Exetools  

  #1  
03-26-2010, 03:02
TmC
Avast 5 and Debugging

Hi All,
I've tried to debug Avast5 Internet Security, basically to create a key generator, only to find out it is debug-protected.

No packers, only plain C++ code. I successfully killed the AvastUI process and tried to debug in Olly, but there is something that protects memory and won't let me debug it.

I have not been able to understand whether the driver is detecting the process and trying to protect it, or whether the process itself tries to protect itself.
I also tried to play with Olly settings to break not at WinMain OEP but at system breakpoint and even the other third option (thinking of execryptor that performed antidebugging before OEP), but memory errors occur before (can't read/write memory).

So here is the question/discussion: has anyone been able to debug it? Are there any papers to read and learn from about this kind of protection?

I am thinking about building a virtual box with Windows 2000 and Softice and try there. (A thought that came to my mind is that maybe the licensing routine is in the avast driver, to keep it away from prying eyes and RING3 debuggers, but I don't have enough evidence to state that).

I tried to use syser, but apart from the point that I don't know the program at all, when I try to load avast I get memory errors again, so maybe the problem is not RING3/RING0 but enforced memory protection by Avast.
  #2  
03-26-2010, 11:11
TmC
EDIT: (can't find info to edit the thread)

I copied some files out of avast dir and the program is debuggable. I think the driver is protecting the avast folder.

I successfully identified the registration scheme, but it is DSA (the sig key is 40 bytes long, so DSA320 is used), so I think we can forget a keygen for the time being, unless vulnerabilities are discovered.
Maybe someone will release patch+keygen.
  #3  
03-26-2010, 19:03
Nacho_dj
TmC, it won't be keygennable* if it compares the hash of any key with a table of purchased hashes. Is there any kind of table containing those purchased hashes anywhere?

Best regards

Nacho_dj

* There exist tricks for that also...
__________________
http://arteam.accessroot.com
  #4  
03-27-2010, 07:44
TmC
Quote (originally posted by Nacho_dj):
> TmC, it won't be keygennable* if it compares the hash of any key with a table of purchased hashes. Is there any kind of table containing those purchased hashes anywhere?
>
> Best regards
>
> Nacho_dj
>
> * There exist tricks for that also...

Uhm... do you mean online or on disk? Because if on disk, for every definition update there should be included a database with all signatures and we have (supposing 1 million users) 8 Mb with crc32 and 64 Mb with sha256... a bit too much.

What I know is that Avast 5 reads the License File (license.avastlic) and checks if the Certificate section of the ini license file corresponds to the AWSign appended at the end of the file with the function DSA_FileVerifyWithSigCompare in the aswCmnBS.dll, loaded only when needed and located in the defs folder.

So the only two ways I see are to 1. patch the public key (general purpose patch since files are updated often) 2. binary patch to make sure DSA_FileVerifyWithSigCompare always returns that the license is good.
  #5  
03-27-2010, 12:14
deepzero
The new Avast 5.x has a too strong online check. It has been suggested to patch the exe in a way that it believes it's a fully functional, registered copy and only while updating it still pretends to be a trial version (as trial versions can update without key check).
  #6  
03-28-2010, 01:57
mantovano
@deepzero
Are you sure updates are possible when working in trial mode?
If possible, we only need to compare windows reg before and after installation and delete differences...
BR
  #7  
05-08-2010, 20:33
TmC
Quote (originally posted by mantovano):
> If possible, we only need to compare windows reg before and after installation and delete differences...

Wrong! License file (.avastlic) contains start date and end date of license. Nothing is written in the registry nor in files. It's simply a difference between EOL (end of license) and current date (plus a check to ensure date has not been changed).
All times are GMT +8.