Published
by Tsehp September 2000
Target:
-------
InstaPass
Pro v1.20 by Ashish Computer
Systems
This
program can find the database password for MS Access databases from
Access
'95 and up to Access 2000.
You
can find the demo version at http://www.ashishsystems.com
This
demo version is limited to files up to 150 kilobyte in size.
Required
software:
------------------
SoftICE
for Windows 9x v4.05 (search the net, buy it, or download evaluation
version from www.numega.com)
HIEW
v6.16 (I think you can find it on protools.cjb.net)
ANY
MS Access '95 or newer database over 150kb in size - if you can't find
one, or don't know how to create one yourself, email me.
TDUMP.EXE
- I'm not around my own computer right now, but I think it is
Turbo Dump, or something. I'll correct this in the next version, but
for now I'd just like some feedback.
Preface:
--------
I
have been into the art of Reversing for the past three or four years now,
but
I have never really taken the time to find some tutorials on the 'net to
get
myself really started. Many people claim that reversing is very difficult
to
learn and master, but in reality all it takes is a day or two of dedicated
experimentation,
and you're set to go. Of course, you are not anywhere near
a
super-Fravia yet, but at least you'll know the basics, and if nothing
else
you'll be able to do some small, simple reversing/cracking jobs.
In
any event, I found it very difficult to find an essay which wasn't too
difficult
to read - many contained a lot of small assembly dumps, and those
were
pretty hard to follow, so I thought I'd give it a go and write something
which
I thought would be good for an apprentice in the art of Reversing.
Background:
-----------
This
is pretty much my first crack-job, but it does work, and I have done
other
half-baked stuff before this. The meaning of this essay is to teach
the
basics of using SoftICE, and to be a small introduction to reversing
a
simple protection.
PLEASE
let me know if you've even read this essay, and if you have any
comments,
let me know! I want to write more essays in the hope of strengthening
the
Fravia-community, but if I'm not sure the way I'm writing these essays
is
good, it'll be pretty hard to produce any quality.
Also,
if there are ANY terms you are unclear on, or any passages which are
unreadable
either because of too many fancy words, or because of bad English,
please
do not hesitate to let me know!
Tutorial:
---------
First
of, it might be a good idea to print this out in some way, since it
is
very hard to memorize all the steps. You could also just read it, make
some
notes, and try without reading again, but be aware that once you are
inside
SoftICE, you can't switch back to a Windows program and read this -
you
have to exit the SoftICE-window, and then you'll have to start over.
Try
running the program on your database. If your database was over 150kb in
size,
you'll see it pops up with an error message when you press "Go".
Since
it will be able to do it's job to the fullest as long as the database
is
less than 150kb, we will for now assume that it is simply a matter of
checking
the filesize and showing a dialog box.
Now,
the next step is to see if we can get any help from the .EXE file itself.
I
used TDUMP.EXE, but anything that dumps the imports and exports of the EXE-
file
can be used. In any event, you'll see that this EXE imports functions
from
MSVBVM50.DLL. If you don't already know, this is the runtime DLL for
programs
built in Visual Basic v5.0 (Microsoft Visual Basic Virtual
Machine
5.0). If there are anybody who wants me to expand on this subject
(like,
what is a runtime DLL, what is Visual Basic, or what imported functions
are),
please lemme know, and I'll write a section on it.
Visual
Basic is an interpreted language, meaning that you don't actually
do
much work in the program file, but rather rely on the .DLL file to supply
the
functions you want to do. This makes Visual Basic a VERY high level
language
- it is easy to learn, but extremely in-efficient. So, what you
want
to do is see which functions are exported from MSVBVM50.DLL, to see if
there
are any functions we can set a breakpoint on (more on this later).
Running
"TDUMP.EXE c:\windows\system\msvbvm50.dll > msvbvm50.exp"
suffices.
This
will produce a file called "msvbvm50.exp" with the output from the
TDUMP
command.
You will see all the exports, which are the functions available
for
other programs to use. We are interested in anything that has to do with
file
lengths, and perusing down the list we see "rtcFileLen" and
"rtcFileLength".
Okay, remember these. Now we will get into action with
SoftICE.
I
assume that you have installed SoftICE, and that it is running. You can
verify
this by pressing CTRL+D - SoftICE should pop up. Press CTRL+D to
remove
it again. If SoftICE is not installed, or it is installed but isn't
working/running,
and you'd like me to explain how this should be set up,
email
me and I'll include it here.
Now,
start InstaPass if it isn't running already. Press CTRL+D to get into
SoftICE.
The
layout of the SoftICE screen can be customized, so how it looks on your
screen
might vary, but I hope that this short introduction is good enough.
What
you see on the top is the registers of the CPU. We'll deal shortly with
this
later. Beneath is usually the data window - it is equal to a hex dump
of
the memory. This window might not be on your screen, though.
Next
is the Code window - this window can display source-code if you are
debugging
an application, or it can show assembler-instructions, as it
probably
is doing now.
In
the lower, right corner you'll see what context we are in now. The context
is
the program we are currently working in, and the place where our
breakpoints
will take effect. It might read "DISPLAY" or
".text!MsAccess", or
something
else. We need to change it to our InstaPass program.
If
you type in "ADDR", you will see all the address context's we can
switch
to.
Now, just type "addr InstaPas", and we will be in InstaPas's
context.
Remember
to two functions we saw? Now, we can make a breakpoint on these,
so
each time one of the two functions are called, SoftICE will halt the
system
temporarily, and switch into the debugger (what you are seeing now).
There
are many types of breakpoints, but that is for another tutorial.
Right
now, we use the "bpx" command. Type these two commands:
"bpx rtcFileLen"
"bpx rtcFileLength"
and
press CTRL+D. Now, select your test database, and press "Go".
SoftICE
interrupts,
saying that the breakpoint was encountered.
Just
below the CPU registers window, it will say something with
"msvbvm50" in
it.
This means that the execution point (the point where the computer is
running
code) is in the msvbvm50 module. We want to be in the Instapas-module,
since
this is the code we need to hack. If you press F12, SoftICE will trace
the
code until it encounters the next "ret"-instruction, meaning that it
will
execute
all the assembler-instructions, until it meets "ret". The
"ret"-
instruction
will return the computer to the place where a "call" instruction
was
issued.
In
this case, in the Instapas-program, the program wants to know the file
length,
so it can see if it is larger than the allowed 150 kilobyte.
It
calls the function "rtcFileLen", and the computer starts running
code from
msvbvm50.dll,
where the function rtcFileLen is located. When the "ret"-
instruction
is encountered, we are returned to Instapas. This is the point
were
we will be after having pressed F12.
Now,
in the code window, you will se a lot of numbers, and towards the right
side,
these two assembler instructions:
CMP EAX, 000249F0
SETGE CL
Now,
this is were the registers come into play. If you have ever programmed,
you'll
know what a variable is. The registers are variables in the CPU.
If
you have never programmed - you might want to try it, good experience... -
this
is similar to the x and y stuff from math class. EAX, EBX, ECX and EDX
are
four of the variables available to us, and what the first assembler
instruction
does is compare the value we have stored in the register EAX
to
the hex-value 0x249F0.
Now,
at the very top, you'll see the registers, and their current contents.
You
can also see the EAX register. Now, try typing "? " and the value
you can
see
in the EAX register. This will evaluate the expression you have just
typed.
Also, it will display the value again, along with the decimal
representation.
I'll bet you this value is the same as the filesize of your
test
database. So, what it does is compare your test-databases filesize with
0x249F0.
Try typing "? 249F0", and you'll see that in decimal this is
"150000".
Does this ring a bell? This is precisely what we have been looking
for
- the 150kb limit (actually, pretty imprecise, since 150kb = 153600 bytes).
Now,
the next instruction is what we want to modify. As I said earlier, I'm
pretty
much still learning this, so I'm not quite sure what this command does
precisely,
but I know it modifies something based on the flags in the CPU.
The
flags, in turn, get set by the result of the CMP command, so what these
two
lines do is check if the filesize is greater than 150.000 bytes, and
modifies
a flag based upon that comparison.
What
we want it to do is ALWAYS return with a success.
We
can alter the CMP-instruction, so it compares with a greater value.
"CMP
EAX, 00ABCDEF" will make the max filesize equal 11259375 bytes (roughly
11
megabytes), but this is not what we want. No limits! :)
So,
we change this (more on how to change later) to "CMP EAX, 00000000",
which
will
fail always - files over 0 byte not allowed. Now we are sure of the
outcome
of the CMP-instruction. On to changing the SETGE-instruction. Now, I
have
really not checked what this instruction does, and I will post a more
up-to-date
version explaining what this instruction does, but instead I just
toyed
around with the manual to NASM, a great freeware assembler - find it
at
"htpp://www.cryogen.com/nasm". It listed the different SET*
instructions
there
are, and I just tested them until I found one which worked :)
Not
the most elegant method, I know. Sorry about that...
Anyway,
"SETZ CL" worked, and with these two modifications, InstaPass will
accept
all files, regardless of size.
This
is how you do the actual modification. Bear in mind, though, that this
is
only in-memory, and not the actual contents of the file itself we are
changing.
Once your quit InstaPass, the changes will be lost - however, I
will
demonstrate how to make the changes permanent a little later on.
The
command we are looking for now is "A" for Assemble. This is because
we
want
to enter the two new machine-code statements we have just figured out.
The
argument to A is the address at which we want to start assembling. This
_should_
be 0x00408C42, but there is a little possiblity of this changing
(e.g.
a newer or older version of the program). You can see the address
just
to the left of the "CMP EAX, ..." instruction in the code window.
Now,
type "A 408C42" (or the correct address, if this is not the one)
The
input window will display "00408C42 " and wait for your input. Type
the
new
commands:
"CMP EAX, 0"
"SETZ CL"
and make another blank return, to end the assembler mode.
You
will be able to see your changes in the code window.
Lastly,
type "bc *" to clear the two breakpoints we've set. We have patched
the
memory, and don't want SoftICE to use the breakpoints anymore.
Type
CTRL+D, and verify that InstaPass indeed works with files larger than
150kb!
This
is actually a crack! There are more things you could do, like change
the
text in the About box (it says "Evaluation Version"), but this is
only
cosmetic.
What
we want to do know is make the changes permanent. There are two ways
to
accomplish this. Either we make a process patcher, or we patch the program
now.
The
first method is a bit complicated, and outside the scope of this essay.
Suffice
to say, you "attach" a small program at the end of the real program,
which
will, once the "real" program is loaded, patch certain memory
locations.
This
has a couple of advantages, but you should search for more information
before
using this.
The
other method I'll describe here. I wrote that HIEW is a requirement - this
is
because it is what I find the easiest to use on these kind of operations.
There
might be other editors suited, but for now, stick with HIEW.
Just
run HIEW, and use it's file-browser to select InstaPas.exe.
Now,
press F4, select Decode, and press F5. We want to go to the location
where
we patched the program. If we were using a regular editor, we couldn't
just
type "408C42" and get there, since this is a virtual offset, or
something
akin to that. Now, here comes the reason why I use HIEW -
type
".408C42", and press RETURN. With the "." in front, HIEW
knows it is a
virtual
(or whatever) address, and we land smash right where we were in
SoftICE.
This time, it's just the actual EXE file.
Now,
press F3 to get into edit mode. Navigate the cursor past the
"3D"-portion
of
the hex-code, and enter "000000". Now, press <TAB> to enter
assembler-mode,
and
enter "SETZ CL". The reason for not entering the
"CMP"-command the same
way
is that HIEW translates this to a shorter version, and we have to patch
a
little more. Nothing dangerous, but it's just a notch over beginner if you're
totally
new to assembler.
Anyway,
<ESC> to quit assembler-mode, press F9 to keep the changes, and press
F10
to exit HIEW. Quit any running InstaPass-instances, start the new
patched
version, and voila - no limits! Your very own, semi-registered
InstaPass!
-------------------------------------------------------------------------------
I
hope this essay has been helpfull. If you feel something is missing,
something
is wrong, something is unexplained, have something nice to say
about
it (or bad), or just want to chat, please email me at
charon@synaptic.8m.com
/
cHaron '00