EXETOOLS FORUM  
#46 - 03-25-2004, 19:36 - britedream
To Svensk
In error one above, there is a call right above it; step into it and change the value of the address being moved to eax so that it points to an address where your name is.

Last edited by britedream; 03-25-2004 at 20:13.
#47 - 03-26-2004, 01:52 - SvensK
I see what you mean britedream.

Still some problem though. I've compared the "code" section of my dumped exe and yours, and even though there are no differences, yours is registered and mine is not. Do you have custom code executed in any of the other sections?
#48 - 03-26-2004, 01:56 - britedream
You saw the address at 444600, where my name is; just go to the address moved to eax in the dump and change the value to 444600.
You should change the value of the address moved, not the address itself.

Last edited by JMI; 03-26-2004 at 02:57.
#49 - 03-26-2004, 02:22 - SvensK
Hehe, sorry for being so thick. All is well and it runs registered now.
Thanks a bunch m8
#50 - 03-26-2004, 03:28 - Maltese
To lownoise,

When I changed the code to XOR EAX,EAX, DVDIdle Pro came up with the splash screen.

Is this something that is common with AsProtect? I recall Stripper creating a working exe out of DVDIdle Pro.

I thought this whole process was to create an unpacked version of the original program. yes?

I will look thru this executing exe and see if I can discover the algorithm for the serial #.
#51 - 03-26-2004, 04:18 - Maltese
After doing some tracing....

Since I am interested in creating a serial#.... the code to check for a valid serial # is missing. That's why the XOR EAX,EAX works: the serial# check is missing (from the program). It's not being left in the "unpacked" program (which is probably why there aren't many keygens for AsProtect programs, i.e. PowerStrip and DVDIdle Pro/Region Free).

I BP on all (and every) RegQueryKey and it never loads hKey with "KEY" which is where the code is stored in the Registry.

When you go thru the enter serial # dialog box.... it's a dummy... no check is done. It just saves it to the registry and tells you to restart. When you restart the program.... it bypasses the missing code due to the XOR EAX,EAX.

How do I get that code into the pack as well? Is it impossible with AsProtect?

-Malt....

Me Thinks I have to do this in memory... and not from an unpacked file.

Last edited by Maltese; 03-26-2004 at 11:42.
#52 - 03-26-2004, 04:56 - MaRKuS-DJM (Cracker + Unpacker)
Hm... do you think you can keygen RSA1024? AsProtect checks the serial on startup, then it sets global variables which get the program registered. A way to dump the program registered is to use AsLoad: break on the EP of the AsProtected program, then let AsLoad do its job, and you can dump it registered.

AsLoad has a system to bypass the RSA algorithm and load it registered, nearly like the loader of TMG for AnyDVD.
#53 - 03-26-2004, 05:31 - Maltese
Well,

I am attempting to trace the code to reverse it. Things I know so far:

After pressing F9 once.

Press SHIFT + F9 22 times (BEFORE it's placed on the stack) and the stack holds the key brought in from the registry. It's stored here in memory: STACK 12EA90: 9910D4 (address). The address varies by size of key.

Try this:
Create a new String Value of "KEY" in: KEY_CURRENT_USER\Software\DVDIdle Pro

Right click modify and place something obvious... MARKUSMARKUSMARKUS in it

Press F9 once, then SHIFT + F9 (22 times to see it already loaded in stack)
Look at 12EA90

This is as far as I've gotten with discovery... Since I'm new to Olly (not to reverse engineering techniques) I am attempting to bp when my fake key is loaded and backtrace.

If you are interested in this with me I will share everything I find.

-Malt

I could use some help too along the way if you have time.

P.S. MaRKuS... I'm not trying to crack the encryption. That would be if I had an encoded string... and tried to figure out what it originally said before it was encrypted, without the formula. The formula/algorithm for AsProtect/DVDIdle is in the code, as it checks its validity. One just has to reverse the steps. So technically I'm not trying to perform an amazing feat... Getting to that code is my focus now.

Last edited by Maltese; 03-30-2004 at 09:36.
#54 - 03-26-2004, 07:16 - SvensK
To britedream: I see one of your stolen bytes tuts is about PWSEX.
Did you work on removing the trial limits as well, or did you just unpack it?

I'm working on this myself; that's why I'm asking.

I have successfully removed the splash, unregged nags and the "graying" of some passwords.
Still working on the "10 accounts at a time stuff".

Last edited by SvensK; 03-26-2004 at 07:23.
#55 - 03-26-2004, 10:30 - britedream
To SvensK:
That was done due to a request from a member to find the stolen bytes; I didn't look any further.

To Maltese:
I admire your work; I will do something to help you. Please check your PM.
#56 - 03-26-2004, 11:06 - britedream
Quote:
Originally Posted by MaRKuS-DJM
Hm... do you think you can keygen RSA1024? AsProtect checks the serial on startup, then it sets global variables which get the program registered. A way to dump the program registered is to use AsLoad: break on the EP of the AsProtected program, then let AsLoad do its job, and you can dump it registered.

AsLoad has a system to bypass the RSA algorithm and load it registered, nearly like the loader of TMG for AnyDVD.
Markus, I am curious to know: AsProtect does its check in the AsProtect region that isn't in the dump file once unpacked. Does AsLoad read this region back into the dump? We can read any region from AsProtect to be included in the dump. But there is another way to register, which is to write a dll, then put a small patch in the original to load the dll and trick AsProtect into allowing you to patch it. I have seen this done, but I believe reading the right region back into the dump is much easier to do.

Last edited by britedream; 03-26-2004 at 11:09.
#57 - 03-26-2004, 11:59 - britedream
Maltese, when you say "that is why xoring eax.... works", which instruction are you referring to?
#58 - 03-26-2004, 12:28 - Maltese
BriteDream,

I was referring to address location (provided by lownoise):

Original code:

$4043AA: 8B00 MOV EAX, DWORD PTR DS:[EAX]
$4043AC: 85C0 TEST EAX,EAX

Change to:

$4043AA: 33C0 XOR EAX,EAX

This patch allowed my dump to work after fixing with Imprec.

Moving along, if you press SHIFT + F9 26 times and then search the stack, the key you entered (dummy key in registry) is missing!

From this, and by checking the RegQueryKey breakpoints, I determined that the serial# is loaded in the AsProtect code which is not in the final unpacked code.

Also it seems on my system that the KEY from the registry is stored at location $990F3C and is pushed onto the stack.

Another telltale sign is that it removes all spaces from the serial#. Big no-no. When we see a loop to remove spaces it helps let us know we are getting closer. As a test... put MALTESE MALTESE MALTESE as the key. When it's pushed onto the stack the spaces are missing.

And now for my stupid question: don't laugh...

I noticed AsProtect employs a technique of making calls to odd addresses which messes with Olly. I can right click and then say follow... but is there a better way to adjust the memory locations so that the code looks the same as it does when it executes?

I will share as I go for those that might want to join in.

-Malt

Last edited by Maltese; 03-30-2004 at 09:37.
#59 - 03-26-2004, 13:35 - Maltese
After we run the trace and patch the stolen bytes and reset OEP...

When we go to dump the file, is there a way to also store the memory contents of 960000 thru 990000 so that they are reloaded in the same location when the "unpacked" program starts up?

Back in the day we could save the memory and dump it to a binary file...then you could reload it back into the same memory location from the file at any time you wanted. Is there a way to do this now?

-Malt
#60 - 03-26-2004, 14:21 - britedream
Exactly, yes. In the dumped file itself we can patch it to read back all the regions you want: just choose the region you want, save it as binary, then read it back. Of course you have to allocate the space for each region using VirtualAlloc.

Last edited by britedream; 03-26-2004 at 14:24.