To Svensk
Registration is in error #1 in my above post, while the missed patch is in error 2, which is after the splash. |
Britedream,
I didn't have to make any modifications other than error 1 you specified. Why do you have to make any changes on error 2? :confused: |
To lownoise
I don't know if it is truly registered or not, but try to keep your dump target name slightly different from the original name. |
Edit by britedream
To lownoise: the target will run outside Olly with fixing only the first error, and will run in Olly if you checked to ignore memory access violations. It uses AsProtect region 990000, which is no longer there. |
Where's the push in your exe to read the name at 444600? |
To Svensk
In error one above, there is a call right above it; step into it, and change the value of the address being moved to EAX to point to an address where your name is. |
I see what you mean, britedream.
Still some problem though. I've compared the "code" section of mine and your dumped exe, and even though there are no differences, yours is registered and mine is not. Do you have custom code executed in any of the other sections? |
You saw the address at 444600, where my name is; just go to the address moved to EAX in the dump and change the value to 444600.
You should change the value of the address moved, not the address itself. |
Hehe, sorry for being so thick. All is well and it runs registered now.
Thanks a bunch m8 :) |
To lownoise,
When I changed the code to XOR EAX,EAX, DVDIdle Pro came up with the splash screen. Is this something that is common with AsProtect? I recall Stripper creating a working exe out of DVDIdle Pro. I thought this whole process was to create an unpacked version of the original program, yes? I will look through this executing exe and see if I can discover the algorithm for the serial #. |
After doing some tracing....
Since I am interested in creating a serial#... the code to check for a valid serial# is missing. That's why the XOR EAX,EAX works: the serial# check is missing (from the program). It's not being left in the "unpacked" program (which is probably why there aren't many keygens for AsProtect programs, i.e. PowerStrip and DVDIdle Pro/Region Free). I BP on all (and every) RegQueryKey and it never loads hKey with "KEY", which is where the code is stored in the Registry. When you go through the enter serial# dialog box... it's a dummy... no check is done. It just saves it to the registry and tells you to restart. When you restart the program... it bypasses the missing code due to the XOR EAX,EAX. How do I get that code into the pack as well? Is it impossible with AsProtect? -Malt.... Me thinks I have to do this in memory... and not from an unpacked file. |
Hm... do you think you can keygen RSA1024? AsProtect checks the serial on startup, then it sets global variables which get the program registered. A way to dump the program registered is to use AsLoad, break on the EP of the AsProtected program, then let AsLoad do its job :) You can dump registered :)
AsLoad has a system to bypass the RSA algorithm and load it registered, nearly like the loader of TMG for AnyDVD. |
Well,
I am attempting to trace the code to reverse it. Things I know so far: after pressing F9 once, press SHIFT+F9 22 times (BEFORE it's placed on the stack) and the stack holds the key brought in from the registry. It's stored here in memory: STACK 12EA90: 9910D4 (address). The address varies by the size of the key.

Try this: create a new String Value of "KEY" in HKEY_CURRENT_USER\Software\DVDIdle Pro. Right click, Modify, and place something obvious... MARKUSMARKUSMARKUS in it. Press F9 once, then SHIFT+F9 (22 times to see it already loaded in the stack). Look at 12EA90.

This is as far as I've gotten in my discovery... Since I'm new to Olly (not to reverse engineering techniques) I am attempting to BP when my fake key is loaded and backtrace. If you are interested in this with me I will share everything I find. -Malt I could use some help too along the way if you have time.

P.S. MaRKuS... I'm not trying to crack the encryption. That would be if I had an encoded string... and tried to figure out what it originally said before it was encrypted, without the formula. The formula/algorithm for AsProtect/DVDIdle is in the code as it checks its validity. One just has to reverse the steps. So technically I'm not trying to perform an amazing feat... Getting to that code is my focus now. |
To britedream: I see one of your stolen bytes tuts is about PWSEX.
Did you work on removing the trial limits as well, or did you just unpack it? I'm working on this myself; that's why I'm asking. I have successfully removed the splash, unregged nags and the "graying" of some passwords. Still working on the "10 accounts at a time" stuff. |
To Svensk:
That was done due to a request from a member to find the stolen bytes; I didn't look any further. To Maltese: I admire your work, I will do something to help you. Please check your PM. |
the dump file once unpacked. Does AsLoad read back this region to the dump? We can read any region from AsProtect to be included in the dump, but there is another way to register: that is to write a DLL, then have a small patch in the original to load the DLL and trick AsProtect to allow you to patch it. I have seen this done. But I believe reading the right region back to the dump is much easier to do. |
Maltese, when you say "that is why xoring eax.... works", which instruction are you referring to? |
BriteDream,
I was referring to the address location (provided by lownoise):

Original code:
$4043AA: 8B00 MOV EAX, DWORD PTR DS:[EAX]
$4043AC: 85C0 TEST EAX,EAX

Change to:
$4043AA: 33C0 XOR EAX,EAX

This patch allowed my dump to work after fixing with ImpREC. Moving along, if you press SHIFT+F9 26 times and then search the stack, the key you entered (dummy key in registry) is missing! From this, and by checking the RegQueryKey breakpoints, I determined that the serial# is loaded in the AsProtect code, which is not in the final unpacked code. Also it seems on my system that the KEY from the registry is stored at location $990F3C and is pushed onto the stack. Another telltale sign is that it removes all spaces from the serial#. Big No No. When we see a loop to remove spaces it helps let us know we are getting closer. As a test... put MALTESE MALTESE MALTESE as the key. When it's pushed onto the stack the spaces are missing.

And now for my stupid question: Don't Laugh... I noticed AsProtect employs a technique making calls to odd addresses which messes with Olly. I can right click and then say follow... but is there a better way to adjust the memory locations so that the code looks the same as it does when it executes? I will share as I go for those that might want to join in. -Malt |
After we run the trace and patch the stolen bytes and reset the OEP...
When we go to dump the file, is there a way to also store the memory contents of 960000 through 990000 so that they are reloaded in the same location when the "unpacked" program starts up? Back in the day we could save the memory and dump it to a binary file... then you could reload it back into the same memory location from the file at any time you wanted. Is there a way to do this now? -Malt |
Exactly, yes. In the dumped file itself we can patch to read back all the regions you want: just choose the region you want, save as binary, then read it back. Of course you have to allocate the space for each region using VirtualAlloc. |
The error you refer to by XORing mov eax,.... is due to a reference to region 970000 "imagebase", 973861 "VA", which is not there any more. If you aren't registered then eax==0, which is why it is running OK in your case; if it were to return another value for unregistered, then I would think it will affect the target. |
Decrypt 2 fragments
There are 2 encrypted fragments in the dumped file. If it wasn't decrypted yet, it can't be a FULLY working version.
Is there any way to decrypt without having to register? If there was a blacky serial, what can we do with it? TIA, kyrios |
By hand
BR, kyrios |
PowerStrip uses some heavy checks... it's not so easy. I don't know where these checks are located. |
La La La La La La..... tracing into AsProtect code... watching it load, erase, load, erase code.... getting closer... will report when I get to the serial# code
-Malt |
Hi!
Nah... PStrip is not so very difficult... Look at the dips... there's a very useful clue! (Not THE solution, just a VERY important clue...) And then you run it in Olly and when it gives an exception (NOT the OEEDFEED) you examine that code, get to understand it and patch it. This piece of code that throws the exception is quite common in aspr targets... /Manko |
HEY!
I believe I found the solution... the problem is I'm tired and have to get up for work at 5am.

Right before the XOR DWORD PTR DS:[EAX],EAX there is always a MOV DWORD PTR FS:[EAX],ESP. Keeping this in mind I did this: Debug -> Set Condition Check -> "Command is one of", and enter into the box: MOV DWORD PTR FS:[EAX],ESP. Click OK (to exit the Set Condition window).

To save on a lengthy trace at the very start I did a hardware BP at address 9741A1 (MOV DWORD PTR FS:[EAX],ESP). I did a NOP on the XOR [EAX],EAX and then continued with CTRL+F11 (trace) till the next one... and the next.... Now I need to do this till I get to the SEH XOR [EAX],EAX @ address 974350, which should be the area before the Registry is read for the "Key". I will confirm this tomorrow unless someone else out there does it first :) Please let me know if this is correct/incorrect.

Just a reminder that on my system during this session my first SEH error address is at 9741A4, then 973AC1, then 973B09... there are too many to list... you get the idea. Nite! |
BTW, is there only one SEH handler function that it uses, or many?
If there is only 1, you could just NOP out the portion that clears the hardware breakpoints in the CONTEXT struct. |
I "believe" that because AsProtect decrypts, runs, clears the stack, clears memory, decrypts over the cleared memory, *repeat*, just NOPing the SEH handler function won't work.
There are 27 Memory Access Violations all occurring in different places in memory. That would be too easy, to just NOP one call for the SEH handler. I just can't imagine Alexey allowing something like that. I will try my trace in a few hours when I finish work and report back. -Malt |
Well, I've finally done it!
I have successfully traced the AsProtect code to the point it loads the Serial# from the Registry without any SEH ERRORs. I have confirmed that it makes 4 copies of the key (for a total of 5). It will try to strip out any spaces from the key. Valid keys have no spaces. DVDIdle Pro uses the following string for a look-up (which I believe is to re-create the name of the registered person; working on this now... not sure just yet on this one):

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= $()[]{},::-_\*

I am taking VERY good notes at the moment to see how the code is tracing through the key. I'm tired at the moment. I'll continue tomorrow.

For those that wish to participate.... my research was correct in my last message. You must trace into the code from the beginning with MOV DWORD PTR FS:[EAX],ESP in the Set Condition box. When Olly breaks you must NOP the following XOR [EAX],EAX, then continue with CTRL+F11 until you NOP the XOR [EAX],EAX at address location $974350. Once you've NOP'd $974350, single step past... then BP on address $974652 and single step till after the CALL $965264. Now BP on $96962D. You will now be at the RegOpenKeyExA call. Just F8 till you get to the RegQueryKeyExA. And voilà... Hope this helps. Now the fun part begins... Not bad for a Newbie, huh? -Malt

P.S. You can use the same technique for PowerStrip too, guys... the addresses are different... but use the same technique. Race you to the finish MaRKuS.... LOL (I would lose that one). |
LOL.. I hope you are enjoying yourself, Maltese :)...
'cos I hate to spoil your fun, but when you are done you will realise that there will be an easier way to do what you want... but then again you LEARN a lot MORE the hard way :)... Perhaps a search for aspr tools around will be good; the Woodmann forum is the place to find them... like you can get the AntiIsDebuggerPresent plugin for Olly... bypass SEH setting in Olly, you have realised now what breakpoint to set :)... One more thing that will help you a lot if you haven't done so: dump the aspr.dll (manually or search for a tool), disassemble it with IDA and your life will be much simpler :)... Enjoy, crUs |
Crusader,
I have the Hide Debugger plugin for Olly. Not sure it's the same one you mentioned. If there is a different one, please point me in the right direction. Yes I am having fun :) LOL. Since I am new to IBM cracking I need to sift and sink through the code to become more familiar with the latest x86 tricks. If you have any suggestions please PM me or share them here. My focus now is learning the algorithm to create a valid key. The problem with AsProtected programs is that once you break one... you can break them all. -Malt |
Regarding the name...
Once the name is extracted from the Key, it has no other significance... there are no more checks on the size or the value. Basically... this is important for the keygen to assist in creating a serial# from a Name.... but other than that... it's not where the check for validity is or where it's generated entirely. -Malt KEEP ON DIGGIN' |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.