Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Never faced a target like this ... please help! (https://forum.exetools.com/showthread.php?t=5325)

ShadeOfRed 09-12-2004 17:50

Never faced a target like this ... please help!
 
Hello,

I must admit that this target is just beyond my skills. Below you'll find everything I was able to discover. The target at hand is RegSupreme v1.2, downloadable at hxxp://www.macecraft.com/downloads/RegSupreme_setup.exe (748 KB).

The target at first would seem an easy one, especially considering its cost ($12.95) and thus the effort that its developers might have put into protecting it, but it is not so. The target seems to employ sophisticated techniques (or at least it would seem so, since I have experienced that only moving around hardware breakpoints has been enough to make it change its behavior ... once immediately terminating, another time loading but not properly initialized, etc.). But then this behavior seems to arise after having fiddled with it for some time. I have even started to think that its developers might have implemented a set of different behaviors, and that the application, after having detected "suspicious" behavior for some time, simply starts executing randomly one of those behaviors (different code paths) to confuse any cracker out there.

Anyhow the following is what I have been able to discover:

Code:

- upx protected
- delphi coded
- checks if still packed and does not initialize itself properly if not packed
- checks for the presence of a few RCE tools (ollydbg, softice, regmon, etc.) and does not load if one is found
- all important strings are crypted (unimportant ones are provided unencrypted)
- in the unpacked application 28 different crypto algorithms seem to be identified!!!

----------------------------------------
The application searches for a few common RCE tools (softice, ollydbg, regmon, etc):

004B2A97  CALL RegSupre.004AFB88      ; controlling the presence of some RCE tools
004B2A9C  CMP AL,1
004B2A9E  JNZ SHORT RegSupre.004B2AD8  ; does not jump if one is found

Forcing the jump is not enough. The application seems to start up not properly
initialized. Probably the routine at 004AFB88 contributes to the initialization
of the app.

----------------------------------------
All important strings are encoded:

004AD6C7  CALL RegSupre.004AD404      ; at 004AD404 is the routine responsible for decoding strings

An example of an encrypted string is the following:

00CC44C4  51 49 4A 22 42 59 56 2B  QIJ"BYV+
00CC44CC  36 44 50 4B 64 60 41 56  6DPKd`AV
00CC44D4  46 2E 5E 45              F.^E

00CCC220  2A 55 4E 4C 49 43 45 4E  *UNLICEN
00CCC228  53 45 44 20 56 45 52 53  SED VERS
00CCC230  49 4F 4E 2A              ION*

----------------------------------------
The application creates the following files in the system32 folder:

AuxDrv32_g.dlx
SndDrv32_g.dlx

and the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\{9F1C11AA-197B-4942-BA54-47A8489BB47g}

when the trial expires and (probably) also when it identifies some "suspicious"
behavior at runtime.

----------------------------------------
Strings are all double or triple checked!! I've tried changing, for example, the
caption of the main window (TMainForm) to remove the "UNLICENSED" string,
and the change seems to be identified, since the application either terminates
immediately or does not initialize correctly. Before deciding to "hide" ollydbg I
have tried seeing if I could simply change the string that the application was
looking for (changing "ollydbg.exe" to anything else) .... well, there are (at
least) two instances of the word "ollydbg.exe", one unencrypted and one
encrypted (and decoded at 004AD404) ... even changing them both in the
same manner, the application seems to identify the change, since it does not
initialize the GUI properly. I suppose that either there is a third check or, more
probably, these strings are used in the code (for example calculating some
value out of them and then using that value in the code as part of the implemented
logic).

---------------------------------------
Display of the caption showing the "UNREGISTERED" word is done by calling
CallWindowProcA at 00452403.

---------------------------------------
Check of the remaining days is done by a call to GetLocalTime at 0040B064.

I'll be honest, I could just give up this target, and in fact I already have, but at this point I'd really like to understand better what it is that I was after.
I'd love it if someone could shed some light on all the surprising behaviors I've seen this application display.


Shade

MaRKuS-DJM 09-12-2004 18:51

I cracked this one some time before; the solution is a well hidden debugger, and you have to repack it after cracking. If your debugger isn't hidden, you won't succeed, because there are many checks for it. The crypted strings are the solution to crack it.

ShadeOfRed 09-13-2004 00:04

Hello MaRKuS,

thanks for the suggestion. Unfortunately doing something "well" is always relative. :D :D :D
Anyhow, I have now got to a point where I really don't know what else to do. As I said in my previous post, even changing as little as a caption is identified ... and I only tried changing it in memory, with no patching involved!!! This being the situation, I have exhausted all my options.
If anyone would be so kind as to take a look at the app and provide me a more detailed hint ....

Shade
