Welcome one more time to reversing santmat's reversemes :). Here an easier challenge awaits us. We only need to install a password-based protection scheme. Ok, so what do we have to do, exactly? We need to change the first screen into something that has an edit box, and check whether the password is good before letting the user continue. The nfo file tells us that the protection can be a stupid one. So, as usual, load the file into IDA and, while it disassembles it, take a quick look at it. What can you see here? A screen that has 5 disabled edit boxes and a button. As usual, which APIs are needed to do all this stuff?
I found only 3:
GetWindowTextA
CreateWindowExA
lstrcmp (not essential)
Ok, now, in IDA, go to the import table and see if they are there. Yes! They are (santmat made his first reverseme very easy). Go and see where they are used. The author even uses them to check the content of an edit box! Look at 4013DA :). He does all the job for us! We only have to check whether that API returns 0 or something else. Note that it checks the edit box that contains the words "Here is your mission". We will change this one into an edit box that accepts user input. Now go to the Names window. Go to the string "Here is ..." and follow the XREFs to the creation of the window. It is at 4011B9. Which push decides whether it is a disabled or an enabled edit? The one at 4011B4 (check your API reference). Here it uses 50000804. Change the flags to 50000000. Now the edit is enabled. But it doesn't look cool, does it? Set it to 50800000, so that there is a border :). Also change the push "Here is ..." to a push 0, so the text won't be displayed. Now that we have our edit box, what should we do with that window? First of all, delete all the useless edit boxes. To do that, go to 4011CF (just after the creation of our edit box) and code a jump to 401271 (the creation of the button). Run the program. Ok, now the button is all alone at the bottom of the window. Change its coordinates so that it sits right next to the edit box (change the push 111 at 40128F to a push A0). Then we simply need to readjust the window size. Find where the main window is created (by the window name in the Names window), and there change the PUSH 15E to a PUSH 100. Run your program once more to see the changes. Wow! It is now a perfect password-asking screen ;-))). The only thing that remains is to check the password. Go to where the lstrcmpA function is used and look at what comes next: a DestroyWindow call. So we can easily change this into a jump and reuse it afterwards. But where will we put our code? Think a little, I will let you guess :) ... a place that is unused ... a place that is NOW unused ... eh! I SAID A PLACE THAT WE HAVE JUST FREED! ... Ah, you get it :) the CreateWindow code that we jumped over. Go to 4011D6, and there assemble the following code in HIEW:
cmp eax,0        ;eax holds the lstrcmp result, 0 means the password matched
jnz 5ec          ;no match: jump down to the ExitProcess call
push d,[ebp+8]   ;hwnd of the password window
call d,[402018]  ;DestroyWindow (the original call that we will change into a jump)
push 401406      ;push/ret = absolute jump back into the original code
ret
push 0           ;exit code
call d,[402008]  ;ExitProcess
Now go back to 4013FE and code that jump (I usually use a push/ret pair). Run that proggie. But EH! WAIT A SECOND! We didn't set the password! Go to the place where the lstrcmp function is used. It compares the edit box content with the string that is normally in the edit box. Change this string to a stupid pass, like MrEvilSucks (don't forget to put a 0 at the end). Launch your wonderful proggie now. Type a stupid pass and it exits; type MrEvilSucks and it jumps to the main window.
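Added example (my own Python, not part of the tutorial or of santmat's reverseme): it decodes the dwStyle values the text patches into their Win32 names, and builds the byte patches used above, showing why push/ret is chosen over a call site: `push imm32; ret` is 6 bytes, exactly the size of the `call dword ptr [IAT slot]` it replaces, so nothing after it shifts. The style constants are the Win32 SDK values; the IAT slot 402018 and the addresses come from the page, and the patched bytes are constructed here, not read from the binary.

```python
import struct

# Win32 style bits behind the dwStyle values the tutorial patches
# (constants as defined in the Win32 SDK headers).
STYLE_BITS = {
    0x40000000: "WS_CHILD",
    0x10000000: "WS_VISIBLE",
    0x08000000: "WS_DISABLED",
    0x00800000: "WS_BORDER",
    0x00000800: "ES_READONLY",
    0x00000080: "ES_AUTOHSCROLL",
    0x00000004: "ES_MULTILINE",
}
KNOWN_MASK = sum(STYLE_BITS)  # summing the keys works because the bits are disjoint


def decode_style(style):
    """Name the known bits of a dwStyle value; unexplained bits come back as a mask."""
    names = [n for bit, n in sorted(STYLE_BITS.items(), reverse=True) if style & bit]
    return names, style & ~KNOWN_MASK & 0xFFFFFFFF


def push_ret(target):
    """`push imm32; ret` (68 imm32 C3): a 6-byte absolute jump, no displacement to compute."""
    return b"\x68" + struct.pack("<I", target) + b"\xc3"


def call_indirect(iat_slot):
    """`call dword ptr [iat_slot]` (FF 15 disp32): also 6 bytes, so push/ret fits exactly."""
    return b"\xff\x15" + struct.pack("<I", iat_slot)


def jnz_short(at, target):
    """`jnz rel8` assembled at `at`; rel8 is relative to the end of the 2-byte instruction."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target is out of short-jump range")
    return b"\x75" + struct.pack("<b", rel)


def patch_in_place(code, offset, old, new):
    """Overwrite `old` at `offset` with `new`, refusing anything that would shift the code after it."""
    if code[offset:offset + len(old)] != old:
        raise ValueError("bytes at offset do not match the expected instruction")
    if len(new) != len(old):
        raise ValueError("replacement length differs; the following instructions would be corrupted")
    return code[:offset] + new + code[offset + len(old):]


# Constructed stand-in for the bytes at 4013FE: the DestroyWindow call (IAT slot
# 402018) that the tutorial turns into a jump to its own code at 4011D6.
DESTROY_CALL = call_indirect(0x402018)
JUMP_TO_OUR_CODE = push_ret(0x4011D6)
PATCHED = patch_in_place(DESTROY_CALL, 0, DESTROY_CALL, JUMP_TO_OUR_CODE)
```

The same length check is what makes a 5-byte `jmp rel32` a worse fit here: it leaves one stray byte that has to be padded with a NOP.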
Extasy
Meet me on IRC(Efnet) on #reversing4newbies, and on #cracking4newbies.
THANKS:
MagicRaph, Edy, Tam, C_DKnight, ep-180, promethee, and everyone at #R4N, #C4N, #Win32asm and #crack.fr