Cracking the doc check routine
Now that we have found the start offset of the doc check and defined its type, it's time to do some real work. Our job is to set a breakpoint on the address of the call to the doc check.
Run the program until you reach this address. For the time being, let's assume that we are dealing with type 1. You'll be looking at code like the fragment shown in figure 1. We want to figure out which branch of the jump at xxxx:0005 we need to take. To do this, simply execute the call to the doc check (do not trace into it; just enter some false info). The program should make the check and return to the debugger. The jump is taken or not depending on the value of AX. Trace through the jump. If you take the branch and end up at xxxx:0100, then you know that you don't want to take this branch, because you've entered wrong info. The opposite applies if you didn't take the branch.
To test this theory, rerun the program up to the point where the program checks the value (i.e. xxxx:0005). Now, reassemble the jump, forcing (or not forcing, depending on your theory) the program to take the right path.
xxxx:0001 CALL DocCheck
xxxx:0003 OR AX,AX
xxxx:0005 JZ 0100
figure 1
Use Hackman to write the changes and you're ready! Suppose now that you have to deal with type 2. Find the offset where a call is made to get the user input. Now you need to find where it sets the value. Enter a bogus input and start tracing the code. You should expect to encounter a fragment like the one shown in figure 1, or something like the conditional jump shown in figure 2.
@@outerLoop: LODSB
SCASB
LOOPE @@outerLoop
OR CX,CX
JNZ xxxx
figure 2
This code compares two strings and jumps if they are not equal. Note the OR CX,CX statement. It checks whether the loop stopped because the end of the string was reached or because two characters did not match. If you had entered the wrong input, you would have taken the "JNZ xxxx". This takes you to the bad branch. Keep tracing until you come to a piece of code that changes a static memory location. This is where the doc check sets a global variable. Note the memory location and the value, because you'll need them later.
Eventually, you will see something like a move to the static memory location. Now that you have the address of the variable and the value it should take, you must make a simple patch to the program. The simplest and easiest way to achieve this is to change the code at the beginning of the doc check so that it sets the variable and then returns.
xxxx:0001 MOV [xxxx],value
xxxx:0003 RET
This kills the doc check completely, which means that you never see it! You may use Hackman to accomplish this task. No doc check is un-crack-able, and you should be aware of this. In fact, it's pretty easy to patch the checking routine.