|
#1
|
|||
|
|||
Beginner with OnGuard Target
Hi everyone.
First off, I'm still learning and developing my skills. I'm not a Script kiddie per say, but I don't program applications for a living. I deal more with ladder logic and Function blocks in industry. This is a hobby for me, I like puzzles and of course the feeling you get when you solve one, but I can't seem to generate a valid key for my application. My target is using TurboPower Onguard as protection. When you open it in Ollydbg it closes itself opens another application and then re-opens itself as a new thread. I've been able to just patch one jump to keep it open as the same thread, but I've just been attaching to it after it runs, because I'm pretty sure it detects that the thread wasn't closed anyway. Anyway, So far it's been too complicated for me, so I've resorted to downloading the onguard examples from sourceforge and trying to follow everything out in Ollydbg to see if I can create a key generator for either binary. By doing this, I think I discovered that the developer is using the same Key info as the HelloWorld Example....... Lazy developer? However, modifiers are being used and there are several different versions of keys that can be generated for different packages of this application. I've dumped Hello World exe while it's running and found my machine identifier integer in the dump. But I can't seem to do the same with my target. Anyone want to point a beginner in the right direction, without completely giving things away? Either with my target, or with reversing the hello world exe from within the binary? Code:
https://mega.nz/#!b19QWRCJ!rJef68-Wmli_fjuRMMj0gRNXIAOelbpM5Dde-B7gxew Last edited by psgama; 09-27-2015 at 09:07. |
#2
|
|||
|
|||
Machine Identifier Number on the Registration Screen is Just the C: Volume Serial Number. So I figured that out. Now to keep working on how that is being used to generate the code.
|
The Following User Says Thank You to psgama For This Useful Post: | ||
Indigo (07-19-2019) |
#3
|
|||
|
|||
Alright. I've made progress. I can Generate a Valid Demo code, that extends the Demo Version of the program. Now I just need to find what other Mod strings they are using to generate the codes. Learning is Fun!
|
The Following User Says Thank You to psgama For This Useful Post: | ||
Indigo (07-19-2019) |
#4
|
|||
|
|||
If anyone is following this thread, I have succeeded.
Tools used IDR Ollydbg 1 Hxd Hex editor |
The Following User Says Thank You to psgama For This Useful Post: | ||
Indigo (07-19-2019) |
#5
|
|||
|
|||
First of all, sorry for necrobumping.
Second, thanks for working on 'bypassing' OnGuard! I've been trying not to patch (since there are already patched but older versions of that program), but make a Keygen using this library. I used DeDe to peek over the subroutines and I found out it uses OGDaysChecked (so I think it's using some time-tied trial). It also uses Machine ID (which I found it looks for a Registry Key: HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid). Unluckily, I couldn't found the 'Master Key' it's using to generate its serials. Once I could know that, using the OnGuard example could run fine as keygen without modifying it a lot. Has anyone tried luck with this library on other applications? |
The Following User Says Thank You to cgrs For This Useful Post: | ||
Indigo (07-19-2019) |
#6
|
|||
|
|||
File no more available
The file is no more available at Mega.
Code:
https://mega.nz/#!b19QWRCJ!rJef68-Wmli_fjuRMMj0gRNXIAOelbpM5Dde-B7gxew Here are three apps, that use the OnGuard protection for their registration if you want to try your hands on them. Karaokekanta (Versions 4 and current Versions 8) SecureToken Token2Plus The Karaokekanta uses a lot of data to generate a Hardware Pin that serves as the basis for the registration code. The HardwarePin is also LocalTime dependant but once genereted some information is stored in a database so that the same HardwarePin can be generated. That said deleting that database or that specific entry in the database will generate a different Hardware Pin. Regards TemPoMat. |
The Following User Says Thank You to TempoMat For This Useful Post: | ||
Indigo (07-19-2019) |
#7
|
|||
|
|||
Sorry for no response. This post is very old and I have a hard drive crash since I worked on this target. I no longer have solution available. I can provide some references if you are still interested in these targets
hxxps://mega.nz/#F!PRt0URQR!y_xEaAP4fEadfz0YEzlu_w Old version of onGuard but may be helpful for your works Last edited by psgama; 09-18-2017 at 02:09. |
#8
|
|||
|
|||
The Link contains the OnGuard and not the target app.
Thanks for the link.
However it contains the TurboPower OnGuard and not the application using the it. I'm more interested in the application using the OnGuard features. Quote:
then there is no need. I have already generated keygens for them. |
The Following User Says Thank You to TempoMat For This Useful Post: | ||
Indigo (07-19-2019) |
#9
|
|||
|
|||
Hey @TempoMat, I'm interested in your approach on that apps. Could you help me on my quest for a keygen?
The app I'd want to keygen is called DIAL. It's using TOgDaysCode with a combination of HWID on a Windows Registry key. I tried decompiling with DeDe, but can't find the way to make a keygen. URL: hxxps://www.alceingenieria.net/nutricion/descarga.htm |
The Following User Says Thank You to cgrs For This Useful Post: | ||
Indigo (07-19-2019) |
#10
|
|||
|
|||
Quote:
The routine @ 0076EB60 generates the UserID from the Registry Key "MachineGuid" read from the location HKLM\Software\Microsoft\Cryptography It then PreCats "X" to the Hashed value from the MachineGuid and shows it as the UserID For the InitRegCode: 1. HexDecode(HexString2HexBytes) the UserID without the preceding "X" and ByteSwap=>Res_UserID 2. Use the result of 1 above and the PrivateKey= "0DEBF4F725768E6195BD7A1226CC782C" which is correctly identified by "psgama" to ApplyModifierToKeyPrim=Key for Encryption/Decryption. That means EncryptionKey= ApplyModifierToKeyPrim(Res_UserID,PrivateKey) 3. ShrinkDate (BaseDate + ExpandedDate) This software does not check for a specific BaseDate so you can use BaseDate=0XA4CB and the Date2Long of any date in the future as the ExpandedDate =>Result=2Bytes=XX 4. RegCheckCode=0XD9F9 = 2 Bytes = YY I believe this RegCheckCode is the only Magic Value the software checks after the decryption 5. HashElf(Any 16 CharString) =>Result=4Bytes=ZZZZ 6. Encrypt=>MixBlock(XXYYZZZZ,EncryptionKey) 7. Serial=HexEncode(Result from 6) Regards |
#11
|
|||
|
|||
DeDe is very old tool, try IDR (Interactive Delphi Reconstructor)
most powerful feature is to find a control-event handler (in a seconds) |
The Following User Says Thank You to sendersu For This Useful Post: | ||
Indigo (07-19-2019) |
#12
|
|||
|
|||
cgrs,
I believe the key being used is 0DEBF4F725768E6195BD7A1226CC782C It has been a very very long time since I worked on this protection, and can't seem to remember how to trace the modifiers out. But I believe this should be a start. In ollydbg it is loaded here Code:
dregistro::TFormRegistro.OgDaysCode1GetKey 00770194 push ebx 00770195 push esi 00770196 push edi 00770197 mov ebx,ecx 00770199 mov edi,ebx 0077019B mov esi,9E5674 007701A0 movs dword ptr [edi],dword ptr [esi] 007701A1 movs dword ptr [edi],dword ptr [esi] 007701A2 movs dword ptr [edi],dword ptr [esi] 007701A3 movs dword ptr [edi],dword ptr [esi] 007701A4 pop edi 007701A5 pop esi 007701A6 pop ebx 007701A7 ret |
#13
|
|||
|
|||
i just want to add a little hint, since i had to play with this protection time ago.
to generate valid keys, we need all the data described in posts above(PRIMARY KEY AND MODIFIER/S) AND to know what type of keys we need to generate. (to generate keys we can use demo generator adding our keys and modifier) To know that info, we can check into our app what function is called among Quote:
Quote:
|
#14
|
|||
|
|||
Wow guys @TempoMat @psgama @conan981 thank you so much! I could not see where the PKey was, I think I gave up too soon before diving deeper.
I'll try to create a keygen with the key and those modifiers using the OnGuard sample generator. |
The Following User Says Thank You to cgrs For This Useful Post: | ||
Indigo (07-19-2019) |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
SoftIce For 9x Beginner - HELP | PiG_DoG | General Discussion | 3 | 06-27-2003 17:31 |