BiW Reversing
Exe Guarder

 
www.reversing.be Forum Index -> Unpacking

haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Sat Dec 24, 2005 9:33 pm    Post subject: Exe Guarder

Here is one very funny protector:

Exe Guarder is a program for protecting executable files with a password. The idea of this kind of program is to protect a file from unauthorized persons like your kids, colleagues at work and even skilled crackers. A protected exe is usually encrypted with some strong crypto algorithm which uses your password for encryption. In that case it is impossible to decrypt the original file without the correct password. The only possible way is to try to catch some weakness in the algorithm and try some brute force approach to generate the password. That is a very hard job and only very skilled reversers can do it.

But our Exe Guarder, although it claims to "...protect your exe-file with high strength encryption.", actually doesn't encrypt anything! It just adds a piece of code that asks for a password and, if the pass is correct, executes the exe. Not one byte of the main exe is encrypted, which you can see if you open the file with Olly and take a look at the code section:

00401000 . 6A 00 PUSH 0 ; /pModule = NULL
00401002 . E8 7D040000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 . A3 E9204000 MOV DWORD PTR DS:[4020E9],EAX
0040100C . C705 F9204000 >MOV DWORD PTR DS:[4020F9],0
00401016 . 6A 00 PUSH 0 ; /hTemplateFile = NULL
00401018 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040101D . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040101F . 6A 00 PUSH 0 ; |pSecurity = NULL
00401021 . 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401028 . 68 D7204000 PUSH CRACKME3.004020D7 ; |FileName = "CRACKME3.KEY"
0040102D . E8 76040000 CALL <JMP.&KERNEL32.CreateFileA> ; \CreateFileA
00401032 . 83F8 FF CMP EAX,-1
00401035 . 75 0C JNZ SHORT CRACKME3.00401043
00401037 > 68 0E214000 PUSH CRACKME3.0040210E ; ASCII "CrackMe v3.0 "
0040103C . E8 B4020000 CALL CRACKME3.004012F5
00401041 . EB 6B JMP SHORT CRACKME3.004010AE
00401043 > A3 F5204000 MOV DWORD PTR DS:[4020F5],EAX

So basically, unwrapping Exe Guarder is just like cracking a beginners' crackme! We just need to find where the OEP is and set that information in the PE header!



Let's see that on an example. I protected "CRACKME 3.EXE" with some password. I just loaded it in Olly and placed a bp on GetDlgItemTextA. I started the exe, the dialog box was shown and asked for a pass. I just clicked OK without entering anything and returned from user32.dll to the main exe:

00407C2A FF53 68 CALL DWORD PTR DS:[EBX+68] ; USER32.GetDlgItemTextA
00407C2D 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] <----------------------- I'm here!!!
00407C30 50 PUSH EAX
00407C31 FF53 1C CALL DWORD PTR DS:[EBX+1C] ; kernel32.lstrlenA
00407C34 50 PUSH EAX
00407C35 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407C38 50 PUSH EAX
00407C39 E8 20010000 CALL CRACKME3.00407D5E <---------------------- Password checking algorithm!
00407C3E 3B83 D2030000 CMP EAX,DWORD PTR DS:[EBX+3D2] <-------------- Checking hashes!
00407C44 75 07 JNZ SHORT CRACKME3.00407C4D <----------------- Bad boy jump!
00407C46 C683 1E040000 01 MOV BYTE PTR DS:[EBX+41E],1
00407C4D 80BB 1E040000 01 CMP BYTE PTR DS:[EBX+41E],1
00407C54 74 09 JE SHORT CRACKME3.00407C5F <------------------ Good boy jump!
00407C56 83BB 53040000 01 CMP DWORD PTR DS:[EBX+453],1
00407C5D 75 12 JNZ SHORT CRACKME3.00407C71

In the above snippet everything is clear. The first jump must not be executed but the second one must be. NOP-ing the first one and JMP-ing the second one will solve the problem. Now we just need to find where the OEP jump is, and that is easy:

00407A51 -FFE0 JMP EAX ; CRACKME3.00401000

And that's it! I just opened the file with LordPE and changed the OEP to 1000. There is no need for dumping or import repairing.


Finally, what to say about this protection? Disaster!
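The two manual steps from the post (NOP the "bad boy" JNZ at 00407C44, then set the OEP to 1000 in LordPE) as a script. This is an added example, not code from haggar's post and not part of Exe Guarder; it works on a constructed minimal PE32 image built inside the block. The only values taken from the thread are the OEP 00401000, the JNZ 75 07 at 00407C44 and the JMP EAX at 00407A51; the stub entry point 004072CB is assumed from BoR0's remark later in the thread that the jump sits at ModuleEntryPoint+0x786, and the section layout is invented.

```python
"""Patch a protected PE the way the post does by hand: NOP the bad-boy
JNZ and point AddressOfEntryPoint back at the original OEP.
Added example; the image it runs on is constructed below."""
import struct

DOS_MAGIC = 0x5A4D      # "MZ"
PE_MAGIC = 0x00004550   # "PE\0\0"
NOP = 0x90


def nt_headers(data):
    """File offset of IMAGE_NT_HEADERS, after checking both signatures."""
    if struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != PE_MAGIC:
        raise ValueError("missing PE signature")
    return e_lfanew


def optional_header(data):
    return nt_headers(data) + 24      # 4-byte signature + 20-byte file header


def image_base(data):
    return struct.unpack_from("<I", data, optional_header(data) + 28)[0]


def entry_point_rva(data):
    return struct.unpack_from("<I", data, optional_header(data) + 16)[0]


def section_table(data):
    """Yield (name, virtual_address, virtual_size, raw_ptr, raw_size)."""
    nt = nt_headers(data)
    n_sections = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    first = nt + 24 + opt_size
    for i in range(n_sections):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, va, vsize, rptr, rsize


def va_to_offset(data, va):
    """Translate an OllyDbg virtual address into a file offset."""
    rva = va - image_base(data)
    for _, sec_va, vsize, rptr, rsize in section_table(data):
        if sec_va <= rva < sec_va + max(vsize, rsize):
            return rptr + (rva - sec_va)
    raise ValueError("VA 0x%08X is not backed by any section" % va)


def unwrap(data, oep_va, jnz_va, jnz_len=2):
    """Copy of the file with the JNZ NOPed and the OEP written into
    AddressOfEntryPoint (what LordPE does when you change the EP)."""
    out = bytearray(data)
    off = va_to_offset(out, jnz_va)
    out[off:off + jnz_len] = bytes([NOP]) * jnz_len
    struct.pack_into("<I", out, optional_header(out) + 16, oep_va - image_base(out))
    return bytes(out)


def build_sample():
    """Constructed PE32: one .text section mapped at 0x401000. Only the
    bytes the post talks about are filled in; everything else is zero.
    Stub entry 0x4072CB is an assumption (0x407A51 - 0x786)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, DOS_MAGIC)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x72CB)                     # AddressOfEntryPoint -> stub
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                     # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                      # FileAlignment
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x7000, 0x1000, 0x7000, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(0x200, b"\0")
    text = bytearray(0x7000)
    text[0x0000:0x0002] = b"\x6A\x00"     # 00401000  PUSH 0        (the OEP)
    text[0x6C44:0x6C46] = b"\x75\x07"     # 00407C44  JNZ SHORT     (bad boy)
    text[0x6A51:0x6A53] = b"\xFF\xE0"     # 00407A51  JMP EAX       (stub -> OEP)
    return bytes(hdr + text)


if __name__ == "__main__":
    img = build_sample()
    fixed = unwrap(img, 0x401000, 0x407C44)
    print("entry point: 0x%X -> 0x%X" % (entry_point_rva(img), entry_point_rva(fixed)))
```

va_to_offset subtracts ImageBase before walking the section table, so the addresses can be pasted straight from Olly. The `max(vsize, rsize)` range check covers the usual case where VirtualSize is smaller than the file-aligned raw size. Because only the header field and two bytes change, the file length and all other sections are untouched, which is why no dump or import fix is needed.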
TDC
Regular
Joined: 02 Jul 2005
Posts: 202

Posted: Mon Dec 26, 2005 12:17 pm

Very funny how commercial software makers claim things.
_________________
:: BugHunter ::
RE page: http://reversemasters.nl/
BoR0
Regular
Joined: 28 Feb 2005
Posts: 105
Location: Europe

Posted: Mon Dec 26, 2005 2:00 pm

You don't need to change the second jump. It is already an unconditional one.

Code:
MOV BYTE PTR DS:[EBX+41E],1
CMP BYTE PTR DS:[EBX+41E],1
JE SHORT CRACKME3.00407C5F


Jump at ModuleEntryPoint+0x786

Ahh.. I can't believe what people make money off.
BoR0
Regular
Joined: 28 Feb 2005
Posts: 105
Location: Europe

Posted: Mon Dec 26, 2005 2:24 pm

The most lousily coded software. The main application is lousily coded as well.

First, search in memory "Sorry, your registration code is wrong".

Set a memory breakpoint on access. Olly breaks when we hit the "Verify" button, but the checking is already done, so we need to trace back.

You do that yourself; I will give you the address I got from tracing back.

The algo for the registration check is the call at 00405F56. Enter that call and you will see 2 strings. The first string works for *ANY* mail and is limited to 20 days. The second string is not limited, and it works for *ANY* mail too.

I won't post the strings here due to illegal content.

After we paste either of the strings in the editbox, it says "Successfully registered". Just restart the application and - tada.

You think I had fun while reversing this one? hehe
haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Mon Dec 26, 2005 2:39 pm

Yeah, I cracked it but with a different, more lame approach.

I was surprised to see that the password is so easy to bypass, but then I was even more shocked when I saw that the original file wasn't even encrypted at all.
Falcon1
Frequent poster
Joined: 17 Mar 2005
Posts: 88
Location: Hellas

Posted: Mon Dec 26, 2005 6:02 pm

Indeed a very lame protection to make money off...

In my opinion haggar should be awarded a 'Universal Unpacker's Certificate'!

lol keep up the good work!!!

_________________
PLAY WITH THE BEST, LOSE LIKE THE REST
(I did...)
haggar
Regular
Joined: 19 Mar 2005
Posts: 246

Posted: Mon Dec 26, 2005 6:56 pm

Thanks, but I'm not the first that spotted that app. I posted the same topic on the ARTEAM forum and then I saw that gabri3l had already posted the same thing. Also there are a couple of unpackers for this.

All times are GMT + 1 Hour

Powered by phpBB © 2001, 2005 phpBB Group
Copyright © 2023 BiW Reversing