Exetools

Thread: Datarescue IDA pirated .idb database (https://forum.exetools.com/showthread.php?t=12087), General Discussion forum

arlequim 03-04-2009 06:53

Datarescue IDA pirated .idb database
 
1 Attachment(s)
Well, I'd like to understand something about the Conficker virus code, but IDA doesn't open the pirated idb database and shows "Database corrupt". So I created this little patch for my IDA v5.2 debugger; it seems 100% working. If you encounter the same problem exploring other pirated databases, here is the patch. Hope it will be useful for you too! ;)

LouCypher 03-04-2009 07:02

UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.

kienmanowar 03-04-2009 09:36

Yes, UNiQUE has made a fix but I will try your fix :D

Regards

Shub-Nigurrath 03-04-2009 17:17

It's so simple that it shouldn't ever be considered a release.

1. Before 5.2, unpack the dll named ida.wll with any ASPack unpacker like AspackDie or "All versions ASPack unpacker by PE_Kill". Consider that after version 5.2 (or also from version 5.2, I don't remember) that dll is not even packed, so it's simpler.

2. Find the string "pirate" with Olly and skip the messagebox by patching the conditional jump just above it into a JMP.

3. Save the patch, voilà.

The protection was placed, as the author himself once said, just as a light discouragement, not as a real protection. If you don't know how to patch it, that is a symptom that you shouldn't use IDA. ;-)

arlequim 03-04-2009 20:18

Patching the JMP at "pirate" was not enough to achieve my goal (the incriminated message is "database corrupt" and not "you are using a pirate..."). Anyway, I have patched it both ways ;)
Regards

arlequim 03-05-2009 00:58

Quote:

Originally Posted by kienmanowar (Post 62264)
Yes, UNiQUE has made a fix but I will try your fix :D

Regards

Thanks bro, please let me know if it works well :)

arlequim 03-05-2009 04:44

Quote:

Originally Posted by LouCypher (Post 62262)
UNiQUE made a fix for 5.2 back in 12/07 when it was originally released.

I tested the UNiQUE fix but when I load the "pirated" idb, IDA says "Database corrupt". If you apply my patch you will be able to open the database. In other words, my patch really works. You don't believe me??? OK, try it yourself! :D

Code:

h--p://metasploit.com/users/pusscat/conficker-thread.idb

Git 03-05-2009 06:56

The Unique patch works fine too, what do you think people have been using for the past 1+ year?

Git

arlequim 03-05-2009 20:14

Code:

You don't believe me??? OK, try it yourself!

LouCypher 03-06-2009 11:53

Quote:

Originally Posted by arlequim (Post 62296)
I tested the UNiQUE fix but when I load the "pirated" idb, IDA says "Database corrupt". If you apply my patch you will be able to open the database. In other words, my patch really works. You don't believe me??? OK, try it yourself! :D

Code:

h--p://metasploit.com/users/pusscat/conficker-thread.idb

So your patch did indeed let me open that .idb whereas the UNiQUE fix wouldn't. If the ida64.wll suffers from the same fault, would you be so kind as to make a patch for it as well?

Jupiter 03-06-2009 20:39

ida32.wll + ida64.wll

ida64.wll

Code:

.text:1010E8FC ; int __fastcall sub_1010E8FC(void *src)
.text:1010E8FC sub_1010E8FC    proc near              ; CODE XREF: sub_1010EB24+C6
.text:1010E8FC
.text:1010E8FC var_6C          = dword ptr -6Ch
.text:1010E8FC s1              = byte ptr -14h
.text:1010E8FC
.text:1010E8FC                push    ebx
.text:1010E8FD                add    esp, 0FFFFFF98h
.text:1010E900                mov    ebx, eax
.text:1010E902                push    esp
.text:1010E903                call    MD5Init
.text:1010E908                push    ebx            ; s
.text:1010E909                call    _strlen
.text:1010E90E                pop    ecx
.text:1010E90F                push    eax            ; n
.text:1010E910                push    ebx            ; src
.text:1010E911                lea    eax, [esp+74h+var_6C]
.text:1010E915                push    eax            ; int
.text:1010E916                call    MD5Update
.text:1010E91B                push    esp            ; s
.text:1010E91C                lea    edx, [esp+70h+s1]
.text:1010E920                push    edx            ; dest
.text:1010E921                call    MD5Final
.text:1010E926                xor    ebx, ebx
.text:1010E928
.text:1010E928 loc_1010E928:                          ; CODE XREF: sub_1010E8FC+53
.text:1010E928                push    10h            ; n
.text:1010E92A                mov    eax, ebx
.text:1010E92C                shl    eax, 4
.text:1010E92F                add    eax, offset unk_1014CDCC ; <<<
.text:1010E935                push    eax            ; s2
.text:1010E936                lea    edx, [esp+74h+s1]
.text:1010E93A                push    edx            ; s1
.text:1010E93B                call    _memcmp
.text:1010E940                add    esp, 0Ch
.text:1010E943                test    eax, eax
.text:1010E945                jnz    short loc_1010E94B
.text:1010E947                mov    al, 1
.text:1010E949                jmp    short loc_1010E953
.text:1010E94B ; ---------------------------------------------------------------------------
.text:1010E94B
.text:1010E94B loc_1010E94B:                          ; CODE XREF: sub_1010E8FC+49
.text:1010E94B                inc    ebx
.text:1010E94C                cmp    ebx, 19h
.text:1010E94F                jb      short loc_1010E928
.text:1010E951                xor    eax, eax
.text:1010E953
.text:1010E953 loc_1010E953:                          ; CODE XREF: sub_1010E8FC+4D
.text:1010E953                add    esp, 68h
.text:1010E956                pop    ebx
.text:1010E957                retn
.text:1010E957 sub_1010E8FC    end

You can see the comparison after the MD5Final call - patch it ;)

In ida32.wll the method is similar.

credits: infern0
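For readers who want to follow what the listing above actually computes, here is a Python reconstruction of the check's logic (added for this thread; it is not IDA's code and not part of any post). The listing hashes the input string with MD5, then walks a table of 0x19 (25) entries of 16 bytes each (`shl eax, 4` gives the stride, `cmp ebx, 19h` the count) and does a 16-byte `memcmp` against each one, returning 1 on the first match and 0 otherwise. The table contents and the strings below are constructed for the example; the real table at `unk_1014CDCC` is not reproduced here.

```python
import hashlib

ENTRY_SIZE = 16  # one MD5 digest per table slot (shl eax, 4 => 16-byte stride)

# Constructed sample data: three made-up strings whose digests fill the table.
# The binary's table holds 25 entries; any count works with the loop below.
SAMPLE_STRINGS = ["SAMPLE-KEY-0001", "SAMPLE-KEY-0002", "SAMPLE-KEY-0003"]
SAMPLE_TABLE = b"".join(hashlib.md5(s.encode()).digest() for s in SAMPLE_STRINGS)


def table_entry_count(table: bytes) -> int:
    """Number of 16-byte slots in a table blob (the 19h bound in the listing)."""
    return len(table) // ENTRY_SIZE


def is_in_hash_table(src: str, table: bytes = SAMPLE_TABLE) -> bool:
    """Mirror of sub_1010E8FC: MD5(src) compared against every 16-byte entry.

    MD5Init/MD5Update(strlen(src))/MD5Final  -> digest
    loop ebx = 0 .. count-1:
        memcmp(digest, table + (ebx << 4), 16) == 0  -> mov al, 1 (found)
    fall through                                    -> xor eax, eax (not found)
    """
    digest = hashlib.md5(src.encode()).digest()
    for i in range(table_entry_count(table)):
        entry = table[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]
        if digest == entry:
            return True
    return False


if __name__ == "__main__":
    print(table_entry_count(SAMPLE_TABLE), "entries")
    print(is_in_hash_table("SAMPLE-KEY-0002"))   # in the constructed table
    print(is_in_hash_table("SOME-OTHER-STRING"))  # not in the table
```

The point worth taking away from a design standpoint is what Shub-Nigurrath already says above: the whole decision collapses into one boolean at one call site (`mov al, 1` versus `xor eax, eax`), so a hashed blacklist of this shape is a deterrent, not a control. Storing MD5 digests rather than the strings themselves hides what is being blacklisted from a casual strings dump, but it does nothing to protect the branch that consumes the answer.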

arlequim 03-06-2009 21:45

1 Attachment(s)
Mission accomplished, new patch for IDA 32&64 bit ;)

Jupiter 03-06-2009 23:03

quick patch:

ida.wll
Offset | Old | New
000F05F9: D0 D1

ida64.wll
Offset | Old | New
0010DF31: CC CD

florin_m 03-07-2009 20:18

What about 5.3 ?

arlequim 03-07-2009 21:36

not available (=not cr4ck3d) on w4r3z yet ... btw latest is 5.4 :rolleyes:

