But what if the software vendor reprograms INT 3 to point to an INT 21? Many programs use INT 21 to access DOS functions like reading a file, etc. There would be a conflict now, as the program uses INT 3 to call up DOS while debug wants to use INT 3 for its breakpoints. There is also another problem. INT 21 uses two bytes (CD21h) while INT 3 uses only one byte (CCh). Therefore, you cannot replace INT 3 with the INT 21.

Page 21
The Cracking Manual

Also, INT 3 could be reprogrammed so that every time it is used, the program will just exit to its higher process. So every time you single step, you will be kicked out of the program.

Parity Errors with INT 3
------------------------

The tough copy protections use the change of memory to obstruct tracing. Examine the code below:

    2E0B:0500 FC        CLD
    2E0B:0501 B80000    MOV AX,0000
    2E0B:0504 BB0000    MOV BX,0000
    2E0B:0507 BE0005    MOV SI,0500
    2E0B:050A BF0010    MOV DI,1000
    2E0B:050D B90005    MOV CX,0500
    2E0B:0510 AC        LODSB
    2E0B:0511 345A      XOR AL,5A      ;'Z'
    2E0B:0513 01C3      ADD BX,AX
    2E0B:0515 AA        STOSB
    2E0B:0516 E2F8      LOOP 0510
    2E0B:0518 3B1E0043  CMP BX,[4300]
    2E0B:051C 7403      JZ 0521
    2E0B:051E E9EF2A    JMP 3010
    2E0B:0521 D1E0      SHL AX,1

Notice what the program is doing. It is performing a simple decryption of a block of code from address 500h and putting it in address 1000h. In addition, a checksum is being computed inside the same loop (the ADD BX,AX). The program is adding all those bytes up, then comparing the number with some other number (a checksum value) in memory at address 4300h. So what, you may say. When the program is run without any set breakpoints, the program will run fine. But when you start tracing through the code, or put a breakpoint somewhere after the loop, the program will cause you to exit. If you decide to change the program so that it will let you pass regardless of the checksum value, somewhere along the line the program will fuck up.

This goes back to the idea of INT 3. Right before debug executes an instruction, it places an INT 3 at the next instruction. In this program, when debug places this interrupt and executes an instruction, the program reads in this INT 3 byte at that address and copies it to a different address. INT 3 is obviously a different number than the other instructions, so the checksum value will be different. So, now that INT 3 is copied to another location in memory, debug also cannot replace that with its original byte value. Therefore, if you try to force the checksum to match and continue running the program, the program will crash because the INT 3 is causing the instructions after itself to be interpreted incorrectly by the CPU.

To bypass this, you have to make sure not to get your INT 3 placed in the wrong place at the wrong time. Looking at the program, you can keep tracing normally until the SI register points to any byte past the CMP instruction at address 519h. Then, you can do a "G 518" to finish off the loop quicker. Debug will place a temporary INT 3 at address 518h, but it doesn't matter now since SI will be past 518h. This is obviously a simple example, but it gets the point across that you have to watch where you trace.

OVERLAYS/LOADERS

Overlays/Loaders
----------------

Sometimes, programs will have an initialization code and, upon its completion, call up another program or overlay. These programs present unique situations in which it is sometimes difficult, after finding the copy protection code, to write the changes to disk. Let's see what these programs do before we go on to the next topic of making changes permanent
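Back to the checksum loop in the Parity Errors section: the C model below is an added example, not code from the manual. It replays the LODSB / XOR AL,5A / ADD BX,AX / STOSB pass over a constructed sample block and shows that the CCh debug plants only disturbs the stored checksum when SI has not yet passed the address it was planted at; the sample block contents and the assumption that AH stays zero throughout the loop are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_BASE 0x0500  /* SI start: the decrypted block begins at 500h */
#define BLOCK_LEN  0x0500  /* CX: byte count, so the loop's own code is in range */
#define XOR_KEY    0x5A    /* the XOR AL,5A ('Z') step */
#define INT3_OP    0xCC    /* one-byte INT 3 that debug plants at the next instruction */

/* One pass of LODSB / XOR AL,5A / ADD BX,AX / STOSB / LOOP. Assumes AH stays 0
 * (true in the listing), so BX sums the decrypted AL values, wrapping at 16 bits. */
uint16_t decrypt_and_sum(const uint8_t *src, uint8_t *dst, size_t len) {
    uint16_t bx = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t al = (uint8_t)(src[i] ^ XOR_KEY);
        bx = (uint16_t)(bx + al);
        dst[i] = al;                      /* STOSB: decrypted copy at 1000h onwards */
    }
    return bx;
}

/* Constructed sample contents for the block; not bytes from any real program. */
static void fill_sample(uint8_t *block) {
    for (size_t i = 0; i < BLOCK_LEN; i++)
        block[i] = (uint8_t)(i * 7 + 3);
}

/* Replays a trace where debug plants CCh at bp_addr after the loop has consumed
 * bytes_done bytes (SI == BLOCK_BASE + bytes_done). Each byte is read once, so the
 * CCh reaches the sum only if SI had not passed it. Returns 1 if CMP BX,[4300] matches. */
int checksum_survives(uint16_t bp_addr, size_t bytes_done) {
    uint8_t clean[BLOCK_LEN], src[BLOCK_LEN], dst[BLOCK_LEN];
    fill_sample(clean);
    uint16_t stored = decrypt_and_sum(clean, dst, BLOCK_LEN);   /* the value at [4300] */
    fill_sample(src);
    if (bp_addr >= BLOCK_BASE && bp_addr < BLOCK_BASE + BLOCK_LEN) {
        size_t off = bp_addr - BLOCK_BASE;
        if (off >= bytes_done)
            src[off] = INT3_OP;           /* still in place when LODSB reads it */
    }
    return decrypt_and_sum(src, dst, BLOCK_LEN) == stored;
}

int main(void) {
    printf("INT 3 at 518h, SI at 505h: checksum %s\n", checksum_survives(0x0518, 0x05) ? "matches" : "fails");
    printf("INT 3 at 518h, SI at 519h: checksum %s\n", checksum_survives(0x0518, 0x19) ? "matches" : "fails");
    return 0;
}
```

The first call models a breakpoint set while the loop still has 518h ahead of it, the second models the "G 518" issued once SI is past it.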