BiW Reversing : The challenge is yours

EXE Protector v2.01a


Tutorials | Level: newbie

Bypassing EXE Protector v2.01a.
The program is supposed to protect the exe file with a password.

I was looking in the other forum and I saw someone asking about this protection:
they were asking about EXEProtector v1.37a.
I did a search on the net for it, but I came up with this one.
So let's get started:
I put my crackme <int21h.exe> in this protection.
Target:
http://www.reversing.be/binaries/articles/20050304003358606.rar
Let's run the program before we do anything.
We run it and find that it has the window title <Password Check>; in the window there is a box labelled <Enter the password :>, and it has a <Cancel> and an <OK> button.
Let's run this through w32dsm89 and look at some strings.
When I look at the strings I see these two that catch my interest:
“You have not supplied a password” and “You have supplied a wrong password”
Let’s take a look at the code:
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
:00403A9A E869D9FFFF Call 00401408
:00403A9F 85C0 test eax, eax
:00403AA1 0F85AF000000 jne 00403B56
:00403AA7 B904000280 mov ecx, 80020004
:00403AAC 894D98 mov dword ptr [ebp-68], ecx
:00403AAF 6A0A push 0000000A
:00403AB1 58 pop eax
:00403AB2 894590 mov dword ptr [ebp-70], eax
:00403AB5 894DA8 mov dword ptr [ebp-58], ecx
:00403AB8 8945A0 mov dword ptr [ebp-60], eax

* Possible StringData Ref from Code Obj ->"PPassword"
|
:00403ABB C78578FFFFFFD0224000 mov dword ptr [ebp+FFFFFF78], 004022D0
:00403AC5 89B570FFFFFF mov dword ptr [ebp+FFFFFF70], esi
:00403ACB 8D9570FFFFFF lea edx, dword ptr [ebp+FFFFFF70]
:00403AD1 8D4DB0 lea ecx, dword ptr [ebp-50]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00403AD4 E83FD8FFFF Call 00401318

* Possible StringData Ref from Code Obj ->"YYou have not supplied a password."
|
:00403AD9 C7458888224000 mov [ebp-78], 00402288
:00403AE0 897580 mov dword ptr [ebp-80], esi
:00403AE3 8D5580 lea edx, dword ptr [ebp-80]
:00403AE6 8D4DC0 lea ecx, dword ptr [ebp-40]

This is the nag you get if you do not enter anything for the password.
The one I am really interested in is this one:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B7F(C)
|
:00403C0A B904000280 mov ecx, 80020004
:00403C0F 894D98 mov dword ptr [ebp-68], ecx
:00403C12 6A0A push 0000000A
:00403C14 58 pop eax
:00403C15 894590 mov dword ptr [ebp-70], eax
:00403C18 894DA8 mov dword ptr [ebp-58], ecx
:00403C1B 8945A0 mov dword ptr [ebp-60], eax

* Possible StringData Ref from Code Obj ->"PPassword"
|
:00403C1E C78578FFFFFFD0224000 mov dword ptr [ebp+FFFFFF78], 004022D0
:00403C28 89B570FFFFFF mov dword ptr [ebp+FFFFFF70], esi
:00403C2E 8D9570FFFFFF lea edx, dword ptr [ebp+FFFFFF70]
:00403C34 8D4DB0 lea ecx, dword ptr [ebp-50]

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00403C37 E8DCD6FFFF Call 00401318

* Possible StringData Ref from Code Obj ->"YYou have supplied a worng password."
|
:00403C3C C74588E8224000 mov [ebp-78], 004022E8
:00403C43 897580 mov dword ptr [ebp-80], esi
:00403C46 8D5580 lea edx, dword ptr [ebp-80]
:00403C49 8D4DC0 lea ecx, dword ptr [ebp-40]

This is the nag you get when you enter a wrong password.
So let's see where it comes from.
I see this a little way up in the code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403B7F(C)

Let’s go check that out…

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00403B78 E88BD8FFFF Call 00401408
:00403B7D 85C0 test eax, eax
:00403B7F 0F8585000000 jne 00403C0A
:00403B85 390568534000 cmp dword ptr [00405368], eax
:00403B8B 750F jne 00403B9C
:00403B8D 6868534000 push 00405368
:00403B92 681C224000 push 0040221C

Well, now I think we can start Olly up and set a breakpoint on:
:00403B78 E88BD8FFFF Call 00401408

This call is the string compare of the VB6 runtime (MSVBVM60.__vbaStrCmp), so you can expect one string to be compared to another one.
Open up int21h.exe in Olly and set a breakpoint at address 00403B78.
Run the program <F9>. When the message box comes up asking for the password, enter this: 12345678, then hit the <OK> button.
Olly breaks and we see this in the stack window:
0012F404 0014C954 UNICODE "int21h"
0012F408 0014C6D4 UNICODE "12345678"
I would guess that the password would be <int21h>.
Anyway, hit <F8> to step over the call.
You should now be here:
:00403B7D 85C0 test eax, eax
Right click the register EAX and then select <Zero>.
Keep hitting <F8> till you are here:
:00403BFE E821D7FFFF Call 00401324
Now hit <F7>
Hit <F7> again.
You should now be here:
6AAA7C33 > 55 PUSH EBP
Now hit <F8> till you reach this:
6AAA7D64 FF15 0C119D6A CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; kernel32.CreateProcessW
I wonder what the stack looks like. Take a look:
0012F374 00000000 |ModuleFileName = NULL
0012F378 0014CC14 |CommandLine = "C:\target\z__70043.exe"
0012F37C 00000000 |pProcessSecurity = NULL
0012F380 00000000 |pThreadSecurity = NULL
0012F384 00000000 |InheritHandles = FALSE
0012F388 00000000 |CreationFlags = 0
0012F38C 00000000 |pEnvironment = NULL
0012F390 00000000 |CurrentDir = NULL
0012F394 0012F3A8 |pStartupInfo = 0012F3A8
0012F398 0012F3EC pProcessInfo = 0012F3EC

I do not remember that file being in my folder.
Go to the folder where you put this target <int21h.exe>. You should see a hidden file; for me it is z__70043.exe.
And yes, that is the file. Now you can work on it as you would like.
What is interesting to note is that if you run the program and you enter an invalid password, it will erase the hidden file.
Have fun,
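The weakness shown above is a design one: the real password sits in memory as a plaintext operand of __vbaStrCmp, and a single test eax, eax decides, so zeroing EAX (or reading the stack) defeats it, and the original program is written to disk unprotected. The following added illustration (mine, not EXE Protector's code) contrasts that check with one where the password only derives a key and the payload is encrypted and MAC'd, so there is no stored password to read and forcing the comparison result yields no usable payload; the HMAC-counter keystream and the payload bytes are constructed for the demo.

```python
"""Plaintext-compare protection vs. key-derived payload protection (illustration)."""
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN, TAG_LEN = 16, 32


def weak_check(entered: str, stored: str) -> bool:
    # Mirrors the protector's design: the correct password is an operand of the
    # compare, so a debugger can read it or flip the result (the EAX trick above).
    return entered == stored


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream. Demo only: production code
    # should use a vetted AEAD (e.g. AES-GCM) from a real crypto library.
    blocks = (hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    # Slow KDF; returns (encryption key, MAC key). Nothing here equals the password.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 64)
    return master[:32], master[32:]


def protect(payload: bytes, password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive(password, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, len(payload))))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + tag + ct


def unprotect(blob: bytes, password: str) -> Optional[bytes]:
    salt, tag, ct = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + TAG_LEN], blob[SALT_LEN + TAG_LEN:]
    enc_key, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: no plaintext to drop or launch
    # Even if an attacker forces the branch above, a wrong enc_key yields garbage here.
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


if __name__ == "__main__":
    blob = protect(b"MZ\x90\x00 constructed payload", "int21h")
    print(unprotect(blob, "12345678"), unprotect(blob, "int21h"))
```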
int21h
 Copyright © 2020 BiW Reversing