========================================================
+HCU Maillist Issue: 131                      02/01/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================
CONTENTS:

#1 Subject: RE: RE: RE: RE:

ARTICLES:

-----#1-------------------------------------------------
Subject: RE: RE: RE: RE:

<<<<<
> From what I remember this just needs a READWRITE flag set in the source
> code. But I can't remember where I read this.
>>>>>

I think the position of the RW flag in the source code... well, I don't
think all compilers/linkers support it. BTW, should you happen to know
how to do it with my beloved TASM/TLINK, please tell me. I couldn't find
a way to do it in some code I made at one point, and chose to set the
flag manually after linking.

The way this is done (and yes, you should know this if you wish to
append code/data to PE files; the essays I've seen so far have either
just seen that the flags were set correctly or been lucky that they
were): the flag is positioned as the last byte in the ObjectTableEntry
for the object. Set it to 0E0h and you'll have read, write, exe, which
basically means you'll be able to do whatever you like.

As for using the VirtualProtect or VirtualProtectEx APIs to remove the
protection, it obviously requires that this function is in the imports
or that you've imported it yourself through GetProcAddress (it's in
kernel32.dll, which is mapped in all processes, so you don't need to
load it :) ). So the above-mentioned method of changing flags in the PE
file directly is well suited for "foreign targets". Also, since all
well-behaved applications run in ring 3, modifying this flag won't pose
a general endangerment to the system - only to the process itself
(which IMHO is done by all patching anyway) - though avoid changing the
flags if there is no obvious reason to do so.

<<<<<<<<<
> I've always thought it strange that protectionists never tried to search
> for softice given how easy it can be done and how difficult (if not
> impossible) it would be to hide from a determined programmer.
> I wrote to Quine about this not long ago as he pre-empted one of my
> 'concept' protection schemes: basically heavy softice detection with PE
> wrapping. I thought that since most crackers have little experience in
> unpacking PE packed files it would be quite safe, also tools were limited at
> the time, but with Quine's SoftDump...
>>>>>>>>>>

Even with Quine's SoftDump or the long-available dumpers by Patriarch or
Jammer it's still pretty hard to unpack PEs. Imports might be mangled,
resources, relocations etc.; there is a lot of work to be done. And -
well, the PE header is more than 200 bytes large and it needs to be
consistent (at least if you wish the unpacked file to run on NT).

Speaking of this - does anybody know how to get from an IAT entry to
the name/ordinal of an imported function and the DLL name? (The IAT
entry is the exported entry point mapped into the current process's
virtual address space - you can assume that I have access to this
mapping, because it's relatively easy to force yourself into other
processes' address space :) )

<<<<
> I agree that going to ring 0 is hardly ever necessary. But I remember
> reading the above paragraph somewhere recently. Was it something you wrote?
> Do you know where it is from?
>>>>

The paragraph you're referring to could very well be mine - I wrote
something similar to Hanno's Exemailing list in response to the fact
that some PE encrypters are using these unfortunate techniques. Lord
Caligo published it on his webpage - *************************** -
where you can find it if you're interested in an old man's views and
thoughts on encrypting PE files. If you have not previously dealt with
the PE file, only the intro will make sense to you.

On a totally different note - +RCG's VxD technique to hook certain
functions is IMHO ill-behaved cracking. There is no need for ring 0 in
the specific situation, and in the general case there are many other
ways of intercepting "hostile" APIs. This does however not change the
fact that I found the essay interesting and fairly well written - it's
just not a method that should be taken into consideration before all
else fails - and all MEANS all.. and there are extremely many tricks
that can be applied to solve situations where +RCG's solution would be
possible. Maybe if you guys find it particularly interesting I'll write
a doc or something on "Pseudo residency and hooking APIs from ring 3".. :)

Stone / United Cracking Force '98

=====End of Issue 131===================================

========================================================
+HCU Maillist Issue: 132                      02/02/1998
========================================================
CONTENTS:

#1 Subject: Pseudo residency and hooking API's from ring 3"..
#2 Subject: Re....Re
#3 Subject: Netscape
#4 Subject: Netscape Source
#5 Subject: Symantec's protection

ARTICLES:

-----#1-------------------------------------------------
Subject: Pseudo residency and hooking API's from ring 3"..

Stone,
I'm VERY interested in your essay
"Pseudo residency and hooking APIs from ring 3";
please do by all means write it as soon as
you have some time...

later
fravia+

-----#2-------------------------------------------------
Subject: Re....Re

Hi Stone,

I would very much like your comments/criticism about the bad use of
VxDs for cracking purposes. You know how many protections were defeated
in our beloved MSDOS using TSR programs, because in some cases there was
no other solution. I know that protections in W95/NT are far from these
levels of sophistication, but I think protectionists will soon begin to
use more powerful techniques; in fact, a good protection using
Hasp/Sentinel can't be removed if you haven't got certain privileges
like I/O access/interception.

BTW, 99% of us use a ring 0 utility to reverse programs. I know you and
Quine don't agree with me because you are using NT; sure, you are
right, because I have never used it before, and sure, many things I
don't care about under W95 can be dangerous in NT. All right, my advice
is not to use such techniques to crack programs, but at least you must
know it can be an extreme solution.

Finally, would you describe briefly your idea to intercept APIs using
only a standard application? I'm very interested to know it.

regards
+rcg
rcg__(at)usa(point)net

PD. Please forget my latinmail address, our high technology is so
good. :-(

-----#3-------------------------------------------------
Subject: Netscape

Just a bit of info. Netscape says they will be releasing their client
source code by the end of the first quarter '98. That should make for
some interesting ideas.

Joe Dark

-----#4-------------------------------------------------
Subject: Netscape Source

OK, I just read on.. they plan on releasing the source code for
Netscape Communicator 5.0.

Joe Dark

Maybe we'll be able to fix some of the bugs it's bound to have.

-----#5-------------------------------------------------
Subject: Symantec's protection

Hi there ReZiDeNt!!!

Way back you wrote about unlocking the NU trial. I have recently spent
some time on it and I can't jump over anything; I just end up in the
same place all the time. Can you or someone else tip me on that?

BTW: it uses some strange procedure calling method, anyone noticed
that???
Greets
KUBAK

=====End of Issue 132===================================

========================================================
+HCU Maillist Issue: 133                      02/03/1998
========================================================
CONTENTS:

#1 Subject: Re: Pseudo residency
#2 Subject: new project

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: Pseudo residency

> Stone,
> I'm VERY interested in your essay
> Pseudo residency and hooking API's from ring 3
> please do by all means write it as soon as
> you have some time...

I'm sorry to say that I do not intend to write an essay - however I
might write a doc if I find the time.. :)

> Hi Stone, I would like very much your comments/critics
> about the bad use of the VxD for cracking purposes.
> You know how many protections were being defeated in
> our beloved MSDOS using TSR programs, because in some
> cases, there were no other solution. I know that
> protections in W95/NT are far from these levels of
> sophistication, but I think soon protectionits will
> begin to use more powerful technics, in fact a good
> protection using Hasp/Sentinel can't be removed
> if you haven't certain privileges like IO access/
> interception.
> BTW 99% of us use a ring 0 utility to reverse
> programs.

It's a well-known fact that a system debugger (which IMHO is the most
important cracking tool) is by definition a ring 0 utility. However,
there is a reason that I don't have my very much loved WinIce loaded by
default on either my Windows 95 or Windows NT. They are a source of
instability - a source that I can live with when cracking, but a source
that I'm not happy to have when I use my PC as a general purpose tool -
writing school papers etc.

> I know you and Quine don't agree with me because
> you are using NT, sure you are right, because
> I have never use it before and sure many things
> I don't care about under W95 can be dangerous in NT.
> All right, my advice is not to use such technics
> to crack programs, but at least you must know
> it can be an extreme solution.

Obviously the ring 0 approach can be used as an extreme solution. But
as you point out, Windows copy protection is not yet far developed, and
I've yet to see a program that required the use of a ring 0 component
after I had been done with it. The exception is of course when the copy
protection is built directly in ring 0 and for various reasons can't
just be peeled off. Ring 0 protections obviously have great strength,
but they also come at a great price. A price so high it's my firm
belief that it shouldn't be done.

The analogy you make to MSDOS TSRs doesn't quite hold. In Windows you
are offered plenty of other angles of attack - angles that did not
exist in MSDOS. The whole import system is something begging for
abuse - and that is abuse from ring 3! Another solution on the Windows
95 platform is that of unprotected memory areas. While this is to some
extent analogous to using ring 0 schemes, it's not quite as dangerous.
(I'll publish some source code on this topic on my webpage next time I
get around to updating it.)

The essence of what I'm saying here is that ring 0 should only be used
when it's strictly unavoidable. And in 99.9% of all application
cracking the finished crack should rely only on ring 3 code. My
reluctance to give ring 0 code its rights in cracking does not mean
that I did not find your essay interesting - it is.

In short, the method of hooking APIs from ring 3 relies on forcing
yourself upon the virtual address space of the "target" and setting its
IAT to suit your own purposes :) At least 5 methods exist in which you
can get around this from ring 3!

Stone / United Cracking Force '98

-----#2-------------------------------------------------
Subject: new project

Hi all,

I started to work on a project that combines two difficult things like
encryption and Visual Basic. It is similar to the Instant Browse
scheme - the 1997 HCU strainer. It is called Component Source and it
has several software components on a CD. We choose a particular
component and we have to phone, giving a reference ID from the program,
to get a working password that will enable the decryption process. The
program is written in VB4 and the CDs are available for free at
************************

Has anyone already worked on it?

Greets
+PopJack

=====End of Issue 133===================================

========================================================
+HCU Maillist Issue: 134                      02/04/1998
========================================================
CONTENTS:

#1 Subject: none
#2 Subject: VxD's in protection and deprotection - and ring 3 meassures!
#3 Subject: Marx Crypto Box
#4 Subject: VRamDir
#5 Subject: Component Source

ARTICLES:

-----#1-------------------------------------------------
Subject: none

Hello KUBAK,

> Way back You wrote about unlocking NU trial. I have recently spent
> some time on it and I can't jump over anything, i just end i the
> same place all the time. Can You or someon e else tip me on that.
> BTW: it uses some strange procedure calling method anyone noticed
> that ???

I could try to dig out my writings on this, but I suggest you go to the
snippets page at fravia+'s page of reverse engineering, where
ThunderLord has written a nice piece about how to do it.

The URL is: *************************************************

Hope it helps!

Cya,
+ReZiDeNt

-----#2-------------------------------------------------
Subject: VxD's in protection and deprotection - and ring 3 meassures!

I'm sorry to say, Fravia, but I'm not much of an essay writer. I might
write a doc though when I get the time.

+RCG: I do not believe that your analogy with MSDOS TSRs quite holds.
First, in the MSDOS days we were dealing with a single-task system.
That is, the cracker's responsibility was limited to the program in
question. A TSR could simply be loaded prior to running the program and
unloaded afterwards, or be made in the form of a loader. While this is
to some extent true with dynamic VxDs too, the problem I see is that
other processes have this VxD running as well. Furthermore, the API
interface provided in DOS was the interrupt structure, making this
angle of attack a natural one - however, in Windows the API interface
is not one of interrupts, and such an angle no longer becomes natural
in a sense. And as a last comment to this analogy, I think it's
important to remember that in all but the early days TSR cracks were
thought of as less fortunate cracks than the byte patch. (E.g. many
games groups spent countless hours removing int 2fh protection schemes
while a small, commonly available TSR works quite well (cd2emu, fakecd
and others) - this was not a coincidence.)

A key distinction that I'd like to enter here is the time of the
cracking and the time of the use. While cracking I see no problem in
using a ring 0 tool. We are expecting instability while cracking -
heck, in the MSDOS days I used to say that it wasn't a fun crack if I
didn't have to reboot at least once. Another thing is the time of use.
The goal of the cracking process must be to provide the best possible
solution at all times for the end user. This to me means providing
something as close as possible to what he/she would've gotten had
he/she bought the program legitimately.
Adding a factor of instability to his/her entire system is IMHO as far
away from this principle as you can get. The cracker's use of ring 0
tools while cracking is not a violation of the above-mentioned
principle. However, I cannot rule out that a program might come along
where a ring 0 angle is the only angle of attack. I'd have to say that
I've been around - I've seen a few heavy protection schemes in my time,
and all but those which themselves relied on VxDs I was able to resolve
without the use of "use time" ring 0 code. The amount of available
ring 3 interception techniques is massive, and they should be exhausted
prior to wimping out and going ring 0.

The use of ring 0 techniques for protection purposes is IMHO a
surrender of the programmer. It's plain bad karma. It's like selling a
car stereo without telling the customer you removed the airbag to
install it. However - knowledge is never bad. So I fully support
spreading knowledge about VxDs, telling how they could be used by a
cracker or in a protection scheme. However, in the same breath we
should give the instructions for proper use of such techniques (which
in 99.9% of all cases is no use).

Well - enough about why not to use ring 0, and on to how you can
actually avoid using it. As each PE file is loaded, each DLL it uses is
mapped into its virtual address space, and a table of addresses for
each requested API function is made (this table is called the IAT).
The trick is to force your own code into the address space of the
process where you wish to do damage :) ... then find the IAT and
redirect the entries you wish to hook to your own code - possibly even
chaining the original API. Since the IAT need not be at a fixed
address, we're forced to enter the process prior to the imports being
loaded. Many methods of doing this from ring 3 exist. 5 at least - not
all well suited from a cracking point of view. Well.. it's beyond this
forum to get more greasy than this.. so I'll leave it at that.

While on the subject of abusive ring 3 code: I'll put the source code
for a Windows 95 trainer on my WebNote later tonight. The technique
that this uses can also serve as a ring 3 substitute.

kind regards
Stone / United Cracking Force '98

-----#3-------------------------------------------------
Subject: Marx Crypto Box

Dr. Fuhrball, I hope you're on the mailing list...

>>>>
The device uses a pic16 processor (low voltage with 2mhz oscillator)
and an 8kbit eeprom, both devices made by Microchip Inc. But it's even
better, because when I soldered enough wires to the microprocessor and
stuck it in the pic burner, I was able to read out the entire contents
of the processor chip. This is secure????? And the same thing goes for
the data inside the eeprom.
<<<<

I've never actually seen a dongle before. From your description it
seems that there are two main components, the PIC and the E^2 module.
Reading the E^2 isn't much of a problem, but I don't understand the
PIC. Which PIC was it? I thought they all had code protection?! Surely
they set the flag! Though having seen their software protection in your
essay it wouldn't surprise me if they hadn't...

Could you elaborate on the data in the PIC and E^2? I'm just wondering
why it would need an extra 8kbit of storage. How does the PIC address
the external memory? I didn't think it could do this, at least not the
PIC16C85 (I suppose technically you could use a couple of bits on a
port for I/O, but the software on the PIC to handle this would be
horrendous!).

If you've discovered a new and EASY (i.e. cheap) way to bypass the code
protection flag I'd be VERY interested to hear it. :)

~~ Ghiribizzo

-----#4-------------------------------------------------
Subject: VRamDir

When I first cracked Vramdir, I didn't have IDA, so I just searched for
40771B and changed that to give me more time (in fact I changed it to
give me less time - 2 minutes, so that I could check that it worked).

After reading the recent essay on VRamdir, I decided to download it
again and take another look. I tried the same trick again (you could
write a generic patcher to search and replace the string). I noticed
something rather interesting:

If you change the 6840771b00 to 68cccccccc to give you lots of time,
the information is written straight to disk (i.e. vramdir doesn't
work).

If you change it to the value around 2 minutes (I can't remember
exactly what I chose) you get the message as expected (I didn't test
whether it works properly to begin with).

At first I thought it might be some checksum, so I changed a random
byte in the file, but it worked as normal. Not a checksum over the
whole file then. I changed the string to 684077ff66 and it works!
684077ff99 doesn't work.

I haven't looked into why this happens yet, but I thought I'd mention
it in case anyone was interested. The thing is - the author could have
hidden the fact that the program wasn't working much better, and then I
would have thought I had cracked it and would go on merrily using the
program...

~~ Ghiribizzo

-----#5-------------------------------------------------
Subject: Component Source

Hi +PopJack and everyone else,

I have also just started to look at Component Source. My concern is
that the decryption may require a brute force approach. Anyone with any
information on the encryption/decryption method used?

Regards All
basE+mEtaL

=====End of Issue 134===================================

========================================================
+HCU Maillist Issue: 135                      02/05/1998
========================================================
CONTENTS:

#1 Subject: Modifying the file...
#2 Subject: RE: PIC processors
#3 Subject: Marx Crypto Box

ARTICLES:

-----#1-------------------------------------------------
Subject: Modifying the file...

Hi!

My friend Cruhead and I were talking about a protection, a program
which could modify itself on disk when running...

The main idea is:
You run the proggie.
The proggie checks some things, and then writes some data into itself
on the HDD...
The program then exits...

We'd like to use just one EXE, without any DLLs or any other files...
Does anybody know anything about this?

Thanx!
Pero

-----#2-------------------------------------------------
Subject: RE: PIC processors

It turns out that Dr. Fuhrball is not on the mailing list. I contacted
him by email and this is his reply (edited). I won't post any more
messages from this thread unless someone really wants me to, as it is
straying from software reverse engineering and you may not be
interested.

>>>> Begin message

> it? I thought they all had code protection?! Surely they set the flag!
> Though having seen their software protection in your essay it wouldn't
> surprise me if they hadn't...

answer 1) these people really are total morons. Sad really.
answer 2) they set the protection flag, and did not verify that they
could no longer read the data back out. Even sadder.

And the chip is a pic16c55 and the eeprom is a 93aa76.

> (I suppose technically you could use a couple of bits on a port for I/O but
> the software on the PIC to handle this would be horrendous!).

The eeprom is where, among other things, the 540 bytes of memory
storage for the key is used. Also the pre-calculated and/or/xor/... for
the two encryption methods is stored. And you bet that serial e squared
are icky devices. Just sent fravia the first rev of the dongle hardware
essay....

> If you've discovered a new and EASY (i.e. cheap) way to bypass the code
> protection flag I'd be VERY interested to hear it.

:) There are definitely people out there that can lift the code out of
these devices regardless of the protection flag. For example
interesting-devices.com and the various Paul Maxwell King sites. But
it's time fravia and crew start expanding their horizons into the fun
business of Dallas 5000's and Atmel 89c52's. These guys think they are
good, we will see. There have got to be others than AXA and BG.

<<<< End message

~~ Ghiribizzo

-----#3-------------------------------------------------
Subject: Marx Crypto Box

Hi Ghiribizzo and all,

I've seen your comments on the dongle and it reminded me of the chips
used in satellite video decryption (the 18c84 and family). There are
proggies made to emulate and program those chips. Just have a look at
*************************** and related links. Maybe it is just a long
shot, but it is worth the try.

Greets
+PopJack

=====End of Issue 135===================================

========================================================
+HCU Maillist Issue: 136                      02/06/1998
========================================================
CONTENTS:

#1 Subject: Re: Modifying the file
#2 Subject: Component Source
#3 Subject: PICs
#4 Subject: nesbitt sharelock

ARTICLES:

-----#1-------------------------------------------------
Subject: Re: Modifying the file

You would need to consider the implications of file sharing etc., but
one way is:

Consider a COM file in DOS.
Read from memory the name of the file (from the PSP).
Check to see if you can get the file.
If not, reconstruct the path and try again.
Open and write the file as usual.

Putting counters in the exe file itself has some advantages (e.g.
against filemon).

If you're writing in an HLL, e.g. C++, try this:

#include
void main(int argc, char **argv)
{
    for (int i=0; i
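A worked example of the two PE mechanics Stone describes in issues 131 and 134: patching a section's Characteristics so that its last byte reads 0E0h (read/write/execute), and walking the import directory so that an IAT slot can be mapped back to the DLL and the imported function's name or ordinal, which is the question he asks in issue 131 and also the table his ring 3 hooking idea in issue 134 redirects. This is added example code, not code posted to the list or written by any of its authors. It handles PE32 only; the PE image it parses is constructed inline for the example (it is not a real binary), and the 0x400000 load address used to turn a process address into an RVA is an assumption.

```python
import struct

SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
ORDINAL_FLAG32 = 0x80000000
IMAGE_BASE = 0x400000   # assumed load address of the constructed image

def pe_offset(image):
    """File offset of 'PE\\0\\0', found via e_lfanew at 0x3C."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return pe

def section_headers(image):
    """Section table; chars_off is the file offset of each 40-byte header's Characteristics DWORD (byte 36)."""
    pe = pe_offset(image)
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", image, pe + 20)[0]
    out = []
    for hdr in range(table, table + 40 * nsect, 40):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        out.append(dict(name=name.rstrip(b"\0").decode(), va=va, vsize=vsize, rawsize=rawsize,
                        rawptr=rawptr, chars=struct.unpack_from("<I", image, hdr + 36)[0],
                        chars_off=hdr + 36))
    return out

def set_section_rwx(image, name):
    """Copy of image with section `name` readable, writable and executable. The flags are the
    top bits of the little-endian DWORD, so the header's last byte becomes 0xE0 (Stone's manual
    patch); lower bits such as CNT_CODE are preserved."""
    patched = bytearray(image)
    for s in section_headers(image):
        if s["name"] == name:
            struct.pack_into("<I", patched, s["chars_off"], s["chars"] | SCN_EXEC | SCN_READ | SCN_WRITE)
            return bytes(patched)
    raise KeyError(name)

def rva_to_offset(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA %#x not in any section" % rva)

def cstring(image, off):
    return image[off:image.index(b"\0", off)].decode()

def walk_imports(image):
    """{IAT slot RVA: (dll, symbol)} from the import directory (DataDirectory[1]).
    Names are read from the INT, since in a running process the IAT holds addresses."""
    pe = pe_offset(image)
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("PE32 only")
    sections = section_headers(image)
    desc = rva_to_offset(sections, struct.unpack_from("<I", image, opt + 104)[0])
    slots = {}
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", image, desc)
        if not (int_rva or name_rva or iat_rva):
            break                                    # all-zero terminating descriptor
        dll = cstring(image, rva_to_offset(sections, name_rva))
        thunk_off = rva_to_offset(sections, int_rva or iat_rva)
        for i in range(4096):                        # bounded walk of the thunk array
            thunk = struct.unpack_from("<I", image, thunk_off + 4 * i)[0]
            if thunk == 0:
                break
            sym = ("#%d" % (thunk & 0xFFFF) if thunk & ORDINAL_FLAG32
                   else cstring(image, rva_to_offset(sections, thunk) + 2))   # skip 2-byte hint
            slots[iat_rva + 4 * i] = (dll, sym)
        desc += 20
    return slots

def describe_iat_slot(image, slot_va, image_base=IMAGE_BASE):
    """Which DLL/function does the IAT entry at this process address belong to?"""
    return walk_imports(image).get(slot_va - image_base)

def build_sample_pe():
    """Constructed PE32 (not a real binary): .text at RVA 0x1000, .idata at RVA 0x2000."""
    base, raw = 0x2000, 0x400
    INT1, IAT1, INT2, IAT2, N1, N2, H1, H2, H3 = 0x40, 0x50, 0x60, 0x70, 0x80, 0x90, 0xA0, 0xB2, 0xC4
    d = bytearray(0x200)
    struct.pack_into("<IIIII", d, 0x00, base + INT1, 0, 0, base + N1, base + IAT1)
    struct.pack_into("<IIIII", d, 0x14, base + INT2, 0, 0, base + N2, base + IAT2)
    for off in (INT1, IAT1):
        struct.pack_into("<III", d, off, base + H1, base + H2, 0)
    for off in (INT2, IAT2):
        struct.pack_into("<III", d, off, ORDINAL_FLAG32 | 123, base + H3, 0)
    d[N1:N1 + 13], d[N2:N2 + 11] = b"KERNEL32.dll\0", b"USER32.dll\0"
    d[H1:H1 + 17], d[H2:H2 + 17] = b"\0\0GetProcAddress\0", b"\0\0VirtualProtect\0"
    d[H3:H3 + 14] = b"\0\0MessageBoxA\0"
    h = bytearray(0x200)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)                                        # e_lfanew
    struct.pack_into("<HHIIIHH", h, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)           # COFF header
    opt = 0x58
    struct.pack_into("<H", h, opt, 0x10B)                                        # PE32 magic
    struct.pack_into("<III", h, opt + 28, IMAGE_BASE, 0x1000, 0x200)             # base, alignments
    struct.pack_into("<II", h, opt + 104, base, 0x3C)                            # import directory
    struct.pack_into("<8sIIIIIIHHI", h, opt + 224, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", h, opt + 264, b".idata", 0x200, base, 0x200, raw, 0, 0, 0, 0, 0xC0000040)
    return bytes(h) + bytes(0x200) + bytes(d)
```

Against build_sample_pe(), walk_imports reports four IAT slots (0x2050 and 0x2054 for GetProcAddress and VirtualProtect in KERNEL32.dll, 0x2070 for USER32.dll ordinal 123, 0x2074 for MessageBoxA), and set_section_rwx turns .text's 0x60000020 into 0xE0000020. Two caveats for real targets: the names must come from the INT (OriginalFirstThunk), because once the loader has run the IAT holds resolved addresses; and when an old linker leaves the INT at zero the fallback to the on-disk IAT only works before the loader overwrites it.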