Thread: ActiveM***
#22
05-01-2005, 01:50
MEPHiST0
hi everyone

recently I downloaded a 'trial version' of a video game.
the video game is complete though, the only trial is the ActiveMark protection.

I wanna play this game
so I spent some time on it last night and took some notes for everyone..

1: Debug check..
The EXE adds a command line to the exe if a debugger is detected..
(how the debug detection works I'm not sure)

Load in Olly, set a memory on write on the SECOND .TEXT section (mine's 5f2000), now follow the address of the second text section in the dump window.. now Shift+F9 once, and wait for it to Break, once it breaks.. you will see this below:
MOV ECX,.005F3020 ; ASCII " --MPRMMGVA--"
this added command line is what stops the game from launching any further.

at the beginning of the second text section (005F2000)
is where the command line.. "c:/Games/thisgame" --MPRMMGVA--" is.
(if you shift+f9 a couple more times you will see this appear in the beginning of the 2nd text section)
simply from memory, in the dump window, ERASE the --MPRMMGVA-- either from the address from ECX or at the beginning of 2nd .text section.

it seems the first time I bypassed this debugger check, it allows me to run the exe without fixing the debug check every time... so once you fix it the first time, it should be fixed forever in your Olly as long as you have the .udd file

2.) FAKE OEP.. or second layer OEP..
PEiD came in very handy at this point, using the PEiD Generic OEP finder.. scan the exe and get the OEP with PEiD.. this is the second layer OEP.. (if you leave that memory on write on .text, and set a hardware break on the 2nd layer OEP... you will break there..)
the second layer is nothing special.. it has the Trial Info and stuff..

if you execute from the 2nd layer OEP.. you will get the 'you have 200 minutes remaining' Notice. (UNLESS you are executing from dumped EXE.. then a certain long jump in a CALL under the first GetModuleHandleA in the second layer EP.. if you change this long JE to JNE then the dump will launch)

if you look from the second layer EP.. down just a little, under GetModuleHandleA there is a CALL.. this call takes us through 2 processes
1 - Trial stuff
2 - JUMP to OEP

notes: at OEP, there seem to be some Redirected API CALLS
the redirected API CALLS are not too difficult to find.

I might work on an OLLY SCRIPT to fix the redirected API CALLS,
otherwise here's how I started to fix them:

at the real OEP.. I search 401000 for: "90 E8" without quotes, setting a breakpoint on every one I find..
it seems ALL the Redirected API have NOP instruction before the redirected CALL.. so they are easy to find

this is all the info i have right now..

I'll write a tutorial for this protector if I succeed with unpacking it..
all i have left to do is find the rest of redirected API

good luck, see you all soon.

Last edited by MEPHiST0; 05-01-2005 at 01:53.