RegSpy v1

RegSpy v1.51 - Patched

by NchantA [PGC]

Published by +Tsehp July 2001

Current URL: http://www.utils32.com/files/regspy.zip

tools needed:

- PeEditor

- Windasm / IDA

- softice ;)

- HIEW

- Win 32 API List

- icedump (optional)

Sorry for the extravagant list of tools, but they were all used. They can all be found at protools.cjb.net or www.suddendischarge.com. or www.google.com ;P

this program looks nice, when its not crashing ;P another handy util that may eventually equal regmon, it certainitly has a nicer interface ;)

Problem

Finally! a protection a little different from the rest.

I found this protection interesting, very different from the rest, so to me it was tutorial worthy ;)

Attack! I installed the program and got straight down to business. Enable icedump (just in case it has some fucked up anti-softice code. Hi Bi-Tarts!)

hrmm a handy nag (note this as a possible attack point), press �try� and continue, loads fast, nice program :o)

goto Help->About and check it out, unregistered (of course), wow, It has a place to enter a serial! Well nothing too it, set a bpx hmemcpy after u type in a serial and before u press OK. Hit OK. It breaks here:

* Reference To: USER32.GetDlgItemTextA, Ord:0107h

:00409329 FF152C444200�� Call dword ptr [0042442C]

// compares your serial with nothing:

:0040932F 803E00�� cmp byte ptr [esi], 00��

// if it is, then bugger off:

:00409332 741C�� je 00409350

// if you typed in anything, pop up message box:

:00409334 8B4F04�� mov ecx, dword ptr [edi+04]

:00409337 6A00�� push 00000000

:00409339 6888A74200�� push 0042A788

* Possible StringData Ref from Data Obj ->"Thank you for registration"

Well that sux. You have to restart to see if its registered, this generally means that the serial check is somewhere in the programs initialization code.

No matter. We simple have to find another place to attack! Before u read on, I would like anyone blindly following this tutorial to have a solid go at:

- patching the program so its registered

- finding a valid serial (for your computer ?????)

- keygening it

I personally took the easy way out by stopping after step one, but thats laziness and not ignorance (I hope haha).

Have u had a go at cracking this? Failed miserably? Keygenned it without problem? Oh well no matter, continue reading for one of the many many possible solutions.

Solution

Allright. Now my reasoning was that there had to be a way of registering the damn program. I went searching for the serial algorythm, but I hit a different sort of goldmine.

Firstly:

Remember the nag as a possible attack point? Well I reasoned, that if the nag pops up, then we obviously havent cracked it have we! So firstly, we pinpoint the nag creation routine in the code, and then we backtrack using Windasm or (preferably) IDA.

Also remember this:

* Reference To: USER32.GetDlgItemTextA, Ord:0107h

:00409329 FF152C444200�� Call dword ptr [0042442C]

when we tried to get serial? Well that shows us that the program was created as a dialogbox, probably using resources stored in the .exe.

so do this before you run the program:

bpx dialogboxparama

( exp dialogbox for a list of possible bpx�s )

start the program.

It breaks before the nag pops up yay!

Press F12 (� Important! )

F12 does a �p ret� which means it is will execute/trace every piece of code (like you press F10) until it reaches a RET ( return from a CALL ) ,when it reaches the RET it will pop up sice. Handy huh!

Press �Try� on the nag. Sice pops up nicely at the end of the dialogbox call!

Lovely. Take note of the the calling address and press F5. Open IDA/Windasm and Goto the address we just recorded.

�

* Reference To: USER32.DialogBoxParamA, Ord:0095h

�� |

:0040E6CD FF1528444200�� Call dword ptr [00424428]

�

look upwards. Only one call to this window, so lets go down a level.

�

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00407991(C)

// weird compare

:0040799B 6683BE6C06000000�� cmp word ptr [esi+0000066C], 0000

// jump over the nag ( we are registered?! )

:004079A3 752E�� jne 004079D3

:004079A5 8D4DD8�� lea ecx, dword ptr [ebp-28]

:004079A8 E8E38C0000�� call 00410690

:004079AD 6A00�� push 00000000

* Reference To: USER32.GetActiveWindow, Ord:00DFh

�� |

:004079AF FF15F8424200�� Call dword ptr [004242F8]

:004079B5 50�� push eax

:004079B6 8D4DD8�� lea ecx, dword ptr [ebp-28]

// nag

:004079B9 E8C26C0000�� call 0040E680

�

traces upwards too 407991.

�

// this is our boy

:0040798A E851F5FFFF�� call 00406EE0

// test if eax == 0

:0040798F 85C0�� test eax, eax

// if not then jump

:00407991 7508�� jne 0040799B

�

now, because all this code formatting is killing me, I will simply tell u what happens in the call above.

First is create�s another instance of ITSELF. It then maps the view to memory and here is where it gets interesting:

�

// wtf is this u might ask?

* Reference To: IMAGEHLP.CheckSumMappedFile, Ord:0002h

�� |

:00406F89 FF15B0404200�� Call dword ptr [004240B0]

// um ok.

:00406F8F 660FB6481B�� movzx cx, byte ptr [eax+1B]

:00406F94 8B542418�� mov edx, dword ptr [esp+18]

:00406F98 33C0�� xor eax, eax

:00406F9A 57�� push edi

// important! In softice type d edx+66c and take note of this address.

:00406F9B 66898A6C060000�� mov word ptr [edx+0000066C], cx

:00406FA2 8B4C2414�� mov ecx, dword ptr [esp+14]

// hrmm. Comparing something? Its correct atm. Means the call will return One.

:00406FA6 3B4C2418�� cmp ecx, dword ptr [esp+18]

:00406FAA 0F94C0�� sete al

:00406FAD 8BF0�� mov esi, eax

* Reference To: KERNEL32.UnmapViewOfFile, Ord:02Deh

�

when you exit this call, continue until we hit the compare/conditional jump that we KNOW will jump straight over our nag:

�

// weird compare

:0040799B 6683BE6C06000000�� cmp word ptr [esi+0000066C], 0000

// jump over the nag ( we are registered?! )

:004079A3 752E�� jne 004079D3

�

type d esi+66c and we notice that address is the same from inside the mapping file call!

00406F9B 66898A6C060000�� mov word ptr [edx+0000066C], cx

That means if we change CX to 1 before it is moved, all will be well!. Now. Where in gods name is CX getting its value from?

:00406F8F 660FB6481B�� movzx cx, byte ptr [eax+1B]

hmm.

To understand this more fully, load up your win32api help reference ( if u dont have it get it! ). Here it is for the handicapped:

PIMAGE_NT_HEADERS CheckSumMappedFile(

�� IN LPVOID BaseAddress,��

�� IN DWORD FileLength,��

�� OUT LPDWORD HeaderSum,��

�� OUT LPDWORD CheckSum��

�� );

Important: �If the function succeeds, the return value is a pointer to the IMAGE_NT_HEADERS structure contained in the mapped image.�

What does that mean?

�

:00406F8F 660FB6481B�� movzx cx, byte ptr [eax+1B]

�

that means that the program is getting the BYTE at PE_HEADER + 0x01B, and putting it in cx, which is later put into our magic registered address. Well thats easy to fix!

Open up HIEW and load the RegSpy.exe program. Press enter once to get to Hex mode.

You see the little �PE� at hex offset 0x0100 ? ok thats the start of the PE_HEADER. Simply add 0x01B to it. We get: 0x011B.

hit F5, type 11B, press enter

press F3 to edit, and then type 01.

Hit F9 to save and F10 to exit. Dont u just love HIEW ;D

run the program. Wtf? If never starts. Something is wrong here, bpx MapViewOfFileA. It breaks, trace down and CX is equal to 1!!!!!!! We did it!, but why isnt it starting?

Wait do u see this:

// hrmm. Comparing something? Its correct atm. Means the call will return One.

:00406FA6 3B4C2418�� cmp ecx, dword ptr [esp+18]

:00406FAA 0F94C0�� sete al

:00406FAD 8BF0�� mov esi, eax

Its not returning one anymore! That means that that compare above must be wrong. Damn!

From the winapi help, we can see that the compare is simply comparing the CORRECT checksum with the checksum thats located in the PE_HEADER. How do we fix that? Easy PEEditor! Load up your file in PEEditor and click �checksum�, and then �correct�. Optionally u can fix the checksum manually.

Perfect! The program runs, and now its fully registered! Now for fun, you can find out yourself if/how the serial is checked to be correct, or if its even used.

Conclusion

Not a bad protection because of its ability to check if its registered without external files, or with easily accessed keys in the registry. But the author should have made maybe a few of his own checksum routines, instead of relying on an easily duplicated one ;)

Whew long tutorial

This goes out to all my online buddy�s.

Group Greetz: PGC EVC UCF CORE TMG DAMN UG and every group trying to make a difference.

PPl Greetz: Kilby ;) r!sc, MackT, nu, nroc, WarezPup, CrackZ, tsehp+, splaj+, webby, SV, deamon, Maud dib,� KW,�� and ive already gone blank. ;P everyone in #cracking4newbies and #pgc on efNET.

PGC 4 L1FE ---- http://www.pgc-force.com ----

NchantA