TBBW Posted April 13, 2012

Hi all,

Story: at a certain stage during a setup (setup.exe) a window is displayed. It says "Insert CD2", with the options Ok and Cancel. I go for the Ok option.

Using Spy++ I see the following:
IRP_MJ_CREATE
IRP_MJ_QUERY_INFORMATION
IRP_MJ_QUERY_VOLUME_INFORMATION
IRP_MJ_CLEANUP
IRP_MJ_CLOSE
so it does a check if CD2 is inserted.

Using Olly debug I see in the Windows page:
Handle 002a0503
Parent 0015056E
ID 00000001
Thread Main
cls proc 752358F1

Is it possible to put a breakpoint on the OK button, using Olly or IDA? Pressing the OK button executes a piece of code; is this easily found? I think I need to manipulate the information struct, telling it CD2 has been inserted.

regards,
ger
atom0s Posted April 14, 2012

You could try using the 'Execute Until Usercode' feature in the debug menu. When you get to the point where you see the screen you mention, hit pause in Olly, then choose Debug -> Execute Until Usercode. Then click the OK button and it should break afterward.
mrexodia Posted April 14, 2012

> You could try using the 'Execute Until Usercode' feature in the debug menu. When you get to the point where you see the screen you mention, hit pause in Olly, then choose Debug -> Execute Until Usercode. Then click the OK button and it should break afterward.

Agree, get the messagebox up and press the pause (II) button, then press ALT+F9 and click any button. Most of the time it will get you into the code...
ghandi Posted April 15, 2012

Unless you're unlucky enough that the 'msgbox' is actually a dialog, pausing and Alt+F9 will land in the msg pump. From there you'd need to see where the WndProc is set up, most likely the call to RegisterClass/RegisterClassEx, then set breakpoint(s) in that code loop.

HR,
Ghandi
TBBW (Author) Posted April 15, 2012

Thanks guys for all the input. It is pretty hard to find the dialog box.

@ghandi: I will try your last post.

Did some digging. The setup is the Call of Duty (the first one) installer; yes I know it is old but I like it. The set is two CDs, one called COD1 and one called CoD2, found with GetVolumeInformation. A hex search or string search does not do the job (try to find it in the installer).

So when the dialog "insert CD2" is shown, the program checks if CD2 is inserted (I assume). I think it will use GetVolumeInformation, so I need to find the GetVolumeInformation routine. How do I find this using Olly/IDA?

On the other hand the dialog has 3 options:
cancel: for me of no use
ok (and CD1 still in drive): results in displaying the dialog again.
ok (and CD2 inserted): results in closing the dialog and continuing the install.

Also, I can not find an install list, a list with all the files the installer has to copy (put on HDD). Is this encrypted? The installer is of type Wise installer system, yep an old one. Everything in one exe file.

regards,
ger
NikolayD Posted April 16, 2012

Try scanning COD.exe with ProtectionID. If it's SecuROM it is not easy )))
mrexodia Posted April 16, 2012

I think he is still busy with that project... It's not about the protection of the end product, but of the installer. Some old tutorials (don't ask me which ones) give you API hints to break... But why not simply download an ISO of both CDs???
TBBW (Author) Posted April 16, 2012

Hi All,

Why not use both ISOs? I want to put all the COD versions in one ISO, blu-ray.... and for the fun!!

So back to work. I stated I could not find the install list; well, I found it. Every time when I start the program (in Olly) it allocates a memory block of 0x66000 bytes, and guess what is in there... When I edit this block, I can "remove" the insert CD2 dialog.

original mem block: file -a-, file -b-, file -c-, dialog text cd2, file -d-, file -e-
mem block edited by me: file -a-, file -b-, file -c-, file -d-, file -e-, dialog text cd2.

Runs fine, it does no checks until it 'sees' dialog cd2, and file -d- and file -e- are nicely installed!! (put all the files on one DVD, for testing)

So if I can remove the dialog cd2 text, then the problem is solved. So I think the program fills the mem block with install-data, only where does it come from......

regards,
ger
mrexodia Posted April 19, 2012

That's an epic idea! But back to topic: does this memory block contain "dialog text cd2"?? Or is it something else? I mean: can you find some kind of table, or is it the pure file data...
TBBW (Author) Posted April 20, 2012

@Mr. eXoDia: Yes, this memory block contains the "dialog text cd2". It is some kind of table as you said. It is very hard to find where this table comes from, a lot of jumps and calls.........

On the other hand, if I can (externally, using C#) allocate this block I can edit it, problem solved!! Like the "Memory Map" tab in Olly, and the edit option. I know it is 0x66000 bytes every time with a given base address at, let's say, 00400000. I can edit the memory block.

regards,
ger
mrexodia Posted April 20, 2012

I would recommend breaking on VirtualAlloc or GlobalAlloc; these functions allocate memory (duh) and maybe you can find some loop if you trace a bit...
TBBW (Author) Posted May 9, 2012

Hi All,

Did some digging..... found the "insert cd2 compare statement". If I manipulate the outcome of the CMP to 0x00 instead of 0xFF it continues with the installation.... (YES!!!!)

Now I need to implement this in the setup.exe file. Setup creates a tmp file which is then loaded as a DLL, so I'm unable to write to the DLL when it is loaded; I have to edit it before it is loaded. Found the load DLL call, so I have the handle (to that file) on the DS stack. Now I need to write several bytes at certain positions to the created temp file.

Does anyone have a piece of code (which I can put directly in Olly) which does the job? Please with comments so I can see/learn what the statements are doing.

Thanks in advance!!

Best Regards,
ger
mrexodia Posted May 11, 2012

You could try redirecting that call where the DLL is created to a code cave... This code should load a custom DLL which intercepts the handle, duplicates it and changes a few bytes in the file.
TBBW (Author) Posted May 12, 2012

@eXoDia: Thanks for the reply. Your suggestion is out of my league, yet...

I tried:
mov ah,3d    ; Open file function
mov al,20    ; Write-Only file access
mov dx,0102  ; Points to filename
int 21       ; Do it
mov bx,ax    ; Move retrieved file handle into BX
mov ax,4000  ; Write to File function
mov dx,011a  ; Points to data to write
mov cx,0d    ; Number of bytes to write
int 21       ; Do it
mov ax,4c00  ; Exit function
int 21       ; Do it

It does not work; I think this is old stuff. I'm looking for something like kernel32.OpenFile or kernel32.WriteToFile. Any clues...

Thanks,
Ger
mrexodia Posted May 13, 2012

It's uber-old. Try CreateFileA for opening the file (if you already have a handle it's not needed), then use WriteFile (with a bytes-write flag); see MSDN for more info.
TBBW (Author) Posted May 16, 2012

Hi All,

Found the buffer which is used to create the .dll. It is a buffer of 32K which is emptied 6 times into the file, with the DLL as a result. It is using CreateFile and WriteFile.

So I tried to find the buffer data. And as guessed it is not a 1 to 1 copy.... It is packed, crypted or something like that. So I think I will go for the "edit the DLL when finished" version. Will do some further digging.

Regards,
ger
TBBW (Author) Posted May 19, 2012

@eXoDia: I use the kernel32.OpenFile call like this:
push 2       ; mode read/write
push 403170  ; pOfstruct
push 18FE5C  ; name of the file
call kernel32.OpenFile

If I run this in Olly, I get SUCCES_ERROR (I assume everything went well; if I try to open the file with a hex editor it says it is open) and at location 403170 a piece of data is created (in this piece of data the name of the file is shown).

When I want to call the WriteFile function, I need a handle. Where can I find this handle..... For the write call I use (for testing):
push 0       ; overlapped
push 0       ; bytes written
push 10      ; bytes to be written
push 403170  ; buffer of bytes (it is the buffer created in OpenFile, no issue for testing)
push xxxxxx  ; the handle ...........
call kernel32.WriteFile

Later,
Ger
deepzero Posted May 19, 2012

You're supposed to use CreateFile() to open a file and WriteFile() to write to it. The handle is returned by the CreateFile() function (---> you will find it in eax).

in c++:
HANDLE x = CreateFileA("C:\\x.txt", GENERIC_READ|GENERIC_WRITE, 0, 0, CREATE_NEW, 0, 0);
DWORD wrtn;
WriteFile(x, "test", 4, &wrtn, 0);

in olly:
The code creates a new file (C:\x.txt) and writes 4 bytes of data to it ("test").

http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/aa365747%28v=vs.85%29.aspx
TBBW (Author) Posted May 19, 2012 (edited)

Thanks, but why not use OpenFile, as the file is already there? I'm not creating a new one. Will have a go with your stuff!!

Ger

Edited May 19, 2012 by TBBW
deepzero Posted May 19, 2012

OpenFile() is old and not used anymore; CreateFile() is a lot more powerful. To open an existing file, replace the CREATE_NEW (0x01) parameter with OPEN_EXISTING (0x03), i.e. replace the "push 1" (third push) in CreateFileA() by "push 3".
TBBW (Author) Posted May 19, 2012 (edited)

Thanks. The PUSH C0000000 for the read/write is not accepted in Olly.

Ger

Edited May 19, 2012 by TBBW
deepzero Posted May 19, 2012

You can't start a constant with a letter (A-F). Instead, type
push 0C0000000
TBBW (Author) Posted May 23, 2012

Hi all,

Can not get the #$$^&&&!! working.... I do
PUSH 0
PUSH 0
PUSH 3
PUSH 0
PUSH 0C
PUSH 18FE5C
Call KERNEL32.CreateFileA

After this piece of code I get ERROR_SUCCES, so I assume no errors; everything runs fine up till here. Now to write a number of bytes I do:
PUSH 0
PUSH 0
PUSH 4
PUSH 720000
PUSH EAX
Call KERNEL32.WriteFile
NOP

Put a breakpoint on the NOP; it does not reach the breakpoint, because I get an error "access violation writing 00000000". Where do I go wrong??

ger
kao Posted May 23, 2012

You should pay more attention to MSDN: http://msdn.microsof...7(v=vs.85).aspx

lpNumberOfBytesWritten [out, optional] - This parameter can be NULL only when the lpOverlapped parameter is not NULL.
TBBW (Author) Posted May 23, 2012

IOW, how should I set up the call? I just want to write, let's say, 4 bytes to a file which is already there. Is there a document which says where the outcomes are placed, in ECX or EAX etc.?

Ger
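The CreateFileA/WriteFile sequence the thread arrives at, as an added example that is not any poster's code: it opens an already existing file with OPEN_EXISTING, seeks to each offset and writes with a real lpNumberOfBytesWritten, which kao's MSDN quote requires whenever lpOverlapped is NULL. The Win32 branch only compiles on Windows; elsewhere the same steps go through the C standard library. patch_file, demo_patch, patch_t and the file names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* One patch: write `len` bytes from `data` at file offset `offset`. */
typedef struct { long offset; const unsigned char *data; size_t len; } patch_t;
/* Patch an EXISTING file in place; returns patches applied, or -1 if it cannot be opened. */
int patch_file(const char *path, const patch_t *p, int count) {
    int done = 0;
#ifdef _WIN32
    /* OPEN_EXISTING (3), not CREATE_NEW (1): the temp file is already there. */
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;   /* the handle is CreateFileA's return value (EAX) */
    for (int i = 0; i < count; i++) {
        DWORD written = 0;   /* lpNumberOfBytesWritten may not be NULL when lpOverlapped is NULL */
        if (SetFilePointer(h, p[i].offset, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER) break;
        if (!WriteFile(h, p[i].data, (DWORD)p[i].len, &written, NULL) || written != p[i].len) break;
        done++;
    }
    CloseHandle(h);
#else
    FILE *f = fopen(path, "r+b");   /* "r+b" fails on a missing file, like OPEN_EXISTING */
    if (!f) return -1;
    for (int i = 0; i < count; i++) {
        if (fseek(f, p[i].offset, SEEK_SET) != 0) break;
        if (fwrite(p[i].data, 1, p[i].len, f) != p[i].len) break;
        done++;
    }
    fclose(f);
#endif
    return done;
}

/* Self-check on a constructed 16-byte file of 0xFF: 1 when both patches land and neighbours stay. */
int demo_patch(const char *path) {
    unsigned char buf[16];
    memset(buf, 0xFF, sizeof buf);
    FILE *f = fopen(path, "wb");
    if (!f || fwrite(buf, 1, 16, f) != 16) { if (f) fclose(f); return 0; }
    fclose(f);
    static const unsigned char one[] = { 0x00 };        /* single byte at offset 4 */
    static const unsigned char two[] = { 0x90, 0x90 };  /* two bytes at offset 10 */
    patch_t p[] = { { 4, one, 1 }, { 10, two, 2 } };
    if (patch_file(path, p, 2) != 2) return 0;
    f = fopen(path, "rb");
    if (!f || fread(buf, 1, 16, f) != 16) { if (f) fclose(f); return 0; }
    fclose(f);
    return buf[3] == 0xFF && buf[4] == 0x00 && buf[10] == 0x90 && buf[11] == 0x90 && buf[12] == 0xFF;
}
```

In Olly the same call is the pushes in reverse order, with the fifth push pointing at a writable DWORD rather than 0, and the handle taken from EAX right after CreateFileA returns.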