Test2000
February 21st, 2004, 13:48
Okay, while doing some searching on various crackmes I decided to try out what I had learned on some more commercial games. I downloaded a range of old products that I like (mainly text simulations) and a few other things. Had no problems with most of these simple serial protections. That's when I came across something tricky. I'll break it down in steps:
(1) I opened up the .exe of the programme I was attempting to reverse and saw that it was your standard 14 day evaluation, yada yada yada. Okay, so advance the clock and go back and see what happens.
(2) Ohh, look at that, the application has expired, yada yada yada. Let's look for some references. Hmm, seems like standard serial protection; let's enter a couple of those. Okay, we've got our invalid message, let's have a search again.
(3) Open up various tools to look for references (WDASM, HiEW): nothing, so this looks like the application is packed.
(4) Let's have a look at what it's packed with. Well, according to PEiD it's packed with Protection Plus.
(5) Let's have a search around for some tutorials on Protection Plus or any unpackers on Protection Plus. Found total: 0.
That's about where I have hit the snag. I tried opening up the application with OllyDbg but it has some rather odd modules. The oddest one seems to be that it has a duplicate module of the actual exe file but it's not the exe file. I've also looked at the actual PE header of the programme and the flags seem to be unpacked, yet I know the application is packed because of the PEiD scan and the way the code displays in WDASM. Might be something for someone more advanced to have a play with and see what type of protection it's using. If you want the .exe I've been trying to unpack, for interest's sake, I'll PM you. Supposedly CORE already did a crack on this version but I believe it does not work.
Any information on the Protection Plus scheme if known would also be welcome as I may put this on my #2 list of priorities after I've finished my reading.
[Edit: One other thing I forgot to add is that when I loaded up OllyDbg and tried to go back to the .exe it seemed to corrupt it. When I tried with SoftIce it had SoftIce detection running. As I use XP, FrogsIce was not an option; this may well be an option for someone running this scheme on a ME/9x platform].