Content of the essay: hiding
Windows applications, cracking Wingate, registry settings
Case study: you are working for a company, and your Internet access is cut (for various reasons, all leading to money). What do you do?
Software needed: Wingate 1.3.17 proxy server ( a very good, fast and tiny proxy server, running on all Win32 platforms ) you can download it from www.deerfield.com/wingate
Tools: w32dasm, soft-ice, c compiler, resource workshop.
Hi again, folks. I read Reverser's essay about survival strategies in a corporation environment, and I thought to give my contribution to the cause. So, here is the story:
A while ago, my boss searched some computers in our office and found some interesting files of mine. He didn't like them, so he cut off my Internet connection. Of course I was desperate, I cried two days and two nights :o) .But then, I wiped my tears and started working on the problem. My idea was to use a proxy server installed on another computer, and to connect through that proxy. Several problems were involved here but the biggest one was that the proxy server must be invisible, and, obviously, consume very little memory. First I had to choose the proxy software. I heard about Micro$oft Proxy, so I went to M$ site. Here are the requirements:
35 Megs of HD space
Win NT Server 4.0
IIS 2.0 ??!!!
This really sucks. I need a NT Server to run the proxy, and Internet Information Server. Why the hell do I need a web server to run a proxy server? Beats me. So I dropped MS Proxy. I wanted to be able to run the proxy even on a pure win95 machine, without any sucking web server or service packs. So a simple search on the web led me to the proxy software of my dreams: Wingate. Here are the specs, to compare with the MSProxy:
300 K of HD space
Win95, NT Workstation, Server ...
Eeeh...! What do you think bout this difference? And both programs do the same thing!
The first problem was to hide the proxy. After a little search through win32.hlp file I found the solution: we can use ShowWindow(SW_HIDE) and the window will disappear from the task bar and Alt+TAB menu. In Windows NT it will disappear even from the process list in Task Manager. In Win95 it will still appear in Ctrl+Alt+Del dialog. So I did 2 little programs to hide my program. First, launch.c, launches the proxy server and hides it, then exits. The name of the proxy program is xor-ed in the code, so a dump on the exe file won't reveal the name of the launched program.
Second, browse.c, is a little utility which lists all windows from the system ( even those hidden ) and you can choose what to hide and what to show. This is useful to show the proxy server after you hide it.
After that, I cracked the wingate (I'll talk later about this). Then I used Borland Resource Workshop (thanx Reverser for the tip) to remove the icon of the program, so nobody can imagine what it is. Then copied launch.exe and wingate.exe in the windows dir of the target computer, and of course renamed them to some inoffensive names, so they will not get the attention of the user. This is very important, since the name will appear in Ctrl+Alt+Del dialog. So choose a name like csrss.exe, osa.exe or any background process which is not running.
To start the proxy server every time the computer boots, I put launch.exe in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey. So the proxy will be launched in a hidden window every time somebody logs in . Nobody will know that the proxy is running, and the hacker/cracker is happy. Version 2.0 of Wingate will allow the proxy to run as a service, so it even won't be necessary to log in.
More counter measures:
You have to be more careful when browsing through your hidden proxy.
First, disable disk cache in Netscape, so they cannot see what you did. Leave only the memory cache, and eventually increase its size.
Second, use different ports than default, for the proxy. For example DO NOT leave http proxy on port 80 (the default number). Put a port like 1276, so they cannot find it through a network scan.
Another problem is that they can look into your Options/Network Settings/Proxy information submenu , and see the address and port of the proxy server.That's why is necessary to have a little utility to erase the proxy information from the options with a simple click of mouse. Make a little C program which calls RegDeleteKey. The important keys (for Netscape Navigator) are:
HKEY_CURRENT_USER/Software/Netscape/Netscape Navigator/URL History.
Delete these keys, and your tracks are gone. You can make another utility to put back all these settings.
Now the crack for Wingate:
Wingate has a user name-password type protection, combined with a time limit protection. There are 4 types of licenses:
- 1 user free license (unlimited time)
- unlimited number of users (1 month time limit)
- 2,5 or 10 users (unlimited time)
- unlimited no of users (unlimited time) the most powerful one
Start disassembling the file with w32dasm. Search the source for "Invalid Information" string. Found one location. Right before this location we can see that this code is referenced by a conditional jump at 402DCD. Around this address we find:
:00402DB0 68C4DC4400 push 0044DCC4 :00402DB5 8D45F0 lea eax, [ebp-10] :00402DB8 50 push eax :00402DB9 8975F0 mov [ebp-10], esi :00402DBC 68B8DC4400 push 0044DCB8 :00402DC1 68C0DC4400 push 0044DCC0 :00402DC6 E8455E0100 call 00418C10 :00402DCB 85C0 test eax, eax :00402DCD 0F8449010000 je 00402F1C ;if eax==0 jump to Invalid Reg no! :00402DD3 3975F0 cmp [ebp-10], esi :00402DD6 0F84E5000000 je 00402EC1 ;if equal skip verification of expiry date ;--------------------- verify expiry date ----------------------- :00402DDC 8D45E0 lea eax, [ebp-20] :00402DDF 50 push eax :00402DE0 E81B7B0100 call 0041A900 :00402DE5 DD00 fld qword ptr [eax] :00402DE7 E8BC8C0100 call 0041BAA8 :00402DEC 3B45F0 cmp eax, [ebp-10] ;--------------------- done verify ------------------------------- :00402DEF 7E43 jle 00402E34 ;if reg no has not expired jmp Good guy :00402DF1 56 push esi :00402DF2 56 push esi * Possible StringData Ref from Data Obj ->"This key has now expired." | :00402DF3 683C954400 push 0044953C :00402DF8 E800100300 call 00433DFD ;call showMessageBox
At address 402DC6 there is a call, and right after a test
eax,eax. If eax=0 the the reg number is invalid! If we change the
je to jne we'll receive a message that "this reg no has
expired!". But after the jump equal, at address 402DD3,
there is another comparison: if esi == [ebp-10] then the
registartion number isn't time limited. Changing this with cmp
esi,esi and nop will give us unlimited time.
Now I want unlimited numbers of users. For this I have to step into the routine which is called at 402DC6. This routine takes four parameters:
push 44DCB8 ---------> this is the reg no user has typed
push eax ---------------> I dont know what is this
push 44DCB8 ---------> see bellow
push 44DCC0 ---------> this is the user name
call 418C10 -----------> the check routine
Using Soft-Ice I was able to see that 44DCC0 is the user name,
and 44DCB8 is the reg no. But what is that 44DCB8 address? With a
little feeling ( ORC calls this Zen ) I guessed that this could
be the number of users (licenses). So, the check routine takes
user name and reg no, verify the reg code, and returns the number
of licenses taken from the reg no. It sets eax to zero if reg no
If we have an unlimited number of users license, than the 44DCB8 must have 0xFF or 0x00. 44DCB8 is the 3rd parameter pushed on stack, so it is at the address [EBP+0C] inside the routine. We'll search through the following code after EBP+0C.
Here is the code for the check routine, with some comments (part of it):
* Referenced by a CALL at Addresses: |:00402DC6 , :0040FC1E | :00418C10 64A100000000 mov eax, fs: :00418C16 55 push ebp :00418C17 8BEC mov ebp, esp :00418C19 6AFF push FFFFFFFF :00418C1B 687E8D4100 push 00418D7E :00418C20 50 push eax :00418C21 64892500000000 mov fs:, esp :00418C28 81ECA4000000 sub esp, 000000A4 :00418C2E 53 push ebx :00418C2F 56 push esi :00418C30 57 push edi :00418C31 8B7514 mov esi, [ebp+14] :00418C34 8B06 mov eax, [esi] :00418C36 8378F818 cmp [eax-08], 00000018 ;check length of reg code :00418C3A 7415 je 00418C51 ;if it's 24 then go on; good guy * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00418D6E(U) | :00418C3C 33C0 xor eax, eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00418D5D(U) | :00418C3E 8B4DF4 mov ecx, [ebp-0C] :00418C41 5F pop edi :00418C42 64890D00000000 mov fs:, ecx :00418C49 5E pop esi :00418C4A 5B pop ebx :00418C4B 8BE5 mov esp, ebp :00418C4D 5D pop ebp :00418C4E C21000 ret 0010 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00418C3A(C) | :00418C51 33FF xor edi, edi :00418C53 33DB xor ebx, ebx ;---------------------------------------------------- ; here is some math stuff, I don't even look at it ; the interesting part is here, to the end of the routine ;----------------------------------------------------- :00418D31 3A5DEC cmp bl , [ebp-14] :00418D34 752C jne 00418D62 ;if not equal exit-invalid reg no :00418D36 837DE800 cmp [ebp-18], 00000000 :00418D3A 7526 jne 00418D62 ;exit - invalid reg no :00418D3C 8B450C mov eax, [ebp+0C] ; HERE IS [EBP+0C] !!!!!!! :00418D3F 8A4DED mov cl , [ebp-13] ; mov cl<-no of users :00418D42 8B55E4 mov edx, [ebp-1C] :00418D45 8808 mov [eax], cl ; mov 44DCB8<-cl :00418D47 8B4510 mov eax, [ebp+10] :00418D4A C745FCFFFFFFFF mov [ebp-04], FFFFFFFF :00418D51 8910 mov [eax], edx :00418D53 E830000000 call 00418D88 :00418D58 B801000000 mov eax, 00000001 :00418D5D E9DCFEFFFF jmp 00418C3E
So to crack this routine we'll have to change 4 things:
1. check of the string length cmp [eax-08], 00000018 change with cmp eax,eax , nop
2,3 two jumps at 418D34 and 418D62
4. put unlimited no of users in cl at address 418D3F mov cl, [ebp-13] change with mov cl,ff , nop
There is another problem. as you can see at the beginning of the routine, it is called twice. And this makes sense. Once is called when you register the program, and twice, when the program starts, it looks in the registry to read the settings, then verifies the reg code again. Cracking the second call is identical with the first call.
That's all folks.
This program is very useful to me. I wish I could pay for it, but I don't have the money. The authors deserve support* from us, so they can continue to build such a tiny and wonderful programs, and to fight against Micro$oft and their overbloated programs.
Bye!(c) +Yamato 1997