Find and patch an injected DLL
Posted on: 2005-5-12 19:00

Target: CreateInstall version 2003.3.5 (3w.gentee.com)

Tools used:

SoftIce 4.05
IDA 4.0.4
Hiew 6.11
RVA Convertor 1.1
Note: the product version (and the product itself) doesn't matter; what matters is that everything worked and that you understand what you are doing. The second thing to keep in mind is that all addresses, values and numbers that correspond to disassembled code are given in hexadecimal; all other numbers are decimal.

Author: Wizard
Date: 14.01.2004
Difficulty: newbie
Origin: Vision is the art of seeing things invisible. Adam Smith.  

About the product  
CreateInstall is a versatile tool for creation of application installers, self-extracting archives etc. CreateInstall has a very impressive set of features, including the built-in scripting language that can be used for creation of the installation scripts.

CreateInstall is very user-friendly and you will find that most of its features are logically grouped into multiple wizard-like pages. If you do not need a feature, just leave the default value in the parameter and it will most likely suit your needs. Now, let's create professional, tightly-packed setup programs for your great applications!

Key features:
Easy Wizard. You can create your setup with Wizard during 10 minutes.
Powerful script programming language. The embedded programming language is powerful enough that you can build whatever setup you want.
Excellent compression. There are several compression algorithms (including Cabinet LZX).
The small size of the extractor module, which is added to the files being installed. It is about 50-55 KB (with uninstaller).
Macro support. You can use macros during installation or making setup.
Setup sources. About 150 KB sources for setups are available.
Multi-language setups. You can create multi-language installation without any problems.

What is the Trial?  
The program help says the following.

CreateInstall is not freeware. After using CreateInstall for 30 days, you must either purchase it or delete it from your computer.

During the 30-day trial period, you may test the program and create installation programs without any restriction. However, all installations created with the trial version will display a 'nag' message at the beginning of the installation process.

Knowing all the above, let's try to compile a little project. Run CreateInstall (CreateInstall.exe). Choose the Project/New menu. Type "Biw project" in the project name field and press OK. Change the output folder parameter (on the Project tab) to the path where the future installation will be created (e.g. "C:\TMP\Biw project").

Go to the Files tab, push the "+" button, then add some files to your project. You also have to set a group name, e.g. "BiW". After that press the OK button. Switch to the Wizard tab and choose General from the list below. Type "Biw application" in the Application name field. Now choose the Unpack tab, press "+", select "BiW" (or whatever you named it) from the Data Group Name combo box, then push OK.

Now make sure that the setup will include the uninstaller. This is done on the Uninstallation tab. Check that the "Include Uninstaller" flag is set (it should be set by default).

Leave all the other parameters as they are. Select the Setup/Make Setup menu item and wait a while. The program should write "Finish successful" in the console window. Press any key to close it, then close CreateInstall itself. Let's prepare to look at what we have just created.

The installation we've made  
Run setup.exe from the folder you specified as the output (mine was in "C:\TMP\Biw project"). What do you see? A message that says: "This setup was made with CreateInstall (unregistered Trial version)...", bla, bla, bla... You may also have noticed that we had to wait 3 seconds before the "Continue" button appeared. After that period the button changed its caption to "Continue" and became enabled.

Do not press the button yet. Fire up SoftIce, type "bpx DestroyWindow" in it, and let it run (F5). Note: I used that API function because I didn't know what the NAG window was created with. I mean that the window could have been created with different API functions, like MessageBox, CreateDialog, CreateWindow, etc. Who knows which function the program uses. Of course you could find out by disassembling the module, but that's not always possible. That's why, by breaking on the DestroyWindow API, you can be 99% sure that you will find the place the NAG window was called from.

Now push the button... Bang! SoftIce has popped up. Press F11 to return from the called function. Then push F12 four times (the number of times depends on the program you're cracking). You should settle down here:

1000C240 : A1A03C0110   mov eax,[10013CA0]
1000C245 : 6A00         push 00            
1000C247 : 68F0C10010   push 1000C1F0      
1000C24C : 6A00         push 00            
1000C24E : 6A73         push 73            
1000C250 : 50           push eax            
1000C251 : FF15DC010110 call DialogBoxParamA ; creates modal dialog box
1000C257 : C3           ret                  ; <= you should land here

That's the dialog you've seen. Now press F10 to return from the call and you will be taken here:

1000D0C7 : E834FDFFFF   call 1000CE00
1000D0CC : 83F802       cmp eax,02           ; if (eax != 2) bad boy
1000D0CF : 7405         je 1000D0D6          ; jumps if registered
1000D0D1 : E86AF1FFFF   call 1000C240        ; the NAG lays here
1000D0D6 : E835BAFFFF   call 10008B10        ; <= you're here
1000D0DB : 68AC370110   push 100137AC
1000D0E0 : 6A00         push 00
1000D0E2 : 6A04         push 04
1000D0E4 : 6800D00010   push 1000D000
1000D0E9 : E8C25EFFFF   call 10002FB0

I suppose everything's pretty clear here. The program brings up the splash when eax is not equal to 2. Well, how will it ever be equal to that number if you're not a registered user? That's right, it won't. Thus, you have to change one byte in the code to shut up the NAG.

You have to change byte 74 to EB at address 1000D0CF. By doing that you make the program jump over the dialog call. Now we know what to do to avoid the message, but where will we find that code? Look at the name of the module we're currently in. Its name is "gert0!.text+C0D1" or something like that (it may depend on the program version).

Now we have all the information we need. Clear the breakpoint we set before with the command "bc 0", and let the program run (F5 or Ctrl+D by default).

Doomed to destruction  
Do not install the program yet, and don't exit the installation. Otherwise it will delete all its temp files and we won't find the file we need.

Let's search for the file. As I work under Windows XP, my TEMP folder is "C:\Documents and Settings\Leon\Local Settings\temp\". If you don't know where yours is, check your environment variable settings. It's very important to know where your TEMP is, because otherwise you won't find the file we need.

Search your TEMP folder for a file whose name starts with "gert0". I found one named "gert0.dll". Its size is 90,112 bytes. We could already guess that it's a DLL, because in SoftIce we saw all the addresses begin with 1000. DLLs usually load at such (or similar) addresses.

Let's go into the CreateInstall directory. Start your favorite shell (personally I use FAR) or some string searcher and search for the message we saw. Search for the string "This setup was made", but over the whole program directory. In other words, search from the root of the CreateInstall folder including all its subdirectories.

I found that NAG in only one file, "inststd.dll", which lies in the subfolder "Resource". Besides, its size is the same 90,112 bytes. You may compare "gert0.dll" with "inststd.dll" to find out that they're absolutely binary equal.

When we made setup.exe, the installation creator included "inststd.dll" into it. Therefore CreateInstall always includes that DLL in a compiled project. Thus we have to patch that DLL only once, and all future projects will be patched (they will be without the NAG).

Now continue the installation into a directory of your choice (e.g. "C:\A\Biw application"). Once you've done that, go into the folder you chose during the installation. In it you'll see all the files you specified during the project compilation and also two more files: uninstall.exe and uninstall.ini.

Run uninstall.exe. You see the same message here. What does it mean for us? It means only one thing: the NAG is located ONLY in the file "inststd.dll" and nowhere else. Thus, once we patch it, all the reminders will be blown away from both our installer and uninstaller.

Now uninstall the program and let's patch the cursed DLL.

A million bucks for a byte  
Start RVA Converter. Open the file "inststd.dll" in it. Input 1000D0CF as the RVA value. You will get D0CF as the real file address. We take this address because the jump at that address is what decides whether the message is shown or skipped. After the patch your file should look like the listing below.
D0C7 : E834FDFFFF   call 1000CE00
D0CC : 83F802       cmp eax,02         
D0CF : EB05         jmp 1000D0D6    ; set registered status forever
D0D1 : E86AF1FFFF   call 1000C240   ; <= always jump over this NAG
D0D6 : E835BAFFFF   call 10008B10

Compare the patch by checking the table below.

Address | Original opcode | Original mnemonics | Patched opcode | Patched mnemonics
--------+-----------------+--------------------+----------------+------------------
D0CF    | 74 05           | je 1000D0D6        | EB 05          | jmps 1000D0D6
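The RVA Converter step above, as an added example (this is not the page's tool or the product's code): the same mapping done by hand from the PE section table, which is how an analyst ties an address seen in a debugger to the bytes of a module on disk, for instance to verify what a dropped temp DLL is or whether the on-disk file has been modified at that location. The PE header in build_sample_pe is constructed for the example, with the values the tutorial reports (ImageBase 10000000, .text at RVA 1000 backed by raw offset 1000); it is not the real inststd.dll.

```python
import struct

def parse_sections(pe: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from a PE's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24                                       # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                      # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return image_base, sections

def va_to_file_offset(pe: bytes, va: int):
    """Map a virtual address (as shown by the debugger) to (section name, file offset)."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            off = rva - sva
            if off >= rsize:
                return name, None   # in the zero-filled virtual tail, no bytes on disk
            return name, rptr + off
    return None, None               # header or unmapped address

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header: ImageBase 0x10000000, one .text section."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 1)            # i386, 1 section
    struct.pack_into("<H", hdr, 0x54, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 28, 0x10000000)      # ImageBase
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", hdr, 0x58 + 0xE0, b".text", 0xE000, 0x1000, 0xE000, 0x1000)
    return bytes(hdr)
```

With this layout va_to_file_offset(build_sample_pe(), 0x1000D0CF) gives (".text", 0xD0CF), the same file address the tutorial obtains, and 0x1000D0D1 lands at .text+C0D1 as SoftIce reported.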

Note: disassemble the file "inststd.dll" with IDA. Try searching for "call 1000C240" over the whole disassembly listing. You will find that string only once. You might say: so what? This call causes the NAG to appear, so if it is here it could be anywhere else in the executable as well. That's why we have to find all the places where it might be.

The advice! If you ever find more than one such call, DO NOT patch every place you've found it, but patch the call itself so that it returns the value the program needs to think it's registered.

Run CreateInstall. Compile your project again. Run the new setup.exe. WOW! There's no crappy message at all. Good. Let's finish the installation. Go into the folder into which you've just installed all the files ("C:\A\Biw application"). Run uninstall.exe. Double WOW!! No damn NAG here either. Well, it's because our conjecture was right: the same DLL was used for the installer and the uninstaller during the compilation of the project.

That's all for that DLL, but there are some things I don't like in this program. They should be corrected.

Fixing "wrong" inscriptions  
There's one thing left to do: remove the word "Trial" from the main program caption and from the About dialog of the Help menu.

Open CreateInstall.exe with Hiew. Search for the string "CreateInstall Trial", exactly as we see it in the caption. I found one at address 38DDE. To remove the damn word, just change byte 20 at 38DDD to 00. That's because we've found a C-style string, which is terminated by a null (00) byte. Thus, if we put a null somewhere in the string, it will be terminated exactly where we put the null character. Note: all C strings are terminated by a null character, but Delphi strings carry their length at the beginning. They store the length in the first byte or in the first four bytes, depending on the string type.

Now search for the word "Trial". You might have seen this word in the Help/About dialog. I found it at address 390A8. It looks like "Trial v%s", a usual C construction. Replace it with " Full v%s". In other words, replace the word "Trial" with " Full". It has to be done this way, because if you put a null byte as the first byte, the program will think there's no string at all (a string of zero length).

Run CreateInstall.exe. It looks good now. No delirious "Trial" word in the caption. Check the Help/About dialog as well. In this dialog we see our " Full" word instead of the original. Now, when you see it, you understand why we added one space at the beginning of the string.

Final words  
Set your system clock, let's say, 5 years forward and run the program again. It works fine. It means the help is honest and the programmers included only the sticky message at the start of an installation. OK, now set your clock back to the current date.

That was a short and easy story. I hope you learned something from it. As for me, I like that program very much, because it's fast and takes little HDD space. To be honest, I've never seen such a good install maker. It has a pretty fast compressor and a fast decompressor. InstallShield has nothing on CreateInstall, because the former is too slow. In other words, I recommend you use this tool, because I've seen a lot of tools of this kind and I can say that CreateInstall is one of the best in its class. The only pity is its weak protection.
