"Noo, Dos cracking is not dead, Dos is still VERY important for reverse engineering purposes, Windows is more "transient" than DOS, you are well advised to learn dos cracking -and tsrring- techniques, study dos and dos protections every time you get a chance to find one, fish SoftICE DOS last version 92 out of the web... etcetera."
As the name says, DOS Navigator v1.5 (available at http://www.ritlabs.com/dn/ from the authors of THE_BAT!, an e-mail program with a nice protection that may drive some newbies crazy...) is a DOS file manager.
It can handle any kind of file manipulation, viewing, editing, drag & drop, and includes a disk editor and even two versions of the famous Tetris. It doesn't support Windows 95 long filenames (I really couldn't care less about that because I don't like long filenames and I'm still using the 16-bit Winfile.exe -: ).
It's a useful tool, especially when you get stuck at the DOS prompt because Win95 doesn't want to load...
It is shareware and has a nagscreen reminding you of that each time you run it.
Right after installing it, here is the listing of the files in its directory:
DN.COM 1 778 <= "Launcher"
DN.OVR 762 170
DN.PRG 132 720 <= .Exe file packed with PKLITE
DN.LNG 17 952
DN.DLG 57 031
We can see that DN.COM is 1.7 KB and can only be a "launcher" (the file is full of "jmp xxxx:xxxx"). Judging by its extension, DN.PRG seems to be the main program. After opening it with a hex editor, we can see it is an EXE file and that it has been packed with PKLITE.
The programmers made a small mistake here, because PKLITE has an option to make the compressed file unextractable but they didn't use it (or maybe those naughty guys from Ritlabs don't have a registered version of the famous PKWARE soft! -: ). Anyway, we will not unpack it; that is not the purpose of this essay.
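The two checks made by eye in the hex editor above (is it really an MZ executable, and does the header area carry a PKLITE banner) are easy to automate for triage. This is an added example, not code from the essay or from Ritlabs; the header it parses is constructed here, not DN.PRG's, and the packer check is a heuristic string match on "PKLITE" in the space between the fixed header and the relocation table.

```python
import struct

MZ_HEADER = struct.Struct("<2s13H")  # the 28-byte (0x1C) fixed DOS MZ header


def parse_mz(data: bytes) -> dict:
    """Parse a DOS MZ header and report what an analyst checks first:
    header size, load-module size, entry point and a known packer banner."""
    if len(data) < MZ_HEADER.size:
        raise ValueError("file too small for an MZ header")
    (magic, cblp, cp, crlc, cparhdr, minalloc, maxalloc,
     ss, sp, csum, ip, cs, lfarlc, ovno) = MZ_HEADER.unpack_from(data, 0)
    if magic not in (b"MZ", b"ZM"):      # DOS accepts both byte orders
        raise ValueError("not an MZ executable")
    header_size = cparhdr * 16           # header length is given in paragraphs
    # Load module: e_cp pages of 512 bytes, the last page only partly used
    # when e_cblp (bytes on last page) is non-zero.
    image_size = cp * 512 - (512 - cblp if cblp else 0)
    # PKLITE leaves its copyright banner in the padding right after the fixed
    # header, so a "PKLITE" string in that area identifies the packer.
    banner_area = data[MZ_HEADER.size:header_size]
    packer = "PKLITE" if b"PKLITE" in banner_area else None
    return {
        "header_size": header_size,
        "image_size": image_size,
        "relocations": crlc,
        "entry": f"{cs:04X}:{ip:04X}",
        "packer": packer,
    }


# Constructed sample (not DN.PRG): a 256-byte header whose fields describe an
# 18-page image with 400 bytes on the last page, followed by a PKLITE-style banner.
SAMPLE_EXE = bytearray(256)
MZ_HEADER.pack_into(SAMPLE_EXE, 0, b"MZ", 0x0190, 0x0012, 0, 0x0010, 0x0010,
                    0xFFFF, 0x0200, 0x0100, 0, 0, 0x0010, 0x0040, 0)
BANNER = b"PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved"  # constructed
SAMPLE_EXE[0x1E:0x1E + len(BANNER)] = BANNER

if __name__ == "__main__":
    print(parse_mz(bytes(SAMPLE_EXE)))
```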
As there's a nagscreen but no registration dialog box, I just assume that the program is looking for a .reg or .key file. So let's see:
Load DN.COM with SoftICE (with any version of the S-ICE Symbol Loader for DOS - I am using DLDR.EXE v3.1 from S-ICE DOS v2.95 here) and BPINT on Int 21h function 3Dh (open existing file, DS:DX=ASCIZ filename - returns AX=file handle or error code):
BPINT 21 IF ah==3d do "d ds:dx"
At the 12th break you can see in the data window that Dos Navigator is looking for DN.KEY. Of course it will return a #2 error code (file not found), as this is the registration key file and it is not included in the shareware package.
I simply copy a file into its directory, rename it to DN.KEY, and, using the same BPINT, run the program again.
When the break occurs, I set a conditional BPINT on Int 21h/AH=3Fh (read from file):
BPINT 21 IF ah==3f && bx==?? (put here the DN.KEY handle returned in AX by the last open_existing_file call)
At this point, I was about to try to decrypt the registration procedure. I still had the SoftICE data window pointing to DS:DX, and then, about one minute later, I saw the following message in this memory area:
HI, Hacker Nice To See You Here!
I was just wondering if there was any Anti-Cracker/Debugger trick that was about to crash my PC. I noted the Offset location and decided to go ahead to verify this. So, "F12" and I got there at offset xxxx:1ADB (in DN.PRG):
1AC6 mov bp,sp
1AC8 cmp byte ptr [1E8A],00 ; Any_Cracker_Around ?
1ACD jz 1AD1 ; 1) Yes, send him the message
1ACF jmp 1AF7 ; 2) No Cracker there, go ahead
1AD1 les di, [bp+06]
1AD4 push es
1AD5 push di
1AD6 call xxxx:0020 ; "Hi Hacker..."
1ADB les di, [bp+06]
1AF8 retf 0004 ; Back to caller
Pressing "F12" again we land here:
Any_Cracker_Around routine we come from
18A6 push 0100
18A9 push 9DD1 ; "key"
18AC push 00
18AE push 00
18B0 call xxxx:19A0 ; Check if registered
18B5 or ax,dx ; Is it?
18B7 jnz 18C8 ; Good_Guy jump
18C3 call xxxx:0034 ; NagScreen
18C8 mov di,9BBA ; Go_Ahead
Obviously, patching the JNZ at offset 18B7 would get rid of the nagscreen. The crack is done, but what about our "Any_Cracker_Around" routine?
The message doesn't appear on the program screen, only in the memory area where DS:DX pointed. It didn't crash or otherwise affect the program.
Let's find out how Dos Navigator checks whether we are debugging it (or whether SoftICE is loaded).
First I checked the usual DOS tricks to detect SoftICE (i.e. Int 2Fh/AX=1684h/BX=0202h/DI=0/ES=DI...), then the stupid anti-debugging tricks (Int 01h, Int 03h), but didn't find anything.
Then, as I knew that the program used a "cmp byte ptr [1E8A],00" to check if we are debugging it, I thought the best approach would be to write a TSR that would check [1E8A]. It would work like this:
1) Grab an interrupt as close as possible to the "Any_Cracker_Around" routine.
2) Check the flag at [1E8A]:
   a) If "0" (cracker detected), do nothing, restore the interrupt and go ahead (nagscreen...).
   b) If "1" (no debugging), get rid of the NagScreen and go ahead.
3) Restore the original interrupt used by Dos Navigator.
We must grab an Int as close as possible to the routine because, during its execution, the program jumps back and forth between DN.COM and DN.PRG, and the routine is only loaded at the last moment. As this happens during program initialization, intercepting Int 10h should be fine.
I found a good one:
Int 10h / AH=03h (get cursor position and size). The routine to check is loaded right before the call to this Int (but is located far from it).
And now, the TSR:
; Check_DN.asm - TSR hooking Int 10h.  Build: TASM Check_DN  then  TLINK /t Check_DN
code     segment
         assume  cs:code, ds:code
         org     100h                    ; .COM file
start:   jmp     Install

; Saved address of the original Int 10h handler (read back as one dword).
int10off dw 0                            ; offset
int10seg dw 0                            ; segment

; Our new Int 10h handler.
NewInt10:
         pushf                           ; Save flags.
         cmp     ax,0300h                ; Check if it is the right call
         jne     Exit                    ; (AH=03h, AL=00h), otherwise exit.
         cmp     cx,0020h                ; CX value seen on that call in DN,
         jne     Exit                    ; used to single it out.
Check_Flag:
         push    ax                      ; Save ax,
         push    bp                      ; and bp.
         mov     bp,sp                   ; Frame: [bp]=bp [bp+2]=ax [bp+4]=our flags
                                         ; [bp+6]=caller IP [bp+8]=caller CS.
         mov     ax,[bp+8]               ; Get the caller's segment in DN.PRG.
         add     ax,2F0Fh                ; +2F0Fh to get the segment to check.
         push    es                      ; Save es
         push    di                      ; and di.
         push    ax                      ; Push ax
         pop     es                      ; and pop it back into es.
         mov     di,1E8Ah                ; Offset to check.
         cmp     byte ptr es:[di],0      ; Check the AntiCracker_Flag.
         je      Bad_Guy                 ; If 0 (Bad_Guy), then jump...
Patch_Nag:
         sub     ax,309Fh                ; -309Fh to get the segment to patch.
         push    ax                      ; Save it
         pop     es                      ; and pop it back into es.
         mov     di,18B7h                ; Offset to patch (the JNZ).
         mov     byte ptr es:[di],74h    ; JNZ -> JZ: get rid of the NagScreen.
Bad_Guy:
         pop     di                      ; Restore di,
         pop     es                      ; es,
         pop     bp                      ; bp,
         pop     ax                      ; ax
Exit:    popf                            ; and flags.
         jmp     dword ptr cs:[int10off] ; Chain to the original Int 10h.

; Installation part (not kept resident).
Install:
         mov     ax,3510h                ; Get interrupt vector 10h.
         int     21h                     ; ES:BX = current Int 10h handler.
         mov     int10off,bx             ; Save it
         mov     int10seg,es             ; for chaining.
         mov     ax,2510h                ; Set interrupt vector 10h.
         mov     dx,offset NewInt10      ; DS:DX = our new handler.
         int     21h
         mov     dx,Install-start+100h+15 ; DX = resident size in bytes (PSP included, rounded up).
         mov     cl,4                    ; Divide by 16 to get
         shr     dx,cl                   ; the size in paragraphs.
         mov     al,0                    ; Exit code.
         mov     ah,31h
         int     21h                     ; Terminate and stay resident.
code     ends
         end     start
Now, under DOS, run CHECK_DN.COM and then DN.COM and... the Nagscreen is still present!
Re-boot, don't load SoftICE and try again: the NagScreen pops again!!
The program doesn't check (and doesn't care) whether you are debugging it or not: the flag at [1E8A] is always equal to "0" (Bad_Guy), so the "Hi, Hacker..." message is always written to memory... conclusions? Draw your own conclusions!
Frog's Print - December 1997 - (c) Frog's Print All rights reversed