EXETOOLS FORUM  

Go Back   EXETOOLS FORUM > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #61  
Old 03-26-2004, 14:36
britedream britedream is offline
Friend
 
Join Date: Jun 2002
Posts: 436
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
britedream Reputation: 0
the error you refer to by xoring mov eax,...., is due to a refrence to region 970000"imagebase", 973861"Va" , which isnot there any more, if you aren't registered then eax==0, this is why it is running ok in your case, if it were to return other value for unregistered, then I would think it will effect the target.

Last edited by britedream; 03-26-2004 at 14:43.
Reply With Quote
  #62  
Old 03-27-2004, 04:37
Kyrios Kyrios is offline
Friend
 
Join Date: Feb 2003
Posts: 48
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Kyrios Reputation: 0
decrypt 2 fragmenst

there are 2 encrypted fragments in the dumped file. If it wasn't decrypted yes, it can't be FULLY working version.
Is there any way to decrypt without having to register? IF there was a blacky serial, how can we do with it?


TIA,
kyrios
Reply With Quote
  #63  
Old 03-27-2004, 05:10
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 9 Times in 3 Posts
MaRKuS-DJM Reputation: 6
Quote:
Originally Posted by Kyrios
Is there any way to decrypt without having to register? IF there was a blacky serial, how can we do with it?
maybe you can use asload and let it run registered. You can debug it, set BP on CreateProcess and then debug the program while asload does his register-job and then dump the program fully registered & decrypted
Reply With Quote
  #64  
Old 03-27-2004, 06:22
Kyrios Kyrios is offline
Friend
 
Join Date: Feb 2003
Posts: 48
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Kyrios Reputation: 0
By hand

Quote:
maybe you can use asload and let it run registered
No, i wanna know how to do it by hand. Afterall, i've tried several ASPRed programs, but always fails. Pstrip, elcor, and articons for instance.

BR,
kyrios
Reply With Quote
  #65  
Old 03-27-2004, 19:12
MaRKuS-DJM's Avatar
MaRKuS-DJM MaRKuS-DJM is offline
Cracker + Unpacker
 
Join Date: Aug 2003
Location: Virtual World / Network
Posts: 553
Rept. Given: 7
Rept. Rcvd 6 Times in 4 Posts
Thanks Given: 2
Thanks Rcvd at 9 Times in 3 Posts
MaRKuS-DJM Reputation: 6
powerstrip uses some heavy checks... it's not so easy. i don't know where these checks are located
Reply With Quote
  #66  
Old 03-28-2004, 07:08
Maltese
 
Posts: n/a
La La La La La La..... tracing into AsProtect code... watching it load, erase, load, erase code.... getting closer... will report when I get to the serial# code

-Malt
Reply With Quote
  #67  
Old 03-28-2004, 16:02
Manko
 
Posts: n/a
Hi!

Nah... Pstrip is not so very difficult... Look at the dips... there's a very useful clue! (Not THE solution, just a VERY important clue...)
And then you run it in olly and when it gives an exception (NOT the OEEDFEED) you examine that code, get to understand it and patch it.
This piece of code that throws the exception is quite common in aspr-targets...

/Manko

Quote:
Originally Posted by MaRKuS-DJM
powerstrip uses some heavy checks... it's not so easy. i don't know where these checks are located
Reply With Quote
  #68  
Old 03-29-2004, 11:41
Maltese
 
Posts: n/a
HEY!

I believe I found the solution... the problem is I'm tired and have to get up for work at 5am.

Right before the: XOR DWORD PTR DS:[EAX],EAX

is always: MOV DWORD PTR FS:[EAX],ESP

keeping this in mind I did this:

DEBUG->SET CONDITION
CHECK -> COMMAND IS ONE OF
and enter into the box: MOV DWORD PTR FS:[EAX],ESP
CLICK OK (to exit Set Condition Window)

To save on a lengthy trace at the very start I did a Hardware BP at address: 9741A1 ( MOV DWORD PTR FS:[EAX],ESP ).

I did a NOP on the XOR[EAX],EAX and then continued with CTRL+F11 (trace) till the next one... and the next....

Now I need to do this till I get to the SEH XOR[EAX],EAX @ address 974350 which should be the area before the Registry is read for the "Key".

I will confirm this tomorrow unless someone else out there does it first

Please let me know if this is correct/incorrect.

Just a reminder that on my system during this session my first SEH error address is at 9741A4, then 973AC1, then 973B09... there are too many to list... you get the idea.

Nite!
Reply With Quote
  #69  
Old 03-29-2004, 18:28
upb's Avatar
upb upb is offline
Friend
 
Join Date: Apr 2002
Posts: 63
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
upb Reputation: 0
btw, is there only one seh handler function that it uses or many ?
if there is only 1, you could just nop out the portion that clears the hardware breakpoints in the CONTEXT struct.
Reply With Quote
  #70  
Old 03-30-2004, 01:14
Maltese
 
Posts: n/a
I "believe" that because AsProtect decrypts runs, clears stack, clears memory, decrypts over cleared memory, *repeat* that just NOPing the SEH Handler function won't work.

There are 27 Memory Access Violations all occuring in different places in memory. That would be to easy to just NOP one call for the SEH handler. I just can't imagine Alexey allowing something like that.

I will try my trace in a few hours when I finish work and report back.

-Malt
Reply With Quote
  #71  
Old 03-30-2004, 09:51
Maltese
 
Posts: n/a
Well I've finally did it!

I have successfully traced the AsProtect code to the point it loads the Serial# from the Registry without any SEH ERRORs

I have confirmed that it makes 4 copies of the key (for a total of 5).
It will try to strip out any spaces from the key. Valid keys have no spaces.
DVDIldle Pro uses the following string for a look-up (which I believe is to re-create the name of the registered person- working on this now.. not sure just yet on this one):
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= $()[]{},::-_\*

I am taking VERY good notes at the moment to see how the code is tracing thru the key. I'm tired at the moment. I'll continue tomorrow.

For those that wish to participate.... my research was correct on my last message. You must trace into the code from the beginning with MOV DWORD PTR FS:[EAX],ESP in the SET CONDITION BOX.

When Olly breaks you must NOP the following XOR[EAX],EAX
then continue with CTRL+F11 until you NOP the XOR[EAX],EAX at address location: $974350.

Once you've NOPd $974350 single step past... then BP on address $974652, single step till after the CALL $965264. Now BP on $96962D.

You will now be at the RegOpenKeyExA call. Just F8 till you get to the RegQueryKeyExA. And viola...

Hope this helps.

Now the fun part begins...

Not bad for a Newbie huh?

-Malt

P.S. You can use the same technique for PowerStrip too guys... the address's are different...but use the same technique.

Race you to the finish MaRKuS.... LOL (I would lose that one).

Last edited by Maltese; 03-31-2004 at 04:20.
Reply With Quote
  #72  
Old 03-30-2004, 21:24
crusader
 
Posts: n/a
LOL.. i hope you are enjoying yourself Maltese ...
cos i hate to spoil your fun but when you are done you will realise that there will be easier way to do what you want... but then again you LEARN a lot MORE the hard way ...

perhaps a search for aspr tools ard will be good, woodmann forum is the place to find...

like you can get AntiIsDebuggerPresent plugin for Olly... bypass seh setting in Olly, you have realised now what breakpoint to set ...

One more thing that will help you a lot if you havent done so, dump the aspr.dll (manual or search for tool), disassemble it with IDA and your life will be much simpler ...

Enjoy,
crUs
Reply With Quote
  #73  
Old 03-30-2004, 22:05
Maltese
 
Posts: n/a
crusader,

I have Hide Debugger plugin for Olly. Not sure it's the same one you mentioned. If there is a different one, please point me in the right direction.

Yes I am having fun LOL

Since I am new to IBM cracking I need to sift and sink thru the code to become more familiar with the lastest x86 tricks.

If you have any suggestions please PM me or share them here.

My focus now is learning the algorithm to create a valid key.

The problem with AsProtected programs is that once you break one... you can break them all.

-Malt
Reply With Quote
  #74  
Old 03-31-2004, 02:38
SvensK
 
Posts: n/a
Quote:
Originally Posted by Maltese
The problem with AsProtected programs is that once you break one... you can break them all.

-Malt
No no no. How can you see this as a "problem" ?
Reply With Quote
  #75  
Old 03-31-2004, 04:22
Maltese
 
Posts: n/a
Regarding the name...

Once the name is extracted from the Key, it has no other significance... there are no more checks to the size or the value.

Basically... this is important for the Keygen to assist in creating a serial# from a Name.... but other than that... it's not where the check for validity is or where it's generated entirely.

-Malt

KEEP ON DIGGIN'
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ASProtect SKE unpacking TempoMat General Discussion 10 08-24-2016 17:48
need help unpacking ASProtect Fade General Discussion 8 05-25-2011 22:12
Unpacking asprotect britedream General Discussion 7 09-01-2004 01:46
Unpacking ASProtect with OllyDbg??? BoostMan General Discussion 11 01-21-2003 00:30


All times are GMT +8. The time now is 22:58.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX