#1
hashing algorithms
Hi everyone,
I am not familiar with hashing algorithms and I am not sure if they can prevent a program from executing, but I got this target that has a lot of them, and here it is:

target: Proxy Switcher Standard 3.11
site: h**p://www.proxyswitcher.com
packer: UPX (very easy)

After unpacking it crashes. I analyzed it with PEiD and found these:

ADLER32 :: 00252EE1 :: 00652EE1 The reference is above.
ADLER32 :: 00252FAA :: 00652FAA The reference is above.
ADLER32 :: 00252FB7 :: 00652FB7 The reference is above.
BASE64 table :: 000E190C :: 004E190C Referenced at 006A02E0
BASE64 table :: 001EE87E :: 005EE87E Referenced at 005EE879
BASE64 table :: 00209DB4 :: 00609DB4 Referenced at 006B66DC
BLOWFISH [sbox] :: 002A8B6C :: 006A8B6C Referenced at 005FFEFA
CCITT-CRC16 [long] :: 0029F888 :: 0069F888 Referenced at 004B5530
CCITT-CRC16 [word] :: 001FD63B :: 005FD63B Referenced at 005FD61F
CRC16 (rev) [word] :: 001EF276 :: 005EF276 Referenced at 005EF25E
CRC32 :: 001EF4A0 :: 005EF4A0 Referenced at 005EF486
CRC32 :: 0029FC88 :: 0069FC88 Referenced at 004B5553
CRC32 :: 002B7AB0 :: 006B7AB0 Referenced at 00653165, 00653170, 00653290, 00653566
GOST [sbox 1] :: 002A7B6C :: 006A7B6C Referenced at 005FF9AA, 005FFB16
HAVAL (5 pass) [char] :: 002A05CC :: 006A05CC Referenced at 005FA9E1, 005FAC71, 005FAFAD
MD5 :: 001F1ABB :: 005F1ABB The reference is above.
MD5 :: 0029F3F8 :: 0069F3F8 The reference is above.
Q128 :: 002A9BB4 :: 006A9BB4 Referenced at 00601452, 00601467, 0060147D, 00601493, 006014E6, 006014FC, 00601512, 00601528, 00601592, 006015B3, 006015D6, 006015F9
RIPEMD-256 [Init] :: 001F6D35 :: 005F6D35 The reference is above.
RIPEMD-320 [Init] :: 001F1920 :: 005F1920 The reference is above.
SHA1 [Compress] :: 0008EA51 :: 0048EA51 The reference is above.
SHA1 [Compress] :: 001FA435 :: 005FA435 The reference is above.
SHARK [CE-box] :: 002ABFF4 :: 006ABFF4 Referenced at 00602B53, 00603118, 006033CC
SNEFRU :: 002A064C :: 006A064C Referenced at 005FBA6A
SQUARE [SD] :: 002ABEB4 :: 006ABEB4 Referenced at 00602ECF, 00602EE4, 00602EFB, 00602F0D, 00602F1D, 00602F32, 00602F49, 00602F5A
SQUARE [SD] :: 002B40F4 :: 006B40F4 Referenced at 00603AA0, 00603AAF, 00603AC3, 00603AD9, 00603AF7, 00603B09, 00603B20, 00603B39, 00603B56, 00603B68, 00603B7F, 00603B98, 00603BAD, 00603BB7, 00603BC6, 00603BD9
SQUARE [TE] :: 002A6B4C :: 006A6B4C Referenced at 005FD105, 005FD14D, 005FD19E, 005FD1E7
SQUARE [TE] :: 002B45F4 :: 006B45F4 Referenced at 00603687
TEAN [32 rounds] :: 0001D4C1 :: 0041D4C1 The reference is above.
TIGER :: 002A464C :: 006A464C Referenced at 005FBC7C
TWOFISH [8x8] :: 002AABB4 :: 006AABB4 Referenced at 00602251, 00602266, 006022C3, 006022DB, 006022ED, 00602314, 0060233E, 0060234F, 00602522, 00602548, 00602597, 006025C4, 006026A8, 006026B1, 00602710, 0060273D, 0060276A, 006027A0, 0060280D
{Big number} :: 00205630 :: 00605630 Referenced at 006054D0
{Big number} :: 00205D40 :: 00605D40 The reference is above.
{Big number} :: 002591A4 :: 006591A4 Referenced at 00659070
{Big number} :: 0025A640 :: 0065A640 Referenced at 0065A4B6
{Big number} :: 0025A6DC :: 0065A6DC Referenced at 0065A4DD
{Big number} :: 0026BE74 :: 0066BE74 Referenced at 0066BB73

I'm stuck here. Any help?
#2
hm
In the brief minute that I looked at this app I see two things. First, I patched a few random bytes on the original file and it did not crash. The fact that I was even able to patch any bytes tells me it is not packed. Also, I just loaded it in IDA, and with the exception of some weird segment names and some IDA message, the file looks comprehensible and not packed. Why do you think it is UPX? Although I could be wrong, I would suggest you delete your unpacked version, make a copy of the original app and just disassemble it in IDA and have fun; it should run fine and be patchable. To answer your original question, just about any algo can be a CRC algo. The most likely algos to be a CRC are usually hash algos. And when you do encounter these, they are easy to spot, as they either read the PE file from disk or read it from memory, so just break on the appropriate APIs, readfile, readmem, etc. I don't think you have to do anything here but install the app and then patch the registration check.
#3
Thanks a lot for your reply, Sabor. When I analyzed that app with PEiD it said it is UPX. Also, when manual unpacking did not work for me, I could unpack it with UPX v3.1 with the parameter -d, and I successfully did, but it is still not working. Please take a look at the attached picture.
#4
PEiD is actually saying that it is UPolyX, which is PEiD's way of saying it has no idea if it is packed or not. The section names have been renamed to UPX to fool you. Doesn't sound like it is packed at all.
PETools is more reliable than PEiD, and PE Explorer is very good at identifying and unpacking UPX if it is present. Git
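A quick way to check Git's point yourself, added here as an example and not code from the thread or from any of the tools named in it: parse the section table and look at what the sections called UPX0/UPX1 actually contain instead of trusting their names. Real UPX output has an empty, virtual-only UPX0 that the stub decompresses into and a high-entropy UPX1 holding the compressed payload; a file whose sections were merely renamed still has ordinary, low-entropy code in them. The two PE images below are constructed inline, the entropy threshold and the verdict rules are my own heuristics, and the field offsets are those of IMAGE_SECTION_HEADER and the COFF header.

```python
import hashlib
import math
import struct

PE_SIG_OFFSET = 0x3C               # e_lfanew lives here in the DOS header
SECTION_HEADER = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY = 7.0               # assumed threshold (bits/byte); tune on your own samples


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) .. 8.0 (uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the section table of a PE image and return one dict per section."""
    e_lfanew = struct.unpack_from("<I", pe, PE_SIG_OFFSET)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first section header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return sections


def upx_verdict(sections):
    """'upx-packed', 'upx-names-only' or 'not-upx'. A heuristic, not a signature."""
    by_name = {s["name"]: s for s in sections}
    if not any(n.startswith("UPX") for n in by_name):
        return "not-upx"
    upx0, upx1 = by_name.get("UPX0"), by_name.get("UPX1")
    # Genuine UPX layout: UPX0 has no raw data (it is filled at run time) and UPX1
    # carries the compressed image, so its bytes look close to random.
    if upx0 and upx1 and upx0["raw_size"] == 0 and upx1["entropy"] >= PACKED_ENTROPY:
        return "upx-packed"
    return "upx-names-only"


def build_pe(sections):
    """Constructed minimal PE32 image: DOS header, COFF header, zeroed optional header, sections."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic, rest zero
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers, bodies, raw_ptr, va = [], [], hdr_len, 0x1000
    for name, raw, vsize, chars in sections:
        headers.append(struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va,
                                   len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, chars))
        bodies.append(raw)
        raw_ptr += len(raw)
        va += (max(vsize, 1) + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + b"".join(headers) + b"".join(bodies)


# Deterministic high-entropy filler standing in for compressed data (no RNG needed).
COMPRESSED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
# Low-entropy filler standing in for ordinary x86 code (push ebp; mov ebp,esp; sub esp,40h; nops).
CODE = b"\x55\x8B\xEC\x83\xEC\x40\x90\x90" * 512
EXEC = IMAGE_SCN_MEM_EXECUTE

# Sample A: what upx -d expects, an empty UPX0 and a compressed UPX1.
REAL_UPX = build_pe([(b"UPX0", b"", 0x10000, EXEC),
                     (b"UPX1", COMPRESSED, len(COMPRESSED), EXEC),
                     (b".rsrc", b"\0" * 64, 64, 0)])
# Sample B: a plain executable whose sections were merely renamed to UPX0/UPX1.
RENAMED = build_pe([(b"UPX0", CODE, len(CODE), EXEC), (b"UPX1", b"\0" * 256, 256, 0)])

if __name__ == "__main__":
    for label, image in (("real UPX layout", REAL_UPX), ("renamed sections", RENAMED)):
        secs = parse_sections(image)
        for s in secs:
            print(f"{label:<17} {s['name']:<6} raw={s['raw_size']:<6} entropy={s['entropy']:.2f}")
        print(f"{label:<17} verdict: {upx_verdict(secs)}")
```

The verdict is only a layout check: a packer that keeps its compressed data in a section with any other name, or a stub that fills UPX0 from somewhere else, will fall through to "upx-names-only", which is exactly the case where running the file straight in IDA or Olly, as Sabor suggested, is the right next step.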
#5
|
|||
|
|||
Thanks, Git. While I am trying to find a solution for this, I hope somebody could take a look at the code and give us any hints about that.
#6
hmm
You can load it in Olly/IDA/SICE directly and don't need to unpack or fix anything. Just find the registration routine which accesses the registry for reg info. Patch it to be nice and you should be done.
#7
Well, I tried to run it under OllyDbg; it always crashes, and I think it has anti-debug tricks or something like that. Here is what I got:

00497D16 C600 00 mov byte ptr [eax], 0
error: access violation when writing to [00000000]

and it goes into a loop, because I tried to continue with Shift+F9. I used a plugin to hide the debugger, but with no luck at all.

Last edited by abccc; 09-30-2007 at 00:24.
#8
|
|||
|
|||
hmm
Do we have the same app?
Program Files\Proxy Switcher Standard is the dir I have, and the app is ProxySwitcher.exe, 4.15 MB. I place it in Olly, ignoring all debug exceptions. I have normal anti-debug. Also, the instruction at that address you pasted does not correspond. Try downloading the app again and doing a fresh install; I think your unpack attempt broke it.

00497D06 . B9 48804900 MOV ECX,ProxySwi.00498048 ; ASCII "InProcess debug forced."
00497D0B . B2 01 MOV DL,1
00497D0D . A1 BCA14000 MOV EAX,DWORD PTR DS:[40A1BC]
00497D12 . E8 5D69F7FF CALL ProxySwi.0040E674
00497D17 . E8 28BEF6FF CALL ProxySwi.00403B44
00497D1C > 6A 00 PUSH 0 ; /RootPathName = NULL
00497D1E . E8 09F9F6FF CALL <JMP.&kernel32.GetDriveTypeA> ; \GetDriveTypeA
00497D23 . 83F8 04 CMP EAX,4
00497D26 . 75 20 JNZ SHORT ProxySwi.00497D48
00497D28 . A1 04C46B00 MOV EAX,DWORD PTR DS:[6BC404]
00497D2D . 8338 01 CMP DWORD PTR DS:[EAX],1
00497D30 . 74 16 JE SHORT ProxySwi.00497D48
00497D32 . B9 68804900 MOV ECX,ProxySwi.00498068 ; ASCII "Shellexecute wont work properly on network drive."

That's what I have for that addr. So reinstall the app, start fresh, and just load it directly in Olly and see what you get.
DONGS
#9
|
|||
|
|||
Yupppppp, you are a great man, Sabor, and I really have great regard for your patience. You are right, WE ARE not talking about the same apps.
I'm really sorry about that. The reason is that I downloaded it from another site; I discovered that when you wrote down the size of your app, 4.15, mine was 1.92, and it was compressed with UPX. I do not know why the other site has to compress it. Anyway, I really want to thank you for everything. Now one more question, please: when I enter the name and serial and press the OK button, I do not get any message like "invalid registration" or so. Any hints on where I should put my breakpoint?
#10
|
|||
|
|||
hmmm
Probably because it is constantly reading the registration information prior to hitting the OK button. What this likely means is that it has already checked your registration information before you even click "OK". That might not be the case, though. What you can do is set a memory breakpoint (if you're using Olly this is easy) on the code section in the memory manager when you are at the registration screen. This should land you in the loop where it is, relative to getting the reg info, either constantly or after clicking the "OK" button. Just do some sniffing around that area and you will find it.
DONGS |