Exetools - Datarescue IDA pirated .idb database

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Datarescue IDA pirated .idb database (https://forum.exetools.com/showthread.php?t=12087)

Datarescue IDA pirated .idb database

Well, i'd like to understand something about Conficker virus code, but IDA doenst open pirated idb database and it shows "Database corrupt". So i created this little patch for my IDA v5.2 debugger, it seems 100% working. If you encounter the same problem exploring other pirated databases, here is the patch. Hope it will be useful for you too! ;)

UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.

Yes, UNiQUE has made a fix but i will try your fix :D

Regards

it's so simple that it shouldn't ever be considered a release.

1. before 5.2 unpack the dll named ida.wll with any aspack unpacker like aspackdie or "All versions ASPack unpacker by PE_Kill". Consider that after version 5.2 (or from version also 5.2, don't remember) that dll is even not packed, so simpler.

2. find string "pirate" with Olly and skip the messagebox paching into a JMP the conditional jump just above

3. save the patch, voilà.

The protection was placed, as once even the author told, just as a light discouragement, not as a real protection. If you don't know how to patch is a symptom that you shouldn't use IDA. ;-)

Patching of JMP "pirate" was not enough to achieve my goal (the incriminated message is "database corrupt" and not "you are using a pirate..."). Anyway i have patched both the ways ;)
Regards

Quote:

Originally Posted by kienmanowar (Post 62264)

Yes, UNiQUE has made a fix but i will try your fix :D

Regards

Thanks bro, pls let me know if it works good :)

Quote:

Originally Posted by LouCypher (Post 62262)

UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.

I tested UNiQUE fix but when i load the idb "pirated" Ida says "Database corrupt". If you apply my patch you will able to open the database. In other words my patch really works. You dont believe??? Ok, try youself! :D

Code:

h--p://metasploit.com/users/pusscat/conficker-thread.idb

The Unique patch works fine too, what do you think people have been using for the past 1+ year?

Git

Code:

You dont believe??? Ok, try youself!

Quote:

Originally Posted by arlequim (Post 62296)

Code:

h--p://metasploit.com/users/pusscat/conficker-thread.idb

So your patch did indeed let me open that .idb whereas the UNiQUE fix wouldn't. If the ida64.wll suffers from the same fault, would you be so kind as to make a patch for it as well?

ida32.wll + ida64.wll

ida64.wll

Code:

.text:1010E8FC ; int __fastcall sub_1010E8FC(void *src)

.text:1010E8FC sub_1010E8FC    proc near               ; CODE XREF: sub_1010EB24+C6

.text:1010E8FC

.text:1010E8FC var_6C          = dword ptr -6Ch

.text:1010E8FC s1              = byte ptr -14h

.text:1010E8FC

.text:1010E8FC                 push    ebx

.text:1010E8FD                 add     esp, 0FFFFFF98h

.text:1010E900                 mov     ebx, eax

.text:1010E902                 push    esp

.text:1010E903                 call    MD5Init

.text:1010E908                 push    ebx             ; s

.text:1010E909                 call    _strlen

.text:1010E90E                 pop     ecx

.text:1010E90F                 push    eax             ; n

.text:1010E910                 push    ebx             ; src

.text:1010E911                 lea     eax, [esp+74h+var_6C]

.text:1010E915                 push    eax             ; int

.text:1010E916                 call    MD5Update

.text:1010E91B                 push    esp             ; s

.text:1010E91C                 lea     edx, [esp+70h+s1]

.text:1010E920                 push    edx             ; dest

.text:1010E921                 call    MD5Final

.text:1010E926                 xor     ebx, ebx

.text:1010E928

.text:1010E928 loc_1010E928:                           ; CODE XREF: sub_1010E8FC+53

.text:1010E928                 push    10h             ; n

.text:1010E92A                 mov     eax, ebx

.text:1010E92C                 shl     eax, 4

.text:1010E92F                 add     eax, offset unk_1014CDCC ; <<<

.text:1010E935                 push    eax             ; s2

.text:1010E936                 lea     edx, [esp+74h+s1]

.text:1010E93A                 push    edx             ; s1

.text:1010E93B                 call    _memcmp

.text:1010E940                 add     esp, 0Ch

.text:1010E943                 test    eax, eax

.text:1010E945                 jnz     short loc_1010E94B

.text:1010E947                 mov     al, 1

.text:1010E949                 jmp     short loc_1010E953

.text:1010E94B ; ---------------------------------------------------------------------------

.text:1010E94B

.text:1010E94B loc_1010E94B:                           ; CODE XREF: sub_1010E8FC+49

.text:1010E94B                 inc     ebx

.text:1010E94C                 cmp     ebx, 19h

.text:1010E94F                 jb      short loc_1010E928

.text:1010E951                 xor     eax, eax

.text:1010E953

.text:1010E953 loc_1010E953:                           ; CODE XREF: sub_1010E8FC+4D

.text:1010E953                 add     esp, 68h

.text:1010E956                 pop     ebx

.text:1010E957                 retn

.text:1010E957 sub_1010E8FC    end

you can see comparison after MD5Final call - patch it ;)

in ida32.wll method is similar

credits: infern0

Mission accomplished, new patch for IDA 32&64 bit ;)

quick patch:

ida.wll
Offset | Old | New
000F05F9: D0 D1

ida64.wll
Offset | Old | New
0010DF31: CC CD

not available (=not cr4ck3d) on w4r3z yet ... btw lastest is 5.4 :rolleyes:

is there some news on 5.3 (or 5.4) there seems to be a bit more talk recently, but i have seen no news yet?

--
bedrock

This doesn't remove the water mark but you have patched the routine which warns that a bad file has been loaded. (Correct me if I am wrong).

So you can use any pirated IDA, change the signature and still be able to use the databases? (even though the MD5 does not match ?) or does this patch the checksum checking on the IDB only ?

Quote:

Originally Posted by redbull (Post 62616)

Hello :)
i have only patched the check about "database corrupt" and "pirated copy" (you right)

Quote:

So you can use any pirated IDA, change the signature...

To be honest i dont know, i have only loaded the conficker database. That means you should to try other databases and if you encounter some prob i will try to analyze the MD5 check procedure.

It would be more clear and helpful if somebody can show up and give us more information about the water mark.

Then, we can try to fake or erase the water mark.

I wonder if some one has a tool to show the water mark.
It would be a great help, though.

Quote:

Originally Posted by zenix (Post 62620)

Exactly, you right: i'm not great user of IDA so i need more infos about "water mark". Then i can go on, but let me know how many times you need to load .idb files??? Most of times i open .exe or .dll files.

Well if someone was able to get 2 copies of a product same version / same build and do a comparison, it might shed some light, hehe but I think its hard enough to get ahold of 1 copy of this product, never mind about 2 copies

Darren

Depends on if you shut down your machine at night, but I have IDB files I have opened hundreds of times. I doubt I have any that have not been opened at least 20 times. Exe's and Dll's get opened only once, thereafter you are working on the IDB file.

Git

Quote:

Originally Posted by Jupiter (Post 62404)

quick patch:

ida.wll
Offset | Old | New
000F05F9: D0 D1

ida64.wll
Offset | Old | New
0010DF31: CC CD

Elegant one, Jupiter. :D
Here's an additional 'assignment' (if ne1 is insterested in this little game ;)):
How many bits do u need to patch w/o touching any code and/or how many other possibilities of 1-bit code patches do u have in order to achieve the same goal?

Have fun,
Pyrae