Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-04-2009, 06:53
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Datarescue IDA pirated .idb database

Well, i'd like to understand something about Conficker virus code, but IDA doenst open pirated idb database and it shows "Database corrupt". So i created this little patch for my IDA v5.2 debugger, it seems 100% working. If you encounter the same problem exploring other pirated databases, here is the patch. Hope it will be useful for you too!
Attached Files
File Type: rar datarescue.ida.v5.2.0.908.(32-bit)-patch.rar (12.2 KB, 14 views)
Reply With Quote
The Following 3 Users Gave Reputation+1 to arlequim For This Useful Post:
backdoor_b (03-11-2009), LouCypher (03-06-2009), synkro (03-04-2009)
  #2  
Old 03-04-2009, 07:02
LouCypher LouCypher is offline
Friend
 
Join Date: Aug 2004
Posts: 41
Rept. Given: 5
Rept. Rcvd 9 Times in 9 Posts
Thanks Given: 0
Thanks Rcvd at 9 Times in 9 Posts
LouCypher Reputation: 9
UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.
Reply With Quote
  #3  
Old 03-04-2009, 09:36
kienmanowar's Avatar
kienmanowar kienmanowar is offline
Friend
 
Join Date: Jan 2006
Location: VN
Posts: 98
Rept. Given: 37
Rept. Rcvd 17 Times in 10 Posts
Thanks Given: 161
Thanks Rcvd at 72 Times in 35 Posts
kienmanowar Reputation: 17
Yes, UNiQUE has made a fix but i will try your fix

Regards
Reply With Quote
  #4  
Old 03-04-2009, 17:17
Shub-Nigurrath's Avatar
Shub-Nigurrath Shub-Nigurrath is offline
VIP
 
Join Date: Mar 2004
Location: Obscure Kadath
Posts: 919
Rept. Given: 60
Rept. Rcvd 419 Times in 94 Posts
Thanks Given: 68
Thanks Rcvd at 328 Times in 100 Posts
Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499 Shub-Nigurrath Reputation: 400-499
it's so simple that it shouldn't ever be considered a release.

1. before 5.2 unpack the dll named ida.wll with any aspack unpacker like aspackdie or "All versions ASPack unpacker by PE_Kill". Consider that after version 5.2 (or from version also 5.2, don't remember) that dll is even not packed, so simpler.

2. find string "pirate" with Olly and skip the messagebox paching into a JMP the conditional jump just above

3. save the patch, voilà.

The protection was placed, as once even the author told, just as a light discouragement, not as a real protection. If you don't know how to patch is a symptom that you shouldn't use IDA. ;-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
Reply With Quote
The Following 2 Users Gave Reputation+1 to Shub-Nigurrath For This Useful Post:
backdoor_b (03-11-2009), synkro (03-05-2009)
  #5  
Old 03-04-2009, 20:18
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Patching of JMP "pirate" was not enough to achieve my goal (the incriminated message is "database corrupt" and not "you are using a pirate..."). Anyway i have patched both the ways
Regards
Reply With Quote
  #6  
Old 03-05-2009, 00:58
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Quote:
Originally Posted by kienmanowar View Post
Yes, UNiQUE has made a fix but i will try your fix

Regards
Thanks bro, pls let me know if it works good
Reply With Quote
  #7  
Old 03-05-2009, 04:44
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Quote:
Originally Posted by LouCypher View Post
UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.
I tested UNiQUE fix but when i load the idb "pirated" Ida says "Database corrupt". If you apply my patch you will able to open the database. In other words my patch really works. You dont believe??? Ok, try youself!

Code:
h--p://metasploit.com/users/pusscat/conficker-thread.idb
Reply With Quote
  #8  
Old 03-05-2009, 06:56
Git's Avatar
Git Git is offline
Old Git
 
Join Date: Mar 2002
Location: Torino
Posts: 1,115
Rept. Given: 220
Rept. Rcvd 265 Times in 157 Posts
Thanks Given: 108
Thanks Rcvd at 216 Times in 124 Posts
Git Reputation: 200-299 Git Reputation: 200-299 Git Reputation: 200-299
The Unique patch works fine too, what do you think people have been using for the past 1+ year?

Git
Reply With Quote
  #9  
Old 03-05-2009, 20:14
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Code:
You dont believe??? Ok, try youself!
Reply With Quote
  #10  
Old 03-06-2009, 11:53
LouCypher LouCypher is offline
Friend
 
Join Date: Aug 2004
Posts: 41
Rept. Given: 5
Rept. Rcvd 9 Times in 9 Posts
Thanks Given: 0
Thanks Rcvd at 9 Times in 9 Posts
LouCypher Reputation: 9
Quote:
Originally Posted by arlequim View Post
I tested UNiQUE fix but when i load the idb "pirated" Ida says "Database corrupt". If you apply my patch you will able to open the database. In other words my patch really works. You dont believe??? Ok, try youself!

Code:
h--p://metasploit.com/users/pusscat/conficker-thread.idb
So your patch did indeed let me open that .idb whereas the UNiQUE fix wouldn't. If the ida64.wll suffers from the same fault, would you be so kind as to make a patch for it as well?
Reply With Quote
  #11  
Old 03-06-2009, 20:39
Jupiter's Avatar
Jupiter Jupiter is offline
Lo*eXeTools*rd
 
Join Date: Jan 2005
Location: Moscow, Russia
Posts: 214
Rept. Given: 36
Rept. Rcvd 61 Times in 36 Posts
Thanks Given: 20
Thanks Rcvd at 149 Times in 42 Posts
Jupiter Reputation: 61
ida32.wll + ida64.wll

ida64.wll

Code:
.text:1010E8FC ; int __fastcall sub_1010E8FC(void *src)
.text:1010E8FC sub_1010E8FC    proc near               ; CODE XREF: sub_1010EB24+C6
.text:1010E8FC
.text:1010E8FC var_6C          = dword ptr -6Ch
.text:1010E8FC s1              = byte ptr -14h
.text:1010E8FC
.text:1010E8FC                 push    ebx
.text:1010E8FD                 add     esp, 0FFFFFF98h
.text:1010E900                 mov     ebx, eax
.text:1010E902                 push    esp
.text:1010E903                 call    MD5Init
.text:1010E908                 push    ebx             ; s
.text:1010E909                 call    _strlen
.text:1010E90E                 pop     ecx
.text:1010E90F                 push    eax             ; n
.text:1010E910                 push    ebx             ; src
.text:1010E911                 lea     eax, [esp+74h+var_6C]
.text:1010E915                 push    eax             ; int
.text:1010E916                 call    MD5Update
.text:1010E91B                 push    esp             ; s
.text:1010E91C                 lea     edx, [esp+70h+s1]
.text:1010E920                 push    edx             ; dest
.text:1010E921                 call    MD5Final
.text:1010E926                 xor     ebx, ebx
.text:1010E928
.text:1010E928 loc_1010E928:                           ; CODE XREF: sub_1010E8FC+53
.text:1010E928                 push    10h             ; n
.text:1010E92A                 mov     eax, ebx
.text:1010E92C                 shl     eax, 4
.text:1010E92F                 add     eax, offset unk_1014CDCC ; <<<
.text:1010E935                 push    eax             ; s2
.text:1010E936                 lea     edx, [esp+74h+s1]
.text:1010E93A                 push    edx             ; s1
.text:1010E93B                 call    _memcmp
.text:1010E940                 add     esp, 0Ch
.text:1010E943                 test    eax, eax
.text:1010E945                 jnz     short loc_1010E94B
.text:1010E947                 mov     al, 1
.text:1010E949                 jmp     short loc_1010E953
.text:1010E94B ; ---------------------------------------------------------------------------
.text:1010E94B
.text:1010E94B loc_1010E94B:                           ; CODE XREF: sub_1010E8FC+49
.text:1010E94B                 inc     ebx
.text:1010E94C                 cmp     ebx, 19h
.text:1010E94F                 jb      short loc_1010E928
.text:1010E951                 xor     eax, eax
.text:1010E953
.text:1010E953 loc_1010E953:                           ; CODE XREF: sub_1010E8FC+4D
.text:1010E953                 add     esp, 68h
.text:1010E956                 pop     ebx
.text:1010E957                 retn
.text:1010E957 sub_1010E8FC    end
you can see comparison after MD5Final call - patch it

in ida32.wll method is similar

credits: infern0
Reply With Quote
  #12  
Old 03-06-2009, 21:45
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
Mission accomplished, new patch for IDA 32&64 bit
Attached Files
File Type: rar datarescue.ida.v5.2.0.908-patch.rar (12.2 KB, 22 views)
Reply With Quote
The Following User Gave Reputation+1 to arlequim For This Useful Post:
LouCypher (03-06-2009)
  #13  
Old 03-06-2009, 23:03
Jupiter's Avatar
Jupiter Jupiter is offline
Lo*eXeTools*rd
 
Join Date: Jan 2005
Location: Moscow, Russia
Posts: 214
Rept. Given: 36
Rept. Rcvd 61 Times in 36 Posts
Thanks Given: 20
Thanks Rcvd at 149 Times in 42 Posts
Jupiter Reputation: 61
quick patch:

ida.wll
Offset | Old | New
000F05F9: D0 D1

ida64.wll
Offset | Old | New
0010DF31: CC CD
Reply With Quote
  #14  
Old 03-07-2009, 20:18
florin_m florin_m is offline
Friend
 
Join Date: Sep 2004
Posts: 8
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
florin_m Reputation: 0
What about 5.3 ?
Reply With Quote
  #15  
Old 03-07-2009, 21:36
arlequim's Avatar
arlequim arlequim is offline
IBMSecuritySystemsXForce
 
Join Date: Feb 2009
Location: Punta Entinas-Sabinar, ALMERIMAR
Posts: 292
Rept. Given: 51
Rept. Rcvd 317 Times in 104 Posts
Thanks Given: 44
Thanks Rcvd at 185 Times in 61 Posts
arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399 arlequim Reputation: 300-399
not available (=not cr4ck3d) on w4r3z yet ... btw lastest is 5.4
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Cannot save database as IDC script with IDA 5.0.0.879 Git General Discussion 0 01-11-2007 20:39
Database programming in C++ hmora General Discussion 1 07-12-2004 09:48


All times are GMT +8. The time now is 20:52.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )