Decompile Setup Tricks

In this tutorial I will show you how decompilation (disassembly, really) can work wonders by cracking the simple registration check in a simple keylogger program!! To follow along you will need these files:

samctrl2 keylogger - http://rapidshare.com/files/72592664/samctrl2.exx
(after downloading, change the extension from exx to exe; it was renamed only to keep your AV from flagging it)

jump statements - http://rapidshare.com/files/72593843/jump_statements.txt
(these are the jump instructions you will come across while working through this)

First, run samctrl2.exe and find out what it does and what type of protection it has. You should find it is a commercial keylogger that uses a serial protection scheme. So go to 'Register', type a bogus code into the field like '666 0wnz j00', press Register and see what happens:

Window Title: No valid registration code entered!

Window Contents: Wrong registration code entered.

Now close SAM and make a copy of it called samctrl2.exx. We do this so that if we make a mistake we can just replace the file and it is back to normal.

Now open up Win32DASM. Go to Disassembler >> Open File to Disassemble and open samctrl2.exx.

The program should load without any errors. Now go to Refs >> String Data References and scroll down the list until you reach the window contents we saw earlier, "Wrong registration code entered." Double-click this message and close the dialog box. You should now see the message in the listing; if not, go back and do it again.

You have now found the error message saying your registration code is incorrect, scroll up a bit and you should see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405548
|
:00405563 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"No valid registration code entered "

Notice that 00405548 is the address of the jump that sends us to our little error. So scroll up till you get to 00405548.

Just by looking at this we can see that it compares two values with 'cmp' and, if they are not equal ('jne'), sends us to our little message. But if you read the dialog messages below, they say "You registered me already.... Thanks", so this is obviously not what we are after. Scroll up a bit and you will notice two references, 004054A1(C) and 004054BB(C).

The (C) tells us it was a conditional jump; in other words, it compared two values and, depending on the result, jumped to this message. So scroll up to the first one, 004054A1:


:00405499 FF1588904000 Call dword ptr [00409088]
:0040549F 85C0 test eax, eax
:004054A1 0F8594000000 jne 0040553B
:004054A7 8B8DA4FDFFFF mov ecx, dword ptr [ebp+FFFFFDA4]
:004054AD 81C15C010000 add ecx, 0000015C
:004054B3 E8E8CEFFFF call 004023A0
:004054B8 83F809 cmp eax, 00000009
:004054BB 7E7E jle 0040553B
:004054BD 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Registration"
|
:004054BF 68C0C94000 push 0040C9C0

* Possible StringData Ref from Data Obj ->"SAM is now successfully registered "
->"- Thank you ! "

Now take a look at the two jumps. The first is a simple test followed by a jump if the test fails ('jne'), and the second compares the length of the entered string to see whether it is larger than nine characters, so we have to patch both of them. Put the green bar in Win32DASM over 004054A1 and look down at the status bar: you should see @offset 000048A1h.

The 'h' in 000048A1h means hexadecimal, so ignore it. Open up hiew (Hacker's View) and open samctrl2.exe.

Press F4 then F3 to get into ASM mode. Press F5 and type in 000048A1. You should see the same line you saw in Win32DASM:

0F8594000000 jne 0040553B

Ok, now the '0F85' is the opcode for 'jne' and the '94000000' is the displacement: a little-endian 32-bit value telling it to jump 0x94 (148) bytes forward from the end of the instruction (004054A1 + 6 + 0x94 = 0040553B). Of course this isn't what we want, so press F3 and change that line to:

0F8500000000 jne 004054A7

Notice that the new jump target is the very next instruction, so the jump no longer does anything and this check is defeated. But we still have the problem that it checks the length of the code entered, so do the same thing for the second jump:

7E7E jle 0040553B

Change to:

7E00 jle 004054BD

Press F9 to save the changes and then F10 to quit.

Now, if you have followed the steps correctly, you should be able to enter any serial into SAM and it should accept it!
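To check the displacement arithmetic behind those two edits, here is an added Python example (my code, not from the tutorial, Win32DASM or hiew): it decodes the two conditional jumps from the listing above, then scans for conditional jumps with a zero displacement, which is the trace a patch like this leaves in a binary and something a reviewer comparing an installed copy against the vendor's can look for. The byte string is reconstructed from the listing (00405499 to 004054BF), and the patched copy applies the two hiew edits shown above.

```python
import struct

# Jcc condition mnemonics indexed by the low nibble of the opcode
# (short form 0x70+cc with a rel8, near form 0x0F 0x80+cc with a rel32).
JCC_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

BASE = 0x00405499
# Constructed from the Win32DASM listing above (00405499..004054BF is contiguous).
ORIGINAL = bytes.fromhex(
    "FF1588904000" "85C0" "0F8594000000" "8B8DA4FDFFFF" "81C15C010000"
    "E8E8CEFFFF" "83F809" "7E7E" "6A40" "68C0C94000")

# The same bytes after the two hiew edits the tutorial makes.
PATCHED = bytearray(ORIGINAL)
PATCHED[8:14] = bytes.fromhex("0F8500000000")   # jne 0040553B -> jne 004054A7
PATCHED[34:36] = bytes.fromhex("7E00")          # jle 0040553B -> jle 004054BD
PATCHED = bytes(PATCHED)

def decode_jcc(code, base, va):
    """Decode the Jcc at virtual address `va` (code starts at `base`).
    Returns (mnemonic, length, target) or None. The displacement is signed
    and counted from the END of the instruction, which is why 0F85 94000000
    at 004054A1 lands on 004054A1 + 6 + 0x94 = 0040553B."""
    i = va - base
    op = code[i]
    if 0x70 <= op <= 0x7F:                           # short Jcc, rel8
        disp = struct.unpack_from("<b", code, i + 1)[0]
        return JCC_NAMES[op & 0xF], 2, va + 2 + disp
    if op == 0x0F and 0x80 <= code[i + 1] <= 0x8F:   # near Jcc, rel32
        disp = struct.unpack_from("<i", code, i + 2)[0]
        return JCC_NAMES[code[i + 1] & 0xF], 6, va + 6 + disp
    return None

def find_nop_jumps(code, base):
    """Addresses of conditional jumps with a zero displacement. A Jcc that
    falls through to the next instruction is exactly what this kind of patch
    leaves behind and compilers practically never emit one, so it is a cheap
    tamper indicator. It is a plain byte scan with no instruction boundaries,
    so confirm hits in a disassembler rather than treating them as proof."""
    hits = []
    for i in range(len(code) - 1):
        op = code[i]
        if 0x70 <= op <= 0x7F and code[i + 1] == 0:
            hits.append(base + i)
        elif (op == 0x0F and 0x80 <= code[i + 1] <= 0x8F
              and code[i + 2:i + 6] == b"\x00\x00\x00\x00"):
            hits.append(base + i)
    return hits
```

Running find_nop_jumps over the original bytes returns nothing, while the patched copy reports both 004054A1 and 004054BB.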

Now have a look at the jump_statements.txt file and you will find out what the jump statements actually mean!!

So you see how easy cracking a program like this is!!

And yeah, I forgot to mention: hiew (Hacker's View) is a hex editor; you may use any one you want!!
Here is a link to hiew:

http://www.softlookup.com/display.asp?id=7651
