#1
Datarescue IDA pirated .idb database
Well, I'd like to understand something about the Conficker virus code, but IDA doesn't open pirated idb databases and shows "Database corrupt". So I created this little patch for my IDA v5.2 debugger; it seems 100% working. If you encounter the same problem exploring other pirated databases, here is the patch. Hope it will be useful for you too!
The Following 3 Users Gave Reputation+1 to arlequim For This Useful Post:
#2
UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.
#3
Yes, UNiQUE has made a fix, but I will try your fix.
Regards
#4
It's so simple that it shouldn't ever be considered a release.
1. Before 5.2, unpack the dll named ida.wll with any ASPack unpacker like aspackdie or "All versions ASPack unpacker by PE_Kill". Consider that after version 5.2 (or also from version 5.2, don't remember) that dll is not even packed, so it's simpler.
2. Find the string "pirate" with Olly and skip the messagebox by patching into a JMP the conditional jump just above.
3. Save the patch, voilà.
The protection was placed, as once even the author told, just as a light discouragement, not as a real protection. If you don't know how to patch, it is a symptom that you shouldn't use IDA. ;-)
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
The Following 2 Users Gave Reputation+1 to Shub-Nigurrath For This Useful Post:
backdoor_b (03-11-2009), synkro (03-05-2009)
#5
Patching the JMP for "pirate" was not enough to achieve my goal (the incriminated message is "database corrupt" and not "you are using a pirate..."). Anyway, I have patched it both ways.
Regards
#6
Thanks bro, pls let me know if it works good
#7
Quote:
Code:
h--p://metasploit.com/users/pusscat/conficker-thread.idb
#8
The Unique patch works fine too, what do you think people have been using for the past 1+ year?
Git
#9
Code:
You don't believe??? OK, try yourself!
#10
#11
ida32.wll + ida64.wll
ida64.wll
Code:
.text:1010E8FC ; int __fastcall sub_1010E8FC(void *src)
.text:1010E8FC sub_1010E8FC proc near             ; CODE XREF: sub_1010EB24+C6
.text:1010E8FC
.text:1010E8FC var_6C = dword ptr -6Ch
.text:1010E8FC s1 = byte ptr -14h
.text:1010E8FC
.text:1010E8FC push    ebx
.text:1010E8FD add     esp, 0FFFFFF98h
.text:1010E900 mov     ebx, eax
.text:1010E902 push    esp
.text:1010E903 call    MD5Init
.text:1010E908 push    ebx                        ; s
.text:1010E909 call    _strlen
.text:1010E90E pop     ecx
.text:1010E90F push    eax                        ; n
.text:1010E910 push    ebx                        ; src
.text:1010E911 lea     eax, [esp+74h+var_6C]
.text:1010E915 push    eax                        ; int
.text:1010E916 call    MD5Update
.text:1010E91B push    esp                        ; s
.text:1010E91C lea     edx, [esp+70h+s1]
.text:1010E920 push    edx                        ; dest
.text:1010E921 call    MD5Final
.text:1010E926 xor     ebx, ebx
.text:1010E928
.text:1010E928 loc_1010E928:                      ; CODE XREF: sub_1010E8FC+53
.text:1010E928 push    10h                        ; n
.text:1010E92A mov     eax, ebx
.text:1010E92C shl     eax, 4
.text:1010E92F add     eax, offset unk_1014CDCC   ; <<<
.text:1010E935 push    eax                        ; s2
.text:1010E936 lea     edx, [esp+74h+s1]
.text:1010E93A push    edx                        ; s1
.text:1010E93B call    _memcmp
.text:1010E940 add     esp, 0Ch
.text:1010E943 test    eax, eax
.text:1010E945 jnz     short loc_1010E94B
.text:1010E947 mov     al, 1
.text:1010E949 jmp     short loc_1010E953
.text:1010E94B ; ---------------------------------------------------------------------------
.text:1010E94B
.text:1010E94B loc_1010E94B:                      ; CODE XREF: sub_1010E8FC+49
.text:1010E94B inc     ebx
.text:1010E94C cmp     ebx, 19h
.text:1010E94F jb      short loc_1010E928
.text:1010E951 xor     eax, eax
.text:1010E953
.text:1010E953 loc_1010E953:                      ; CODE XREF: sub_1010E8FC+4D
.text:1010E953 add     esp, 68h
.text:1010E956 pop     ebx
.text:1010E957 retn
.text:1010E957 sub_1010E8FC end
In ida32.wll the method is similar.
credits: infern0
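As an added illustration (not code from this thread or from IDA itself), here is what the listing above does, written out in Python: MD5 the NUL-terminated string, then compare the 16-byte digest against each of the 0x19 entries of a 16-byte-per-entry table (the `shl eax, 4` / `cmp ebx, 19h` pair), returning 1 on the first hit and 0 otherwise. The table bytes below are constructed placeholders, since the real contents of unk_1014CDCC are not on the page.

```python
import hashlib

# Constants read from the listing: cmp ebx, 19h -> 25 entries checked,
# shl eax, 4 -> each entry is 16 bytes, i.e. one raw MD5 digest.
ENTRY_COUNT = 0x19
ENTRY_SIZE = 16


def load_table(blob: bytes) -> list[bytes]:
    """Split a raw table blob (the role of unk_1014CDCC) into 16-byte digests.

    Only the first ENTRY_COUNT entries are kept, mirroring the loop bound.
    """
    if len(blob) < ENTRY_COUNT * ENTRY_SIZE:
        raise ValueError("table blob shorter than 0x19 * 16 bytes")
    return [blob[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE] for i in range(ENTRY_COUNT)]


def match_index(src: str, table: list[bytes]) -> int:
    """Index of the matching table entry, or -1 if none matches.

    Mirrors MD5Init / MD5Update(src, strlen(src)) / MD5Final followed by the
    memcmp(s1, s2, 10h) loop; the routine itself only returns 1 or 0.
    """
    digest = hashlib.md5(src.encode("latin-1")).digest()
    for idx, entry in enumerate(table):
        if entry == digest:          # memcmp(...) == 0 -> mov al, 1
            return idx
    return -1                        # loop exhausted -> xor eax, eax


def is_listed(src: str, table: list[bytes]) -> bool:
    """Boolean form of sub_1010E8FC's return value."""
    return match_index(src, table) != -1


# Constructed sample table (NOT the real unk_1014CDCC data): digests of 25
# placeholder strings so the lookup can be exercised offline.
SAMPLE_TABLE = [hashlib.md5(f"sample-entry-{i}".encode()).digest()
                for i in range(ENTRY_COUNT)]
SAMPLE_BLOB = b"".join(SAMPLE_TABLE)

if __name__ == "__main__":
    table = load_table(SAMPLE_BLOB)
    print(is_listed("sample-entry-7", table))    # True
    print(is_listed("something-else", table))    # False
```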
#12
Mission accomplished, new patch for IDA 32&64 bit
The Following User Gave Reputation+1 to arlequim For This Useful Post:
LouCypher (03-06-2009)
#13
quick patch:
ida.wll
Offset | Old | New
000F05F9 | D0 | D1

ida64.wll
Offset | Old | New
0010DF31 | CC | CD
#14
What about 5.3 ?
#15
Not available (=not cr4ck3d) on w4r3z yet ... btw, latest is 5.4