#1
Removing DiscGuard protection
I am trying to fix an app (which is protected by DiscGuard) so that it can run without the original CD in the CD drive. I am really sick of changing the CD every time I want to work with some other CD; also, I have already had the CD slip out of my hand and fall once, and it is only a matter of time before it gets damaged.
A Google search brought up only one Spanish-language tutorial about cracking a rally game, and the translation was not good. Can someone give me a few hints as to how to go about cracking this protection? It is an app made using VB6 and has a bunch of DLLs made using VC++ 5. PEiD fails to ID the packer, but the exe is definitely packed. I don't have Sice, so I tried loading it in Olly, but it causes an exception during loading. So where to now?
#2
OK people, since no one has responded yet, I will tell you what I have so far. Let me also state that I am a newbie in unpacking manually; hey, I am a developer, not a reverser.

How do I detect whether this app uses DiscGuard:

The following files exist in the installation directory:
IOSLINK.VXD
IOSLINK.SYS

The main exe (xxx.exe) is encrypted and the decryption key is somehow inscribed in the CD; this is how DiscGuard works.

The xxx.exe imports two DLLs, T6111.dll and MSVBVM60.DLL.
The xxx.exe imports ordinal functions:
T6111.dll:1
MSVBVM60.DLL:0277h (rtcMidCharBstr)

The T6111.dll exports two functions. PEiD IDs it as "Microsoft Visual C++ DLL Method 1", Linker Info: 5.0. In other words, an MSVC 5.0 DLL.

The KANAL v2.8 Krypto analyzer plugin reports the following:
BLOWFISH[sbox]::0002BC48::1202E048 -BLOWFISH: Sbox 2
PI fraction(NIMBUS/BLOWFISH)::0002BC00::1202E000 Fractional part of PI number - 640 bits. Used e.g. in BLOWFISH (pbox & sbox) or NIMBUS (fixed key).

When I try to load the xxx.exe into Olly, it lands somewhere inside T6111.dll and reports: Access violation while writing to [004001E4]. That probably is where the decrypted code was being written into the in-memory image of xxx.exe ??

I don't know what to try next. The very mention of BLOWFISH encryption means that I am out of my league. So, it looks like I need to read some intro tutorials about manually unpacking such exes. Any pointers, anyone? And please don't point me to an attachment, I can't download yet.
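An added example (not part of the original posts and not KANAL's own code) of how a crypto-constant scanner arrives at hits like the two quoted in post #2: Blowfish initialises its P-array and S-boxes from the hexadecimal digits of pi, so the tables are recognisable as fixed byte patterns. The 0x48 gap between the two reported offsets (0002BC00 and 0002BC48) equals 18 32-bit words, the length of the P-array, which is consistent with S-box 0 directly following it. The function names and the sample buffer are constructed for illustration.

```python
import struct

# Leading words of the hexadecimal expansion of pi's fractional part, which
# Blowfish uses as its initial P-array (18 words) followed by S-box 0.
P_ARRAY = (
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
)
SBOX0_HEAD = (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7)


def _pack(words, endian):
    """Serialise 32-bit words in the given byte order ('<' or '>')."""
    return struct.pack(f"{endian}{len(words)}I", *words)


def find_blowfish_tables(data):
    """Return one dict per P-array hit, with the offset of the P-array and,
    if S-box 0 directly follows it, the S-box offset. Both byte orders are
    checked because compilers store the tables in native order."""
    hits = []
    for name, endian in (("little", "<"), ("big", ">")):
        p_sig = _pack(P_ARRAY, endian)
        s_sig = _pack(SBOX0_HEAD, endian)
        pos = data.find(p_sig)
        while pos != -1:
            s_off = pos + len(p_sig)
            adjacent = data[s_off:s_off + len(s_sig)] == s_sig
            hits.append({"endian": name, "pbox": pos,
                         "sbox": s_off if adjacent else None})
            pos = data.find(p_sig, pos + 1)
    return hits


def build_sample():
    """Constructed test buffer, not taken from any real binary."""
    pad = b"\x90" * 0x100
    tables = _pack(P_ARRAY + SBOX0_HEAD, "<")
    return pad + tables + b"\x00" * 32


if __name__ == "__main__":
    for hit in find_blowfish_tables(build_sample()):
        sbox = "none" if hit["sbox"] is None else f"{hit['sbox']:#x}"
        print(f"{hit['endian']}-endian P-array at {hit['pbox']:#x}, S-box at {sbox}")
```

A hit only shows that the Blowfish tables are present in the file; it says nothing about the key or about how the code uses them.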