I've decided to put my code on GitHub! Potential employers, please notice me, you know who you are :)
My first commit on GitHub was about code injection. The reason I did code injection was to hook some APIs, mainly GetLocalTime and GetSystemTime. Why?
Many years ago there was this program that I wanted to crack. I wanted to remove the 30-day trial limitation, not for profit, just for fun; actually it was just to prove that I was the smart kid. I had done so with a few programs, including the Macromedia suite, which contained Dreamweaver and Flash, to name a couple. On top of that, I did it without a debugger, just by following the disassembled code manually (the solution turned out to be simple: you just need to patch the start address of the thread that was spawned by the main thread, that's all).
So I was pretty confident I could crack this other program as well, but it had some protective measures: it was actually encrypted :( After a few frustrating days I decided to give up on it. But a few weeks ago I was cracking another piece of software (I was bored at work), a popular editor, and it turned out to be pretty easy too. The whole 30-day trial thing was managed by a DLL, and all you needed to do was change the return value of the function that calculated the number of days remaining.
On top of that I also managed to crack a set of software from a very big company that I should not mention for fear of retribution :) This one was a bit more work, there were plenty of places you needed to patch to get it working right, but I did it. Again, all this was just for fun, no profit, remember that people :)
So I decided to take another stab at the one program that I couldn't crack, but this time I wanted to take another route: no more disassembling and stepping through code, something a bit easier, namely API hooking. I wanted to hook the time-related APIs so that they return the same date every time they are called.
My first attempt didn't work. I tried the usual CreateRemoteThread trick, passing the address of LoadLibrary as the start address of the remote thread. It might be because of the ASLR (Address Space Layout Randomization) that Microsoft employs in newer versions of Windows, I'm not sure, but it didn't work, so the only other recourse I know of is to write shellcode. (A caveat for anyone trying the same thing: ASLR is rarely the reason this trick fails, because Windows randomizes the base of kernel32.dll once per boot, so LoadLibraryA sits at the same address in every process of the same bitness. The usual culprits are an injector and a target of different bitness, or an OpenProcess handle without the rights CreateRemoteThread needs.)
I don't know why they call it shellcode (the name is historical: the first such payloads spawned a shell), but it's basically a bunch of assembly instructions that finds the address of kernel32.dll. It was a common technique back in my younger days when I was dealing with Windows viruses.
The idea is to traverse the linked list of loaded modules in the PEB (Process Environment Block) to find the address of kernel32.dll; again, all this is a standard method. So I gathered a few pieces of code from the internet and tried different combinations of them till I succeeded :)
The tricky thing is that I didn't have an assembler, so I needed to use g++'s inline assembler to do it. Again, after a few hours of messing around with it I finally got it working, i.e. I managed to get the code to compile.
The next challenge was to find the relative distance between the code and its data block. This is needed because in g++ you can't really specify the absolute memory location of your code and data (there are a few tricks to do this, of course; just google it). This was quite tricky, but I managed it by copying the code to another location in memory, fixing up the relative delta between code and data (since now I can put the code wherever I want), and starting a thread that points at the copy of the code.
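The PEB walk described above, as an added example (not the post's own code, which is in assembly): the "find kernel32" routine written in C so that the structure offsets and the list traversal are visible. The structs declare only the fields the walk needs, in the real x64 field order, so a 64-bit build reproduces the real offsets (PEB.Ldr at 0x18, BaseDllName at 0x58). Because this has to build and run off Windows, the PEB it walks is a constructed fake with made-up module base addresses; in a real x64 process you would fetch the PEB from gs:[0x60] (fs:[0x30] on x86) instead of calling build_fake_peb().

```c
/* Added example, not the original post's code: the "find kernel32" walk that
 * shellcode performs over the PEB. The PEB below is a constructed fake; on a
 * real x64 process the PEB pointer comes from gs:[0x60] (fs:[0x30] on x86). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Length/MaximumLength are in bytes; Buffer is UTF-16, not NUL-terminated. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;

typedef struct {
    LIST_ENTRY InLoadOrderLinks;           /* 0x00 */
    LIST_ENTRY InMemoryOrderLinks;         /* 0x10 */
    LIST_ENTRY InInitializationOrderLinks; /* 0x20 */
    void *DllBase;                         /* 0x30 */
    void *EntryPoint;                      /* 0x38 */
    uint32_t SizeOfImage;                  /* 0x40 */
    UNICODE_STRING FullDllName;            /* 0x48 */
    UNICODE_STRING BaseDllName;            /* 0x58 */
} LDR_DATA_TABLE_ENTRY;

typedef struct {
    uint32_t Length, Initialized;
    void *SsHandle;
    LIST_ENTRY InLoadOrderModuleList;           /* 0x10 */
    LIST_ENTRY InMemoryOrderModuleList;         /* 0x20 */
    LIST_ENTRY InInitializationOrderModuleList; /* 0x30 */
} PEB_LDR_DATA;

typedef struct {
    uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    void *Mutant;           /* 0x08 */
    void *ImageBaseAddress; /* 0x10 */
    PEB_LDR_DATA *Ldr;      /* 0x18 */
} PEB;

/* Case-insensitive compare of a UTF-16 BaseDllName against an ASCII name:
 * the loader records "KERNEL32.DLL" while callers usually ask for "kernel32.dll". */
static int name_equals(const UNICODE_STRING *u, const char *ascii) {
    size_t n = u->Length / 2;
    if (n != strlen(ascii)) return 0;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = u->Buffer[i];
        if (c > 0x7F || tolower(c) != tolower((unsigned char)ascii[i])) return 0;
    }
    return 1;
}

/* Walk PEB->Ldr->InMemoryOrderModuleList and return the DllBase of the named
 * module, or NULL. Each link sits 0x10 bytes into its LDR_DATA_TABLE_ENTRY, so
 * the link pointer is stepped back to the entry start (CONTAINING_RECORD). */
void *find_module_base(const PEB *peb, const char *dll_name) {
    const LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        const LDR_DATA_TABLE_ENTRY *e = (const LDR_DATA_TABLE_ENTRY *)
            ((const char *)cur - offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks));
        if (name_equals(&e->BaseDllName, dll_name)) return e->DllBase;
    }
    return NULL;
}

/* Constructed PEB (assumption: not a real process) in the order a real x64
 * process shows: the exe, then ntdll.dll, then KERNEL32.DLL. That order is why
 * the classic shortcut of taking the third entry usually works; matching the
 * name is more robust. Base addresses are made up. */
PEB *build_fake_peb(void) {
    static const char *names[] = { "target.exe", "ntdll.dll", "KERNEL32.DLL" };
    static const uintptr_t bases[] = { 0x00400000ull, 0x7ffa10000000ull, 0x7ffa0f000000ull };
    PEB *peb = calloc(1, sizeof *peb);
    peb->Ldr = calloc(1, sizeof *peb->Ldr);
    LIST_ENTRY *head = &peb->Ldr->InMemoryOrderModuleList;
    head->Flink = head->Blink = head;
    for (int i = 0; i < 3; i++) {
        LDR_DATA_TABLE_ENTRY *e = calloc(1, sizeof *e);
        size_t n = strlen(names[i]);
        e->BaseDllName.Buffer = calloc(n + 1, sizeof(uint16_t));
        for (size_t j = 0; j < n; j++) e->BaseDllName.Buffer[j] = (uint8_t)names[i][j]; /* ASCII -> UTF-16LE */
        e->BaseDllName.Length = (uint16_t)(n * 2);
        e->BaseDllName.MaximumLength = (uint16_t)((n + 1) * 2);
        e->DllBase = (void *)bases[i];
        LIST_ENTRY *link = &e->InMemoryOrderLinks;   /* append at the list tail */
        link->Flink = head; link->Blink = head->Blink;
        head->Blink->Flink = link; head->Blink = link;
    }
    return peb;
}

int main(void) {
    PEB *peb = build_fake_peb();
    void *k32 = find_module_base(peb, "kernel32.dll");
    printf("kernel32.dll base: %p\n", k32);
    return k32 ? 0 : 1;
}
```

Once the base is known, the shellcode's next step is to parse kernel32's export table for GetProcAddress or LoadLibraryA; that part is not shown here. Note that the Buffer comparison must use the byte Length field rather than look for a terminator, and that the walk must be compiled for the same bitness as the target process, since every offset above differs between x86 and x64.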
This whole process actually turned out well: even though copying the code to another memory location sounds inefficient, the code ends up modular, because you need to do the same thing anyway if you want to inject it into another process. So I hope whoever reads this blog (which is not many) can benefit from my experience; see the code here. Feel free to check out my other code as well :)
The API hooking business turned out great: I was able to hook the time-related APIs using my injection code (I use MinHook to do the actual API hooking). The days-remaining counter stays at 1 day forever. But what happens if the trial has already expired? It turned out there is a much easier way to reset the days-remaining counter: you just need to delete a key in the registry. How did I find this out?
It was quite simple. Step one: create a virtual machine in VirtualBox. Since the target program runs on Windows I chose to create a Linux virtual machine. Why? Because I wanted to run it under Wine, to keep the registry and filesystem clean: a real Windows install does who knows what with the registry and filesystem, not so with Wine. Once I had installed the program under Wine I kept creating backups of the Wine prefix at different points: one right after a fresh install, another after the program had finished running, and yet another after the program had finished running at a different time (I wanted to know where the days-remaining counter was set). By comparing the registry from the different points in time you immediately see how they track the number of days remaining. I was actually worried that they would store the time info in a secret file hidden somewhere in the filesystem, but thankfully that wasn't the case.
It is actually quite interesting: the time information was stored (encrypted, no surprise there) under a very innocent-sounding registry name, MainWindowsParam. LoL, I guess they wanted to confuse people by hiding crucial information behind a plain and misleading name. So if you just erase the whole key and its subkeys, you're golden: the program will think you still have 30 days remaining :) And so, after a few long years, I have my vengeance, muahuahahahahaha
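The snapshot comparison described above, as an added example (not the post's own tooling). Wine keeps its registry as plain text inside the prefix (user.reg, system.reg), so two backups of the prefix can be compared directly; a plain diff works but is noisy, because Wine rewrites the timestamp on every key line when it saves. The code below compares only the value lines under each key and reports the keys whose values differ, which is how a trial counter stored in the registry gives itself away between two runs. The two snapshots are constructed: the key path Software\Vendor\MainWindowsParam, the other key and value names, and the hex blob are all made up for the example.

```c
/* Added example, not the original post's code: report the keys whose values
 * differ between two Wine registry snapshots. Snapshots are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS 64
#define MAX_BLOB 2048

typedef struct {
    char name[256];
    char blob[2][MAX_BLOB];   /* value lines of this key in snapshot 0 and 1 */
} KeyRec;

static KeyRec keys[MAX_KEYS];
static int nkeys;

static KeyRec *key_slot(const char *name) {
    for (int i = 0; i < nkeys; i++)
        if (strcmp(keys[i].name, name) == 0) return &keys[i];
    if (nkeys == MAX_KEYS) return NULL;
    KeyRec *k = &keys[nkeys++];
    snprintf(k->name, sizeof k->name, "%s", name);
    return k;
}

/* Parse one snapshot. "[key] <timestamp>" lines select the current key (the
 * timestamp is dropped); value lines ("name"=..., @=..., and indented hex
 * continuation lines) are appended to that key's blob. Everything else
 * (#time= lines, comments, blank lines) is ignored. */
static void load_snapshot(const char *text, int which) {
    KeyRec *cur = NULL;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] == '[') {
            char *end = strchr(line, ']');
            if (end) end[1] = '\0';
            cur = key_slot(line);
        } else if (cur && (line[0] == '"' || line[0] == '@' || line[0] == ' ')) {
            size_t used = strlen(cur->blob[which]);
            snprintf(cur->blob[which] + used, MAX_BLOB - used, "%s\n", line);
        }
        p = nl ? nl + 1 : p + len;
    }
}

/* Fill out[] with the names of keys whose values were added, removed or
 * modified between the two snapshots and return how many there are. */
int changed_keys(const char *before, const char *after, const char **out, int max_out) {
    nkeys = 0;
    memset(keys, 0, sizeof keys);
    load_snapshot(before, 0);
    load_snapshot(after, 1);
    int n = 0;
    for (int i = 0; i < nkeys && n < max_out; i++)
        if (strcmp(keys[i].blob[0], keys[i].blob[1]) != 0) out[n++] = keys[i].name;
    return n;
}

/* Constructed snapshots in Wine's .reg syntax ("\\" separates key components;
 * a trailing backslash continues a hex value on the next line). */
const char FRESH_INSTALL[] =
    "WINE REGISTRY Version 2\n"
    ";; All keys relative to \\\\User\\\\S-1-5-21-0-0-0-1000\n\n"
    "[Software\\\\Vendor\\\\Editor] 1700000000\n"
    "#time=1da1b2c3d4e5f60\n"
    "\"InstallDir\"=\"C:\\\\Program Files\\\\Editor\"\n\n"
    "[Software\\\\Vendor\\\\MainWindowsParam] 1700000000\n"
    "#time=1da1b2c3d4e5f60\n"
    "\"Data\"=hex:3a,9f,01,22,b7,0c,\\\n"
    "  41,e0\n\n"
    "[Software\\\\Wine\\\\Fonts] 1699999000\n"
    "#time=1da1b2c3d4e5f00\n"
    "\"LogPixels\"=dword:00000060\n";

const char AFTER_RUN[] =   /* the same prefix after the program ran a day later */
    "WINE REGISTRY Version 2\n"
    ";; All keys relative to \\\\User\\\\S-1-5-21-0-0-0-1000\n\n"
    "[Software\\\\Vendor\\\\Editor] 1700086400\n"     /* only the timestamp moved */
    "#time=1da1b2c3d4e6000\n"
    "\"InstallDir\"=\"C:\\\\Program Files\\\\Editor\"\n\n"
    "[Software\\\\Vendor\\\\MainWindowsParam] 1700086400\n"
    "#time=1da1b2c3d4e6000\n"
    "\"Data\"=hex:3a,9f,01,22,c8,5d,\\\n"             /* the blob changed */
    "  12,7b\n\n"
    "[Software\\\\Wine\\\\Fonts] 1699999000\n"
    "#time=1da1b2c3d4e5f00\n"
    "\"LogPixels\"=dword:00000060\n";

int main(void) {
    const char *out[MAX_KEYS];
    int n = changed_keys(FRESH_INSTALL, AFTER_RUN, out, MAX_KEYS);
    for (int i = 0; i < n; i++) printf("changed: %s\n", out[i]);
    return 0;
}
```

On a real prefix, read user.reg (and system.reg) from each backup into a buffer and pass the two buffers to changed_keys. Take the third snapshot after another run on a different date, as the post does: a key that changes between every run is a last-run timestamp or counter, while a key that changes only once is more likely the install date, and that is the one to delete.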
Well, that's all for now, see ya!