
View Full Version : Impossible Protection?


vikingp
April 14th, 2005, 01:04
After days and nights of failing and failing... I wonder, can this be reversed???
Maybe, since no one has made a working keygen besides the single one Snowpanter made some years ago, but that was for an older version of this software!

The software generates a key with 192 characters based on a CD key, then gives you a user code based on the username (also the CD key, I think), then it wants a user password back based on the CD key, username and user code...
Also, the CD key is version based and type based (Student, Base, Full)!

Kanal 2.82 plugin for PEiD shows 9 crypto signatures:
Blowfish [sbox]
CRC32
CryptCreateHash [Import]
CryptDecrypt [Import]
CryptEncrypt [Import]
CryptHashData [Import]
MD2 [Char]
PI fraction (NIMBUS / BLOWFISH)

PEiD Gives:
Detecded: Microsoft Visual C++ 7.0 [Debug]
Entropy: 6.32 (Not Packed)
EP Check: Not Packed
Fast Check: Not Packed

So... How does it look?? Can this be done?
Surely some good reverser/cracker can fix this. But since no one has bothered to make a keygen for this very nice CAD/architecture software... I had to give it a try... I haven't done this in years now, so lots of this encryption is new to me.

So my big question is... Is there any easy solution?

Since I'm not sure about this forum's rules (couldn't find them) I haven't posted any information about what software this is.
If anyone is curious or simply would like to test this software, PM me.

Ahh.. There was the FAQ!

0xf001
April 14th, 2005, 02:57
hi,

i think this is not an uncommon situation. i e.g. discovered once a very similar type of protection (that was "layer 1" of it), also on linux.
i thought it was impossible (as there were so many layers, keys and algos involved); the trick was to turn the checking routine against itself.
in my case i was able (after a really long time (3 weeks, nearly every night)) to identify one part where the comparison for this first check is done. there were multiple license modes involved, which made it harder to find ...

if the check is only needed for verification, you might really patch it to accept any code.
that works well, but if the code is used to build a decryption key for, e.g., an encrypted SW installation archive, you cannot do it this way.

try to find this comparison. in my case i was lucky to print out the expected bytes by patching the installer's code verification, inserting printf("%2X ", c) calls. it might not be easy, but the only tip i can give is: really try to find the verification of your entered string (which is quite a standard approach).

cheers, 0xf001
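The distinction 0xf001 draws above (a check that only verifies versus a code that is the key material for an encrypted archive) is the part a protection designer actually controls. The following is an added illustration, not code from the thread or from the software it discusses; SHA-256 in counter mode stands in for the real cipher, the "install-kdf|" label is an assumed domain separator, and the license code is constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed illustration (not the thread's or the product's code): the entered
# license code is either (1) only verified, or (2) used as key material for the
# install archive. SHA-256 counter mode stands in for the real cipher.

def register_code(code: str) -> bytes:
    """Value the vendor ships for design 1: a digest of the valid code."""
    return hashlib.sha256(code.encode()).digest()

def check_only(entered: str, stored_digest: bytes) -> bool:
    """Design 1: the outcome is one boolean, so a single patched conditional
    jump turns every input into 'valid'."""
    return hmac.compare_digest(hashlib.sha256(entered.encode()).digest(), stored_digest)

def _derive_key(code: str) -> bytes:
    # "install-kdf|" is an assumed domain-separation label.
    return hashlib.sha256(b"install-kdf|" + code.encode()).digest()

def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: one SHA-256 block per 32 bytes of output."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(code: str, payload: bytes) -> bytes:
    """Design 2: encrypt the payload under a key derived from the code and
    append an HMAC tag so a wrong code is detected."""
    key = _derive_key(code)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(code: str, blob: bytes, tag_check_patched: bool = False) -> Optional[bytes]:
    """Decrypt with the entered code. tag_check_patched=True models a binary
    whose tag comparison was NOP-ed: the check no longer fails, but the data
    is still decrypted under the wrong key and comes out as garbage."""
    key = _derive_key(code)
    ct, tag = blob[:-32], blob[-32:]
    tag_ok = hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag)
    if not tag_ok and not tag_check_patched:
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))

if __name__ == "__main__":
    CODE = "5A6BCDE-1234567"  # constructed, same shape as the thread's xxxxxxx-xxxxxxx
    blob = seal(CODE, b"installer payload bytes")
    print(unseal(CODE, blob), unseal("0000000-0000000", blob),
          unseal("0000000-0000000", blob, True) == b"installer payload bytes")
```

With design 1 the only thing separating a valid and an invalid code is the boolean, which is exactly what a patched jump removes; with design 2 no patch can recover the payload, because the correct code never appears in the binary at all.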

vikingp
April 14th, 2005, 11:49
Need something to do for the next couple of weeks then.

So this is quite a good protection then? Maybe that's why nobody has made a keygen for this! It's really a damn good piece of software that people are crying after all around the net.

Anyway, here is what I have come up with. Can anybody make some comments on this? It would help me a lot. Also some good tips on how to bypass or reverse it. I don't need a tutorial, just a simple tip!

I guess a good thing to know is that the CD key is xxxxxxx-xxxxxxx.

When putting a break on GetDlgItemTextA, OllyDbg pops, and after a couple of Ctrl-F9 I get back inside my software's module.

->My first part of the CD key is 5A6BCDE.

00AD7E6A |. 8BC6 MOV EAX,ESI -> ESI=09C17B78, (ASCII "5A6BCDE" EAX=00000007
00AD7E6C |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
00AD7E6F |. 90 NOP
00AD7E70 |> 8A08 MOV CL,BYTE PTR DS:[EAX]
00AD7E72 |. 40 INC EAX
00AD7E73 |. 84C9 TEST CL,CL
00AD7E75 |.^75 F9 JNZ SHORT APPZ_Name.00AD7E70 ->Loop.


Here it takes my CD key and runs every character through this function, left to right.
Since it stores my key in CL, I guess it's before the verification? Right?

After the last character, when a zero value has passed through the function, it moves on.


00AD7E77 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
00AD7E7B |. 2BC2 SUB EAX,EDX
00AD7E7D |. 50 PUSH EAX
00AD7E7E |. 56 PUSH ESI
00AD7E7F |. E8 9CA993FF CALL APPZ_Name.00412820

Stepping into the call:
I just copied some part of my function window. Can my verification be in here?
Or has the verification already been done?

00412820 /$ 53 PUSH EBX
00412821 |. 8BD9 MOV EBX,ECX
00412823 |. 8B53 18 MOV EDX,DWORD PTR DS:[EBX+18]
00412826 83FA 10 CMP EDX,10 ->App is Version 10, could this be a version check?
00412829 |. 56 PUSH ESI
0041282A |. 57 PUSH EDI
0041282B |. 72 05 JB SHORT APPZ_Name.00412832
0041282D |. 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
00412830 |. EB 03 JMP SHORT APPZ_Name.00412835
00412832 |> 8D43 04 LEA EAX,DWORD PTR DS:[EBX+4]
00412835 |> 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10]
00412839 3BF0 CMP ESI,EAX -> Cmp my cd key with EAX
0041283B |. 72 34 JB SHORT APPZ_Name.00412871
0041283D 83FA 10 CMP EDX,10
00412840 |. 8D43 04 LEA EAX,DWORD PTR DS:[EBX+4]
00412843 |. 72 04 JB SHORT APPZ_Name.00412849
00412845 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00412847 |. EB 02 JMP SHORT APPZ_Name.0041284B
00412849 |> 8BC8 MOV ECX,EAX
0041284B |> 8B7B 14 MOV EDI,DWORD PTR DS:[EBX+14]
0041284E |. 03F9 ADD EDI,ECX
00412850 3BFE CMP EDI,ESI
00412852 |. 76 1D JBE SHORT APPZ_Name.00412871
00412854 |. 83FA 10 CMP EDX,10
00412857 |. 72 02 JB SHORT APPZ_Name.0041285B
00412859 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0041285B |> 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
0041285F |. 51 PUSH ECX
00412860 |. 2BF0 SUB ESI,EAX
00412862 |. 56 PUSH ESI
00412863 |. 53 PUSH EBX
00412864 |. 8BCB MOV ECX,EBX
00412866 |. E8 C5FEFFFF CALL APPZ_Name.00412730
0041286B |. 5F POP EDI
0041286C |. 5E POP ESI
0041286D |. 5B POP EBX
0041286E |. C2 0800 RETN 8
00412871 |> 55 PUSH EBP
00412872 |. 8B6C24 18 MOV EBP,DWORD PTR SS:[ESP+18]
00412876 83FD FE CMP EBP,-2
00412879 |. 76 07 JBE SHORT APPZ_Name.00412882
0041287B |. 8BCB MOV ECX,EBX
0041287D |. E8 AE568C00 CALL APPZ_Name.00CD7F30
00412882 |> 8B43 18 MOV EAX,DWORD PTR DS:[EBX+18]
00412885 3BC5 CMP EAX,EBP
00412887 |. 73 1B JNB SHORT APPZ_Name.004128A4
00412889 |. 8B53 14 MOV EDX,DWORD PTR DS:[EBX+14]
0041288C |. 52 PUSH EDX
0041288D |. 55 PUSH EBP
0041288E |. 8BCB MOV ECX,EBX
00412890 |. E8 1B95FFFF CALL APPZ_Name.0040BDB0
00412895 |. 85ED TEST EBP,EBP
00412897 |> 76 68 JBE SHORT APPZ_Name.00412901
00412899 |. 837B 18 10 CMP DWORD PTR DS:[EBX+18],10
0041289D |. 72 2F JB SHORT APPZ_Name.004128CE
0041289F |. 8B7B 04 MOV EDI,DWORD PTR DS:[EBX+4]
004128A2 |. EB 2D JMP SHORT APPZ_Name.004128D1
004128A4 |> 85ED TEST EBP,EBP
004128A6 |.^75 EF JNZ SHORT APPZ_Name.00412897
004128A8 83F8 10 CMP EAX,10
004128AB |. 896B 14 MOV DWORD PTR DS:[EBX+14],EBP
004128AE |. 72 0F JB SHORT APPZ_Name.004128BF
004128B0 |. 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
004128B3 |. 5D POP EBP
004128B4 |. 5F POP EDI
004128B5 |. C600 00 MOV BYTE PTR DS:[EAX],0
004128B8 |. 5E POP ESI
004128B9 |. 8BC3 MOV EAX,EBX
004128BB |. 5B POP EBX
004128BC |. C2 0800 RETN 8
004128BF |> 5D POP EBP
004128C0 |. 8D43 04 LEA EAX,DWORD PTR DS:[EBX+4]
004128C3 |. 5F POP EDI
004128C4 |. C600 00 MOV BYTE PTR DS:[EAX],0
004128C7 |. 5E POP ESI
004128C8 |. 8BC3 MOV EAX,EBX
004128CA |. 5B POP EBX
004128CB |. C2 0800 RETN 8
004128CE |> 8D7B 04 LEA EDI,DWORD PTR DS:[EBX+4]
004128D1 |> 8BCD MOV ECX,EBP
004128D3 |. 8BC1 MOV EAX,ECX
004128D5 |. C1E9 02 SHR ECX,2
004128D8 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
004128DA |. 8BC8 MOV ECX,EAX
004128DC |. 83E1 03 AND ECX,3
004128DF |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
004128E1 |. 837B 18 10 CMP DWORD PTR DS:[EBX+18],10
004128E5 |. 896B 14 MOV DWORD PTR DS:[EBX+14],EBP
004128E8 |. 72 10 JB SHORT APPZ_Name.004128FA
004128EA |. 8B43 04 MOV EAX,DWORD PTR DS:[EBX+4]
004128ED |. C60428 00 MOV BYTE PTR DS:[EAX+EBP],0

Am I even close to being on the right track here?
I am new to this and can't say I can see straight away what all this code does.

And if anyone who feels good enough wants to have a whack at this software, I'll be happy to share. As long as I get some feedback/help.

Sorry if my English sucks, so no jokes about it!

0xf001
April 15th, 2005, 02:12
hi vikingp,

cool that you dig into it hehehe

> So this is quite a good protection then?

well, the actual implementation will show this; the principle is quite standard imho

this part ....
Code:

00AD7E6A |. 8BC6 MOV EAX,ESI -> ESI=09C17B78, (ASCII "5A6BCDE" EAX=00000007
00AD7E6C |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
00AD7E6F |. 90 NOP
00AD7E70 |> 8A08 MOV CL,BYTE PTR DS:[EAX]
00AD7E72 |. 40 INC EAX
00AD7E73 |. 84C9 TEST CL,CL
00AD7E75 |.^75 F9 JNZ SHORT APPZ_Name.00AD7E70 ->Loop.


right, this runs through your code. it does not compare anything. it goes until your code byte (first "5", then "A", then "6", "B", ... ) equals 0, meaning it goes to the end of the string.
It might then check if the length (number of entered chars) is correct, or it needs the pointer to the end of the string elsewhere.

Code:
00AD7E77 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
00AD7E7B |. 2BC2 SUB EAX,EDX


like here above: EAX is still your start of string and EDX was set up as DWORD PTR DS:[EAX+1]. this might be for some check of the different parts of the string.

you are on the right track

imho what will follow in the code is that it takes several parts of the string and lets them run through some maths. what I would recommend to you is to step through the following part of the code and carefully single-step it.

write everything down that may be of interest. give your variables names. you can use a disassembler that helps with naming, or simply copy/paste the code to an editor and do it there. inspect the contents of the registers. all guesses you might have, comment them - as you already did.
go line by line (maybe a few tens of times) until you figure out what is going on. you might not need to understand it all immediately.
go through the code and in the first run do not step into subroutines. just let them execute and compare the registers before and after the call. try to interpret a little what the ppl who wrote the SW want to achieve and, in that context, what the functions might do.
most of it will be taking parts of strings and messing them up with other parts of the string, other keys, ... so it is important to verify all the involved pointers.

i hope this helps,

cheers, 0xf001

vikingp
April 15th, 2005, 03:32
Thx 0xf001!
Nice to see that I might be on the right track!
I will try your suggestion of writing everything down and commenting it.
Forcing the brain to think

Yeah, that did help! At least for my spirit

Thx, once again!

vikingp
April 15th, 2005, 05:06
After running a few more steps I get some strange info in the dump.
Could this be of any use?
______________________________________________________
0091ACEA |. 8B46 04 MOV EAX,DWORD PTR DS:[ESI+4]
0091ACED |. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4] ; Appz_name.00DCAC10
______________________________________________________
Stack DS:[00120908]=00DCAC10 (Appz_name.00DCAC10)
ECX=7C91056D (ntdll.7C91056D)
______________________________________________________
Value in dump (ASCII):
00DCA638 HX@par != NULL..\source\sup
00DCA678 rroom.cpp...rP->sequence < rmSize...rP->sequence < size._key.siz
00DCA6B8 e() % 4 == 0...._key.size() > 12.....\source\blowfish.cpp..._key
00DCA6F8 .length() % 4 == 0.._key.length() > 12..encryptedData.size() ==
00DCA738 lSize...AccessCheck() failed with error %lu.........u.n.
00DCA778 P.dn.0.͞.͞.|.|.wizard != NULL...\source\regwiz.cpp.
00DCA838 <p.@.*Y.V.͞..|..DefCompany..DefName.Software\Mic
00DCA878 rosoft\MS Setup (ACME)\User Info....encrypted User Informati....
00DCA8B8 c:\autobuild 10.0\source\source\Secure.h....Pp.".p.A.0A.
00DCABF8 NP.PV.`V.*V.V.V.......Emergency:..e+../cgi-bin/reg
00DCAC38 ister8?.AL8MNFR432EGHQXK015679SPYTUWDB...\source\secrutil.cpp...
00DCAC78 outSize > strlen(in)/2..num == 0........)

lostson
April 20th, 2005, 08:31
hiho...

Quote:
00DCABF8 NP.PV.`V.*V.V.V.......Emergency:..e+../cgi-bin/reg
00DCAC38 ister8?.AL8MNFR432EGHQXK015679SPYTUWDB...\source\secrutil.cpp...


seems like it uses an online check for verification... the cgi script may indicate that.

just my two cents...
regards,

vikingp
April 20th, 2005, 11:00
Ok! Yes, it tries to connect to the internet to download user information based on the CD key.
Btw, I'm totally stuck on this! I have tested and tested, and tried to follow 20-30 tutorials based on different encryption.
So if anyone has some time to spend on this I'll be happy to share this software. Just PM me.

Aimless
April 24th, 2005, 23:04
Maybe you could PM me about this when you have the time.

Have Phun