Exe Guarder

[haggar]

Here is one very funny protector:

Exe Guarder is program for protecting executable files with password. The idea of this kind of programs is to protect file from unauthorized persons like your kids, colleges on work and even skilled crackers. Protected exe is usually encrypted with some strong crypto algorithm which uses your password for encryption. In that case it is impossible to decrypt original file without correct password. Only possible way is to try to catch some weakness in algorithm and try to make some brute force approach to generate password. That is very hard job and only very skilled reversers can do it.

But our Exe Guarder, although it claims to "...protect your exe-file with high strength encryption.", actually doesn't encrypt anything! It just adds piece of code that asks password and if pass is correct, it will execute exe. Neither one byte of main exe is encrypted what you can see if you open file with Olly and take a look at code section:

00401000 . 6A 00 PUSH 0 ; /pModule = NULL
00401002 . E8 7D040000 CALL <JMP.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 . A3 E9204000 MOV DWORD PTR DS:[4020E9],EAX
0040100C . C705 F9204000 >MOV DWORD PTR DS:[4020F9],0
00401016 . 6A 00 PUSH 0 ; /hTemplateFile = NULL
00401018 . 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040101D . 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040101F . 6A 00 PUSH 0 ; |pSecurity = NULL
00401021 . 6A 03 PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023 . 68 000000C0 PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401028 . 68 D7204000 PUSH CRACKME3.004020D7 ; |FileName = "CRACKME3.KEY"
0040102D . E8 76040000 CALL <JMP.&KERNEL32.CreateFileA> ; \CreateFileA
00401032 . 83F8 FF CMP EAX,-1
00401035 . 75 0C JNZ SHORT CRACKME3.00401043
00401037 > 68 0E214000 PUSH CRACKME3.0040210E ; ASCII "CrackMe v3.0 "
0040103C . E8 B4020000 CALL CRACKME3.004012F5
00401041 . EB 6B JMP SHORT CRACKME3.004010AE
00401043 > A3 F5204000 MOV DWORD PTR DS:[4020F5],EAX

So basically, unwrapping Exe Guarder is just like cracking beginners crackme! We just need to find where OEP is and set that information in PE header!



Let's see that on one example. I protected "CRACKME 3.EXE" with some password. I just load it in Olly and placed bp on GetDlgItemTextA. I start exe, dialog box is showed and asks for pass. Just clicked OK without entering nothing, returned from user32.dll to main exe:

00407C2A FF53 68 CALL DWORD PTR DS:[EBX+68] ; USER32.GetDlgItemTextA
00407C2D 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14] <----------------------- I'm here!!!
00407C30 50 PUSH EAX
00407C31 FF53 1C CALL DWORD PTR DS:[EBX+1C] ; kernel32.lstrlenA
00407C34 50 PUSH EAX
00407C35 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00407C38 50 PUSH EAX
00407C39 E8 20010000 CALL CRACKME3.00407D5E <---------------------- Password checking algorithm!
00407C3E 3B83 D2030000 CMP EAX,DWORD PTR DS:[EBX+3D2] <-------------- Checking hashes!
00407C44 75 07 JNZ SHORT CRACKME3.00407C4D <----------------- Bad boy jump!
00407C46 C683 1E040000 01 MOV BYTE PTR DS:[EBX+41E],1
00407C4D 80BB 1E040000 01 CMP BYTE PTR DS:[EBX+41E],1
00407C54 74 09 JE SHORT CRACKME3.00407C5F <------------------ Good boy jump!
00407C56 83BB 53040000 01 CMP DWORD PTR DS:[EBX+453],1
00407C5D 75 12 JNZ SHORT CRACKME3.00407C71

On above snippet everything is clear. First jump must not be executed but second one must be. NOP-ing first one and JMP-ing second one will solve problem. Now we just need to find where is OEP jump and that is easy:

00407A51 -FFE0 JMP EAX ; CRACKME3.00401000

And that's it! I just opened file with LordPE and change OEP to 1000. There is no need for dumping or import repairing.


Finally, what to say about this protection? Disaster!

[TDC]

very funny how commercial software makers claim things

[BoR0]

You don't need to change the second jump. It already is unconditional one.

[BoR0]

The most lousy-coded software. The main application is lousy coded as well.

First, search in memory "Sorry, your registration code is wrong".

Set a memory breakpoint on access. Olly breaks when we hit the button "Verify", but the checking is already done, so we need to trace-back.

You do that yourself, I will give you the address I got from tracing back.

The algo for registration checkup is the call at 00405F56. Enter that call, you will see 2 strings. The first string works for *ANY* mail, and is limited to 20 days. The second string is not limited, and it works for *ANY* mail too.

I won't post the strings in here due to illegal content.

After we post any of the string in the editbox, it says "Successfully registered". Just re-start the application and - tada.

You think I had fun while reversing this one? hehe

[haggar]

Yeah, I cracked it but in different approach, more lame one.

I was suprised to see that password is such easy to bypass but then I was even more shocked when I sow that original file wasn't even encrypted at all.

[Falcon1]

Indeed very lame protection to make money of...

In my opinion haggar should be awarded a 'Universal Unapcker's Certificate'!

lol keep up the good work!!!

[haggar]

Thanks, but I'm not forst that spoted that app. I posted same topic on ARTEAM forum and then I sow that gabri3l already posted same thing. Also there is couple unpackers for this.