Pace Interlok (iLok)


nasty
March 30th, 2009, 11:05
Can anyone help me find some useful info/SDK/tutorial about this protection?
I tried to search but haven't found anything useful about this prot...
Thx!

OHPen
April 12th, 2009, 07:24
@nasty: PM me your target; when I have time I will take a look.

regards,
OHPen

OHPen
April 15th, 2009, 10:57
@nasty: I took a look at your application. It seems to be not a very strong version of Pace's iLok wrapper. It was not difficult to dump it with common tools like PETools...

To find the entry point you either had to have experience or a good tool.

EntryPoint looks like this:

Code:

.text:00976EB6 ; =============== S U B R O U T I N E =======================================
.text:00976EB6
.text:00976EB6 ; Attributes: library function static
.text:00976EB6
.text:00976EB6 public $LN33
.text:00976EB6 $LN33 proc near
.text:00976EB6 call ___security_init_cookie
.text:00976EBB jmp ___tmainCRTStartup
.text:00976EBB $LN33 endp


But there is more to fix. Nice target for starting with Pace iLok because it is not one of the advanced versions AND it is not a DLL, where you have more to fix.

Looking forward to seeing something from YOUR research.

Regards,
OHPen

OHPen
April 15th, 2009, 12:00
The application is somehow deadlocking itself after unpacking it.

In the following snippet you can see the function ___addlocaleref:

Code:

.text:009813F4 ; =============== S U B R O U T I N E =======================================
.text:009813F4
.text:009813F4 ; Attributes: library function bp-based frame
.text:009813F4
.text:009813F4 __initptd proc near ; CODE XREF: __beginthreadex+53p
.text:009813F4 ; __getptd_noexit+4Fp
.text:009813F4 ; __mtinit+16Bp
.text:009813F4
.text:009813F4 var_1C = dword ptr -1Ch
.text:009813F4 ms_exc = CPPEH_RECORD ptr -18h
.text:009813F4 arg_0 = dword ptr 8
.text:009813F4 arg_4 = dword ptr 0Ch
.text:009813F4
.text:009813F4 push 0Ch
.text:009813F6 push offset unk_AA84E0
.text:009813FB call __SEH_prolog4
.text:00981400 mov esi, offset aKernel32_dll_0 ; "KERNEL32.DLL"
.text:00981405 push esi
.text:00981406 call ds:dword_9D3150
.text:0098140C test eax, eax
.text:0098140E jnz short loc_981417
.text:00981410 push esi
.text:00981411 call __crt_waiting_on_module_handle
.text:00981416 pop ecx
.text:00981417
.text:00981417 loc_981417: ; CODE XREF: __initptd+1Aj
.text:00981417 mov [ebp+var_1C], eax
.text:0098141A mov esi, [ebp+arg_0]
.text:0098141D mov dword ptr [esi+5Ch], offset unk_A70770
.text:00981424 xor edi, edi
.text:00981426 inc edi
.text:00981427 mov [esi+14h], edi
.text:0098142A test eax, eax
.text:0098142C jz short loc_981452
.text:0098142E push offset aEncodepointer ; "EncodePointer"
.text:00981433 push eax
.text:00981434 mov ebx, ds:dword_9D33F4
.text:0098143A call ebx ; dword_9D33F4
.text:0098143C mov [esi+1F8h], eax
.text:00981442 push offset aDecodepointer ; "DecodePointer"
.text:00981447 push [ebp+var_1C]
.text:0098144A call ebx ; dword_9D33F4
.text:0098144C mov [esi+1FCh], eax
.text:00981452
.text:00981452 loc_981452: ; CODE XREF: __initptd+38j
.text:00981452 mov [esi+70h], edi
.text:00981455 mov byte ptr [esi+0C8h], 43h
.text:0098145C mov byte ptr [esi+14Bh], 43h
.text:00981463 mov dword ptr [esi+68h], offset unk_BC38C0
.text:0098146A push 0Dh
.text:0098146C call __lock
.text:00981471 pop ecx
.text:00981472 and [ebp+ms_exc.disabled], 0
.text:00981476 push dword ptr [esi+68h]
.text:00981479 call ds:dword_9D30F8
.text:0098147F mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00981486 call $LN10_10
.text:0098148B
.text:0098148B $LN11_14:
.text:0098148B push 0Ch
.text:0098148D call __lock
.text:00981492 pop ecx
.text:00981493 mov [ebp+ms_exc.disabled], edi
.text:00981496 mov eax, [ebp+arg_4]
.text:00981499 mov [esi+6Ch], eax
.text:0098149C test eax, eax
.text:0098149E jnz short loc_9814A8
.text:009814A0 mov eax, dword_BC3EC8
.text:009814A5 mov [esi+6Ch], eax
.text:009814A8
.text:009814A8 loc_9814A8: ; CODE XREF: __initptd+AAj
.text:009814A8 push dword ptr [esi+6Ch]
.text:009814AB call ___addlocaleref
.text:009814B0 pop ecx
.text:009814B1 mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:009814B8 call $LN14_8
.text:009814BD
.text:009814BD $LN15_6:
.text:009814BD call __SEH_epilog4
.text:009814C2 retn
.text:009814C2 __initptd endp


Inside this function I'm running into a lock which was already acquired. This seems to be part of the common startup code. Does anybody have an idea what the problem could be?

Regards,
OHPen

neviens
May 19th, 2009, 09:38
Usually synchronization problems arise when the target is not dumped @OEP but later, when mutexes, critical sections, etc. have already been initialized. Did you dump at OEP?

Did you have the following redirection code at the end of the code section in your target:
Quote:
int 3
sti
jmp sub_401F80

?

I'm remotely dumping one program protected with an iLok dongle and am stuck on these 20 or so redirectors.
The int 3 vector in the IDT is not hooked, therefore most probably the redirection is done via the SEH chain or SetUnhandledExceptionFilter().
Do you have more information on this trick?