Log in

View Full Version : Challenge

Jak
May 12th, 2005, 12:30
The protection on Popcap games is very difficult. I have been ReEngineering for a year but i still think this can give you bigshots a run for your money. I'm not asking for spoon-feeding, just give me a few tips if you can (try mummy maze, rocket mania, seven seas or heavy weapon).
Jak
condzero
May 12th, 2005, 18:17
Jak, Jak, Jak..... I am not all too impressed by your challenge.
Without mentioning names, I downloaded and installed one of your programs.
The program was neither packed nor encrypted. After spending about 1/2 hour fooling around, I keyed on the area of the program that YOU should have noticed where the program calls a procedure that reads a registry key and goes through a rather lengthy and laborious algorithm to determine if you have a valid key, then lower order byte of EAX is set:

MOV AL,BYTE PTR SS:[ESP+13]

You can modify this instruction to:
MOV AL,1
NOP
NOP

The procedure returns and the program moves the value in AL to an area
in the .data section:

MOV BYTE PTR SS:[EBP+2F0],AL.

Further down in the program, the value is checked to determine if
you are registered.

I have not interest in this program, so it is still possible that there might be
another condition set. The main point is that with a little digging you can
find the solution. I assume you are using a debugger and that you have some knowledge on how to use it.

So my answer is an emphatic NO. I don't believe their protection is that great.
As an aside, if you find the same game elsewhere, and it is (protected) by a version of software that you can crack, go there.

Good Luck!
Woodmann
May 12th, 2005, 19:04
Howdy,

A very good reply from condzero.
This is not difficult and, if you dont understand it,
go get a patch from somewhere out there and study it.

Woodmann

(Did ya'll want me to bash the shit out of him ??? )
Jak
May 15th, 2005, 12:58
To try and save myself a bit of dignity:
I did work out how it is done - i was looking in the wrong direction entirely (at the error message and not the protection - well that was what i was taught. I think i'll use my own methods from now on.). Oh well, these things happen. Thanks for the replies - don't think i deserved the shit bashed out of me, though.
Jak
naides
May 15th, 2005, 13:37
Jak. you would really have to do something very shitty to get the bashing wrath of Woodmann going!

In a little more serious tone (as if I ever can be taken seriusly) It is not unusual even for experienced crackers to bark in the wrong tree for a while and overlook the obvious. Tell me about it.
It is also not at all sinful to cheat a little bit and download already made cracks in order to compare the before and after files and see the solution someone else already figure out. Then try to understand why or how you had not found the critical code of the protection
Woodmann
May 15th, 2005, 15:34
Hi Jak,

You have lost no dignity here.
I had the desire to look around inside some of those games
to see how they worked. I got close to figuring it out but my old
brain just couldnt figure out the last step.

So I cheated and looked at someone elses work.
It was just one of those things that when you see how it is done,
you think "son of a bitch" how could I not see that.

You did it yourself. Good job

Woodmann
curVV
May 18th, 2005, 12:17
hey jak,

how bout writing a tutorial on how you RE'd one of those titles for the not so advanced n00bs like meself??
Jak
May 19th, 2005, 13:30
Alright my friend, it's coming soon.
I have to tell ya you'll be disappointed with it, because evrytime you start it up it'll ask you to register again, but to get around that i'd have to research a it more about those two-letter registers like ax and al, which i know very little about.
evlncrn8
May 19th, 2005, 14:25
google for 'helppc21', download it, it'll explain those little registers and the asm commands
ax = 16 bit counterpart of eax (eax being 32 bit)
ah = high 8 bit part of ax
al = low 8 bit part of ax
gabri3l
May 19th, 2005, 14:26
Allright, a question I can actually answer.

Jak the EAX, AX, AH, and AL registers are all part of Register A

Register A is 32 bits (8 hexadecimal Bytes)

The whole Register A is called EAX, the one you see in the regsiters window of Olly.

However Register A can be divided into AX which is the lower 4 bytes of EAX.
So if EAX is 1111FF00 then AX is just FF00

Now AX can be divided as well. Into HIGH and LOW BYTES. This is AH and AL. AH is the High byte and AL is the LOW byte.
So if AX is FF00 then AH is FF and AL is 00

This can be applied to most of the other registers as well. So if you see BL you know that it is the last Byte of the EBX register.
Jak
May 19th, 2005, 14:28
Cheers, man. Hey, i'm so glad i found this messageboard - i'm learning more now than i have been for a good few months. Far be it from me to suggest it, but perhaps a messageboard with fundamental tips for newbies might be prudent - golden rules.
I think it would help me and people like me.
Anyway...think about it.
Cheers,
Jak
evlncrn8
May 20th, 2005, 06:32
register A ? thats a new one on me heh, as for fundamental tips.. FAQ and Search.. just like it says in your signature when you sign up, do like it says and you'll make jmi a happy chappie
naides
May 20th, 2005, 09:17
Be aware: The fact that Those AX and BX registers are old, legacy code, does not mean that Debugging and RCE 16 bit code is any easier. Quite the contrary, the use of segmented memory and other wrinkles make tracing 16 bit code a fucking maze.
If you are doing it on a XP OS, the code often goes to a 16 bit VM subsytem, and you have to use a different debugger to be able to trace.

Do not underestimate the complexity of 16 bit code
Jak
May 22nd, 2005, 13:45
You asked for it, you got it. This is my tutorial for three popcap games (hell, it’ll probably work with more). It doesn’t work with heavy weapon, my limited knowledge tells me it’s packed, and I don’t know shit about that kind of thing. Anyway, read on and learn about how untutored pikies crack things. *Note: This tutorial is written for seven seas*

As with all good crackers, I will start my crack with w32dasm. As you all should know, we are looking for the error message in “string references”, the error message being “The registration number you have entered blablabla”. So - load up either seven seas, mummy maze or rocket mania into w32dasm (it doesn’t matter which one, they all work with this technique). Click on string references, and look for our string. Found it? Double click on it. And again. It appears in two places. It seems to my uneducated mind as if the writer is attempting to confuse crackers, or simply it is loading the string into a register for further use. Anyway…
* Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance one
->"is not valid for that name."
|
:00420EDF BFF0644A00 mov edi, 004A64F0 => at address 004a64f0 is your string, “the registration…” this procedures moves it to edi (for future reference?)
:00420EE4 83C9FF or ecx, FFFFFFFF
:00420EE7 33C0 xor eax, eax
:00420EE9 6A01 push 00000001
:00420EEB F2 repnz
:00420EEC AE scasb
:00420EED F7D1 not ecx
:00420EEF 49 dec ecx
:00420EF0 8BD9 mov ebx, ecx
:00420EF2 8D4C2420 lea ecx, dword ptr [esp+20]
:00420EF6 53 push ebx
:00420EF7 E814B4FEFF call 0040C310
:00420EFC 84C0 test al, al
:00420EFE 7427 je 00420F27
:00420F00 8B7C2420 mov edi, dword ptr [esp+20]
:00420F04 8BCB mov ecx, ebx
:00420F06 8BC1 mov eax, ecx

* Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance two
->"is not valid for that name."
|
:00420F08 BEF0644A00 mov esi, 004A64F0
:00420F0D C1E902 shr ecx, 02
This was where I made my mistake and went crying to this message board. Usually I would scroll up and find a J* (JMP, JZ, JNZ etc) that jumps over these two strings. Like…this one-
:00420E82 3BC6 cmp eax, esi
:00420E84 89742474 mov dword ptr [esp+74], esi
:00420E88 0F843F010000 je 00420FCD =>this one here
Then, invert it like so:
:00420E82 3BC6 cmp eax, esi
:00420E84 89742474 mov dword ptr [esp+74], esi
:00420E88 0F843F010000 jne 00420FCD
Go ahead, try it……….

Bugger. All it did was to cut that text out of the bad boy msgbox.

>explanation time
>this msgbox is made up of three “pieces”
>1: The title – string “invalid”
>2: The text – string “the registration…”
>3: The go-away button – string “ok”
>If you wanna have a little fun, get rid of each of these strings in turn by >inverting the J* above them. What happens? You get a new messagebox >saying you have registered, but you don’t actually get regged. This is >because the program keeps plodding along the code until it reaches a string >that it can put in because you have killed the other strings. (Hmmmm…>maybe I’m not that crap after all)
>explanation time over

So I got pissed off and ate a pizza. I tried again. Go to The String (I can’t be arsed to type it out every time. It’s called The String from here on in) in w32dasm. Scroll up until you find where it’s referenced from *note: on mummy maze and rocket mania, it is referenced from two Calls – don’t worry. Either set breakpoints on them and find which one breaks when you press ok after typing in your dummy reg details, or find the one with code that looks like this*

* Referenced by a CALL at Address:
|:00421CC6 => looky here!
|
:00420E40 6AFF push FFFFFFFF
:00420E42 68D0F34800 push 0048F3D0
:00420E47 64A100000000 mov eax, dword ptr fs:[00000000]
:00420E4D 50 push eax

See that – go there

:00421CC6 E875F1FFFF call 00420E40 => here’s yer call
:00421CCB 33FF xor edi, edi
:00421CCD E9E7010000 jmp 00421EB9 => oh dear, an unconditional jump – it can’t reference our registration, that would mean we either always would or always wouldn’t get regged.

So that ain’t it. Hold on – look higher! Is that the hacker’s threesome? Call, Test, J*? It is!

:00421CBD FF5040 call [eax+40] => I
:00421CC0 84C0 test al, al =>Love
:00421CC2 750E jne 00421CD2 =>You
:00421CC4 8BCD mov ecx, ebp
:00421CC6 E875F1FFFF call 00420E40
:00421CCB 33FF xor edi, edi
:00421CCD E9E7010000 jmp 00421EB9

Yes indeed, the hacker’s threesome. We’re onto something. Just for a laugh, nop the call (in ollydbg, press space, and replace call [eax+40] with NOP). Try and get regged. Nothing happens. That means that this call references the procedure to get regged. You now have two choices:
1. Do like me: change the jne 00421CD2 to je 00421CD2 and deal with having to register every time you start up (it’s not that bad.). Or…
2. Step into the Call (F7), and be a proper hacker and find the valid code using keygens and mathematics and whatnot.
Well, that’s about it. I could try and “be a proper hacker” right now, but it’s late, and frankly staring at a computer screen for too long depresses me somehow. Until next time, my friends.
Jak

P.S. This was my first tutorial – if it’s shit, let me know.
Jak
May 22nd, 2005, 13:48
it seems that my tutorial has been "squished" as i forgot to preview it. Text beginning with "=>" is commentary and will not appear in w32dasm. (Obvious, yes, but this stuff confused me when i first started)
curVV
May 24th, 2005, 13:09
Nice. Thanks Jak. Great way to learn - writing tuotrials!
Either JMI or Woodmann is prolly gawn slaughter yo ass for your total disregard of forum policy but thanks for the effort anyhoo!
JMI
May 24th, 2005, 15:14
That option is under consideration. The only delay has been in considering whether we may wish to modify our Rules in light of the current location of our Forum.

Regards,
Woodmann
May 24th, 2005, 15:56
And..........

The fact that finding cracks for those games requires just about no effort

Woodmann
evlncrn8
May 25th, 2005, 03:08
yeh, now for challenge 2 - make a keygen from reversing the algo you found..
Admiral
May 25th, 2005, 06:55
Quote:
[Originally Posted by evlncrn8]yeh, now for challenge 2 - make a keygen from reversing the algo you found..


Surely this is less a challenge and more of a tedious and laborious trawl through an already understood protection. That said, feel free to indulge yourself if you have nothing better to do for a few hours.
J2005
May 26th, 2005, 00:14
Thanx and all the best for your future challenges
JohnWho
May 26th, 2005, 05:52
Here's my mini tute for 'Seven Seas'(probably all popcap games).

It's written for complete newbies so it's extremely simply! And yes those popcap games are extremely easy to deal with.
esther
May 26th, 2005, 09:12
I wondered.....
The names of the targetand codes were posted here its seems no one cares about the rules?
Woodmann
May 26th, 2005, 15:05
This matter is currently being discussed


Woodmann
curVV
May 29th, 2005, 05:28
JohnWho: Nice tutorial. thnx.

quote from tut: Our pointer is pointing at address 004AD704

I know it might be different on my computer, but where did you get that? I'm a lil confused...
condzero
May 29th, 2005, 09:55
I'll chip in my 2cents worth.

Based on the material I am reading from the ActiveMark website:

http:\\www.trymedia.com

and I quote:

Quote:
Trymedia Systems, secure digital distribution services provider and operator of the world’s largest distribution network for downloadable games, has further bolstered its digital distribution network by establishing new partnerships with top casual game publishers and developers Big Fish Games, FreshGames, iWin, PlayFirst, Selecsoft and Toy Box Games.


You will see Popcap listed as one of the many partners. So it's only a matter
of time before most of you will become all too familiar with ActiveMark.
However, many games/apps protected by this software are also more easily
obtainable elsewhere.
JohnWho
May 29th, 2005, 10:38
Quote:
[Originally Posted by curVV]JohnWho: Nice tutorial. thnx.

quote from tut: Our pointer is pointing at address 004AD704

I know it might be different on my computer, but where did you get that? I'm a lil confused...


I'm not sure what exactly you confused about, but...

This compare function...

:00425D4E 38992C030000 cmp byte ptr [ecx+0000032C], bl

...is pointing at our registration address. Do a "d ecx+32c" without the quotes when your on the instruction and you'll see the pointed address!
curVV
May 29th, 2005, 23:02
ok. was confused coz we were still in w32dasm. wondered how you got the address from there..
JohnWho
May 30th, 2005, 00:22
Quote:
[Originally Posted by curVV]ok. was confused coz we were still in w32dasm. wondered how you got the address from there..


Hehe... yeah i know i'm not specially good at explaining stuff, thats why i almost never write tutorials.
curVV
May 30th, 2005, 13:02
Quote:
[Originally Posted by condzero]

You will see Popc4p listed as one of the many partners. So it's only a matter
of time before most of you will become all too familiar with ActiveMark.
However, many games/apps protected by this software are also more easily
obtainable elsewhere.


Hmm no wonder. Another Popcap title already mentioned in this thread above by Jak, loaded into PEiD yields:
Nothing found [Overlay] *
7.95 (Packed)
Packed
Packed

So maybe its already packed with ActiveMark

after a quick dump in olly i checked it again with the Krypto plugin and found refs to crc32, md5 and some other stuff i've never heard of.

Dont think we'll ever find a popc4p game as easy as s3v3n s34s to RE...
MEPHiST0
June 4th, 2005, 14:32
ive dumped a Trymedia protect game just yesterday..

i dumped at the licence layer entry point..
fixed imports with imprec..
found the GetModuleHandleA call in the licence layer EP..

traced into the call under it..

Code:
00BB0723   FF15 E841BD00    CALL DWORD PTR DS:[BD41E8] ; kernel32.GetModuleHandleA

00BB0729   50               PUSH EAX

00BB072A   E8 EF2BF2FF      CALL .00AD331E



u see
Code:
00AD331E   B8 D431BC00      MOV EAX,.00BC31D4

00AD3323   E8 08D30D00      CALL .00BB0630

00AD3328   51               PUSH ECX

00AD3329   83EC 18          SUB ESP,18

00AD332C   53               PUSH EBX

00AD332D   56               PUSH ESI

00AD332E   57               PUSH EDI

00AD332F   8965 F0          MOV DWORD PTR SS:[EBP-10],ESP

00AD3332   8365 EC 00       AND DWORD PTR SS:[EBP-14],0

00AD3336   8365 FC 00       AND DWORD PTR SS:[EBP-4],0

00AD333A   FF75 08          PUSH DWORD PTR SS:[EBP+8]

00AD333D   FF75 10          PUSH DWORD PTR SS:[EBP+10]

00AD3340   E8 EE9F0000      CALL .00ADD333

00AD3345   59               POP ECX

00AD3346   59               POP ECX

00AD3347   8945 D8          MOV DWORD PTR SS:[EBP-28],EAX  - i made this jump to OEP.. dump crashed on the PUSHAW below.. (didnt crash on any other trymedia i tried)

00AD334A   837D D8 00       CMP DWORD PTR SS:[EBP-28],0

00AD334E   74 49            JE SHORT .00AD3399  -  this jump = on to exitprocess

00AD3350   813D 709BAC00 54>CMP DWORD PTR DS:[AC9B70],416E6454

00AD335A   75 2F            JNZ SHORT .00AD338B

00AD335C   6A 00            PUSH 0

00AD335E   FF15 E841BD00    CALL DWORD PTR DS:[BD41E8]               ; kernel32.GetModuleHandleA

00AD3364   8B0D 7C9BAC00    MOV ECX,DWORD PTR DS:[AC9B7C]

00AD336A   03C8             ADD ECX,EAX

00AD336C   890D 0869A600    MOV DWORD PTR DS:[A66908],ECX

00AD3372   8B25 0069A600    MOV ESP,DWORD PTR DS:[A66900]

00AD3378   A1 0469A600      MOV EAX,DWORD PTR DS:[A66904]

00AD337D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX

00AD3383   66:61            POPAW

00AD3385   FF25 0869A600    JMP DWORD PTR DS:[A66908]      get modified above.. and jumps to OEP 

00AD338B   6A 00            PUSH 0

00AD338D   68 686AA600      PUSH .00A66A68                    ; ASCII "Everything OK!"


after this the dump runs fine.

when i switch to fullscreen.. it crashes because somthing in ddraw.dll .. go figure :P

ive only dumped and cracked this one exe, and i think its older trymedia..
yet to work on some other exes..
bad technique?
gabri3l
June 4th, 2005, 18:00
Mephisto I am working on an activemark game as well. And I am pretty much at the same area you are.
Here's what I've done so far:

-Set HW BP on OEP (found OEP using PEID and verified by dumping the file and searching for for "TdnA" and counting 13 bytes, including TdnA)
-Run program till we hit OEP.
(you have to hit play free trial)
-Analyze program
-you will be here:
Code:
20003BC4  /. 55             PUSH EBP

20003BC5  |. 8BEC           MOV EBP,ESP

20003BC7  |. 6A FF          PUSH -1

20003BC9  |. 68 F0810020    PUSH XXXX.200081F0

20003BCE  |. 68 204E0020    PUSH XXXX.20004E20           ;  SE handler installation

20003BD3  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]

20003BD9  |. 50             PUSH EAX

20003BDA  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP

20003BE1  |. 83EC 58        SUB ESP,58

20003BE4  |. 53             PUSH EBX

20003BE5  |. 56             PUSH ESI

20003BE6  |. 57             PUSH EDI

20003BE7  |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP

20003BEA  |. FF15 24F21720  CALL NEAR DWORD PTR DS:[2017F224];  kernel32.GetVersion

20003BF0  |. 33D2           XOR EDX,EDX

20003BF2  |. 8AD4           MOV DL,AH

20003BF4  |. 8915 2CCE0020  MOV DWORD PTR DS:[2000CE2C],EDX

20003BFA  |. 8BC8           MOV ECX,EAX

20003BFC  |. 81E1 FF000000  AND ECX,0FF

20003C02  |. 890D 28CE0020  MOV DWORD PTR DS:[2000CE28],ECX

20003C08  |. C1E1 08        SHL ECX,8

20003C0B  |. 03CA           ADD ECX,EDX


-Now dumping and fixing the imports did not work for me so I set a BP on the first .bss section. and continued running
- I then broke here:
Code:
2009A3BE   B8 D99D0920      MOV EAX,XXXX.20099DD9

2009A3C3   E8 B0110C00      CALL XXXX.2015B578  ****STEP OVER***

2009A3C8   83EC 20          SUB ESP,20

2009A3CB   E9 CB0B0000      JMP XXXX.2009AF9B

2009A3D0   E8 BDD50800      CALL XXXX.20127992  ***STEP INTO***

2009A3D5   8B45 D8          MOV EAX,DWORD PTR SS:[EBP-28]

2009A3D8   E9 5C0B0000      JMP XXXX.2009AF39

2009A3DD   AF               SCAS DWORD PTR ES:[EDI]

2009A3DE   A9 0F8238FC      TEST EAX,FC38820F


-Step into the second call and you are here:
Code:
20127992   B8 88EB1620      MOV EAX,XXXX.2016EB88

20127997   E8 DC3B0300      CALL XXXX.2015B578  ***STEP INTO***

2012799C   81EC 74010000    SUB ESP,174

201279A2   53               PUSH EBX

201279A3   56               PUSH ESI



-Step into that call and you are here:
Code:


2015B578   6A FF            PUSH -1

2015B57A   50               PUSH EAX

2015B57B   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]

2015B581   50               PUSH EAX

2015B582   8B4424 0C        MOV EAX,DWORD PTR SS:[ESP+C]

2015B586   64:8925 00000000 MOV DWORD PTR FS:[0],ESP

2015B58D   896C24 0C        MOV DWORD PTR SS:[ESP+C],EBP

2015B591   8D6C24 0C        LEA EBP,DWORD PTR SS:[ESP+C]

2015B595   50               PUSH EAX

2015B596   C3               RETN


Scroll down and we see the beginning of something:
Code:
2015B597   55               PUSH EBP

2015B598   8BEC             MOV EBP,ESP

2015B59A   6A FF            PUSH -1

2015B59C   68 E80B0820      PUSH XXXX.20080BE8

2015B5A1   68 70191620      PUSH XXXX.20161970

2015B5A6   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]

2015B5AC   50               PUSH EAX

2015B5AD   64:8925 00000000 MOV DWORD PTR FS:[0],ESP

2015B5B4   83EC 58          SUB ESP,58

2015B5B7   53               PUSH EBX

2015B5B8   56               PUSH ESI

2015B5B9   57               PUSH EDI

2015B5BA   8965 E8          MOV DWORD PTR SS:[EBP-18],ESP

2015B5BD   FF15 24F21720    CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion

2015B5C3   33D2             XOR EDX,EDX

2015B5C5   8AD4             MOV DL,AH

2015B5C7   8915 7C9D1720    MOV DWORD PTR DS:[20179D7C],EDX

2015B5CD   8BC8             MOV ECX,EAX

2015B5CF   81E1 FF000000    AND ECX,0FF

2015B5D5   890D 789D1720    MOV DWORD PTR DS:[20179D78],ECX

2015B5DB   C1E1 08          SHL ECX,8

2015B5DE   03CA             ADD ECX,EDX

2015B5E0   890D 749D1720    MOV DWORD PTR DS:[20179D74],ECX

2015B5E6   C1E8 10          SHR EAX,10


-So this is around where you are as well.
-I set a hardware BP on 2015B597 and then restarted the program. I ran until we reached it. I then dumped fixed the imports using this as my OEP
- Running the program brings about immediate exitprocess, however if you look at the call stack in Olly you can trace it back to the same code you posted:
Code:
200827F8   51               PUSH ECX

200827F9   83EC 18          SUB ESP,18

200827FC   53               PUSH EBX

200827FD   56               PUSH ESI

200827FE   57               PUSH EDI

200827FF   8965 F0          MOV DWORD PTR SS:[EBP-10],ESP

20082802   8365 EC 00       AND DWORD PTR SS:[EBP-14],0

20082806   8365 FC 00       AND DWORD PTR SS:[EBP-4],0

2008280A   FF75 08          PUSH DWORD PTR SS:[EBP+8]

2008280D   FF75 10          PUSH DWORD PTR SS:[EBP+10]

20082810   E8 2B820000      CALL XXXX.2008AA40  ****SETS UP BROWSER WINDOW, CHECKS LICENSE ETC***

20082815   59               POP ECX

20082816   59               POP ECX

20082817   8945 D8          MOV DWORD PTR SS:[EBP-28],EAX

2008281A   837D D8 00       CMP DWORD PTR SS:[EBP-28],0

2008281E   74 49            JE SHORT XXXX.20082869 ***IF BROWSER, LICENSE ETC IS OKAY THEN CONTINUE ELSE ExitProcess***

20082820   813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454

2008282A   75 2F            JNZ SHORT XXXX.2008285B

2008282C   6A 00            PUSH 0  ***CONTINUE EXECUTION***

2008282E   FF15 CCF11720    CALL NEAR DWORD PTR DS:[2017F1CC]  ; kernel32.GetModuleHandleA

20082834   8B0D CC900720    MOV ECX,DWORD PTR DS:[200790CC]

2008283A   03C8             ADD ECX,EAX

2008283C   890D E8680120    MOV DWORD PTR DS:[200168E8],ECX  ***MOVES OUR OEP INTO 200168E0***

20082842   8B25 E0680120    MOV ESP,DWORD PTR DS:[200168E0]

20082848   A1 E4680120      MOV EAX,DWORD PTR DS:[200168E4]

2008284D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX

20082853   66:61            POPAW

20082855  -FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]   ;***WILL JUMP TO OUR OEP*** 

2008285B   6A 00            PUSH 0

2008285D   68 486A0120      PUSH XXXX.20016A48             ; ASCII "Everything OK!"

20082862   E8 F78C0000      CALL XXXX.2008B55E

20082867   59               POP ECX

20082868   59               POP ECX

20082869   EB 6E            JMP SHORT XXXX.200828D9

2008286B   8365 EC 00       AND DWORD PTR SS:[EBP-14],0

2008286F   B8 D9280820      MOV EAX,XXXX.200828D9

20082874   C3               RETN

- This jump here:
Code:
20082855  -FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]   ;***WILL JUMP TO OUR OEP***
will jump to the OEP we found with PEID
-Basically it seems that the program goes into CALL XXXX.2008AA40.
-This call sets up browser etc, and sets stuff up depending on if you choose "Continue Trial" or just close the browser box. If you continue the trial the rest of the program is initialized. Otherwise nothing is init. My trial has run out so I have to close the window.
-I tried reversing this jump in my dumped file:
Code:
2008281E   74 49            JE SHORT XXXX.20082869 ***REVERSED THIS JUMP SO IT WOULD ALWAYS CONTINUE***

20082820   813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454

2008282A   75 2F            JNZ SHORT XXXX.2008285B

- HOWEVER, You get this error when running:
"Unable to load Movie Playlist. Does the INI file exist? It must contain a section [Movies] with an entry..."
- So I tried on my real executable. I cannot run the game part so I have to choose close on the browser window. That JE SHORT XXXX.20082869 is never reached instead we go straight to ExitProcess. Setting a BP on Exit Process I found that it was called by this section of code:
Code:
200828D9   834D FC FF       OR DWORD PTR SS:[EBP-4],FFFFFFFF

200828DD   E8 D5810000      CALL XXXX.2008AAB7

200828E2   FF75 EC          PUSH DWORD PTR SS:[EBP-14]

200828E5   FF15 28F11720    CALL NEAR DWORD PTR DS:[2017F128]   ; kernel32.ExitProcess

200828EB   8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]

200828EE   64:890D 00000000 MOV DWORD PTR FS:[0],ECX

200828F5   5F               POP EDI

200828F6   5E               POP ESI

200828F7   5B               POP EBX

200828F8   C9               LEAVE

-So I set a HW BP on the beginning of that little section. When I broke, I tried changing my origin to:
Code:
2008282C   6A 00            PUSH 0  ***CONTINUE EXECUTION***

2008282E   FF15 CCF11720    CALL NEAR DWORD PTR DS:[2017F1CC]   ; kernel32.GetModuleHandleA

20082834   8B0D CC900720    MOV ECX,DWORD PTR DS:[200790CC]

2008283A   03C8             ADD ECX,EAX

2008283C   890D E8680120    MOV DWORD PTR DS:[200168E8],ECX

20082842   8B25 E0680120    MOV ESP,DWORD PTR DS:[200168E0]

20082848   A1 E4680120      MOV EAX,DWORD PTR DS:[200168E4]

2008284D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX

20082853   66:61            POPAW

20082855   FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]    ; XXXX.2015B597

-This brought about the same error I recieved when running the dumped file. So somewhere in that program is determined if we chose continue trial or just closed the window. And depending on what we pick it will initilize the rest of the program. At least that is what happens in my target; Activemark version 5.31.1140
-So at this point I am stuck; but at least I know that I am in the right area.
condzero
June 5th, 2005, 11:43
gabri3l / MEPHiST0,

The questions you raise, and the means to circumvent the protection
would require a Tutorial. The problem you may both be running into can
be any one of the following:

1) The application utilizes the Macromedia Flash Projector as in the case of
gabri3l.
2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.
3) The application originated on CD/DVD. For this, Activemark will setup a temp path in your registry. Sometimes, you can identify and change (the app's path) this reference in your registry to a more static one, i.e. a reference to the program's directory where the data is physically located. You may have to change a DWORD reference in the program to look for your new registry change. This is unscientific.

If your lucky enough to have a normal program, then I would recommend
dumping the app at the first EP, which is usually like below:

Code:
00EB12D8 >  66:60                    PUSHAW

00EB12DA    8925 F048E400            MOV DWORD PTR DS:[E448F0],ESP

00EB12E0    64:A1 00000000           MOV EAX,DWORD PTR FS:[0]

00EB12E6    A3 F448E400              MOV DWORD PTR DS:[E448F4],EAX

00EB12EB    6A 00                    PUSH 0

00EB12ED    FF15 FC21FB00            CALL DWORD PTR DS:[FB21FC]               ; kernel32.GetModuleHandleA

00EB12F3    A3 F848E400              MOV DWORD PTR DS:[E448F8],EAX

00EB12F8    A1 F848E400              MOV EAX,DWORD PTR DS:[E448F8]

00EB12FD    0305 687BEA00            ADD EAX,DWORD PTR DS:[EA7B68]            ; xxxxxx.00B8E577

00EB1303    A3 F848E400              MOV DWORD PTR DS:[E448F8],EAX

00EB1308    FF25 F848E400            JMP DWORD PTR DS:[E448F8]

00EB130E    B8 0411FA00              MOV EAX,Xxxxxx.00FA1104

00EB1313    E8 40D20D00              CALL Xxxxxx.00F8E558

00EB1318    51                       PUSH ECX

00EB1319    83EC 18                  SUB ESP,18

00EB131C    53                       PUSH EBX

00EB131D    56                       PUSH ESI

00EB131E    57                       PUSH EDI

00EB131F    8965 F0                  MOV DWORD PTR SS:[EBP-10],ESP

00EB1322    8365 EC 00               AND DWORD PTR SS:[EBP-14],0

00EB1326    8365 FC 00               AND DWORD PTR SS:[EBP-4],0

00EB132A    FF75 08                  PUSH DWORD PTR SS:[EBP+8]

00EB132D    FF75 10                  PUSH DWORD PTR SS:[EBP+10]

00EB1330    E8 EE9F0000              CALL Xxxxxx.00EBB323

00EB1335    59                       POP ECX

00EB1336    59                       POP ECX

00EB1337    8945 D8                  MOV DWORD PTR SS:[EBP-28],EAX

00EB133A    837D D8 00               CMP DWORD PTR SS:[EBP-28],0		<< change 0 to 1

00EB133E    74 49                    JE SHORT Xxxxxx.00EB1389

00EB1340    813D 607BEA00 54646E41   CMP DWORD PTR DS:[EA7B60],416E6454

00EB134A    75 2F                    JNZ SHORT Xxxxxx.00EB137B

00EB134C    6A 00                    PUSH 0

00EB134E    FF15 FC21FB00            CALL DWORD PTR DS:[FB21FC]               ; kernel32.GetModuleHandleA

00EB1354    8B0D 6C7BEA00            MOV ECX,DWORD PTR DS:[EA7B6C]

00EB135A    03C8                     ADD ECX,EAX

00EB135C    890D F848E400            MOV DWORD PTR DS:[E448F8],ECX

00EB1362    8B25 F048E400            MOV ESP,DWORD PTR DS:[E448F0]

00EB1368    A1 F448E400              MOV EAX,DWORD PTR DS:[E448F4]

00EB136D    64:A3 00000000           MOV DWORD PTR FS:[0],EAX

00EB1373    66:61                    POPAW

00EB1375    FF25 F848E400            JMP DWORD PTR DS:[E448F8]

00EB137B    6A 00                    PUSH 0

00EB137D    68 584AE400              PUSH Xxxxxx.00E44A58                     ; ASCII "Everything OK!"

00EB1382    E8 64750000              CALL Xxxxxx.00EB88EB

00EB1387    59                       POP ECX

00EB1388    59                       POP ECX

00EB1389    EB 6E                    JMP SHORT Xxxxxx.00EB13F9


Load your favorite import rec utility to rebuild and add an IAT to the above
dump.

Make the above noted change to your code, and see if the app runs. If it flames, it will probably be due to one of the items I listed above.

A few points. ActiveMark, does a CRC check on your newly created unpacked file. You can follow the logic after (usually in more newer versions) the 2nd CREATEFILE in the program. If it fails this check you immediately kick out, with the BAD EAX value of '0', referenced in code above where I make note of a change.

After this it does the license check. Sets the appropriater status, then if you're not licensed, it will CREATEFILE all the data files in your ALL USERS
or PROGRAM FILES\TRYMEDIA directories where it keeps track of your usage (Time limitations). There are also (4) registry keys:

HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\CLSID\\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" identifed by the subkey "Implemented Categories". There are usually a bunch of ascending encrypted subkeys (maybe as many as 7).

You can find the (4) registry keys by running your dumped program looking at the REGOPENKEY functions or by using a registry snapshot utility before and after running the program.

The program will then build the all too familiar browser screen.

The program will reset the above temp data files and registry keys after
getting LOCALTIME/SYSTEMTIME.

The program will then set a timer (SETTIMER) with an elapsed time of 60 seconds to keep track of your program usage every minute on the minute.
So when you're time is up, the program will kick out with the no time left
browser screen.

So, if you're not up to writing a custom loader to apply the necessary changes to the program's memory, you can delete the data files and registry keys and get back your time and run the app, knowing you can run if for no more than the allowable time before having to re-delete the files/keys again.

I can offer more, but not here. Active minds, pardon the pun, are watching these threads.

Good Luck,

condzero
UPucker
June 6th, 2005, 12:20
This is exactly the thread I was looking for. An explanation of what I am currently working on. Its nice to get experienced explanations in addition to the tutorials. The idea of live tutorials alone makes this forum invaluable.
MEPHiST0
June 6th, 2005, 16:28
hi condzero

Quote:
2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.

yes, almost all the data files an encrypted..
i dump from the 2nd layer (and near the first where you mentioned.. )
the game runs fine in windowed mode, crashes after 5 or 10 minutes tho.
(my point, the file is decrypting the data files properly so the game is playable.)
Full screen however runs and starts, crashes while doing somthing with ddraw.dll..
yet to figure that out.. maybe where i dump?


as for the other tips, thanks, ill check it out
psunlock
June 10th, 2005, 17:08
latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers
curVV
June 10th, 2005, 18:09
ActiveMark?
Woodmann
June 10th, 2005, 18:34
Quote:
latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers


Wait right there, the bus is coming for you

Woodmann
Nacho_dj
August 4th, 2005, 09:20
Hello:

As I have been handling all the games you have been talking about with, I would like to tell you that you can find all of them in another URL:
hxxp://www.zylom.com

and they are using different protection of that of ActiveMARK.

Just try it...

Cheers

Nacho_dj
gabri3l
August 4th, 2005, 10:35
The zylom games use softwrap as a protection.
Most of them can be unpacked following the directions here:
hxxp://intechhosting.com/~access/forums/?showtopic=607

There are a few games that cannot be unpacked with this method. Some of the newer games use a copymem feature. If you dump the dll you will notice some NOP's at the OEP. By breaking on WriteProcessMemory you can recover those Bytes. I'm pretty sure there are some more bytes that need to be recovered as well. I haven't played around with it long enough to make a correct dump. But doesn't seem to hard.