|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
"What is WinPatch used for?: WinPatch is used to build or apply a patch file. Patch files greatly simplify the task of providing program updates to your users. Patch files contain only the changes made from one set of files to another. Therefore, user updates can be distributed at a fraction of the cost of re-distributing the entire set of files. Typically patch files are 3 to 7 percent of the size of the entire set of files. Patch files also insure the intellectual investment in you software. User’s must have a valid copy of your software for them to be able to apply the update file.
What WinPatch requires: WinPatch is a 32-bit program that requires Windows 95 or Windows NT 4.0 or later. WinPatch requires less than 2mb of hard disk space. Memory requirements match that of the operating system you are using. I recommend that anyone using Windows 95 have at least 16mb of memory. Windows NT users should have at least 20mb of memory.
How WinPatch works: The WinPatch
build process compares a set of old files in one folder to a set of newer
files in another folder. WinPatch also compares all of the folders inside
each folder. WinPatch has been tested with complex file systems that
contained many different files and folders containing over a 100 megabytes
of data. During the compare process, WinPatch analyzes and compares the
files determining which folders and files have been modified and added
in the folder with the newer files. WinPatch then creates a WinPatch
file (.WNP) containing the changes needed to update the folder of older
files to the newer files.
The second step to this
process is to apply the WinPatch file to a folder that contains an old
set of files, such as one that exists on one of your user's personal computer.
This process is called Apply. "
|
|
|
|
Your first task before anything else it so create a 'Dead Listing' of Win Patch using W32Dasm. If you read my other essay's then you should know how to do this by now.
Lets first find out
where in the program some of these references are, we're curious and these
references don't seem to fit into this sort of program and they *look*
too well defined to be just 'garbage' left over's. So while we're
still in W32Dasm double-click on these references and W32Dasm will take
you to where these references are used within the source code.
If you have done
this then do you notice that all these references are more or less connected
to each other, and further more are part of our target program's protection
system!.
Perhaps our first
instinct here is to try and use what looks like a serial number "D&L-1121"
so lets try it.. Run up WinPatch and enter your name/handle and company
name as normal and for the serial number type: D&L-1121
then press the 'OK' button to see what happens next.
Messagebox displays "Invalid Registration
ID!" on your screen..
So this isn't after all a serial number, well we had to try, it looked so promising.
So now what.. Lets take another look at our dead listing again, we're now interested in the following string references, which the actual code block begins at: :0040F153 in W32Dasm.
*Note* We are not using Softice at the moment, just the dead listing produced by W32Dasm.
"Art+Debby!@"
"D&L-1121"
"The Pin is"
"Invalid Registration
ID!"
Right, the above string references are in their correct order, this is the sequence the target program will process these String references. Since I'm not here to hand everything on a plate for you, your going to have to do some work too.
*
Referenced by a (C)onditional Jump at Address :0040F120(C)
:0040F153 8D4C2410
lea ecx, dword ptr [esp+10]
:0040F157 E8C450FFFF
call 00404220
:0040F15C 8B8610010000
mov eax, dword ptr [esi+00000110]
:0040F162 8B9618010000
mov edx, dword ptr [esi+00000118]
:0040F168 895C2424
mov dword ptr [esp+24], ebx
:0040F16C 8A4802
mov cl, byte ptr [eax+02]
:0040F16F 0FBEE9
movsx ebp, cl
:0040F172 55
push ebp
:0040F173 0FBE6804
movsx ebp, byte ptr [eax+04]
:0040F177 55
push ebp
:0040F178 0FBE6801
movsx ebp, byte ptr [eax+01]
:0040F17C 0FBE4005
movsx eax, byte ptr [eax+05]
:0040F180 55
push ebp
:0040F181 50
push eax
:0040F182 8B42F8
mov eax, dword ptr [edx-08]
:0040F185 0FBEC9
movsx ecx, cl
:0040F188 51
push ecx
:0040F189 0FBE4C10FF
movsx ecx, byte ptr [eax+edx-01]
:0040F18E 51
push ecx
:0040F18F 8D4C2428
lea ecx, dword ptr [esp+28]
:0040F193 E8C856FFFF
call 00404860
:0040F198 8BC8
mov ecx, eax
:0040F19A E8C156FFFF
call 00404860
:0040F19F 8BC8
mov ecx, eax
:0040F1A1 E8BA56FFFF
call 00404860
:0040F1A6 8BC8
mov ecx, eax
:0040F1A8 E8B356FFFF
call 00404860
:0040F1AD 8BC8
mov ecx, eax
:0040F1AF E8AC56FFFF
call 00404860
:0040F1B4 8BC8
mov ecx, eax
:0040F1B6 E8A556FFFF
call 00404860
:0040F1BB 8D4C2410
lea ecx, dword ptr [esp+10]
:0040F1BF E81C54FFFF
call 004045E0
* Possible StringData
Ref from Data Obj ->"D&L-1121"
:0040F1C4 68BCA64400
push 0044A6BC
:0040F1C9 8D4C241C
lea ecx, dword ptr [esp+1C]
:0040F1CD 8BE8
mov ebp, eax
:0040F1CF E84CED0100
call 0042DF20
:0040F1D4 8D542418
lea edx, dword ptr [esp+18]
:0040F1D8 8D4C2410
lea ecx, dword ptr [esp+10]
:0040F1DC 52
push edx
:0040F1DD C644242801
mov [esp+28], 01
:0040F1E2 E8C4ED0100
call 0042DFAB
:0040F1E7 8D4C2418
lea ecx, dword ptr [esp+18]
:0040F1EB 885C2424
mov byte ptr [esp+24], bl
:0040F1EF E803ED0100
call 0042DEF7
:0040F1F4 8D4C2414
lea ecx, dword ptr [esp+14]
:0040F1F8 E82350FFFF
call 00404220
:0040F1FD 55
push ebp
:0040F1FE 8D4C2418
lea ecx, dword ptr [esp+18]
:0040F202 C644242802
mov [esp+28], 02
:0040F207 E81455FFFF
call 00404720
:0040F20C 6A09
push 00000009
:0040F20E 8D4C2418
lea ecx, dword ptr [esp+18]
:0040F212 E80958FFFF
call 00404A20
:0040F217 8D442414
lea eax, dword ptr [esp+14]
:0040F21B 8D4C2410
lea ecx, dword ptr [esp+10]
:0040F21F 50
push eax
:0040F220 E8FB55FFFF
call 00404820
:0040F225 8B0F
mov ecx, dword ptr [edi]
* Possible StringData
Ref from Data Obj ->"Art+Debby!@"
|
:0040F227 68B0A64400
push 0044A6B0
:0040F22C 51
push ecx
:0040F22D E81E790000
call 00416B50
:0040F232 83C408
add esp, 00000008
:0040F235 F7D8
neg eax
:0040F237 1BC0
sbb eax, eax
:0040F239 40
inc eax
:0040F23A 84C0
test al, al
:0040F23C 745D
je 0040F29B
:0040F23E 8D542410
lea edx, dword ptr [esp+10]
:0040F242 8BCF
mov ecx, edi
:0040F244 52
push edx
:0040F245 E861ED0100
call 0042DFAB
:0040F24A 53
push ebx
:0040F24B 8BCE
mov ecx, esi
:0040F24D E869DC0100
call 0042CEBB
* Possible StringData
Ref from Data Obj ->"The PIN is: "
:0040F252 68A0A64400
push 0044A6A0
:0040F257 8D4C241C
lea ecx, dword ptr [esp+1C]
:0040F25B E8C0EC0100
call 0042DF20
:0040F260 8D442410
lea eax, dword ptr [esp+10]
:0040F264 6A2E
push 0000002E
:0040F266 50
push eax
:0040F267 8D4C2420
lea ecx, dword ptr [esp+20]
:0040F26B C644242C03
mov [esp+2C], 03
:0040F270 E8AB55FFFF
call 00404820
:0040F275 8BC8
mov ecx, eax
:0040F277 E8C455FFFF
call 00404840
:0040F27C 8B4C2418
mov ecx, dword ptr [esp+18]
:0040F280 53
push ebx
:0040F281 53
push ebx
:0040F282 51
push ecx
:0040F283 E8C6470200
call 00433A4E
:0040F288 8D4C2418
lea ecx, dword ptr [esp+18]
:0040F28C C644242402
mov [esp+24], 02
:0040F291 E861EC0100
call 0042DEF7
:0040F296 E989000000
jmp 0040F324
* Referenced by a (C)onditional Jump at Address :0040F23C(C)
:0040F29B 8B17
mov edx, dword ptr [edi]
:0040F29D 8B442410
mov eax, dword ptr [esp+10]
:0040F2A1 52
push edx
:0040F2A2 50
push eax
:0040F2A3 E8A8780000
call 00416B50
:0040F2A8 83C408
add esp, 00000008
:0040F2AB F7D8
neg eax
:0040F2AD 1BC0
sbb eax, eax
:0040F2AF F7D8
neg eax
:0040F2B1 84C0
test al, al
:0040F2B3 740E
je 0040F2C3
:0040F2B5 53
push ebx
:0040F2B6 53
push ebx
* Possible StringData
Ref from Data Obj ->"Invalid Registration ID!"
:0040F2B7 6808A64400
push 0044A608
:0040F2BC E88D470200
call 00433A4E
:0040F2C1 EB61
jmp 0040F324
What we should ask ourselves here is just what is going on here and why does the program have a reference to the text message "The Pin is.."?.
Study the above code snippet well, can see how the programmer has tested his protection system yet?. I suggest you now get a print out of just this section of code, you should already know, without my telling you, how to do this.
Why not now run Softice on this routine, pay particular attention to what jumps are made to the various sections of code and what registers are effected and more importantly, what happens to them.
Start up Winpatch, go into the Registration Screen and fill in the details
with anything you want. Before pressing the OK button
press Ctrl-D to enter Softice and setup the following Softice breakpoint:
bpx messageboxa
Now you can press the 'OK' button.
Softice will now break at the beginning of the messagebox routine,
from here press 'F11' key once, then press the 'OK' button to the
messagebox that now appears on your screen telling you that you've entered
a Invalid Registration code. . Softice should once again halt the program
and we're now back in the WinPatch code.
:00433A1F FF15D8C44300
Call dword ptr [0043C4D8]
:00433A25 891E
mov dword ptr [esi], ebx ;We land Here
:00433A27 837DFC00
cmp dword ptr [ebp-04], 00000000
:00433A2B 89450C
mov dword ptr [ebp+0C], eax
:00433A2E 740B
je 00433A3B
We could here simply single step our way using the 'F10' key and eventually
find our way to the block of code that interests us but why would we do
this? We've already located the block of code we want to examine
further in our Dead listing, so lets tell Softice that we want it
to stop at this block of code the next time we run the Registration process
again.
The dead listing tells us that the block of code we're interested in
is at memory offset: :0040F153 so lets type
in SOftice: bc * to clear away any breakpoints Softice may already
have then type: bpx 0040F153
Now press x to exit Softice so we're once again back in our target program. Once more go into the 'Registration Screen' and fill in the necessary information asked by the program then press the 'OK' button once more.
As expected, Softice breaks at the beginning of the block of code we
want to examine more closely..
:0040F153 8D4C2410
lea ecx, dword ptr [esp+10] ;We
land here
:0040F157 E8C450FFFF
call 00404220
:0040F15C 8B8610010000
mov eax, dword ptr [esi+00000110]
:0040F162 8B9618010000
mov edx, dword ptr [esi+00000118]
:0040F168 895C2424
mov dword ptr [esp+24], ebx
Run through this block of code as many times as you want, learn where
all the conditional jumps go to and what happens next when the program
has jump'd to a different section of code. Make plenty of notes and
DON'T be afraid to experiment.
OK, here's what I learned by doing the above, see if you found the
same answers as I did.
On
entry to this routine at memory location :0040F153
the following registers are 'set' to:
EAX
= Memory Location of Your entered Serial Number
ECX
= Memory Location of your Company Name
EDX
= Memory Location of your Name/Handle
The program first creates the first of the 'Registration' Code here.
* Possible StringData
Ref from Data Obj ->"D&L-1121"
:0040F1C4 68BCA64400
push 0044A6BC
Next, it looks to see if the User (you and me) has entered the text "Art+Debby!@" as the registration Number!
:0040F23A 84C0
test al, al
:0040F23C 745D
je 0040F29B ;jump if you haven't used the
;string Art+Debby!@
;else proceed onto
;the next instruction
At location 0040F252 the program
now prepares a new messagebox, one that will TELL the programmer what the
serial number SHOULD BE!.
* Possible StringData Ref from Data Obj ->"The PIN is: "
:0040F252 68A0A64400
push 0044A6A0
The next few instructions now displays the message box:
'The Pin Is D&L-1121-73823587'
* Possible StringData
Ref from Data Obj ->"The PIN is: "
:0040F252 68A0A64400
push 0044A6A0
:0040F257 8D4C241C
lea ecx, dword ptr [esp+1C]
:0040F25B E8C0EC0100
call 0042DF20
:0040F260 8D442410
lea eax, dword ptr [esp+10]
:0040F264 6A2E
push 0000002E
:0040F266 50
push eax
:0040F267 8D4C2420
lea ecx, dword ptr [esp+20]
:0040F26B C644242C03
mov [esp+2C], 03
:0040F270 E8AB55FFFF
call 00404820
:0040F275 8BC8
mov ecx, eax
:0040F277 E8C455FFFF
call 00404840
:0040F27C 8B4C2418
mov ecx, dword ptr [esp+18]
:0040F280 53
push ebx
:0040F281 53
push ebx
:0040F282 51
push ecx
:0040F283 E8C6470200
call 00433A4E
:0040F288 8D4C2418
lea ecx, dword ptr [esp+18]
:0040F28C C644242402
mov [esp+24], 02
:0040F291 E861EC0100
call 0042DEF7
:0040F296 E989000000
jmp 0040F324
Then the program REPLACES the text "Art+Debby!@" that the programmer had just typed in WITH THE REGISTRATION CODE DISPLAYED IN THIS MESSAGE BOX!.
Just to recap on
what we've discovered here. The programmer has hard coded the string
'Art+Debby!@' into
his program, so that if he types this text into where you would normally
type your real serial number then the program will display a message box
on the screen showing you what the real serial should be, THEN the program
will automatically replace the string Art+Debby!@
into the FULL serial number!. From here all you would do is exit the program
and then re-run it to find that there are now nag screens and that the
program has saved your details along with this registration code in your
System registry File.
Job Done.....
|
|
|
|
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
|
| Next | Return to Essay Index | Previous |
Essay by:
The Sandman
Page Created: 05th June
1998