Cracking for dummies - by fravia+
Lesson 2: "The difficult years" - Target: Netmed
(08 December 1997 - version 0.01, will change)

Cracking and reverse engineering for those that have NEVER done something like this before

Reviews:
"Fravia's lessons demonstrate that cracking can be great fun!"

"For people that would like doing useful cracking in a matter of hours"

"Fravia+'s 'Cracking for dummies' is the perfect choice for those who want to use their programs in order to do what they want, not what the programmers wanted they to do with them"

Synopsis:
Expert +cracker and +ORC's student fravia+ builds on the success of his cracking essays, updating his discussions in a humorous fashion. His style helps to overcome the technical and non-intuitive barriers presented by cracking. The lessons show readers everything from how to 'dead list' a target to more advanced cracking tasks like 'feeling' concealed and encrypted protection schemes.

Price:
Nothing, nada, nichts... it's here and free for everyone, of course :-)

OK, enough kidding... I have decided to write an easy and GUIDED tutorial to software reverse engineering, aimed at all those among my readers that are interested yet AFRAID of the many 'technicalities' that are given for acquired inside the 'real' essays on the student pages (those essays of the +HCU Academy that are dedicated to a 'more mature' cracking audience). In fact I believe that our duty is not only to explain our science to those already able to follow it, but also to allow anybody who cares to join us.

These essays does not have ANY value for average or advanced crackers and are aimed EXCLUSIVELY at those among our readers that have NOT YET BEGONNEN any cracking or reverse engineering at all.
This said, you'll not be able to understand this lesson if you do not 'work' a little. Some of the explanations and of the concepts that you have to learn may NOT be easy to assimilate, no matter how 'basically' explained.
If this happens, just read on, once you have got some more 'perspective' many of the 'barriers' that you encounter will suddenly disappear.
Don't forget to read and assimilate lesson 1 before starting this.

GATHERING TARGET AND TOOLS FOR THE SECOND LESSON
You are about to begin a REVERSE ENGINEERING SESSION. You need to PRINT this text, you need a PC-computer with windows95 installed, you need a 'target' and you need some tools in order to follow my lessons (tools are forever, like diamonds).

For this second lesson you'll need, specifically, all tools described in lesson 1 (the "tekfact" lesson: wdasm, psedit and pkunzip) and two new programs

1) Base Calculator: an integer calculator with not only the usual operations such as addition and subtraction, but also the most common logical operations. In addition, Base Calculator can display 8 bit, 16 bit and 32 bit numbers, both signed and unsigned in decimal, hexadecimal, binary or octal.
You can fetch it right off my site, here: bcalcns1.zip (148.156 bytes).
This program by John Zaitseff has been programmed in pascal (Delphi2) and is one of the best tools you'll use when you reverse engineer. It offers bin, hex, dec and octal calculations with XORing, ANDing, NOTing and whatever capabilities you need... you'll see and understand... For now just download it, unzip it and keep it ready for use.

2) Netmedic. (Version 1.2). This is our target for this lesson: You'll be able to fetch it easily performing a ftp search.
Search for the strings 'nm.exe', 'netmedic' and 'vitalsign' in this order.
The self-extracting trial shareware version 1.2 that we will use here as target has a length of 1.019.455 bytes
Alternatively you may fetch this target from vitalsign's own site at http://www.vitalsigns.com. They will release a new version very soon, of course, so harry up.
Netmedic is a PHANTASTIC tool for stalking activities, self-defense on the Web and net surfing, as you will soon discover. To navigate the deep sees of the web with this tool can be great fun, like being in the gauge and machine room of a huge ship every time you approach a site.
Its protection scheme, altough extremely easy to defeat, does indeed present some very interesting pecuilarities.
I checked (just in case) and found that this target has already been cracked by (at least) three different cracker groups.
You could easily fetch all over the web a ready made de-protection, for instance its Phrozen Crew's patch...
But you will not do it, because you will never need any more these ready-made "patches for lamers".
You are already a cracker (in nuce) and therefore you are going to feel the code of your target, understand it and crack it all by yourself (and in the mean time you will learn a lot, and you'll know what you have done and why :-)
OK, let's start: fetch netmedic and install it on your harddisk. Believe me: you'll love this target for the sheer MIGHT that it gives (offensive and defensive) to all internauts lost among the sees (and the currents) of the Web.
In fact you'll like netmedic so much that you'll probably want to register its next new version (which should deserve in my opinion a much more complicated protection scheme :-)
STARTING THE SESSION: string fishing
We could have tackled this protection scheme inside the code of our target in many other ways, like searching for the relative protection functions; pinpointing the protection scheme through a debugger (the easiest if most boring approach); getting the pixel dimensions of the protection window elements with a screen ruler, individuating the protection through a resource editor or even using a software 'stepwatch' (great fun for graphical demos deprotection :-)
But we will for this lesson -once more- use the SIMPLEST way: the approach you already began to learn with lesson one: string fishing.

Disassemble netmedic.exe
Run wdasm32 (by now you should have found on the web, or bought, version 8.9 of wdasm (see my first lesson). If you are still using the demo version, what follows applies nevertheless, yet you'll work on your target's code "on screen", using wdasm's own search capabilities, and not inside your texteditor, since the demo version of wdasm does not allow the editing and saving of the disassembled text file. Yet by the end of this lesson you should be enough 'semi-advanced' in our reversing art to be able to work on the essays inside +HCU's project 0, where you'll find detailed instructions about transforming the demo version of wdasm in a full working version adding or modifying all disabled functions inside it. But wait, don't go there right now: you better finish this lesson first :-)
The disassembly of a windows95 program can easily result in a huge text file.
netmed.exe is a 1.016.832 bytes file, and wdasm89 -which I'm using as disassembler instead of the more powerful (but newbyes scaring) IDA 3.7. for these lessons- will give you a 11.927.177 bytes *.alf file: a dead listing that of 12 millions bytes, quite a monster. Of course you wont be able to handle well such a file inside Micro$oft Word, which is a very sloppy wordprocessor by whatever standards you might choose to use. I may suggest my personal choice working under Windoze: Ultraedit32.
You'll have the possibility to customize its toolbar with your own 'reversing' macros and it will be a lot quicker than Word. Moreover it will not crash and you'll be able to cut and paste code without 'loosing' your mouse grip on the window (a very peculiar and annoying characteristic of Micro$oft's abomination :-(

Choose a quiet evening and perform your string search, (using for instance "license" "evaluation" "expir"), see if something "bites" and once you think you have found enough, pull your nets out of the code and look at the many little poor zapping fishes you have caught:
:00406A1B 6817E20000 push 0000E217 ID=57879: "Your advanced feature trial license expires in 1 day." 
:00406A3A 6818E20000 push 0000E218 ID=57880: "Your advanced feature trial license expires in %d days."                                 |
:00406A87 6819E20000 push 0000E219 ID=57881: "Your advanced feature trial license has expired."                                         
:0043E901 6812E20000 push 0000E212 ID=57874: "Your evaluation period for Net.Medic has ended. 
:0043F21F 6835E20000 push 0000E235 ID=57909: "Your advanced feature trial license expires in %d day(s)
:0043F234 6840094A00 push 004A0940 Data Obj ->"Your license expires in %d days."
Whoa! Even if something did slip through we have pulled a full net of strings out of our target's code! We will not hunger this evening!
Notice that we already know WHERE are located the protection code snippets: in fact we'll have a protection snippet around 06A and another one from 3E9 to 3F2!
Let's prepare and sip our cocktail and continue:
DISSECTIONING OUR FIRST FISH
Let's pull out the guts of the first one
:00406A1B 6817E20000 push 0000E217 ID=57879: "Your advanced feature...expires in 1 day."
Before passing the protection code that dwells around this location under our serene 'reversing' blick (we will do it in a minute), we better understand first of all what's the meaning of the code that precedes those 6 strings above. Let's look at the instruction at location :00406A1B: 6817E20000
68 is push and 17E20000 is 0000E217 (which corresponds, hexadecimally to the decimal value ID=57879).

Why the pushing around?
First: all the strings you see are being PUSHED on the stack because a subsequent call to a display function will need to know what to display on the screen. All the parameters for any subroutine function must be pushed (the call must be prepared) before executing the call, and the only (minor) question when you reverse is the ORDER of this pushing. In C language it is rightmost parameter first, in Pascal language the other way round.
Here we have a target written in C... well, sort of, they have used overbloated Micro$oft's "Visual" C++... would the authors have programmed with "real" C, this target would have been a lot smaller, yet some sort of degenerated C it is anyway, and therefore the LAST parameter is pushed first on the stack... how do I know that our target has been written and compiled with Micro$oft's VisualC++? Well, the code is typical, and that would be more than enough, but if you want to check on your own, just have a look at the list of IMPORTED FUNCTIONS (at the beginning of your dead listing) and you'll find the following: Import Module 009: MSVCRT40.dll... that's the (bad) Micro$oft's run-time library dll, as you'll see in a moment... back to our pushing parameters around:
The following code snippet (from our very target) shows you for instance the typical and very simple parameter passing for the ubiquitous messagebox function:
:00457586 6A00                    push 00000000             ;0, the rightmost parameter
:00457588 68541E4A00              push 004A1E54             ;Data Obj ->"Error"
:0045758D 68481E4A00              push 004A1E48             ;Data Obj ->"Print Error"
:00457592 6A00                    push 00000000             ;NULL, the leftmost parameter
:00457594 FF15A4864A00            Call dword ptr [004A86A4] ;USER32.MessageBoxA, Ord:0188h
Since the function MessageBox has 4 parameters, int MessageBox(hwndParent, lpszText, lpszTitle, fuStyle) you can see inside the target's code four pushes just before the call, so easy and simple is that.

The above code means therefore: MessageBoxA(NULL, Print Error, Error, 0)... in other words: "please draw a DialogBox without parent window (hwndParent=NULL) with the word "Error" as title and the words "Print Error" as message text and with a nice little OK button!
See, fuStyle is 0, and this correspond to MB_OK, and therefore this message box will contain only one push button with the tag OK written onto it... In fact you could modify this last parameter determining the "button", through your hexeditor, and for instance substitute 0x20 to the zero for the rightmost parameter. If you then re-run the program (and then cause a print error), the modified line :00457586 6A20 would give you MB_ICONQUESTION instead of MB_OK, and a silly question-mark icon would in this case appear in the message box. Pretty cheap reversing thrills, in this specific case, yet I'm sure you are getting the point: substituting parameters inside alien code it's very easy and may be great fun!

Yet the 'MessageBox' explanation above is fully valid only for ONE of the above fishes: the last string at 3F234, which is directly located inside our target's data:
:0043F234 6840094A00 push 004A0940 Data Obj ->"Your license expires in %d days."
So it pushes a string located inside the target, at A0940! Now -for this string- we will use psedit (or another hexeditor, see lesson1, the "tekfact" lesson) and search it "physically" inside the BYTES of our target, (I repeat: put now aside our disassembled wdasmed dead listing, and look at the bytes of netmed.exe).
Once we search for this string we find it at 9ED40:
9ED40	596F7572206C6963656E736520657870 Your license exp
9ED50   6972657320696E20256420646179732E ires in %d days.
O mann_o_mann! Hey! It is not at A0940!ou use your brand new base calculator, that you should have downloaded and installed on your harddisk and notice a staggering difference of 1C00 bytes! What's going on? Where does this difference come from?
Man! I thought you just pushed the stupid data location for the call, getting thattaway the string you pushed for, automagically, appear! Hey fravia+, what's going on?
Quiet! I have the pleasure to introduce to you the subdivisions of all windozes' programs (in fact of ALL programs but the most tight ones): have a look at the TOP of your netmed's dead listing! The very first table you'll find there is the following one:
Number of Objects = 0007 (dec), Imagebase = 00400000h

   Object01: .text    RVA: 00001000 Offset: 00000400 Size: 00087400 Flags: 60000020
   Object02: .rdata   RVA: 00089000 Offset: 00087800 Size: 00014C00 Flags: 40000040
   Object03: .data    RVA: 0009E000 Offset: 0009C400 Size: 00006200 Flags: C0000040
   Object04: .idata   RVA: 000A7000 Offset: 000A2600 Size: 00002E00 Flags: C0000040
   Object05: .tls     RVA: 000AA000 Offset: 000A5400 Size: 00000200 Flags: C0000040
   Object06: .rsrc    RVA: 000AB000 Offset: 000A5600 Size: 00046A00 Flags: 40000040
   Object07: .reloc   RVA: 000F2000 Offset: 000EC000 Size: 0000C400 Flags: 42000040
So, netmed.exe has 7 objects. Don't worry about their names and exact meanings for yet, just remember that .text and .data are the two important (and standard) ones. .text is CODE and .data is DATA.
Now look: the Imagebase is at 400000 and the DATA (Object03), is at RVA 9E000 with offset 9C400.
And as you can easily check (using for instance your brand new basecalculator tool) once you take away the dummy 400000 of the Imagebase, the simple subtraction 0x9E000-0x9C400 gives us a difference of 1C00... Bingo! This little mistery is cleared.
Yet where are the other little zapping strings we have fished out?
STRINGTABLE VAGARIES
ALL the other protection strings inside our target's code (our zapping fishes) are in unicode (all the ascii characters have an interpolated null) and dwell at locations that (apparently) have nothing to do with the direct data locations pushed above... for instance, 0xE217 (which is ID=57879) does NOT directly correspond to a code location... hey bud, what's that? Keep cool, just read on
:00406A1B 6817E20000    push 0000E217      ;Your advanced... license expires in 1 day."
What's "E217"? Some sort of european food component?
No. it's a stringtable pointer... see: 0xE217 is decimal 57879. Yet if we have look at the hexes of our target with an hexeditor... our string begins at 0xE8DFC... what's going on here?
E8DFA		                350059006F00           5.Y.o.
E8E00		7500720020006100640076006100  u.r. .a.d.v.a.n.
E8E10		6E00630065006400200066006500  c.e.d. .f.e.a.t.
...
Well: this is a pointer to the STRINGTABLE! I'l show you a part of the stringtable of our target, which you could easily inspect using a resource monitor tool like BRW from Borland... you will learn how to use this very important reversing tool later studying the +HCU's essays, for the moment just have a look at this STRINGTABLE snippet):
STRINGTABLE 
{
 57872, "Delay"
 57873, "Traffic"
 57874, "Your evaluation period for Net.Medic has ended. You can continue using 
 57875, "www.vitalsigns.com/buy/register.html"
 57876, "www.vitalsigns.com/buy/index.html"
 57877, "www.vitalsigns.com/tech/relnotes.html"
 57878, "www.vitalsigns.com/tech/index.html"
 57879, "Your advanced feature trial license expires in 1 day."
 57880, "Your advanced feature trial license expires in %d days."
 57881, "Your advanced feature trial license has expired."
 57882, "The feature you have requested is available only in the retail 
 57883, "Net.Medic from VitalSigns Software uses analysis techniques which 
 57884, "Some of the information above has been provided by Net.Medic from\r\nVitalSigns 
 57885, "Date and Time of Occurrence: "
 57886, "Date and Time of First Occurrence: "
 57887, "Date and Time of Last Occurrence: "
}
If we look at the data part of the target code we find above our string running from E8DFC (That's the "Y" of Your) to E8E66 (that's the full point after "day."). Look once more at the data dump above... at E8DFA, immediately before the "Y", we have a "3500": this is 0x0035, and represents the number of characters (it's decimal 53) of our string
 12345678901234567890123456789012345678901234567890123
 Your advanced feature trial license expires in 1 day.
So the real "block" is E8dfA-E8e65. And somewhere inside the code a TABLE translates the string number 57879 (0xE217) into a pointer to our location E8defA... where? Well as you'll see, the MFC40 function "NoName" 185 is an equivalent of a LoadString function, and it works like this:
:00406A1B 6817E20000    push 0000E217      ;Your advanced... license expires in 1 day."
:00406A20 8D4DA8        lea ecx, dword ptr [ebp-58] ;prepare call
:00406A23 E8BC0C0800    Call 004876E4      ;MFC40:NoName0185, Ord:0E48h; call_this
This means: call MFC40:NoName0185 with a pre-determined cx and the stringtable ID pushed. OK, we have seen enough, if you want to see what the cuckoo MFC40/185 does you know already what you have to do: just disassemble MFC40.DLL and look at the dead listing!
A string table consists of one or more separate resources, each containing exactly 16 strings. The maximum length of each string is 255 bytes. One or more strings in a block can be null or empty. The first byte in the string specifies the number of characters in the string. (For null or empty strings, the first byte contains the value zero.)
Windows uses a 16-bit identifier to locate a string in a string-table resource.
Bits 4 through 15 specify the block in which the string appears;
bits 0 through 3 specify the location of that string relative to the beginning of the block.
Time to get back to our little fishes and crack them, before they get stale.
Sniffing the code
Let's have a look at the code where our first string "Your advanced... license expires in 1 day" is pushed for the call: as we have already noticed, part of the protection scheme MUST dwell around 00406Axx; here you have the relative code snippet, that I have commented for you. Don't worry too much right now, get this snippet on your screen (or on paper) as well and just try to follow:
* Referenced by a Jump at Address:069BF(C)
:069EC E8CF7D0100    call 0041E7C0      ;get PROT parameter good/bad guy  !!!!!!
:069F1 83C404        add esp, 4         ;correct stack after call
:069F4 898542FFFFFF  mov dword ptr [ebp+FFFFFF42], eax  ;save PROT parameter
:069FA 83F801        cmp eax, 1         ;is it one?
:069FD 757F          jne 00406A7E       ;go check if PROT is three, or what else
:069FF E83C800100    call 0041EA40      ;else PROT = one, call this function
:06A04 8BF8          mov edi, eax       ;and save in edi how many days this guys has left
:06A06 8D4DA8        lea ecx, dword ptr [ebp-58] ;and do whatever the following call
:06A09 E8CA0C0800    Call 004876D8      ;MFC40:NoName0183, Ord:01E6h, ;MFC40/183 does
:06A0E C645FC03      mov [ebp-04], 03   ;and flag with three [ebp-04]
:06A12 85F6          test esi, esi      ;and check esi
:06A14 7455          je 00406A6B        ;go flag [ebp-04] with 2, else
:06A16 83FF01        cmp edi, 1         ;does he have only one day left, the poor chap?
:06A19 751F          jne 00406A3A       ;no, then go calculate how many days left, else
:06A1B 6817E20000    push 0000E217      ;Your... license expires in 1 day"
:06A20 8D4DA8        lea ecx, dword ptr [ebp-58] ;prepare call
:06A23 E8BC0C0800    Call 004876E4      ;MFC40:NoName0185, Ord:0E48h; call MFC40/185
:06A28 85C0          test eax, eax      ;did it work?
:06A2A 7430          je 00406A5C        ;no:continue without ax/cx and without call213
:06A2C 8D45A8        lea eax, dword ptr [ebp-58]  ;yes get ax
:06A2F 8D4DF0        lea ecx, dword ptr [ebp-10]  ;yes get cx
:06A32 50            push eax           ;and use ax for the following call213
:06A33 E8480D0800    Call 00487780      ;MFC40:NoName0213, Ord:02F8h ;call MFC40/
:06A38 EB22          jmp 00406A5C       ;then continue

:let's tell you how many days you have left (from 6A19)
:00406A3A 6818E20000    push 0000E218      ;Your... license expires in %d days"
:00406A3F 8D4DA8        lea ecx, dword ptr [ebp-58]
:00406A42 E89D0C0800    Call 004876E4  ;MFC40.MFC40:NoName0185, Ord:0E48h
...
...
:check if parameter PROT is three (from 69FD):
:00406A7E 83BD42FFFFFF03    cmp dword ptr [ebp+FFFFFF42], 3  ;guy's parameter it's three
:00406A85 751C              jne 00406AA3                     ;if not three check what else it is
:00406A87 6819E20000        push 0000E219     ;and push "Your advanced license has expired"
:00406A8C 8D4DF0            lea ecx, dword ptr [ebp-10]      ;beggar off bad guy
....

Well, an impressive code snippet with not only one but THREE zapping strings!
We can already understand some easy elements of this protection. The scheme checks right at the beginning a protection PARAMETER, calling function 1E7C0 (that we will examine in a minute). ON return we save the return value in [ebp+FFFFFF42] (which is [ebp-BE] probably). And chooses different strings depending from these values.
We know now that:
call 1E7C0 and get "kinda_guy" return value"
  if kinda _guy=1 then 
                    call 1EA40 and save in edi how many days this guy has left
                    call MFC40/143 and check esi return value 
                                                  and flag [EBP-4] with 2 or 3 accordingly
                             if the guy has 1 day tell him
                             else tell him how many days he has left
  if kinda_guy=3 then
                    tell the guy that his license his expired.
I would say that our work is already (almost) finished. Let's examine the code at the call that triggers the whole "kinda_guy" value, we will surely learn more.
Where we will crack:
The following code snippet is the routine that rturns the "kinda_guy" parameter.
We already know that a value of 1 means a "time limited trial" and that a value of 3 means that "your allowed time limit has expired". Well, an immediate legitime quastion for any researcher mind would be: "What about parameters "0", "2" and "4", "5", etcetera?
In the code below of our kinda_guy routine, you'll see many calls to OTHER routines (of course) some of them are calls to MSVCRT40.DLL, like the following sscanf:
:first_sscanf(ax,%x,cx):
:0041E8A6 8B3D44854A00       mov edi, dword ptr [004A8544];MSVCRT40.sscanf, Ord:0442h
:0041E8AC C645C000           mov [ebp-40], 00             ;zeroing memory location [ebp-40]
:0041E8B0 51                 push ecx                     ;pass parameter cx for sscanf
:0041E8B1 68A4F54900         push 0049F5A4   ;->"%x"      ;pass parameter
:0041E8B6 52                 push edx                     ;pass parameter dx for sscanf
:0041E8B7 FFD7               call edi                     ;sscanf(dx,%x,cx)
Clearly you may legitimately ask what the cuckoo is going on here. Well, I told you that this target has been written with Microsoft Visual C++, and therefore read (and head) the following:
MSVCRT40 is "Microsoft C Runtime Library Version 4.10.6038" 
for  "Microsoft Visual C++", as you can see through any hexeditor inside the very code of 
this *.DLL.

What the cuckoo is a "runtime library"?
A run time library is a set of hundreds of predifined 
functions and macros, designed for use in C programs.

Run time libraries make programming (and cracking) easier, 
providing tne following:

- an interface to operating system functions (such as opening 
  and closing files)

- fast functions to perform common programming task (such as
  string manipulation, "sparing the programmer the time and 
  effort needed to write such functions".

Run time libraries are specially important in high level programming 
because all "high level" programmers rely on libraries for basic functions not 
provided by their languages: input and output, storage allocation, process 
control.

These C functions try to maintain a maximum system compatibility
between DOS, Xenix and Unix, and have mostly the same names in 
the C runtime libraries for Unix operating systems.

OK, let's have a look "inside" our MSVCRT40.DLL (you'll find a couple 
of them, at least, inside your own harddisk, disassemble one of them 
with wdasm (or IDA) and look, for instance, at the very simple 
_toupper function:

in c you would have:
int toupeer(c);		converts c to uppercase if appropriate
int _toupper(c);	converts c to uppercase

and therefore you would for instance use this kind of programming code:

if (islover(ch))
	printf("_toupper =%#04x", _toupper(ch));

Well, let's look at its implementation INSIDE our disassembled MSVCRT40.DLL:

Exported fn(): _toupper - Ord:036Fh
:10215450 8B442404                mov eax, dword ptr [esp+04]
:10215454 83E820                  sub eax, 00000020
:10215457 C3                      ret

This means: get passed parameter inside eax
            subtract 20h
            return home with subtracted parameter... 
and since fravia is (ASCII)     f  r  a  v  i  a
                               66 72 61 76 69 61
if I call _toupper six times, one for each letter, this will return me
                               46 52 41 56 49 41
which, as you have guessed is:
                                F  R  A  V  I  A
So easy is that (in assembly :-)
In fact it is so easy that one wonders why you should use twelwe bytes
to perform the same uppercasing (with a lot more CPU-cycles and a call 
to a DLL outside your main exe code):

 53                      push ebx                   ;throw lowercase char_value
 FF15C8854A00            Call dword ptr [004A85C8]  ;MSVCRT40.toupper, Ord:0461h
 83C404                  add esp, 00000004          ;correct stack
 8BD8                    mov ebx, eax               ;save uppercased returned char

instead of just using directly inside your program the three bytes: 
 83E820                  sub eax, 00000020          ;uppercase char in ax
...misteryes of high level languages, I presume. Multiply this for MUCH more 
complexes routines and MANY more bytes and you will quickly understand WHY the 
programs that you are using nowadays
-	are slow
-	crash
-	are huge
-	need powerful CPUs and a lot of memory
-	compel you to upgrade PC every two years

Let's look at our target's code now, it's time to CRACK!: Let's have a look at the routine returning the "kinda_guy" parameter:
this code snippet is CALLED from three different points (:004069EC, :0041ED0D, and :0043F1F1) it has also to do with a Menu whose ident is [ID=807Fh], as you will easily see just perusing the routine, which starts at 41E7C0. Here follows ONLY the most interesting part of it for us, but if you examine ALL its code, you'll see that we have already had another important C++ functions: a strncpy and a sscanf(dx,%x,cx) and that now we come to the second sscanf function: sscanf(ax,%x,cx).
....(started at 1E7C0)
:0041E8BC 8D4DEC             lea ecx, dword ptr [ebp-14]  ;prepare cx for call
:0041E8BF 8D45B8             lea eax, dword ptr [ebp-48]  ;prepare ax for call
:0041E8C2 51                 push ecx		          ;pass parameter cx for sscanf
:0041E8C3 68A4F54900         push 0049F5A4   ;->"%x"      ;pass parameter
:0041E8C8 50                 push eax		          ;pass parameter
:0041E8C9 FFD7               call edi		          ;sscanf(ax,%x,cx)
:0041E8CB 83C40C             add esp, 0000000C            ;correct stack
:0041E8CE 8B45F0             mov eax, dword ptr [ebp-10]  ;get value
:0041E8D1 3501101000         xor eax, 00101001            ;xor it with 0010 1001
:0041E8D6 3B45EC             cmp eax, dword ptr [ebp-14]  ;is it like cx, once xored?
:0041E8D9 7521               jne 0041E8FC 		  ;No? Beggar off: EVIL JUMP
:0041E8DB C745FCFFFFFFFF     mov [ebp-04], FFFFFFFF	  ;dummy parameter
:0041E8E2 E831010000         call 0041EA18                ;dummy end call
:0041E8E7 B804000000         mov eax, 4                   ;GOOD "registered" FLAG ax=4

* MAIN EXIT: Jump at Addresses	:0041E916(U), :0041E936(U), :0041E968(U), 
				:0041E974(U), :0041E98A(U), :0041EA09(U)
:0041E8EC 8B4DF4                  mov ecx, dword ptr [ebp-0C]   ;poppall and exit
:0041E8EF 5F                      pop edi
:0041E8F0 64890D00000000          mov dword ptr fs:[00000000], ecx
:0041E8F7 5E                      pop esi
:0041E8F8 8BE5                    mov esp, ebp
:0041E8FA 5D                      pop ebp
:0041E8FB C3                      ret  				;RETURN after check

* Referenced by a Jump at Address:0041E8D9(C) EVIL JUMP 
:0041E8FC 833DA0F5490000          cmp dword ptr [0049F5A0], 0   ;d'we have a zero there?
:0041E903 7413                    je 0041E918			;if so go ahead and xor other things
:0041E905 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF 	;else  dummy parameter
:0041E90C E807010000              call 0041EA18			;      dummy end call
:0041E911 B801000000              mov eax, 00000001  		;trial FLAG ax=1
:0041E916 EBD4                    jmp 0041E8EC  		;RET WITH trial FLAG 1


* Referenced by a Jump at Address:0041E903(C) EVIL JUMP
:0041E918 8B45F0               mov eax, dword ptr [ebp-10]   ;clean and ready for xor once more
:0041E91B 3510101100           xor eax, 00111010             ;this time xor with 0011 1010
:0041E920 3B45EC               cmp eax, dword ptr [ebp-14]   ;is it, xored, like cx?
:0041E923 7513                 jne 0041E938                  ;No? Go ahead and xor 1101 1101
:0041E925 C745FCFFFFFFFF       mov [ebp-04], FFFFFFFF        ;else   dummy parameter
:0041E92C E8E7000000           call 0041EA18                 ;       dummy end call
:0041E931 B805000000           mov eax, 00000005             ;Not yet advanced funct flag 5
:0041E936 EBB4                 jmp 0041E8EC                  ;ret with bad flag ax=5


* Referenced by a Jump at Address:0041E923(C) EVIL JUMP
|
:0041E938 8B45F0               mov eax, dword ptr [ebp-10]   ;ready for xor once more
:0041E93B 3501110111           xor eax, 11011101             ;this time xor with 1101 1101
:0041E940 3B45EC               cmp eax, dword ptr [ebp-14]   ;is it, xored, like cx?
:0041E943 7534                 jne 0041E979                  ;if yes check time else ret with 
:0041E945 6A00                 push 00000000                 ;trial ax=1 and time unchecked
:0041E947 FF1548864A00         Call dword ptr [004A8648]     ;MSVCRT40.time, Ord:045Dh
:0041E94D 83C404               add esp, 00000004
:0041E950 2B45F0               sub eax, dword ptr [ebp-10]   ;number of second elapsed, subtracted
:0041E953 C745FCFFFFFFFF       mov [ebp-04], FFFFFFFF        ;       dummy parameter
:0041E95A 3BC6                 cmp eax, esi                  ;check if user has time or not
:0041E95C 760C                 jbe 0041E96A	             ;below, return with trial flag one
:0041E95E E8B5000000           call 0041EA18                 ;       dummy call
:0041E963 B803000000           mov eax, 3                    ;else return with flag ax=3:
:0041E968 EB82                 jmp 0041E8EC                  ;flag ax=3= no more time!

* Referenced by a Jump at Address:0041E95C(C)
|
:0041E96A E8A9000000              call 0041EA18    ;     dummy call
:0041E96F B801000000              mov eax, 1       ;trial FLAG 1: time not to be...
:0041E974 E973FFFFFF              jmp 0041E8EC     ;...checked or something: return 1 

* Referenced by a Jump at Address:0041E943(C)
|
:0041E979 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF    ;dummy parameter
:0041E980 E893000000              call 0041EA18             ;dummy call
:0041E985 B801000000              mov eax, 1                ;trial flag 1
:0041E98A E95DFFFFFF              jmp 0041E8EC              ;return with trial flag 1
OK, we can now experiment a little... since the return flag of this function is important, you may want to see what happens when you return: 0, 2, 4 (just try it :-) and 5. (parameter fiddling).

The big question is of course: what is the sscanf above? The sscanf function reads data from buffer into the locations given by each argument. Every argument must be a pointer to a variable with a type that corresponds to a type specifier in format.

The sscanf function returns the NUMBER of fields that were successfully converted and assigned. The return value does not include the fields that were read but not assigned.

The return value is EOF for an attempt to read at end of string A return value of ZERO means that no fields were assigned
among other things sscanf calls _isctype and isspace!
isspace is a test for white space chars (0x9, 0xD, 0x20)
_isctype is a test for integer values in an ASCII environment (alphanumeric, letters or ASCII)

So we have here the part of the target code that checks if the name and the serial number you have entered are or, are not, valid.
Actually, to be simple, sscanf goes into a string and interprets it according to the format specifications... let's seay you want for instance to convert a STRING OF DIGITS INTO AN INTEGER (typical of password protections :-)
In that case you would write in C:
sscanf (char_array_digitz, "%d",&intstorez);
this statement will convert the string of digits held inside the array of type char into type int, and store it into the variable intstorez
Well, if you want to learn more you'll find many resources about C language (and sscanf) online... just read on!

You'll notice that we have THREE xoring operations inside the code above: it work like this:
          8B45F0             mov eax, dword ptr [ebp-10]  ;get value
:0041E8D1 3501101000         xor eax, 00101001            ;1) here xor it with 0x00101001
:0041E91B 3510101100         xor eax, 00111010            ;2) here xor it with 0x00111010
:0041E93B 3501110111         xor eax, 11011101            ;3) here xor it with 0x11011101
          3B45EC             cmp eax, dword ptr [ebp-14]  ;[ebp-14] like xored [ebp-10]?
XOR is a "logical" operation, like and, not and all the other that you'll learn if you continue on your cracking path.
You take the bits of your two operands and check, each bit of the resultant dword is set to 1 ONLY if the corrisponding bits of the two operands contain opposite values.
So, first of all the three right operands of our three XORs are HEXADECIMAL values, in a "binary-similar" format: 0x00101001, 0x00111010, 0x11011101. (Watch it when you will search for these instructions inside the listing, there are two occurrences inside our target, and the second one is the correct one, as you'll notice if you acquire the GOOD practice of ALWAYS checking the code "around" your search strings)!
At your base calculator! Use hexadecimaml values and xore them, and see how they see out in binary (and how the xoring affects the bits!)
In my case we have always Ox34829AB7 inside [ebp-10]
which, xored with 0x01101000 unfortunately does not give
0x25838bb6 (the value that I always had inside [ebp-14]... therefore we are unfortunately NOT REGISTERED!

This Ox34829AB7 that we have inside [ebp-10]
xored with 0x10101100 (at the second check) does not give either
0x25838bb6 any more (it would have done it at the beginning, by the first run of our target) therefore we don't get flag 5 and that means that we have CHOSEN THE SPECIAL advanced features option!

Finally, our Ox34829AB7, that we have inside [ebp-10]
xored with the third xoring choice: 0x01110111 does indeed
give us 0x25838bb6 therefore we have snapped the advanced features and we are running the trial time flag.

What do we learn from this, besides using our base calculator?
1) That the only thing that matter is to get flag 4, therefore we just need to xor with 0x01110111 at the FIRST occurrence to have it every time!
2) That even xoring with 0x01110111 at the SECOND OCCURRENCE would be good, since we would have 'just started' flag 5 every time.
3) That the only thing we really don't need is xoring 0x01110111 at the third xoring occurrence, since that's the "normal" trial period checking.
4) That this protection is incredibly lame and that the programmer should NEVER have included a 'registering' flag inside the target.

In order to crack the above target you may of course now choose HUNDRED different solutions, and you may apply the crack wherever you want inside the get the flag subroutine.

Now that you have seen the protection scheme naked, try to work a little on this using the DEBUGGER that you have downloaded for the previous "tekfact" lesson (iwindebug).
Set some location breakpoints just before the xores above, and follow in the register window (and in the memory windows) what's going on. You'll have a taste of the 'live' approach to cracking, that we will use in the next lessons. Dead listing and live approach together can reverse ANY code you will encounter on your way, even if it has been written on Mars (or at Micro$oft :-)

I showed you enough, I'm not going to give you ANY ready made solution to crack this target, you don't need it any more. In fact I will never give ready made cracks again, you are (gonna be) real crackers: you don't need people chewing code for you and spitting out ready made solutions any more! Reread this lesson, experiment a little and crack this target on your own, it's very easy (now).

Well, I reckon that's enough for this second lesson.

(c) fravia+ December 1997. All rights reserved.

WATCH IT, THIS LESSON IS STILL UNDER CONSTRUCTION!

You are deep inside fravia's page of reverse engineering, choose your way out:


redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?