An interesting tool: Numega’s Smartcheck

(From the interview: ‘Smartchecking targets’)

Q.: Mr Fravia+, what did you experienced the first time you took
    this Smartcheck tool for a ride?
A.: A great feeling of power, supreme ‘might’ and a sort of
    real quiet, and a calm and peace of mind I cannot describe. 
    Everything around me seemed so ‘correct’, so ‘how it should always
    have been’… I don’t know if you can understand me… look, just
    try it yourself: I do believe that Smartcheck represents the right
    way to "feel" the code of our targets, at least in part, in that
    mystical ‘zen’ way that +ORC describes so well in his tut. I’m so
    happy about this toy that I have even added, extra for this essay,
    some nice ‘Numega-similar’ graphic bars, hope somebody will
    appreciate them.
                                   
  

Dear readers, I’m quite moved by this tool, you’ll excuse me, I’m
even seriously thinking to buy it (once my ALLOWED trial time will
have expired, of course). Let’s keep it short: you want to learn
how to reverse engineer windows targets? Use Smartcheck on your
own… you’ll be amazed about what’s going on under the hood (and
under the hooey).

Smartcheck, by Numega’s Technologies, is a program that was
originally conceived as a tool for checking visual basic runtime
errors. Being Numega’s programmers the smartass wizards that they
are, they produced a tool that is the ALPHA AND OMEGA of all
program flow analysers that I have ever seen (and I have seen
quite a lot of them, believe me, I even wrote my own ones).

Forget Visual Basic, forget error checking, you’ll use this tool
in order to see GRAPHICALLY and with an incredible depth the flow
of ALIEN code, i.e. what your target is doing, wherever the
programmer has hidden his routines, whatever he has called them!

As long as you can interact with the target you’ll get the full
picture of your target’s inner working.

Sounds too good to be true? Wait and see. In the mean time
download IMMEDIATELY the free trial version of this tool from
Numega’s site (see the essay by Snatch for more details on it).
 
As target for this essay I have chosen AnonMail, version 1.2,
by Mark Leary, Peanuts software, somewhere in Massachusetts.
An interesting little program that should allow you to send
email anonymously, something that can always come handy, I
believe, unfortunately the shareware version of this program
seems curiously to have a lot of reduced functionalities, which
hamper any possibility to try it out fully and without restrictions
in order to see if it is worth 15 bucks (it probably is, btw, yet
I prefer other methods to send mail anonymously).

   PNut’s WWW site is located at http://www.pnutsoftware.com.
   ANONMAIL.EXE: 105.984 bytes
   Alternatively you may fetch this program from many magazine
   CD-ROMs, I fetched mine from PCTeam CD-Pro n.27, a french mag
   that +ORC himself pointed me to long ago (I’m not French and
   I hate software that has been translated from English, as the
   French way too often choose to do, yet this mag-CD is VERY good, a
   must for software collectors)

First of all, you should learn how to CONFIGURE smartcheck to
suit our purposes, and this is jolly uselessly complicated…
may be Numega did not want to be too obviously producing a tool
for crackers 🙂 may be the next version will take care of
this (this downloadable version is still a sort of beta).
                  
Here are the steps for MAXIMUM detail (even too many details, as
you will see, yet I want to give you the full picture immediately 🙂          
Load target (option File open)
View: all events (specific events is also very good, as you’ll discover),
      arguments,    
      sequence numbers.   
NOW, once loaded the target, select settings
(and you’ll get a menu with 5 tabs, not three)
save these settings as default values (very important)
error suppression, advanced, "DO NOT suppress api calls"
                         and "report errors even if"  

That’s it, NOW, once you have made these settings, (you
will learn how to fine tune them later) run the target
inside Smartcheck, sit comfortable on your chair, set
some nice music on (what about Vivaldi?), drink your
favourite cocktail and watch the movie.

run anonmail.exe

OK, you’ll have more than 20.000 (twenty thousand) lines
of report, that you’ll now peruse. Clearly there are much
too many irrelevant operations recorded. Just learn how to
fine tune SmartCheck, in order to get ONLY the reports you
need (a good idea would be to read the help file, btw). As
you can see, on the left, you can ‘expand’ or ‘collapse’ the
depth of information. Note that there are three ‘panes’ inside
‘program result’, the source code one will not interest us
very much, I’m afraid, since unfortunately most of the time
we do not happen to have the source code for our targets, but
the ‘details-call’ pane is VERY important, and will appear
every time you click on an ‘event’ that has interested you
inside the main program event pane of the program result
window.
I wanted to show you every possible track, just in order to
give you a broad feeling of this marvellous toy.
 

There are two options for working with SmartCheck’s own dead
listing, which can be quite handy to print out and peruse at
leisure… actually, you will just ‘Smartcheck’ a target and
then have a look at the program event pane of the program
result window and then print the relevant parts, and then
sit down in a nice chair and crack everything with your
MIND, sipping your favourite cocktail 🙂 
Also, you may either save everything as *.sce file or you may
choose preview print, look at the page numbers (above, right)
that interests you and print only those pages.

  

So we started Smartcheck, and what do we notice smack at the
beginning? Here is what you see:

AnonMail.exe – Program Results  11/05/97  13:38:12

ANONMAIL.EXE!12036 (StringKey=RegNum)
GetSettings String appname "AnonMail"     (406750, look in the right ‘pane’)
            String section  "Registration" (406FB4)
     String key      "RegNum"       (406FD4)
            default variant
            String .bstrVal "0"            (406FE8)     

So, just at the beginning the target is assigning
NULL to RegNum.
And then:

ANONMAIL.EXE!1206C (StringKey=Name)
GetSettings String appname "AnonMail"     (406750)
            String section  "Registration" (406FB4)
     String key      "Name"         (406FF0)
            default variant
            String .bstrVal "Loser"        (407000) 

That’s really jolly nice of them. So we all start this app
with RegNum=NULL and Name=Loser… no wonder we are unregistered!

What happen afterwards?  
  
ANONMAIL.EXE!12234 (to string1)
Len(String:"Loser") returns: L0NG 5    (425DC0)   

Yes, we get the length of the Loser string and then 
ANONMAIL.EXE!1223C (long to integer 5)      

As you can see, it’s like watching a commented movie of the
behaviour of our target’s protection scheme!

I will not annoy you with the following steps: Smartcheck
gives you a complete commented disassembly of EVERYTHING
that our target does:
at 1227C
Takes substring "variant" from string "Loser" (425DC0)
And returns, for the first letter "L", the value (at 425DD8)
integer 76 (which is ‘L’)
Then it does the same with ‘o’, ‘s’, ‘e’, and finally ‘r’.

Now at ANONMAIL.EXE!122ED
(event 55 of the list) long gives an error code (no more
characters: string "Loser" is finished)

ANONMAIL.EXE!12321 confirms that this string was 5 char long. 
and we are back at

ANONMAIL.EXE!1217F with the main caption UNREGISTERED.

So, that was it. We wouldn’t even need to type our own strings
inside the "register-me" window (nor to use softice) to crack
this target. It is clear, we ‘feel’ it… look: we FEEL it!
that the protection scheme of this crap dwells somewhere
between 122ED and 12321. You just need to load a dead listing
from somewhere and have a sort look. Between these locations
there is only ONE compare (actually a test ah,40h) and that’s
what you have to fumble with.

Yet let’s go on nevertheless, for didactical purposes (choosing
‘register’ from the program options,

open the registration box of the target
type a dummy name and a dummy serial number (Fravia and 12121212)
press OK    

 and we’ll see that at

11E70 the target gets MnuToolsRegister_Click  

then it goes over to MSVBVM50.DLL!3CD23 in order to create the
Register Form and the various command buttons… btw you’ll
easily see now that the created txtRegCode (TextBox) has value
24EDAAC and that the txtName(TextBox) has the value 24EDBC0.
   
Now we are back to  ANONMAIL.EXE!11F12 for the
Register.show routine, which on cmdOK_Click
(i.e. after that you have entered your bogus data)
at ANONMAIL.EXE!17000 (note how protectionists use often very
easy to remember code locations for their crap, here 17000 🙂
 
so, then at ANONMAIL.EXE!17090 our target collects txtName.Text
(which in my case is obviously ‘Fravia’)
at 170D1 the target then collects txtRegCode.Text (which in my
case is ‘1212121212’)
 
Now we are back at ANONMAIL.EXE!1227C-12291 for the transformation
of Fravia into its relative ASCII decimal codes: 102(f)-114(r)-97(a)
-118(v)-105(i)-97(a) (and all these letters are stored at 425DC0)
 
Now at ANONMAIL.EXE!12302 the string "12121212" will be transformed in
a numeric value (we entered it as a string, the target needs a number)

At ANONMAIL.EXE!12321 we have a length check: 6 chars are reported.
 
Then the target, at ANONMAIL.EXE!1732E, gives you its pathetic
‘Invalid Registration Code’ string (which dwells at 4215BC).

Once more: between 12302 and 12321! Even less bytes! Only 19 bytes
to peruse! Ah!
 
Do you begin to grasp what this mean or do you really need more
explanations in order to understand the potentialities of all this?
                                  
Well, if you want more: have more and see how it looks like ‘translated’:

Smartcheck’s
ANONMAIL.EXE!12036 (StringKey=RegNum)
GetSettings String appname "AnonMail"      (406750, look in the right window)
            String section  "Registration" (406FB4)
     String key      "RegNum"       (406FD4)
            default variant
            String .bstrVal "0"            (406FE8)   

translates into the following disassembled code snippet:
:00412018 B8E86F4000              mov eax, 00406FE8
:0041201D 68D46F4000              push 00406FD4
:00412022 894208                  mov dword ptr [edx+08], eax
:00412025 68B46F4000              push 00406FB4
:0041202A 6850674000              push 00406750
:0041202F C745FC48114000          mov [ebp-04], 00401148
:00412036 897A0C                  mov dword ptr [edx+0C], edi
:00412039 FFD3                    call ebx

And, among many other interesting things, we now know that this
ebx, called here at 12039 is a GetSetting function.
 

ANONMAIL.EXE!1206C (StringKey=Name)
GetSettings String appname "AnonMail"      (406750)
            String section  "Registration" (406FB4)
     String key      "Name"         (406FF0)
            default variant
            String .bstrVal "Loser"        (407000)
 
Translates into:

:00412050 B800704000              mov eax, 00407000
:00412055 68F06F4000              push 00406FF0
:0041205A 68B46F4000              push 00406FB4
:0041205F 890A                    mov dword ptr [edx], ecx
:00412061 6850674000              push 00406750
:00412066 897204                  mov dword ptr [edx+04], esi
:00412069 894208                  mov dword ptr [edx+08], eax
:0041206C 897A0C                  mov dword ptr [edx+0C], edi
:0041206F FFD3                    call ebx

(Note that both times the target locations given by SmartCheck
ANONMAIL.EXE!12036 and ANONMAIL.EXE!1206C are the location
IMMEDIATELY PRECEDING the calls, which here are calls to
MSVBVM50.rtcGetSetting, Ord:02B1h).

OK, we could republish the whole movie that we have seen above
WITH the disassembled listing aside, to show you how easily you
can fetch whatever part of a target’s code you fancy from your
disassembly NO MATTER WHAT FUNNY NAMES have been given by the
protectionists or what strange *.DLL HAVE BEEN CALLED BY THE
MAIN TARGET CODE, yet it is not necessary: We can directly go
where some work awaits us.  

I’ll repeat it, in case you were not listening: when we are doing
our ‘Smartcheck cracking’ we DON’T even have to use names or
labels of any kind!!
No more search and replaces inside our wordprocessors, nor any
need to use any more the (mighty) renaming function of IDA…
and what about Softice? We’ll use it may be once or twice a year
if things should get really tough 🙂
 
Ok, I know, you want to see the protection scheme ‘naked’, here it is,
as Smartcheck told us:  between 12302 and 12321:
 

ANONMAIL.EXE!12302 the string "12121212" will be
transformed in a Double value.

But at ANONMAIL.EXE!12321 we have some check:
and our target, at 1732E, gives us ‘Invalid Registration Code’
(which is fetched at 4215BC)

:00412301 FF15D0B24100            Call dword ptr [0041B2D0] ;MSVBVM50.__vbaR8Str
:00412307 DC9D74FFFFFF            fcomp qword ptr [ebp+FFFFFF74]  ;comp stack
:0041230D DFE0                    fstsw ax      ;store NPX/FPU status word in ax                  
:0041230F F6C440                  test ah, 40   ;logical AND of ah
:00412312 7507                    jne 0041231B  ;get good flag
:00412314 BE01000000              mov esi, 1    ;BAD flag
:00412319 EB02                    jmp 0041231D  ;don’t get GOOD flag

:get_bad_flag
:0041231B 33F6                    xor esi, esi  ;Not a loser any more 🙂

:continue
:0041231D 8B03          mov eax, dword ptr [ebx]
:0041231F 50            push eax
:00412320 FF15D8B14100  Call dword ptr [0041B1D8] ;MSVBVM50.__vbaLenBstr

So, what about modifying  
:00412312 7507   jne 0041231B  ;get good flag if password guessed
into something more nice (well, you can choose your crack, I’m not
going to crack targets for anybody!)

Well, what d’you say?
What about thank-you Fravia+ and thank-you Numega?

          

I’ll add something equally interesting: our enemies at Micro$oft have
just released a visual debugger: Windebug. I have news for those of you
that don’t use it: it’s jolly good (if a little bugged).

I’m using in this very moment on another window of my screen,
You’ll be able to download Micro$oft’s WINDBG for free on any
Micro$oft’s site round the world: I have taken mine from        

http://www.asia.microsoft.com/msdownload/platformsdk/sdktools.htm

for download timezone reasons, yet you’ll find it elsewhere.

As soon as you’ll have tried it, you’ll see that this program
(which packed can find place on a single floppy: it’s
IWINDBG.EXE.EXE, 1.259.152 bytes) does indeed cut the mustard.

Just try working with it, and tell me if the option
"view/memory/byte/fill window" is or not a pretty useful one for
our purposes 🙂

There is a lesson here: Micro$oft is catching up even in the
most sacred of our grounds: our tools. Yet the reason I spoke
about this tool here is that it makes a very good complement
to Smartcheck if you want to check some snippets on the fly.

I have worked on AnonMail with Smartcheck and IDA, but I’m
now working on other projects and I’m now reversing with Smartcheck
and WINDBG. Believe me, it’s great fun! (And you learn a lot
about reversing software, which is the real reason we are all
here in the first place 🙂

Belgeci , 2422 belge yazmış

Cevap Gönderin