Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-09-2015, 12:18
psgama psgama is offline
Friend
 
Join Date: Jul 2014
Posts: 92
Rept. Given: 0
Rept. Rcvd 5 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 71 Times in 43 Posts
psgama Reputation: 5
axprotector

Does anyone have experience with unpacking of Axprotector? by w(i)busystemsusa? I have target protected with flexlm that is now wrapped with this packer to prevent reversing and prevent reading strings / dialog tables in resource editors as well. Unfortunately I have not learned much about manually unpacking as of yet, and this protection may be impossible for me. After more research, it seems pretty integrated. My software is not using a dongle. Wrapped only.

Anyone point me in the direction of more information on this protection?

a little more information here. Seems pretty integrated.
hxxp://www.andrena.de/Entwicklertag/2010/Downloads/VKSI-Day/Hackers-Reverse-Engineering-Uncovered.pdf

Last edited by psgama; 02-09-2015 at 13:15. Reason: adding information
Reply With Quote
  #2  
Old 02-09-2015, 15:17
Syoma Syoma is offline
reverse engineer
 
Join Date: May 2009
Posts: 338
Rept. Given: 35
Rept. Rcvd 77 Times in 50 Posts
Thanks Given: 15
Thanks Rcvd at 78 Times in 51 Posts
Syoma Reputation: 77
Where is your software?
Reply With Quote
  #3  
Old 02-10-2015, 04:00
psgama psgama is offline
Friend
 
Join Date: Jul 2014
Posts: 92
Rept. Given: 0
Rept. Rcvd 5 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 71 Times in 43 Posts
psgama Reputation: 5
Target Links

Please see the following. Target detects ollydbg in path or file name of running modules, so I had to run ollydbg in a renamed folder and using the rename olly plugin to get to program to run with ollydbg opened at all.

Code:
Target Part 1 http://depositfiles.com/files/pfnkko7uy
Target Part 2 http://depositfiles.com/files/xuqgdrd57
Target Part 3 http://depositfiles.com/files/ilg7tqwft
Target Part 4 http://depositfiles.com/files/yd42nn989
Target Part 5 http://depositfiles.com/files/xwe7azaez
Reply With Quote
  #4  
Old 02-10-2015, 04:20
orfei orfei is offline
Family
 
Join Date: Aug 2010
Posts: 124
Rept. Given: 32
Rept. Rcvd 65 Times in 40 Posts
Thanks Given: 14
Thanks Rcvd at 89 Times in 41 Posts
orfei Reputation: 65
Dude, use better uploading service.
You cant expect someone download ~2,3 GB from slow download service like depositfiles.
Mirror these at mega.co.nz, dropbox.com or something like it.
Reply With Quote
  #5  
Old 02-10-2015, 05:49
psgama psgama is offline
Friend
 
Join Date: Jul 2014
Posts: 92
Rept. Given: 0
Rept. Rcvd 5 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 71 Times in 43 Posts
psgama Reputation: 5
Okay. I will create mirror. Thank you for the suggestion. Will Post back and edit this post to add mirror for files
Reply With Quote
  #6  
Old 02-10-2015, 08:30
psgama psgama is offline
Friend
 
Join Date: Jul 2014
Posts: 92
Rept. Given: 0
Rept. Rcvd 5 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 71 Times in 43 Posts
psgama Reputation: 5
Here is Mirror to files. PM me for archive password

Code:
Target Part 1 https://mega.co.nz/#!20lCAIKQ!MAdXmKn1Nu5qIDS_0kud_dPVEghjCljW3hmmjk4_roY
Part 2 https://mega.co.nz/#!Dp0FzCZY!CY5CJd0LFaZ_tvTb9ZwDuyZweQVraU7l3jKsWQZu7uQ
Part 3 https://mega.co.nz/#!DgkUgSBQ!dLY8Bxv-4Y3pvX8aLrq3uclAENwEKZ41dxd3N2Lm8Vc
Part 4 https://mega.co.nz/#!X0FHTQIA!MNc1pXB_WR_szmKdZkS-qxtA7MYZ1ktDepnzYw466NM
Part 5 https://mega.co.nz/#!b481nIBS!ecdTr5MJEIxDPTzUHtj6J0WWB2aAxgAO3RXX7hfm-E0
Reply With Quote
  #7  
Old 02-11-2015, 01:19
Syoma Syoma is offline
reverse engineer
 
Join Date: May 2009
Posts: 338
Rept. Given: 35
Rept. Rcvd 77 Times in 50 Posts
Thanks Given: 15
Thanks Rcvd at 78 Times in 51 Posts
Syoma Reputation: 77
It seems the protected files requires valid software license (CmAct) to be unpacked.

Last edited by Syoma; 02-11-2015 at 01:35. Reason: mistake
Reply With Quote
  #8  
Old 02-11-2015, 07:58
psgama psgama is offline
Friend
 
Join Date: Jul 2014
Posts: 92
Rept. Given: 0
Rept. Rcvd 5 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 71 Times in 43 Posts
psgama Reputation: 5
That's as far as I got with it as well, The runtime system is not installed error when inside a debugger. The service is running though, You can see it under services.msc If you turn off the service (C0de M3ter Runtime Server) you can get the same error to occur if you don't allow the service to restart after opening the program.

With the included files to bypass the FlexNet checks, the software will run fine, its just the nag screen and the internal CRC check. This is the newest version in a series of softwares that do not require a Dongle, so the packing is only done to thwart reversing of the program. Definitely an interesting protection as far as I have seen so far, this is the first time I have seen it in use.

If you have ollydbg opened and named normally, not being hidden, The software will refuse to even open outside of the debugging environment without any indication or feedback to the user.

Also, if you shut the service down after the application has been started, It will crash the program after maybe 30 seconds, but it seems the program is fully functional for that period of time, so it must be checking in with the service as well. Very interesting.

Last edited by psgama; 02-11-2015 at 08:16.
Reply With Quote
  #9  
Old 02-11-2015, 15:54
Syoma Syoma is offline
reverse engineer
 
Join Date: May 2009
Posts: 338
Rept. Given: 35
Rept. Rcvd 77 Times in 50 Posts
Thanks Given: 15
Thanks Rcvd at 78 Times in 51 Posts
Syoma Reputation: 77
I see, I did not test with the CM runtime disabled. CM anti-debug is not very hard to bypass, OEP is also clear. So, all you need to do in your case is just restore few stolen import (if any) and unpack as usual.
When software protected with real hardware dongle much more chances to trap into trouble.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 04:38.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )