Reversing MXaudio - different version, different approach
by krasi
Before me, +ReZiDeNt wrote an essay about this program's protection scheme some three years ago.
This document is meant for beginners at the art of reversing on the Linux platform.
When you hear "cracking software for Linux", almost everyone thinks "Damn, it's pretty
hard reversing that freeware". Linux went commercial (though the OS itself is free) a long time ago.
Shareware is not very common for Linux software, but it exists. I started poking at this
particular program as I needed a start in Linux reversing and I thought that this program would
be a good start. I used MXaudio some 2 or 3 years ago, when it was maybe the only X11 mp3 player
for Linux. I started reading +ReZiDeNt's essay, but the dasm output there wasn't even close to my
dasm output, so I thought: well, the guys have changed the program, I shall continue on my own.
As I am only a beginner in Linux reversing, bear with me and correct me afterwards if the essay
is wrong in any way.
Tools
As I hate reading an essay that was written some time ago, where the links to the software site
no longer work, or that particular version of the program is no longer on the internet, I have put
all the required tools and the program itself into files.required.tar.gz.
This archive consists of dasm and xaudio-1.05. That's it. You also need objdump (it comes with most
Linux distributions), gdb (also), hexedit (or any other hex editor) and perl, as dasm is a perl script.
We will now reverse mxaudio, the statically linked version.
When you run the program, a nasty window appears: "The version is unregistered, Try it or enter the
license code". The program is not cut down in features, so we have two options: change the program
so this window will not appear and keep the program unregistered, or try to find out the correct
license key and register it. I thought the first approach was easier, so I chose it.
So what should I do first?
I tried using strace on the program and looked in the output file for whether some suspicious file
would be looked for. Use strace like this: strace -omxaudio.strace ./mxaudio.
I have no idea why strace gave a segmentation fault while running mxaudio, but nevertheless
the mxaudio.strace file was usable. Looking in it, the suspicious file is right there:
--------
open("/home/krasi/.xaudio/license-key", O_RDONLY) = -1 ENOENT (No such
file or directory)
-------
I put '123456' in that file to see what would happen and ran strace again:
--------
open("/home/krasi/.xaudio/license-key", O_RDONLY) = 0
fstat(0, {st_mode=02400006, st_size=3, ...}) = 0
mmap(0x50006, 65532, 0x60000, 0x6 /* MAP_??? */|0x30000, 65534, 0x60000) = 0x40008000
read(0, "123456\n", 4096) = 7
-------
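Reading a whole strace log by eye for lines like the ones above gets tedious quickly, so here is an added Python example (not part of this essay and not one of its tools) that pulls the open()/openat() lines out of a trace and lists the paths the program looked for but did not find. The same check is useful whenever you want to know which config or credential files any program reads. The trace it parses is constructed from the lines quoted above plus a few ordinary lines a real trace contains; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample trace, modelled on the strace lines quoted in the essay plus a
# couple of ordinary lines a real trace would contain. Not real program output.
SAMPLE_STRACE = """\
execve("./mxaudio", ["./mxaudio"], [/* 20 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/home/krasi/.xaudio/license-key", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/krasi/.xaudio/license-key", O_RDONLY) = 0
read(0, "123456\\n", 4096) = 7
"""

# One line of the form   open("<path>", <flags>) = <ret> [<ERRNO> (<message>)]
# Old strace wraps long lines; join a wrapped line with the next one before parsing.
OPEN_RE = re.compile(
    r'^(?P<call>open|openat)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+)\s*\((?P<msg>[^)]*)\))?\s*$'
)
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # first quoted argument = the path


@dataclass
class OpenCall:
    path: str
    flags: str
    ret: int
    errno: Optional[str]   # e.g. "ENOENT" when the call failed, else None

    @property
    def failed(self) -> bool:
        return self.ret < 0


def parse_open_calls(trace: str) -> List[OpenCall]:
    """Return every open()/openat() call in an strace log, in order."""
    calls = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        pm = PATH_RE.search(args)
        if not pm:
            continue
        # the flags are the argument right after the path, e.g. O_RDONLY
        rest = args[pm.end():].lstrip(", ")
        flags = rest.split(",")[0].strip() if rest else ""
        calls.append(OpenCall(pm.group(1), flags, int(m.group("ret")), m.group("errno")))
    return calls


def missing_files(trace: str) -> List[str]:
    """Paths the program looked for but did not find (ENOENT), without duplicates.
    A missing file under the user's home directory is a classic place for a
    licence key, config or credential store, which is why it stands out."""
    seen: List[str] = []
    for c in parse_open_calls(trace):
        if c.errno == "ENOENT" and c.path not in seen:
            seen.append(c.path)
    return seen


def file_history(trace: str, path: str) -> List[str]:
    """Outcome of each open() of one path, in order: the errno, or the fd returned."""
    return [c.errno if c.failed else f"fd {c.ret}"
            for c in parse_open_calls(trace) if c.path == path]


if __name__ == "__main__":
    for p in missing_files(SAMPLE_STRACE):
        print("looked for but missing:", p, file_history(SAMPLE_STRACE, p))
```

Run on the two traces from above (concatenated here as SAMPLE_STRACE), it reports the license-key path once as missing and shows its history as ENOENT on the first run and an open file descriptor on the second.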
But I had no idea what to do next with that info, so I decided to move on
to dasm.
Use dasm like this: dasm ./mxaudio mxaudio.dasm. Now let's look at the
output file.
We are particularly interested in "Xaudio Shareware", as this is the name of the nasty
window. Here it is:
----------
Possible reference to string:
"Xaudio Shareware"
0x0806bf9f pushl $0x8199f01
0x0806bfa4 call 0x0804f0d0
0x0806bfa9 addl $0x20,%esp
0x0806bfac movl %eax,%esi
----------
Examining further, we have below references to, respectively, form, splash, Try It, Enter License Key.
So we must be exactly where we want to be, as "Try It" and "Enter License Key" are the two buttons
on the window. Now that we know this is the right place to look, I decided to look upwards to see
where in the program this window is called from.
-------------
Referenced from call at 0x08053023 ;
0x0806bf5c pushl %ebp
0x0806bf5d movl %esp,%ebp
0x0806bf5f pushl %edi
0x0806bf60 pushl %esi
0x0806bf61 pushl %ebx
0x0806bf62 pushl $0x0
0x0806bf64 pushl $0x1
0x0806bf66 pushl $0x81e00a4
0x0806bf6b pushl $0x0
0x0806bf6d pushl $0x81dfe48
0x0806bf72 movl 0x8(%ebp),%ebx
0x0806bf75 testl %ebx,%ebx
0x0806bf77 je 0x0806bf98
Referenced from jump at 0x0806bf96 ;
0x0806bf79 pushl $0x40
0x0806bf7b pushl %ebx
0x0806bf7c call 0x0804fe40
0x0806bf81 addl $0x8,%esp
0x0806bf84 testb %al,%al
0x0806bf86 jne 0x0806bf98
0x0806bf88 pushl %eax
0x0806bf89 pushl %ebx
0x0806bf8a call 0x0804f7a0
0x0806bf8f movl %eax,%ebx
0x0806bf91 addl $0x8,%esp
0x0806bf94 testl %ebx,%ebx
0x0806bf96 jne 0x0806bf79
Referenced from jump at 0x0806bf77 ; 0x0806bf86 ;
0x0806bf98 pushl %ebx
0x0806bf99 movl 0x81ce300,%eax
0x0806bf9e pushl %eax
------------
So our first chance is 0x0806bf77. It didn't make much sense to me, as it was not that obvious
at the beginning, so I played around with gdb, setting breakpoints at bf77, bf86 and bf98.
Setting a breakpoint in gdb is easy: $gdb ./mxaudio; gdb>br *0x806bf77 ... Use 'c' to continue the program.
After some time I moved to 0x08053023; the previous instruction is ret, so this had to be the call.
----------
0x08053023 call 0x0806bf5c
----------
Let's now change this call to a nop and hopefully we will achieve our goal.
First use objdump: objdump -d --show-raw-insn ./mxaudio > mxaudio.objdump
------------
8053023: e8 34 8f 01 00 call 0x806bf5c
8053028: 83 c4 08 addl $0x8,%esp
------------
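To see why the five bytes in that objdump line are a call to 0x806bf5c, and how dasm arrives at its "Referenced from call at 0x08053023" line, here is an added Python example (not from the essay, not from dasm or objdump) that decodes an x86 E8 rel32 near call from raw bytes and scans a byte buffer for calls to a given target. PAGE_BASE and PAGE_BYTES are copied from the listing above; the function names are my own.

```python
import struct
from typing import List

# Bytes exactly as the objdump listing shows them, starting at 0x08053023:
#   e8 34 8f 01 00   call 0x806bf5c
#   83 c4 08         addl $0x8,%esp
PAGE_BASE = 0x08053023
PAGE_BYTES = bytes.fromhex("e8348f0100" "83c408")


def decode_call_rel32(addr: int, code: bytes) -> int:
    """Decode a 5-byte 'E8 rel32' near call that sits at `addr`.

    The displacement is a signed 32-bit little-endian value relative to the
    address of the *next* instruction (addr + 5), so 34 8f 01 00 is +0x18f34 and
    0x08053028 + 0x18f34 = 0x0806bf5c, the function that builds the nag window.
    """
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 call at this position")
    (disp,) = struct.unpack_from("<i", code, 1)   # signed, little-endian
    return (addr + 5 + disp) & 0xFFFFFFFF         # wrap like a 32-bit EIP


def find_calls_to(target: int, base: int, code: bytes) -> List[int]:
    """Addresses of every E8 rel32 call in `code` (loaded at `base`) that lands on `target`.

    This is what dasm's 'Referenced from call at ...' line does for you. It is a
    linear sweep over every byte offset, so in a real binary an 0xE8 inside data or
    in the middle of another instruction can produce a false hit; check candidates
    against a real disassembly before trusting them.
    """
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        if decode_call_rel32(base + off, code[off:off + 5]) == target:
            hits.append(base + off)
    return hits


if __name__ == "__main__":
    print(hex(decode_call_rel32(PAGE_BASE, PAGE_BYTES)))
    print([hex(a) for a in find_calls_to(0x0806BF5C, PAGE_BASE, PAGE_BYTES)])
```

Because the displacement is relative to the next instruction, a call's bytes only mean something together with the address they sit at; that is also why the same search string must be matched at the right offset in the file before touching anything.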
Fire up hexedit, search for "e8348f010083c408" and change
"e8 34 8f 01 00" to "90 90 90 90". With this we change the call instruction to 4 nops.
Voila. The nasty window does not appear. Whether this was pure luck I do not know, but hopefully you
learned something from this essay. I wrote it only because the collection of essays on the +HCU Linux
page was way too small. Anyway, the program is still unregistered; if that irritates you, continue
examining the program and do it yourself.
Greetings
I would like to thank _dose for his great essays. (If you are a beginner
like me, start with them.)
Disclaimer
I have done this only for educational purposes; if you intend to use this program, go and buy it.
I cannot be held liable for your actions.
Final Notes
I have written this essay in about an hour, so it is probably full of mistakes and the matter is not
very well explained, but anyway feedback is welcome at the message board (http://mb.hcunix.org/).