Cracking using KERNEL32.DLL??
Amazing how things dont change!
student
Advanced
04 March 1998
by madmax!
Courtesy of Fravia's page of reverse engineering
 
fra_00F0
980304
madmax!
0010
AD
P4
Tsch tsch, madmax! Playing with kernel!
And THAT is exactly what makes the difference between master crackers and beginners!
What does a real reverser do? He reverses, of course :-)
Now, see, we have this windows overbloated world we must all swim inside... huge, heavy, slow applicationosauriers, stupidly chewing routines on the code planes... and look! The great reverser hunters come! Approaching swift, from beneath the codetrees! Man, that's an unfair match for the dick overbloated windoze protectors!
The reversers are CLEVER! They use TOOLS! They use dos and unix knowledge, and sharp assembly knives... and so the stupid, almost brainless applicationosurus lays dead... reversed in a pool of bloody code... have a good meal! burp!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner ( )Intermediate (X)Advanced (X)Expert
NO beginner

This essay will be like nothing you've ever read. This essay does get a bit detailed and will lose those not intimately familiar with Win95/NT and its inner guts. It will show how a program that seems unpatchable can be, through our last resort =)
Cracking using KERNEL32.DLL??
Amazing how things don't change!
Written by madmax!


Introduction

Deep within the Internet lies a great game...Subspace, by VIE(Virgin)

Having gone retail just recently, it was a matter of time till the 

protection came...And it did, quite well I might add.  How do we fix

a program that has CRC checks on itself and the memory it resides

in (active checking)???


Tools required
Winice 3.22
Hiew 5.66
W32Dasm 8.9 (Regged helps)
API Knowledge (Win32.Hlp will do)


Target's URL/FTP
Not available except in Demo =( You have to get 1.32 from Hybrid and get Regged update from http://subspace.vie.com/

Program History
First Protection Scheme

Essay
SubSpace, an online game has been around for a while now. I always found it hard to cheat in...I only did it for fun, not to ruin the game. But now the retail version came out and has added a CD-Check....Woohoo! Time to crack the ol' knuckles and sit down... If you have the retail, you will notice nothing different about the game till you go to play and a "Please insert CD..." msg flashes with a time limit... This brought a smile to my face, but little did I know...So I jump in Winice immediately and:
BPX GetDriveTypeA (Commonly used in Cd-Checks to find the CDROM)

It catches and I'm then in SubSpace code...The usual routine has the following pattern:

Find CDROM drive letter (GetDriveTypeA)
Get space free on CD (GetDiskSpaceFreeA)
If zero, then CD OK
Get Label of CD (GetVolumeInformationA)
IF label == 'SUBSPACE', then CD OK
Open 'INTRO.FLC' in CD Root Dir. (CreateFileA)
If exist, then CD OK
Get filesize of INTRO.FLC (GetFileSize?)
Cmp filesize to certain #
If equal, set a flag

I won't bother with source since most people reading this won't have access to the target, thus it means nothing...The more interesting part, and the point of this essay, is how we get around the check...We could just patch it with HIEW and go on, but a CRC check stops us...We patch the crc check, and memory checksums get us...Hard to debug since Winice's breakpoints(0CCh) throw off the values...So what do we do?? Well, I looked into API Hooking (Which IS NOT a prostitute with a Computer Science Degree =) and it didn't look promising...Then I get a flashback, thinking back to my AsmEdit essay.. TSR Crack! But this isn't the good ol' DOS environment, there is not a AX=25XX, INT 21h function for Winblows...So where would our point of attack be...Windows ITSELF!

I got this idea while attempting to fix a nuker on my own that had spread on IRC...Messing with important Win95 files is dangerous, toying with the kernel is just crazy...So we know SubSpace's first call in its protection scheme is to GetDriveTypeA..This API returns a 2 for floppies, 3 for HDs, and a 5 for CDROM (Other values dont interest us)...So I get this idea that we will essentially attack this protection like a FAKECD program would...We would emulate the files needed on our HD somewhere while a TSR emulates a CD

But were going to do this runtime...In Winice, type:
U GetDriveTypeA
You will see the assembly code for the API..write a portion of the code so we will find it on disk in kernel32.dll (I can't give my example because there are too many kernel32.dll's out there) But basically you have a short routine that does some weird compares and then goes on to another API with a JMP.....Like this:


:BFF777C4 57                      push edi

:BFF777C5 6A21                    push 00000021

:BFF777C7 2BD2                    sub edx, edx

:BFF777C9 68EFE2F9BF              push BFF9E2EF

:BFF777CE 64FF32                  push dword ptr fs:[edx]

:BFF777D1 648922                  mov dword ptr fs:[edx], esp

:BFF777D4 8B7C2414                mov edi, dword ptr [esp+14]

:BFF777D8 0BFF                    or edi, edi

:BFF777DA 7407                    je BFF777E3

:BFF777DC 2BC0                    sub eax, eax

:BFF777DE 8D48FF                  lea ecx, dword ptr [eax-01]

:BFF777E1 F2                      repnz

:BFF777E2 AE                      scasb



* Referenced by a Jump at Address:BFF777DA(C)

|

:BFF777E3 648F02                  pop dword ptr fs:[edx]

:BFF777E6 83C408                  add esp, 00000008

:BFF777E9 5F                      pop edi

:BFF777EA E9E5D4FFFF              jmp BFF74CD4

So we have this small routine..Where do we put our code?!? Well, lets set a BPX on that JE and see if it ever actually jumps... So BPX BFF777DA and run through Explorer or something that trips the BPX. You will see that nothing ever makes that damn JE jump! So we can assume (mainly because MS wrote it =) that this routine has little worth..So lets modify and optimize it:

(This routine is first called by SubSpace for the drive C:)


:BFF777C4 57                      xor  edx,edx      ; the only instr. kept

:BFF777C5 6A21                    mov  eax,[esp]    ; get calling routine

:BFF777C7 2BD2                    cmp  eax,413e6e   ; is it SS CD-Check?

:BFF777C9 68EFE2F9BF              jnz  BFF777EA     ; if not, continue API

:BFF777CE 64FF32                  mov  [esp+4],eax  ; save return address

:BFF777D1 648922                  pop  eax          ; inc ESP by 4

:BFF777D4 8B7C2414                mov  eax,5	    ; we are a CDROM!

:BFF777D8 0BFF                    ret

:BFF777DA 7407                    je BFF777E3       ; useless MS stuff 

:BFF777DC 2BC0                    sub eax, eax      ; HERE!

:BFF777DE 8D48FF                  lea ecx, dword ptr [eax-01]

:BFF777E1 F2                      repnz

:BFF777E2 AE                      scasb



* Referenced by a Jump at Address:BFF777DA(C)

|

:BFF777E3 648F02                  pop dword ptr fs:[edx]

:BFF777E6 83C408                  add esp, 00000008

:BFF777E9 5F                      pop edi

:BFF777EA E9E5D4FFFF              jmp BFF74CD4

As you can see, we have intercepted this API quite brutally...We are checking to see whether it was called by SubSpace everytime it runs...Simple enough! Now that we have fooled it to think C: is a CDROM drive, we move on to the Disk space free check:

(The original is similar to above, but with more garbage...Which helps, because this routine is a bit bigger...Heres the new and improved routine!)


:BFF778C5 2BD2                    xor  edx,edx      ; All MS is good for?

:BFF778C7 68B8E2F9BF              mov  eax,[esp]    ; get calling address

:BFF778CC 64FF32                  cmp  eax,491E22   ; is it SubSpace?

:BFF778CF 648922                  jnz  BFF77900     ; if not, continue API

:BFF778D2 8B4C240C                add  esp,14h      ; Real API returns alot

:BFF778D6 E302                    mov  [esp],eax    ; return point

:BFF778D8 8A01                    mov  [esp+18],eax ; where spacefree is ret.

:BFF778DA 8B4C2410                ret               ; go back...

:BFF778DE E302                    jcxz BFF778EA     ; rest of MS stuff

:BFF778E0 8B01                    mov eax, dword ptr [ecx]

:BFF778E2 8B4C2414                mov ecx, dword ptr [esp+14]

:BFF778E6 E302                    jcxz BFF778EA

:BFF778E8 8B01                    mov eax, dword ptr [ecx]

:BFF778EA 8B4C2418                mov ecx, dword ptr [esp+18]

:BFF778EE E302                    jcxz BFF778F2

:BFF778F0 8B01                    mov eax, dword ptr [ecx]

:BFF778F2 8B4C241C                mov ecx, dword ptr [esp+1C]

:BFF778F6 E302                    jcxz BFF778FA

:BFF778F8 8B01                    mov eax, dword ptr [ecx]

:BFF778FA 648F02                  pop dword ptr fs:[edx]

:BFF778FD 83C404                  add esp, 00000004

:BFF77900 E954D5FFFF              jmp BFF74E59

So, we intercepted this routine and forced it to return 0 for disk space free, like a CDROM...Now the only part left is the label check and the file check...

So simply, we label our C: drive SUBSPACE, and with a little asm program I stewed up, we make a file that is 37,433,486...Apply these patches to the KERNEL32.DLL and reboot... Cross your fingers and it will not crash!



Final Notes

This is indeed an interesting way of approaching a crack...I've never seen anyone use this method, probably because its so dangerous and has compatibility problems...I wanted to spread the idea I found to others so they may consider this technique in the future...The main problem with using KERNEL32.DLL is that MS has so many damn versions of it, its crazy to make a patch for em all...

Amazing, no matter how far DOS goes away, its roots still follow us in cracking! TSR cracking is kind of a hobby of mine =) It's different!

PS - If you play SubSpace alot, buy the game...It's like 30 bux or something. I did this because I wanted the challenge! =)

Oh Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside fravia's page of reverse engineering, choose your way out:

projecT3
Back to advanced cracking

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?

______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com