Cracking the doc check routine

Now that we have found the start offset of the doc check and defined its type, itÆs time to do some real work. Our job is to set a breakpoint on the address of the call to the doc check.

Run the program until you reach at this address. For the time being, let
Æs assume that we are dealing with type 1. YouÆll be looking at code like the fragment shown in figure 1. We want to figure out which branch of the jump at xxxx:0005 we need to take. To do this, simply execute the call to the doc check (do not trace in it, just put some false info) the program should make the check and exit back to the debugger. The jump will be made depending on the value of AX. Trace through the jump. If you take the branch and end up to xxxx:0100 then you should know that you donÆt want to take this branch cause youÆ
ve entered wrong info. The opposite applies if you didnÆt take the branch.

To test this theory, rerun the program up to the point where computer checks the value (i.e. xxxx:0005). Now, reassemble the jump forcing (or not forcing depending on your theory) the program to take the right path.

  xxxx:0001 CALL DocCheck
  xxxx:0003 OR   AX,AX
  xxxx:0005 JZ   0100
   figure 1

Use Hackman to write changes and youÆre ready! Suppose now that you have to deal with type 2. Find the offset where a call is being made to get the user input. Now you need to find where it sets the value. Enter a bogus input and start tracing the code. You should expect to encounter a fragment like the one shown in figure 1 or something like a conditional jump as shown in figure 2.

@@outerLoop:  LODSB
              SCASB
              LOOPE @@outerLoop
              OR    CX,CX
              JNZ   xxxx
                figure 2

This code compares two strings and jumps if they are not equal. Note the OR CX,CX statement. It is checking to see if  the end of the string has been met or if it exited because two characters did not match. If you had entered the wrong input, you would have taken the ôJNZ xxxxö. This takes you to the bad branch. Keep tracing until you come to a piece of code that changes a static memory location. This is where the doc check sets a global variable. Note the memory location and variable cause youÆll need it later.

Eventually, you will see something like a move to the static memory location. Now that you have the address of the variable and the value that it should take, you must make a simple patch for the program. The simplest and easiest way to achieve this is to change the code at the beginning of the doc check to set the variable and then exit.

   xxxx:0001 MOVE [xxxx],value
   xxxx:0003 RET

It kill completely the doc check which means that you see nothing! You may use Hackman to accomplish this task. No doc check is un-crack-able and you should be aware of this. In fact, itÆs pretty easy to patch the checking routine.

Return