SOURCER 7
"efficiency of a well positioned BPINT under DOS"


Advanced cracking series

by Frog's Print

(29 October 1997)

---

Courtesy of fravia's page of reverse engineering

Well, back to DOS! Was about time! Contrarly to what some still choose to believe, dos reversing is far from being an obsolete activity: many very important programs are working under DOS, because Windoze simply does not give enough power, and as +ORC told us long ago in his tut, many of the older DOS protections are much more tougher and interesting than the banal cmp eax, 1 tricks inside "compiled" windoze targets...
There is another very nice lesson teached here by Frog's Pint: let's not be lazy! Almost anyone uses a "ready cracked" (read "stolen") Sourcer 7 version which comes with a pirated serial number inside it: the whole Web is polluted with all pirated versions of this important tool, and noone seems to care about the only thing that is really fascinating in our opinion: how to reverse this reverser program 'par excellence'. And Frog's Print does exactly this, and he writes:
As we are crackers, let's throw away this serial number and crack Sourcer 7.0
Right! And if you add to these 'strategic' thoughts the whole cursor bpinting, you'll agree with me that this essay deserves to be posistioned among the prestigious "Advanced cracking series". Enjoy!

by Frog's Print -

Running the INSTALL.BAT will display the following message  :

 Please enter the product serial number from the Sourcer
 diskette label (i.e. SX123456-ABCD).

 S/N:_
 
The important thing to note is the "_" right after "S/N:" : this is a blinking cursor.
The program is waiting for you input and the <Enter> key to be pressed.

If you type any number/letter, you'll see that the cusor is moved one collumn to the right (we are in Text mode :-) and will always follow your last input.
That's nice.
There is one Dos Interrupt that moves the cursor from one location to another:

 Int 10h function 02h
 
 Ah = 02h
 Dh = Rows (0..24)
 Dl = Columns (0..79)
 

In Sourcer 7.0, the cursor is first positionned at row 14 (0x0e) and column 36 (0x24).
To verify this, quit the installation program (ctrl-c) and put a Breakpoint on Int 10h function 02h if row=14 and column=36 as per follow:

 BPINT 10 IF Ah==02 && Dh==0x0e && Dl==0x24 DO "rs"

The "rs" instruction is not necessary, but it will restore the program screen instead of SoftIce's one, each time the program will break. As  there may be several breaks that can occur, we could then check which one is the correct one without having to press <F4> each time (I'm lazy).
Now run INSTALL.BAT. You'll get 3 breaks before getting to the blinking cursor:

-1st Break:
 Please enter the product serial number from the Sourcer
 diskette label (i.e. SX123456-ABCD).

 S/N:

-2nd Break:
 Please enter the product serial number from the Sourcer
 diskette label (i.e. SX123456-ABCD).

 S/N: (+ a green box for our input)

-3rd Break:
 Please enter the product serial number from the Sourcer
 diskette label (i.e. SX123456-ABCD).

 S/N: (+ text on status line)
 

-4th Break (This is the right one with the blinking cursor):
 Please enter the product serial number from the Sourcer
 diskette label (i.e. SX123456-ABCD).

 S/N:_

We are now sure: we are at the correct interrupt.
Clear your breakpoint and put another one just on INT 10, Ah=02h:

BPINT 10 IF Ah==02

Type in any letter/number and SoftICE will pop-up each time. Now press <ENTER> and you'll get another break.
Diseable the BreakPoint and press <F2> four times and you'll land here, in SRIN.EXE :

00011447: 9A04006E12  call   0126E:00004   ; That's where we come from
0001144C: 83C406      add    sp,006
0001144F: 16          push   ss
00011450: 8D46EE      lea    ax,[bp][-0012]; User's Input =>Ax
00011453: 50          push   ax
00011454: 9A7F360000  call   00000:0367F
00011459: 83C404      add    sp,004
0001145C: 16          push   ss
0001145D: 8D46EE      lea    ax,[bp][-0012]
00011460: 50          push   ax
00011461: 90          nop
00011462: 0E          push   cs
00011463: E8A100      call   000011507
00011466: 83C404      add    sp,004
00011469: 8BF8        mov    di,ax
0001146B: 0BFF        or     di,di         ; Is_Password_Correct?
0001146D: 7429        je     000011498     ; Yes, jump to Check_Again..
0001146F: 9AA415F31A  call   01AF3:015A4   ; Otherwise..
00011474: 1E          push   ds            ; Bad_guy and let him know
00011475: 68981F      push   01F98         ; "The number you have entered is not correct.."
00011478: 6A0E        push   00E
0001147A: 6AFF        push   0FF
0001147C: 6A11        push   011
...
...
0001148A: 6A0E        push   00E
0001148C: 6AFF        push   0FF
0001148E: 6A12        push   012
00011490: 9AB502F31A  call   01AF3:002B5
00011495: 83C40A      add    sp,00A
00011498: 0BFF        or     di,di         ; Check_Again if Pass OK!!
0001149A: 7403        je     00001149F     ; Good_guy
0001149C: E96CFF      jmp    00001140B     ; Bad_guy
 
 To crack this just change the first "or di,di" into a "xor di,di" and the installation will work.

As you can see, it's quite easy as long as you take the time to examine your program working and know well the DOS interrupts.
You can crack ANY DOS program with the right BPINT (on that interrupt (10h) as well as INT 21h (ah=0A...).. :- ) just because any *.Com or Dos *.Exe files needs Interrupts to work!

Frog's Print October 1997 - (c) Frog's Print, 1997. All rights reversed.

Back to the Advanced cracking section Back to project 1

---

homepage links anonymity +ORC students' essays tools cocktails
academy database antismut search_forms mail_fravia
is reverse engineering legal?