
Web : http://mxb.cjb.net
Contact Me : [email protected] or [email protected]
Macromedia Full Suite 2000
Type : Full Suite
  Protection : RSAgent
  Tech : Patching & Redirection of CRC check
  
| Authorware 5.0 | Director 8.0 | Freehand 9.0 |
Click here to learn about Flash 5.0 unpacker ...
  Secret Behind Unpacker : The funniest part of RSAgent is that the
  unpacker is supplied with the demo program itself :)

  So by just setting one flag we can unpack the demo.
  Take Dreamweaver as the example: its unpacker is "DREAMPOP.TTY".
  If we rename the file
  DREAMPOP.TTY ==>> DREAMPOP.EXE
  and then run it ....
  
  First we see a window with an animation saying something like
  "PLEASE WAIT WHILE YOUR SOFTWARE IS BEING PREPARED"

  After this we get a warning message box like ..
  "YOU CAN'T RUN THIS APPLICATION AT THIS TIME......"
  
  What is the secret behind this DREAMPOP.EXE ??? :)
  
  DREAMPOP.EXE actually looks for a file named "LICENSE.xxxxxx". If that
  file is not found it warns us; if it is found, DREAMPOP.EXE checks its
  virginity to make sure it is real, then unpacks the original file and we
  get the full version of the desired program :)
  
  So let us see where the flag is set :
  
  In SICE: BPX SLEEPEX
  [The animation that is shown sleeps for a few seconds, so SleepEx is a handy break]

  After we pop twice into SICE we can see ...

  0x40193E CALL [SLEEPEX]
  0x401944 CALL 0x4017A0
  0x401949 CALL 0x401100
  0x40194E MOV ESI,EAX       >> IF WE MAKE EAX = 1 HERE THE PROGRAM
  0x401950 CMP ESI,-01          UNPACKS ITSELF :)
  0x401953 JNZ 0x40196B      >> GOOD BOY [MUST JUMP]
  
  So why don't we patch DREAMPOP.EXE and make our work easy :) OK ...

  Patch :

  0x40194E MOV EAX,00000001    | B8 01 00 00 00    OFFSET = 0x194E
  0x401953 MOV ESI,EAX         | 8B F0
  0x401955 JMP 40196B          | EB 14

  (The replacement is 9 bytes long; the MOV/CMP/JNZ it replaces total 7 bytes
  if the JNZ is the 2-byte short form, so confirm in the disassembler that the
  two bytes at 0x401955 are free to clobber before writing.)
  
  Now run this file ... we get a page fault or a divide error ..
  Oops, DREAMPOP.EXE is CRC checking itself :(
  
  How to defeat the CRC check :

  The program opens its own file from disk and runs the CRC check over it.
  If we redirect that check to an original, virgin copy of the file, i.e.
  DREAMPOP.TTY, we pass it: the program checks DREAMPOP.TTY instead of our
  patched DREAMPOP.EXE.
  
  So the attack point is the place where the program gets its own file name,
  DREAMPOP.EXE, in order to open it.
  To make our work easy, use this naming :

  Our patched file : DREAMPO1.EXE
  Virgin copy file : DREAMPOP.EXE
  
  So in SICE: BPX GETMODULEFILENAMEA

  There are three places where, if we change the file name, i.e.
  DREAMPO1.EXE ==> DREAMPOP.EXE | 'P' = 0x50
  our program runs without divide error or page fault :)
  
  (1)
  
  0x401095 CALL [GETMODULEFILENAMEA]
  0x40109B LEA ECX,[ESP+00]    >> POINTS TO THE FULL FILE PATH,
  .........................       ALL IN CAPITAL LETTERS
  .........................
  0x4010A2 CALL 0x419A00       >> AFTER THIS CALL EAX POINTS
  0x4010A7 ADD ESP,08             TO '\DREAMPO1.EXE'
  0x4010AA TEST EAX,EAX        >> THIS PLACE CAN BE USED TO
  0x4010AC JZ 0x4010DA            APPLY THE PATCH
  
  Patch :
  
  0x4010AA MOV BYTE PTR [EAX+08],50 | C6 40 08 50 OFFSET = 0x10AA
  
  (2)
  
  0x40120E CALL 0x419A00
  0x401213 ADD ESP,08
  0x401216 TEST EAX,EAX
  0x401218 JNZ 0x401226        >> TAKEN BY DEFAULT

  Patch :

  0x401216 MOV BYTE PTR [EAX+08],50    | C6 40 08 50    OFFSET = 0x1216
  0x40121A JMP 0x401226                | EB 0A

  (This replacement is 6 bytes against the 4 of the TEST/JNZ pair, so the new
  JMP lands on the two bytes at 0x40121A; make sure nothing else jumps there.)
  
  (3)
  
  0x403E77 CALL 0x419A00
  0x403E7C ADD ESP,08
  0x403E7F TEST EAX,EAX
  0x403E81 JZ 0x403EA5         >> NOT TAKEN BY DEFAULT, SO THIS TEST/JZ CAN
                                  BE DROPPED :) AND ITS BYTES USED FOR OUR WORK
  Patch :
  
  0x403E7F MOV BYTE PTR [EAX+08],50 | C6 40 08 50 OFFSET = 0x3E7F
  
  Now run DREAMPO1.EXE. It runs and unpacks the demo version.
  And our sucker CRC checks DREAMPOP.EXE and thinks its
  virginity is not lost :)
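  The whole procedure above, as an added example (not code from the tutorial):
  a small Python patcher that applies the four patches at the file offsets
  listed, with the rel8 jump displacements and the C6 40 08 50 encoding derived
  rather than typed in, plus a simulation of why the CRC redirect works. The
  image it patches is a constructed stand-in (zero-filled, with the instructions
  the listing shows planted at their addresses, assuming the short jump forms),
  not the real DREAMPOP.TTY, and the VA-to-offset mapping is inferred from the
  VA/offset pairs in the tutorial.

```python
"""Added example: byte-patcher for the DREAMPOP.TTY -> DREAMPO1.EXE walkthrough.

Not code from the tutorial. The image is a constructed stand-in, not the real
DREAMPOP.TTY, so everything here runs offline.
"""
import zlib

# Mapping inferred from the tutorial's pairs (0x40194E -> 0x194E, 0x4010AA -> 0x10AA):
# file offset == VA - 0x400000 for the .text region it patches.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x5000  # constructed; big enough to hold every patched address


def va_to_file_offset(va):
    """Translate a virtual address from the listing to a raw file offset."""
    return va - IMAGE_BASE


def jmp_short(at, target):
    """Encode `JMP rel8` placed at `at` landing on `target` (EB xx).

    rel8 counts from the end of the 2-byte instruction, which is why the JMP at
    0x401955 to 0x40196B is EB 14 and not EB 16.
    """
    disp = target - (at + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"target {target:#x} out of rel8 range from {at:#x}")
    return bytes([0xEB, disp & 0xFF])


def mov_byte_ptr_eax_disp8(disp, value):
    """Encode `MOV BYTE PTR [EAX+disp8], imm8`: C6 /0, modrm 0x40 = [EAX+disp8]."""
    return bytes([0xC6, 0x40, disp & 0xFF, value & 0xFF])


def redirect_path(full_path, disp, new_byte):
    """Simulate the patch's effect: EAX points at the last '\\' of the module
    path (what CALL 0x419A00 leaves per the listing); overwrite [EAX+disp]."""
    buf = bytearray(full_path)
    eax = buf.rfind(b"\\")
    if eax < 0:
        raise ValueError("no backslash in path")
    buf[eax + disp] = new_byte
    return bytes(buf)


# Original instructions from the listing (short jump forms assumed), planted so
# the stand-in shows a real before/after.
ORIGINAL = [
    (0x40194E, b"\x8B\xF0\x83\xFE\xFF\x75\x16"),  # MOV ESI,EAX / CMP ESI,-1 / JNZ 0x40196B
    (0x4010AA, b"\x85\xC0\x74\x2C"),              # TEST EAX,EAX / JZ 0x4010DA
    (0x401216, b"\x85\xC0\x75\x0C"),              # TEST EAX,EAX / JNZ 0x401226
    (0x403E7F, b"\x85\xC0\x74\x22"),              # TEST EAX,EAX / JZ 0x403EA5
]

# The tutorial's patches as (VA, bytes).
PATCHES = [
    # 1: force EAX = 1 so the flag check always takes the unpack path
    (0x40194E, b"\xB8\x01\x00\x00\x00"),            # MOV EAX,1
    (0x401953, b"\x8B\xF0"),                        # MOV ESI,EAX
    (0x401955, jmp_short(0x401955, 0x40196B)),      # JMP 0x40196B (EB 14)
    # 2-4: turn '\DREAMPO1.EXE' into '\DREAMPOP.EXE' before the CRC opens it
    (0x4010AA, mov_byte_ptr_eax_disp8(8, 0x50)),    # C6 40 08 50
    (0x401216, mov_byte_ptr_eax_disp8(8, 0x50)),
    (0x40121A, jmp_short(0x40121A, 0x401226)),      # EB 0A
    (0x403E7F, mov_byte_ptr_eax_disp8(8, 0x50)),
]


def build_virgin_image():
    img = bytearray(IMAGE_SIZE)
    for va, code in ORIGINAL:
        off = va_to_file_offset(va)
        img[off:off + len(code)] = code
    return bytes(img)


def apply_patches(image, patches):
    """Return a patched copy; refuse to write outside the image."""
    out = bytearray(image)
    for va, code in patches:
        off = va_to_file_offset(va)
        if off < 0 or off + len(code) > len(out):
            raise ValueError(f"patch at {va:#x} falls outside the image")
        out[off:off + len(code)] = code
    return bytes(out)


def self_check_passes(file_as_opened, expected_crc):
    """The integrity check as the tutorial describes it: CRC the file re-read from disk."""
    return zlib.crc32(file_as_opened) == expected_crc


def redirect_demo():
    """Check over our patched file fails; redirected to the virgin copy it passes."""
    virgin = build_virgin_image()
    patched = apply_patches(virgin, PATCHES)
    expected = zlib.crc32(virgin)  # stand-in for whatever reference the check compares against
    return {"check_own_file": self_check_passes(patched, expected),
            "check_redirected": self_check_passes(virgin, expected)}


if __name__ == "__main__":
    v, p = build_virgin_image(), apply_patches(build_virgin_image(), PATCHES)
    for va, code in PATCHES:
        off = va_to_file_offset(va)
        print(f"{va:#x} (file {off:#06x}): {v[off:off+len(code)].hex()} -> {code.hex()}")
    print(redirect_demo())
```

  Run it to see the before/after bytes at each offset; the lengths printed make
  the two oversize replacements (9 bytes at 0x40194E, 6 at 0x401216) visible
  at a glance, which is the check to do against the real file before writing.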