COMSPY98: A TOOL OF OUR TRADE
Magic APIs hooking in Windoze
Our Tools
Our own tools
by +RCG, 15 January 1998
cracker
slightly edited by fravia+
f
Courtesy of Fravia's page of reverse engineering
f
It's +RCG, it's good and tasty!

Besides we are starting right now (with +RCG's help) the new and important +HCU's project 'Our tools'... this article about APIs intercepting, together with +RCG explanations of the very poorly explained "vxd magic" in Windoze (see +RCG's new essays starting from Our protections) represents the 'basic material' to start the new project... so work on this!

In the mean time... a 'polite' question to +RCG... my friend, could you please spend some more time commenting the code? You'll agree with me that for instance your "LOST CODE is the original code 'under' the call FHK95.DLL" is a little too cryptic for many readers :-)
f
There is a crack, a crack in everything
That's how the light gets in
Rating
(x)Beginner (x)Intermediate ( )Advanced ( )Expert
APIs hooking: an useful essay for beginners and intermediates alike (and an useful tool for the +HCU :-)
Title
COMSPY98 A TOOL OF OUR TRADE
Written by +RCG
Intro

No Introduction
Tools Required
wdasm
softice
~
prudens' site at http://www.spywindows.com
Program History
There is a previous version "95" around, where the colors of the nag screen are -if possible- even more awful
T
H
E

E
S
S
A
Y
	COMSPY98 A TOOL OF OUR TRADE

Well this utility can be useful to study what
personal information give away some 'Trojan Horses'
like Micro$oft's IE (Ughhh!!!).
Also it can be useful to understand how
computers 'talk' and exchange information, but
for me, the best is that I can learn how THIS 
TARGET itself hooks APIs... do you understand me?
D'you understand HOW IMPORTANT this is for us?

After all we need to hook (or unhook) freely, so
much as necesary to understand (or remove) the 
protection schemes we find. 
You already know something about this subject from 
Footstep's essay about MemMonitor95... well, let us 
assume we don't know nothing, what do we have 
here?

A regdll32.dll file, and some crippled functions,
but the target can be registered by a key. Well, 
quite a lot of info already, thinking of it!
Fire the target and a Nagscreen will at once ask 
you for a file called COM98UR.DAT.

All right!!!! Let's remove all this crap in 30 
seconds flat (plus the time w32dasm takes in my 
486 to dissasemble 356 Kb)... we need to see the 
whole target working in order to decide if we 
need to study (and ameliorate) part of its code 
for our purposes. 
If you have never cracked for "real" educational 
reasons until now, this target will offer you the 
perfect opportunity to do it!

Fishing strings for COM98UR.DAT we find a call to a 
function on the regdll32.dll (these programmers
will never learn... it is easy, man, simple name 
it sunnyday.dll or whatever), then we see the first 
cmp with a jmp if it is zero. Lets see, some lines 
below..., ah!!! This EVAL copy ...will expire on..., 
that's all you need. The crack is so stupidly easy 
that we don't need to explain it.

Ok!!! now we can hook and unhook whatever we want with 
this target, but only now comes the REALLY interesting 
part: how does this program perform such hooking? 
(That is what we really need to know).

Lets use a kernel32 function like CloseHandle.

Before loading Comspy98 fire winice and:

u closehandle

137:????????	83EC1C		SUB	ESP,1C
137:????????	A17CC2FBBF	MOV	EAX,[BFFBC27C]
..
..
..

Now fire Comspy98, hook closehandle, fire winnie and:

u closehandle

137:????????	E8694BBCC4	CALL	84B407E0
137:????????	C2FBBF		RET	BFFB	

Ignore the 'RET BFFB' because it is only what 
the disassembler inside winice makes out of the 
remaining last bytes of the previous MOV EAX,[BFFBC27C]

So we have now a "new" hooking call... mmm...
What is stored at 84B407E0?

Oh!!! it is the FHK95.DLL file, lets have a look:

	44		inc esp
	44		inc esp
	44		inc esp
	44 		inc esp
	90		nop
	90		nop
	90		nop
	90		nop
	6800000100	push	00010000  ;*for this function
	E80EF8FDFF	call	84F40000
	C20400		ret	0004


Searching for "44" I found this interesting snippet of code:

:BFF72D55 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72D58 83C001               add eax, 00000001
:BFF72D5B 8945F4               mov dword ptr [ebp-0C], eax
:BFF72D5E 817DF4D0070000       cmp dword ptr [ebp-0C], 000007D0
:BFF72D65 0F8D2A010000         jnl BFF72E95
:BFF72D6B 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72D6E C1E105               shl ecx, 05
:BFF72D71 C681C017F9BF44       mov byte ptr [ecx+BFF917C0], 44
:BFF72D78 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72D7B C1E205               shl edx, 05
:BFF72D7E C682C117F9BF44       mov byte ptr [edx+BFF917C1], 44
:BFF72D85 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72D88 C1E005               shl eax, 05
:BFF72D8B C680C217F9BF44       mov byte ptr [eax+BFF917C2], 44
:BFF72D92 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72D95 C1E105               shl ecx, 05
:BFF72D98 C681C317F9BF44       mov byte ptr [ecx+BFF917C3], 44
:BFF72D9F 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72DA2 C1E205               shl edx, 05
:BFF72DA5 C682C417F9BF90       mov byte ptr [edx+BFF917C4], 90
:BFF72DAC 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72DAF C1E005               shl eax, 05
:BFF72DB2 C680C517F9BF90       mov byte ptr [eax+BFF917C5], 90
:BFF72DB9 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72DBC C1E105               shl ecx, 05
:BFF72DBF C681C617F9BF90       mov byte ptr [ecx+BFF917C6], 90
:BFF72DC6 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72DC9 C1E205               shl edx, 05
:BFF72DCC C682C717F9BF90       mov byte ptr [edx+BFF917C7], 90
:BFF72DD3 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72DD6 C1E005               shl eax, 05
:BFF72DD9 C680C817F9BF68       mov byte ptr [eax+BFF917C8], 68
:BFF72DE0 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72DE3 C1E105               shl ecx, 05
:BFF72DE6 C681C917F9BF00       mov byte ptr [ecx+BFF917C9], 00
:BFF72DED 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72DF0 C1E205               shl edx, 05
:BFF72DF3 C682CA17F9BF00       mov byte ptr [edx+BFF917CA], 00
:BFF72DFA 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72DFD C1E005               shl eax, 05
:BFF72E00 C680CB17F9BF00       mov byte ptr [eax+BFF917CB], 00
:BFF72E07 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72E0A C1E105               shl ecx, 05
:BFF72E0D C681CC17F9BF00       mov byte ptr [ecx+BFF917CC], 00
:BFF72E14 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72E17 C1E205               shl edx, 05
:BFF72E1A C682CD17F9BFE8       mov byte ptr [edx+BFF917CD], E8
:BFF72E21 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72E24 C1E005               shl eax, 05
:BFF72E27 C680D217F9BFC2       mov byte ptr [eax+BFF917D2], C2
:BFF72E2E 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72E31 C1E105               shl ecx, 05
:BFF72E34 C681D317F9BF00       mov byte ptr [ecx+BFF917D3], 00
:BFF72E3B 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72E3E C1E205               shl edx, 05
:BFF72E41 C682D417F9BF00       mov byte ptr [edx+BFF917D4], 00
:BFF72E48 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF72E4B C1E005               shl eax, 05
:BFF72E4E C680D517F9BF00       mov byte ptr [eax+BFF917D5], 00
:BFF72E55 8B4DF4               mov ecx, dword ptr [ebp-0C]
:BFF72E58 C1E105               shl ecx, 05
:BFF72E5B C681DF17F9BF00       mov byte ptr [ecx+BFF917DF], 00
:BFF72E62 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72E65 C1E205               shl edx, 05
:BFF72E68 81C2D217F9BF         add edx, BFF917D2
:BFF72E6E B80010F7BF           mov eax, BFF71000
:BFF72E73 2BC2                 sub eax, edx
:BFF72E75 8945F8               mov dword ptr [ebp-08], eax
:BFF72E78 6A04                 push 00000004
:BFF72E7A 8D4DF8               lea ecx, dword ptr [ebp-08]
:BFF72E7D 51                   push ecx
:BFF72E7E 8B55F4               mov edx, dword ptr [ebp-0C]
:BFF72E81 C1E205               shl edx, 05
:BFF72E84 81C2CE17F9BF         add edx, BFF917CE
:BFF72E8A 52                   push edx
:BFF72E8B E80AEAFFFF           call BFF7189A
:BFF72E90 E9C0FEFFFF           jmp BFF72D55


What is this...? It is selfmodifying the code....lets see
umm!!! MAP32 FHK95.DLL ==> this area is DATA, so it is
executing at the area code!!!!!
I can't believe it!!!! Lets use one of my old programs, and
I will force the execution of data 'code'.

Wait!!!! Look!!!

Oh!!!! no problem it runs fine, good idea indeed (this is
another trick to create selfmod. code.)


If I now hook the CreateFile function as well I get the
same, except for the 'push 10000h', now it is 'push
20000h'

I am thinking it copies part of the routine, umm!!!
lets see... trace until the real code is executed.


Exported fn(): ExpFn0016() - Ord:00C9h

:BFF71000 55                push ebp
:BFF71001 8BEC              mov ebp, esp
:BFF71003 83EC6C            sub esp, 0000006C
:BFF71006 53                push ebx
:BFF71007 56                push esi
:BFF71008 57                push edi
:BFF71009 C745E000000000    mov [ebp-20], 00000000
:BFF71010 FF1590F1FABF      Call dword ptr [BFFAF190]GetCurrentProcess
:BFF71016 8945E4            mov dword ptr [ebp-1C], eax
:BFF71019 FF157CF1FABF      Call dword ptr [BFFAF17C]GetCurrentProcessId
:BFF7101F 8945F0            mov dword ptr [ebp-10], eax
:BFF71022 FF15A8F1FABF      Call dword ptr [BFFAF1A8]GetCurrentThread
:BFF71028 8945F8            mov dword ptr [ebp-08], eax
:BFF7102B FF15E0F1FABF      Call dword ptr [BFFAF1E0]GetCurrentThreadId
:BFF71031 8945E8            mov dword ptr [ebp-18], eax
:BFF71034 C745FC00000000    mov [ebp-04], 00000000
..
..
..
:BFF7129A 8B08              mov ecx, dword ptr [eax]
:BFF7129C 890D1C07F8BF      mov dword ptr [BFF8071C], ecx
:BFF712A2 8B55CC            mov edx, dword ptr [ebp-34]
:BFF712A5 FF12              call dword ptr [edx]		<==Here
:BFF712A7 8945F4            mov dword ptr [ebp-0C], eax
..
..
:BFF71400 8B45D8            mov eax, dword ptr [ebp-28]
:BFF71403 5F                pop edi
:BFF71404 5E                pop esi
:BFF71405 5B                pop ebx
:BFF71406 8BE5              mov esp, ebp
:BFF71408 5D                pop ebp
:BFF71409 C20400            ret 0004


Tracing a little we can get:

* Referenced by a Jump at Address:BFF71757(U)
|
:BFF71762 6A00                 push 00000000
:BFF71764 8B45F4               mov eax, dword ptr [ebp-0C]
:BFF71767 50                   push eax
:BFF71768 8B4DCC               mov ecx, dword ptr [ebp-34]
:BFF7176B 51                   push ecx
:BFF7176C E8A2010000           call BFF71913	<== Here
:BFF71771 8945D4               mov dword ptr [ebp-2C], eax
:BFF71774 C745D001000000       mov [ebp-30], 00000001

Tracing the call finally we get:

	LOST CODE
	LOST CODE
	push	next_instrucion_at_lost_code_offset
	ret

LOST CODE is the original code 'under' the call FHK95.DLL


Ok!!!! Lets pull some conclusions out of this "mess":

A VxD is needed to patch the Kernel32.
We can execute code at data areas.
We have discovered new ways to monitor API,s.


So, this will be the flow of our own 
Monitor_Api_Program.

At the beginning of the API function we will
put a jmp/call to our own code.
We will analize the stack and get the valuable
data we are seeking.
We will execute the missing code in our area.
We will return the control (if needed, because 
sometimes it can be interesting to return instead 
to the program with our own answers :-) 

You have now enough data!
Work on it, it's GREAT fun!!!!!
+rcg 1998

Final
Notes
OK, so this essay opens officially the new +HCU project:
Our tools: 1) The +HCU's API interceptor
Ob duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
way out
You are deep inside fravia's page of reverse engineering, choose your way out:

advanced
Back to Ourtools Project
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia+
redIs reverse engineering legal?