF on your own system and use the value you see there.
Load Resizeimage.exe into your hex editor (I use Hex Workshop 32).
For method 1: nothing is needed.
For method 2:
Pay attention that you need to enter the address in reverse byte order (little-endian): 00442848 is stored as 48 28 44 00 and 007B0E50 as 50 0E 7B 00!
Search for the following bytes: 2444006848284400
Replace with these bytes: 24440068500E7B00
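The same byte patch done with a short Python script instead of a hex editor. This is an added example, not code from the original tutorial or from ResizeImage: it encodes the push imm32 operands in little-endian order, refuses to patch unless the search pattern occurs exactly once in the file (a hex editor's "replace" will happily hit the wrong copy), and verifies the result by decoding the instruction back. The sample buffer is built from the opcode bytes W32Dasm listed at 004066AD..004066BC, surrounded by constructed filler; the value 007B0E50 is the eax value quoted above and is assumed, not fixed, so pass the one you read from eax at 004065BF on your own machine.

```python
import struct

PUSH_IMM32 = 0x68  # x86 opcode: push imm32, operand stored little-endian


def push_imm32(value):
    """Encode 'push value' as the five bytes W32Dasm lists, e.g. 68 48 28 44 00 for push 00442848."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", value)


def decode_push_imm32(code, offset):
    """Return the operand of the push imm32 at offset, or None if no such instruction is there."""
    if len(code) < offset + 5 or code[offset] != PUSH_IMM32:
        return None
    return struct.unpack_from("<I", code, offset + 1)[0]


def is_unique(data, pattern):
    """True when pattern occurs exactly once, so the patch cannot land on the wrong push."""
    first = data.find(pattern)
    return first >= 0 and data.find(pattern, first + 1) < 0


def patch_push_operand(data, context, old_value, new_value):
    """Replace the operand of the push that follows the context bytes.

    context:   bytes just before the push (here the tail of push 0044242C)
    old_value: immediate as written in the listing (00442848, "Invalid key")
    new_value: immediate to push instead (the real-code buffer address)
    Returns (patched image, offset of the push). Raises if the pattern is absent or ambiguous.
    """
    pattern = context + push_imm32(old_value)
    if not is_unique(data, pattern):
        raise ValueError(f"pattern {pattern.hex()} must occur exactly once")
    push_at = data.find(pattern) + len(context)
    patched = bytearray(data)
    patched[push_at:push_at + 5] = push_imm32(new_value)
    return bytes(patched), push_at


def patch_file(path, context, old_value, new_value):
    """Patch an executable on disk, keeping an untouched copy as path + '.bak'."""
    with open(path, "rb") as f:
        original = f.read()
    patched, push_at = patch_push_operand(original, context, old_value, new_value)
    with open(path + ".bak", "wb") as f:
        f.write(original)
    with open(path, "wb") as f:
        f.write(patched)
    return push_at


# Constructed sample: the bytes from the listing at 004066AD..004066BC,
# padded with int3 filler so it is obviously not a real file.
SAMPLE = (
    b"\xCC" * 4
    + bytes.fromhex("6809040000")   # push 00000409
    + bytes.fromhex("6800000400")   # push 00040000
    + bytes.fromhex("682C244400")   # push 0044242C  -> "ERROR"
    + bytes.fromhex("6848284400")   # push 00442848  -> "Invalid key"
    + b"\xCC" * 4
)
CONTEXT = bytes.fromhex("244400")  # tail of push 0044242C, as in the hex-editor search string
INVALID_KEY_STR = 0x00442848       # address of the "Invalid key" string
REAL_KEY_BUF = 0x007B0E50          # assumed: the eax value seen at 004065BF; differs per machine


def demo():
    """Apply the patch to the sample and return (patched bytes, push offset, decoded new operand)."""
    patched, push_at = patch_push_operand(SAMPLE, CONTEXT, INVALID_KEY_STR, REAL_KEY_BUF)
    return patched, push_at, decode_push_imm32(patched, push_at)


if __name__ == "__main__":
    patched, push_at, operand = demo()
    print(f"push at offset {push_at:#x} now pushes {operand:08X}")
    print(patched.hex())
```

To patch the real file, call patch_file("Resizeimage.exe", CONTEXT, INVALID_KEY_STR, value_you_read_from_eax); the original is kept as Resizeimage.exe.bak so the patch can be undone.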
REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
Sniffing out the code was easy. The second method cannot be used on every program: in some programs the *real* code is cleared before we get to the error message, but it wasn't in our babe :)
My thanks and gratitude go to:
The Sandman, for all that he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.