Exetools  

  #1  
Old 09-27-2015, 08:52
psgama
Beginner with OnGuard Target

Hi everyone.

First off, I'm still learning and developing my skills. I'm not a script kiddie per se, but I don't program applications for a living. I deal more with ladder logic and function blocks in industry.

This is a hobby for me, I like puzzles and of course the feeling you get when you solve one, but I can't seem to generate a valid key for my application.

My target is using TurboPower OnGuard as protection. When you open it in Ollydbg, it closes itself, opens another application, and then re-opens itself as a new thread. I've been able to just patch one jump to keep it open as the same thread, but I've just been attaching to it after it runs, because I'm pretty sure it detects that the thread wasn't closed anyway.

Anyway, so far it's been too complicated for me, so I've resorted to downloading the OnGuard examples from SourceForge and trying to follow everything out in Ollydbg to see if I can create a key generator for either binary. By doing this, I think I discovered that the developer is using the same key info as the HelloWorld example....... Lazy developer?

However, modifiers are being used and there are several different versions of keys that can be generated for different packages of this application.

I've dumped Hello World exe while it's running and found my machine identifier integer in the dump. But I can't seem to do the same with my target.

Anyone want to point a beginner in the right direction, without completely giving things away? Either with my target, or with reversing the hello world exe from within the binary?

Code:
https://mega.nz/#!b19QWRCJ!rJef68-Wmli_fjuRMMj0gRNXIAOelbpM5Dde-B7gxew

Last edited by psgama; 09-27-2015 at 09:07.
  #2  
Old 09-27-2015, 09:47
psgama
The Machine Identifier Number on the registration screen is just the C: volume serial number. So I figured that out. Now to keep working on how that is being used to generate the code.
  #3  
Old 09-28-2015, 22:43
psgama
Alright. I've made progress. I can generate a valid demo code that extends the demo version of the program. Now I just need to find what other mod strings they are using to generate the codes. Learning is fun!
  #4  
Old 09-29-2015, 04:15
psgama
If anyone is following this thread, I have succeeded.

Tools used
IDR
Ollydbg 1
Hxd Hex editor
  #5  
Old 05-20-2017, 22:15
cgrs
First of all, sorry for necrobumping.
Second, thanks for working on 'bypassing' OnGuard! I've been trying not to patch (since there are already patched but older versions of that program), but to make a keygen using this library.
I used DeDe to peek over the subroutines and I found out it uses OGDaysChecked (so I think it's using some time-tied trial). It also uses a Machine ID (for which I found it looks for a registry key: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid). Unluckily, I couldn't find the 'Master Key' it's using to generate its serials. Once I know that, the OnGuard example could run fine as a keygen without modifying it a lot.

Has anyone tried luck with this library on other applications?
  #6  
Old 06-26-2017, 19:49
TempoMat
File no longer available

The file is no longer available at Mega.
Code:
https://mega.nz/#!b19QWRCJ!rJef68-Wmli_fjuRMMj0gRNXIAOelbpM5Dde-B7gxew
Can you please re-upload or PM me the link to download from the original site?


Here are three apps that use the OnGuard protection for their registration, if you want to try your hand at them.

Karaokekanta (Versions 4 and current Versions 8)
SecureToken
Token2Plus

Karaokekanta uses a lot of data to generate a Hardware Pin that serves as the basis for the registration code. The HardwarePin is also LocalTime dependent, but once generated some information is stored in a database so that the same HardwarePin can be generated.
That said, deleting that database or that specific entry in the database will generate a different Hardware Pin.

Regards TemPoMat.
  #7  
Old 09-18-2017, 02:00
psgama
Sorry for no response. This post is very old and I have had a hard drive crash since I worked on this target. I no longer have the solution available. I can provide some references if you are still interested in these targets.

hxxps://mega.nz/#F!PRt0URQR!y_xEaAP4fEadfz0YEzlu_w
Old version of OnGuard, but may be helpful for your work.

Last edited by psgama; 09-18-2017 at 02:09.
  #8  
Old 09-18-2017, 02:37
TempoMat
The Link contains the OnGuard and not the target app.

Thanks for the link.

However, it contains the TurboPower OnGuard and not the application using it.
I'm more interested in the application using the OnGuard features.

Quote:
I can provide some references if you are still interested in these targets
If this is in reference to the 3 apps I mentioned in my earlier post,
then there is no need. I have already generated keygens for them.
  #9  
Old 01-28-2018, 10:01
cgrs
Hey @TempoMat, I'm interested in your approach to those apps. Could you help me on my quest for a keygen?

The app I'd want to keygen is called DIAL. It's using TOgDaysCode with a combination of HWID on a Windows Registry key.

I tried decompiling with DeDe, but can't find the way to make a keygen.

URL: hxxps://www.alceingenieria.net/nutricion/descarga.htm
  #10  
Old 01-29-2018, 16:28
sendersu
DeDe is a very old tool; try IDR (Interactive Delphi Reconstructor).

Its most powerful feature is finding a control-event handler (in seconds).
  #11  
Old 02-06-2018, 12:23
psgama
cgrs,

I believe the key being used is

0DEBF4F725768E6195BD7A1226CC782C

It has been a very, very long time since I worked on this protection, and I can't seem to remember how to trace the modifiers out. But I believe this should be a start.


In ollydbg it is loaded here
Code:
 dregistro::TFormRegistro.OgDaysCode1GetKey
 00770194    push       ebx
 00770195    push       esi
 00770196    push       edi
 00770197    mov        ebx,ecx
 00770199    mov        edi,ebx
 0077019B    mov        esi,9E5674
 007701A0    movs       dword ptr [edi],dword ptr [esi]
 007701A1    movs       dword ptr [edi],dword ptr [esi]
 007701A2    movs       dword ptr [edi],dword ptr [esi]
 007701A3    movs       dword ptr [edi],dword ptr [esi]
 007701A4    pop        edi
 007701A5    pop        esi
 007701A6    pop        ebx
 007701A7    ret
  #12  
Old 02-21-2018, 09:46
TempoMat
Quote:
Originally Posted by cgrs View Post
Hey @TempoMat, I'm interested in your approach to those apps. Could you help me on my quest for a keygen?

URL: hxxps://www.alceingenieria.net/nutricion/descarga.htm
Sorry for the late reply

The routine @ 0076EB60 generates the UserID from the Registry Key "MachineGuid" read from the location HKLM\Software\Microsoft\Cryptography

It then PreCats "X" to the Hashed value from the MachineGuid and shows it as the UserID

For the InitRegCode:
1. HexDecode(HexString2HexBytes) the UserID without the preceding "X" and ByteSwap=>Res_UserID
2. Use the result of 1 above and the PrivateKey= "0DEBF4F725768E6195BD7A1226CC782C" which is correctly identified by "psgama" to ApplyModifierToKeyPrim=Key for Encryption/Decryption. That means EncryptionKey= ApplyModifierToKeyPrim(Res_UserID,PrivateKey)
3. ShrinkDate (BaseDate + ExpandedDate)
This software does not check for a specific BaseDate so you can use BaseDate=0XA4CB and the Date2Long of any date in the future as the ExpandedDate
=>Result=2Bytes=XX
4. RegCheckCode=0XD9F9 = 2 Bytes = YY
I believe this RegCheckCode is the only Magic Value the software checks after the decryption
5. HashElf(Any 16 CharString)
=>Result=4Bytes=ZZZZ
6. Encrypt=>MixBlock(XXYYZZZZ,EncryptionKey)
7. Serial=HexEncode(Result from 6)

Regards
  #13  
Old 03-05-2019, 02:02
conan981
I just want to add a little hint, since I had to play with this protection some time ago.
To generate valid keys, we need all the data described in the posts above (PRIMARY KEY AND MODIFIER/S) AND
to know what type of keys we need to generate. (To generate keys we can use the demo generator, adding our keys and modifier.)
To know that info, we can check in our app which function is called among
Quote:
ISDATECODEVALID
ISDAYSCODEVALID
ISREGCODEVALID
ISSERIALNUMBERCODEVALID
ISSPECIALCODEVALID
ISUSAGECODEVALID
Every function, using the mixblock function, extracts from our serial a constant that is checked.

Quote:
const
{magic values}
DaysCheckCode = Word($649B);
DateCheckCode = Word($A4CB);
NetCheckCode = Word($9341);
RegCheckCode = Word($D9F6);
SerialCheckCode = Word($3C69);
UsageCheckCode = Word($F3D5);
SpecialCheckCode = Word($9C5B);
  #14  
Old 04-04-2019, 16:24
cgrs
Wow guys @TempoMat @psgama @conan981 thank you so much! I could not see where the PKey was, I think I gave up too soon before diving deeper.
I'll try to create a keygen with the key and those modifiers using the OnGuard sample generator.
All times are GMT +8.