View Full Version : eEye Iris 3.00


hOrn_dOg
May 24th, 2001, 07:05
LOL :-)

Laurentiu disprotected his latest iris.exe ver 3 with 'CryptX'

LOL ........te!te!te!

have phun

www.eeye.com

disavowed
May 24th, 2001, 21:52
eeye is starting to go downhill.. an exploit for retina was released a little while ago, and secureiis was found to be exploitable a few days ago

disavowed
May 24th, 2001, 21:54
figures... look what they spend all their time doing when making updates (from http://www.eeye.com/html/Support/Iris/New.html):

"Added more hints to the 'Did You Know'."


emulder
May 27th, 2001, 06:21
Quote:
hOrn_dOg (05-24-2001 08:05):
LOL :-)

Laurentiu disprotected his latest iris.exe ver 3 with 'CryptX'

LOL ........te!te!te!

have phun

www.eeye.com


What is 'CryptX' ?

+SplAj
May 27th, 2001, 07:01
LOL .........tE!8.......

+SplAj
May 27th, 2001, 07:11
Iris 3.00 (tE!lock8 + Sheriff Licence System)
=============================================
Ok, back to reality. I tried again to play the 4 versions of violin I bought...
as well as the piano(Win32) but my violin system still can't see my VGA card or
my USB ports.....I don't have a T1 to D/L the latest CD.img .... :-(

So I reverted back to the piano (Win32) and hacked around Iris3 from eEye.com.
Ahh that's a better tune....

Ok my old friend Laurentiu made a *new* version. But wait WTF is new? Well
packing it with tE!lock instead of PeShiELD is a new erm , challenge ! , -ok
don't snigger at the back. Some ppl can't get past this new protection. As the
target is 'protected' with tE!lock you should D/L it from www.exetools.com and dump/rebuild it then
IDA it to study what tE! has done. See that latest 'dummy' section renaming tool
? Fake a known packer like UPX or CryptX

I found some interesting stuff. But what I was after was the 'end-point'. Where
tE! code gives control back to Iris.exe
Have a look at your 'rebuilt' tE! disassembly. I found some interesting code at
:-

.SEC:004098F6 mov ecx, 109h
.SEC:004098FB lea edi, unk_409909[ebp]
.SEC:00409901 mov esi, edi
.SEC:00409903
.SEC:00409903 loc_409903: ; CODE XREF: .SEC:00409907j
.SEC:00409903 lodsb
.SEC:00409904 xor al, [esi]
.SEC:00409906 stosb
.SEC:00409907 loop loc_409903

(It will only be interesting to *YOU* once you've reversed tE!lock and study it
a while )

This 'loop' injects the last interesting bit of code before revealing the OEiP
and passing the hand back to the original exe. This code is fixed in every tE!
lock protected app. So we could call it the 'signature' bytes. So we need to
search for the following series :- "B9,09,01,00,00,8D,BD,09,99,40,00,8B,F7" at
an appropriate moment. In Win98/ME run icedump with /protect on and set eax to
the same number less 80000000 (eg eax= 8010604E then set eax = 10604E) to
bypass the IDT check. Now search with SI for the bytes. Found here at VA 55FEEE
so set a BPX 55FEEE and press F5. SI pops so press F10 until the 'loop' is
finished. Now press F8 until you see the usual POPAD (here at VA 56005) and you
are there at OEiP 46286C. Now, for those of you new to tE!lock, you will not
know that he plays with the PE header. Namely that he makes the section counter
to FFFF instead of 0500 (or no. of sections there really are - reverse byte
order) so you need to put this back at 400000+PE+7th&8th bytes. Now you can
EBFE or use ICEdumps PEdump ? err no cos the IT is f*cked as well. Check out
the mapping/destroying of the IT at offset VA 483318+. Either let it map the
IAT/IT then dump the exe to copy+paste this IAT/IT in a destroyed OEiP DMP or
use RV to rebuild the IAT/IT for you.

Fix up the DUMPED.EXE and it should run ? NO ? WTF!. Well check out another nice
feature of tE!lock The MUTEX. Don't run away screaming in phear. Laurentiu just
checks for the existence of a child-process in memory. What is he looking for ?
well would you guess he chose the name "IrisMutex". OMG what a big clue. So 2 or
3 things to do. 1) make notepad.exe protected in tE!lock with the same name
mutex and run it. Launch Iris 3 and it should run. :-) and it does, Q.E.D. Repack
Iris Dump with tE!lock...erm we aint finished playing yet ! or reverse a JMP

So lets be coding gods and REVERSE A JMP ! Set a BPX CreateMutexA and fire up
your dumped.exe and SI will pop at 4473C1. See GetLastError call. He checks for
the 'IrisMutex' if found eax will return with an expected result 'B7'. See that
JNZ 4474D0 well make it a JE 4474D0. That fixed it ! Cool I just joined the
l33t
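
As an added example (not code from the thread), here is a Python triage check for the two tE!lock artefacts +SplAj describes: the NumberOfSections field forced to FFFF and the 13 'signature' bytes. Function names and the constructed sample buffer are assumptions of this example, not anything taken from Iris or tE!lock.

```python
import struct

# The 13 bytes +SplAj quotes as the fixed tE!lock 'signature' (mov ecx,109h /
# lea edi,[ebp+409909h] / mov esi,edi): the head of the XOR loop that runs
# just before the packer stub hands control back to the original entry point.
TELOCK_SIG = bytes.fromhex("B9090100008DBD099940008BF7")
SECTION_HEADER_SIZE = 40


def inspect_pe(data: bytes) -> dict:
    """Check the COFF section count for tampering and look for the packer stub."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # NumberOfSections sits at PE+6 (the '7th & 8th bytes' after 'PE' in the
    # post), the field tE!lock rewrites in memory to FFFF.
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table_end = pe_off + 24 + opt_hdr_size + num_sections * SECTION_HEADER_SIZE
    return {
        "number_of_sections": num_sections,
        # A count whose section table would run past the end of the image
        # (FFFF needs 2.6 MB of headers) is tampered; a dump still carrying it
        # will not load until the real count is written back.
        "section_table_fits": table_end <= len(data),
        "telock_signature_at": data.find(TELOCK_SIG),           # -1 if absent
    }


def fix_section_count(data: bytes, count: int) -> bytes:
    """Return a copy with NumberOfSections rewritten (the post's 'put back 0500')."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    buf = bytearray(data)
    struct.pack_into("<H", buf, pe_off + 6, count)
    return bytes(buf)


def build_sample(num_sections: int, body: bytes) -> bytes:
    """Constructed minimal PE-shaped buffer for the demo; not a runnable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    # i386 COFF header, 0xE0-byte optional header, then 5 blank section headers
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x10F)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + b"\0" * (5 * SECTION_HEADER_SIZE) + body


if __name__ == "__main__":
    print(inspect_pe(build_sample(0xFFFF, b"\x90" * 16 + TELOCK_SIG)))
```

Run it on a memory dump and an image whose section table does not fit is the FFFF trick, not a broken dumper.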

+SplAj
May 27th, 2001, 07:13
Right. We have iris.exe revirginated. Look around. 15 day trial. How? it used to
have PCGuard and a proprietary serialisation system. What no 'SplAj' in the dump
anymore so a serial with the name 'SplAj' is allowed again ?. But wait how the
f*ck do I enter a serial now anyway ?

Look through the exe for 'Licence'...... found something :- WTF is ACUDATA and
SHERIFF.... What is that folder doing in the Windows directory 5358-8621-2429
-7641-5701 with those 3 *.sls files ?

So I browsed the WWW for Acudata and saw it was a reseller of Sheriff
-software.com Licencing system :- http://www.sheriff-software.com Read the
blurb. Sounds familiar ? THE DOGS BOLLOCKS program just for you. Only $550
dollars for complete peace of mind !!! LOL. See there is a keygen in the SDK !

Don't register to get the files just browse the following folder :-

http://www.sheriff-software.com/zipfiles

- another security flaw !!!

How to get the codes ? Well in the
Registry already half the info is there for you:-

Product Name Iris Evaluation
Product ID 5358-8621-2429-7641-5701
Product Secrets ?1
?2
?3
?4

Ok. read the info. The 'secret' keys are plain or encrypted. Guess where they
are stored ? YES in the dumped exe ! How f*ckin lame man. What sort of Licence
system is this ! It's too embarrassing. Candy from a baby. Look in the dumped
exe for the string 5358-8621-2429-7641-5701. See after this the byte sequences
1) 41,61,6D,36,14,14 bla bla ( 4 secrets with 0Eh x 00 in between) 2) 42,62, bla
bla 3) 43,63, bla bla 4) 44 64 bla bla. These are the 'encrypted' secrets ! So
study the IDA disassembly of the slsGen.exe and you will see the bit you are
interested in. Alternatively set a BPM rw on the memory location of these 4
encrypted keys and you will soon find the 4 plain versions for your keygen !
Child's play. Much easier than reversing a JMP

Now you can fill in the 4 secrets 1) 0763 - ******** 2) 2482- ******* 3) 3739
- ******** 4) 3739- *********** (do some of your own work bud) and you have a
master keygen available WOW! Expire iris by deleting the 3 sls files in the
folder and re-run Iris, Laurentiu thanks you for 'evaluating' (LOL what did I
evaluate?) and supplies you with your own 'users reference code' to make a full
Licence key. Do it now.

Game over Sheriff.....all sing 'I shot the sheriff, but I swear I did not shoot
the deputy....' ahh you're all too young to remember that one

So you can even forget your dumped.exe :-( Once the licence is made, Iris is
yours for as long as you want to evaluate it. BTW it IS an evaluation
version....... no graphs are available etc :-(

disavowed did his homework and found, as I did, there is nothing +new here. Just
a new help file !

'patch+play'
+SplAj }>


BTW after several pints of Guinness....you don't need a *nix challenge you can do
a lot of natural 'straining' the next day......

disavowed
May 29th, 2001, 21:51
hey +splaj, nice job finding that /zipfiles dir on the site. i think i might finally upgrade from capturenet pro to iris now (capturenet was "bought" by eeye and used as the basis for iris, afaik). keep up the good work, dude. you're one of the few skilled reversers left on this board

and for those of you who wondered what that comment about the *nix challenge was about... don't mind +splaj, he's just pissed because he can't disassemble the challenge :P

disavowed
May 30th, 2001, 00:00
yay, all registered. that was fun
splaj.. turns out you don't even need to decrypt the encrypted secrets.. the cleartext secrets appear in the dump. i was able to register the program from scratch with just BinaryTextScanner (and SlsGen.exe).. no softice, no ida, no hex editor.. how simple

e1m0
May 30th, 2001, 13:38
hmm, im having trouble. i do not understand how to dump this?! my exe won't even run after i dump it. please give me instructions on how to dump it, or even upload the .BIN and dumped .EXE
?!

thanx
e1m0

tsehp
May 30th, 2001, 14:41
first tell us how you did the dump

e1m0
May 30th, 2001, 14:56
well, i don't know. i just did it several ways, trying to follow what +SplAj said... none of them have worked yet

disavowed
May 30th, 2001, 16:56
well, i tried using procdump initially, however trying to dump iris caused procdump to crash. and since i didn't have softice running in the background, i didn't feel like rebooting just to have access to icedump. so, seeing as how i had no other process dumping tools on my computer, i decided to just whip something up in visual basic to dump the entire process from memory after it was loaded (via ReadProcessMemory API). worked beautifully

e1m0
May 30th, 2001, 22:57
wahaha! nice ! care to share the code/program with me....? i can't even get the thing to dump right. i used icedump.. didn't work.. i used procdump and got the same thing as you, crashed. don't have softice cause it does not work properly on windows 2000.

e1m0

edward (copied)
May 31st, 2001, 01:51
Splaj, thanks for your essay on Iris and telock.
But please allow me one small note on the sheriff LS:
I think you can't create a valid registration-key for
Iris using the slsgen-program. It just creates a trial
registration key, 'cause it's only a demonstration program
itself. Just try it, register Iris, and turn your system clock
some months ahead...the evaluation is expired.
But maybe some modification on the slsgen.exe would help
We'll see.....
regards

blowfish
May 31st, 2001, 04:30
SlsGen.exe can generate an unlimited license key. I have tried the same with SecureIIS (it's not packed) and successfully registered it, even if I changed the sys date to year 2002.

BTW:
In order to make a valid license key, there is no need to dump the packed exe. Just set a BPX on one of the following 2 SLS APIs, then set a BPM on the encrypted secret array, we can find the plaintext of the 4 secret keys.

//slsapi.h
HRESULT WINAPI SLS_CreateChallenge(SLS_SECRET *pSecretArray, int nSecrectSize, const BYTE *pbStream, int nStreamSize, SLS_CHALLENGE *pChallenge);

HRESULT WINAPI SLS_VerifyChallenge(SLS_SECRET *pSecretArray, int nSecrectSize, const BYTE *pbStream, int nStreamSize, SLS_CHALLENGE *pChallenge);

+SplAj
May 31st, 2001, 04:52
The problem with the 'Demonstration has expired' is with PCG still in
the reg+windows with the tE! packed iris.exe. If you unpack it you have no probs.

Check out the registry key :-

HKCR..{F4A40EAF-137C1FDB-7377EC72}

And 'PCGwin32.li3' in your windows folder.

Running Regmon/Filemon is a big help

Delete both and the demo is reset for another 15 days. So better UNPACK the bastard. AGAIN FYI take care of the FFFF sections in the PEheader....

I repeat. D 400000, scroll down to see 'PE' then count to the 7th & 8th bytes. See the FFFF. Change it to 0500. THEN you can dump if you sorted out the IAT/IT already.

Try dumping with PEeditor1.7. My favorite (until I get LordPE - y0da have you got my envelope yet!)

Tell us more your experience.

+SplAj

e1m0
May 31st, 2001, 14:23
ok... i must be dumping at the wrong places... i dumped with peditor.. and changed the FFFF part..it said it wasn't a valid win32 app.... ARGH

where do i dump at guys? from xxxx to xxxx WHERE?

thank you for being so patient with me guys, heh

Kilby
June 5th, 2001, 03:07
Gentlemen,

It's back to work on Iris as 3.1 is now out

LaptoniC
June 7th, 2001, 19:05
I have tried to unpack v3.1. I have managed to find oep and fixed Pe header. When I run it program just hangs and only way to close it is via ctrl+alt+del. I can't fix iat. I have tried revirgin v110b9b but some entries couldn't be resolved. Some of them redirected and some of them just 0. I have tried to resolve again button several times. Also I have clicked once more Iat resolver button. Suddenly some of the entries just disappeared and some of the redirected entries resolved.

I have used 6c000 as IAT Start RVA and 1500 as IAT length.
Thanks

tsehp
June 8th, 2001, 16:35
ok, I promise this is my next one, but thanks to save me some time and email me + post there the oep, I'll do the rest.

later,

+tsehp

madmax
June 10th, 2001, 14:41
I tried this first with RV, but was also experiencing crashing upon execution...I then tried using ImportRec, and was successful..But you must cut the thunks at certain positions (read the TIPS.txt included)...I'm sure RV will work as well...As for the MuteEx check, I'm not sure if this is universal with all winXX, but in winME, a mutex MPRMutex seems to be created before execution of iris.exe (or any for that matter??)...So hex edit "IrisMuteX" to "MPRMutex" and the packer check is defeated. Haven't looked at protection yet though =) Have fun

madmax