-----------------------------------------------------------
Cracking InstaPass Pro v1.20  by Ashish Computer Systems
By cHaron
-----------------------------------------------------------


Target:
-------
InstaPass Pro v1.20  by Ashish Computer Systems

This program can find the database password for MS Access databases from
Access '95 and up to Access 2000.
You can find the demo version at http://www.ashishsystems.com
This demo version is limited to files up to 150 kilobyte in size.


Required software:
------------------
SoftICE for Windows 9x v4.05 (search the net, buy it, or download evaluation
   version from www.numega.com)
HIEW v6.16 (I think you can find it on protools.cjb.net)
ANY MS Access '95 or newer database over 150kb in size - if you can't find
   one, or don't know how to create one yourself, email me.
TDUMP.EXE - I'm not around my own computer right now, but I think it is
   Turbo Dump, or something. I'll correct this in the next version, but
   for now I'd just like some feedback.


Preface:
--------
I have been into the art of Reversing for the past three or four years now,
but I have never really taken the time to find some tutorials on the 'net to
get myself really started. Many people claim that reversing is very difficult
to learn and master, but in reality all it takes is a day or two of dedicated
experimentation, and you're set to go. Of course, you are not anywhere near
a super-reverser yet, but at least you'll know the basics, and if nothing
else you'll be able to do some small, simple reversing/cracking jobs.

In any event, I found it very difficult to find an essay which wasn't too
difficult to read - many contained a lot of small assembly dumps, and those
were pretty hard to follow, so I thought I'd give it a go and write something
which I thought would be good for an apprentice in the art of Reversing.


Background:
-----------
This is pretty much my first crack-job, but it does work, and I have done
other half-baked stuff before this. The meaning of this essay is to teach
the basics of using SoftICE, and to be a small introduction to reversing
a simple protection.

PLEASE let me know if you've even read this essay, and if you have any
comments, let me know! I want to write more essays in the hope of strengthening
the reverser-community, but if I'm not sure the way I'm writing these essays
is good, it'll be pretty hard to produce any quality.

Also, if there are ANY terms you are unclear on, or any passages which are
unreadable either because of too many fancy words, or because of bad English,
please do not hesitate to let me know!


Tutorial:
---------
First of, it might be a good idea to print this out in some way, since it
is very hard to memorize all the steps. You could also just read it, make
some notes, and try without reading again, but be aware that once you are
inside SoftICE, you can't switch back to a Windows program and read this -
you have to exit the SoftICE-window, and then you'll have to start over.

Try running the program on your database. If your database was over 150kb in
size, you'll see it pops up with an error message when you press "Go".
Since it will be able to do it's job to the fullest as long as the database
is less than 150kb, we will for now assume that it is simply a matter of
checking the filesize and showing a dialog box.

Now, the next step is to see if we can get any help from the .EXE file itself.
I used TDUMP.EXE, but anything that dumps the imports and exports of the EXE-
file can be used. In any event, you'll see that this EXE imports functions
from MSVBVM50.DLL. If you don't already know, this is the runtime DLL for
programs built in Visual Basic v5.0 (Microsoft Visual Basic Virtual
Machine 5.0). If there are anybody who wants me to expand on this subject
(like, what is a runtime DLL, what is Visual Basic, or what imported functions
are), please lemme know, and I'll write a section on it.

Visual Basic is an interpreted language, meaning that you don't actually
do much work in the program file, but rather rely on the .DLL file to supply
the functions you want to do. This makes Visual Basic a VERY high level
language - it is easy to learn, but extremely in-efficient. So, what you
want to do is see which functions are exported from MSVBVM50.DLL, to see if
there are any functions we can set a breakpoint on (more on this later).

Running "TDUMP.EXE c:\windows\system\msvbvm50.dll > msvbvm50.exp" suffices.
This will produce a file called "msvbvm50.exp" with the output from the TDUMP
command. You will see all the exports, which are the functions available
for other programs to use. We are interested in anything that has to do with
file lengths, and perusing down the list we see "rtcFileLen" and
"rtcFileLength". Okay, remember these. Now we will get into action with
SoftICE.


I assume that you have installed SoftICE, and that it is running. You can
verify this by pressing CTRL+D - SoftICE should pop up. Press CTRL+D to
remove it again. If SoftICE is not installed, or it is installed but isn't
working/running, and you'd like me to explain how this should be set up,
email me and I'll include it here.

Now, start InstaPass if it isn't running already. Press CTRL+D to get into
SoftICE.

The layout of the SoftICE screen can be customized, so how it looks on your
screen might vary, but I hope that this short introduction is good enough.
What you see on the top is the registers of the CPU. We'll deal shortly with
this later. Beneath is usually the data window - it is equal to a hex dump
of the memory. This window might not be on your screen, though.
Next is the Code window - this window can display source-code if you are
debugging an application, or it can show assembler-instructions, as it
probably is doing now.
In the lower, right corner you'll see what context we are in now. The context
is the program we are currently working in, and the place where our
breakpoints will take effect. It might read "DISPLAY" or ".text!MsAccess", or
something else. We need to change it to our InstaPass program.
If you type in "ADDR", you will see all the address context's we can switch
to. Now, just type "addr InstaPas", and we will be in InstaPas's context.

Remember to two functions we saw? Now, we can make a breakpoint on these,
so each time one of the two functions are called, SoftICE will halt the
system temporarily, and switch into the debugger (what you are seeing now).
There are many types of breakpoints, but that is for another tutorial.

Right now, we use the "bpx" command. Type these two commands:

    "bpx rtcFileLen"
    "bpx rtcFileLength"

and press CTRL+D. Now, select your test database, and press "Go". SoftICE
interrupts, saying that the breakpoint was encountered.
Just below the CPU registers window, it will say something with "msvbvm50" in
it. This means that the execution point (the point where the computer is 
running code) is in the msvbvm50 module. We want to be in the Instapas-module,
since this is the code we need to hack. If you press F12, SoftICE will trace
the code until it encounters the next "ret"-instruction, meaning that it will
execute all the assembler-instructions, until it meets "ret". The "ret"-
instruction will return the computer to the place where a "call" instruction
was issued.

In this case, in the Instapas-program, the program wants to know the file
length, so it can see if it is larger than the allowed 150 kilobyte.
It calls the function "rtcFileLen", and the computer starts running code from
msvbvm50.dll, where the function rtcFileLen is located. When the "ret"-
instruction is encountered, we are returned to Instapas. This is the point
were we will be after having pressed F12.

Now, in the code window, you will se a lot of numbers, and towards the right
side, these two assembler instructions:

	CMP EAX, 000249F0
        SETGE CL

Now, this is were the registers come into play. If you have ever programmed,
you'll know what a variable is. The registers are variables in the CPU.
If you have never programmed - you might want to try it, good experience... -
this is similar to the x and y stuff from math class. EAX, EBX, ECX and EDX
are four of the variables available to us, and what the first assembler
instruction does is compare the value we have stored in the register EAX
to the hex-value 0x249F0.
Now, at the very top, you'll see the registers, and their current contents.
You can also see the EAX register. Now, try typing "? " and the value you can
see in the EAX register. This will evaluate the expression you have just
typed. Also, it will display the value again, along with the decimal
representation. I'll bet you this value is the same as the filesize of your
test database. So, what it does is compare your test-databases filesize with
0x249F0. Try typing "? 249F0", and you'll see that in decimal this is
"150000". Does this ring a bell? This is precisely what we have been looking
for - the 150kb limit (actually, pretty imprecise, since 150kb = 153600 bytes).

Now, the next instruction is what we want to modify. As I said earlier, I'm
pretty much still learning this, so I'm not quite sure what this command does
precisely, but I know it modifies something based on the flags in the CPU.
The flags, in turn, get set by the result of the CMP command, so what these
two lines do is check if the filesize is greater than 150.000 bytes, and
modifies a flag based upon that comparison.
What we want it to do is ALWAYS return with a success.

We can alter the CMP-instruction, so it compares with a greater value.
"CMP EAX, 00ABCDEF" will make the max filesize equal 11259375 bytes (roughly
11 megabytes), but this is not what we want. No limits! :)
So, we change this (more on how to change later) to "CMP EAX, 00000000", which
will fail always - files over 0 byte not allowed. Now we are sure of the
outcome of the CMP-instruction. On to changing the SETGE-instruction. Now, I
have really not checked what this instruction does, and I will post a more
up-to-date version explaining what this instruction does, but instead I just
toyed around with the manual to NASM, a great freeware assembler - find it
at "htpp://www.cryogen.com/nasm". It listed the different SET* instructions
there are, and I just tested them until I found one which worked :)
Not the most elegant method, I know. Sorry about that...

Anyway, "SETZ CL" worked, and with these two modifications, InstaPass will
accept all files, regardless of size.

This is how you do the actual modification. Bear in mind, though, that this
is only in-memory, and not the actual contents of the file itself we are
changing. Once your quit InstaPass, the changes will be lost - however, I 
will demonstrate how to make the changes permanent a little later on.

The command we are looking for now is "A" for Assemble. This is because we
want to enter the two new machine-code statements we have just figured out.

The argument to A is the address at which we want to start assembling. This
_should_ be 0x00408C42, but there is a little possiblity of this changing
(e.g. a newer or older version of the program). You can see the address
just to the left of the "CMP EAX, ..." instruction in the code window.

Now, type "A 408C42" (or the correct address, if this is not the one)
The input window will display "00408C42 " and wait for your input. Type the
new commands:
    "CMP EAX, 0"
    "SETZ CL"
    and make another blank return, to end the assembler mode.

You will be able to see your changes in the code window.
Lastly, type "bc *" to clear the two breakpoints we've set. We have patched
the memory, and don't want SoftICE to use the breakpoints anymore.
Type CTRL+D, and verify that InstaPass indeed works with files larger than
150kb!

This is actually a crack! There are more things you could do, like change
the text in the About box (it says "Evaluation Version"), but this is
only cosmetic.

What we want to do know is make the changes permanent. There are two ways
to accomplish this. Either we make a process patcher, or we patch the program
now.

The first method is a bit complicated, and outside the scope of this essay.
Suffice to say, you "attach" a small program at the end of the real program,
which will, once the "real" program is loaded, patch certain memory locations.
This has a couple of advantages, but you should search for more information
before using this.

The other method I'll describe here. I wrote that HIEW is a requirement - this
is because it is what I find the easiest to use on these kind of operations.
There might be other editors suited, but for now, stick with HIEW.

Just run HIEW, and use it's file-browser to select InstaPas.exe.
Now, press F4, select Decode, and press F5. We want to go to the location
where we patched the program. If we were using a regular editor, we couldn't
just type "408C42" and get there, since this is a virtual offset, or
something akin to that. Now, here comes the reason why I use HIEW -
type ".408C42", and press RETURN. With the "." in front, HIEW knows it is a
virtual (or whatever) address, and we land smash right where we were in
SoftICE. This time, it's just the actual EXE file.

Now, press F3 to get into edit mode. Navigate the cursor past the "3D"-portion
of the hex-code, and enter "000000". Now, press <TAB> to enter assembler-mode,
and enter "SETZ CL". The reason for not entering the "CMP"-command the same
way is that HIEW translates this to a shorter version, and we have to patch
a little more. Nothing dangerous, but it's just a notch over beginner if you're
totally new to assembler.
Anyway, <ESC> to quit assembler-mode, press F9 to keep the changes, and press
F10 to exit HIEW. Quit any running InstaPass-instances, start the new
patched version, and voila - no limits! Your very own, semi-registered
InstaPass!

-------------------------------------------------------------------------------

I hope this essay has been helpfull. If you feel something is missing,
something is wrong, something is unexplained, have something nice to say
about it (or bad), or just want to chat, please email me at
    charon@synaptic.8m.com

/ cHaron '00

