SOFTCAB TextGuard v1.1

http://www.softcab.com

TextGuard v1.1

SoftICE

Visual Basic (or any other Language)

Essay by NUKEM

Beginner (x)

Advanced ( )

Expert ( )


 



First start TextGuard and fill in the Registration Dialog. You will not enter the right serial the first time, so you get an error message.

After that the Registration Dialog closes. That is a nuisance, and I will explain why later.

Start the Registration Dialog again and, before you hit the OK button, set a breakpoint on GetDlgItemTextA in SoftICE (bpx GetDlgItemTextA).

To follow my steps, use the same input as me: Name: NUKEM , Serial: 121212

Hit the OK button and SoftICE breaks.

USER!GETDLGITEMTEXTA
018F:BFF51743 B1A1 MOV CL,A1 // you land here

------- USER32!.text+0740 -------- // check where you are: still inside USER32, so step out by hitting F12 once

------ TEXTGUARD!UPX0+1C23 ------- // now you are in TextGuard's own code (the section name UPX0 tells you the binary is UPX-packed, but in memory it is already unpacked), so let us look at what happens

:00402C29 C20C00 ret 000C // returns to


:00404527 6880000000 push 00000080 
:0040452C 68A0E04000 push 0040E0A0
:00404531 68FC030000 push 000003FC
:00404536 8BCE mov ecx, esi
:00404538 E8D3E6FFFF call 00402C10 // if you trace over this call, SoftICE throws you out into USER32 again (the breakpoint fires once more)
:0040453D 6820E04000 push 0040E020 
:00404542 E899E0FFFF call 004025E0 
:00404547 68A0E04000 push 0040E0A0 
:0040454C E82FE1FFFF call 00402680 
:00404551 83C408 add esp, 00000008 
:00404554 E8B7010000 call 00404710 


----- USER!text+0740 ----

Hit F12 once more


:00402C29 C20C00 ret 000C // you land here, and it returns to

:0040453D 6820E04000 push 0040E020
:00404542 E899E0FFFF call 004025E0
:00404547 68A0E04000 push 0040E0A0
:0040454C E82FE1FFFF call 00402680
:00404551 83C408 add esp, 00000008
:00404554 E8B7010000 call 00404710 // step in here

....................

:00404710 68A0E04000 push 0040E0A0
:00404715 6820E04000 push 0040E020
:0040471A E8D1FEFFFF call 004045F0 // Step in here

:004045F0 53 push ebx
:004045F1 8B5C240C mov ebx, dword ptr [esp+0C]
:004045F5 56 push esi

* Reference To: KERNEL32., Ord:0000h
|
:004045F6 8B3598B04000 mov esi, dword ptr [0040B098]
:004045FC 57 push edi
:004045FD 53 push ebx
:004045FE FFD6 call esi // KERNEL32 import; its result is used as the length of the serial (EBX = 0040E0A0)
:00404600 83F803 cmp eax, 00000003
:00404603 0F8C9A000000 jl 004046A3 // serial shorter than 3 characters: bail out
:00404609 8B7C2410 mov edi, dword ptr [esp+10] // EDI = name buffer 0040E020
:0040460D 57 push edi
:0040460E FFD6 call esi // length of the name
:00404610 83F803 cmp eax, 00000003
:00404613 0F8C8A000000 jl 004046A3 // name shorter than 3 characters: bail out
:00404619 53 push ebx
:0040461A FFD6 call esi
:0040461C 8D4418FF lea eax, dword ptr [eax+ebx-01] // EAX points to the last byte of the serial
:00404620 3BC3 cmp eax, ebx
:00404622 760A jbe 0040462E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040462C(C)
|
:00404624 80382D cmp byte ptr [eax], 2D // walk the serial backwards looking for '-'
:00404627 7405 je 0040462E
:00404629 48 dec eax
:0040462A 3BC3 cmp eax, ebx
:0040462C 77F6 ja 00404624 // stops at the first byte without testing it

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404622(C), :00404627(C)
|
:0040462E 8A07 mov al, byte ptr [edi] // AL = first character of the name
:00404630 33F6 xor esi, esi // ESI = 0, the running value of the algorithm
:00404632 84C0 test al, al
:00404634 8BCF mov ecx, edi
:00404636 743D je 00404675 // end of the name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040466D(C)
|
:00404638 3C20 cmp al, 20 // space, CR and LF jump to 00404667, the instruction behind the calculation
:0040463A 742B je 00404667
:0040463C 3C0D cmp al, 0D
:0040463E 7427 je 00404667
:00404640 3C0A cmp al, 0A
:00404642 7423 je 00404667
:00404644 3C61 cmp al, 61 // is it 'a'..'z'?
:00404646 7C0C jl 00404654
:00404648 3C7A cmp al, 7A
:0040464A 7F08 jg 00404654
:0040464C 0FBEC0 movsx eax, al
:0040464F 83E820 sub eax, 00000020 // lowercase letter -> uppercase
:00404652 EB03 jmp 00404657

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404646(C), :0040464A(C)
|
:00404654 0FBEC0 movsx eax, al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404652(U)
|
:00404657 8D14C500000000 lea edx, dword ptr [8*eax+00000000] // Start of Algo
:0040465E 2BD0 sub edx, eax
:00404660 8D1496 lea edx, dword ptr [esi+4*edx]
:00404663 8D740211 lea esi, dword ptr [edx+eax+11]


If you can't follow an algorithm the first time, you can normally break exactly at its start by
setting a breakpoint on EIP (bpx EIP). It will not work here, and that is what I meant at the beginning
of this essay: the Registration Dialog closes, so you cannot break again directly at the algorithm and
have to come in through GetDlgItemTextA once more.

:00404657 8D14C500000000 lea edx, dword ptr [8*eax+00000000]

EAX = 78 (decimal), the ASCII code of "N", the first letter of "N"UKEM. EDX = 78 * 8 + 0 = 624.

:0040465E 2BD0 sub edx, eax

EDX = EDX - EAX = 624 - 78 = 546.

:00404660 8D1496 lea edx, dword ptr [esi+4*edx]

ESI is 0 at the start (xor esi, esi at 00404630), so EDX = 546 * 4 + 0 = 2184.

:00404663 8D740211 lea esi, dword ptr [edx+eax+11]

ESI = EDX + EAX + 11h (11 hex = 17 decimal) = 2184 + 78 + 17 = 2279.

That's all: the loop repeats these four instructions for every character of the name and accumulates in ESI. Written out, one round is ESI = ESI + 29 * EAX + 17 (8*c - c = 7c, times 4 = 28c, plus c and 17). Two details from the listing above matter for a keygen: lowercase letters are turned into uppercase before the calculation (sub eax, 20 at 0040464F), and space, CR and LF jump to 00404667, which is the instruction directly behind the lea at 00404663, so they add nothing.




'---------- VB SourceCode Start -------------

'Create two TextBoxes and a CommandButton
'Write the code below in the CommandButton's Click event
'Variable names follow the registers in the disassembly above

Private Sub Command1_Click()
    Dim ESI As Long, EAX As Long, EDX As Long, i As Long

    ESI = 0

    For i = 1 To Len(Text1.Text)
        EAX = Asc(Mid$(Text1.Text, i, 1))

        'Space, CR and LF jump to 00404667, behind the calculation, so they add nothing
        If EAX <> 32 And EAX <> 13 And EAX <> 10 Then
            'Lowercase letters are converted to uppercase (sub eax, 20 at 0040464F)
            If EAX >= 97 And EAX <= 122 Then EAX = EAX - 32

            EDX = EAX * 8 + 0       'lea edx, [8*eax]
            EDX = EDX - EAX         'sub edx, eax
            EDX = EDX * 4 + ESI     'lea edx, [esi+4*edx]
            ESI = EAX + EDX + 17    'lea esi, [edx+eax+11]
        End If
    Next i

    Text2.Text = ESI

End Sub

'That's all

'---------- VB SourceCode END ---------------
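The whole routine at 004045F0 as it appears on the page, as an added Python example. This is not code from NUKEM's essay or from softcab: it re-implements the listing above, including the two length checks, the backwards scan of the serial for '-', the case fold and whitespace skip inside the loop, and the 32-bit wraparound of ESI that the VB keygen does not model. Which buffer is the name and which the serial is inferred from the listing (EDI = 0040E020 is the buffer the loop reads 'N' from, EBX = 0040E0A0 is the one scanned for '-'); that space, CR and LF contribute nothing is inferred from their jump target 00404667 sitting directly behind the accumulate; and nothing past the loop is shown on the page, so the example stops where the listing does. The sample input is the essay's own (Name NUKEM, Serial 121212).

```python
# Added example: Python re-implementation of TextGuard's routine at 004045F0,
# reconstructed from the SoftICE/W32Dasm listing in the essay. Not the
# program's own code; name/serial roles and the whitespace skip are inferred.

MASK32 = 0xFFFFFFFF  # ESI/EDX/EAX are 32-bit registers, so wrap like them


def lengths_ok(name: bytes, serial: bytes) -> bool:
    """00404600 / 00404610: the KERNEL32 import called through ESI (used as a
    string length) must return >= 3 for the serial (EBX) and the name (EDI),
    otherwise `jl 004046A3` leaves the routine."""
    return len(serial) >= 3 and len(name) >= 3


def dash_offset(serial: bytes) -> int:
    """0040461C..0040462C: EAX starts on the serial's last byte and walks
    backwards until it finds '-' (2Dh) or reaches the first byte. The first
    byte itself is never tested (`ja`, not `jae`), so a leading '-' counts
    as "none". Returns the index where EAX stops (0 = no '-' found). In the
    listing EAX is overwritten at 0040462E before anything reads it, so how
    this position is used later is not visible on the page."""
    i = len(serial) - 1
    while i > 0:
        if serial[i] == 0x2D:
            return i
        i -= 1
    return 0


def textguard_hash(name: bytes) -> int:
    """Loop 00404638..0040466D: the value left in ESI after walking the name.

    Per byte:
      space, CR, LF  -> jump to 00404667, behind the accumulate, so skipped
      'a'..'z'       -> movsx eax, al; sub eax, 20h (folded to upper case)
      anything else  -> movsx eax, al (bytes >= 80h are sign-extended)
    then the four instructions at 00404657..00404663, which amount to
    ESI = ESI + 29*EAX + 17.
    """
    esi = 0
    for ch in name:
        if ch in (0x20, 0x0D, 0x0A):
            continue
        if 0x61 <= ch <= 0x7A:
            eax = ch - 0x20
        else:
            eax = ch - 0x100 if ch >= 0x80 else ch  # movsx: signed byte
        edx = (eax * 8) & MASK32            # lea edx, [8*eax]
        edx = (edx - eax) & MASK32          # sub edx, eax         (7*eax)
        edx = (esi + 4 * edx) & MASK32      # lea edx, [esi+4*edx] (esi+28*eax)
        esi = (edx + eax + 0x11) & MASK32   # lea esi, [edx+eax+11h]
    return esi


def trace(name: bytes, serial: bytes) -> dict:
    """Run the visible part of the routine and report each intermediate."""
    if not lengths_ok(name, serial):
        return {"ok": False, "reason": "name or serial shorter than 3 bytes"}
    return {"ok": True,
            "dash_offset": dash_offset(serial),
            "esi": textguard_hash(name)}


if __name__ == "__main__":
    # The essay's own input (constructed test data): Name NUKEM, Serial 121212
    print(trace(b"NUKEM", b"121212"))  # esi 11221, dash_offset 0
```

For "NUKEM" the first round gives the 2279 from the walkthrough above and the loop ends at 11221; "nukem" and "nu kem" give the same value because of the case fold and the whitespace skip. The `& MASK32` steps only matter for very long names or for bytes above 7Fh, but they keep the Python value identical to what SoftICE shows in ESI.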