"Noo, Dos cracking is not dead, Dos is still VERY important for reverse engineering purposes, Windows is more "transient" than DOS, you are well advised to learn dos cracking -and tsrring- techniques, study dos and dos protections every time you get a chance to find one, fish Softice DOS lastversion 92 out of the web... etcetera."
As the name says, DOS Navigator v1.5 (available at http://www.ritlabs.com/dn/
from the authors of THE_BAT!, an e-mail program with a nice protection
that may drive some newbies crazy...) is a DOS file manager.
It can handle any kind of file manipulation, viewing,
editing, drag & drop, as well as a disk editor and even two versions
of the famous Tetris. It doesn't support Windows95 long filenames (I really
couldn't care less about that because I don't like long filenames and I'm
still using the 16-bit Winfile.exe -: ).
It's a useful tool, especially when you get stuck at the
DOS prompt because Win95 doesn't want to load...
It is shareware and has a nagscreen reminding you of that
each time you run it.
Right after installing it, here is the listing of the files in its directory:

DN.COM     1 778   <= "Launcher"
DN.OVR   762 170
DN.PRG   132 720   <= .EXE file packed with PKLITE
DN.LNG    17 952
DN.DLG    57 031
We can see that DN.COM is 1.7Kb and can only
be a "launcher" (the file is full of "jmp xxxx:xxxx"). Judging by its extension,
DN.PRG seems to be the main program. After opening it with a hex editor,
we can see it is an EXE file and that it has been packed with PKLITE.
The programmers made a small mistake here, because PKLITE
has an option to make compressed files unextractable but they didn't use
it (or maybe those naughty guys from Ritlabs don't have a registered version
of the famous PKWARE soft! -: ). Anyway, we will not unpack it, that is not
the purpose of this essay.
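As an added illustration that is not part of the original essay: the hex-editor look described above (spotting the MZ header and the PKLITE banner) can be scripted for triage. The parser below decodes the standard 28-byte MZ header, derives the header and load-module sizes, and searches the header area behind those fields for PKLITE's copyright banner, which is where PKLITE normally leaves it (an assumption about typical PKLITE output, not something verified against DN.PRG). The sample executables it checks are constructed inline, not copies of any Dos Navigator file.

```python
# Added example, not code from the original essay: triage a DOS MZ executable
# and report whether it carries the PKLITE banner that a hex-editor look reveals.
import struct

# Standard 28-byte MZ header: "MZ" signature followed by thirteen 16-bit fields.
MZ_HEADER = struct.Struct("<2sHHHHHHHHHHHHH")
FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
          "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
          "e_lfarlc", "e_ovno")
# Banner text as typically written by PKLITE into the EXE header (assumption).
PKLITE_BANNER = b"PKLITE Copyright 1990-92 PKWARE Inc. All Rights Reserved"


def parse_mz(data: bytes) -> dict:
    """Decode the MZ header and derive header/load-module sizes in bytes."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("too short to be an MZ executable")
    hdr = dict(zip(FIELDS, MZ_HEADER.unpack_from(data, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("missing MZ signature")
    hdr["header_bytes"] = hdr["e_cparhdr"] * 16
    # e_cp counts 512-byte pages; e_cblp is the byte count used in the last page (0 = full).
    last_page = hdr["e_cblp"] or 512
    hdr["image_bytes"] = (hdr["e_cp"] - 1) * 512 + last_page - hdr["header_bytes"]
    return hdr


def looks_pklite_packed(data: bytes) -> bool:
    """PKLITE leaves its copyright banner in the header area right after the
    standard fields (assumption based on typical PKLITE output), so searching
    the header rather than the whole file is enough for this quick check."""
    hdr = parse_mz(data)
    return b"PKLITE" in data[MZ_HEADER.size:hdr["header_bytes"]]


def build_sample(packed: bool) -> bytes:
    """Constructed fixture: a 96-byte MZ header plus a 5-byte 'exit to DOS' stub.
    Hand-made for this example, not a copy of DN.PRG."""
    header_paras = 6
    header = bytearray(header_paras * 16)
    banner = PKLITE_BANNER if packed else b"\0" * len(PKLITE_BANNER)
    header[28:30] = b"\x00\x01"                 # PKLITE-style version word (constructed)
    header[30:30 + len(banner)] = banner
    reloc_off = 30 + len(banner)                # empty relocation table after the banner
    code = b"\xB8\x00\x4C\xCD\x21"              # mov ax,4C00h / int 21h
    total = len(header) + len(code)
    pages, last = (total + 511) // 512, total % 512
    MZ_HEADER.pack_into(header, 0, b"MZ", last, pages, 0, header_paras,
                        0, 0xFFFF, 0, 0x100, 0, 0, 0, reloc_off, 0)
    return bytes(header) + code


if __name__ == "__main__":
    for packed in (True, False):
        sample = build_sample(packed)
        info = parse_mz(sample)
        print(f"header {info['header_bytes']} bytes, image {info['image_bytes']} bytes,"
              f" PKLITE banner: {looks_pklite_packed(sample)}")
```

Run it on a real file by replacing the constructed fixture with `open(path, "rb").read()`; a banner hit only tells you the file was packed, not whether the unextractable option was used.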
As there's a nagscreen but no registration dialog
box, I simply assume that the program is looking for a .reg or .key file.
So let's see:
Load DN.COM with SoftICE (with any version of the S-ICE Symbol
Loader for DOS - I am using DLDR.EXE v3.1 from S-ICE DOS v2.95 here) and
BPINT on Int 21h function 3Dh (open existing file, ds:dx=ASCIZ filename
- returns AX=file handle or error code):

BPINT 21 IF ah==3d do "d ds:dx"

At the 12th break you can see in the data window that
Dos Navigator is looking for DN.KEY. Of course it returns error
code #2 (file not found), as this is the registration key file and it is not
included in the shareware package.
I simply copy a file into its directory, rename it DN.KEY,
and run the program again with the same BPINT.
When the break occurs, I set a conditional BPINT on Int 21h/AH=3Fh
(read from file):

BPINT 21 IF ah==3f && bx==?? (put here the DN.KEY handle returned in EAX by the last open_existing_file)
At this point, I was about to start deciphering the registration procedure. I still had SoftICE's data window pointing to DS:DX, and about one minute later I saw the following message in that memory area:
HI, Hacker Nice To See You Here!
I was wondering whether this was some anti-cracker/debugger trick about to crash my PC. I noted the offset and decided to go ahead and verify this. So, "F12", and I landed at offset xxxx:1ADB (in DN.PRG):
1AC5  push  bp
1AC6  mov   bp,sp
1AC8  cmp   byte ptr [1E8A],00   ; Any_Cracker_Around ?
1ACD  jz    1AD1                 ; 1) Yes, send him the message
1ACF  jmp   1AF7                 ; 2) No Cracker there, go ahead
1AD1  les   di,[bp+06]
1AD4  push  es
1AD5  push  di
1AD6  call  xxxx:0020            ; "Hi Hacker..."
1ADB  les   di,[bp+06]
...
1AF7  leave
1AF8  retf  0004                 ; Back to caller
Pressing "F12" again we land here:

18A1  call  xxxx:0057            ; Any_Cracker_Around routine we come from
18A6  push  0100
18A9  push  9DD1                 ; "key"
18AC  push  00
18AE  push  00
18B0  call  xxxx:19A0            ; Check if registered
18B5  or    ax,dx                ; Is it?
18B7  jnz   18C8                 ; Good_Guy jump
...
18C3  call  xxxx:0034            ; NagScreen
18C8  mov   di,9BBA              ; Go_Ahead
Obviously, patching the JNZ at offset 18B7 gets rid of the nagscreen.
The crack is done, but what about
our "Any_Cracker_Around" routine?
The message doesn't appear on the
program's screen, only in the memory area ds:dx pointed to. It didn't
crash the program, nor did it affect it in any way.
Let's find out how Dos Navigator
checks whether we are debugging it (or whether SoftICE is loaded).
First I checked the usual DOS tricks
used to detect SoftICE (i.e. Int 2Fh/ax=1684h/bx=0202h/di=0/es=di...), then
the stupid anti-debugging tricks (Int 01h, Int 03h), but didn't find anything.
Then, as I knew that the program
used "cmp byte ptr [1E8A],00" to check whether we are debugging it, I thought
the best approach would be to write a TSR that checks [1E8A]. It would work
like this:
1) Grab an interrupt as close as possible to the "Any_Cracker_Around" routine.
2) Check the flag at [1E8A]:
   a) If "0" (cracker detected), then do nothing, restore the interrupt and go ahead (nagscreen...).
   b) If "1" (no debugging), then get rid of the NagScreen and go ahead.
3) Restore the original interrupt used by Dos Navigator.
We must grab an Int as close as
possible to the routine because, during its execution, the program jumps back
and forth between DN.COM and DN.PRG; the routine is only loaded at the last moment.
As this happens during program initialization, intercepting Int 10h
should be fine.
I found a good one:
Int 10h / AH=03h (get cursor position
and size). The routine to check is loaded right before the call to this
Int (but is located far from it).
And now, the TSR:
;***********************;
; Check_DN.asm
;
; Hooks Int 10h, checks the AntiCracker flag at [1E8A]
; and patches the JNZ at 18B7 when no debugger is detected.
;
;***********************;
code    segment
        org 100h
        assume cs:code
start:  jmp Install

int10    label dword             ; Save the old Int 10h
int10off dw 0                    ; address here.
int10seg dw 0

NewInt10 proc far                ; Our new Int 10h.
        pushf                    ; Save flags.
        cmp ax,0300h             ; Check if it is the right call
        jne Exit                 ; (AH=03h, get cursor position),
        cmp cx,0020h             ; otherwise
        jne Exit                 ; exit.
Check_Flag:
        push ax                  ; Save ax
        push bp                  ; and bp.
        mov bp,sp                ; sp => bp.
        mov ax,[bp+8]            ; Get the caller's segment in DN.PRG (return CS on the stack).
        add ax,2F0Fh             ; +2F0Fh to get the segment to check.
        push es                  ; Save es
        push di                  ; and di.
        push ax
        pop es                   ; es = segment to check.
        mov di,1E8Ah             ; Offset to check.
        cmp byte ptr es:[di],0   ; Check the AntiCracker_Flag.
        je Bad_Guy               ; If 0 (Bad_Guy), then jump...
Patch_Nag:
        sub ax,309Fh             ; -309Fh to get the segment to patch.
        push ax
        pop es                   ; es = segment to patch.
        mov di,18B7h             ; Offset to patch (the JNZ).
        mov byte ptr es:[di],74h ; JNZ -> JZ: get rid of the NagScreen.
Bad_Guy:
        pop di                   ; Restore di,
        pop es                   ; es,
        pop bp                   ; bp,
        pop ax                   ; ax
Exit:   popf                     ; and flags,
        jmp dword ptr cs:[int10] ; then execute the original Int 10h.
NewInt10 endp

Install:
        mov ax,3510h             ; Get interrupt vector 10h:
        int 21h                  ; ES:BX = current handler.
        mov int10off,bx
        mov int10seg,es
        mov ax,2510h             ; Set interrupt vector 10h
        mov dx,offset NewInt10   ; to our handler (DS:DX).
        int 21h
        mov dx,Install-start+100h+15 ; DX = resident size in bytes (PSP + code before Install, rounded up).
        mov cl,4                 ; Divide by 16 to get
        shr dx,cl                ; the size in paragraphs.
        mov al,0                 ; Exit code.
        mov ah,31h
        int 21h                  ; Terminate and stay resident.
code    ends
        end start
;**********************;
; TLINK Check_DN
;
; TASM Check_DN /t
;
;**********************;
Now, under DOS, run CHECK_DN.COM and then DN.COM and... the
nagscreen is still present!
Re-boot, don't load SoftICE and try again: the NagScreen
pops up again!!
CONCLUSION:
The program doesn't check (and doesn't care) whether you are
debugging it or not: the flag at [1E8A] is
always equal to "0" (Bad_Guy), so it always writes the "Hi, Hacker..."
message to memory... conclusions? Draw your own conclusions!
Frog's Print - December 1997 - (c) Frog's Print All rights reversed