|
Cracking using KERNEL32.DLL??
Amazing how things dont change!
|
Advanced
|
|
04 March 1998
|
by
madmax!
|
|
 |
Courtesy of Fravia's page of
reverse engineering
|
|
fra_00F0
980304
madmax!
0010
AD
P4
|
Tsch tsch, madmax! Playing with kernel!
And THAT is exactly what makes the difference
between master crackers and beginners!
What does a real reverser do? He reverses, of
course :-)
Now, see, we have this windows overbloated world we must all swim inside...
huge, heavy, slow applicationosauriers, stupidly chewing routines on the code planes... and look!
The great reverser hunters come! Approaching swift, from beneath the codetrees!
Man, that's an unfair match for the dick overbloated windoze protectors!
The reversers are CLEVER! They use TOOLS! They use dos and unix knowledge, and sharp assembly
knives... and so the stupid, almost brainless applicationosurus lays dead... reversed
in a pool of bloody code... have a good meal! burp!
|
|
|
There is a crack, a crack in
everything
That's how the light gets in
| |
|
Rating
|
( )Beginner ( )Intermediate (X)Advanced
(X)Expert
|
NO beginner |
This essay will be like nothing you've ever read. This essay
does get
a bit detailed and will lose those not intimately familiar with Win95/NT
and
its inner guts. It will show how a program that seems unpatchable can
be,
through our last resort =)
Cracking using KERNEL32.DLL??
Amazing how things don't change!
Written by
madmax!
Deep within the Internet lies a great game...Subspace, by VIE(Virgin)
Having gone retail just recently, it was a matter of time till the
protection came...And it did, quite well I might add. How do we fix
a program that has CRC checks on itself and the memory it resides
in (active checking)???
Winice 3.22
Hiew 5.66
W32Dasm 8.9 (Regged helps)
API Knowledge (Win32.Hlp will do)
Not available except in Demo =( You have to get 1.32 from Hybrid and get
Regged update from http://subspace.vie.com/
First Protection Scheme
SubSpace, an online game has been around for a while now. I always
found it
hard to cheat in...I only did it for fun, not to ruin the game. But now
the
retail version came out and has added a CD-Check....Woohoo! Time to
crack the
ol' knuckles and sit down...
If you have the retail, you will notice nothing different about the game
till
you go to play and a "Please insert CD..." msg flashes with a time
limit...
This brought a smile to my face, but little did I know...So I jump in
Winice
immediately and:
BPX GetDriveTypeA (Commonly used in Cd-Checks to find the
CDROM)
It catches and I'm then in SubSpace code...The usual routine has the
following pattern:
Find CDROM drive letter (GetDriveTypeA)
Get space free on CD (GetDiskSpaceFreeA)
If zero, then CD OK
Get Label of CD (GetVolumeInformationA)
IF label == 'SUBSPACE', then CD OK
Open 'INTRO.FLC' in CD Root Dir. (CreateFileA)
If exist, then CD OK
Get filesize of INTRO.FLC (GetFileSize?)
Cmp filesize to certain #
If equal, set a flag
I won't bother with source since most people reading this won't have
access
to the target, thus it means nothing...The more interesting part, and
the
point of this essay, is how we get around the check...We could just
patch it
with HIEW and go on, but a CRC check stops us...We patch the crc check,
and
memory checksums get us...Hard to debug since Winice's breakpoints(0CCh)
throw off the values...So what do we do?? Well, I looked into API
Hooking
(Which IS NOT a prostitute with a Computer Science Degree =) and it didn't
look promising...Then I get a flashback, thinking back to my AsmEdit
essay..
TSR Crack! But this isn't the good ol' DOS environment, there is not a
AX=25XX, INT 21h function for Winblows...So where would our point of
attack be...Windows ITSELF!
I got this idea while attempting to fix a nuker on my own that had
spread
on IRC...Messing with important Win95 files is dangerous, toying with
the
kernel is just crazy...So we know SubSpace's first call in its
protection
scheme is to GetDriveTypeA..This API returns a 2 for floppies, 3 for
HDs,
and a 5 for CDROM (Other values dont interest us)...So I get this idea
that
we will essentially attack this protection like a FAKECD program
would...We
would emulate the files needed on our HD somewhere while a TSR emulates
a CD
But were going to do this runtime...In Winice, type:
U GetDriveTypeA
You will see the assembly code for the API..write a portion of the
code
so we will find it on disk in kernel32.dll
(I can't give my example because there are too many kernel32.dll's out
there)
But basically you have a short routine that does some weird compares and
then
goes on to another API with a JMP.....Like this:
:BFF777C4 57 push edi
:BFF777C5 6A21 push 00000021
:BFF777C7 2BD2 sub edx, edx
:BFF777C9 68EFE2F9BF push BFF9E2EF
:BFF777CE 64FF32 push dword ptr fs:[edx]
:BFF777D1 648922 mov dword ptr fs:[edx], esp
:BFF777D4 8B7C2414 mov edi, dword ptr [esp+14]
:BFF777D8 0BFF or edi, edi
:BFF777DA 7407 je BFF777E3
:BFF777DC 2BC0 sub eax, eax
:BFF777DE 8D48FF lea ecx, dword ptr [eax-01]
:BFF777E1 F2 repnz
:BFF777E2 AE scasb
* Referenced by a Jump at Address:BFF777DA(C)
|
:BFF777E3 648F02 pop dword ptr fs:[edx]
:BFF777E6 83C408 add esp, 00000008
:BFF777E9 5F pop edi
:BFF777EA E9E5D4FFFF jmp BFF74CD4
So we have this small routine..Where do we put our code?!?
Well, lets set a BPX on that JE and see if it ever actually jumps...
So BPX BFF777DA and run through Explorer or something that trips the
BPX.
You will see that nothing ever makes that damn JE jump! So we can assume
(mainly because MS wrote it =) that this routine has little worth..So
lets
modify and optimize it:
(This routine is first called by SubSpace for the drive C:)
:BFF777C4 57 xor edx,edx ; the only instr. kept
:BFF777C5 6A21 mov eax,[esp] ; get calling routine
:BFF777C7 2BD2 cmp eax,413e6e ; is it SS CD-Check?
:BFF777C9 68EFE2F9BF jnz BFF777EA ; if not, continue API
:BFF777CE 64FF32 mov [esp+4],eax ; save return address
:BFF777D1 648922 pop eax ; inc ESP by 4
:BFF777D4 8B7C2414 mov eax,5 ; we are a CDROM!
:BFF777D8 0BFF ret
:BFF777DA 7407 je BFF777E3 ; useless MS stuff
:BFF777DC 2BC0 sub eax, eax ; HERE!
:BFF777DE 8D48FF lea ecx, dword ptr [eax-01]
:BFF777E1 F2 repnz
:BFF777E2 AE scasb
* Referenced by a Jump at Address:BFF777DA(C)
|
:BFF777E3 648F02 pop dword ptr fs:[edx]
:BFF777E6 83C408 add esp, 00000008
:BFF777E9 5F pop edi
:BFF777EA E9E5D4FFFF jmp BFF74CD4
As you can see, we have intercepted this API quite brutally...We are
checking
to see whether it was called by SubSpace everytime it runs...Simple
enough!
Now that we have fooled it to think C: is a CDROM drive, we move on to
the
Disk space free check:
(The original is similar to above, but with more garbage...Which helps,
because this routine is a bit bigger...Heres the new and improved
routine!)
:BFF778C5 2BD2 xor edx,edx ; All MS is good for?
:BFF778C7 68B8E2F9BF mov eax,[esp] ; get calling address
:BFF778CC 64FF32 cmp eax,491E22 ; is it SubSpace?
:BFF778CF 648922 jnz BFF77900 ; if not, continue API
:BFF778D2 8B4C240C add esp,14h ; Real API returns alot
:BFF778D6 E302 mov [esp],eax ; return point
:BFF778D8 8A01 mov [esp+18],eax ; where spacefree is ret.
:BFF778DA 8B4C2410 ret ; go back...
:BFF778DE E302 jcxz BFF778EA ; rest of MS stuff
:BFF778E0 8B01 mov eax, dword ptr [ecx]
:BFF778E2 8B4C2414 mov ecx, dword ptr [esp+14]
:BFF778E6 E302 jcxz BFF778EA
:BFF778E8 8B01 mov eax, dword ptr [ecx]
:BFF778EA 8B4C2418 mov ecx, dword ptr [esp+18]
:BFF778EE E302 jcxz BFF778F2
:BFF778F0 8B01 mov eax, dword ptr [ecx]
:BFF778F2 8B4C241C mov ecx, dword ptr [esp+1C]
:BFF778F6 E302 jcxz BFF778FA
:BFF778F8 8B01 mov eax, dword ptr [ecx]
:BFF778FA 648F02 pop dword ptr fs:[edx]
:BFF778FD 83C404 add esp, 00000004
:BFF77900 E954D5FFFF jmp BFF74E59
So, we intercepted this routine and forced it to return 0 for disk space
free, like a CDROM...Now the only part left is the label check and the
file
check...
So simply, we label our C: drive SUBSPACE, and with a little asm program
I
stewed up, we make a file that is 37,433,486...Apply these patches to
the
KERNEL32.DLL and reboot... Cross your fingers and it will not crash!
This is indeed an interesting way of approaching a crack...I've never
seen
anyone use this method, probably because its so dangerous and has
compatibility problems...I wanted to spread the idea I found to others
so
they may consider this technique in the future...The main problem with
using
KERNEL32.DLL is that MS has so many damn versions of it, its crazy to
make
a patch for em all...
Amazing, no matter how far DOS goes away, its roots still follow us in
cracking! TSR cracking is kind of a hobby of mine =) It's different!
PS - If you play SubSpace alot, buy the game...It's like 30 bux or
something.
I did this because I wanted the challenge! =)
I wont even bother explaining you
that you should BUY this target program if you intend to use it for a
longer
period than the allowed one. Should you want
to STEAL this software instead, you don't need to crack its
protection
scheme at all: you'll
find it on most Warez sites, complete and already regged,
farewell.
You are deep inside fravia's page of reverse engineering,
choose your way out:
Back to advanced cracking
homepage
links
search_forms
+ORC
students' essays
academy database
reality cracking
how to search
javascript wars
tools
anonymity academy
cocktails
antismut CGI-scripts
mail_fravia+
Is reverse engineering
legal?