ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

MP3 Producer - Patch without touching one byte




Information: Cracking and loader coding tutorial
Target: MP3 Producer
Available: http://www.mp3developments.com/mp3producer.exe
Tools: OllyDbg 1.10
Protection: Serial
Level: Beginner
Category: Cracking
Author(s): ThunderPwr, March 2005
Requirements: Windows XP SP1, IE 5.5 and above for best viewing


Introduction


Hi all, today's lesson is about cracking the MP3 Producer target, but the task is reached in a different manner than the classical patching or unpacking techniques. From some point of view this method is not really new, because it is also implemented in the Windows Enabler application, but I've made some tests and finally coded a simple loader/patcher which is able to act like that toolkit, so I think it can be interesting to know more about this kind of loader coding. I also hope this simple tutorial is able to point out the need for more attention to program debugging from the author's point of view.
Full C source is also included, ready to compile and test.

There are the following sections in the remainder of this tutorial:

1. What we can do (brief explanation about the patching).
2. Proof of concept.
3. Coding a loader and source code explanation.
4. Conclusion and remark.



1. What we can do


Our purpose is to make a loader able to run the target and then wait until the registration nag is shown, then enable the Unlock button and push it, as you would do by hand with the Windows Enabler program. This behaviour is performed automatically by suitable loader coding.



2. Proof of concept


Well, as usual we have to look at the program behaviour after the installation step and find out whether the target is packed or in plain form. To perform this test we can use the classical PEiD approach:


Fig. 1 PEiD file scanning.

The program isn't packed, so let's scan for some signatures (press the -> button, then Plugins, and finally select Krypto ANALyzer):


Fig. 2 Crypto signature.

There are some crypto signatures, but this is not a problem, trust me ;-).

Well, now it's time to launch the program and see its behaviour: we have a classical registration nag which asks us for a License Name and a License Code.


Fig. 3 Starting registration nag.

More interesting, in the bottom right you can see a disabled button labeled Unlock. Well, a first try at attacking this target can be forcing the button enabled with Windows Enabler and checking if this works; believe it or not, using it makes the program fully registered (on the next program start the nag isn't shown anymore, and the About menu gives us proof of it).


Fig. 4 About menu


Fig. 5 About menu says you're registered!

To restore the program to its original unregistered state, just go into OllyDbg, place a breakpoint on 00488B65 and change the JNZ instruction to NOP, then press F9 and, after some exception, close OllyDbg.


Fig. 6 Restoring the unregistered mode.

Now if you run the target it is unregistered. Keep this in mind during your experiments (or, if you prefer, simply delete the file ntP2.trk which is in the System32 folder).



3. Coding a loader and source code explanation


There are mainly two types of process loader: the simple loader and the loader-debugger. The first one is able to load the process and read/write into it but doesn't have any debugging feature; the second one also acts like a debugger (yes, similar to OllyDbg) and is able to recognize debug events raised by the debugged application and break execution when one is set.

From MSDN you have this definition: "A debugger is an application that enables a developer to observe and correct programming errors", so a loader-debugger is a program able to load another program, called "the target process", into memory and run it; it's also able to stop, restart, read and write the process memory space, and is able to hook some common debug events like exceptions or other events which are interesting from a debugging point of view. Coding a loader isn't difficult and requires a little knowledge of what a process is and how it works. All this stuff is widely covered in Shub-Nigurrath's tutorial "Guide on How to play with processes memory, write loaders and Oraculums", version 1.1, January 2005.

In short, a loader makes some steps in order to load the process using the well known CreateProcess API function; in the case of a loader-debugger, the target (victim) process is executed inside the main debugger loop, where the debugger waits for some exception and can choose whether to handle it or pass control to the program's SEH (Structured Exception Handling). As with the traditional loader approach, a loader-debugger can also wait for some event, like a window creation, and choose the appropriate action to take, for example applying a patch, placing a hardware breakpoint and so on.

This is enough to know about how a loader-debugger works, so it's time to show a flowchart for our code:


Fig. 3 Nag screen on the startup program.

The left branch is about CreateProcess failure (this is when the file can't be found); the right branch is about the target being correctly loaded into memory. The next instruction block is one infinite loop; inside this loop the loader does all the work needed to patch the program and to handle the application's exceptions when one is found (Switch block).
But for now just take a look at the CreateProcess function:


Fig. 4 Code snippet for the CreateProcess API function.

After CreateProcess execution the target can run freely and its behaviour is controlled inside the main loop (with WaitForDebugEvent and a timeout value of 0 the function returns every time; if you put INFINITE, this function returns only when some debug event is found). The main loop is made using an infinite FOR cycle; the exit condition is when the application is stopped by the user or has just been patched.
Now go into the main loop:


Fig. 5 Snippet for the main loop code (the following section is related to exception handling).

In order to enable the button, as a first point you have to know where it resides; in other words, you have to find the window which contains this control. To find it we can look at the program behaviour: the registration nag is the topmost window, so we have to search for an API function which is able to find the handle of the topmost window. Well, this function can be GetForegroundWindow; from MSDN you have:


Fig. 6 GetForegroundWindow Function

Now you have to be sure about the window; to do it just check the caption and compare it with the expected one. Again you can find a suitable API, this is GetWindowText:


Fig. 7 GetWindowText function

Use these two APIs to retrieve the caption of the topmost visible window and check if this text is equal to the registration nag's. A close look reveals a little difference between the nag caption and the main window caption; for our purpose we can compare with the text "MP3Producer v 2.40". If the comparison succeeds, the next step will cover the search for the button handle; in every other case just continue to loop and run the target freely until a new caption is found.
We now suppose we have found the right caption, so we have to retrieve the window class identifier in order to perform the following search for the button control, which is a child of the nag window. To do it just use another API called GetClassName:


Fig. 8 GetClassName Function

Each window class has a class name starting with #, so we make a little check about it. If this check succeeds, it means that the nag window has been created, but it is not said that all the controls contained in it are already active; so, to be sure about it, the next step is to find the right handle to refer to the Unlock button, and again another API helps us:


Fig. 9 FindWindowEx Function.

Now we have all the info needed to refer to the Unlock button. Just wait some cycles to be sure all the objects have been created and then send a WM_CREATE message to this control in order to enable it; to do it we can use the EnableWindow API function:


Fig. 10 EnableWindow Function.

Since we want to enable a disabled control we must use the value 1, or TRUE, for the bEnable parameter. For the last thing, we have to simulate the pushing action (like you do with Windows Enabler), and this can be performed using the SendMessage API function:


Fig. 11 SendMessage Function.

This function works with windows, but a button is also a window, so we can use this API with a BM_CLICK message; and if you search through MSDN another interesting piece of information can be found:


Fig. 12 SendMessage Function and BM_CLICK message.

Well, this is really the end of the story.
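As an added example (not the tutorial's loader source, and not the real program's check), here is a portable C model of the nag's Unlock handler from the author's side of the fence: it shows why a button being disabled must never stand in for the license check itself, since EnableWindow plus BM_CLICK from another process bypasses it. The license scheme and the "anyone" name are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the nag: the Unlock button state the tutorial flips
 * with EnableWindow, plus the flag that marks the program registered. */
typedef struct {
    bool unlock_enabled;   /* what EnableWindow(hButton, TRUE) changes */
    bool registered;       /* what the forced BM_CLICK ends up setting */
    char name[64];
    char code[16];
} NagState;
/* Constructed scheme, NOT the real MP3 Producer algorithm: the code for a
 * name is its 32-bit FNV-1a hash written as 8 lowercase hex digits. */
static void code_for_name(const char *name, char out[9]) {
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    snprintf(out, 9, "%08x", h);
}

static bool license_is_valid(const NagState *s) {
    char expect[9];
    code_for_name(s->name, expect);
    return strcmp(expect, s->code) == 0;
}

/* Weak handler: takes "the button is enabled" as proof that validation
 * passed, which is the assumption the loader in this tutorial exploits. */
static void on_unlock_weak(NagState *s) {
    if (s->unlock_enabled) s->registered = true;
}

/* Hardened handler: control state is presentation only, so re-check here. */
static void on_unlock_hardened(NagState *s) {
    if (s->unlock_enabled) s->registered = license_is_valid(s);
}

/* One click on the chosen handler. forced=true: bogus code typed, control
 * enabled from outside; otherwise a correct code makes the dialog enable it. */
bool registered_after_click(bool hardened, bool forced) {
    NagState s = { false, false, "anyone", "00000000" };
    if (!forced) code_for_name(s.name, s.code);
    s.unlock_enabled = forced || license_is_valid(&s);
    if (hardened) on_unlock_hardened(&s); else on_unlock_weak(&s);
    return s.registered;
}
```

The weak handler registers the program on a forced click with a bogus code, the hardened one does not, and both still register when a valid code was actually typed.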



4. Conclusions

Lesson Learnt

I hope this tut can be useful to learn another patching technique (control enabling) besides simple patching or in-line patching. Coding a loader has some advantages: first, you don't have to care about unpacking the target, since the loader loads it and patches the unpacked code directly once it is loaded into process memory; second, I've shown how to code it in a high level language such as C++, that is in a more readable manner than direct assembly coding. Remember, a loader can also be coded directly into the original packed executable target, in a similar way to in-line patching: before running the process you have to jump into the loader code and then execute the process by intercepting the debugging events. In this tut I've shown a loader-debugger patcher, but there are also other ways to code a loader without using the debugger idea; to know more about this and other memory patching techniques, read also the excellent Shub-Nigurrath tutorial about Oraculum coding.
I also hope this tut can be useful to show some common programming bugs in protection security.

Remember, if you plan to use this software you should purchase the product to support the authors in developing other good and better protected ;-P software.

Any suggestion, correction or criticism is welcome; if you need help about this tutorial or other stuff you can reach me on the ARTeam forum.



Greetingz


[MAIN TEAM]
[Nilrem][MaDMAn_H3rCuL3s][Ferrari][EJ12N][Kruger]
[Shub-Nigurrath][Teerayoot][R@dier]
[JDOG45][Eggi][ThunderPwr][Gabri3l][KaGra]

[Support]
[Bone Enterprise]

[Groupz]
[TSRh][SnD][LUCiD]