Left 4 dead attack strategy


[Article title]: Left 4 Dead attack strategy
[Author]: sunwayking
[Author's email]: Sunwayking@163.com
[Author's homepage]: Http://hi.baidu.com/suwnay
[Author's QQ number]: 410109674
[Software name]: Left 4 Dead (Survival path)
[Software size]: NULL
[]: Search and download by yourself
[Packing method]: Steam app
[Protection method]: Steam detection + compression shell
[Programming language]: VC++
[Tools]: OD, PE Tools
[Operating platform]: Windows
[Software introduction]: Left 4 Dead is a very successful FPS game.
[Author's statement]: for studying encryption and decryption technology only, not for cracking! If there are errors, please point them out!
--------------------------------------------------------------------------------
[Detailed process]
Hello everyone, I promised long ago to release the detailed cracking process of Left 4 Dead (L4D); I have been very busy recently, so it was delayed until now. Now let's get to the topic...

First, let's take a general look at the game's protection. When left4dead.exe is run, the game does not start; instead the Steam login window appears. (If you have Steam installed, leave the Steam login window open and run L4D again: this time you can enter the game.) So it can be determined that the game contains code that checks whether Steam is running (note that the game does not require you to log on).

So we keep the Steam login window open and load left4dead.exe in OD:

0041c2ed> 53                push ebx
0041c2ee  51                push ecx
0041c2ef  52                push edx
0041c2f0  56                push esi
0041c2f1  57                push edi
0041c2f2  55                push ebp
0041c2f3  8bec              mov ebp, esp
0041c2f5  81ec 00100000     sub esp, 1000
0041c2fb  c785 78ffffff F>  mov dword ptr [ebp-88], 0041e1f4
0041c305  8bb5 78ffffff     mov esi, dword ptr [ebp-88]
0041c30b  b9 d9000000       mov ecx, 0d9
0041c310  8dbd 10fcffff     lea edi, dword ptr [ebp-3F0]
0041c316  f3:a5             rep movs dword ptr es:[edi], dword p>
0041c318  8d85 10fcffff     lea eax, dword ptr [ebp-3F0]
0041c31e  8985 04fcffff     mov dword ptr [ebp-3FC], eax
0041c324  c785 d4fbffff 7>  mov dword ptr [ebp-42C], 54b777d

Note the following: when debugging L4D, in some versions of OD stepping over a call with F8, or using F4, makes the program run away; the simplest solution is to step over with the F2 + F9 combination (set a breakpoint on the next instruction and run).

When I debugged L4D for the first time, I did not single-step; I just scrolled down, because the code that goes to the OEP is usually a big cross-segment jump. Judging from the current entry point, which pushes the registers onto the stack in sequence, I reasoned that before the big jump to the OEP the registers would be popped off the stack according to the FILO (first in, last out) principle, that is:

pop ebp
pop edi
pop esi
pop edx
pop ecx
pop ebx
jmp [OEP]

Sure enough, the required code is found below:

0041d96b  8b85 d0fbffff     mov eax, dword ptr [ebp-430]
0041d971  81c4 00100000     add esp, 1000
0041d977  5d                pop ebp
0041d978  5f                pop edi
0041d979  5e                pop esi
0041d97a  5a                pop edx
0041d97b  59                pop ecx
0041d97c  5b                pop ebx
0041d97d  ffe0              jmp eax                          ; this jumps to the OEP
0041d97f  0fbe85 44fcffff   movsx eax, byte ptr [ebp-3BC]
0041d986  83f8 35           cmp eax, 35
Set a breakpoint on "jmp eax" (F2), then run the program (F9); it stops at "jmp eax". If your OD does not run away with F4 (run to the selected line), you can use F4 as well.
From here we continue with F8; after some twists and turns and one big jump, we finally reach the OEP:

004018b0  e8 55330000       call 00404c0a
004018b5 ^e9 16feffff       jmp 004016d0
004018ba  56                push esi
004018bb  8b35 9cf04000     mov esi, dword ptr [40f09c]
004018c1  eb 26             jmp short 004018e9
004018c3  57                push edi
004018c4  50                push eax
004018c5  ff7424 10         push dword ptr [esp+10]
004018c9  e8 11350000       call 00404ddf
004018ce  83c4 0c           add esp, 0c
004018d1  85c0              test eax, eax
004018d3  75 11             jnz short 004018e6

Here, at 004018B0, dumping the memory with the plug-in provided by OD fails with a read error, although the memory image actually has read/write permission at this point. So run PE Tools to dump the process instead, delete the last two sections, correct the entry point (OEP) to the 004018B0 we found, and rebuild the PE file. Steam has now been completely removed; the final file size should be 80 KB to 90 KB.

Now let's look back at the general flow of the protection code. I did not analyze it in detail; in fact, cracking a program does not require analyzing all of its code, and some of the code looks very strange or even stupid because it is compiler-generated.

The following code segments can cause the game not to run (either quitting or launching Steam):

1.

0041c7e4  0fb685 acf2ffff   movzx eax, byte ptr [ebp-D54]
0041c7eb  85c0              test eax, eax
0041c7ed  75 11             jnz short 0041c800               ; key location
0041c7ef  c685 44fcffff 4>  mov byte ptr [ebp-3BC], 45
0041c7f6  e9 84110000       jmp 0041d97f
0041c7fb  e9 7f110000       jmp 0041d97f
0041c800  ff55 f0           call dword ptr [ebp-10]

2.

0041c866  8885 44fcffff     mov byte ptr [ebp-3BC], al
0041c86c  0fbe85 44fcffff   movsx eax, byte ptr [ebp-3BC]
0041c873  83f8 30           cmp eax, 30
0041c876  74 0a             je short 0041c882                ; key location
0041c878  e9 02110000       jmp 0041d97f
0041c87d  e9 fd100000       jmp 0041d97f
0041c882  64:a1 18000000    mov eax, dword ptr fs:[18]
0041c888  8985 78fbffff     mov dword ptr [ebp-488], eax

3.

0041c8d5  0fb685 77fbffff   movzx eax, byte ptr [ebp-489]
0041c8dc  85c0              test eax, eax
0041c8de  74 11             je short 0041c8f1                ; key location
0041c8e0  c685 44fcffff 5>  mov byte ptr [ebp-3BC], 54
0041c8e7  e9 93100000       jmp 0041d97f
0041c8ec  e9 8e100000       jmp 0041d97f
0041c8f1  8b85 34fcffff     mov eax, dword ptr [ebp-3CC]
0041c8f7  8b00              mov eax, dword ptr [eax]

4.

0041cac7  8885 44fcffff     mov byte ptr [ebp-3BC], al
0041cacd  0fbe85 44fcffff   movsx eax, byte ptr [ebp-3BC]
0041cad4  83f8 30           cmp eax, 30
0041cad7  74 0a             je short 0041cae3                ; key location
0041cad9  e9 a10e0000       jmp 0041d97f
0041cade  e9 9c0e0000       jmp 0041d97f
0041cae3  8b85 34fcffff     mov eax, dword ptr [ebp-3CC]
0041cae9  8b00              mov eax, dword ptr [eax]
0041caeb  3b85 30fcffff     cmp eax, dword ptr [ebp-3D0]
0041caf1  74 11             je short 0041cb04                ; key location
0041caf3  c685 44fcffff 4>  mov byte ptr [ebp-3BC], 4D
0041cafa  e9 800e0000       jmp 0041d97f
0041caff  e9 7b0e0000       jmp 0041d97f
0041cb04  ffb5 38fcffff     push dword ptr [ebp-3C8]
0041cb0a  6a 00             push 0

5.

0041d83f  50                push eax
0041d840  ff55 c8           call dword ptr [ebp-38]
0041d843  83bd 0cfcffff 0>  cmp dword ptr [ebp-3F4], 0
0041d84a  75 11             jnz short 0041d85d               ; key location
0041d84c  c685 44fcffff 4>  mov byte ptr [ebp-3BC], 42
0041d853  e9 27010000       jmp 0041d97f
0041d858  e9 22010000       jmp 0041d97f
0041d85d  ffb5 38fcffff     push dword ptr [ebp-3C8]
0041d863  ffb5 34fcffff     push dword ptr [ebp-3CC]
0041d869  ff95 0cfcffff     call dword ptr [ebp-3F4]         ; checks whether Steam is running; if it is, unpacks the real L4D code and returns the OEP in eax
0041d86f  8985 d0fbffff     mov dword ptr [ebp-430], eax     ; OEP stored in [ebp-430]
0041d875  8b85 38fcffff     mov eax, dword ptr [ebp-3C8]
0041d87b  8985 48f9ffff     mov dword ptr [ebp-6B8], eax

6.

0041d8cd  50                push eax
0041d8ce  ff55 c8           call dword ptr [ebp-38]
0041d8d1  81bd d0fbffff F>  cmp dword ptr [ebp-430], 0ff
0041d8db  73 16             jnb short 0041d8f3               ; key location; modifying the C flag changes whether the jump is taken
0041d8dd  8a85 d0fbffff     mov al, byte ptr [ebp-430]
0041d8e3  8885 44fcffff     mov byte ptr [ebp-3BC], al
0041d8e9  e9 91000000       jmp 0041d97f
0041d8ee  e9 8c000000       jmp 0041d97f                     ; the program then launches Steam
0041d8f3  8d85 10fcffff     lea eax, dword ptr [ebp-3F0]

To sum up the features of the code segments above: as long as the code jumps to 0041d97f, the game will not run. Why? Because "jmp eax" is at 0041d97d, immediately before it, so the jump skips the transfer to the OEP.
The annotated call in section 5 decompresses the code at the OEP; if Steam is not running, the call does not decompress the entry-point code. The whole flow also explains why the single-player game can be started no matter whether you are logged in to Steam or not, as described at the beginning of this article.
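To make the control-flow convention shared by the six segments easier to follow, here is an added C model of it; this is illustration code written for this page, not the game's loader and not the original author's work. It assumes, as the listings suggest, that a value below 0xFF in [ebp-430] is a one-byte status character rather than an OEP, that '5' (the value compared at 0041d986) is what makes the stub launch Steam rather than quit, and that the unpack call leaves such a status byte in eax when the Steam check fails (the real routine is not shown on the page, so the failure byte here is constructed). The status characters themselves ('0', 'E', 'T', 'M', 'B') are the values the listings store into [ebp-3BC].

```c
#include <stdbool.h>
#include <stdint.h>

/* Status characters the stub stores in [ebp-3BC] (values taken from the listings). */
enum stub_status {
    STATUS_OK    = 0x30, /* '0': the value checked at 0041c873 and 0041cad4 */
    STATUS_STEAM = 0x35, /* '5': checked at 0041d986; assumed here to mean "launch Steam" */
    STATUS_E     = 0x45, /* stored at 0041c7ef */
    STATUS_T     = 0x54, /* stored at 0041c8e0 */
    STATUS_M     = 0x4D, /* stored at 0041caf3 */
    STATUS_B     = 0x42  /* stored at 0041d84c */
};

/* "cmp dword ptr [ebp-430], 0ff / jnb": anything below 0xFF is a status byte, not an address. */
#define STATUS_LIMIT 0xFFu

/* What happens when control reaches 0041d97f instead of taking "jmp eax". */
enum stub_exit { EXIT_RUN_GAME, EXIT_LAUNCH_STEAM, EXIT_QUIT };

/* Stand-in for "call dword ptr [ebp-3F4]" in section 5. The real routine is not on the
 * page; this model returns the OEP only when the Steam check passes and otherwise a
 * constructed status byte (assumption: '5', so that the stub goes on to launch Steam). */
static uint32_t unpack_entry(bool steam_running, uint32_t real_oep)
{
    return steam_running ? real_oep : (uint32_t)STATUS_STEAM;
}

/* Section 6's dispatch: eax either becomes the jump target (jnb taken) or its low
 * byte is copied into [ebp-3BC] and the stub falls through to 0041d97f. */
static enum stub_exit dispatch(uint32_t eax, uint32_t *jump_target, uint8_t *status)
{
    if (eax >= STATUS_LIMIT) {          /* jnb short 0041d8f3 */
        *jump_target = eax;             /* later: mov eax, [ebp-430] ... jmp eax */
        return EXIT_RUN_GAME;
    }
    *status = (uint8_t)eax;             /* mov al, byte ptr [ebp-430]; mov [ebp-3BC], al */
    /* 0041d97f: movsx eax, byte ptr [ebp-3BC]; cmp eax, 35 */
    return (*status == STATUS_STEAM) ? EXIT_LAUNCH_STEAM : EXIT_QUIT;
}

/* One launch attempt end to end. The OEP value is the one the page recovers, 004018B0. */
static enum stub_exit stub_run(bool steam_running, uint32_t *jump_target, uint8_t *status)
{
    uint32_t eax = unpack_entry(steam_running, 0x004018B0u);
    return dispatch(eax, jump_target, status);
}
```

The model makes the page's summary concrete: every "key location" in sections 1 to 4 writes one of the status characters and jumps past "jmp eax", and section 6 is the only place where the same memory cell is interpreted as either an address or a status, using nothing but a magnitude comparison. Protections that keep the decision in a single flag-controlled branch like this are exactly the ones a single patched jump can defeat, which is why the author's write-up focuses on that one instruction.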
