Fusion v3 cracked, Titanium v3 defeated, Bit Arts fooled!


Heathcliff
July 21st, 2002, 03:09
Fusion v3 build 2.0.1.0 by Bit Arts cracked

First a little introduction.

I, Heathcliff, am an application programmer and do not have any cracking background. I am not a member of any cracking crew either. Until a little while ago I just downloaded cracks for the programs I use at home. I recently downloaded Fusion v3 from Bit Arts. Unfortunately I couldn't find a crack for this neat program. I noticed the program was protected with Titanium v3, which is protection software from Bit Arts. So I tried to find cracks for Titanium v3. But I couldn't find them either.

When I came to read messages on forums I understood that this protection system is not easy. So I thought this to be a challenge. I mean, I never cracked a program before, but I wanted to use the software, I didn't want to pay $199 for it and there are no cracks yet.

In about a month's time I read many cracking tutorials, learned assembly, downloaded and tested many tools like SoftIce, IceDump, PE editors, ReVirgin and IDA Pro. I made 23 pages of notes while wandering through the code.

I finally managed to defeat all of the Titanium protections, but I am not planning on doing more cracks, because I am dreaming in hexadecimal now and my girlfriend is complaining that I am behind the computer all night, instead of enjoying her or getting some sleep. I will write a tutorial on how to crack Fusion v3 manually and post it on this messageboard in a few days.

Here's a summary of the target file. There are limitations on the demo version:

Nag screen.
Time limit.
Your saved work will be renamed.

There are quite a few protections:

There is a Titanium shield with time limit and nag screen, which encapsulates the target executable. This shield also has anti-SoftIce and anti-FrogsIce routines. The target executable is packed and encoded. On entering the target executable the IT is destroyed. The target executable is mutated by Titanium. The original code needs to be restored and the mutation code must be disabled. The mutation code contains anti-disassembling and anti-trace protection through insertion of corrupt code and data, runtime decoding and encoding of critical code and messing with the stack. The mutation code also contains anti-patch and anti-relocation code by doing header checks, using instruction pointers for decryption keys and calling memory-messing routines. In the target executable are registration checks that need to be fooled.

I made a cracked executable that fully works! But since I have no further cracking experience at all, I don't know where to upload my crack. I wanted to attach it to this message, but the filesize exceeds the limit. So please give me a few locations where I can upload!

Greetz and respect to the cracking community!

Heathcliff

Woodmann
July 21st, 2002, 04:10
Howdy,

I would love to see you write a tutorial about your works.
I would ask that you post no cracks/patches/keygens to this site.

We are far more interested in the "workings" of protection, encryption and packing/unpacking.

Congratulations on the rewards of your hard work.

Peace, Woodmann

Heathcliff
July 21st, 2002, 10:33
Hi woodmann,

I will start writing tonight, after I've seen Formula1 on TV. But as I told you, I made 23 pages of notes. And I have to sort that out and write it down in a sensible way. So I don't think I will be able to finish it today.

Nevertheless, I would like you people to give me some locations where I can upload the cracked exe (other sites or ftp sites) so that other people can enjoy Fusion v3 too (and show that I was the first to crack it).

Bye!!

Heathcliff

Athlon
July 21st, 2002, 12:38
May I ask where you learned assembly in a month?

esther
July 21st, 2002, 15:30
> I made a cracked executable that fully works! But since I have no further cracking experience at all, I don't know where to upload my crack. I wanted to attach it to this message, but the filesize exceeds the limit. So please give me a few locations where I can upload!

> Greetz and respect to the cracking community!


YOU DON'T SEEM TO RESPECT THE BOARD!!!!
YOU WILL NOT GET ANY HELP FOR UPLOADING YOUR CRACKS!!!

Heathcliff
July 21st, 2002, 15:48
Quote:
Originally posted by Athlon
May I ask where you learned assembly in a month?


Hi Athlon,

I've had a lot of assembly experience on the good old Commodore 64. Assembly on the PC has the same basic elements, such as registers, stacks, hexadecimal and binary operations, immediate and relative addressing, etc. Only on a PC there are a lot more registers and other features. But with a good assembly reference at hand it is easy to understand. Remember, I haven't done a lot of coding myself to crack this program, I only had to be able to read and understand the code to do some modifications.

Greetz,

Heathcliff

Heathcliff
July 21st, 2002, 15:54
Quote:
Originally posted by esther
YOU DON'T SEEM TO RESPECT THE BOARD!!!!
YOU WILL NOT GET ANY HELP FOR UPLOADING YOUR CRACKS!!!


Hi Esther,

Please don't get angry so quickly. I should have read the rules of this board better, to know that I shouldn't attach cracks to the messages. And I'm sincerely sorry for that. But when I asked for locations to upload the crack before, I meant other sites or ftp sites. I know only locations where I can download cracks, but I don't know where I can upload them. I will read the rules of this board again; I did not and do not mean to disrespect anyone.

Greetz,

Heathcliff

esther
July 21st, 2002, 16:01
> But when I asked for locations to upload the crack before, I meant other sites or ftp sites. I know only locations where I can download cracks, but I don't know where I can upload them

NO asking in here, remember that!!! Go elsewhere and ask, and don't ask me where!
If you write a tute you are welcome to send it to Woodmann

Heathcliff
July 21st, 2002, 16:27
Quote:
Originally posted by esther
NO asking in here, remember that!!! Go elsewhere and ask, and don't ask me where!
If you write a tute you are welcome to send it to Woodmann


Alright Esther,

You made your point. I won't come back here until I've finished my tutorial and I'll find out where to upload myself. But why the hostility? You don't make it very enjoyable for newbies to get around here and share experiences. Cool off a little, woman.

I'll start writing the tutorial this evening and hope to finish it as soon as possible.

Greetz and still respect,

Heathcliff (see you again when I'll post my tut)

esther
July 21st, 2002, 16:51
The reason is simple. Read this from Kayaker, one of the admins, who explains it, coz I don't wanna repeat the same old question.

> There's a history here that may not be apparent to the newbie or casual viewer, or even to the regulars, as to the continuing attempts of certain individuals/groups to get the hosting ISP to close this site. After several unsuccessful attempts (the latest not that many weeks ago), their final arguments have withered to the occasional accusation that this site supplies cracks or serial numbers. Their unfounded accusations of "warez" have disappeared at least from their latest libelous statements.

> So, it falls on the admins to try to keep these dogs at bay. My theory is if we can keep the discussions under the realm of "intellectual property", and don't give 'em anything smelling like a crack or s/n, then they've got no case and we'll be left alone. Am I being anal (or delusional) about this? Probably, but that's what I'm getting paid for ;-> This is however a community MB, and all decisions are at least open for discussion.

> > Cool off a little, woman
You d** is

LaptoniC
July 21st, 2002, 18:58
Esther, why do you treat people in this way? I didn't want to get involved in this, but I saw the same kind of messages by you a lot. You respond to every message with anger. Woodmann replied kindly and you reply again with BIG WORDS. C'mon, grow up.

Woodmann
July 21st, 2002, 20:40
Howdy,

Everybody calm down......

Heathcliff was dealt a fair hand. Normally his type of post would have been removed.
It's one thing to read the guidelines, it's another to understand them. The only reason I left the thread was because it sounded like he may have actually done something useful. Unfortunately, he got caught up in his happiness and wants to "claim his fame".
He can claim his fame, but he should have known from the guidelines that we don't tolerate such posts. They only draw attention from those who seek to shut us down.

He paid his respects, let's wait for his tute.

Peace, Woodmann

(esther is not a woman)

Heathcliff
July 22nd, 2002, 02:25
Edited by Woodmann

Heathcliff
July 22nd, 2002, 02:28
ditto

Heathcliff
July 22nd, 2002, 02:29
You can get the tutorial here:

http://www.woodmann.net/fravia/fusion_v31.txt

Heathcliff
July 22nd, 2002, 08:09
After the last adjustment you have to validate the checksum of the executable again with a PE editor.

Greetz,

Heathcliff

esther
July 22nd, 2002, 10:47
Quote:
Originally posted by LaptoniC
Esther why you treat people in this way.I didnt want to get involve in this, but I saw same kind of messages by you a lot.You respond every message with anger.Woodman replied kindly and you reply again with BIG WORDS c'mon grow up.


Hi Laptonic,
I don't have to tell you why I acted this way. About big words, I have only posted a few. I can delete a post without answering it if I feel the post is threatening the forum. Prevention is better than cure, if you understand what I mean.

regards

nofurs
July 22nd, 2002, 10:53
Quote:
Originally posted by LaptoniC
Esther why you treat people in this way.I didnt want to get involve in this, but I saw same kind of messages by you a lot.You respond every message with anger.Woodman replied kindly and you reply again with BIG WORDS c'mon grow up.



Y0 Laptonic,

I think you have made a mistake, I'm the one who wrote in caps and colors, not esther.

Heathcliff
July 22nd, 2002, 12:03
More thread cleaning, Woodmann

Athlon
July 22nd, 2002, 14:32
is it ok if I make this html and post it on my site?

Heathcliff
July 22nd, 2002, 15:01
Quote:
Originally posted by Athlon
is it ok if I make this html and post it on my site?


No problem, but use the attached text file, not the messages I posted here.

Greetz,

Heathcliff

sandworm
July 22nd, 2002, 22:13
I've tested your tut with Fusion and it worked, but when I push the run button the prog crashes with a mem page error. I tried to find what went wrong but got stuck. After reading your tut again I've seen that you only gave 27 locations to patch out of the 31, and I think there are some mutation routines left in my exe. Am I right, and have you done it on purpose to prevent people using your tut to crack Fusion instead of understanding it?

Heathcliff
July 22nd, 2002, 23:20
Hi everyone, I have to apologise! I made an error in writing the tutorial! Sandman said that he tried it, but he still got a page fault. That's because the tutorial misses one patch! I compared the tut with my notes very thoroughly. And I found a mistake I made in the tutorial. The missing patch was in my notes, but I didn't write it in the tutorial. The missing patch is in mem @ 412895h or @ raw-offset 11C95h in the dumped file. These values should be written there: 89 5E 58 8B C6. After this patch it should really work!

Sandman suggested that I forgot more patches, because I said there were 31 calls to protection routines and he counted only 27 patches. Maybe he should count again, because there are 26 patches in the original tutorial and there should be 27 (like in the revised version of the tutorial, attached to this message). The reason that there are only 27 patches is that 4 of those patches are longer than all the others, because they patch two calls at once, including the code that was scrambled between the two calls. As I already said in the tutorial, some calls are called in pairs to decrypt and encrypt the code between them.

If you already published the tutorial, please replace it with this version! Thanks.

Greetz,

Heathcliff

cah
July 23rd, 2002, 07:58
It is good work done by you on manually unpacking a target file, and it is like an exercise for newbies who choose a career in RE.

Give us tips, basics and advice on how to learn assembly language fast.

Cah...

esther
July 23rd, 2002, 10:08
http://archive.yates2k.net/%2BSandman/Main.html

Zen, The Art Of...
'Learning...'
A reversing student went to his teacher and said earnestly, "I am devoted to studying your teachings. How long will it take me to become a reverser like you?"

The teacher's reply was casual, "10 years."

Impatiently, the student answered, "But I want to learn it faster than that. I will work very hard. I will practice every day, ten or more hours a day if I have to. How long will it take then?"

The teacher thought for a moment, "20 years."

sandworm
July 23rd, 2002, 10:18
yeah this time it works flawlessly, great work!!! I can now concentrate upon the protection and try to understand everything.

one last question, is it possible to search for patterns with jokers like e8 ? ? 09 in sice or Hex Workshop ('cause I don't know how) or have you made a little proggy to scan the exe?


One more time congratulations and thanks for sharing this tute

ps: I said 27 patches 'cause I counted the patch at 44cb77 as well

Heathcliff
July 23rd, 2002, 11:21
Quote:
Originally posted by cah
It is good work done by you on manually unpacking a target file & it is like exercise work for newbies who choses their career in RE.

Give us tips, basics & advice on how to learn fast of assembly language.

Cah...



Hi Cah,

As I said in an earlier message, learning assembly on a PC was probably easier for me than for other people. The reason is that I've programmed assembly on the good old Commodore 64 and Commodore Amiga. The basics of the languages are the same, so it was easier to understand. I also have a high degree in software engineering, which is also my daily work. So with a lot of other programming experience it is easier to master the assembly language. I just needed an assembly reference to look up some commands now and then. I really don't want to discourage you, but I just want to say that it might take you longer than a month. You don't need to know all the ins and outs of the assembly language to be able to crack programs. You just need to understand what is going on in some routines instead of understanding every command. The basics you need to know about assembly are:

- How values are moved between registers, memory and stack.
- What exactly happens to the stack when pushing and popping values and calling routines.
- How to parse arguments on the stack for a routine being called.

There are some good websites discussing these topics. For example, do a Google search on: argument stack routine assembly.

It might even be easier to buy a book on assembly. I recommend you don't buy a very thick book with all the ins and outs, but a book that explains everything short and clear.

If you understand the basics of assembly you could use cracking manuals, like the one I wrote, to understand protection routines in more detail. This is also what I did myself. Before I started with Fusion and Titanium I read dozens of tutorials.

If you have more specific questions about assembly I'll be happy to answer them for you, but maybe you should start a new thread for that.

Keep up the good worx! Greetz,

Heathcliff.

Heathcliff
July 23rd, 2002, 11:29
Quote:
Originally posted by sandworm
yeah this time it works flawlessly, great work!!! I can now concentrate upon the protection and try to understand everything.

one last question, is it possible to search for patterns with jokers like e8 ? ? 09 in sice or Hex Workshop ('cause I don't know how) or have you made a little proggy to scan the exe?


One more time congratulations and thanks for sharing this tute

ps: I said 27 patches 'cause I counted the patch at 44cb77 as well



Hi Sandworm,

Sorry that I called you Sandman before. I meant Sandworm of course. I'm really glad you could reproduce all my findings. I did the pattern search with IDA. I couldn't find something like that in SoftIce or IceDump. I think most hex editors are able to do the job, but I'm not sure and I don't know how it works. In IDA Pro 4 you search for a byte array and type e8 ? ? 09. Sorry again for the missing patch, I did not mean to make you sweat

Greetz,

Heathcliff.
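The wildcard byte search sandworm asks about and Heathcliff does in IDA ("search for a byte array and type e8 ? ? 09") is easy to reproduce outside IDA. The following is an added example, not code from the thread or from any tool it mentions: a small scanner that turns a pattern with `?` jokers into a masked search over a byte buffer, and, because the pattern here is the first byte of a CALL rel32, also decodes each hit's call target so hits that land in a given address range can be picked out. The buffer, its image base and the target range are constructed sample data, and the code assumes file offset equals RVA for the bytes scanned.

```python
"""Wildcard byte-pattern search ("e8 ? ? 09" style) over a byte buffer.

Added example, not from the original thread. parse_pattern/find_pattern
reimplement the IDA-style masked search; call_target/calls_into decode
the rel32 of E8 (CALL) hits. SAMPLE_* below are constructed, not bytes
from Fusion, and file offset == RVA is assumed for the scanned region.
"""
import struct
from typing import List, Optional, Tuple


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn 'e8 ? ? 09' into [0xE8, None, None, 0x09]; '?' or '??' is a joker."""
    out: List[Optional[int]] = []
    for tok in text.split():
        out.append(None if tok in ("?", "??") else int(tok, 16))
    return out


def find_pattern(buf: bytes, pattern: str) -> List[int]:
    """Return every offset in buf where the masked pattern matches."""
    pat = parse_pattern(pattern)
    n = len(pat)
    hits: List[int] = []
    for off in range(len(buf) - n + 1):
        for i, want in enumerate(pat):
            if want is not None and buf[off + i] != want:
                break
        else:
            hits.append(off)
    return hits


def call_target(buf: bytes, off: int, image_base: int) -> int:
    """Decode the signed rel32 of an E8 CALL at `off`; target = next-instruction VA + rel32."""
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return image_base + off + 5 + rel


def calls_into(buf: bytes, image_base: int, lo: int, hi: int) -> List[Tuple[int, int]]:
    """All CALL rel32 sites whose decoded target lies in [lo, hi), as (offset, target)."""
    result: List[Tuple[int, int]] = []
    for off in find_pattern(buf, "e8 ? ? ? ?"):
        tgt = call_target(buf, off, image_base)
        if lo <= tgt < hi:
            result.append((off, tgt))
    return result


# Constructed sample: 0x30 bytes of NOP with two CALLs planted in it.
SAMPLE_BASE = 0x400000
_sample = bytearray(b"\x90" * 0x30)
_sample[0x10:0x15] = b"\xE8\x02\xAA\x09\x00"   # CALL rel32 +0x9AA02 -> 0x49AA17
_sample[0x20:0x25] = b"\xE8\x00\x01\x00\x00"   # CALL rel32 +0x100   -> 0x400125
SAMPLE = bytes(_sample)

if __name__ == "__main__":
    for off in find_pattern(SAMPLE, "e8 ? ? 09"):
        print(f"match at {off:#x}, calls {call_target(SAMPLE, off, SAMPLE_BASE):#x}")
    print(calls_into(SAMPLE, SAMPLE_BASE, 0x490000, 0x4A0000))
```

A joker pattern on one byte of the displacement is a coarse filter: `e8 ? ? 09` matches any CALL whose displacement has 0x09 in its third byte, plus any data that happens to look like one. Decoding the rel32 and checking that the target falls inside the routine range you have already identified is the more precise test.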

sandworm
July 23rd, 2002, 12:05
that's not a problem for me to be called sandman 'cause he is a great reverser, but I think he won't be glad to see his name usurped by a newbie

still no problem for the patch, you did all the hard job and it's normal for the others to swear a little to reproduce and understand.

In fact now that you gave me the solution, I'm a little ashamed 'cause with just a little work I could have given you the culprit call and saved you one more night reading your notes and abandoning your girlfriend

But I'm still a newbie and wasn't sure of the cause; at first I thought I hadn't rebuilt it the right way.

As a conclusion I would say that the development of this protection will be interesting to follow 'cause no doubt Bit Arts' response will be to increase the number of such calls to make manual unpacking very painful.

(in fact this may result in an app slowdown but do they really care? did you see the difference of runtime between protected and unpacked app? it's a shame!).

So it may become another challenge for our coding gurus: write a tool to automate the patching of these calls!! Moreover this scheme could provide ideas to other protection writers, reading this thread Alexey?

ps: ok silly me didn't see you've added the 44cb77 call to the patch list

Heathcliff
July 23rd, 2002, 19:00
Quote:
Originally posted by sandworm
As a conclusion I would say that the development of this protection will be interesting to follow 'cause no doubt Bit Arts' response will be to increase the number of such calls to make manual unpacking very painful.

So it may become another challenge for our coding gurus: write a tool to automate the patching of these calls!! Moreover this scheme could provide ideas to other protection writers, reading this thread Alexey?


It's funny you say that. I've been thinking about that too. You know, when a reverser has a job to do and he's got 100 hours to do it, he'd rather use 99 hours to write a tool which does the job in a few seconds

Anyway, if you look at all the mutation code in the reloc section you see that none of the routines is the same, yet they all have similarities. The routines use different registers, there are three different header checks in the routines, some use relative addressing and others use absolute addressing. It shouldn't be too hard to make a little program which performs a very specific pattern search to identify the protection routines. In my daily work I program algorithms a lot. After the routines are identified, the relative calls to the protection routines can be found by performing another pattern search which searches very specifically for the assembler CALL command and the exact relative offset between the search position and the protection routines. The most difficult part will be to get the encoded code from the mid-section of the routine. This can only be done by identifying very specific parts in the routines which are responsible for loading the registers before calling the decode routine at the end. Then you have to simulate it and call the routine. The replacement code should also not be difficult to identify, because it's always just after four PUSH commands, of which two are always PUSHFD. This code that is responsible for loading the registers is never the same, but there are only a few variations, so it is possible. The last thing you have to identify and patch is the routine where the registration level is read from the environment variable STATUS. But if all Titanium v3 targets are as easy as Fusion, it should really not be hard. The unpacker just gives a registration level between 0 and 9999 which will be the value moved into EAX in the patch.

I don't think I will code a whole unpacker, because this also involves coding unpackers for the Titanium shield, the IT and the packed target executable. Maybe I will write a piece of code which makes all the patches for you in the way I just described. If someone else wants to do it I'll be happy to assist. Also if someone wants to code the unpackers, I'll be happy to assist. It wouldn't surprise me if the Titanium shield itself has the same type of protection routines.

Greetz,
Heathcliff.

Pyrae
July 24th, 2002, 05:53
Great job, Heathcliff, thanks very much for your extraordinarily well elaborated essay (pretty rare nowadays)!
Indeed the routines you described seem to be the Titanium3 default ones (currently taking a look @ Crunch4). I have to admit that the general idea behind them seems pretty neat, though the bi tarts charge 598 bucks too much for TT3, and the massive use causes severe performance degradation to the "protected" apps.
Time to put their Photoshop aside and do some coding...

Please keep on using your RCE talent, Pyrae

cah
July 24th, 2002, 08:16
Give me your email id. I will mail you. I have a couple of interesting queries and doubts in assembly language.

Waiting for your reply. Thanks in advance for your reply
Cah...

Heathcliff
July 24th, 2002, 15:51
Hi cah and others,

I'd rather not give my email address to anyone. You can send me private mail or email through this site. The reason I don't give my email is that I think I've made some enemies at Bit Arts by releasing the tutorial. Titanium and Fusion are their products and I probably damaged their good name. I don't want them to bug me.

If you have useful info, why not share it with everyone, like I did. Just post it on this forum!

See y'all around,
Heathcliff

NeO'X'QuiCk
July 25th, 2002, 01:52
First of all I would like to congratulate Heathcliff on his tut!! It's very good..


but I would like to add some info also for other unpackers so they will not have to play with it so much!! After dumping it.. I used ImpREC with 401000, added that to the dumped file.. and fixed the EOP, which was the same!! So I ran the exe and got an error:

JJ_ caused an invalid page fault in
module JJ_.EXE at 017f:004e36b3.

so if you trace until there or you put a break on it.. it's the same..
so look at the code now..

017F:004E3655 E800000000 CALL 004E365A
017F:004E365A 5D POP EBP
017F:004E365B 81ED08000000 SUB EBP,00000008
017F:004E3661 60 PUSHAD
017F:004E3662 8D95AE000000 LEA EDX,[EBP+000000AE]
017F:004E3668 8D9D24000000 LEA EBX,[EBP+00000024]
017F:004E366E 8DB5AA000000 LEA ESI,[EBP+000000AA]
017F:004E3674 FFD2 CALL EDX /**here is a decrypting routine**/
017F:004E3676 EB27 JMP 004E369F
017F:004E3678 35463C3783 XOR EAX,83373C46
017F:004E367D F730 DIV DWORD PTR [EAX]
017F:004E367F 37 AAA
017F:004E3680 3D163D3739 CMP EAX,39373D16
017F:004E3685 262137 AND ES:[EDI],ESI
017F:004E3688 AE SCASB
017F:004E3689 CB RETF
017F:004E368A 098A8B362E37 OR [EDX+372E368B],ECX
017F:004E3690 A4 MOVSB
017F:004E3691 8B8C3729369DF0 MOV ECX,[ESI+EDI+F09D3629]
017F:004E3698 45 INC EBP
017F:004E3699 35520B14B6 XOR EAX,B6140B52
017F:004E369E 1E PUSH DS
017F:004E369F 37 AAA
017F:004E36A0 1DBD1A1C5C SBB EAX,5C1C1ABD
017F:004E36A5 1C5F SBB AL,5F
017F:004E36A7 43 INC EBX /**error**/
017F:004E36A8 09BDF5BC7C04 OR [EBP+047CBCF5],EDI
017F:004E36AE 0DCF867B24 OR EAX,247B86CF
017F:004E36B3 C4AD57FD6351 LES EBP,[EBP+5163FD57]
017F:004E36B9 3AFB CMP BH,BL
017F:004E36BB A2D0367E37 MOV [377E36D0],AL
017F:004E36C0 F6625E MUL BYTE PTR [EDX+5E]
017F:004E36C3 33F0 XOR ESI,EAX


as you can see it's encrypted..
so look at that 017F:004E3674 FFD2 CALL EDX

017F:004E3700 B95B000000 MOV ECX,0000005B
017F:004E3705 8A4601 MOV AL,[ESI+01]
017F:004E3708 32C1 XOR AL,CL
017F:004E370A 300419 XOR [EBX+ECX],AL
017F:004E370D 300C19 XOR [EBX+ECX],CL
017F:004E3710 49 DEC ECX
017F:004E3711 75F5 JNZ 004E3708
017F:004E3713 C3 RET


as you can see it decrypts 5b bytes.. and with the XOR command, so it's easy.. actually lame :P



so after decrypting, our code looks like this:
017F:004E3674 FFD2 CALL EDX
017F:004E3676 EB10 JMP 004E3688 (JUMP )
017F:004E3678 00700E ADD [EAX+0E],DH
017F:004E367B 00B2C10E0000 ADD [EDX+00000EC1],DH
017F:004E3681 2007 AND [EDI],AL
017F:004E3683 0000 ADD [EAX],AL
017F:004E3685 1007 ADC [EDI],AL
017F:004E3687 008BFD2BBDAA ADD [EBX+AABD2BFD],CL
017F:004E368D 0000 ADD [EAX],AL
017F:004E368F 0089BDA60000 ADD [ECX+0000A6BD],CL
017F:004E3695 008BC7500340 ADD [EBX+400350C7],CL
017F:004E369B 3C05 CMP AL,05
017F:004E369D 800000 ADD BYTE PTR [EAX],00
017F:004E36A0 008B002B452A ADD [EBX+2A452B00],CL
017F:004E36A6 59 POP ECX
017F:004E36A7 740C JZ 004E36B5 /**important**/
017F:004E36A9 8BF7 MOV ESI,EDI
017F:004E36AB 8B7D32 MOV EDI,[EBP+32]
017F:004E36AE 03F8 ADD EDI,EAX
017F:004E36B0 8B4D2E MOV ECX,[EBP+2E]
017F:004E36B3 F3A4 REPZ MOVSB /**here the error comes**/
017F:004E36B5 61 POPAD


and above that error you can see a jz.. if you change that to jnz.. the app runs well.. use hiew... go to offset 4e36a7.. and change the encrypted hex 43 to 42.. and the app runs fine... hope this helped a little..


app unpacked now crack it :P

NeO'X'QuiCk
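
The decryption routine at 004E3700 in the listing above is small enough to model exactly. The following is an added example, not code from the thread, from Bit Arts or from any tool: it emulates the loop instruction by instruction (ECX from 0x5B down to 1, AL = [ESI+1] XOR CL, then two XORs on [EBX+ECX]) on a constructed buffer, and checks the algebraic point the listing does not spell out: the XOR with CL is applied twice to each byte and cancels, so the loop is a plain single-byte XOR with the key byte at [ESI+1] over the bytes EBX+1..EBX+0x5B, leaving the byte at EBX itself untouched. That matches the listing, where the JMP opcode EB at 004E3676 survives while its displacement changes from 27 to 10 (with EBP = 004E365A - 8, EBX = EBP+24 = 004E3676; that address arithmetic is derived from the listing, the buffer contents below are constructed).

```python
"""Emulation of the 0x5B-byte XOR loop at 004E3700 in NeO'X'QuiCk's listing.

Added example, not from the original thread or from Bit Arts. It models
the loop faithfully and shows it reduces to a single-byte XOR with the
key at [ESI+1] over mem[ebx+1 .. ebx+count]. SAMPLE_MEM is constructed.
"""


def titanium_style_xor_loop(mem: bytearray, ebx: int, esi: int, count: int = 0x5B) -> None:
    """Emulate: MOV ECX,count / MOV AL,[ESI+1] / XOR AL,CL / XOR [EBX+ECX],AL /
    XOR [EBX+ECX],CL / DEC ECX / JNZ. Touches mem[ebx+count] down to mem[ebx+1]."""
    ecx = count
    while True:
        al = mem[esi + 1]                 # MOV AL,[ESI+01]  (key byte)
        al ^= ecx & 0xFF                  # XOR AL,CL
        mem[ebx + ecx] ^= al              # XOR [EBX+ECX],AL
        mem[ebx + ecx] ^= ecx & 0xFF      # XOR [EBX+ECX],CL  (undoes the CL mixed into AL)
        ecx -= 1                          # DEC ECX
        if ecx == 0:                      # JNZ 004E3708
            break


def single_byte_xor(data: bytes, key: int) -> bytes:
    """Plain single-byte XOR; what the loop above is equivalent to."""
    return bytes(b ^ key for b in data)


def decrypt_region(mem: bytes, ebx: int, esi: int, count: int = 0x5B) -> bytes:
    """Run the emulated loop on a copy and return the bytes it touched, mem[ebx+1 .. ebx+count]."""
    work = bytearray(mem)
    titanium_style_xor_loop(work, ebx, esi, count)
    return bytes(work[ebx + 1: ebx + count + 1])


def loop_equals_single_byte_xor(mem: bytes, ebx: int, esi: int, count: int = 0x5B) -> bool:
    """True when the emulated loop and a plain XOR with mem[esi+1] agree on the region."""
    key = mem[esi + 1]
    plain_xor = single_byte_xor(bytes(mem[ebx + 1: ebx + count + 1]), key)
    return decrypt_region(mem, ebx, esi, count) == plain_xor


# Constructed sample memory: key byte at [ESI+1], an untouched marker byte at
# [EBX] (the JMP opcode in the listing), and 0x5B "plaintext" bytes XOR-encoded
# with the key at [EBX+1 ..].
KEY = 0x5A
PLAINTEXT = bytes(range(0x5B))
EBX, ESI = 0x10, 0x80
_mem = bytearray(0x100)
_mem[EBX] = 0xEB
_mem[EBX + 1: EBX + 1 + 0x5B] = single_byte_xor(PLAINTEXT, KEY)
_mem[ESI + 1] = KEY
SAMPLE_MEM = bytes(_mem)

if __name__ == "__main__":
    print(decrypt_region(SAMPLE_MEM, EBX, ESI) == PLAINTEXT)          # True
    print(loop_equals_single_byte_xor(SAMPLE_MEM, EBX, ESI))          # True
```

Because the two XORs with CL cancel, the effective strength of this layer is one key byte, which is why a single-byte brute force or a known-plaintext guess on the first decoded instruction recovers it; the counter-dependent instructions only make the disassembly look less regular than it is.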

NeO'X'QuiCk
July 25th, 2002, 03:13
ok I forgot to add one thing.. when I did this.. I opened the about box and got an error again..

module JJ_1.EXE at 017f:004e3011. So I traced until I got to..

017F:00448603 894650 MOV [ESI+50],EAX
017F:00448606 8B44240C MOV EAX,[ESP+0C]
017F:0044860A E802AA0900 CALL 004E3011 /*here the second error occurs*/
017F:0044860F 894E40 MOV [ESI+40],ECX
017F:00448612 8BC6 MOV EAX,ESI


this is also the decrypt routine.. but it's empty this time if you trace it,,
so I didn't want to lose time.. so I changed it to..

017F:0044860A 8BC8 MOV ECX,EAX
017F:0044860C 90 NOP
017F:0044860D 90 NOP
017F:0044860E 90 NOP
017F:0044860F 894E40 MOV [ESI+40],ECX

ok.. this is all done, I think all features are working,.. didn't test all yet.. but it's all good so far,,, so crack it now,,,


I wrote this because I am too lazy, and most ppl are, to make so many patches.. but the tut is great, it would be nice if he used more asm code so ppl get to see what is really going on...


And also I would like to add one thing: there should be more ppl like Heathcliff prepared to share info.. it's really rare these days..

Keep up the good work Heathcliff... you are on the right path !!


NeO'X'QuiCk

Heathcliff
July 25th, 2002, 11:38
Hi NeO'X'QuiCk,

I'm sorry to disappoint you, but the way you avoid the protections is NOT sufficient! I did not make about 30 patches just for the fun. They're all necessary! You only patched a few and sooner or later you will get more page faults when you use code where one of the other protection routines is called. The patch you made in the first message is alright, but it is not a general one. The way I described it in the tut is the way it always worx. You decoded the mid-section, patched the JZ to avoid the fuck-up code when the header check fails and then dumped it, right? But you would have to do it with all the routines in the reloc section and at the end of the text section. That's why I did the pattern search to find all the calls. The way you patched this routine worx for this one but not for all the routines. There are also routines that decrypt and encrypt parts of code in the text section, and the decryption key is calculated from some header values and can never be patched by just changing the JZ. You would have to run the original to see what values are used to decode the parts in the text section.

The patch you describe in the second message is not valid either. All of the 31 protection routines contain some code that is executed in the context of the caller. Actually this is the original code in the text section which is replaced by the call to the Titanium protection. There's always a piece of code with a length of 5 bytes. These are replaced by the relative call to the reloc section and then executed there in the encoded mid-section of the routine. To make this work all registers, flags and stack are restored to the state they were in BEFORE calling the protection routine. You would have to execute all routines manually to determine what commands were replaced by the call. These commands can always be identified, because they are just after the second POPFD in the decoded mid-section of the protection routine. That's what I did and those are all the patches. You can't just NOP them. Your program will get really unstable because it just misses some commands here and there.

I am still convinced that the way I described in the tut is the only way to successfully patch a Titanium-protected executable.

Keep up the worx!!

Heathcliff.

Pyrae
July 25th, 2002, 13:04
Another - probably quicker - way is to redirect the entry point to a small routine that restores the original header data (a very small inliner, the rest is "copy&paste"). As all those anti-dumping tricks rely on it, this is also a very safe way to circumvent the checks (just did it on Crunch4)...

Did anyone take a look at the filename check (bitarts_evaluation.exe) for files protected with demo versions of bi tarts stuff? They seem pretty strange 'cause they apparently don't use any file API (CreateFile, _lopen etc.) and some (random) filename characters may be changed without any influence - time for me to do some research...

so long, Pyrae

sandworm
July 25th, 2002, 13:35
pretty well thought zen cracking!!

By the way, Bit Arts' response will be to do some checks elsewhere or on the file size etc...
Sooner or later we will be obliged to do it the patching way

So I hope some good +hcukers will help him to write his tool to automate the patching process!!!

Heathcliff
July 25th, 2002, 13:36
Hi Pyrae,

I already tried that, exactly the way you describe it, but the header is in protected memory. If you write the original header you'll get a page fault. I don't know how to get past that. If there is a way to do that you've got around all the protection routines and just need the last patch to make it registered. Maybe you could tell me how to do that, if that's possible anyway (remember I'm a newbie!)

Greetz,
Heathcliff

sandworm
July 25th, 2002, 14:24
heathcliff,

I think it can be done with LordPE: just choose your section, click edit section header and change the flag (on some LordPE versions it is only possible for registered users, so download the last LordPE version, which is freeware, at www.protools.cjb.net)

is it what you've done Pyrae?

Heathcliff
July 25th, 2002, 14:40
Quote:
Originally posted by sandworm
heathcliff,

I think it can be done with LordPE: just choose your section, click edit section header and change the flag (on some LordPE versions it is only possible for registered users, so download the last LordPE version, which is freeware, at www.protools.cjb.net)

is it what you've done Pyrae?



Thanx for the tip, but it won't work. I've got LordPE latest version, but the header is not a section! You can't set flags for the header.

Greetz,
Heathcliff

Pyrae
July 25th, 2002, 17:07
I actually did the inliner on some other header-checking protector a while ago and only tested the Crunch stuff in SoftIce. IIRC, using (and importing) "VirtualProtectEx - WriteProcessMemory - VirtualProtectEx" has been sufficient to overwrite the header data. But I'll check...

+SplAj
July 27th, 2002, 19:37
CrunchV4 ..another 'all fur coat and no knickers' release from the Transvestites
================================================================================

Dump at OEiP (VA 428E3E)
Leave Entry Point as 0x148000 (VA 548000)
Set IT to E2000 and then delete the remnants of tity3 code at 0x148000 (yes ALL 0xFE000 bytes).

Insert 0x100 bytes for our use... we'll add a VirtualProtect call and set page 400000 to write access to fix all lame checks by Bi-Tarts Transvestite Perverts. No need to patch all those XOR checks

Now rip the REAL PE Header for 0x1000 bytes and paste it to offset 0x148100 (VA 548100)

Now add the following code :-
and type word 'VirtualProtect' into offset 0x148080

0167:00548000 55 PUSH EBP
0167:00548001 8BEC MOV EBP,ESP
0167:00548003 6874954B00 PUSH 004B9574 <-text 'KERNEL32'
0167:00548008 FF15D42E4E00 CALL [KERNEL32!GetModuleHandleA]
0167:0054800E 85C0 TEST EAX,EAX <-found Kernel32.dll?
0167:00548010 7443 JZ 00548055
0167:00548012 6880805400 PUSH 00548080 <-text 'VirtualProtect'
0167:00548017 50 PUSH EAX
0167:00548018 FF15E02E4E00 CALL [KERNEL32!GetProcAddress]
0167:0054801E 85C0 TEST EAX,EAX <- EAX holds address of VP
0167:00548020 7433 JZ 00548055
0167:00548022 A370805400 MOV [00548070],EAX <- store it
0167:00548027 90 NOP
0167:00548028 90 NOP <- A MISTAKE
0167:00548029 90 NOP
0167:0054802A 90 NOP
0167:0054802B 90 NOP
0167:0054802C 6A00 PUSH 00 <-now set write access page 400000
0167:0054802E 54 PUSH ESP
0167:0054802F 6A04 PUSH 04
0167:00548031 6800100000 PUSH 00001000
0167:00548036 6800004000 PUSH 00400000
0167:0054803B FFD0 CALL EAX <- Call VirtualProtect
0167:0054803D 85C0 TEST EAX,EAX <- 1/2 == Success
0167:0054803F 83C404 ADD ESP,04 <- reset Stack
0167:00548042 7411 JZ 00548055
0167:00548044 BE00815400 MOV ESI,00548100 <- now patch back original
0167:00548049 BF00004000 MOV EDI,00400000 <- header stored at 548100
0167:0054804E B900040000 MOV ECX,00000400
0167:00548053 F3A5 REPZ MOVSD
0167:00548055 E9E70DEEFF JMP 00428E41 <- lets jmp to oeip after 55 8B EC...

Now DONT change offset 0x3594 from 8BC6 TO 4090...AS THAT IS CRACKING

Have a nice summer...see ya'all in winter time.

Spl/\j
(c)2002

Exocist
August 5th, 2002, 10:36
it's been a pleasure reading this thread, Splaj... you rock dude, I applied your method today and learnt plenty! again you have taught me plenty

This routine will find its way into several of my projects

@Heathcliff

thanks for starting this thread dude, very enlightening

-Ex