It is performing a simple decryption of a block of code from address 500h and putting it in address 1000h. In addition, there is a checksum being performed at address. The program is adding all those bytes up, then comparing the number with some other number (a checksum value) in memory at address 4300h. So what, you may say. When the program is run without any set breakpoints, the program will run fine. But when you start tracing through the code, or putting a breakpoint somewhere after the loop, the program will cause you to exit. If you decide to change the program so that it will let you pass regardless of the checksum value, somewhere along the line, the program will fuck up.

This goes back to the idea of INT 3. Right before debug executes an instruction, it places an INT 3 at the next instruction. In this program, when debug places this interrupt and executes an instruction, the program is reading in this INT 3 at the address and copies it to a different address. INT 3 is obviously a different number than the other instructions, so the checksum value will be different. So, now that INT 3 is copied to another location in memory, debug also cannot replace that with its original byte value. Therefore, if you try to force the checksum to match and continue running the program, the program will crash because the INT 3 is causing the instructions after itself to be interpreted incorrectly by the CPU.

To bypass this, you have to make sure not to get your INT 3 placed in the wrong place at the wrong time.

Page 22  The Cracking Manual

Looking at the program, you can keep tracing normally until the SI register points to any byte past the CMP instruction at address 519h. Then, you can do a "G 518" to finish off the loop quicker. Debug will place a temporary INT 3 at address 518h, but it doesn't matter now since SI will be past 518h. This is obviously a simple example, but it gets the point across that you have to watch where you trace.
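As an added example (not code from the manual), the following Python model reproduces the loop the text describes: bytes from 500h are decrypted into 1000h while being summed, and the sum is compared with the checksum stored at 4300h. It shows why the check fails when the temporary INT 3 at 518h is read by the loop, and why it passes when the breakpoint is only written after SI has moved past 519h. The addresses are from the text; the XOR key, block length and sample bytes are constructed.

```python
# Constructed model of the self-checking decryption loop described in the text.
# The block read from 500h overlaps the loop's own code (the CMP at 519h), so a
# breakpoint byte DEBUG writes inside that range can itself be read and copied.
SRC, DST, CHECK_ADDR = 0x500, 0x1000, 0x4300   # addresses from the text
BLOCK_LEN = 0x20            # constructed: 500h..51Fh, covering 518h and 519h
KEY = 0x5A                  # constructed XOR key; the manual does not give the real scheme
INT3 = 0xCC                 # opcode DEBUG plants at the next instruction while tracing

def build_memory():
    """Return a constructed 64 KiB segment with encrypted code and its stored checksum."""
    mem = bytearray(0x10000)
    plain = bytes((0x90 + i) & 0xFF for i in range(BLOCK_LEN))   # constructed sample bytes
    for i, b in enumerate(plain):
        mem[SRC + i] = b ^ KEY
    checksum = sum(plain) & 0xFFFF           # the value the loop is expected to reproduce
    mem[CHECK_ADDR] = checksum & 0xFF
    mem[CHECK_ADDR + 1] = checksum >> 8
    return mem

def run_loop(mem, breakpoint_at=None, si_when_placed=SRC):
    """Emulate the loop. If breakpoint_at is set, DEBUG wrote INT 3 there at the moment
    SI == si_when_placed: reads of that address after that moment see 0CCh, reads made
    before it saw the real byte. Returns (checksum_ok, decrypted_copy)."""
    mem = bytearray(mem)
    total = 0
    for si in range(SRC, SRC + BLOCK_LEN):
        raw = mem[si]
        if breakpoint_at is not None and si == breakpoint_at and si >= si_when_placed:
            raw = INT3                       # the temporary breakpoint is what gets read
        b = raw ^ KEY
        mem[DST + (si - SRC)] = b            # the corrupted byte lands in the copy, too
        total = (total + b) & 0xFFFF
    stored = mem[CHECK_ADDR] | (mem[CHECK_ADDR + 1] << 8)
    return total == stored, bytes(mem[DST:DST + BLOCK_LEN])

if __name__ == "__main__":
    mem = build_memory()
    clean_ok, clean = run_loop(mem)
    # Tracing inside the loop: INT 3 at 518h while SI is still at 500h is read and copied.
    traced_ok, traced = run_loop(mem, breakpoint_at=0x518, si_when_placed=SRC)
    # "G 518" issued once SI is past 519h: the byte at 518h was read before INT 3 existed.
    late_ok, late = run_loop(mem, breakpoint_at=0x518, si_when_placed=0x51A)
    print(clean_ok, traced_ok, late_ok)      # True False True
    print(traced[0x18] == (INT3 ^ KEY), late == clean)   # True True
```

The copy produced under tracing still carries the decrypted breakpoint byte at offset 18h, which is why forcing the comparison to pass does not give you a correct program.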
Overlays/Loaders
----------------

Sometimes, programs will have an initialization code and upon its completion, call up another program or overlay. These programs present unique situations in which it is sometimes difficult, after finding the copy protection code, to write the changes to disk. Let's see what these programs do before we go on to the next topic of making changes permanent.

Loaders are usually small programs that might first ask you for the graphics mode or what sound card you have. When finished, it will load up another program. Sometimes, this is done with DOS' interrupt 21h, function 4B00h (load and execute). This is the same interrupt DOS uses to load up programs when you type them in at the DOS prompt. You can tell what file is going to be executed by tracing up to the INT 21 instruction and dumping the address pointed to by DS:DX (type in "D DS:DX"). Also, internal procedures could be used to call up the program. Use what you've learned to trace through them.

Code decryptions or dynamic heap allocation where data is to be loaded present problems as well. Code that changes as the program progresses makes code changes difficult in the file itself. And when you want to alter something in the data area, something called a heap is often used to store the data. The thing with the heap is that it can be allocated at any time and, depending on what is currently in memory, you can't tell where the memory is going to be located. In these cases, you might choose to go with run-time memory overlays (discussed later).

Writing the Changes Out to the File
-----------------------------------

Okay, so you've found the copy protection. You also know how to bypass it. Now, the next problem you will most likely encounter is writing it out to a file. But first, let's assume a simple case.

Using a Hex Dump Program
------------------------

Included in this package is one of the files from Norton Utilities which does a decent job of finding and changing the contents of files. Before we exit the debugger, we must know what to look for.

1) At the location of the instruction, copy down the machine language equivalent of the instruction. At instructions after that, also take down their machine level equivalents. This is what you will use to search for the code in the file.

   a) If there is a near call or a near jump or a near memory access, you can just write down all the hex numbers