
View Full Version : DVDXcopy 3.1 Removing "Features"


cHeCksUm
January 25th, 2003, 12:30
Hello,
Finally I had some time to practice some cracking and found (or rather bought) an interesting target: DVDXcopy. The program is packed but I cannot for my life figure out what program the author used... not that it mattered a great deal. Anyhow I have come as far as I can with this target until I have read more about the PE format and such, so that then I maybe can unpack it. This is what I have found so far if someone else is interested in looking at the target.

Well first of all I bought this program to try it out and I must admit it works quite well except for a certain number of annoying "features". First of all the program appends some silly text to the copied DVD... this I do not like. Second it will not let you copy the copy... of course I would NEVER do such a thing ... but it annoyed me none the less. And last but not least it has an irritating nag.

So I loaded up my favorite debugger and started working. It was clear from the beginning that the exe is packed. This wasn't much of a problem (at first) since I used the live approach to cracking it. Anyhow looking through the code I found all the licensing crap... but not the things I was after. So I traced around in the code and finally, a multitude of program restarts and many breakpoints later, I stumbled/arrived at the code I wanted. Seeing as how I am a newbie, I am not sure about this statement, but the program seems to be "double packed" or it only unpacks certain parts at a time. Could someone elaborate on exactly how this target is packed should you have worked on it. Anyhow once inside the right code the DVD backup copy crap and annoying text could be quickly removed. Now all I have to learn is memory patching and I'll be set... until then I guess I'll have to use some ready made loader/memory patcher. Actually I think memory patching will be the next thing I look at. Well if anyone needs help with this target feel free to ask and I will help as much as I can. Like I said above if anyone could elaborate on the packing method (or even just the name so I can read up on it) please post here. Thanks.

// cHeCksUm

squidge
January 25th, 2003, 14:42
Not sure what packer was used on this file, and whatever it was, it's got some kind of anti-dump protection which renders progs like LordPE unusable.

Does not seem to have anti-debug protection however, and so it's quite easy to dump the unpacked program using OllyDbg, fixup the IAT, and then begin working on the unpacked program.

I downloaded the "registered users only update" from their website, so hopefully this is the same version as you have. Just need to write some kind of keygen for it now as I ain't a registered user...


Edit:


Seems like this is no packer, but a license manager that adds its 180Kb stub onto the program to be protected. Anti-Dump and Anti-SoftIce, but not Anti-OllyDbg

Until a valid registration code is entered, I don't know the original entry point of the actual program, or have the correct import table, but I'm sure it can't be too hard to reverse the algo or patch the LM to find those...

nikolatesla20
January 25th, 2003, 18:11
I'll be looking at this for a little while just for the enjoyment.

Here's a report from Commview 4.0, which I also just finished

After you press the register button.

Code:

GET /solo/unlock/getcode.asp?LicenseID=2147483647&CustomerPW=YELLOW&code1=311097607&code2=4620484 HTTP/1.0
HOST: activate.321studio.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 25 Jan 2003 23:08:58 GMT
Connection: Keep-Alive
Content-Length: 478
Content-Type: text/html
Cache-control: private

<html>
<head>
<title>Customer Service | Unlock Key Results</title>
</head>
<script language="JavaScript">
<!--
function setfieldfocus(work)
{

}
//-->
</script>

<body bgcolor="#FFFFFF" onload="setfieldfocus()" link="#663399" alink="#663399" vlink="#663399" text="#000000">
<center><img src="solo/customer_top_01.gif">
<p><h2>Invalid Data Entered!<h2><p><input type=hidden value="Error Response = 100" id=hidden3 name=hidden3></center>
</body>
</html>



hehe. Might be able to just hack this by editing hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password")

-nt20

Js
January 25th, 2003, 18:16
Hiya,
version I did was sometime in dec 2002 so may have been updated
oeip 00443648.
iat 00[4]48000
Seem to recall bp on dialogparama or one of the dialogbox calls where you are asked to enter a code before it will even start, exits if you select cancel but returns to main code if you just use the close gadget so next time don't enter that call, I'm fairly sure a bp on GetProcAddress was enough to see where the APIs are being redirected and easily fixed. I know it's a bit sketchy but I didn't make many notes on this one. I got a working dump out of it and could maybe dig out the rv resolved text if it helps though obviously not allowed to post it here.

squidge
January 25th, 2003, 18:40
yup, been updated since then.

to be honest, not looked at this proggy till cHeCksUm posted about it. Seems that it could be pretty useful after it's had a few features removed

Don't know how it worked back in December, but it seems now that when the program loads up, it allocates a piece of memory, which then contains the license manager part of it, and it is this code that calls the original OEP. Only spent about 5 - 10 minutes on it so far, so stopped at the point where it calls the win32 dialog procedure.

Will take a look at the phone and web methods, and see if I can get it to go past the "enter your license" part, then hopefully will have a good OEP and IAT to play with

Must say though, I love how it uses SEH to move between the protection dialogs and check your activation codes

This is almost a proper license manager, none of that Crypkey crap

squidge
January 25th, 2003, 19:15
Quote:
Originally posted by nikolatesla20
hehe. Might be able to just hack this by editing hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password")

-nt20


Seems like the password length is variable - If you enter a single "1" for the password without a license ID, you get the "Enter activation code" rather than "Invalid/Incorrect Password". Entering another "1" in both boxes gets you "Invalid activation". So it seems everything is variable, and a single character is best to bypass most of the checks

nikolatesla20
January 25th, 2003, 19:20
hehe

dang can't concentrate on this right now - did 3 programs last night.

Well whatevah - tried a few eax edits and jump redirects, no where just yet.

-nt20

Iwarez
January 25th, 2003, 20:23
I passed through the license manager onto the OEP at 450114, could rebuild IAT but I fail to get a correct dump. Maybe someone here can help me on how to get a valid dump?

squidge
January 25th, 2003, 22:05
Well, I've dug up some information on this program from some foolish debugging strings that were left in the license manager. I suppose they thought it was ok to leave them in considering the code is compressed afterwards - do they think we don't check for this kind of stuff? Anyway...

This program is protected with SoftWareKey's ProtectionPlus system. You can download a demo of their software from their website, and the SDK manual is available for viewing online. I don't know if the demo is actually the SDK or not as I've not managed to connect to the ftp site as yet

The documentation alone however has told me what a number of the functions inside the manager are doing, which should be handy when it comes to keygen time - and it doesn't seem that difficult ! However, I think the best approach is to strip the program of this LM completely. Then we can start removing the features we don't want from it.

Ok, typical license manager. Replace the checking routine with "MOV EAX, 1; RET" and the program registers itself and never bothers you again with the "please register" nag screen. I thought this was going to be better than Crypkey for a minute then as well, but it turns out worse than some shareware programs

nikolatesla20
January 26th, 2003, 02:07
haven't found the place for that mov eax,1 yet but I did find this string whilst memory fishing

nowizdatymeferallgudmenstocumtwodaateofdarekuntry


pretty funny huh

-nt20

squidge
January 26th, 2003, 07:57
Doesn't make a whole lot of sense, but pretty funny none the less!

The place to put the MOV EAX, 1; RETN is in the SEH handler after the DialogBoxParamA call and the call to pp_tcode. Basically I've looked at the SDK docs, and this function needs to return a valid number in EAX between 1 and 50 to say the activation number and license you entered is valid, and a zero return is invalid. So just make it return 1 in your debugger (no need to modify the exe on disk) and it'll register itself forever. The code doesn't seem to be ever called again after the first run

So hopefully today I can easily find the OEP and reconstruct the import table, then patch this muther

+SplAj
January 26th, 2003, 07:59
version 3.1 wtf

u mean 1.31 ? :-

DvdXcopy v1.3.1 *INCL KEYMAKER* Cracked by....: tam Release-Name..: CR-DV131.ZIP
Supplied......: CORE
Release-Date..: 01/08/2003

don't waste yer time lads....

Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!

bwaaaa.

Squidge I am interested in CrapKey6 detail.......

wtf did u do with their *lame* API name scrambler and wtf did u do about *rally lame* Int3 debug/debugee Armadillo clone.

All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P

squidge
January 26th, 2003, 09:13
Quote:
Originally posted by +SplAj
version 3.1 wtf

u mean 1.31 ? :-

DvdXcopy v1.3.1 *INCL KEYMAKER* Cracked by....: tam Release-Name..: CR-DV131.ZIP
Supplied......: CORE
Release-Date..: 01/08/2003

don't waste yer time lads....


+SplAj,

Registering the program seems to be the easy part. I now want to remove the license manager from the code completely, so we can change a few things in the way it operates. I think the version released by Core is just a keygen/hack ?


Quote:
Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!


Apparently this version is "all our own work". Apart from they use Nero and Gear DLLs. No shareware/freeware apps here. Or so they say...

Quote:

Squidge I am interested in CrapKey6 detail.......

wtf did u do with their *lame* API name scrambler and wtf did u do about *rally lame* Int3 debug/debugee Armadillo clone.


Their name scrambler is just a simple XOR which I wrote a builder prog for descrambling. It finds the two parts of the import table, combines them together and then decrypts the names using simple XOR. The resulting file can then be placed into the program.

Their Armadillo clone INT 3 stuff was even easier - when the program is unpacked, there's a load of data before the exe, this contains pointers and lengths to each part of the program - so my prog just grabs all of them and combines them together. Since these are unpacked onto a layer of INT 3 calls, my prog simply overwrites all the INT 3's with the original code. The result is that you don't need the loader anymore

After that, it was a simple matter of generating a sig file, and replacing the crypkey functions so the program was authorised without having to reg it.

If you want my name descrambler and/or prog builder, just ask. They are by no means standalone, and you still need to do a fair amount of debugging and the like yourself - I don't think there are enough programs out there yet to make it all in one.

Quote:

All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P


Yup, waiting for a prog with some real protection eh?

+SplAj
January 26th, 2003, 09:28
Squidge

yup, did that, coded a simple app to 'decrypt' the .code section from debug dump (with nice array of pointer buffered with 00 / 01 ) and paste to dumped exe and also xor the api names....I thought about selling it....maybe $999 but maybe your version is cheaper

Yup the core is just a keymaker... did not try it yet .... i'm gonna take the stuff home..

later

Spl/\j

btw (*)(*) free pron at woodmanns ....

cHeCksUm
January 26th, 2003, 09:40
@+SplAj
> Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!

No actually they have the author of Ifoedit working on the program now. Before it was seriously bloated at like 24MB but as soon as they hired him they got it down to the size it is now.... makes you wonder what the hell they did in the first place . It works rather well except for the annoying "features" I mentioned before... but they are gone now. The program never uses DivX or the like as the DVD is copied not ripped and compressed, hence no loss in quality etc. It keeps it in MPEG2.0. However the price is steep... but hey what can one do.

About the keygen. I saw it too... but it didn't really meet my needs as I am licensed... I wouldn't ever have looked at the target if it wasn't for the annoying "Cannot copy a copy" crap they have added to the program. You want to know the really funny thing? They argued in their defence (to MPAA) that it could not be used to pirate DVD's because the copies of the original would be encrypted... hahahaha... yeah right... only a silly check which is easily bypassed and you're home free to copy the backup... and its backup and on and on... well you get the point .

Back to the target. I have installed the thing on another computer to crack it from virgin condition without registration. I'll post my findings later as I am in a bit of a hurry.

@nikolatesla20

>nowizdatymeferallgudmenstocumtwodaateofdarekuntry

Hehe... that is quite funny.


// cHeCksUm

squidge
January 26th, 2003, 09:50
cHeCksUm : Well done, if you crack it from virgin PC, then there's no possibility of any watermarking features being placed in the copy. Although I think the only possible "watermarking" they do is perhaps add another file to the disk. Like they say, the video is not de/re-compressed, so can't really be watermarked can it ?

Better be safe though really and use a bogus license key

BTW, how did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of its license manager first and patch the actual exe file on disk?

nikolatesla20
January 26th, 2003, 14:06
Well I feel retarded, I managed to get to the "Accept license agreement" dialog, but when I click accept, the main window comes up and then disappears right away - so I apparently haven't found the right spot yet for the mov eax, 1 :P

Some days I'm on, and other days I can't get anywhere heh. Not in code mode this weekend I guess


-nt20

squidge
January 26th, 2003, 14:23
big hint: to find the correct place to put the mov eax, 1, all you need to do is look for the debug text

Actually, you don't even need to overwrite the code, just let the routine run and modify the value of eax after the call, as it seems that part of code is never run again anyway

cHeCksUm
January 26th, 2003, 17:10
Quote:
Originally posted by squidge
BTW, How did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of it's license manager first and patch the actually exe file on disk?


Well at the moment I am using a loader. But I will try to strip the program completely as I think I could learn a lot in doing so. Finding the right place for the nag about the "Can't copy a copy" and disabling it wasn't hard. DVDXcopy adds a file to the DVD (the file is in the program directory and can be edited to one's liking). It also adds a "watermark" to this file with program name, version and date as well as a string of characters. Other than that the copy is not watermarked in any way (well that I could find... and trust me I searched for it ). Well I got home late so I don't have any time to work on it today. I'll look more at it tomorrow. Tonight it's back to another target.... legato networker... blah... I've been working on it for like three months (well not constantly but still) and I have got it to accept any activation code (that was really easy) but I still need to figure out how it generates the damn hostid to be able to make it accept keys for any machine. Then I have to do the same for the Solaris version.... hehe at least I have something to do tonight .

// cHeCksUm

squidge
January 26th, 2003, 18:33
Well I backed up a DVD using the program, and noticed the extra file it placed on the disk. I was going to hack it in a different way to what you mention however - instead of looking for the "you can't copy a copy" text, I was going to see how difficult it would be to get the program not to write that text file in the first place.

Also, do you know if there is a way of getting the program to write at 1x instead of 2x to dvd media?

Sounds like your diary however is pretty much booked up for the rest of the week to say the least

nikolatesla20
January 26th, 2003, 20:22
I have to say I am only interested in this program to "dump" it and practice another license manager.

to copy DVD's I just use freeware tools :

DVDdecrypter
IFOEdit
ImgTools

And HP RecordNow with a Sony MRU500A DVD Burner.

Works like a charm.

Used DVD+RW Sony media, works in both XBox and PS2 dvd players.



-nt20

squidge
January 27th, 2003, 01:10
Must say, I'm only really interested in the protection also, but playing with it, it does seem to make doing DVD a little easier instead of using lots of different software, and I'm all for that

nikolatesla20
January 27th, 2003, 15:40
Still, I have trubble with this thing! hehehehehe I feel stoopid

For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

Code:

public pp_tcode
seg000:30D33513 pp_tcode proc near ; CODE XREF: seg000:30D247D4p
seg000:30D33513 ; pp_eztrig1ex+19p ...
seg000:30D33513
seg000:30D33513 arg_0 = dword ptr 8
seg000:30D33513 arg_4 = dword ptr 0Ch
seg000:30D33513 arg_8 = dword ptr 10h
seg000:30D33513 arg_C = dword ptr 14h
seg000:30D33513
seg000:30D33513 push ebp
seg000:30D33514 mov ebp, esp
seg000:30D33516 push esi
seg000:30D33517 mov esi, [ebp+arg_C]
seg000:30D3351A add esi, 34h
seg000:30D3351D cmp [ebp+arg_8], 1
seg000:30D33521 jge short loc_30D3352A
seg000:30D33523 mov [ebp+arg_8], 1
seg000:30D3352A
seg000:30D3352A loc_30D3352A: ; CODE XREF: pp_tcode+Ej
seg000:30D3352A mov eax, [ebp+arg_4]
seg000:30D3352D xor edx, edx
seg000:30D3352F mov ecx, eax
seg000:30D33531 push ebx
seg000:30D33532 sar ecx, 0Fh
seg000:30D33535 mov dh, ch
seg000:30D33537 mov ecx, eax
seg000:30D33539 sar ecx, 13h
seg000:30D3353C mov ebx, eax
seg000:30D3353E and ecx, 0Fh
seg000:30D33541 sar ebx, 8
seg000:30D33544 mov dl, al
seg000:30D33546 add ecx, 1FEh
seg000:30D3354C and ebx, 1Fh
seg000:30D3354F imul ecx, 108h
seg000:30D33555 sar eax, 0Dh
seg000:30D33558 imul ebx, 0F3h
seg000:30D3355E and eax, 3Fh
seg000:30D33561 add ecx, ebx
seg000:30D33563 imul eax, 44h
seg000:30D33566 add ecx, eax
seg000:30D33568 lea eax, [edx+esi*2]
seg000:30D3356B mov ebx, esi
seg000:30D3356D push 1
seg000:30D3356F add ebx, eax
seg000:30D33571 pop eax
seg000:30D33572 add ebx, [ebp+arg_8]
seg000:30D33575 lea edx, [edx+ebx*2]
seg000:30D33578 pop ebx
seg000:30D33579 add edx, esi
seg000:30D3357B lea esi, [ecx+ecx]
seg000:30D3357E imul ecx, 1Fh
seg000:30D33581 add ecx, edx
seg000:30D33583
seg000:30D33583 loc_30D33583: ; CODE XREF: pp_tcode+83j
seg000:30D33583 mov edx, ecx
seg000:30D33585 and edx, 7FFFFFFFh
seg000:30D3358B cmp edx, [ebp+arg_0]
seg000:30D3358E jz short loc_30D3359A
seg000:30D33590 inc eax
seg000:30D33591 add ecx, esi
seg000:30D33593 cmp eax, 32h
seg000:30D33596 jle short loc_30D33583
seg000:30D33598 xor eax, eax
seg000:30D3359A
seg000:30D3359A loc_30D3359A: ; CODE XREF: pp_tcode+7Bj
seg000:30D3359A pop esi
seg000:30D3359B pop ebp
seg000:30D3359C retn 10h
seg000:30D3359C pp_tcode endp
seg000:30D3359C

Kinda simple I guess.

-nt20

squidge
January 27th, 2003, 17:19
yup, so all you have to do is find code that is very similar to that and force it to return 1.

can't describe it in too much detail, otherwise the mods will be on my back for publishing an out-and-out crack but trace through the prog until it jumps into the memory it allocates beforehand. Set a breakpoint on the RaiseException API call, set another breakpoint on the exception handler pointed to in the SEH entry on the stack. Continue the program and pass the exception through to it. You'll now land in the exception handling code. Shortly after the DialogBoxParamA, you see code like the code you posted above. Mod it and you're done

Can't really explain it much more than that.

squidge
January 27th, 2003, 17:27
What you posted will be like the following (bit easier to follow)

eax = edx;
ecx = edx;
edx = edx & 516096;
eax = eax & 7864320;
edx = edx / 8192;
eax = eax / 524288;
edx = edx + 1980;
edx = edx * 68;
eax = eax * 264;
edx = edx + eax;
eax = ecx;
eax = eax & 7936;
eax = eax / 256;
eax = eax * 243;
esi = edx + eax;
edx = ecx;
edx = edx & 2139095040;
ecx = ecx & 255;
edx = edx / 32768;
eax = 6621511;
edx = edx + ecx;
edx = edx * 3;
eax = eax * 7;
edi = edi * 2;
edi = edi + edx;
edx = esi;
ecx = edi + eax;
edx = edx * 31;
edi = edx + ecx;
ecx = esi * 2;
edx = edi;
edx = edx & 2147483647;

/*
Now we add the loop to get the 3rd value.
*/

for (int i=0; i < 3; i++) {
edi = edi + ecx;
edx = edi;
edx = edx & 2147483647;
}

Author of that was Crackz, although I can't say which program it's for because of obvious reasons...

Quote:
Originally posted by nikolatesla20
Still, I have trubble with this thing! hehehehehe I feel stoopid

For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

Code:

public pp_tcode

<<<snip>>>

Kinda simple I guess.

-nt20

nikolatesla20
January 27th, 2003, 18:01
Just out of curiosity, are you using OllyDbg?


HAAH I am using Olly now and now I see the debug strings you were talking about !


OK I finally got it. Actually, I had it at home already too, but the main window wouldn't stay up for some reason - notice it won't let you run without a DVD drive anyway.

-nt20

nikolatesla20
January 27th, 2003, 18:19
Since this is an MFC application,

the first call will be to msvcrt.__set_app_type

put a bpx on that and run it. (remember to load msvcrt.dll with symbol loader)

Scroll up, your OEP is 00443648.



ImpREC recovers almost all the table.

-nt20

nikolatesla20
January 27th, 2003, 18:49
I'm done.


It's unpacked and running like a baby. Bye bye license manager.

I knew I could unpack it quickly ( unpacking has become my specialty lately, since I do it so much I've gotten fairly good at it) , as long as I could get the program to run, which was what I was having problems with.

Thanks squidge.

Anyone wants a nice unpacked file....... j/k.....or am i....

-nt20

squidge
January 27th, 2003, 19:00
No probs m8, I enjoy helping people that are willing to learn

Yeah, I use OllyDbg a lot, I find it very handy for this kind of work. Must say it was kind of silly for SoftwareKey to put that piece of debug text in there, it made it slightly easier.

I've put it aside now for the time being whilst I look at another application that I'm very interested in. The author decided to protect it with ASProtect, hopefully it won't take long to remove the ASProtect and find out how the program works itself. If it works out as good as I think it will, it could mean junking dvdxcopy.

cHeCksUm
January 28th, 2003, 12:03
@nikolatesla20:

Well done. Cracking it was easy but I am new to unpacking so I am having some troubles. Could you just post a brief description of how you went about doing it. I am not asking for anything specific, just the general gist. Appreciate any help. Thanks.

// cHeCksUm

nikolatesla20
January 28th, 2003, 13:28
OK

First we want to get the program's OEP. But of course first it has to run! So the first task was to get the program to run, which I finally did *durr to me*.

Then we want to get OEP. Notice that the program is MFC program (imports mfc42.dll). All MFC programs start with __set_app_type after the OEP. So we can put a breakpoint on that routine and run the program. After the license manager runs and jumps to the real program, we will land on our breakpoint.

Now we are about 6 lines down from the OEP (by the way, write down the OEP for later use), no major code has taken place. In other words, there haven't been any variables initialized, etc. So we can dump right from here. In SoftICE we can assemble the current instruction so it loops on itself ("a eip <enter> jmp eip <enter>"). Now the program is frozen in an infinite loop. Make sure you write down what the 2 bytes are at EIP's location first, so you can restore them later, after dumping. (do a "db eip" and write down the first two bytes you see).

Exit SoftICE and fire up LordPE and select the DVDXCopy process. When you do so, notice one small "error". DVDXCopy reports its image size as 1000. That's wrong. It's a trick. Right click and select "correct ImageSize". LordPE will fix it. Now do a full dump. Remember that infinite loop you made? You have to go in with a Hex Editor later and restore those bytes you overwrote. (2 bytes)

Now we have to fix 2 things about the dump. Notice it does not have an icon. This is because the last section is incorrect. Open up the dumped.exe in LordPE or PEditor and go to the section editor. The last section shows 00000000 as the RawSize and VirtualSize. This is wrong. Fix it (ImageSize says 7D000, last section's size should be 1A000 for both Raw and Virtual). Hey, your icon is back now

Now you get to restore the imports.

How do we know where they are in the program when in memory? Easy. Disasm the dumped.exe you have now. Go to the entry point. Remember, about 6 - 10 lines down is the __set_app_type call. This is an import, so you will see the call dword ptr [xxxxxxxx]. The xxxxxxxx is where the first thunk is, which can never change. Which means in memory the IAT is in this area!

Run the program again and go into SoftICE and go to the IAT area. Scroll up and down both and get the IAT start and what you think the length is. Write it down.

Fire up ImpREC and select the process, type in the OEP, the IAT start, and IAT length and "Get Imports", and then "Autotrace". ImpREC gets almost everything in one pass, just like 14 or so not done yet. You can do these manually in SoftICE by going to the memory area ImpREC says the import is at and "u <import address>" to see what the code says. I found most of them were simple "mov eax, GetDlgItemInt ; push eax, ret". So there you have your import. Depending on how good your guess was at the IAT length, you might end up with junk thunks on the end of the tree. You can cut these off. You'll know if they are junk if they don't reference a higher memory area like the other unresolved calls do.

Leave "add a section" checked and press "Fix Dump" and voilà, you are done.

-nt20

Iwarez
January 28th, 2003, 14:17
Man! Have I learned something! Now it works perfectly, thanks nikolatesla20. I've tried everything to get the dump working, but I failed to notice the last section was incorrectly sized. DUH!!! It works now so I can delete it. Nice practice.

cHeCksUm
January 28th, 2003, 14:56
@nikolatesla20:
Thank you very much. A thorough explanation. I had got so far as to get the OEP... that wasn't a problem, I simply traced with Ollydbg until it gave an "error message", noted the call I was on and then did that again, this time breaking on the call and so forth until I got to the OEP (this is how I cracked the "cannot copy copy" crap and the file it places on the DVD). I then read two tutes (+HCU tute and one more on manual unpacking) and managed to dump each section using ollydbg, but they dumped into .mem files (although I changed them to exe) and I wasn't sure how to go about rebuilding them (is that even possible!?). I will read through your comments again and see if I can do the same using other tools (mainly thinking of using Olly instead of softice) that way I at least have to engage my brain a little and not just be spoon fed .... Anyhow I REALLY appreciate the help. Thanks.

// cHeCksUm

squidge
January 28th, 2003, 17:37
To make an exe file with Olly - save each memory block as a .mem file. Combine them together with the dos command copy:

copy /b part1.mem + /b part2.mem + /b part3.mem prog.exe

where prog.exe is the output file and the rest are your inputs.

Now you need to fix PE header (rs=vs, etc) and generate a valid import table.

Overall, it's much easier to pause the program with olly, and then dump it with LordPE. But the olly way is good to learn - as lordpe may not always work.
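Added example, not code from this thread or from LordPE/ImpREC/OllyDbg: a small Python checker for the two section-header defects the posts above describe in a memory dump (a SizeOfImage deliberately reported far too small, and a last section whose RawSize and VirtualSize were zeroed so the resources/icon vanish), plus the rs=vs rule squidge mentions. The sample images are constructed inline; the section layout and the 0x7D000 / 0x1A000 figures follow the thread, everything else (section names, addresses, the repair order) is an assumption for illustration.

```python
"""Sanity-check and repair section headers of a PE32 image dumped from memory.

Added example for this thread. The sample images are constructed here; the
0x7D000 image size and the 0x1A000 last-section size come from the posts,
the section names and addresses are hypothetical.
"""
import struct

COFF_HDR = struct.Struct("<HHIIIHH")      # IMAGE_FILE_HEADER (20 bytes)
SECT_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
OPT_SIZE = 224                            # PE32 optional header size
OPT_SECTION_ALIGN = 32                    # field offsets inside the optional header
OPT_SIZE_OF_IMAGE = 56
# section-header field offsets written by each kind of repair
REPAIR_FIELDS = {"last_section_size": (8, 16), "raw_size": (16,), "raw_pointer": (20,)}


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_dump(size_of_image, last_section_sizes, data_raw_size):
    """Constructed minimal PE32 image laid out like a LordPE-style memory dump."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData (hypothetical)
        (b".text", 0x4F000, 0x01000, 0x4F000),
        (b".rdata", 0x0C000, 0x50000, 0x0C000),
        (b".data", 0x07000, 0x5C000, data_raw_size),
        (b".rsrc", last_section_sizes[0], 0x63000, last_section_sizes[1]),
    ]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x0102)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, OPT_SECTION_ALIGN + 4, 0x1000)   # FileAlignment
    struct.pack_into("<I", opt, OPT_SIZE_OF_IMAGE, size_of_image)
    table = b"".join(  # in a memory dump PointerToRawData == VirtualAddress
        SECT_HDR.pack(name.ljust(8, b"\0"), vsize, va, raw, va, 0, 0, 0, 0, 0x60000020)
        for name, vsize, va, raw in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_headers(data):
    """Return SizeOfImage, SectionAlignment and the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, coff_off)
    opt_off = coff_off + COFF_HDR.size
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + i * SECT_HDR.size
        name, vsize, va, raw, ptr, *_ = SECT_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "raw": raw, "ptr": ptr, "off": off})
    return {"opt_off": opt_off,
            "section_alignment": struct.unpack_from("<I", data, opt_off + OPT_SECTION_ALIGN)[0],
            "size_of_image": struct.unpack_from("<I", data, opt_off + OPT_SIZE_OF_IMAGE)[0],
            "sections": sections}


def plan_repairs(data):
    """List (kind, section name, new value) fixes needed before the dump is usable."""
    hdr = parse_headers(data)
    secs, align, image_size = hdr["sections"], hdr["section_alignment"], hdr["size_of_image"]
    plan = []
    last = secs[-1]
    if last["vsize"] == 0 and last["raw"] == 0 and image_size > last["va"]:
        # zeroed last section: its real extent runs to the end of the image
        secs[-1] = last = dict(last, vsize=image_size - last["va"], raw=image_size - last["va"])
        plan.append(("last_section_size", last["name"], last["vsize"]))
    for s in secs:
        if s["raw"] != s["vsize"]:      # rs=vs: dump is already in virtual layout
            plan.append(("raw_size", s["name"], s["vsize"]))
        if s["ptr"] != s["va"]:         # same reason: file offset must equal RVA
            plan.append(("raw_pointer", s["name"], s["va"]))
    end = align_up(max(s["va"] + s["vsize"] for s in secs), align)
    if image_size < end:                # the under-reported SizeOfImage trick
        plan.append(("size_of_image", None, end))
    return plan


def repair_dump(data):
    """Apply plan_repairs() to a copy of the image and return the patched bytes."""
    out = bytearray(data)
    hdr = parse_headers(data)
    by_name = {s["name"]: s["off"] for s in hdr["sections"]}
    for kind, name, value in plan_repairs(data):
        if kind == "size_of_image":
            struct.pack_into("<I", out, hdr["opt_off"] + OPT_SIZE_OF_IMAGE, value)
        else:
            for field_off in REPAIR_FIELDS[kind]:
                struct.pack_into("<I", out, by_name[name] + field_off, value)
    return bytes(out)


if __name__ == "__main__":
    for kind, name, value in plan_repairs(build_sample_dump(0x7D000, (0, 0), 0x6A00)):
        print(f"{kind:18} {name or '-':8} -> {value:#x}")
```

Run it on a real dump by replacing the constructed sample with `open("dumped.exe", "rb").read()`; the repair order matters, because the zeroed last section is sized from SizeOfImage, so a dump that has both that defect and a lying SizeOfImage needs the image size corrected from a section map taken in the debugger first (the plan leaves such a section alone rather than guess).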

Iwarez
January 29th, 2003, 02:02
There is also a plugin for olly called ollydump. Works good.

cHeCksUm
March 27th, 2003, 16:25
For anyone who found the last version challenging and would like to take the next step, 1.5 is out. A little more effort on the authors' part (more anti-debugging) yet still a lot the same. Good practice anyhow. It almost seems as if they read our posts on this board and then changed the protection scheme... I mean like not prompting for non-backup disk etc. hehe. The authors seem to be spending a little too much time concentrating on the protection when they should be ironing out the bugs... I mean I paid 99USD for a program to backup my DVD's... not for cracking practice on how to remove unwanted features . Oh well.. c'est la vie. Time to get fresh with networker 7... wonder if they bothered updating their protection scheme, and then I need to look at cluster server for Solaris, and samfs. and.... and... well I got my weekend all mapped out (no really I do have a life). Later boys and girls... and happy cracking to all.

// cHeCksUm

squidge
March 27th, 2003, 18:29
Heh, happy cracking cHeCksUm, seems like you got your weekend all sorted out

Myself, I'm moving away from cracking and doing more RE work and finding out exactly how things work, and also putting a lot more effort into my own tools for that very job.

Really can't be bothered to do the latest version as I don't like using two disks per film, so I just use a hacked up version of dvd95copy that'll put every film onto a single DVD-R rather than 2 (I've no interest in the extras, see).

cHeCksUm
March 28th, 2003, 07:07
I think I'll stick to cracking until I am a bit more experienced. Then I might look at RE in a more general sense. I started looking more at programming again though, mainly perl but I am planning on dusting off the old ASM books . Maybe I'll also look at C again but 99% of my work is on ?nix (and mostly constitutes text-filtering of some sort) so Perl really fits the bill and that is my main language of choice.

I really don't care that much about the extras either but I like the one button simplicity of DVDXcopy. Most of all I am just pissed that the programmers are trying to restrict what dvd's I can or cannot copy... that I do not like .

Well good luck with the tools... maybe we'll see, and use, some of them on the net .

// cHeCksUm

the_analyst
March 28th, 2003, 10:16
Hello,

I have an application that is supposed to be protected by
Protection Plus.
I suppose it's the same target, but there wasn't any License Manager part in it. Just the wrapper apparently.
Or it's another product from the same company.

It's basically the same as ASProtect, but easier.
If anyone wants to try his hand on it (it's NOT the site of the company, some guy hosts it on his personal web site because he is studying the protection on a forum)
here is the url:

h**p://hiacelee.free.fr/pe/AVTEval30a94setup.exe

Have fun