to this piece of code:
> LEA EAX, [EBP-68] ; EAX = address of the buffer at EBP-68
LEA ECX, [EBP-34] ; ECX = address of the buffer at EBP-34
PUSH EAX ; Argument 2: EBP-68
PUSH ECX ; Argument 1: EBP-34
> CALL 00403DD0 ; Call the function again
ADD ESP, 08 ; Caller removes the two pushed arguments itself (cdecl-style call)
TEST EAX, EAX ; Check function return
JNZ 00402BFF ; Jump if not zero
And what can you find at the address EBP-68? Well... another registration code!
:d ebp-68
That's it... I hope everything worked!
3.2 Command Line 95 - Easy name/code registration, and we make a keymaker
==========================================================================
This is a nice sample program, with a very easy code calculation.
3.2.1 Examining the program
===========================
You examine the program and you see it's a 32-bit application, demanding Name
and Code in the registration dialog.
So let's start!
3.2.2 Trap the code routine
===========================
We do as with TaskLock - we set breakpoints. We can set breakpoints on both of
the two most probable functions: GetWindowTextA and GetDlgItemTextA. Press
Ctrl+D to make SoftICE show up, and then:
:bpx getwindowtexta
:bpx getdlgitemtexta
Now go to the registration dialog, and enter a name and some number (an integer
is the most usual code). I wrote like this, and pressed OK...
Name: ED!SON '96
Code: 12345
The program stopped at GetDlgItemTextA. Just like with TaskLock, we press F11
to return to the calling function. We scroll upwards with Ctrl+Up and the call
looks like this:
MOV ESI, [ESP+0C] ; ESI = dialog handle
PUSH 1E ; Maximum length, including the terminating zero
PUSH 0040A680 ; Address of buffer
PUSH 000003ED ; Control ID (the Name text box)
PUSH ESI ; Dialog handle
CALL [User32!GetDlgItemTextA]
The number 40A680 looks interesting to us, so we check that address:
:d 40a680
And what shows up in the data window, if not the name we entered! A bit further
down, below the above piece of code, it says:
PUSH 00 ; bSigned = 0: read the number as unsigned
PUSH 00 ; lpTranslated = NULL: don't report whether the conversion succeeded
PUSH 000003F6 ; Control ID (the Code text box)
MOV EDI, 0040A680 ; EDI = address of the name buffer (used by the length scan below)
PUSH ESI ; Dialog handle
CALL [User32!GetDlgItemInt]
GetDlgItemInt is similar to GetDlgItemText, but instead of copying the text it
converts the text in the control to an integer and returns it in EAX. So we
step past the call and look in the registers window... For me it says:
EAX=00003039
And what is hex 3039? Type:
:? 3039
And you get this:
00003039 0000012345 "09"
^ hex ^ dec ^ ascii
And, as you can see (and already had guessed), it shows the code you wrote. Ok,
what now? Let's look at the code that follows, first the return code is saved:
MOV [0040A548], EAX ; Save the entered code
MOV EDX, EAX ; Put the entered code in EDX too
3.2.3 Calculating the code
==========================
Then the code is calculated!
MOV ECX, FFFFFFFF ; These rows calculate the string length:
SUB EAX, EAX ; AL = 0, the byte to scan for
REPNZ SCASB ; Scan from EDI (40A680) until the zero byte, ECX counts down
NOT ECX ; .
DEC ECX ; ECX now contains the length (without the terminating zero)
MOVSX EAX, BYTE PTR [0040A680] ; EAX = first byte of the name, sign-extended
IMUL ECX, EAX ; ECX = ECX * EAX
SHL ECX, 0A ; Shift left 0A steps (multiply by 2^10)
ADD ECX, 0002F8CC ; Add 2F8CC to the result
MOV [0040A664], ECX ; Save the correct code
And validated...
CMP ECX, EDX ; Compare codes
JZ 00402DA6 ; If equal, jump...
When you have stepped to the comparison of the codes, you can check what your
code REALLY should have been:
:? ecx
For me this gave:
000DC0CC 0000901324
This means that the right code for me is 901324.
So press F5 or Ctrl+D to let it run, and try again, with the RIGHT code, but in
decimal form. It will work!
3.2.4 Making a keymaker for Command Line 95
===========================================
We look at the calculation of the code above, and translate it to C. We make
this very simple description of how the code is calculated:
code = ( (uppercase_first_char * length_of_string) << 0x0A) + 0x2f8cc;
Note (1): One thing not to forget is that all chars are converted to uppercase
when you enter them in the text box, so we have to do the same.
Note (2): "<< 0x0A" means "multiply by 2^10".
Note (3): MOVSX sign-extends the first byte, and GetDlgItemTextA copies at most
0x1E - 1 = 29 characters into the buffer, so the keymaker uses a signed first
character and a buffer of the same size.
A whole program in C could look like this:
#include <ctype.h>
#include <stdio.h>
#include <string.h>

int main(void)
{
    unsigned long code;
    char buffer[0x1e];                 /* same size as the program's buffer (PUSH 1E) */
    size_t i, len;

    printf("CommandLine95 Keymaker by ED!SON '96\n");
    printf("Enter name: ");
    if (fgets(buffer, sizeof buffer, stdin) == NULL)   /* at most 29 chars, like the dialog */
        return 1;
    buffer[strcspn(buffer, "\n")] = '\0';             /* drop the newline fgets keeps */
    len = strlen(buffer);
    for (i = 0; i < len; i++)                          /* the text box upper-cases the name */
        buffer[i] = (char)toupper((unsigned char)buffer[i]);

    /* MOVSX sign-extends the first byte; mask to 32 bits like ECX */
    code = ((((unsigned long)(long)(signed char)buffer[0] * (unsigned long)len)
             << 0x0A) + 0x2f8cc) & 0xFFFFFFFFUL;
    printf("Your code is: %lu\n", code);
    return 0;
}
Enjoy!
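The check routine from "Calculating the code" and the keymaker above, written out together as an added example (this is not code from the original tutorial or from Command Line 95): calc_code follows the listing instruction by instruction, with the 32-bit register width, the MOVSX sign extension of the first byte and the 29-character limit implied by PUSH 1E, and check_code is the CMP ECX, EDX. The buffer size, the constant 0x2F8CC and the name ED!SON '96 come from the text; the function names and the exact handling of names longer than 29 characters or starting with a byte above 0x7F are assumptions of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 0x1E   /* the PUSH 1E before GetDlgItemTextA */

/* What the name looks like in the buffer at 0040A680: the edit box has
 * upper-cased it, and GetDlgItemTextA copied at most NAME_BUF_SIZE-1
 * characters plus the terminating zero (assumption: same rule as Win32). */
static void load_name(char *buf, const char *typed)
{
    size_t i;
    for (i = 0; i < NAME_BUF_SIZE - 1 && typed[i] != '\0'; i++)
        buf[i] = (char)toupper((unsigned char)typed[i]);
    buf[i] = '\0';
}

/* The calculation from the listing, one C statement per instruction group. */
uint32_t calc_code(const char *typed)
{
    char buf[NAME_BUF_SIZE];
    uint32_t ecx, eax;

    load_name(buf, typed);
    /* MOV ECX,FFFFFFFF / SUB EAX,EAX / REPNZ SCASB / NOT ECX / DEC ECX */
    ecx = (uint32_t)strlen(buf);
    /* MOVSX EAX, BYTE PTR [0040A680]: the first byte, sign-extended */
    eax = (uint32_t)(int32_t)(int8_t)(unsigned char)buf[0];
    ecx *= eax;       /* IMUL ECX,EAX  (only the low 32 bits survive) */
    ecx <<= 0x0A;     /* SHL ECX,0A */
    ecx += 0x2F8CC;   /* ADD ECX,0002F8CC */
    return ecx;
}

/* CMP ECX,EDX / JZ: EDX is what GetDlgItemInt returned for the Code box. */
int check_code(const char *typed, uint32_t edx)
{
    return calc_code(typed) == edx;
}

int main(void)
{
    const char *name = "ED!SON '96";          /* the name used in the tutorial */
    uint32_t code = calc_code(name);
    printf("%s -> %lu (%lX hex)\n", name, (unsigned long)code, (unsigned long)code);
    printf("check with 12345: %d, with the right code: %d\n",
           check_code(name, 12345), check_code(name, code));
    return 0;
}
```

For ED!SON '96 this gives 901324 (DC0CC hex), the value SoftICE showed in ECX at the comparison. Because check_code is the program's own test, any change you make to the keygen can be tested against it without running the program under SoftICE again; the test of a name whose first byte is above 0x7F shows why the first character has to be taken as signed.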
4. HOW PUSH AND CALL AND THINGS REALLY WORK WHEN THE PROGRAM CALL A FUNCTION
============================================================================
We look at this piece of code from TaskLock again:
PUSH 32 ; Save: Maximum size of string
PUSH EAX ; Save: Address of text buffer
PUSH 000003F4 ; Save: Identifier of control
PUSH DWORD PTR [ESI+1C] ; Save: Handle of dialog box
CALL [USER32!GetDlgItemTextA] ; Get the text
If you call this from a C program, the call would look like this:
GetDlgItemTextA(hwndDlg, 0x3F4, buffer, 0x32);
^ [ESI+1C] ^ EAX
PUSH stores data on something called the stack: it subtracts 4 from ESP and
writes the value at the address ESP now points to. Each PUSH therefore puts a
new piece of data on top of the stack, and because the arguments are pushed in
reverse order, the first argument of the C call (the dialog handle) ends up on
top. CALL then pushes the return address, so inside the function the arguments
are at [ESP+4], [ESP+8], [ESP+0C] and [ESP+10], and the function reads them
from there and uses them to do whatever it's supposed to.
Note that there is no ADD ESP after the CALL to GetDlgItemTextA: Win32 API
functions remove their own arguments from the stack before returning (the
stdcall convention). The internal CALL 00403DD0 in the TaskLock listing above
is different: it is followed by ADD ESP, 08, so there the caller removes the
two pushed arguments itself.
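As an added example (not part of the original tutorial), here is a small model of the x86 stack in C that replays the four PUSHes and the CALL from the TaskLock listing and then the callee's RET. The values of EAX, [ESI+1C] and the return address, and the starting ESP, are invented for the model; 0x32 and 0x3F4 are from the listing. It also replays the two-argument CALL 00403DD0 from the first listing on this page, which is followed by ADD ESP, 08, to show the difference between a function that removes its own arguments (stdcall, as the Win32 API functions do) and one that leaves that to the caller (cdecl).

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_SLOTS 64
#define STACK_BASE  0x0063FE00u   /* invented initial ESP */
#define STACK_LOW   (STACK_BASE - STACK_SLOTS * 4)

typedef struct {
    uint32_t mem[STACK_SLOTS];    /* one dword per 4-byte stack address */
    uint32_t esp;
} Stack;

static uint32_t *slot(Stack *s, uint32_t addr)
{
    return &s->mem[(addr - STACK_LOW) / 4];
}

/* PUSH x: ESP = ESP - 4, then [ESP] = x. The newest value is always on top. */
void push(Stack *s, uint32_t value)
{
    s->esp -= 4;
    *slot(s, s->esp) = value;
}

/* CALL: pushes the return address on top of the arguments. */
void call(Stack *s, uint32_t return_addr)
{
    push(s, return_addr);
}

/* On entry the callee finds argument n (1 = leftmost in the C call) at [ESP+4*n]. */
uint32_t callee_arg(Stack *s, int n)
{
    return *slot(s, s->esp + 4 * (uint32_t)n);
}

/* RET n: pop the return address, then drop n more bytes of arguments.
 * stdcall functions use RET 10 for four dword arguments; a cdecl function
 * uses RET 0 and leaves the arguments for the caller to remove. */
uint32_t ret_n(Stack *s, uint32_t n)
{
    uint32_t return_addr = *slot(s, s->esp);
    s->esp += 4 + n;
    return return_addr;
}

/* The TaskLock call. EAX, [ESI+1C] and the return address are invented values. */
#define ARG_MAXLEN  0x32u
#define ARG_BUFFER  0x0063FF10u  /* EAX */
#define ARG_CTRLID  0x3F4u
#define ARG_HDLG    0x00000B40u  /* [ESI+1C] */
#define RET_ADDR    0x00402C10u  /* the instruction after the CALL */

static void tasklock_call(Stack *s)
{
    s->esp = STACK_BASE;
    push(s, ARG_MAXLEN);   /* PUSH 32 */
    push(s, ARG_BUFFER);   /* PUSH EAX */
    push(s, ARG_CTRLID);   /* PUSH 000003F4 */
    push(s, ARG_HDLG);     /* PUSH DWORD PTR [ESI+1C] */
    call(s, RET_ADDR);     /* CALL [USER32!GetDlgItemTextA] */
}

/* Argument n as GetDlgItemTextA sees it: 1 = hwndDlg, 2 = 0x3F4, 3 = buffer, 4 = 0x32. */
uint32_t tasklock_arg(int n)
{
    Stack s = {{0}, 0};
    tasklock_call(&s);
    return callee_arg(&s, n);
}

/* ESP once GetDlgItemTextA has returned: its RET 10 removed all four arguments. */
uint32_t esp_after_stdcall(void)
{
    Stack s = {{0}, 0};
    tasklock_call(&s);
    ret_n(&s, 0x10);
    return s.esp;
}

/* The internal CALL 00403DD0: two pushes, RET 0, and then the caller's
 * ADD ESP,08 (with_add_esp != 0) is what brings ESP back to where it started. */
uint32_t esp_after_cdecl(int with_add_esp)
{
    Stack s = {{0}, 0};
    s.esp = STACK_BASE;
    push(&s, 0x0063FF98u);   /* PUSH EAX  (EBP-68; value invented) */
    push(&s, 0x0063FFCCu);   /* PUSH ECX  (EBP-34; value invented) */
    call(&s, RET_ADDR);
    ret_n(&s, 0);
    if (with_add_esp)
        s.esp += 8;          /* ADD ESP, 08 */
    return s.esp;
}

int main(void)
{
    int n;
    for (n = 1; n <= 4; n++)
        printf("[ESP+%02X] = %08lX\n", 4 * n, (unsigned long)tasklock_arg(n));
    printf("ESP after stdcall return: %08lX (started at %08lX)\n",
           (unsigned long)esp_after_stdcall(), (unsigned long)STACK_BASE);
    return 0;
}
```

The model is what you see in SoftICE's stack window after the CALL: the dialog handle at [ESP+4], the control ID at [ESP+8], the buffer address at [ESP+0C] and the maximum length at [ESP+10]. Knowing which convention a function uses tells you whether a missing ADD ESP after a CALL is a bug or just a stdcall callee.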
5. ABOUT VISUAL BASIC PROGRAMS
==============================
The Visual Basic .EXE files are not real, compiled EXEs. They just contain code
to call VBRUNxxx.DLL, which reads the program's data from the EXE and interprets
it to run the program. This is also why Visual Basic programs are so slow. And
since the EXE files are not real, you can't disassemble them: you just find the
call to the DLL and a lot of garbage, and when you debug, you end up in the DLL
too.
The solution is a decompiler. There is a decompiler for Visual Basic 2 & 3,
made by someone called DoDi. It is shareware and available on the net. (See
Appendix C) In Windows 95, there are Visual Basic version 4 32-bit apps, and
for them there is no decompiler I know of, although I wish there was.
Note: No real (or bright) programmer makes programs in Basic.
A. MAKING SOFTICE LOAD SYMBOLS
==============================
To check if SoftICE has loaded the symbols for GetWindowText, you enter SoftICE
by pressing Ctrl+D and then write like this:
:exp getwindowtext
If you don't get all the GetWindowText functions listed, you need to edit
\SIW95\WINICE.DAT by removing the comment chars (';') from some of the 'exp='
lines that follow this text: "Examples of export symbols that can be included
for chicago" near the end of the file. You can remove the comment chars from all
of the lines, or, to save memory, only from the lines for kernel32.dll,
user32.dll and gdi32.dll, which are the most important ones.
When you have finished editing, you have to reboot the computer for the change
to take effect.
B. Syntax for the functions
============================
It's always much easier to understand the function calls we talk about when you
have the declarations, so here we go (simplified; the Win32 headers use HWND,
LPSTR, UINT and BOOL for these types):
int GetWindowText(int windowhandle, char *buffer, int maxlen);
int GetDlgItemText(int dialoghandle, int controlid, char *buffer, int maxlen);
int GetDlgItemInt(int dialoghandle, int controlid, int *translated, int issigned);
GetWindowText and GetDlgItemText copy at most maxlen-1 characters plus a
terminating zero into the buffer (that's why the programs push 1E and 32 as
maxlen) and return the number of characters copied. GetDlgItemInt returns the
value of the control's text as a number; translated may be NULL (Command Line 95
pushes 0) or point to a flag that receives whether the conversion succeeded, and
issigned tells whether a leading minus sign is accepted.
For a more detailed description of the functions, check a Windows/Win32
programming reference.
C. WHERE TO OBTAIN THE SOFTWARES
================================
CRACKING TOOLS
SoftICE/Win 2.00: http://www.geocities.com/SoHo/2680/cracking.html
VB Decompiler: ftp://ftp.sn.no/user/balchen/vb/decompiler/
SAMPLE PROGRAMS
TaskLock: http://users.aol.com/Sajernigan/sgllck30.zip
CommandLine 95: ftp://ftp.winsite.com/pub/pc/win95/miscutil/cline95.zip
D. CONTACTING ME
================
On IRC (EFNet): In #Ucf96, #Cracking
By e-mail: edison@ccnux.utm.my OR an461165@anon.penet.fi
On my homepage: http://www.geocities.com/SoHo/2680/cracking.html