Miracode


Eternal Bliss
April 4th, 2002, 15:51
Interesting... with links to us...
h**p://miracode.com/index.htm

But it doesn't actually tell us how it works...

DakienDX
April 4th, 2002, 17:11
Hello Eternal Bliss !

Interesting... with links to Astalavista...

I don't feel we've anything in common with Astalavista, except maybe the "research" aspect.
If there weren't any new protections claiming to be unbreakable, we would be unemployed.
And if they're not public they'll stay "unbreakable" a bit longer.

IcyDee
April 5th, 2002, 22:13
They seem to emphasise the ability to program into the program the ability to degrade operation (by for example corrupting output files or graphic images) if the main time limit check is bypassed. They don't however say anything about preventing regmon or filemon from finding all of the checks and, without patching, turning the clock back to regain the trial period.

The method they use to put the code into the program is by modification to the source code. There is no mention of anti-reverse-engineering code, anti-softice or self CRC checks. On the whole I think this is a pretty lame protection. A nice concept but unworkable since very few people are going to want to compile in their protection.

cyberheg
April 7th, 2002, 10:11
I also think the idea is good but I doubt it's unbreakable. They give examples about a plain prog which might start to work strangely, give bad results etc. All one would need is time to get the full hang of the protection.

However downloading the demo sdk I found a few interesting things:

First thing is that the protection prog is fully made in asm. It's even listed what compiler settings were used to build it. I noticed there were a lot of 4 nop instruction sequences, but if it's not selfmade it must be alignment, which is overkill then since in many places those 4 nop's are placed in the middle of the code.

I was able to kill the trial use (100 runs / 10 days) in just 15 min finding that the prog stores them in HKLM\SOFTWARE\Miracode in the key DAVID.1.0.PE1. At least on my machine it got reset after deleting this key.

A lot of strings inside david.exe are "encrypted". A quick IDC script solved this problem for me. Most of the places are encrypted using a hardcoded byte for xor'ing until the current byte will become 0:

#include "idc.idc"

// Decrypts one of david.exe's XOR'ed strings in place.
// Each stored byte is XOR'ed with a hardcoded key until a raw 0 byte
// (the terminator) is reached.
static main()
{
    auto b, ea;

    ea = 0x427979;                 // start of the encrypted string

    while (Byte(ea) != 0)
    {
        b = Byte(ea) ^ 0x4b;       // hardcoded key for this string
        PatchByte(ea, b);          // write the plaintext byte back into the database

        Message("Current addr: 0x%x Content: 0x%x\n", ea, Byte(ea));
        ea++;
    }
}
---------------

As for obfuscation the technique isn't anything outstanding. A lot of APIs are not visible in IDA because their addresses are calculated at runtime. The following shows this:

.text:0040E8FC mov dword_427999, (offset CloseHandle+1)
.text:0040E906 sub dword_427999, 49h
.text:0040E90D push offset aGGEfnfJfdyFY ; "~`g'`g`\tefnf$jfdy\tf|}y|}\t"
.text:0040E912 push 4
.text:0040E914 push offset word_4279A3
.text:0040E919 push (offset aGGEfnfJfdyFY+12h)
.text:0040E91E push (offset aGGEfnfJfdyFY+8)
.text:0040E923 call dword_427999
.text:0040E929 cmp eax, 0
.text:0040E92C jnz short loc_40E942
.text:0040E92E nop
.text:0040E92F nop
.text:0040E930 nop
.text:0040E931 nop

It first puts an address into dword_427999, then subtracts a hardcoded value from it and later calls it. It's most likely made with a simple macro in the original code since it's the same type of "redirection" used in plenty of places there.

I also noticed it used registry strings from HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed but I didn't bother to find out for what use.

Many things make me think it's not as unbreakable as it seems.
I think many of us would like to see a target using it though.
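As an added illustration of the string decryption cyberheg describes (this is not his IDC script and not Miracode's code), the Python below does the same XOR-until-NUL decode offline on a byte buffer, recovers the single-byte key from a known plaintext (the registry path quoted in the post, used here as the crib) and then lists every decodable string; the sample buffer is constructed for the demo.

```python
# Added example, not cyberheg's IDC script and not Miracode code: the same
# XOR-until-NUL decode done offline on a byte buffer, plus known-plaintext
# key recovery. SAMPLE is CONSTRUCTED for the demo; 0x4b is the key from
# the post and the registry path it reports serves as the crib.

XOR_KEY = 0x4b
CRIB = b"SOFTWARE\\Miracode"

def xor_encode(s: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in s) + b"\x00"   # stored form: byte ^ key, raw 0 end

# Constructed "image": two obfuscated strings between opaque filler bytes.
SAMPLE = (b"\x90\x90\x90\x90" + xor_encode(CRIB, XOR_KEY)
          + b"\xff\xe8\xc3" + xor_encode(b"DAVID.1.0.PE1", XOR_KEY) + b"\xc3\xcc")

def decode_cstring(buf: bytes, offset: int, key: int) -> str:
    """Same loop as the IDC script: XOR each byte until the *stored* byte is 0.
    (A plaintext byte equal to the key is stored as 0 and truncates the string.)"""
    out = bytearray()
    for b in buf[offset:]:
        if b == 0:
            break
        out.append(b ^ key)
    return out.decode("latin-1")

def recover_key(buf: bytes, crib: bytes):
    """A single-byte key must map the crib to one constant; return (key, offset)."""
    for i in range(len(buf) - len(crib) + 1):
        keys = {buf[i + k] ^ crib[k] for k in range(len(crib))}
        if len(keys) == 1:
            return keys.pop(), i
    return None

def find_strings(buf: bytes, key: int, min_len: int = 4):
    """(offset, text) for every NUL-terminated run that decodes to printable ASCII."""
    found, i = [], 0
    while i < len(buf):
        j = i
        while j < len(buf) and buf[j] != 0 and 0x20 <= (buf[j] ^ key) < 0x7f:
            j += 1
        if j - i >= min_len and j < len(buf) and buf[j] == 0:
            found.append((i, decode_cstring(buf, i, key)))
        i = j + 1
    return found

if __name__ == "__main__":
    key, off = recover_key(SAMPLE, CRIB)
    print(f"key=0x{key:02x} (crib at offset {off})")
    for o, text in find_strings(SAMPLE, key):
        print(f"{o:4d}: {text}")
```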

DakienDX
April 7th, 2002, 16:18
Hello cyberheg !

Thank you for the nice review of the protection.
So we know what to look for when the first targets come out.

cyberheg
April 7th, 2002, 19:42
After the first post I was tempted to protect one of my own progs. I never succeeded though.

First thing, the documentation was not too clear on how to integrate the stuff in the source code. Then after making use of those mira tags I had to use those "helper" progs inside visual studio to paste the rest of the needed tags into the source code.
I never got them to paste anything into the editor like the manual stated they should.

So after placing some tags manually I went back to David and tried to inject the stuff into the code. This changed the clean variables into variables with values set like daysremaining was set to 100.

Other than that I couldn't find out how to go on. From what I could see only the prototypes are there, but the rest of the code (a library or something else) I think is only in the full version and not the demo of the sdk.

If anyone actually manages to protect a prog using this, please post here.

I think the manual needs some examples and there could be example projects included too. This would help a lot in making it easier to start with.