DOS Navigator v1.50: how to spy on our targets
(TSR spying and "classical old style" cracking)

by Frog's Print

(10 December 1997, slightly edited by fravia+)
Courtesy of fravia's page of reverse engineering
Well, a nice example of DOS cracking...
<short explanation for people that don't know anything at all:>
"Noo, Dos cracking is not dead, Dos is still VERY important for reverse engineering purposes, Windows is more "transient" than DOS, you are well advised to learn dos cracking -and tsrring- techniques, study dos and dos protections every time you get a chance to find one, fish Softice DOS last version 92 out of the web... etcetera."
<End of the short explanation for people that don't know anything at all>
...and of TSR building, a particularly fascinating essay for reversers that are building their own tools, not quite suitable for the beginner cracker or the casual reverser, though :-)
Enjoy!

DOS Navigator v1.50
(TSR spying/cracking)
 
 by Frog's Print -: )

As the name says, DOS Navigator v1.5 (available at http://www.ritlabs.com/dn/ from the authors of THE_BAT!, an e-mail program with a nice protection that may drive some newbies crazy...) is a DOS file manager.
It can handle any kind of file manipulation, viewing, editing, drag & drop, as well as a disk editor and even 2 versions of the famous Tetris. It doesn't support Windows95 long filenames (I really couldn't care less about that because I don't like long filenames and I'm still using the 16-bit Winfile.exe -: ).
It's a useful tool, especially when you get stuck at the DOS prompt because Win95 doesn't want to load...
It is shareware and has a nagscreen reminding you of that each time you run it.

Right after installing it, here is the listing of the files in its directory:

   DN.COM     1 778  <= "Launcher"
   DN.OVR   762 170
   DN.PRG   132 720  <= .Exe file packed with PKLITE
   DN.LNG    17 952
   DN.DLG    57 031
 
We can see that DN.COM is 1.7 KB and could only be a "launcher" (the file is full of "jmp xxxx:xxxx"). Due to its extension, DN.PRG seems to be the main program. After opening it with a hex editor, we can see it is an EXE file and that it has been packed with PKLITE.
The programmers made a little mistake here, because PKLITE has an option to make the compressed file unextractable but they didn't use it (or maybe those naughty guys from Ritlabs don't have a Registered version of the famous PKWARE soft! -: ). Anyway, we will not unpack it, it is not the purpose of this essay.
 
As there's a nagscreen but no registration dialog box, I just assume that the program is looking for a .reg or .key file. So let's see:
Load DN.COM with SoftICE (with any version of the S-ICE Symbol Loader for DOS - I am using here DLDR.EXE v3.1 from S-ICE DOS v2.95) and BPINT on Int 21h function 3Dh (open existing file, ds:dx=ASCIZ filename - Return AX=file handle or error code):

BPINT 21 IF ah==3d do "d ds:dx"

At the 12th break you can see in the data window that Dos Navigator is looking for DN.KEY. Of course it will return a #2 error code (file not found) as this is the registration key file and it is not included in the shareware package.
I simply copy a file into its directory, rename it DN.KEY, and using the same BPINT, run the program again.
When the break occurs, I put a conditional BPINT on Int 21h/AH=3Fh (read from file):

BPINT 21 IF ah==3f && bx==?? (put DN.KEY handle returned in Eax during last open_existing_file)

At this point, I was about to start deciphering the registration procedure. I still had the SoftICE data window pointing to DS:DX and then, about one minute later, I saw the following message in this memory area:

  HI, Hacker Nice To See You Here!

I was just wondering if there was any Anti-Cracker/Debugger trick that was about to crash my PC. I noted the offset and decided to go ahead to verify this. So, "F12" and I got there at offset xxxx:1ADB (in DN.PRG):

1AC5    push    bp
1AC6    mov     bp,sp
1AC8    cmp     byte ptr [1E8A],00 ; Any_Cracker_Around ?
1ACD    jz      1AD1               ; 1) Yes, send him the message
1ACF    jmp     1AF7               ; 2) No Cracker there, go ahead
1AD1    les     di, [bp+06]
1AD4    push    es
1AD5    push    di
1AD6    call    xxxx:0020          ; "Hi Hacker..."
1ADB    les     di, [bp+06]
...
1AF7    leave
1AF8    retf    0004               ; Back to caller

Pressing "F12" again we land here:

18A1    call    xxxx:0057          ; Any_Cracker_Around routine we come from
18A6    push    0100
18A9    push    9DD1               ; "key"
18AC    push    00
18AE    push    00
18B0    call    xxxx:19A0          ; Check if registered
18B5    or      ax,dx              ; Is it?
18B7    jnz     18C8               ; Good_Guy jump
...
18C3    call    xxxx:0034          ; NagScreen
18C8    mov     di,9BBA            ; Go_Ahead

Obviously, patching the JNZ at offset 18B7 would get rid of the nagscreen.

The crack is done, but what about our "Any_Cracker_Around" routine?
The message doesn't appear on the program screen, only in the memory area where ds:dx pointed. It didn't crash or otherwise affect the program.

Let's find out how Dos Navigator checks if we are debugging it (or if SoftICE is loaded).
First I checked the usual DOS tricks to detect SoftICE (i.e. Int 2Fh/ax=1684h/bx=0202h/di=0/es=di...) then the stupid anti-debugging tricks (Int 01h, Int 03h) but didn't find anything.
Then, as I knew that the program used a "cmp byte ptr [1E8A],00" to check if we are debugging it, I thought the best would be to write a TSR that would check [1E8A]. It would work like this:

1)-Grab an interrupt as close as possible to the "Any_Cracker_Around" routine
2)-Check the flag at [1E8A]:
   a)-If "0" ( cracker detected) then do nothing, restore the interrupt and go ahead (nagscreen..)
   b)-If "1" (no debugging) then get rid of the NagScreen and go ahead
3)-Restore original Interrupt used by Dos Navigator.

We must grab an Int as close as possible to the routine because during its execution, the program jumps/jumps back from DN.COM to DN.PRG. The routine is only loaded at the last moment. As this happens during the program initialization, intercepting Int 10h should be fine.
I found a good one:
Int 10h / AX=03h (get cursor position and size). The routine to check is loaded right before the call to this Int (but is located far from it).

And now, the TSR:
 

;***********************;
; Check_DN.asm          ;
;                       ;
;***********************;
 
 code          segment
              org      100h
              assume   cs:code

start:        jmp      Install

int10         label    dword                       ; Save old Int10
int10off      dw 0                                 ; address
int10seg      dw 0                                 ;

NewInt10      proc     far                         ; Our new Int10.
              pushf                                ; Save flags.
              cmp      ax,0300h                    ; Check if it is
              jne      Exit                        ; the right one
              cmp      cx,0020h                    ; otherwise
              jne      Exit                        ; exit.
Check_Flag:   push     ax                          ; Save ax,
              push     bp                          ; and bp.
              mov      bp,sp                       ; sp=>bp.
              mov      ax,[bp+8]                   ; Get previous segment in DN.EXE.
              add      ax,2F0Fh                    ; +2F0Fh to get segment to check.
              push     es                          ; Save es
              push     di                          ; and di.
              push     ax                          ; Push ax
              pop      es                          ; Pop it back into es.
              mov      di,1E8Ah                    ; Get offset to check.
              cmp      byte ptr es:[di],0          ; Check our AntiCracker_Flag.
              je       Bad_Guy                     ; If 0 (Bad_guy), then jump...
Patch_Nag:    sub      ax,309Fh                    ; -309Fh to get segment to patch.
              push     ax                          ; Save it.
              pop      es                          ; Pop it back into es.
              mov      di,18B7h                    ; Offset to patch.
              mov      byte ptr es:[di],74h        ; Get rid of the NagScreen.
Bad_Guy:      pop      di                          ; Restore di,
              pop      es                          ; es,
              pop      bp                          ; bp,
              pop      ax                          ; ax
Exit:         popf                                 ; and flags
              jmp      dword ptr cs:[Int10]        ; Execute Int 10h.
NewInt10      endp

Install:      mov      ax,3510h                    ; Get interrupt vector.
              int      21h                         ;
              mov      Int10off,bx                 ; ES:BX = value of interrupt vector
              mov      Int10seg,es                 ;
              mov      ax,2510h                    ;
              mov      dx,offset NewInt10          ; New vector to be used for Int 10h
              int      21h                         ; ...
              mov      dx,Install-Start+100h+15    ; DX= Program size.
              mov      cl,4                        ; Divide by 16 to get
              shr      dx,cl                       ; size in paragraphs.
              mov      al,0                        ; Exit code.
              mov      ah,31h                      ;
              int      21h                         ; Terminate and stay resident.
code          ends
              end      Start

;**********************;
; TASM Check_DN        ;
; TLINK /t Check_DN    ;  (assemble first, then link as a .COM)
;**********************;
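The same install/chain skeleton applied to Int 21h instead of Int 10h, so that the file opens the essay watched with "BPINT 21 IF ah==3d" can be recorded without a debugger: a resident hook that copies the ASCIZ filename at DS:DX of every AH=3Dh call into a small ring buffer, then passes the call on to DOS untouched. This is an added example, not Frog's Print's code; it assumes TASM/TLINK as above, and the buffer geometry (NAMELEN, NAMECNT) and the name Log_Open are my own choices.

```asm
;***********************;
; Log_Open.asm          ;  (added example, not from the essay)
;***********************;

code          segment
              org      100h
              assume   cs:code

Start:        jmp      Install

Int21         label    dword                       ; Saved old Int 21h
Int21off      dw 0                                 ; vector (offset,
Int21seg      dw 0                                 ; segment).

NAMELEN       equ      32                          ; bytes kept per entry
NAMECNT       equ      16                          ; entries in the ring (power of 2)
Slot          db 0                                 ; next ring entry to overwrite
Names         db NAMELEN*NAMECNT dup (0)           ; resident ring buffer of names

NewInt21      proc     far                         ; Our new Int 21h.
              pushf                                ; Save flags (DF included).
              cmp      ah,3Dh                      ; Open existing file?
              jne      Chain                       ; No: hand over unchanged.
              push     ax                          ; Save every register
              push     cx                          ; we touch; DS:DX must
              push     si                          ; reach DOS intact.
              push     di
              push     es
              cld                                  ; String ops go forward.
              push     cs
              pop      es                          ; ES = our own segment.
              mov      al,cs:Slot                  ; Entry index 0..NAMECNT-1.
              mov      ah,NAMELEN
              mul      ah                          ; AX = index*NAMELEN.
              mov      di,offset Names
              add      di,ax                       ; ES:DI -> entry to fill.
              mov      si,dx                       ; DS:SI -> caller's ASCIZ name.
              mov      cx,NAMELEN-1                ; Leave room for a terminator.
CopyLoop:     lodsb                                ; AL = DS:[SI], SI++.
              stosb                                ; ES:[DI] = AL, DI++.
              or       al,al                       ; Copied the final zero?
              jz       Copied
              loop     CopyLoop
              xor      al,al                       ; Name too long: truncate
              stosb                                ; and terminate it ourselves.
Copied:       inc      cs:Slot                     ; Advance the ring
              and      cs:Slot,NAMECNT-1           ; and wrap around.
              pop      es                          ; Restore registers.
              pop      di
              pop      si
              pop      cx
              pop      ax
Chain:        popf                                 ; Restore flags
              jmp      dword ptr cs:[Int21]        ; and let DOS do the open.
NewInt21      endp

Install:      mov      ax,3521h                    ; Get Int 21h vector
              int      21h                         ; into ES:BX
              mov      Int21off,bx                 ; and save it.
              mov      Int21seg,es
              mov      ax,2521h                    ; Set Int 21h vector
              mov      dx,offset NewInt21          ; to DS:DX (DS=CS in a .COM).
              int      21h
              mov      dx,Install-Start+100h+15    ; Resident size: PSP + code,
              mov      cl,4                        ; rounded up, in
              shr      dx,cl                       ; paragraphs (16 bytes).
              mov      ax,3100h                    ; Terminate and stay
              int      21h                         ; resident, exit code 0.
code          ends
              end      Start

;**********************;
; TASM /l Log_Open     ;
; TLINK /t Log_Open    ;
;**********************;
```

Run LOG_OPEN.COM, then DN.COM, and afterwards read the ring with DEBUG: the handler's segment is the word at 0000:0086 (the Int 21h vector, "d 0:84 L4"), and the offset of Names is in the listing TASM writes with /l. The handler never calls DOS itself, which is what keeps it safe inside an Int 21h hook (DOS is not re-entrant), and it only reads the caller's DS:DX, so the open proceeds exactly as it would without the TSR. Because the buffer is a ring, only the last NAMECNT opens survive; raise NAMECNT (keeping it a power of two) if the program you watch opens more files than that before the one you care about.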
 

Now, under DOS run CHECK_DN.COM and then DN.COM and... the Nagscreen is still present!
Re-boot, don't load SoftICE and try again: the NagScreen pops again!!

CONCLUSION:
The program doesn't check (and doesn't care) if you are debugging it or not,  the flag at [1E8A] is always equal to "0" (Bad_Guy) and will always display the "Hi, Hacker..." message in memory... conclusions? Draw your own conclusions!
 

Frog's Print - December 1997 - (c) Frog's Print All rights reversed

