MavisBeacon
April 14th, 2012, 18:42
I have in my possession a database containing about 900MB worth of useful information[1] - it uses a relatively obscure database system (nothing proprietary - just one of those third-party DBMSs that were popular in the mid-1990s) however the program is taking rather extensive steps to protect itself.
[1]This isn't illegally acquired information - actually this is an old company database from a third-party program that my boss would like me to recover data from, if I can.
To begin with, the actual data is distributed on its own CD (separate from the installer) protected with SecuROM and needs Alcohol120's RMPS Emulation. Then, within the program directory there's the tell-tale sign of CrypKey - finally, the database files themselves seem to be encrypted - though I can't tell if this is encryption built into the DBMS (what little documentation I've found about it denies that encryption is supported, which suggests that records are encrypted or compressed before being sent to the DBMS).
SecuROM and CrypKey seem to work together to defeat my attempts to debug the running process - I've tried a static analysis with IDA Pro and OllyDBG but after poking around I quickly get lost, and the program quits (thanks to SecuROM) if it's launched from within a debugger anyway, and CrypKey (or another tool) actively prevents me from trying to attach to the process after it's launched.
I decided to start from the other end and try to access the database files directly using the DBMS engine DLL file included in the project (and a few header files and documentation pieces I found on the web) - I'm making some progress, but I won't know if it's worked for a while.
Is there a failsafe way to remove SecuROM and CrypKey from a program and still have it function okay? I know this program uses CrypKey to control access to certain features of the program, which means removing it might be harder than SecuROM (which only seems to be involved during the program's bootstrap phase).
Presumably after the DRM has been stripped out I'd be able to debug the EXE properly and inspect calls to the DBMS DLL directly and see where/why/how data is being obfuscated before being written.
Is my plan okay so far? Can anyone recommend resources for removing SecuROM et al?
Thanks.