GetRight Pro 6 beta 6 & Arma|====D

[TmC]

Hi,
I am having a problem unpacking GetRight Pro 6 beta 7.
Well, not a problem, because it unpacks good and it runs, but I'm experiencing some funny behaviours and strange codes that i want to check here to ensure i'm not completely gone puff!.

GetRight is protected with Standard+CodeSplicing+IAT Elimination.

I Load it in Olly dbg, run script Armadillo.v.4.0-4.4.Standard.osc and after a while the script shows OEP: 005D9454 (001D94C4 without IB).

At this point, i already notice a strange thing: OEP looks very funny to be a C++ OEP. It is not 558B etc for C++ 6 nor 6A etc for C++ 7.0. PEiD will later say C++ wthout other infos.

I fire up arminline 0.92, fill values and everything goes perfect. I dump with LordPE and fix IAT with ImpREC(perfect IAT).

I try to run the executable and whoa! it runs. OK. Now let's recall it from the tray Icon and here is the second funny behaviour: NO ICONS ON MENUS OR TOOLBARS.

After a while of thinking, i open the file with ResHack to ensure that the resources were not messed up by the dumper. I can see all the resourced and dialogs without problems and NO "packed by an exe compressor" appears.

I tried to analyse the executable with the Resurrection Team Utility Armadumper, and the OEP is the same as mine.

Last strange behaviour: In all armadillo unpacked files, i delete the text1, data1, adata, pdata sections because they are related to armadillo (adata only if not needed for IAT rebasement). If I delete the text section in getright the executable crashes, and this does not happen in all other executables i unpacked so far.

So i have a complete and running executable (no errors or exceptions are shown) with no icons on toolbar and menus, strange OEP instructions at the beginning and crashes on deletion of Armadillo sections.

Am I wrong?
If not, what or where is the problem? I can't figure out it.

Attach: My unpacked file.
Edit: 17/04 Better Optimised File: Fixed OEP and removed unused sections. Still icons problem.

[D-Jester]

Your EP looks like this:

Code:

005D94C4   E8 6FAE0000      CALL getright.005E4338; This is the OEP!  Found By: fly
005D94C9  ^E9 16FEFFFF      JMP getright.005D92E4

Very close to OEP,...

Code:

005D94C4   E8 6FAE0000      CALL getright.005E4338 <-Your OEP
005D94C9  ^E9 16FEFFFF      JMP getright.005D92E4 <-Jump To OEP

Microsoft Visual C++ v7.1 EXE *

Code:

005D92E4   6A 60            PUSH 60
005D92E6   68 48196B00      PUSH getright.006B1948
005D92EB   E8 0C9CFFFF      CALL getright.005D2EFC
005D92F0   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
005D92F4   8D45 90          LEA EAX,DWORD PTR SS:[EBP-70]
005D92F7   50               PUSH EAX
005D92F8   FF15 C4284901    CALL DWORD PTR DS:[14928C4]

Although nothing changes, I am still getting the same results as you.

I haven't had time to do a full trace and investigate, but I did trace it in as far as 005D8943 which is a call that the program never returns from (terminates)...might be a good starting point.

I'll look into it some more if I get time this evening, but its easter and we need to talk my daughter out and let you hunt for eggs, etc...

its unpacked correctly, its like ftprush and lot of arma apps. it GetEnvVariable
arma during unpacking sets enviroment variables, like reigstration codes, unicode,ascii or markers that target isnt unpacked. and you have 2 ways:
1 patch all jne after getenvvar
2 inlinepatch exe with filling all env var that original packed arma sets
2nd way is most perfect.
when you do that icons are back
but getright uses own regcodes so unpack doesnt register it

[TmC]

Quote:

Originally Posted by Human

its unpacked correctly, its like ftprush and lot of arma apps. it GetEnvVariable
arma during unpacking sets enviroment variables, like reigstration codes, unicode,ascii or markers that target isnt unpacked. and you have 2 ways:
1 patch all jne after getenvvar
2 inlinepatch exe with filling all env var that original packed arma sets
2nd way is most perfect.
when you do that icons are back
but getright uses own regcodes so unpack doesnt register it

Hum...i fairly got the point. Are you saying that the getright authors are deliberately corrupting the program's state because it detected it got unpacked?

[Newbie_Cracker]

Yeah, corrupting like this is rare, but I've seen crashes or becoming UNREGISTERED in some apps !

Maybe they don't use this to detect unpacked file, just to use Arma variables as registration info.

well for example as i said ftprush can be unpacked and is regged like most of arma apps, but due no set env vars its ends in infinite waiting for message, so freezes. only way to fix it is use SetEnvironmentVariable and set all he expects to fool him. with getright it doesnt crash but icons are gone, patching it helps but not for all. havent tried to use SetEnv. also new getright become crap, when he added bittorrent he fucked up all www ftp downloads. it crashes like hell. better is old 5.2e. and author seems doesnt give a fuck about people replays, because when i posted bugs on board he havent fixed them since 7 betas, still also there is no downloading of stream. so that download menager become crap, better is hidownload or others, that have ftp www streams and dont crash so often

[D-Jester]

Quote:

Originally Posted by Human

also new getright become crap, when he added bittorrent he fucked up all www ftp downloads. it crashes like hell.

I don't agree that Getright is crap.
I am on that forum all the time also.
The problem is that if the author cant reproduce the error he can't fix it. I have always used it and will always use it.

Quote:

Originally Posted by Human

but getright uses own regcodes so unpack doesnt register it

Getright uses Armadillo's Registration System, Once its unpacked Inline Patch It To SetEnvironmentVariableA("AltUserName","D-Jester"); And its registered.

Interestingly enough after I bought my key for pro,...around beta2 I haven't had any problems until beta7 (some problems with the DynaZIP dll causing errors when download completes and Getright is to ShelExecute the file.).

I had orginally thought that Getright was still trying to access ArmAccess.dll and was crashing then (SEH handling the Access Violation with ExitProcess), OllyDBG is not breaking on anything though.

I don't believe its too complicated, probably just a CRC check, maybe MD5, but nothing exotic, Getright author hasn't been real anti-revsersing savvy until v5.x he added Armadillo 3.78. Prior versions used the same Keygen for many years.

The resources problem....I'm stumped. I'm not familiar with that part of the executable, never needed to mess with it. Sounds to me like its just simply not setting EnableWindow(), or it may be something more devious

well if someone writes that, delete mirror doesnt work since 7 betas and instead of delete does pause or even sometimes crash. then i dont know how to michael i can reproduce better error. because its on every download with mirrors :P
another thing now its its mixed ftp & www downs and you do segmented download, mostly today ftp allows 1 login per ip. but it tries even 4 for 1 ftp, and we got window with login & pass. when you press cancel it also aborts instead of skiping this mirror. and mirrors there are 15 so it can use 10 for 10 segments instead of 3

[D-Jester]

Oh I'm not saying that you making up anything, or that Micheal can't fix it, I should have phased it differently I guess.

I don't know about the segmented download problems, I'm still on dial-up
So I don't use segmented downloads.

I hate living in BFE

[The Old Pirate]

search the file for ascii string "GR_PROTECTED", change it to "TEMP" and icons are back

[TmC]

Quote:

Originally Posted by The Old Pirate

search the file for ascii string "GR_PROTECTED", change it to "TEMP" and icons are back

Works in Menus but not in Toolbar Icons.