Reverse engineering Advanced Disk Catalog v. 1.1
by Aesculapius
(Redundant instructions: the undiscovered treasure
and a couple of lessons for shareware programmers)
(21 July 1997, slightly edited by Fravia+)
Courtesy of Fravia's page of reverse engineering
Well, Aesculapius show us a whole new direction and cracks a couple of
useful tools without even noticing it much... what should I say? An outstanding
essay from an outstanding +cracker!
Advanced Disk Catalog v. 1.12
("Redundant instructions: the undiscovered treasure")
By Aesculapius
There was a time when CPU's were turtles and hard drives smaller than
your RAM capacity is today. Considering this panorama, it's understandable
why assembly coding was so necessary to enhance applications performance;
things have changed though, hardware does not limit today's programmers and it's
possible and desirable to use a more sophisticated high level programming
language instead of pure assembly. These facts have obvious consequences:
most programs include unnecessary instructions and such thing could represent
an open door for a very well shielded protection scheme. We'll deal in this
essay with debugging and patching unfriendly application.
ADC 1.12 code is very sensitive to patching procedures.
Slight changes, for instance JNE to JE, will hang the whole thing, or simply,
although logic suggests that some change should crack the scheme, you can hold
your breath and count to one thousand because nothing will happen.
This is especially true if the changes are carried out in code locations "close"
to the protection scheme.
The main validation code resides in a *.DLL file named VALIDATE.DLL; to
produce a more robust anti-crackers strategy, there's a checksum in the main
executable (ADC.EXE) to validate the integrity of VALIDATE.DLL (one
validation over another, interesting!). The scheme code itself inside
VALIDATE.DLL will be executed many times. As you can see, paranoia in
it's maximum expression!
To figure out that the protection scheme was inside VALIDATE.DLL,
Win-eXpose-I/O 95 v. 2.00 (WXI) probed to be a formidable tool. You can
locate it at http://www.sheltef.com/wxi95-20.zip, 1.1 Mb. You should also
get Win-eXpose-Registry 95 v. 1.00 at http://www.sheltef.com/wxr95-10.zip,
1.1 Mb. Both of these applications are excellent additions for our trade.
All Sheltef Solutions products are distributed as a 30 days free trial limit
shareware. This is the snippet of the protection scheme for all products:
:0040619D FF15247B6D00 Call dword ptr [006D7B24] ; Calculates the valid
; password
:004061A3 83C40C add esp, 0000000C
:004061A6 8D85CCFEFFFF lea eax, dword ptr [ebp+FECC]; Moves to EAX the
memory offset
where the password
you typed is
located
:004061AC 8D8DCCFDFFFF lea ecx, dword ptr [ebp+FDCC]; Moves to ECX the
memory offset
where the valid
password is located
Referenced by a Jump at Address:004061CC(C) ; The following code compares
; both numbers one byte at a time
:004061B2 8A10 mov dl, byte ptr [eax];
:004061B4 3A11 cmp dl, byte ptr [ecx]
:004061B6 751A jne 004061D2
:004061B8 0AD2 or dl, dl
:004061BA 7412 je 004061CE
:004061BC 8A5001 mov dl, byte ptr [eax+01]
:004061BF 3A5101 cmp dl, byte ptr [ecx+01]
:004061C2 750E jne 004061D2
:004061C4 83C002 add eax, 00000002
:004061C7 83C102 add ecx, 00000002
:004061CA 0AD2 or dl, dl
:004061CC 75E4 jne 004061B2
Using Winice, set a breakpoint at CS:4061CC (BPX CS:4061CC), and
execute the following instruction: "D ECX" after winice pops up, the memory
location where the valid password is stored will be revealed. If you're too
lazy, then use this data, Serial Number: AESCULAPIUS, Password: f3e39742.
Sheltef Solutions programmers should be strong candidates to win the
stupidity award, because all their products use not only the same protection
scheme, but also the same code generation sequence! So this data will
unprotect Win-eXpose-Registry too... you wont believe it: the same password
works over and over for every single program, this is too much!
Now, in regard to the subject of this essay, ADC 1.12 can be located
at http://www.ecsc.mipt.ru/Elcom/, 1.21 MB, dated June 25 1997.
To begin this session, load the file VALIDATE.DLL in wdsm85, hit the
search button looking for: "thank you for registering". We land here:
* Referenced by a Jump at Address:1C001354(C)
|
:1C00123F C68500FFFFFF00 mov byte ptr [ebp+FFFFFF00], 00
:1C001246 6800010000 push 00000100
:1C00124B 8D8500FFFFFF lea eax, dword ptr [ebp+FF00]
:1C001251 50 push eax
* Possible StringData Ref from Data Obj ->"Enter code:"
|
:1C001252 684060001C push 1C006040
* Possible StringData Ref from Data Obj ->"Registration"
|
:1C001257 684C60001C push 1C00604C
* Reference To: USER32.GetFocus, Ord:00F7h
|
:1C00125C FF152C92001C Call dword ptr [1C00922C]
:1C001262 50 push eax
:1C001263 E8AA010000 call 1C001412
:1C001268 83F801 cmp eax, 00000001
:1C00126B 0F85B8000000 jne 1C001329
:1C001271 8D8500FFFFFF lea eax, dword ptr [ebp+FF00]
:1C001277 50 push eax
:1C001278 E881020000 call 1C0014FE
:1C00127D 85C0 test eax, eax
:1C00127F 0F8514000000 jne 1C001299
:1C001285 8D8500FFFFFF lea eax, dword ptr [ebp+FF00]
:1C00128B 50 push eax
:1C00128C E847060000 call 1C0018D8 ; Code validation
; Sequence
:1C001291 85C0 test eax, eax ; EAX=0 Unreg.
; EAX=1 Reg.
:1C001293 0F8477000000 je 1C001310 ; Don't change this jump,
it won't work.
* Referenced by a Jump at Address:1C00127F(C)
| Possible StringData Ref from Data Obj ->"Registration" ; We want to
; Execute this code
:1C001299 685C60001C push 1C00605C
:1C00129E E81D090000 call 1C001BC0
:1C0012A3 8985FCFEFFFF mov dword ptr [ebp+FEFC], eax
:1C0012A9 8D8500FFFFFF lea eax, dword ptr [ebp+FF00]
:1C0012AF 50 push eax
:1C0012B0 E8BB0D0000 call 1C002070
:1C0012B5 83C404 add esp, 00000004
:1C0012B8 50 push eax
:1C0012B9 6A01 push 00000001
:1C0012BB 8D8500FFFFFF lea eax, dword ptr [ebp+FF00]
:1C0012C1 50 push eax
* Possible StringData Ref from Data Obj ->"Code"
|
:1C0012C2 686C60001C push 1C00606C
:1C0012C7 8B85FCFEFFFF mov eax, dword ptr [ebp+FEFC]
:1C0012CD 50 push eax
:1C0012CE E872090000 call 1C001C45
:1C0012D3 8B85FCFEFFFF mov eax, dword ptr [ebp+FEFC]
:1C0012D9 50 push eax
:1C0012DA E84F090000 call 1C001C2E
:1C0012DF 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"ADC"
|
:1C0012E1 687460001C push 1C006074
* Possible StringData Ref from Data Obj ->"Thank you for registering!"
|
:1C0012E6 687860001C push 1C006078
The validation sequence begins at :1C00128C. Lets search for the code
where this CALL points to: Hit the search button at wdsm85 (or text
editor) looking for :1C0018D8. We land here:
* Referenced by a CALL at Addresses:1C00128C, :1C001A4D
; The validation sequence is activated
; from two different code locations
:1C0018D8 55 push ebp
:1C0018D9 8BEC mov ebp, esp
:1C0018DB 83EC30 sub esp, 00000030
:1C0018DE 53 push ebx
:1C0018DF 56 push esi
:1C0018E0 57 push edi
:1C0018E1 C745D01E000000 mov [ebp-30], 0000001E ; fixed value
:1C0018E8 C745FC06000000 mov [ebp-04], 00000006 ; fixed value
:1C0018EF 837D0800 cmp dword ptr [ebp+08], 00 ; Is the typed code
equal to 00? then
EAX=0 Unreg.
:1C0018F3 0F8507000000 jne 1C001900
:1C0018F9 33C0 xor eax, eax ; Erase EAX, EAX=0 Unreg.
:1C0018FB E900010000 jmp 1C001A00 ; Return to the CALLer
* Referenced by a Jump at Address:1C0018F3(C)
|
:1C001900 8B4508 mov eax, dword ptr [ebp+08]
:1C001903 50 push eax
? Reference To: KERNEL32.lstrlenA, Ord:028Dh ; Get Number of digits of the
; typed serial number
|
:1C001904 FF15A891001C Call dword ptr [1C0091A8]
:1C00190A 83F808 cmp eax, 00000008 ; Is the number you
typed more or less
than 8 digits, then
EAX=0 Unreg.
:1C00190D 0F8407000000 je 1C00191A
:1C001913 33C0 xor eax, eax ; Erase EAX
:1C001915 E9E6000000 jmp 1C001A00 ; Return to the CALLer
* Referenced by a Jump at Address:1C00190D(C)
|
:1C00191A 8B45D0 mov eax, dword ptr [ebp-30]
:1C00191D 50 push eax
* Possible StringData Ref from Data Obj ->"%02d"
|
:1C00191E 68D460001C push 1C0060D4
:1C001923 8D45D4 lea eax, dword ptr [ebp-2C]
:1C001926 50 push eax
:1C001927 E8B4080000 call 1C0021E0
:1C00192C 83C40C add esp, 0000000C
:1C00192F 8B4508 mov eax, dword ptr [ebp+08] ; Moves the code offset
to EAX
:1C001932 0FBE00 movsx eax, byte ptr [eax]; Moves the first byte
of the code to EAX
:1C001935 83E830 sub eax, 00000030; Converts the first
digit to decimal
:1C001938 8945F8 mov dword ptr [ebp-08], eax; Moves the decimal
value to [ebp-08]
:1C00193B 8B4508 mov eax, dword ptr [ebp+08]; Moves the code offset
to EAX
:1C00193E 0FBE4001 movsx eax, byte ptr [eax+01]; Moves the second byte
of the code to EAX
:1C001942 83E830 sub eax, 00000030; Converts second digit
to decimal
:1C001945 8945F4 mov dword ptr [ebp-0C], eax; Moves the decimal
value of the second
digit to [ebp-0c] and
so on with the rest
of the 8 digits
:1C001948 8B4508 mov eax, dword ptr [ebp+08]
:1C00194B 0FBE4002 movsx eax, byte ptr [eax+02]
:1C00194F 83E830 sub eax, 00000030
:1C001952 8945F0 mov dword ptr [ebp-10], eax; third decimal value
; in [ebp-10]
:1C001955 8B4508 mov eax, dword ptr [ebp+08]
:1C001958 0FBE4003 movsx eax, byte ptr [eax+03]
:1C00195C 83E830 sub eax, 00000030
:1C00195F 8945EC mov dword ptr [ebp-14], eax; fourth in [ebp-14]
:1C001962 8B4508 mov eax, dword ptr [ebp+08]
:1C001965 0FBE4004 movsx eax, byte ptr [eax+04]
:1C001969 83E830 sub eax, 00000030
:1C00196C 8945E4 mov dword ptr [ebp-1C], eax; fifth in [ebp-14]
:1C00196F 8B4508 mov eax, dword ptr [ebp+08]
:1C001972 0FBE4005 movsx eax, byte ptr [eax+05]
:1C001976 83E830 sub eax, 00000030
:1C001979 8945E0 mov dword ptr [ebp-20], eax; sixth in [ebp-20]
:1C00197C 8B4508 mov eax, dword ptr [ebp+08]
:1C00197F 0FBE4006 movsx eax, byte ptr [eax+06]
:1C001983 83E830 sub eax, 00000030
:1C001986 8945DC mov dword ptr [ebp-24], eax; seventh in [ebp-24]
:1C001989 8B4508 mov eax, dword ptr [ebp+08]
:1C00198C 0FBE4007 movsx eax, byte ptr [eax+07]
:1C001990 83E830 sub eax, 00000030
:1C001993 8945D8 mov dword ptr [ebp-28], eax; eighth in [ebp-28]
:1C001996 8B45F8 mov eax, dword ptr [ebp-08]; Moves first digit to
EAX
:1C001999 2B45D8 sub eax, dword ptr [ebp-28]; first-eighth
:1C00199C 8B4DF4 mov ecx, dword ptr [ebp-0C]; Moves second digit to
ECX
:1C00199F 2B4DDC sub ecx, dword ptr [ebp-24]; second-seventh
:1C0019A2 0FAFC1 imul eax, ecx ; (first-eighth)*(second-seventh)
:1C0019A5 8945E8 mov dword ptr [ebp-18], eax; Result stored in
[ebp-18]
:1C0019A8 8B45E8 mov eax, dword ptr [ebp-18] ; Moves result to EAX
:1C0019AB 99 cdq ; Moves high order bits of EAX to EDX
:1C0019AC 33C2 xor eax, edx ; Exclusive OR
:1C0019AE 2BC2 sub eax, edx ; subtract EAX-EDX
:1C0019B0 8945E8 mov dword ptr [ebp-18], eax ; result in [ebp-18]
:1C0019B3 8B45E8 mov eax, dword ptr [ebp-18] ; result in EAX
:1C0019B6 3945D0 cmp dword ptr [ebp-30], eax ; EAX must be equal
; to value at [ebp-30]
; [ebp-30]=1Eh=30Dec at
; :1C0018E1 (look back)
:1C0019B9 0F8407000000je 1C0019C6
:1C0019BF 33C8 xor ecx, eax ; if EAX<>1E (30 decimal) then XOR EAX
; and EAX=0 Unreg.
:1C0019C1 E93A000000 jmp 1C001A00 ; Returns to the CALLer
At this point we could easily crack this schemes by changing instruction
:1C0019BF from XOR EAX,EAX to XOR ECX,EAX, this would erase ECX
leaving EAX intact, if EAX<>0 the program is Registered, and the
protection scheme would be disabled. Off course, we would have to deal
with the checksum (read the validate.dll checksum annihilation add on, at
the end of this essay).
However, we want to go for the gold, lets calculate the valid serial
number: we know that the validation code is calculated according to the
following equation: (first digit - eighth digit) * (second digit -
seventh digit)= 1Eh = 30 Decimal. The high order bits of EAX should be
"0" because this value will be stored in EDX and finally EDX is
subtracted from EAX.
So lets begin with this tentative 8 digits number:
88776623 ; Applying the equation: (8 - 3) * (8 - 2) => (5) * (6) =
30 Decimal = 1E Hexadecimal.
(Don't forget to check the SUB REGISTER, 30 instruction ADD ON, at
the end of this document)
This attempt will pass the first validation test and leads the
execution to the following piece of code:
* Referenced by a Jump at Address:1C0019B9(C)
|
:1C0019C6 8B45F0 mov eax, dword ptr [ebp-10]; Moves third digit to EAX
:1C0019C9 2B45E0 sub eax, dword ptr [ebp-20]; Subtract third-sixth
:1C0019CC 8B4DEC mov ecx, dword ptr [ebp-14]; Moves Fourth digit to ECX
:1C0019CF 2B4DE4 sub ecx, dword ptr [ebp-1C]; Subtr. Fourht - fifth
:1C0019D2 0FAFC1 imul eax, ecx ; (third-sixth) * (fourth-fifth)
:1C0019D5 8945E8 mov dword ptr [ebp-18], eax; Moves result to
; [ebp-18]
:1C0019D8 8B45E8 mov eax, dword ptr [ebp-18]; Moves result to EAX
:1C0019DB 99 cdq ; Moves high order bits of EAX to EDX
:1C0019DC 33C2 xor eax, edx ; Exclusive OR
:1C0019DE 2BC2 sub eax, edx ; Subtract EAX-EDX
:1C0019E0 8945E8 mov dword ptr [ebp-18], eax; Moves result to
; [ebp-18]
:1C0019E3 8B45E8 mov eax, dword ptr [ebp-18]; Moves result to EAX
:1C0019E6 3945FC cmp dword ptr [ebp-04], eax; Compares EAX with
; [ebp-04] which is
; equal to 06h (look
; back at :1C0018E8)
:1C0019E9 0F8407000000 je 1C0019F6 ; If equal return to the CALLer
:1C0019EF 33C0 xor eax, eax ; If not equal EAX=0 Unreg.
:1C0019F1 E90A000000 jmp 1C001A00 ; Return to the CALLer with EAX=0
* Referenced by a Jump at Address:1C0019E9(C)
|
:1C0019F6 B801000000 mov eax, 00000001 ; The serial number has passed
; all tests, therefore,
; EAX=01 Registered
:1C0019FB E900000000 jmp 1C001A00 ; Return to the CALLer
; with EAX=1 Registered
* Referenced by a Jump at Addresses:1C0018FB(U), :1C001915(U), :1C0019C1(U),
:1C0019F1(U), :1C0019FB(U)
|
:1C001A00 5F pop edi
:1C001A01 5E pop esi
:1C001A02 5B pop ebx
:1C001A03 C9 leave
:1C001A04 C20400 ret 0004
The equation looks like this: (third digit - sixth digit) * (fourth
digit - fifth digit) = 06h = 6 Decimal.
Lets modify our tentative number according to this:
Valid Number: 88552323, where, (5 - 3) * (5 - 2) =>
(2) * (3) = 6 Decimal = 06hex.
This number seems to pass all tests.
Now try to register ADC 1.12 with the Serial Number: 88552323 and
it works!
VALIDATE.DLL ANNIHILATION ADD ON
Once we've cracked the file validate.dll with our favorite hex
editor, everything seems to be fine, but when we double click on the main
executable (ADC.EXE), another window pops up!!! VALIDATE.DLL missing or
invalid. No!!!, there's a checksum to verify the integrity of the .dll file,
Damn!!!
We're sitting in our workbench once again. If you try to execute
ADC.EXE with WXI in memory, it'll inform you that the checksum resides in
the main executable (ADC.EXE) itself. So lets disassemble this file with
wdsm85 and hit the search button looking for this sequence: "VALIDATE.DLL is
missing or invalid". We land here:
* Referenced by a Jump at Address:00409239(U)
|
:00409266 83C4FC add esp, FFFFFFFC
:00409269 A350F44800 mov [0048F450], eax
:0040926E C60548F3480000 mov byte ptr [0048F348],00; Redundant
; Instruction
Several instructions eliminated to save some space!
* Referenced by a Jump at Address:004092DC(U)
|
:0040930D A33CF34800 mov [0048F33C], eax
:00409312 E8A9A70100 call 00423AC0 ; Checksum
:00409317 A3FCF74800 mov [0048F7FC], eax; Moves the checksum
; of the modified
; file to [48F7FC]
:0040931C 8B15E8154800 mov edx, dword ptr [004815E8]; Moves the valid
checksum of the
original file
validate.dll to
[4815E8]
:00409322 3BC2 cmp eax, edx ; Compares both values
:00409324 0F8576000000 jne 004093A0 ; Jumps if the .dll
; file is invalid
; to 4093A0
Several instructions eliminated to save space!
? Referenced by a Jump at Addresses:00409324(C), :0040937A(C)
; The checksum is activated
; from two different sections
; of the code.
* Reference To: USER32.GetFocus, Ord:0000h
|
:004093A0 E800D50600 Call 004768A5 ; This is the part we
; don't want to see
; in our screen!
:004093A5 6A00 push 00000000
:004093A7 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"Fatal"
|
:004093A9 689B7B4700 push 00477B9B
* StringData Ref from Data Obj ->"VALIDATE.DLL is missing or invalid."
|
:004093AE 68777B4700 push 00477B77
:004093B3 50 push eax
Pay attention to this explanation: The checksum is calculated at :409319,
then, the checksum of the modified file is stored at memory location
[48F7FC], the valid checksum of the original file is stored at EDX from
memory location [4815E8]. At instruction :409322 both values are compared
and the decision is taken at instruction :409324 which will jump if the
checksums values are different. Changing the JNE to JE won't crack this
scheme, because the invalid checksum has already been stored at a memory
location where it'll be checked by other locations of the code. The
programmer was very intelligent because he moved the invalid checksum from a
register (EAX) to the memory, and the valid checksum from memory to a
register (EDX); this particular configuration will prevent us to move the
right checksum to the invalid checksum memory location, because assembly can
not move data directly from one memory location to another (except by the
use of rep movs instructions). We can't move the right cheksum to EAX at
409317 (MOV EAX, [4815E8]) because the program will crash. This piece of code
is not as easy to crack as it seems.
Now load ADC.EXE with WINICE press ctrl-d, set a breakpoint at
cs:409322 to see what's the difference between both checksums. Start ADC and
WINICE will pop up. Execute: ? EAX and ? EDX to check both values. You get
this:
EAX: F4E9C8A1
EDX: F4E9C8A9
The difference resides in the last digit; you also know that EAX
value is stored backwards at [48F7FC], this means that A1 will be
stored at the first byte of that memory location. All we have to do
to crack this mess is search for a redundant instruction to change the byte
at [48F7FC] from A1h to A9h. Searching backwards in the code we find the
perfect instruction (mov byte ptr) at :40926E. To be sure that it is in fact
redundant, set a breakpoint at CS:40926E and when WINICE pops up, execute:
d [48F348]. Just what I thought, this byte is already zero before the
instruction stores 00 at it, therefore, it's redundant and not necessary.
Finally, to crack the checksum, change this:
:0040926E C60548F3480000 mov byte ptr [0048F348],00
to
:0040926E C605E8154800A9 mov byte ptr [0048F7FC],A9
The checksum has been defeated!
Don't forget this: redundant instructions are frequently located at
push & pop sequences of the beginning and ending of almost every CALL. You
may use this spare bytes at your will!
SUB REGISTER, 30 INSTRUCTION ADD ON
By Aesculapius
Many programs use the instruction: SUB REGISTER, 30 to convert a
hexadecimal number to its decimal equivalent. Locating instructions like
this one, for instance: SUB EAX, 30 several times in the same piece of code
will warn you about two things:
1. A valid code calculation sequence could be there.
2. This instruction is used only with numbers (not with letters). So there
are as many numbers in the serial code as SUB REGISTER, 30 instructions in
the asm code.
Aesculapius - July 97
Email: aesculapius@cyberjunkie.com
HomePage: http://aesculapius.home.ml.org
You are deep inside Fravia's page of reverse engineering,
choose your way out:
homepage
links
anonymity
+ORC
students' essays
tools cocktails
search_forms
corporate
mailFravia
Is reverse engineering legal?