
Protexis commercial protection (DivX5)


Pyrae
April 2nd, 2002, 15:39
Hi guys,
I need help with some strange looking unpacker/decryptor code (see snippet below), maybe somebody already took a look at it as it's used in both versions of the recent DivX 5.0 Pro Codec (ad-supported & retail versions).
The protector has been developed by Protexis (http://www.protexis.com).
The main DLL is crypted and a lib named psikey.dll (some anti-dasm stuff, no encryption), which performs key setup and validation routines, is copied to your SysDir.
The protected DIVX.DLL contains 8 sections of which the 7th (.data) obviously contains the decryptor code.
So I replaced the first opcode (pushad) by CCh to break on INT3 and adjusted things in SoftICE accordingly - but this messed up the whole thing and a nonsense-msgbox was displayed.
How is this possible when it is the first instruction of the whole protected module that is executed? And how can the further code be executed following the snippet below?


Here is the mentioned code snippet:

divx.dll (5.0 PRO GAIN):

.1015F000 90 nop (start of .data section)
.1015F001 60 pushad (code entry point)
.1015F002 E803000000 call .1015F00A (see code snippet below)
.1015F007 E9EB045D45 jmp 0456434F7 (invalid?)
.1015F00C 55 push ebp
.1015F00D C3 ret

called from .1015F002:

.1015F00A 5D pop ebp
.1015F00B 45 inc ebp
.1015F00C 55 push ebp
.1015F00D C3 ret


Thanks a lot, Pyrae
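As an added example (not part of the thread), here is a small Python walk through the stub quoted above: the call pushes .1015F007 as its return address, the pop/inc/push/ret sequence turns that into .1015F008 and returns there, which lands inside the operand bytes of the 5-byte jmp, where EB 04 is a short jump over the push/ret to .1015F00E. The bytes are transcribed from Pyrae's listing; nothing past .1015F00D is modelled, so the walk stops as soon as EIP leaves the known bytes.

```python
import struct

BASE = 0x1015F000          # start of the .data section in the listing
ENTRY = BASE + 1           # the pushad, which the post names as code entry point
# Bytes transcribed from the listing: nop, pushad, call +3, the 5-byte
# jmp E9 EB 04 5D 45, push ebp, ret.  Anything after .1015F00D is unknown.
STUB = bytes.fromhex("9060E803000000E9EB045D4555C3")
END = BASE + len(STUB)

def step(eip, regs, stack):
    """Execute the single instruction at eip; return (disassembly, next eip)."""
    off = eip - BASE
    op = STUB[off]
    if op == 0x90:
        return "nop", eip + 1
    if op == 0x60:
        stack.append("<8 regs>")                 # pushad: popad is in the unmodelled part
        return "pushad", eip + 1
    if op in (0xE8, 0xE9):                       # call / jmp rel32
        target = eip + 5 + struct.unpack_from("<i", STUB, off + 1)[0]
        if op == 0xE8:
            stack.append(eip + 5)                # return address = .1015F007
        return f"{'call' if op == 0xE8 else 'jmp'} {target:#x}", target
    if op == 0xEB:                               # jmp rel8, hidden in the E9 operand
        target = eip + 2 + struct.unpack_from("<b", STUB, off + 1)[0]
        return f"jmp short {target:#x}", target
    if op == 0x5D:
        regs["ebp"] = stack.pop()
        return "pop ebp", eip + 1
    if op == 0x45:
        regs["ebp"] += 1
        return "inc ebp", eip + 1
    if op == 0x55:
        stack.append(regs["ebp"])
        return "push ebp", eip + 1
    if op == 0xC3:
        return "ret", stack.pop()
    raise ValueError(f"opcode {op:#x} at {eip:#x} not modelled")

def trace(limit=16):
    """Follow the real control flow from ENTRY until it leaves the known bytes."""
    eip, regs, stack, path = ENTRY, {"ebp": 0}, [], []
    while BASE <= eip < END and len(path) < limit:
        text, nxt = step(eip, regs, stack)
        path.append((eip, text))
        eip = nxt
    return path, eip

if __name__ == "__main__":
    path, exit_eip = trace()
    for addr, text in path:
        print(f"{addr:#x}  {text}")
    print(f"left the quoted bytes at {exit_eip:#x}")
```

A linear disassembler shows the jmp at .1015F007 and then push/ret; the trace shows the stub never executes that jmp and never hits the ret at .1015F00D from .1015F00C, which is why single-byte patches in this stretch behave differently from what the listing suggests.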

DakienDX
April 2nd, 2002, 17:17
Hello Pyrae !

I'm sorry, but I have to correct your post a bit.

Only the full version of DivX Pro 5.0 comes with the PSIKEY.DLL file. The ad-supported version doesn't have this file because it can't be registered.
If you look at the retail and ad-supported version you'll find out very soon that they use the same protector to prevent reversing. And this is not the one by Protexis. The Protexis system is only used to register the full version, it is called from the DIVX.DLL.
The fact that the protection is located in an external .DLL doesn't make it look very secure.
The nice message box you get when you change a bit in DIVX.DLL has nothing to do with Protexis.

So if you just want to register DivX Pro, get the ad-supported version and remove the "ad-supported".
If you're interested in reversing the protection go on and find a way to bypass the little messagebox.
After that start reversing the Protexis part.

Pyrae
April 2nd, 2002, 18:53
Hi Dakien, thanks for your fast reply and sorry for being imprecise. Of course you're right and psikey.dll is only required for the retail version.
Concerning the PE cryptor, well, I just guessed that it is part of the Protexis system, but it may be a self-made one as well.
The first thing I did (as you wrote: unencrypted external dlls do not seem very secure) was patching functions in the psikey.dll, but even if all relevant exports give back correct results (I used the DAMN keymaker to compare the results each function delivers) the codec produced crappy results, so chances are that there's some key calculation (from serial and activation key) involved at a very low level (i.e. some flags or vars are set, which I'm not yet aware of).
As my primary goal was to unwrap the main dll completely and patch it in some way to have a codec that doesn't require any license info or the ad-ware registry entries, I decided to tamper with the PE cryptor to unpack the ad-supported version, so I can patch it to not require those gator entries. But that's where my problems arise: Looking at the decryptor start code (see above), I simply don't see how this routine can escape out of this snippet to check its validity (probably by using in-memory checksums?).

DakienDX
April 2nd, 2002, 20:43
Hello Pyrae !

But it may be a well-known one as well.

No reversing work is needed for this target. Just use your brain.

Else you might want to trace the startup code and find out how it works yourself. It's really easy. It will escape. (Yes, there are also in-memory checksums)

Pyrae
April 3rd, 2002, 06:52
Uhoh right, please don't beat me.
Guess I just didn't tamper enough with ASPack/ASProtect yet...


Nevertheless, thanks for your kind replies, Dakien.

so long, Pyrae

enigma_newbie
October 12th, 2012, 01:38
Hi together,

now I have a prog too, which is protected with Protexis and PSIKey.dll.

Does anyone have experience with this protection and reversing it?

Thanks in advance.

Enigma

condzero
October 24th, 2012, 13:54
I've seen this before, but I can't remember which vendor was using it, maybe Corel??
You may see a Windows service running in the background:
C:\WINDOWS\system32\PSIService.exe which you can disable.
You can also bypass any calls within your program to this service, but you already knew that, right?

cheers