axprotector

[psgama]

Does anyone have experience with unpacking of Axprotector? by w(i)busystemsusa? I have target protected with flexlm that is now wrapped with this packer to prevent reversing and prevent reading strings / dialog tables in resource editors as well. Unfortunately I have not learned much about manually unpacking as of yet, and this protection may be impossible for me. After more research, it seems pretty integrated. My software is not using a dongle. Wrapped only.

Anyone point me in the direction of more information on this protection?

a little more information here. Seems pretty integrated.
hxxp://www.andrena.de/Entwicklertag/2010/Downloads/VKSI-Day/Hackers-Reverse-Engineering-Uncovered.pdf

[Syoma]

Where is your software?

[psgama]

Please see the following. Target detects ollydbg in path or file name of running modules, so I had to run ollydbg in a renamed folder and using the rename olly plugin to get to program to run with ollydbg opened at all.

Code:

Target Part 1 http://depositfiles.com/files/pfnkko7uy
Target Part 2 http://depositfiles.com/files/xuqgdrd57
Target Part 3 http://depositfiles.com/files/ilg7tqwft
Target Part 4 http://depositfiles.com/files/yd42nn989
Target Part 5 http://depositfiles.com/files/xwe7azaez

[orfei]

Dude, use better uploading service.
You cant expect someone download ~2,3 GB from slow download service like depositfiles.
Mirror these at mega.co.nz, dropbox.com or something like it.

[psgama]

Okay. I will create mirror. Thank you for the suggestion. Will Post back and edit this post to add mirror for files

[psgama]

Here is Mirror to files. PM me for archive password

Code:

Target Part 1 https://mega.co.nz/#!20lCAIKQ!MAdXmKn1Nu5qIDS_0kud_dPVEghjCljW3hmmjk4_roY
Part 2 https://mega.co.nz/#!Dp0FzCZY!CY5CJd0LFaZ_tvTb9ZwDuyZweQVraU7l3jKsWQZu7uQ
Part 3 https://mega.co.nz/#!DgkUgSBQ!dLY8Bxv-4Y3pvX8aLrq3uclAENwEKZ41dxd3N2Lm8Vc
Part 4 https://mega.co.nz/#!X0FHTQIA!MNc1pXB_WR_szmKdZkS-qxtA7MYZ1ktDepnzYw466NM
Part 5 https://mega.co.nz/#!b481nIBS!ecdTr5MJEIxDPTzUHtj6J0WWB2aAxgAO3RXX7hfm-E0

[Syoma]

It seems the protected files requires valid software license (CmAct) to be unpacked.

[psgama]

That's as far as I got with it as well, The runtime system is not installed error when inside a debugger. The service is running though, You can see it under services.msc If you turn off the service (C0de M3ter Runtime Server) you can get the same error to occur if you don't allow the service to restart after opening the program.

With the included files to bypass the FlexNet checks, the software will run fine, its just the nag screen and the internal CRC check. This is the newest version in a series of softwares that do not require a Dongle, so the packing is only done to thwart reversing of the program. Definitely an interesting protection as far as I have seen so far, this is the first time I have seen it in use.

If you have ollydbg opened and named normally, not being hidden, The software will refuse to even open outside of the debugging environment without any indication or feedback to the user.

Also, if you shut the service down after the application has been started, It will crash the program after maybe 30 seconds, but it seems the program is fully functional for that period of time, so it must be checking in with the service as well. Very interesting.

[Syoma]

I see, I did not test with the CM runtime disabled. CM anti-debug is not very hard to bypass, OEP is also clear. So, all you need to do in your case is just restore few stolen import (if any) and unpack as usual.
When software protected with real hardware dongle much more chances to trap into trouble.