Log in

View Full Version : DVDXcopy 3.1 Removing "Features"

cHeCksUm
January 25th, 2003, 12:30
Hello,
Finally I had some time to practice some cracking and found (or rather bought) an interesting target; DVDXcopy. The program is packed but I cannot for my life figure out what program the author used... not that it mattered a great deal. Anyhow I have come as far as I can with this target until I have read more about PE format and such so that then I maybe can unpack it. This is what I have found so far if someone else is interested in looking at the target.

Well first of all I bought this program to try it out and I must admit it works quite well except for a certain number of annoying "features". First of all the program appends some silly text to the copied DVD... this I do not like. Second it will not let you copy the copy... of course I would NEVER do such a thing ... but it annoyed me none the less. And last but not least it has an irritating nag.

So I loaded up my favorite debugger and started working. It was clear from the begining that the exe is packed. This wasn't much of a problem (at first) since I used the live approach to cracking it. Anyhow looking through the code I found all the licensing crap... but not the things I was after. So I traced around in the code and finally, a multitude of program restarts and many breakpoints later, I stumbled/arrived at the code I wanted. Seeing as how I am a newbie, I am not sure about this statement, but the program seems to be "double packed" or it only unpacks certain parts at a time. Could someone elborate on exactly how this target is packed should you or have you worked on it. Anyhow once inside the right code the DVD backup copy crap and annoying text could be quickly removed. Now since all I ahve to learn is memory patching and I'll be set ... until then I guess I'll have to use some ready made loader/memory patcher. Actually I think memory patching will be the next thing I look at. Well if anyone needs help with this target feel free to ask and I will help as much as I can. Like I said above if anyone could elaborate on the packing method (or even just the name so I can read up on it) please post here. Thanks.

// cHeCksUm
squidge
January 25th, 2003, 14:42
Not sure what packer was used on this file, and whatever it was, it's got some kind of anti-dump protection which renders progs like LordPE unusable.

Does not seem to have anti-debug protection however, and so it's quite easy to dump the unpacked program using OllyDbg, fixup the IAT, and then begin working on the unpacked program.

I downloaded the "registered users only update" from there website, so hopefully this is the same version as you have. Just need to write some kind of keygen for it now as I aint a registered user...


Edit:


Seems like this is no packer, but a license manager that adds it's 180Kb stub onto the program to be protected. Anti-Dump and Anti-SoftIce, but not Anti-OllyDbg

Until a valid registration code is entered, I don't know the original entry point of the actual program, or have the correct import table, but I'm sure it can't be too hard to reverse the algo or patch the LM to find those...
nikolatesla20
January 25th, 2003, 18:11
I'll be looking at this for a little while just for the enjoyment.

Here's a report from Commview 4.0, which I also just finished

After you press the register button.

Code:


GET /solo/unlock/getcode.asp?LicenseID=2147483647&CustomerPW=YELLOW&code1=311097607&code2=4620484 HTTP/1.0

HOST: activate.321studio.com



HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0

Date: Sat, 25 Jan 2003 23:08:58 GMT

Connection: Keep-Alive

Content-Length: 478

Content-Type: text/html

Cache-control: private



<html>

<head>

<title>Customer Service | Unlock Key Results</title>

</head>

<script language="JavaScript">

<!--

function setfieldfocus(work)

{



}

//-->

</script>



<body bgcolor="#FFFFFF" onload="setfieldfocus()" link="#663399" alink="#663399" vlink="#663399" text="#000000">

<center><img src="solo/customer_top_01.gif">

<p><h2>Invalid Data Entered!<h2><p><input type=hidden value="Error Response = 100" id=hidden3 name=hidden3></center>

</body>

</html>


hehe. Might be able to just hack this by editing hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password"

-nt20
Js
January 25th, 2003, 18:16
Hiya,
version I did was sometime in dec 2002 so may have been updated
oeip 00443648.
iat 00[4]48000
Seem to recall bp on dialogparama or one of dialogbox calls where you are asked to enter a code before it will even start, exit's if you select cancel but returns to main code if you just use the close gadget so next time don't enter that call, I'm fairly sure a bp on Getprocaddress was enough to see where the api's are being redirected and easily fixed. I know its a bit sketchy but I didn't make many notes on this one. I got a working dump out of it and could maybe dig out the rv resolved text if it helps though obviously not allowed to post it here.
squidge
January 25th, 2003, 18:40
yup, been updated since then.

to be honest, not looked at this proggy till cHeCksUm posted about it. Seems that it could be pretty useful after it's had a few features removed

Don't know how it worked back in december, but it seems now that when the program loads up, it allocated a piece of memory, which then contains the license manager part of it, and it is this code that calls the original OEP. Only spent about 5 - 10 minutes on it so far, so stopped at the point where it calls the win32 dialog procedure.

Will take a look at the phone and web methods, and see if I can get it to go past the "enter your license" part, then hopefully will have a good OEP and IAT to play with

Must say though, I love how it uses SEH to move between the protection dialogs and check your activation codes

This is almost a proper license manager, none of that Crypkey crap
squidge
January 25th, 2003, 19:15
Quote:
Originally posted by nikolatesla20
hehe. Might be able to just hack this by editing hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password"

-nt20


Seems like the password length is variable - If you enter a single "1" for the password without a license ID, you get the "Enter activation code" rather than "Invalid/Incorrect Password". Entering another "1" in both boxes gets you "Invalid activation". So it's seems everything is variable, and a single character is best to bypass most of the checks
nikolatesla20
January 25th, 2003, 19:20
hehe

dang can't concentrate on this right now - did 3 programs last night.

Well whatevah - tried a few eax edits and jump redirects, no where just yet.

-nt20
Iwarez
January 25th, 2003, 20:23
I passed through the license manager onto the OEP at 450114, could rebuild IAT but I fail to get a correct dump. Maybe someone here can help me on how to get a valid dump?
squidge
January 25th, 2003, 22:05
Well, I've digged up some information on this program from some foolish debugging strings that were left in the license manager. I suppose they thought it was ok to leave them in considering the code is compressed afterwards - do they think we don't check for this kind of stuff? Anyway...

This program is protected with SoftWareKey's ProtectionPlus system. You can download a demo of there software from there website, and the SDK manual is available for viewing online I don't know if the demo is actually the SDK or not as I've not managed to connect to the ftp site as yet

The documentation alone however has told me what a number of the functions inside the manager are doing however, which should be handy when it comes to keygen time - and it doesn't seem that difficult ! However, I think the best approach is to strip the program of this LM completely. Then we can start removing the features we don't want from it.

Ok, typical license manager. Replace the checking routine with "MOV EAX, 1; RET" and the program registers itself and never bothers you again with the "please register" nag screen. I thought this was going to be better than Crypkey for a minute then as well, but it turns out worse than some shareware programs
nikolatesla20
January 26th, 2003, 02:07
havent found the place for that mov eax,1 yet but I did find this string whilst memory fishing

nowizdatymeferallgudmenstocumtwodaateofdarekuntry


pretty funny huh

-nt20
squidge
January 26th, 2003, 07:57
Doesn't make a whole lot of sense, but pretty funny none the less!

The place to put the MOV EAX, 1; RETN is in the SEH handler after the DialogBoxParamA call and the call to pp_tcode. Basically I've looked at the SDK docs, and this function needs to return a valid number in EAX between 1 and 50 to say the activation number and license you entered is valid, and a zero return is invalid. So just make it return 1 in your debugger (no need to modify the exe on disk) and it'll register itself forever. The code doesn't seem to be ever called again after the first run

So hopefully today I can easily find the OEP and reconstruct the import table, then patch this muther
+SplAj
January 26th, 2003, 07:59
version 3.1 wtf

u mean 1.31 ? :-

DvdXcopy v1.3.1 *INCL KEYMAKER*þ Cracked by....: tam Release-Name..: CR-DV131.ZIP
Supplied......: CORE
Release-Date..: 01/08/2003

don't waste yer time lads....

Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!

bwaaaa.

Squidge I am interested in CrapKey6 detail.......

wtf did u do with their *lame* API name scrambler and wtf did u do about *rally lame* Int3 debug/debugee Armadillo clone.

All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P
squidge
January 26th, 2003, 09:13
Quote:
Originally posted by +SplAj
version 3.1 wtf

u mean 1.31 ? :-

DvdXcopy v1.3.1 *INCL KEYMAKER*þ Cracked by....: tam Release-Name..: CR-DV131.ZIP
Supplied......: CORE
Release-Date..: 01/08/2003

don't waste yer time lads....


+SplAj,

Registering the program seems to be the easy part. I now want to remove the license manager from the code completely, so we can change a few things in the way it operates. I think the version released by Core is just a keygen/hack ?


Quote:
Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!


Apparantly this version is "all our own work". Apart from they use Nero and Gear DLLs. No shareware/freeware apps here. Or so they say...

Quote:

Squidge I am interested in CrapKey6 detail.......

wtf did u do with their *lame* API name scrambler and wtf did u do about *rally lame* Int3 debug/debugee Armadillo clone.


There name scrambler is just a simple XOR which I wrote a builder prog for descrambling. It finds the two parts of the import table, combines them together and then decrypts the names using simple XOR. The resulting file can then be placed into the program.

There Armadillo clone INT 3 stuff was even easier - when the program is unpacked, there's a load of data before the exe, this contains pointers and lengths to each part of the program - so my prog just grabs all of them and combines them together. Since these are unpacked onto a layer of INT 3 calls, my prog simply overwrites all the INT 3's with the original code. The result is that you don't need the loader anymore

After that, it was a simple matter of generating a sig file, and replacing the crypkey functions so the program was authorised without having to reg it.

If you want my name descrambler and/or prog builder, just ask. They are by no means standalone, and you still need to do a fair amount of debugging and the like yourself - I don't think think there are enough programs out there yet to make it all in one.

Quote:

All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P


Yup, waiting for a prog with some real protection eh?
+SplAj
January 26th, 2003, 09:28
Squidge

yup, did that, coded a simple app to 'decrypt' the .code section from debug dump (with nice array of pointer buffered with 00 / 01 ) and paste to dumped exe and also xor the api names....I thought about selling it....maybe $999 but maybe your version is cheaper

Yup the core is just a keymaker... did not try it yet .... i'm gonna take the stuff home..

later

Spl/\j

btw (*)(*) free pron at woodmanns ....
cHeCksUm
January 26th, 2003, 09:40
@+SplAj
>Also isn't this DVDx another 'front end' for a load of old beta >softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to >make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can >they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for >it !!!!

No actually they have the author of Ifoedit working on the program now. Before it was seriously bloated at like 24MB but as soon as they hired him they got it down to the size it is now.... makes you wonder what the hell they did in the first place . It works rather well except for the annoying "features" I mentioned before... but they are gone now. The program never uses DivX or the like as the DVD is copied not ripped and compressed, hence no loss in quality etc. It keeps it in MPEG2.0. However the price is steep... but hey what can one do.

About the keygen. I saw it too... but didn't really meet my needs as I am licensed... I wouldn't ever looked at the target if it wasn't for the annoying "Cannot copy a copy" crap they have added to the program. You want to know the really funny thing? They argued in their defece (to MPAA) that it could not be used to pirate DVD's becasuse the copies of the original would be encrypted... hahahaha... yeah right... only silly check which is easily bypassed and your homefree to copy the backup... and it's backup and on and on... well you get the point .

Back to the target. I have installed the thing on another computer to crack it from virgin condition without registration. I'll post my findings later as I am in a bit of a hurry.

@nikolatesla20

>nowizdatymeferallgudmenstocumtwodaateofdarekuntry

Hehe... that is quite funny.


// cHeCksUm
squidge
January 26th, 2003, 09:50
cHeCksUm : Well done, if you crack it from virgin PC, then there's no possibility of any watermarking features being placed in the copy. Although I think the only possible "watermarking" they do is perhaps add another file to the disk. Like they say, the video is not de/re-compressed, so can't really be watermarked can it ?

Better be safe though really and use a bogus license key

BTW, How did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of it's license manager first and patch the actually exe file on disk?
nikolatesla20
January 26th, 2003, 14:06
Well I feel retarted, I managed to get to the "Accept license agreement" dialog, but when I click accept, the main window comes up and then dissappears right away - so I apparently haven't found the right spot yet for the mov eax, 1 :P

Some days I'm on, and other days I can't get anywhere heh. Not in code mode this weekend I guess


-nt20
squidge
January 26th, 2003, 14:23
big hint: to find the correct place to put the mov eax, 1, all you need to do is look for the debug text

Actually, you don't even need to overwrite the code, just let the routine run and modify the value of eax after the call, as it seems that part of code is never run again anyway
cHeCksUm
January 26th, 2003, 17:10
Quote:
Originally posted by squidge
BTW, How did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of it's license manager first and patch the actually exe file on disk?


Well at the moment I am using a loader. But I will try to strip the program completely as I think I could learn a lot in doing so. Finding the right place for the nag about the "Can't copy a copy" and disabling it wasn't hard. DVDXcopy adds a file to the DVD (the file is in the program directory and can be editing to ones liking). It also adds a "watermark" to this file with program name, version and date as well as a string of characters. Other than that the copy is not watermarked in any way (well that I could find... and trust me I searched for it ). Well I got home late so I don't have any time to work on it today. I'll look more at it tomorrow. Tonight it's back to another target.... legato networker... blah... I've been working on it for like three months (well not constantly but still) and I have got it to accept any activation code (that was really easy) but I still need to figure out how it generates the damn hostid to be able to make it accept keys for any machine. Then I have to do the same for the Solaris version.... hehe at least I have something to do tonight .

// cHeCksUm
squidge
January 26th, 2003, 18:33
Well I backed up a DVD using the program, and notice the extra file it placed on the disk. I was going to hack it in a different way to what you mention however - instead of looking for the "you can't copy a copy" text, I was going to see how difficult it would be to get the program not to write that text file in the first place.

Also, do you know if there is a way of getting to program to write at 1x instead of 2x to dvd media?

Sounds like your diary however is pretty much booked up for the rest of the week to say the least
nikolatesla20
January 26th, 2003, 20:22
I have to say I am only interested in this program to "dump" it and practice another license manager.

to copy DVD's I just use freeware tools :

DVDdecrypter
IFOEdit
ImgTools

And HP RecordNow with a Sony MRU500A DVD Burner.

Works like a charm.

Used DVD+RW Sony media, works in both XBox and PS2 dvd players.



-nt20
squidge
January 27th, 2003, 01:10
Must say, I'm only really interested in the protection also, but playing with it, it does seem to make doing DVD a little easier instead of using lots of different software, and I'm all for that
nikolatesla20
January 27th, 2003, 15:40
Still, I have trubble with this thing! hehehehehe I feel stoopid

For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

Code:


                 public pp_tcode

seg000:30D33513 pp_tcode        proc near               ; CODE XREF: seg000:30D247D4p

seg000:30D33513                                         ; pp_eztrig1ex+19p ...

seg000:30D33513 

seg000:30D33513 arg_0           = dword ptr  8

seg000:30D33513 arg_4           = dword ptr  0Ch

seg000:30D33513 arg_8           = dword ptr  10h

seg000:30D33513 arg_C           = dword ptr  14h

seg000:30D33513 

seg000:30D33513                 push    ebp

seg000:30D33514                 mov     ebp, esp

seg000:30D33516                 push    esi

seg000:30D33517                 mov     esi, [ebp+arg_C]

seg000:30D3351A                 add     esi, 34h

seg000:30D3351D                 cmp     [ebp+arg_8], 1

seg000:30D33521                 jge     short loc_30D3352A

seg000:30D33523                 mov     [ebp+arg_8], 1

seg000:30D3352A 

seg000:30D3352A loc_30D3352A:                           ; CODE XREF: pp_tcode+Ej

seg000:30D3352A                 mov     eax, [ebp+arg_4]

seg000:30D3352D                 xor     edx, edx

seg000:30D3352F                 mov     ecx, eax

seg000:30D33531                 push    ebx

seg000:30D33532                 sar     ecx, 0Fh

seg000:30D33535                 mov     dh, ch

seg000:30D33537                 mov     ecx, eax

seg000:30D33539                 sar     ecx, 13h

seg000:30D3353C                 mov     ebx, eax

seg000:30D3353E                 and     ecx, 0Fh

seg000:30D33541                 sar     ebx, 8

seg000:30D33544                 mov     dl, al

seg000:30D33546                 add     ecx, 1FEh

seg000:30D3354C                 and     ebx, 1Fh

seg000:30D3354F                 imul    ecx, 108h

seg000:30D33555                 sar     eax, 0Dh

seg000:30D33558                 imul    ebx, 0F3h

seg000:30D3355E                 and     eax, 3Fh

seg000:30D33561                 add     ecx, ebx

seg000:30D33563                 imul    eax, 44h

seg000:30D33566                 add     ecx, eax

seg000:30D33568                 lea     eax, [edx+esi*2]

seg000:30D3356B                 mov     ebx, esi

seg000:30D3356D                 push    1

seg000:30D3356F                 add     ebx, eax

seg000:30D33571                 pop     eax

seg000:30D33572                 add     ebx, [ebp+arg_8]

seg000:30D33575                 lea     edx, [edx+ebx*2]

seg000:30D33578                 pop     ebx

seg000:30D33579                 add     edx, esi

seg000:30D3357B                 lea     esi, [ecx+ecx]

seg000:30D3357E                 imul    ecx, 1Fh

seg000:30D33581                 add     ecx, edx

seg000:30D33583 

seg000:30D33583 loc_30D33583:                           ; CODE XREF: pp_tcode+83j

seg000:30D33583                 mov     edx, ecx

seg000:30D33585                 and     edx, 7FFFFFFFh

seg000:30D3358B                 cmp     edx, [ebp+arg_0]

seg000:30D3358E                 jz      short loc_30D3359A

seg000:30D33590                 inc     eax

seg000:30D33591                 add     ecx, esi

seg000:30D33593                 cmp     eax, 32h

seg000:30D33596                 jle     short loc_30D33583

seg000:30D33598                 xor     eax, eax

seg000:30D3359A 

seg000:30D3359A loc_30D3359A:                           ; CODE XREF: pp_tcode+7Bj

seg000:30D3359A                 pop     esi

seg000:30D3359B                 pop     ebp

seg000:30D3359C                 retn    10h

seg000:30D3359C pp_tcode        endp

seg000:30D3359C



Kinda simple I guess.

-nt20
squidge
January 27th, 2003, 17:19
yup, so all you have to do is find code that is very similar to that and force it to return 1.

can't describe it in too much detail, otherwise the mods will be on my back for publishing an out-and-out crack but trace through the prog until it jumps into the memory it allocates before hand. Set a breakpoint on RaiseException API call, set another breakpoint on the exception handler pointed to in the SEH entry on the stack. Continue the program and pass the exception through to it. You'll now land in the exception handling code. Shortly after the DialogBoxParamA, you see code like the code you posted above. Mod it and your done

Can't really explain it much more than that.
squidge
January 27th, 2003, 17:27
What you post will be like the following (bit easier to follow)

eax = edx;
ecx = edx;
edx = edx & 516096;
eax = eax & 7864320;
edx = edx / 8192;
eax = eax / 524288;
edx = edx + 1980;
edx = edx * 68;
eax = eax * 264;
edx = edx + eax;
eax = ecx;
eax = eax & 7936;
eax = eax / 256;
eax = eax * 243;
esi = edx + eax;
edx = ecx;
edx = edx & 2139095040;
ecx = ecx & 255;
edx = edx / 32768;
eax = 6621511;
edx = edx + ecx;
edx = edx * 3;
eax = eax * 7;
edi = edi * 2;
edi = edi + edx;
edx = esi;
ecx = edi + eax;
edx = edx * 31;
edi = edx + ecx;
ecx = esi * 2;
edx = edi;
edx = edx & 2147483647;

/*
Now we add the loop to get the 3rd value.
*/

for (int i=0; i < 3; i++) {
edi = edi + ecx;
edx = edi;
edx = edx & 2147483647;
}

Author of that was Crackz, although I can't say which program it's for because of obvious reasons...

Quote:
Originally posted by nikolatesla20
Still, I have trubble with this thing! hehehehehe I feel stoopid

For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

Code:


                 public pp_tcode



<<<snip>>>



Kinda simple I guess.

-nt20
nikolatesla20
January 27th, 2003, 18:01
Just out of curiosity, are you using OllyDbg?


HAAH I am using Olly now and now I see the debug strings you were talking about !


OK I finally got it. Actually, I had it at home already too, but the main window wouldn't stay up for some reason - notice it won't let you run without a DVD drive anyway.

-nt20
nikolatesla20
January 27th, 2003, 18:19
Since this is an MFC application,

the first call will be to msvcrt.__set_app_type

but a bpx on that and run it. (remember to load msvcrt.dll with symbol loader)

Scroll up, your OEP is 00443648.



ImpREC recovers almost all the table.

-nt20
nikolatesla20
January 27th, 2003, 18:49
I'm done.


It's unpacked and running like a baby. Bye bye license manager.

I knew I could unpack it quickly ( unpacking has become my specialty lately, since I do it so much I've gotten fairly good at it) , as long as I could get the program to run, which was what I was having problems with.

Thanks squidge.

Anyone wants a nice unpacked file....... j/k.....or am i....

-nt20
squidge
January 27th, 2003, 19:00
No probs m8, I enjoy helping people that are willing to learn

Yeah, I use OllyDbg a lot, I find it very handy for this kind of work. Must say it was kind of silly for SoftwareKey to put that piece of debug text in there, it made it slightly easier.

I've put it aside now for the time being whilst I look at another application that I'm very interested in. The author decided to protect it with ASProtect, hopefully it won't take long to remove the ASProtect and find out how the program works itself. If it works out as good as I think it will, it could mean junking dvdxcopy.
cHeCksUm
January 28th, 2003, 12:03
@nikolatesla20:

Well done. Cracking it was easy but I am new to unpacking so I am having some troubles. Could you just post a brief description of how you went about doing it. I am not asking for anything specific just the general jist. Appreciate any help. Thanks.

// cHeCksUm
nikolatesla20
January 28th, 2003, 13:28
OK

First we want to get the program's OEP. But of course first it has to run! So the first task was to get the program to run, which I finally did *durr to me*.

Then we want to get OEP. Notice that the program is MFC program (imports mfc42.dll). All MFC programs start with __set_app_type after the OEP. So we can put a breakpoint on that routine and run the program. After the license manager runs and jumps to the real program, we will land on our breakpoint.

Now we are about 6 lines down from the OEP (by the way, write down the OEP for later use), no major code has taken place. In other words, there haven't been any variables initialized, etc. So we can dump right from here. In SoftICE we can assemble the current instruction so it loops on itself ("a eip <enter> jmp eip <enter>". Now the program is frozen in an infinite loop. Make sure you write down what the 2 bytes are at EIP's location first, so you can restore them later, after dumping. (do a "db eip" and write down the first two bytes you see).

Exit SoftICE and fire up LordPE and select the DVDXCopy process. When you do so, notice one small "error". DVDXCopy reports its image size as 1000. That's wrong. It's a trick. Right click and select "correct ImageSize". LordPE will fix it. Now do a full dump. Remember that infinite loop you made? You have to go in with a Hex Editor later and restore those bytes you overwrote. (2 bytes)

Now we have to fix 2 things about the dump. Notice it does not have an icon. This is because the last section is incorrect. Open up the dumped.exe in LordPE or PEditor and go to the section editor. The last section shows 00000000 as the RawSize and VirtualSize. This is wrong. Fix it (ImageSize says 7D000, last section's size should be 1A000 for both Raw and Virtual). Hey, your icon is back now

Now you get to restore the imports.

How do we know where they are in the program when in memory? Easy. Disasm the dumped.exe you have now. Go to the entry point. Remember, about 6 - 10 lines down is the __set_app_type call. This is an import, so you will see the call dword ptr [xxxxxxxx]. The xxxxxxxx is where the first thunk is, which can never change. Which means in memory the IAT is in this area!

Run the program again and go into SoftICE and go to the IAT area. Scroll up and down both and get the IAT start and what you think the length is. Write it down.

Fire up ImpREC and select the process, type in the OEP, the IAT start, and IAT length and "Get Imports", and then "Autotrace". ImpREC gets almost everything in one pass, just like 14 or so not done yet. YOu can do these manually in SoftICE by going to the memory area the ImpREC says the import is at and "u <import address>" to see what the code says. I found most of them were simple "mov eax, GetDlgItemInt ; push eax, ret". So there you have your import. Depending on how good your guess was at the IAT length, you might end up with junk thunks on the end of the tree. You can cut these off. You'll know if they are junk if they don't reference a higher memory area like the other unresolved calls do.

Leave "add a section" checked and press "Fix Dump" and wallah you are done.

-nt20
Iwarez
January 28th, 2003, 14:17
Man! Have I learned something! Now it works perfectly, thanks nikolatesla20. I've tried everything to get the dump working, but I failed to notice the last section was incorrectly sized. DUH!!! It works now so I can delete it. Nice practice.
cHeCksUm
January 28th, 2003, 14:56
@nikolatesla20:
Thanks you very much. A thurough explanation. I had got so far as to get the OEP... that wasn't a problem, I simply traced with Ollydbg until it gave an "error message" noted the call I was on and then did that again this time breaking on the call and so forth until I got to the OEP (this is how I cracked the "cannot copy copy crap and the file it places on the DVD). I then read two tutes (+HCU tute and one more on manual unpacking) and managed to dump each section using ollydbg, but they dumped into .mem files (although I changed them to exe) and I wasn't sure how to go about rebuilding them (is that even possible!?). I will read through your comments again and see if I can do the same using other tools (mainly thinking of using Olly instead of softice) that way I at least have to engage my brain a little and not just be spoon fed .... Anyhow I REALLY appreciate the help. Thanks.

// cHeCksUm
squidge
January 28th, 2003, 17:37
To make an exe file with Olly - save each memory block as a .mem file. Combine them together with the dos command copy:

copy /b part1.mem + /b part2.mem + /b part3.mem prog.exe

where prog.exe is the output file and the rest are your inputs.

Now you need to fix PE header (rs=vs, etc) and generate a valid import table.

Overall, it's much easier to pause the program with olly, and then dump it with LordPE. But the olly way is good to learn - as lordpe may not always work.
Iwarez
January 29th, 2003, 02:02
There is also a plugin for olly called ollydump. Works good.
cHeCksUm
March 27th, 2003, 16:25
For anyone who found the last version challanging and would like to take the next step 1.5 is out. A little more effort on the authors part (more anti-debugging)yet still allot same same. Good practice anyhow. It almost seems as if they read our posts on this board and then changed the protection scheme... I mean like not prompting for non-backup disk etc. hehe. The authors seem to be spending a little to mcuh time concentrating on the protection when they should be ironing out the bugs... I mean I paid 99USD for a program to backup my DVD's... not for cracking practice on how to remove unwanted features . Oh well.. c'set la vie. Time to get fresh with networker 7... wonder if they bothered updating their protection scheme, and then I need to look at cluster server for Solaris, and samfs. and.... and... well I got my weekend all mapped out (no really I do have a life). Later boys and girls... and happy cracking to all.

// cHeCksUm
squidge
March 27th, 2003, 18:29
Heh, happy cracking cHeCksUm, seems like you got your weekend all sorted out

Myself, I'm moving away from cracking and doing more RE work and finding out exactly how things work, and also putting a lot more effort into my own tools for that very job.

Really can't be bothered to do the latest version as I don't like using two disks per film, so I just use a hacked up version of dvd95copy that'll put every film onto a single DVD-R rather than 2 (I've no interest in the extras, see).
cHeCksUm
March 28th, 2003, 07:07
I think I'll stick to cracking until I am a bit more experianced. Then I might look at RE in a more general sense. I started looking more at programming again though, mainly perl but I am planning on dusting off the old ASM books . Maybe I'll also look at C again but 99% of my work is on ?nix (and mosly constitute text-filtering of some sort) so Perl really fits the bill and that is my main language of choice.

I really don't care that much about the extras either but I like the one button simplicity of DVDXcopy. Most of all I am just pissed that the programmers are trying to restrict what dvd's I can or cannot copy... that I do not like .

Well good luck witht he tools... maybe we'll see, and use, some of them on the net .

// cHeCksUm
the_analyst
March 28th, 2003, 10:16
Hello,

i have an application that is supposed to be protected by
Protection Plus.
I suppose its the same target, but there wasn't any License Manager part in it. Just the wrapper Apparently.
Or its another product from the same company.

Its basically the same than Asprotect, but easier
If anyone want to try his hand on it (its NOT the site of the company, some guy host it on his personal web site because he is studying the protection on a forum)
here is the url:

h**p://hiacelee.free.fr/pe/AVTEval30a94setup.exe

Have fun