Like watching a movie!
(An interesting tool: Numega's Smartcheck)
by fravia+
+cracker

(7 November 1997)

Courtesy of fravia's page of reverse engineering (of course :-)

Anonmail version 1.2 catastrophe
how to defeat all visual basic 5 protections
in fact: how to reverse any windoze target!

(From the interview: 'Smartchecking targets')



Q.: Mr fravia+, what did you experienced the first time you took 

    this Smartcheck tool for a ride?

A.: A great feeling of power, supreme 'might' and a sort of 

    real quiet, and a calm and peace of mind I cannot describe.  

    Everything around me seemed so 'correct', so 'how it should always 

    have been'... I don't know if you can understand me... look, just 

    try it yourself: I do believe that Smartcheck represents the right 

    way to "feel" the code of our targets, at least in part, in that 

    mystical 'zen' way that +ORC describes so well in his tut. I'm so 

    happy about this toy that I have even added, extra for this essay, 

    some nice 'Numega-similar' graphic bars, hope somebody will 

    appreciate them.

                                    

numegbar   



Dear readers, I'm quite moved by this tool, you'll excuse me, I'm 

even seriously thinking to buy it (once my ALLOWED trial time will 

have expired, of course). Let's keep it short: you want to learn 

how to reverse engineer windows targets? Use Smartcheck on your

own... you'll be amazed about what's going on under the hood (and 

under the hooey).



Smartcheck, by Numega's Technologies, is a program that was 

originally conceived as a tool for checking visual basic runtime 

errors. Being Numega's programmers the smartass wizards that they 

are, they produced a tool that is the ALPHA AND OMEGA of all 

program flow analysers that I have ever seen (and I have seen 

quite a lot of them, believe me, I even wrote my own ones).



Forget Visual Basic, forget error checking, you'll use this tool

in order to see GRAPHICALLY and with an incredible depth the flow

of ALIEN code, i.e. what your target is doing, wherever the 

programmer has hidden his routines, whatever he has called them!



As long as you can interact with the target you'll get the full 

picture of your target's inner working.



Sounds too good to be true? Wait and see. In the mean time

download IMMEDIATELY the free trial version of this tool from 

Numega's site (see the essay by Snatch for more details on it).

 

As target for this essay I have chosen AnonMail, version 1.2, 

by Mark Leary, Peanuts software, somewhere in Massachusetts.

An interesting little program that should allow you to send 

email anonymously, something that can always come handy, I 

believe, unfortunately the shareware version of this program 

seems curiously to have a lot of reduced functionalities, which 

hamper any possibility to try it out fully and without restrictions

in order to see if it is worth 15 bucks (it probably is, btw, yet 

I prefer other methods to send mail anonymously).



   PNut's WWW site is located at http://www.pnutsoftware.com.

   ANONMAIL.EXE: 105.984 bytes 

   Alternatively you may fetch this program from many magazine 

   CD-ROMs, I fetched mine from PCTeam CD-Pro n.27, a french mag 

   that +ORC himself pointed me to long ago (I'm not French and 

   I hate software that has been translated from English, as the 

   French way too often choose to do, yet this mag-CD is VERY good, a 

   must for software collectors)



First of all, you should learn how to CONFIGURE smartcheck to 

suit our purposes, and this is jolly uselessly complicated... 

may be Numega did not want to be too obviously producing a tool 

for crackers :-) may be the next version will take care of 

this (this downloadable version is still a sort of beta).

                   

Here are the steps for MAXIMUM detail (even too many details, as

you will see, yet I want to give you the full picture immediately :-)           

Load target (option File open)

View: all events (specific events is also very good, as you'll discover), 

      arguments,     

      sequence numbers.    
NOW, once loaded the target, select settings (and you'll get a menu with 5 tabs, not three) save these settings as default values (very important) error suppression, advanced, "DO NOT suppress api calls" and "report errors even if" That's it, NOW, once you have made these settings, (you will learn how to fine tune them later) run the target inside Smartcheck, sit comfortable on your chair, set some nice music on (what about Vivaldi?), drink your favourite cocktail and watch the movie. run anonmail.exe OK, you'll have more than 20.000 (twenty thousand) lines of report, that you'll now peruse. Clearly there are much too many irrelevant operations recorded. Just learn how to fine tune SmartCheck, in order to get ONLY the reports you need (a good idea would be to read the help file, btw). As you can see, on the left, you can 'expand' or 'collapse' the depth of information. Note that there are three 'panes' inside 'program result', the source code one will not interest us very much, I'm afraid, since unfortunately most of the time we do not happen to have the source code for our targets, but the 'details-call' pane is VERY important, and will appear every time you click on an 'event' that has interested you inside the main program event pane of the program result window. I wanted to show you every possible track, just in order to give you a broad feeling of this marvellous toy. There are two options for working with SmartCheck's own dead listing, which can be quite handy to print out and peruse at leisure... actually, you will just 'Smartcheck' a target and then have a look at the program event pane of the program result window and then print the relevant parts, and then sit down in a nice chair and crack everything with your MIND, sipping your favourite cocktail :-) Also, you may either save everything as *.sce file or you may choose preview print, look at the page numbers (above, right) that interests you and print only those pages. numegbar So we started Smartcheck, and what do we notice smack at the beginning? Here is what you see: AnonMail.exe - Program Results 11/05/97 13:38:12 ANONMAIL.EXE!12036 (StringKey=RegNum) GetSettings String appname "AnonMail" (406750, look in the right 'pane') String section "Registration" (406FB4) String key "RegNum" (406FD4) default variant String .bstrVal "0" (406FE8) So, just at the beginning the target is assigning NULL to RegNum. And then: ANONMAIL.EXE!1206C (StringKey=Name) GetSettings String appname "AnonMail" (406750) String section "Registration" (406FB4) String key "Name" (406FF0) default variant String .bstrVal "Loser" (407000) That's really jolly nice of them. So we all start this app with RegNum=NULL and Name=Loser... no wonder we are unregistered! What happen afterwards? ANONMAIL.EXE!12234 (to string1) Len(String:"Loser") returns: L0NG 5 (425DC0) Yes, we get the length of the Loser string and then ANONMAIL.EXE!1223C (long to integer 5) As you can see, it's like watching a commented movie of the behaviour of our target's protection scheme! I will not annoy you with the following steps: Smartcheck gives you a complete commented disassembly of EVERYTHING that our target does: at 1227C Takes substring "variant" from string "Loser" (425DC0) And returns, for the first letter "L", the value (at 425DD8) integer 76 (which is 'L') Then it does the same with 'o', 's', 'e', and finally 'r'. Now at ANONMAIL.EXE!122ED (event 55 of the list) long gives an error code (no more characters: string "Loser" is finished) ANONMAIL.EXE!12321 confirms that this string was 5 char long. and we are back at ANONMAIL.EXE!1217F with the main caption UNREGISTERED. So, that was it. We wouldn't even need to type our own strings inside the "register-me" window (nor to use softice) to crack this target. It is clear, we 'feel' it... look: we FEEL it! that the protection scheme of this crap dwells somewhere between 122ED and 12321. You just need to load a dead listing from somewhere and have a sort look. Between these locations there is only ONE compare (actually a test ah,40h) and that's what you have to fumble with. Yet let's go on nevertheless, for didactical purposes (choosing 'register' from the program options, open the registration box of the target type a dummy name and a dummy serial number (fravia and 12121212) press OK and we'll see that at 11E70 the target gets MnuToolsRegister_Click then it goes over to MSVBVM50.DLL!3CD23 in order to create the Register Form and the various command buttons... btw you'll easily see now that the created txtRegCode (TextBox) has value 24EDAAC and that the txtName(TextBox) has the value 24EDBC0. Now we are back to ANONMAIL.EXE!11F12 for the Register.show routine, which on cmdOK_Click (i.e. after that you have entered your bogus data) at ANONMAIL.EXE!17000 (note how protectionists use often very easy to remember code locations for their crap, here 17000 :-) so, then at ANONMAIL.EXE!17090 our target collects txtName.Text (which in my case is obviously 'fravia') at 170D1 the target then collects txtRegCode.Text (which in my case is '1212121212') Now we are back at ANONMAIL.EXE!1227C-12291 for the transformation of fravia into its relative ASCII decimal codes: 102(f)-114(r)-97(a) -118(v)-105(i)-97(a) (and all these letters are stored at 425DC0) Now at ANONMAIL.EXE!12302 the string "12121212" will be transformed in a numeric value (we entered it as a string, the target needs a number) At ANONMAIL.EXE!12321 we have a length check: 6 chars are reported. Then the target, at ANONMAIL.EXE!1732E, gives you its pathetic 'Invalid Registration Code' string (which dwells at 4215BC). Once more: between 12302 and 12321! Even less bytes! Only 19 bytes to peruse! Ah! Do you begin to grasp what this mean or do you really need more explanations in order to understand the potentialities of all this? Well, if you want more: have more and see how it looks like 'translated': Smartcheck's ANONMAIL.EXE!12036 (StringKey=RegNum) GetSettings String appname "AnonMail" (406750, look in the right window) String section "Registration" (406FB4) String key "RegNum" (406FD4) default variant String .bstrVal "0" (406FE8) translates into the following disassembled code snippet: :00412018 B8E86F4000 mov eax, 00406FE8 :0041201D 68D46F4000 push 00406FD4 :00412022 894208 mov dword ptr [edx+08], eax :00412025 68B46F4000 push 00406FB4 :0041202A 6850674000 push 00406750 :0041202F C745FC48114000 mov [ebp-04], 00401148 :00412036 897A0C mov dword ptr [edx+0C], edi :00412039 FFD3 call ebx And, among many other interesting things, we now know that this ebx, called here at 12039 is a GetSetting function. numegbar ANONMAIL.EXE!1206C (StringKey=Name) GetSettings String appname "AnonMail" (406750) String section "Registration" (406FB4) String key "Name" (406FF0) default variant String .bstrVal "Loser" (407000) Translates into: :00412050 B800704000 mov eax, 00407000 :00412055 68F06F4000 push 00406FF0 :0041205A 68B46F4000 push 00406FB4 :0041205F 890A mov dword ptr [edx], ecx :00412061 6850674000 push 00406750 :00412066 897204 mov dword ptr [edx+04], esi :00412069 894208 mov dword ptr [edx+08], eax :0041206C 897A0C mov dword ptr [edx+0C], edi :0041206F FFD3 call ebx (Note that both times the target locations given by SmartCheck ANONMAIL.EXE!12036 and ANONMAIL.EXE!1206C are the location IMMEDIATELY PRECEDING the calls, which here are calls to MSVBVM50.rtcGetSetting, Ord:02B1h). OK, we could republish the whole movie that we have seen above WITH the disassembled listing aside, to show you how easily you can fetch whatever part of a target's code you fancy from your disassembly NO MATTER WHAT FUNNY NAMES have been given by the protectionists or what strange *.DLL HAVE BEEN CALLED BY THE MAIN TARGET CODE, yet it is not necessary: We can directly go where some work awaits us. I'll repeat it, in case you were not listening: when we are doing our 'Smartcheck cracking' we DON'T even have to use names or labels of any kind!! No more search and replaces inside our wordprocessors, nor any need to use any more the (mighty) renaming function of IDA... and what about Softice? We'll use it may be once or twice a year if things should get really tough :-) Ok, I know, you want to see the protection scheme 'naked', here it is, as Smartcheck told us: between 12302 and 12321: ANONMAIL.EXE!12302 the string "12121212" will be transformed in a Double value. But at ANONMAIL.EXE!12321 we have some check: and our target, at 1732E, gives us 'Invalid Registration Code' (which is fetched at 4215BC) :00412301 FF15D0B24100 Call dword ptr [0041B2D0] ;MSVBVM50.__vbaR8Str :00412307 DC9D74FFFFFF fcomp qword ptr [ebp+FFFFFF74] ;comp stack :0041230D DFE0 fstsw ax ;store NPX/FPU status word in ax :0041230F F6C440 test ah, 40 ;logical AND of ah :00412312 7507 jne 0041231B ;get good flag :00412314 BE01000000 mov esi, 1 ;BAD flag :00412319 EB02 jmp 0041231D ;don't get GOOD flag :get_bad_flag :0041231B 33F6 xor esi, esi ;Not a loser any more :-) :continue :0041231D 8B03 mov eax, dword ptr [ebx] :0041231F 50 push eax :00412320 FF15D8B14100 Call dword ptr [0041B1D8] ;MSVBVM50.__vbaLenBstr So, what about modifying :00412312 7507 jne 0041231B ;get good flag if password guessed into something more nice (well, you can choose your crack, I'm not going to crack targets for anybody!) Well, what d'you say? What about thank-you fravia+ and thank-you Numega? numegbar I'll add something equally interesting: our enemies at Micro$oft have just released a visual debugger: Windebug. I have news for those of you that don't use it: it's jolly good (if a little bugged). I'm using in this very moment on another window of my screen, You'll be able to download Micro$oft's WINDBG for free on any Micro$oft's site round the world: I have taken mine from http://www.asia.microsoft.com/msdownload/platformsdk/sdktools.htm for download timezone reasons, yet you'll find it elsewhere. As soon as you'll have tried it, you'll see that this program (which packed can find place on a single floppy: it's IWINDBG.EXE.EXE, 1.259.152 bytes) does indeed cut the mustard. Just try working with it, and tell me if the option "view/memory/byte/fill window" is or not a pretty useful one for our purposes :-) There is a lesson here: Micro$oft is catching up even in the most sacred of our grounds: our tools. Yet the reason I spoke about this tool here is that it makes a very good complement to Smartcheck if you want to check some snippets on the fly. I have worked on AnonMail with Smartcheck and IDA, but I'm now working on other projects and I'm now reversing with Smartcheck and WINDBG. Believe me, it's great fun! (And you learn a lot about reversing software, which is the real reason we are all here in the first place :-)
(c) fravia+ All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redproject2 redproject8
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?