#1
IDA v4.8 Prof. Standard : To load databases created in blacklisted licensee names.
Target: IDA Pro Standard v4.8
ps: details mentioned here must be applicable to the advanced version too.

i'll explain details and necessary steps to load databases created in *any* standard versions of ida v4.8 and prior ( including the blacklisted ones... )

ida.wll, which is a pe dll and packed with asprotect, contains some core license validation checks. every ida database ( *.idb ) is watermarked with the license name of resp. ida user using which the database is created. every time you load a database in ida, the ida.wll verifies that the license name mentioned in the database is a legitimate or a blacklisted one. in case it is blacklisted, ida displays an error "database corrupt" and denies to load the database.

ida.wll contains a hashtable, which is an array of 16 bytes MD5 hash constructed from license name. this hashtable is nothing but a table of blacklisted license name hashes. for ida v4.8 there are like 16 entries, that means 16 blacklisted users. so ida.wll first calculates hash of license name contained in database, and does memcmp against each entry in hashtable. if it finds a match then it means it is a blacklisted name and usual error/abort steps will be taken, and if not then the database will be loaded/upgraded as per user choice.

here is the hash table entries...

now pls do these steps to disable this check...

1. using asprotect unpacker, unpack ida.wll file ( i used un-pack v2.3 from snow panther )
2. do binary search and find this hash table
3. load unpacked ida.wll into ida for analysis
4. find xref to this hash table and there will be certainly one xref. only this xref. location is where you will find the code which does this checking via memcmp function
5. as per your taste and choice make a patch so this check is skipped and the resp. function always returns 0 as success
   - either you could fill hashtable with some bytes like 0 or 0xff
   - or jnz -> jmp like patch
   - or anything else will do

conclusion
----------
since there is every possibility of ida.wll being watermarked with license infos, i have presented an approach to fix it rather than a ready made patch

the checking via hash table is in fact done, to hide the real blacklisted license names rather than just hashes

ida pro adv. must have similar method for blacklist checking !

and a final point is, "pierre" is really a hard person to talk with
#2
Thanks for information
#3
You can just clear the hash table data to 0.