Miscellaneous
Papers Return to Main Indexhttp://www.tamos.com/soft/ - Webpage.
SoftICE v3.2x.
Greetings once again!. SmartWhoIs is a truly smart DNS & IP search tool. It is a useful tool to search for the source of a hostname, I'll bet you like it very much, so buy it when you want to use it :).
Fire up SmartWhoIs, click the Help tab and choose register. It will ask you for a name and a code. Enter anything you want and click OK. Next it will tell you to restart SmartWhoIs to validate the registration details. So, quit the program and restart. If you have entered a bad code, it will say 'Invalid Registration Code'. So we can see that the program always compares our code against a good code when it starts.
In this case a breakpoint (BPX) on GetDlgItem, is useless because it does not compare the code and the name directly in the Register tab. It had to be saved first onto our media, in the Windows registry or a file (sometimes in a hidden place). I opened a registry window, and searched but there is no record of anything interesting relating to SmartWhoIs (I could have just used Registry Monitor).
Therefore it must have saved the code and the name into a file, somewhere... I used QuickView to see the (API) used. I tried BPX GetSystemDirectory and before long I find some interesting code to trace.
:00403CD0 PUSH 02
:00403CD2 CALL [KERNEL32!GlobalAlloc]
:00403CD8 MOV ESI,EAX <-- Hmm, interesting.
:00403CDA PUSH ESI <-- What is this?!.
:00403CDB CALL [KERNEL32!GlobalLock]
:00403CE1 MOV EBX,EAX
:00403CE3 LEA ECX,[ESP+18]
At this stage I dumped the ESI register to the data window 'd esi' and look what I see, a file "swhois2.INI". Next I searched for this file in the program folder (mine is C:\PROGRAM FILES\SWHOIS2), hmm, it is not there. Now I resort to Windows File Search 'swhois.*' and look out, it is kept in the Windows folder C:\WINDOWS. I open the file and view the last line.
[Licence] Name=Evaluation Version Code=
So what should I do with these two silent lines?, although they are blank their 'Silent is Golden', they have something to tell me. The point is, what are they going to tell me?. I fire up the program again, fill the name and code and exit. Now I view the swhois2.INI file, at the last line I see that the temporary name and code are stored there like so:
[Licence] Name=BogusName <-- The name I entered just before. Code=123456789abcd <-- the code I entered just before.
So I fire up SoftICE, and this time I break during the launch.
:bc * <-- Clear all breakpoints in SoftICE.
:bpx GetPrivateProfileStringA <-- the most common call to read/write from/to a *.ini
file or a file of similar format.
'A' is for 32-bit win apps.
Back to Windows and lets fire the program again:
:00409622 MOV EBX,[KERNEL32!GetPrivateProfileStringA] <-- see EBX.
:00409628 PUSH 00422380 <-- "swhois2.ini".
:0040962D PUSH 28
:0040962F PUSH 0042DE60
:00409634 PUSH 00422C94
:00409639 PUSH 00422800
:0040963E PUSH 00422884
:00409643 MOV [004275E0],EAX
:00409648 CALL EBX
:0040964A PUSH 00422380 <-- Break here.
:(F12) <-- Return to caller.
:s cs:0 l ffffffff 'Licence' <-- Search for the word "Licence".
Pattern found at 00422670.
:d 422670 <-- Here is the word "Licence".
:bpm cs:422670 R <-- R = Read, W = Write address at CS:00422670.
<-- Break when program reads this address.
:bd 0 <-- Disable the first break point (GetPrivateProfileStringA).
F5 to continue running the program.
SoftICE now breaks when the SWhoIs program is reading this address (CS:00422670).
:(F12) <-- Press it nine times.
:0040B969 MOV ESI,[KERNEL32!GetPrivateProfileStringA] <-- See ESI.
:0040B96F PUSH EDI
:0040B970 PUSH 00422380
:0040B975 PUSH 28
:0040B977 PUSH 00427540
:0040B97C PUSH 00426A88
:0040B981 PUSH 004226EC
:0040B986 PUSH 00422670
:0040B98B MOV DWORD PTR [ESP+28],00000000
:0040B993 MOV DWORD PTR [ESP+2C],00000000
:0040B99B CALL ESI <-- Another get from the file swhois2.ini.
:0040B99D PUSH 00422380 <-- 'swhois2.ini'.
:0040B9A2 PUSH 28
:0040B9A4 PUSH 0042DDA0
:0040B9A9 PUSH 00426A88
:0040B9AE PUSH 00422668
:0040B9B3 PUSH 00422670
:0040B9B8 CALL ESI <-- Read again.
:0040B9BA MOV AL,[00427540] <-- This is the Name entered.
:0040B9BF TEST AL,AL
:0040B9C1 JZ 0040BD3D <-- Empty? Yes = bad.
This time the program is reading the "Licence" word inside the body of swhois2.ini. Let's trace it. Firstly we compare the bytes of the Name with "Evaluation Version".
:0040BA06 MOV ESI,00422E0C <-- "Evaluation Version". :0040BA0B MOV EAX,00427540 <-- Name entered. :0040BA10 MOV DL,[EAX] :0040BA12 MOV BL,[ESI] :0040BA14 MOV CL,DL :0040BA16 CMP DL,BL :0040BA18 JNZ 0040BA38 <-- Not equal, OK, proceed!. :0040BA56 REPNZ SCASB <-- Find the string length of Name. :0040BA58 NOT ECX :0040BA5A DEC ECX <-- Save in ECX register. :0040BA5B TEST ECX,ECX :0040BA5D MOV [ESP+18],ECX :0040BA61 JLE 0040BA84 <-- Name was 0 in length, bad jump. :0040BA63 FLD REAL8 PTR [ESP+10] :0040BA67 XOR EDX,EDX :0040BA69 MOV DL,[EAX+00427540] <-- Get the first byte of Name. :0040BA6F INC EAX <-- Prepare the next get. :0040BA70 MOV [ESP+10],EDX <-- Store in [ESP+10]. :0040BA74 CMP EAX,ECX <-- Name done? :0040BA76 FILD DWORD PTR [ESP+10] <-- Save it in ST(0) 32bit. :0040BA7A FCOS <-- COS (cos 00h = 01h). :0040BA7C FADDP ST(1),ST <-- Then add it with ST(0) and pop to ST(1). :0040BA7E JL 0040BA67 <-- Do until end of Name.
My, there is still a long way to go. The strings are multiplied, cos, sin, etc... what complicated things to do, lets cut it I'm getting a headache :).
:0040BC72 TEST EAX,EAX <-- Hmm, very interesting. :0040BC74 JNZ 0040BCCE <-- EAX=1, Yes. "Invalid Registration!". :0040BC76 LEA ECX,[ESP+50] <-- Look carefully!. :bpx cs:40BCCE <-- Break Point for address CS:408CCE which displays "Invalid Registration". :0040BCCE PUSH 10 <-- break here!. :0040BCD0 PUSH 00422090 Now dump pointer [ESP+50] : :d esp+50 <-- Eureka! the real code!. Name : Friendship for Everyone Code : 9351218f3714a7a54629
Now write down the name and the code, goto the Register tab, type in the details and exit the program. Its no more evaluation version, Registered!.
You can easily use the steps above to generate a key based on your name, just dump esp+50, so, there is no need for a keygen is there?, it can be made into a self key generating program.
1. Open with Notepad swhois2.ini, and write down these:
[Licence]
Name=Your Name <-- The name you want.
Code=1234567890abcdef <-- Any code.
2. Fire up SoftICE:
- BPX GetPrivateProfileStringA
3. Run SmartWhoIs
4. After SoftICE pops, set another breakpoint:
:s cs:0 l ffffffff 'Licence' <-- Search for the word 'Licence'.
It is stored at CS:00422670.
Breakpoint there.
:bpm cs:422670 R
:(F12) <-- Press 9 times.
:bpx cs:40BCCE <-- Set the last breakpoint on address CS:408CCE.
5. After the break on address CS:408CCE, dump esp+50.
:d esp+50 <-- You see the code!.
OK thats it, it is time for me to say goodbye for now and I'll see you in the next cracking tutorial.
PS: Many thanks to +ORC and this wonderful website.
Miscellaneous
Papers Return to Main Index