Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Avast 5 and Debugging (https://forum.exetools.com/showthread.php?t=12707)

TmC 03-26-2010 03:02

Avast 5 and Debugging
 
Hi All,
I've tried to debug Avast 5 Internet Security, basically to create a key generator, only to find out that it is debug-protected.

No packers, only plain C++ code. I successfully killed the AvastUI process and tried to debug it in Olly, but there is something that protects memory and won't let me debug it.

I have not been able to work out whether the driver is detecting the process and trying to protect it, or whether the process itself tries to protect itself.
I also tried to play with Olly's settings to break not at the WinMain OEP but at the system breakpoint, and even the third option (thinking of ExeCryptor, which performed anti-debugging before the OEP), but memory errors occur before that (can't read/write memory).

So here is the question/discussion: has anyone been able to debug it? Are there any papers to read and learn from about these kinds of protections?

I am thinking about building a virtual box with Windows 2000 and SoftICE and trying there. (A thought that came to my mind is that maybe the licensing routine is in the Avast driver, to keep it away from prying eyes and ring 3 debuggers, but I don't have enough evidence to state that.)

I tried to use Syser, but apart from the fact that I don't know the program at all, when I try to load Avast I get memory errors again, so maybe the problem is not ring 3/ring 0 but memory protection enforced by Avast.

TmC 03-26-2010 11:11

EDIT: (can't find info to edit the thread)

I copied some files out of avast dir and the program is debuggable. I think the driver is protecting the avast folder.

I successfully identified the registration scheme, but it is DSA (the sig key is 40 bytes long, so DSA320 is used), so I think we can forget a keygen for the time being, unless vulnerabilities are discovered.
Maybe someone will release patch+keygen.

Nacho_dj 03-26-2010 19:03

TmC, it won't be keygennable* if it compares the hash of any key with a table of purchased hashes. Is there any kind of table containing those purchased hashes anywhere?

Best regards

Nacho_dj

* There exist tricks for that also... ;)

TmC 03-27-2010 07:44

Quote:

Originally Posted by Nacho_dj (Post 67371)
TmC, it won't be keygennable* if it compares the hash of any key with a table of purchased hashes. Is there any kind of table containing those purchased hashes anywhere?

Best regards

Nacho_dj

* There exist tricks for that also... ;)

Uhm... do you mean online or on disk? Because if on disk, every definition update would have to include a database with all signatures, and we would have (supposing 1 million users) 8 Mb with CRC32 and 64 Mb with SHA-256... a bit too much.

What I know is that:

Avast 5 reads the License File (license.avastlic) and checks if the Certificate section of the ini license file corresponds to the AWSign appended at the end of the file with the function DSA_FileVerifyWithSigCompare in the aswCmnBS.dll, loaded only when needed and located in the defs folder.

So the only two ways I see are: 1. patch the public key (a general-purpose patch, since the files are updated often); 2. a binary patch to make sure DSA_FileVerifyWithSigCompare always returns that the license is good.

deepzero 03-27-2010 12:14

The new Avast 5.x has too strong an online check. It has been suggested to patch the exe in such a way that it believes it's a fully functional, registered copy, and only while updating does it still pretend to be a trial version (as trial versions can update without a key check).

mantovano 03-28-2010 01:57

@deepzero
Are you sure updates are possible in trial mode?
If possible, we only need to compare windows reg before and after installation and delete differences...
BR

TmC 05-08-2010 20:33

Quote:

Originally Posted by mantovano (Post 67384)
If possible, we only need to compare windows reg before and after installation and delete differences...

Wrong! The license file (.avastlic) contains the start date and end date of the license. Nothing is written in the registry nor in files. It's simply a difference between the EOL (end of license) and the current date (plus a check to ensure the date has not been changed).
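Added example (not Avast's code, and not posted by anyone in the thread) of the scheme TmC describes above: an INI-style license body with a DSA signature appended, verified against the vendor's public key, so that editing the start or end date invalidates the file, which is why diffing the registry finds nothing to remove. Assumed, because the page does not give them: the `;AWSign=` marker layout, SHA-1 as the hash, and toy 512-bit parameters generated at run time for speed.

```python
import hashlib
import secrets
def is_prime(n, rounds=20):  # Miller-Rabin probable-prime test, n >= 5
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True
def dsa_params(qbits=160, pbits=512):  # toy-sized (p, q, g): q | p-1, g of order q
    rnd = lambda bits: secrets.randbits(bits) | (1 << (bits - 1))
    q = rnd(qbits) | 1
    while not is_prime(q):
        q = rnd(qbits) | 1
    p = 2 * rnd(pbits - qbits - 1) * q + 1
    while not is_prime(p):
        p = 2 * rnd(pbits - qbits - 1) * q + 1
    return p, q, pow(2, (p - 1) // q, p)
def dsa_keygen(params):  # vendor key pair: private x, public y = g^x mod p
    x = secrets.randbelow(params[1] - 1) + 1
    return x, pow(params[2], x, params[0])
def dsa_sign(params, x, body):
    p, q, g = params
    e = int.from_bytes(hashlib.sha1(body).digest(), "big")
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (e + x * r) % q
        # r || s, 20 bytes each: a 40-byte signature, the size TmC observed
        if r and s: return r.to_bytes(20, "big") + s.to_bytes(20, "big")
def dsa_verify(params, y, body, sig):
    p, q, g = params
    r, s = int.from_bytes(sig[:20], "big"), int.from_bytes(sig[20:], "big")
    if len(sig) != 40 or not (0 < r < q and 0 < s < q): return False
    e, w = int.from_bytes(hashlib.sha1(body).digest(), "big"), pow(s, -1, q)
    return pow(g, e * w % q, p) * pow(y, r * w % q, p) % p % q == r
SIG_MARKER = b"\n;AWSign="  # assumed layout; the real .avastlic format is not on the page
def issue_license(params, x, fields):  # INI body, then the signature appended after it
    body = b"[Certificate]\n" + "".join(f"{k}={v}\n" for k, v in fields.items()).encode()
    return body + SIG_MARKER + dsa_sign(params, x, body).hex().encode()
def check_license(params, y, blob):  # accept only if the body matches the appended signature
    body, sep, sig_hex = blob.rpartition(SIG_MARKER)
    try:
        return bool(sep) and dsa_verify(params, y, body, bytes.fromhex(sig_hex.decode()))
    except ValueError:  # malformed hex or non-ASCII tail: reject rather than crash
        return False
```

Changing a single date byte in the signed body makes `check_license` fail, while the same file untouched verifies; only the holder of the private x can produce a file that passes.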

