CASIMIR
Hi Joe, I have another Xmas present for you! (File Locker, see below) Happy New Year's Day. Caz

A 2-minute crack...
Victim: File Locker v1.11 by Microsort CA [flocker.exe : 212992 bytes]
Get it at: Microsort CA
Tools:
- a system-level debugger -> Winice by Nu-mega
- a disassembler -> W32dasm by URSoftware
- a hexadecimal editor -> HexWorkshop by BreakPoint Software

NEVER decrypt the original password, for God's sake! If you do, a casual cracker only has to locate the COMPARE sequence in the code to find out what the correct password is. Even worse, you used a *standard* VB function to compare the correct password to the password entered. How lazy!
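The complaint above is the whole lesson for a defender: a locker that keeps the real password and asks "does the input equal it?" leaves one recoverable secret on disk and one branch to flip. The Python example below is added here for illustration; it is not Casimir's code and not File Locker's. It contrasts that design with one that stores only a random salt and a key check value derived from the password with PBKDF2, so nothing on disk can be reversed into the password, the comparison is constant-time, and the same derived key is what an encryption tool would use to unlock the file, so a wrong password yields a wrong key whatever the comparison says. The function names, the "key-check" label and the iteration count are my own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Weak design, as criticized above: the correct password itself is kept
# (recoverably) and checked with an ordinary string comparison.  Whoever can
# read the stored value or flip the single comparison wins.
def weak_check(stored_password: str, entered: str) -> bool:
    return stored_password == entered


# Hardened design (assumed, not File Locker's): keep only a random salt and a
# key check value (KCV) derived from the password.  Neither reveals the password.
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware allows
KEY_LEN = 32           # 256-bit key


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the file-encryption key from the password and salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """A MAC over a fixed label: proves possession of the key without exposing it."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def make_verifier(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, kcv) to store alongside the locked file; a fresh salt per file."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, key_check_value(derive_key(password, salt))


def check_password(entered: str, salt: bytes, kcv: bytes) -> bool:
    """Constant-time check; the stored salt and KCV cannot be reversed to the password."""
    return hmac.compare_digest(key_check_value(derive_key(entered, salt)), kcv)


if __name__ == "__main__":
    salt, kcv = make_verifier("correct horse")          # constructed sample password
    print(check_password("correct horse", salt, kcv))   # True
    print(check_password("7777777", salt, kcv))         # False
    # Even if the check were patched out, the key a wrong password produces
    # differs from the real one, so the file still cannot be decrypted:
    print(derive_key("7777777", salt) != derive_key("correct horse", salt))  # True
```

The design point is that the check is no longer the thing protecting the file: the key that decrypts it only exists if the right password was entered, so patching a `push` changes nothing. A real tool would also authenticate the ciphertext (for example with an AEAD mode) so that a wrong key is detected as an integrity failure rather than as garbage output.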
1. Disassemble flocker.exe. Look at the beginning of the listing (IMPORTED FUNCTIONS section). Hmm... This program imports functions from a Visual Basic module: MSVBVM50.dll. The MSVBVM50.dll module is located in your c:\windows\system\ directory. Some of those functions may interest us, so we need to be able to monitor them. To do that, we modify the Winice configuration file (winice.dat) so it loads the VB module's exports at startup: add the following line to the EXP list:
2. One VB function is specifically designed to compare strings: __vbastrcmp, so we'll watch it, just in case... {;-) Inside Flocker, start the decryption process with the password 7777777, but just before double-clicking on the file you want to decrypt, enter Winice and set a breakpoint on this function: __vbastrcmp. Leave Winice and double-click...
3. ...BINGO! Winice pops up at the beginning of the __vbastrcmp function. Press F11 to execute and return from the function. Here's what we see (type "code on" to display hexadecimal values):

137:42BA0A 8B 8D 30 FE FF FF    mov ecx, [ebp-1D0]          <- good password
137:42BA10 51                   push ecx
137:42BA11 8B 95 2C FE FF FF    mov edx, [ebp-1D2]          <- what we entered
137:42BA17 52                   push edx
137:42BA18 FF 15 14 23 43 00    call [msvbvm50!__vbastrcmp]

Flocker pushes the good password and what we entered onto the stack, then calls the compare function. If the strings are the same, the file is decrypted; otherwise we get an error message.
4. Let's patch the program so it decrypts the file even if you enter a wrong password! To do so, we substitute "push eDx" (52) with "push eCx" (51), so the compare function compares the good password to itself {:-)

Open flocker.exe in your hexadecimal editor.
Search: 51 8B 95 2C FE FF FF 52
Replace with: 51 8B 95 2C FE FF FF 51

5. We're done!
If you need more info, contact me at: Casimir
Converted to hypertext by Joe Peschel December 27, 1998.