
How to remove the very good trick of ReGet Deluxe?


Solomon
March 17th, 2002, 07:37
v2.2 beta build 113
hxxp://download.reget.com/dl/dx/regetdx_113.exe

I unpacked it with RV and patched it to a regged version. It never displays the nag at start-up again and now shows "Registered to: xxx" in the about box. But actually this is fake. It will randomly replace your downloaded zip files with some garbage readme.txt which contains only one sentence, "This file is donwloaded with cracked ReGet". Hi Alex, is this part of your nice "encryption mechanism"?

With a HexEditor I can see that it overwrites the ZIP header at the beginning of the downloaded file, or at the end of it, with its own data block (this block is decrypted each time you start a new d/l task). It may also destroy other bytes of the file (not sure).

Setting a BPX SetFilePointer if *(esp+8)==0 do "db *(ebp+c)",
I found when it overwrites the file header and patched it. But I cannot figure out when it overwrites the file tail, nor where the garbage data block comes from, yet. So I need some help to find the tricky cracked-or-not check. Thx

BTW:
1. Some secret strings in ReGet are encoded (base64 or other). It's easy to locate the base64-decoding routine and find those strings.
2. It's easy to reset 30-day trial period:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExtW
Software\Microsoft\Internet Explorer\TempCLSID
%systemRoot%\win.ini:s1 (NTFS stream?)
3. ReGet uses Thread Local Storage (TlsSetValue/TlsGetValue) to set/get some suspicious flags.

phop007
March 17th, 2002, 08:54
Hi Solomon.

After I set bpx GetVersion to find 61,FF,E0 and then bpx IRETD, ran AAtools and kept pressing F5 almost 43 times and then F8, I found this:

015605CE POP DWORD PTR FS:[00000000]      ; restore the previous SEH handler
015605D5 POP EAX
015605D6 CMP DWORD PTR[015649DC],00
015605DD JZ 015605F3
015605DF PUSH 0C
015605E1 MOV ECX,015649DC
015605E6 LEA EAX,[EBP-080]
015605E9 MOV EDX,00000004
015605EE CALL 0155C8FC
015605F3 PUSH DWORD PTR[EBP-04]
015605F6 PUSH DWORD PTR[EBP-08]
015605F9 MOV EAX,[EBP-0C]
015605FC CMP DWORD PTR[EAX],00
015605FF JZ 01560603
01560601 PUSH DWORD PTR[EAX]
01560603 PUSH DWORD PTR[EBP-10]
01560606 PUSH DWORD PTR[EBP-14]         ; last value pushed ...
01560609 RET                            ; ... is where this RET lands

So I set a BPM on the OEP (BPM 6953A8 X), I guess, set EBFE and dumped the program, ran RV & AAtools and set RVA 002A0258 & Length 00000B04, added It.bin to Dumped.exe with LordPE, set the Import table to 3AC000, RebuildPE (only Validate PE and Status Windows on), changed EBFE back to 558B with a Hexeditor and ran dumped.exe....... It doesn't do anything. What's wrong??? Any suggestion is appreciated. Thanks


Here is my it.txt from RV

phop007
March 17th, 2002, 09:00
I also set the OEP to 2953A8, but I don't know whether Alex does something with this ASProtect or I do something wrong?

Stone()
March 17th, 2002, 11:09
RegetDeluxe starting from Build 106:

You're missing a size check.

Try to repack the file exactly to its original size, then see if it still scrambles your zip files.

Mine does not.

foxthree
March 17th, 2002, 11:28
Hi Phoop:

You're missing a indirected call to ASProtect. Now that've you've unpacked the proggie without ASPR, the indirected call just would crash or worse yet run in an infinite loop without showing any screen. Just BPX at the OEiP in the repacked exe and F8 down a couple of lines... you must see it !

Signed,
-- FoxThree

Solomon
March 17th, 2002, 11:59
Thx Stone() for your hint! Here is the size check. I replaced the GetFileSize call with "Mov eax, Original_Size", or change 195A00 (the original size) at DS:[5055E8] to the unpacked size.

Code:

001B:00479711 PUSH EBP
001B:00479712 MOV EBP,ESP
001B:00479714 SUB ESP,14
001B:00479717 PUSH EDI
001B:00479718 XOR EDI,EDI
001B:0047971A CMP [00514840],EDI                 ; run-once guard, set at 004797D5
001B:00479720 JNZ 004797E4
001B:00479726 MOV EAX,[004F7F88]
001B:0047972B PUSH EBX
001B:0047972C PUSH ESI
001B:0047972D MOV ESI,00000800
001B:00479732 PUSH ESI
001B:00479733 LEA ECX,[EBP-04]
001B:00479736 MOV [EBP-04],EAX
001B:00479739 CALL 00402403
001B:0047973E PUSH ESI
001B:0047973F PUSH EAX
001B:00479740 MOV EAX,[005166E4]
001B:00479745 PUSH DWORD PTR [EAX+04]
001B:00479748 CALL [KERNEL32!GetModuleFileNameA]  ; path of the running EXE
001B:0047974E PUSH FF
001B:00479750 LEA ECX,[EBP-04]
001B:00479753 CALL 0040246A
001B:00479758 PUSH EDI
001B:00479759 PUSH 20
001B:0047975B PUSH 03
001B:0047975D PUSH EDI
001B:0047975E PUSH 01
001B:00479760 PUSH EDI
001B:00479761 PUSH DWORD PTR [EBP-04]
001B:00479764 CALL [KERNEL32!CreateFileA]         ; open its own EXE, read-only
001B:0047976A MOV EBX,EAX
001B:0047976C CMP EBX,-01                         ; INVALID_HANDLE_VALUE -> skip
001B:0047976F JZ 004797AA
001B:00479771 PUSH EDI
001B:00479772 PUSH EBX
001B:00479773 CALL [KERNEL32!GetFileSize]        ; EAX = size of the EXE on disk
001B:00479779 MOV ESI,EAX
001B:0047977B CMP ESI,EDI                        ; size 0 -> no check
001B:0047977D JZ 004797A3
001B:0047977F PUSH 14
001B:00479781 CDQ
001B:00479782 POP ECX
001B:00479783 IDIV ECX                           ; EAX = measured size / 0x14 (5% slack)
001B:00479785 MOV ECX,[005055E8]                 ; ECX = 195A00, the expected size
001B:0047978B MOV EDX,ECX
001B:0047978D SUB EDX,EAX
001B:0047978F CMP ESI,EDX                        ; size < expected - slack ?
001B:00479791 JL 00479799
001B:00479793 ADD EAX,ECX
001B:00479795 CMP ESI,EAX                        ; size <= expected + slack ?
001B:00479797 JLE 004797A3                       ; yes: size is fine
001B:00479799 MOV DWORD PTR [0051483C],00000001  ; tampered flag
001B:004797A3 PUSH EBX
001B:004797A4 CALL [KERNEL32!CloseHandle]
001B:004797AA LEA EAX,[EBP-14]
001B:004797AD PUSH EAX
001B:004797AE CALL [KERNEL32!GetSystemTime]      ; SYSTEMTIME at [EBP-14]
001B:004797B4 CMP [0051483C],EDI
001B:004797BA POP ESI
001B:004797BB POP EBX
001B:004797BC JZ 004797D2                        ; flag clear -> nothing to do
001B:004797BE CMP WORD PTR [EBP-10],06           ; wDayOfWeek (offset 4) == 6, Saturday?
001B:004797C3 JZ 004797D2                        ; keep the flag
001B:004797C5 CMP WORD PTR [EBP-10],04           ; wDayOfWeek == 4, Thursday?
001B:004797CA JZ 004797D2                        ; keep the flag
001B:004797CC MOV [0051483C],EDI                 ; any other day: clear the flag
001B:004797D2 LEA ECX,[EBP-04]
001B:004797D5 MOV DWORD PTR [00514840],00000001  ; mark the check as done
001B:004797DF CALL 00401F30
001B:004797E4 POP EDI
001B:004797E5 LEAVE
001B:004797E6 RET

001B:004797E7 XOR EAX,EAX                        ; EAX = 0: leave this download alone
001B:004797E9 CMP [0051483C],EAX
001B:004797EF JZ 004797FE                        ; flag clear -> return 0
001B:004797F1 CALL [KERNEL32!GetTickCount]
001B:004797F7 AND AL,03
001B:004797F9 NEG AL                             ; CF = (tick & 3) != 0
001B:004797FB SBB EAX,EAX                        ; EAX = CF ? -1 : 0
001B:004797FD INC EAX                            ; EAX = 1 only when (tick & 3) == 0
001B:004797FE RET

Stone()
March 17th, 2002, 13:13
Yes good Job.

You said you unpacked it with RV alone?

I can't get the tracer to work without having reboots.

Can you pls. tell me a bit more about that.

I just finished unpacking Build 112; if I can save some time with 113 I would be happy.

Thanks.

Solomon
March 17th, 2002, 13:39
Yeah, RV works well with it. I'm using Win2K. The latest RV seldom causes a BSOD.

Here is some data:
OEP = 4CA5FE

CS:47A383 reads the registration info from the registry. We can patch this routine to let it return 1, then get a regged version.

The attachment is resolved API names.

Stone()
March 17th, 2002, 18:03
Thanks for the resolved API names.

I have another question about the Dump. Is there any other way to get a dump you can fix than with RV without using SI?

I'm working with XP & W2K and ME, but SI gives me a lot of exceptions, so my hardest time is spent getting it working instead of debugging.

Thanks.

Solomon
March 18th, 2002, 02:16
Due to the trick used by ASPR to fool API tracer, I always have to manually examine some suspicious API entries with SI(+SplAj played a joke with my button-pressing reversing some time ago). For ReGet, there are 9 unresolved entries(IAT RVA: ED194, ED288, ED2E0, ED2E4, ED2E8, ED30C, ED384, ED3DC, ED61C). SI from DriverStudio 2.6 works well with my Win2K, the only exception is that it will randomly cause BSOD when I press F12. And do you put "faults off" in its init command line?

Though RV/ImpREC can save us a lot of time, we have to do some manual tracing, which is the ultimate way and is the fun of reversing.

phop007
March 18th, 2002, 03:45
Thanks!! foxthree
I will try to trace it...

Solomon
March 18th, 2002, 08:35
hi phop007,

please check your resolved API names. Here is what I got:
2A02C0 GetCommandLineA
2A0430 LockResource
2A048C GetVersion
2A0514 GetCurrentProcessId

Please examine the code there with SI manually! This is the button-click reversing, as +SplAj calls it. You press the button, then let the tool do everything for you, without knowing what actually happens......

There is a redirected call at CS:6953C4.
call [69C4F0] ======> call 694928
And it still crashes after fixing this redirected call. Maybe there is d-dip?

Stone()
March 18th, 2002, 09:51
I tried with Faults On and Off, but I even get BSOD under W2K right after starting, so I don't know what works better.

I presume you're using Icedump, I have a hard time to get it going under W2K.

I only got everything to work perfectly after a fresh install of W2K without adding anything.

In the meantime with all the security fixes there must be something which makes SI unstable.

Solomon
March 18th, 2002, 10:44
yes I have integrated IceDump into SI(from DriverStudio 2.6). Both versions(with and without IceDump) work well. My OS: Win2K Adv Server SP2 build 2195. The older versions of RV often cause BSOD, but the latest does not.

Stone()
March 18th, 2002, 12:48
I downloaded Driver Studio 2.6 and will give it another try on my W2k Server box.

Would you mind giving me some hints about how to integrate IceDump into it?

Thanks in advance.

Solomon
March 18th, 2002, 14:16
I don't know whether IceDump will enhance the stability of SI.

1. put 3 files named "ntid.exe", "IceDump\wnt\4.26.922\icedump" and "ntice.sys" in the same directory.
2. run "ntid.exe" to get a new "ntice.sys".
3. use LordPE to fix the checksum of the new "ntice.sys"
4. replace the old "ntice.sys" in %SystemRoot%\system32\drivers with the new one.

That's OK. Hope this helps.
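Step 3 above exists because NT refuses to load a driver whose PE header checksum no longer matches the file (the patched ntice.sys fails with STATUS_IMAGE_CHECKSUM_MISMATCH). The script below is an added illustration of what LordPE's "fix checksum" does; it is not LordPE's, IceDump's or SoftICE's code. It implements the documented PE checksum (sum of all 16-bit words with end-around carry, skipping the CheckSum field, plus the file length) and the sample image it runs on by default is a constructed MZ/PE stub, not ntice.sys. Pass a real file path to check or fix that file instead.

```python
"""PE header checksum: verify and rewrite IMAGE_OPTIONAL_HEADER.CheckSum.

Added example for the IceDump/ntice.sys step in the thread. Not LordPE's code;
the default input is a constructed stub, not a real driver.
"""
import struct
import sys

E_LFANEW_OFFSET = 0x3C          # IMAGE_DOS_HEADER.e_lfanew
CHECKSUM_OFFSET_IN_PE = 0x58    # "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + OptionalHeader.CheckSum (0x40)


def checksum_field_offset(image: bytes) -> int:
    """File offset of the CheckSum field (same offset for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + CHECKSUM_OFFSET_IN_PE


def pe_checksum(image: bytes) -> int:
    """Sum of every 16-bit little-endian word with end-around carry, excluding
    the two words of the CheckSum field, then plus the file length."""
    skip = checksum_field_offset(image)
    padded = image + (b"\0" if len(image) & 1 else b"")   # odd length: pad for the sum only
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)           # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF


def stored_checksum(image: bytes) -> int:
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def checksum_ok(image: bytes) -> bool:
    return stored_checksum(image) == pe_checksum(image)


def fix_checksum(image: bytes) -> bytes:
    """Copy of the image with CheckSum rewritten to the computed value."""
    fixed = bytearray(image)
    struct.pack_into("<I", fixed, checksum_field_offset(image), pe_checksum(image))
    return bytes(fixed)


def constructed_stub() -> bytes:
    """Constructed test input: MZ header with e_lfanew = 0x40, a PE signature and
    zeroed header space large enough to contain the CheckSum field."""
    stub = bytearray(0x40 + 0x78)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, E_LFANEW_OFFSET, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else constructed_stub()
    print(f"stored 0x{stored_checksum(data):08X}  computed 0x{pe_checksum(data):08X}  ok={checksum_ok(data)}")
    if path and not checksum_ok(data):
        with open(path, "wb") as f:
            f.write(fix_checksum(data))
        print("CheckSum field rewritten")
```

Run it on the ntice.sys that ntid.exe produced to confirm the mismatch, then again after fixing to confirm stored and computed agree; any later byte patch to the driver invalidates the field again, so fix it last.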

Stone()
March 19th, 2002, 09:11
Thanks for the info.

Regretfully I can't get SI to work on this box.

W2K BSOD at startup. Due to the long boot times of W2K I decided to install it on ME.


Load app, push translate and SI does not break.

So I'm afraid no SI on this box.

Solomon
March 27th, 2002, 02:32
DAMN IT! Today ReGet Deluxe still destroyed my zip files!
Actually I have already patched the size check. There seem to be more hidden checks.

Stone()
March 27th, 2002, 11:51
There must be, as my version repacked with ASProtect 1.2 (to its original size) has not destroyed my zip files so far.

Solomon
March 27th, 2002, 13:28
Successfully located the other 2 size checks. The file size is hard-coded in the instructions.

Stone, how did you pack it to original size? Just fill it with some bytes?

crUsAdEr
March 27th, 2002, 13:59
Hi Solomon.

I downloaded the exact version as yours, same opcodes and everything... patched it to make it register... did not touch the size check at all... but my downloads seem fine.... no funny message like yours :>

How did you trigger it?

Thanx,

Solomon
March 27th, 2002, 14:18
hi binh81,

It's random. Just check the ASM list. I think GetTickCount() does the random trick. Try to change the return value in EAX to see what will happen (I have not tested this).
Code:

001B:004797E7 XOR EAX,EAX
001B:004797E9 CMP [0051483C],EAX
001B:004797EF JZ 004797FE
001B:004797F1 CALL [KERNEL32!GetTickCount]
001B:004797F7 AND AL,03
001B:004797F9 NEG AL
001B:004797FB SBB EAX,EAX
001B:004797FD INC EAX
001B:004797FE RET

In order to test my crack, I manually downloaded one zip file more than 100 times. Crazy? In the past few days it worked fine, but it begins to destroy files again this morning.

So Stone's way is the best way to pass the size check.
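The three pieces the thread has taken apart so far can be put side by side in one model: the size window from Solomon's listing (March 17th, 11:59), the day-of-week test in the same listing, the GetTickCount() coin from the second routine Solomon quotes just above, and Stone()'s zero-padding workaround (March 17th, 11:09). The Python below is an added illustration written from that listing; it is not ReGet's code and was not posted by anyone in the thread. Constants come from the listing (expected size 195A00 at DS:[5055E8], divisor 14h, flag kept on wDayOfWeek 4 and 6); every file size and tick count used here is made up, and the reading of [EBP-10] as SYSTEMTIME.wDayOfWeek (0 = Sunday) follows the Win32 structure layout.

```python
"""Model of the anti-tamper gate in the build 113 listing above.

Added example, not ReGet's own code. Sizes and tick counts below are made up.
"""
import datetime

EXPECTED_SIZE = 0x195A00     # DS:[5055E8]: size of the packed EXE on disk
SLACK_DIVISOR = 0x14         # PUSH 14 / IDIV: slack is 5% of the *measured* size


def size_tampered(actual_size: int, expected_size: int = EXPECTED_SIZE) -> bool:
    """00479779..00479799: True when the EXE on disk is outside
    [expected - slack, expected + slack] with slack = actual // 0x14."""
    if actual_size == 0:                        # CMP ESI,EDI / JZ: GetFileSize() == 0 skips the check
        return False
    slack = actual_size // SLACK_DIVISOR        # CDQ / IDIV ECX on the measured size
    if actual_size < expected_size - slack:     # JL 00479799
        return True
    return actual_size > expected_size + slack  # JLE 004797A3 is the "size is fine" path


def flag_survives_today(tampered: bool, w_day_of_week: int) -> bool:
    """004797B4..004797CC: the tampered flag is kept only on Thursday (4) and
    Saturday (6), SYSTEMTIME.wDayOfWeek numbering (0 = Sunday)."""
    return tampered and w_day_of_week in (4, 6)


def corrupt_this_download(flag_set: bool, tick_count: int) -> bool:
    """004797E7..004797FE: with the flag set, EAX becomes 1 exactly when the low
    two bits of GetTickCount() are zero, i.e. about one call in four."""
    if not flag_set:
        return False
    return (tick_count & 3) == 0


def pad_to_expected_size(image: bytes, expected_size: int = EXPECTED_SIZE) -> bytes:
    """Stone()'s workaround: append zero bytes so GetFileSize() returns the
    original size. Data past the last section is overlay and is never mapped,
    so the padding is inert for the unpacked EXE."""
    if len(image) > expected_size:
        raise ValueError(f"image is {len(image)} bytes, larger than {expected_size}")
    return image + b"\0" * (expected_size - len(image))


def simulate(actual_size: int, year: int, month: int, day: int, tick_count: int) -> bool:
    """End to end: would a download started on that date with that tick count
    be replaced by the fake readme, given an EXE of actual_size bytes?"""
    # SYSTEMTIME.wDayOfWeek is 0 = Sunday; Python's weekday() is 0 = Monday.
    w_day_of_week = (datetime.date(year, month, day).weekday() + 1) % 7
    armed = flag_survives_today(size_tampered(actual_size), w_day_of_week)
    return corrupt_this_download(armed, tick_count)


if __name__ == "__main__":
    unpacked = 0x12A000                                     # made-up size of an unpacked, patched EXE
    print("unpacked EXE flagged :", size_tampered(unpacked))
    padded = pad_to_expected_size(b"\0" * unpacked)
    print("padded EXE flagged   :", size_tampered(len(padded)))
    for w in range(7):
        print("wDayOfWeek", w, "keeps flag:", flag_survives_today(True, w))
    print("Thu 2002-03-28, tick&3==0:", simulate(unpacked, 2002, 3, 28, 4))
    print("Wed 2002-03-27, tick&3==0:", simulate(unpacked, 2002, 3, 27, 4))
```

Because the slack is computed from the measured size, an unpacked image that is much smaller than 195A00 always trips the check, while a padded one never does; the weekday and tick gates then explain why the corruption looks random and why it can disappear for days between test runs.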

MarcElBichon
March 28th, 2002, 09:53
look at http://rev.fannet.ru/cgi-bin/ceilidh.cgi/ceilidh/?C3d53bf6ebEUy-4469-1355+07.htm

Mike

Solomon
March 28th, 2002, 11:09
thx Mike. I got it

Stone()
March 28th, 2002, 12:20
This certainly will be blacklisted within the next version, so cracking it is still the way to go.

To repack it to exactly the same size, just try to add as many 00 bytes as you need using UPX or whatever packer works.

I could not repack it with Asprotect 1.2 as it said that the file is already protected.

Stone()
March 28th, 2002, 19:34
Hey, try to look at the new protection scheme in ReGet Build 114.

Registration with on-line server check.

I'm half thru with the un-protection. Completely changed compared to build 113.

Have fun.