Log in

View Full Version : Challenge


Jak
May 12th, 2005, 12:30
The protection on Popcap games is very difficult. I have been ReEngineering for a year but i still think this can give you bigshots a run for your money. I'm not asking for spoon-feeding, just give me a few tips if you can (try mummy maze, rocket mania, seven seas or heavy weapon).
Jak

condzero
May 12th, 2005, 18:17
Jak, Jak, Jak..... I am not all too impressed by your challenge.
Without mentioning names, I downloaded and installed one of your programs.
The program was neither packed nor encrypted. After spending about 1/2 hour fooling around, I keyed on the area of the program that YOU should have noticed where the program calls a procedure that reads a registry key and goes through a rather lengthy and laborious algorithm to determine if you have a valid key, then lower order byte of EAX is set:

MOV AL,BYTE PTR SS:[ESP+13]

You can modify this instruction to:
MOV AL,1
NOP
NOP

The procedure returns and the program moves the value in AL to an area
in the .data section:

MOV BYTE PTR SS:[EBP+2F0],AL.

Further down in the program, the value is checked to determine if
you are registered.

I have not interest in this program, so it is still possible that there might be
another condition set. The main point is that with a little digging you can
find the solution. I assume you are using a debugger and that you have some knowledge on how to use it.

So my answer is an emphatic NO. I don't believe their protection is that great.
As an aside, if you find the same game elsewhere, and it is (protected) by a version of software that you can crack, go there.

Good Luck!

Woodmann
May 12th, 2005, 19:04
Howdy,

A very good reply from condzero.
This is not difficult and, if you dont understand it,
go get a patch from somewhere out there and study it.

Woodmann

(Did ya'll want me to bash the shit out of him ??? )

Jak
May 15th, 2005, 12:58
To try and save myself a bit of dignity:
I did work out how it is done - i was looking in the wrong direction entirely (at the error message and not the protection - well that was what i was taught. I think i'll use my own methods from now on.). Oh well, these things happen. Thanks for the replies - don't think i deserved the shit bashed out of me, though.
Jak

naides
May 15th, 2005, 13:37
Jak. you would really have to do something very shitty to get the bashing wrath of Woodmann going!

In a little more serious tone (as if I ever can be taken seriusly) It is not unusual even for experienced crackers to bark in the wrong tree for a while and overlook the obvious. Tell me about it.
It is also not at all sinful to cheat a little bit and download already made cracks in order to compare the before and after files and see the solution someone else already figure out. Then try to understand why or how you had not found the critical code of the protection

Woodmann
May 15th, 2005, 15:34
Hi Jak,

You have lost no dignity here.
I had the desire to look around inside some of those games
to see how they worked. I got close to figuring it out but my old
brain just couldnt figure out the last step.

So I cheated and looked at someone elses work.
It was just one of those things that when you see how it is done,
you think "son of a bitch" how could I not see that.

You did it yourself. Good job

Woodmann

curVV
May 18th, 2005, 12:17
hey jak,

how bout writing a tutorial on how you RE'd one of those titles for the not so advanced n00bs like meself??

Jak
May 19th, 2005, 13:30
Alright my friend, it's coming soon.
I have to tell ya you'll be disappointed with it, because evrytime you start it up it'll ask you to register again, but to get around that i'd have to research a it more about those two-letter registers like ax and al, which i know very little about.

evlncrn8
May 19th, 2005, 14:25
google for 'helppc21', download it, it'll explain those little registers and the asm commands
ax = 16 bit counterpart of eax (eax being 32 bit)
ah = high 8 bit part of ax
al = low 8 bit part of ax

gabri3l
May 19th, 2005, 14:26
Allright, a question I can actually answer.

Jak the EAX, AX, AH, and AL registers are all part of Register A

Register A is 32 bits (8 hexadecimal Bytes)

The whole Register A is called EAX, the one you see in the regsiters window of Olly.

However Register A can be divided into AX which is the lower 4 bytes of EAX.
So if EAX is 1111FF00 then AX is just FF00

Now AX can be divided as well. Into HIGH and LOW BYTES. This is AH and AL. AH is the High byte and AL is the LOW byte.
So if AX is FF00 then AH is FF and AL is 00

This can be applied to most of the other registers as well. So if you see BL you know that it is the last Byte of the EBX register.

Jak
May 19th, 2005, 14:28
Cheers, man. Hey, i'm so glad i found this messageboard - i'm learning more now than i have been for a good few months. Far be it from me to suggest it, but perhaps a messageboard with fundamental tips for newbies might be prudent - golden rules.
I think it would help me and people like me.
Anyway...think about it.
Cheers,
Jak

evlncrn8
May 20th, 2005, 06:32
register A ? thats a new one on me heh, as for fundamental tips.. FAQ and Search.. just like it says in your signature when you sign up, do like it says and you'll make jmi a happy chappie

naides
May 20th, 2005, 09:17
Be aware: The fact that Those AX and BX registers are old, legacy code, does not mean that Debugging and RCE 16 bit code is any easier. Quite the contrary, the use of segmented memory and other wrinkles make tracing 16 bit code a fucking maze.
If you are doing it on a XP OS, the code often goes to a 16 bit VM subsytem, and you have to use a different debugger to be able to trace.

Do not underestimate the complexity of 16 bit code

Jak
May 22nd, 2005, 13:45
You asked for it, you got it. This is my tutorial for three popcap games (hell, it’ll probably work with more). It doesn’t work with heavy weapon, my limited knowledge tells me it’s packed, and I don’t know shit about that kind of thing. Anyway, read on and learn about how untutored pikies crack things. *Note: This tutorial is written for seven seas*

As with all good crackers, I will start my crack with w32dasm. As you all should know, we are looking for the error message in “string references”, the error message being “The registration number you have entered blablabla”. So - load up either seven seas, mummy maze or rocket mania into w32dasm (it doesn’t matter which one, they all work with this technique). Click on string references, and look for our string. Found it? Double click on it. And again. It appears in two places. It seems to my uneducated mind as if the writer is attempting to confuse crackers, or simply it is loading the string into a register for further use. Anyway…
* Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance one
->"is not valid for that name."
|
:00420EDF BFF0644A00 mov edi, 004A64F0 => at address 004a64f0 is your string, “the registration…” this procedures moves it to edi (for future reference?)
:00420EE4 83C9FF or ecx, FFFFFFFF
:00420EE7 33C0 xor eax, eax
:00420EE9 6A01 push 00000001
:00420EEB F2 repnz
:00420EEC AE scasb
:00420EED F7D1 not ecx
:00420EEF 49 dec ecx
:00420EF0 8BD9 mov ebx, ecx
:00420EF2 8D4C2420 lea ecx, dword ptr [esp+20]
:00420EF6 53 push ebx
:00420EF7 E814B4FEFF call 0040C310
:00420EFC 84C0 test al, al
:00420EFE 7427 je 00420F27
:00420F00 8B7C2420 mov edi, dword ptr [esp+20]
:00420F04 8BCB mov ecx, ebx
:00420F06 8BC1 mov eax, ecx

* Possible StringData Ref from Data Obj ->"The registration number you entered " =>instance two
->"is not valid for that name."
|
:00420F08 BEF0644A00 mov esi, 004A64F0
:00420F0D C1E902 shr ecx, 02
This was where I made my mistake and went crying to this message board. Usually I would scroll up and find a J* (JMP, JZ, JNZ etc) that jumps over these two strings. Like…this one-
:00420E82 3BC6 cmp eax, esi
:00420E84 89742474 mov dword ptr [esp+74], esi
:00420E88 0F843F010000 je 00420FCD =>this one here
Then, invert it like so:
:00420E82 3BC6 cmp eax, esi
:00420E84 89742474 mov dword ptr [esp+74], esi
:00420E88 0F843F010000 jne 00420FCD
Go ahead, try it……….

Bugger. All it did was to cut that text out of the bad boy msgbox.

>explanation time
>this msgbox is made up of three “pieces”
>1: The title – string “invalid”
>2: The text – string “the registration…”
>3: The go-away button – string “ok”
>If you wanna have a little fun, get rid of each of these strings in turn by >inverting the J* above them. What happens? You get a new messagebox >saying you have registered, but you don’t actually get regged. This is >because the program keeps plodding along the code until it reaches a string >that it can put in because you have killed the other strings. (Hmmmm…>maybe I’m not that crap after all)
>explanation time over

So I got pissed off and ate a pizza. I tried again. Go to The String (I can’t be arsed to type it out every time. It’s called The String from here on in) in w32dasm. Scroll up until you find where it’s referenced from *note: on mummy maze and rocket mania, it is referenced from two Calls – don’t worry. Either set breakpoints on them and find which one breaks when you press ok after typing in your dummy reg details, or find the one with code that looks like this*

* Referenced by a CALL at Address:
|:00421CC6 => looky here!
|
:00420E40 6AFF push FFFFFFFF
:00420E42 68D0F34800 push 0048F3D0
:00420E47 64A100000000 mov eax, dword ptr fs:[00000000]
:00420E4D 50 push eax

See that – go there

:00421CC6 E875F1FFFF call 00420E40 => here’s yer call
:00421CCB 33FF xor edi, edi
:00421CCD E9E7010000 jmp 00421EB9 => oh dear, an unconditional jump – it can’t reference our registration, that would mean we either always would or always wouldn’t get regged.

So that ain’t it. Hold on – look higher! Is that the hacker’s threesome? Call, Test, J*? It is!

:00421CBD FF5040 call [eax+40] => I
:00421CC0 84C0 test al, al =>Love
:00421CC2 750E jne 00421CD2 =>You
:00421CC4 8BCD mov ecx, ebp
:00421CC6 E875F1FFFF call 00420E40
:00421CCB 33FF xor edi, edi
:00421CCD E9E7010000 jmp 00421EB9

Yes indeed, the hacker’s threesome. We’re onto something. Just for a laugh, nop the call (in ollydbg, press space, and replace call [eax+40] with NOP). Try and get regged. Nothing happens. That means that this call references the procedure to get regged. You now have two choices:
1. Do like me: change the jne 00421CD2 to je 00421CD2 and deal with having to register every time you start up (it’s not that bad.). Or…
2. Step into the Call (F7), and be a proper hacker and find the valid code using keygens and mathematics and whatnot.
Well, that’s about it. I could try and “be a proper hacker” right now, but it’s late, and frankly staring at a computer screen for too long depresses me somehow. Until next time, my friends.
Jak

P.S. This was my first tutorial – if it’s shit, let me know.

Jak
May 22nd, 2005, 13:48
it seems that my tutorial has been "squished" as i forgot to preview it. Text beginning with "=>" is commentary and will not appear in w32dasm. (Obvious, yes, but this stuff confused me when i first started)

curVV
May 24th, 2005, 13:09
Nice. Thanks Jak. Great way to learn - writing tuotrials!
Either JMI or Woodmann is prolly gawn slaughter yo ass for your total disregard of forum policy but thanks for the effort anyhoo!

JMI
May 24th, 2005, 15:14
That option is under consideration. The only delay has been in considering whether we may wish to modify our Rules in light of the current location of our Forum.

Regards,

Woodmann
May 24th, 2005, 15:56
And..........

The fact that finding cracks for those games requires just about no effort

Woodmann

evlncrn8
May 25th, 2005, 03:08
yeh, now for challenge 2 - make a keygen from reversing the algo you found..

Admiral
May 25th, 2005, 06:55
Quote:
[Originally Posted by evlncrn8]yeh, now for challenge 2 - make a keygen from reversing the algo you found..


Surely this is less a challenge and more of a tedious and laborious trawl through an already understood protection. That said, feel free to indulge yourself if you have nothing better to do for a few hours.

J2005
May 26th, 2005, 00:14
Thanx and all the best for your future challenges

JohnWho
May 26th, 2005, 05:52
Here's my mini tute for 'Seven Seas'(probably all popcap games).

It's written for complete newbies so it's extremely simply! And yes those popcap games are extremely easy to deal with.

esther
May 26th, 2005, 09:12
I wondered.....
The names of the targetand codes were posted here its seems no one cares about the rules?

Woodmann
May 26th, 2005, 15:05
This matter is currently being discussed


Woodmann

curVV
May 29th, 2005, 05:28
JohnWho: Nice tutorial. thnx.

quote from tut: Our pointer is pointing at address 004AD704

I know it might be different on my computer, but where did you get that? I'm a lil confused...

condzero
May 29th, 2005, 09:55
I'll chip in my 2cents worth.

Based on the material I am reading from the ActiveMark website:

http:\\www.trymedia.com

and I quote:

Quote:
Trymedia Systems, secure digital distribution services provider and operator of the world’s largest distribution network for downloadable games, has further bolstered its digital distribution network by establishing new partnerships with top casual game publishers and developers Big Fish Games, FreshGames, iWin, PlayFirst, Selecsoft and Toy Box Games.


You will see Popcap listed as one of the many partners. So it's only a matter
of time before most of you will become all too familiar with ActiveMark.
However, many games/apps protected by this software are also more easily
obtainable elsewhere.

JohnWho
May 29th, 2005, 10:38
Quote:
[Originally Posted by curVV]JohnWho: Nice tutorial. thnx.

quote from tut: Our pointer is pointing at address 004AD704

I know it might be different on my computer, but where did you get that? I'm a lil confused...


I'm not sure what exactly you confused about, but...

This compare function...

:00425D4E 38992C030000 cmp byte ptr [ecx+0000032C], bl

...is pointing at our registration address. Do a "d ecx+32c" without the quotes when your on the instruction and you'll see the pointed address!

curVV
May 29th, 2005, 23:02
ok. was confused coz we were still in w32dasm. wondered how you got the address from there..

JohnWho
May 30th, 2005, 00:22
Quote:
[Originally Posted by curVV]ok. was confused coz we were still in w32dasm. wondered how you got the address from there..


Hehe... yeah i know i'm not specially good at explaining stuff, thats why i almost never write tutorials.

curVV
May 30th, 2005, 13:02
Quote:
[Originally Posted by condzero]

You will see Popc4p listed as one of the many partners. So it's only a matter
of time before most of you will become all too familiar with ActiveMark.
However, many games/apps protected by this software are also more easily
obtainable elsewhere.


Hmm no wonder. Another Popcap title already mentioned in this thread above by Jak, loaded into PEiD yields:
Nothing found [Overlay] *
7.95 (Packed)
Packed
Packed

So maybe its already packed with ActiveMark

after a quick dump in olly i checked it again with the Krypto plugin and found refs to crc32, md5 and some other stuff i've never heard of.

Dont think we'll ever find a popc4p game as easy as s3v3n s34s to RE...

MEPHiST0
June 4th, 2005, 14:32
ive dumped a Trymedia protect game just yesterday..

i dumped at the licence layer entry point..
fixed imports with imprec..
found the GetModuleHandleA call in the licence layer EP..

traced into the call under it..

Code:
00BB0723 FF15 E841BD00 CALL DWORD PTR DS:[BD41E8] ; kernel32.GetModuleHandleA
00BB0729 50 PUSH EAX
00BB072A E8 EF2BF2FF CALL .00AD331E



u see
Code:
00AD331E B8 D431BC00 MOV EAX,.00BC31D4
00AD3323 E8 08D30D00 CALL .00BB0630
00AD3328 51 PUSH ECX
00AD3329 83EC 18 SUB ESP,18
00AD332C 53 PUSH EBX
00AD332D 56 PUSH ESI
00AD332E 57 PUSH EDI
00AD332F 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00AD3332 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
00AD3336 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00AD333A FF75 08 PUSH DWORD PTR SS:[EBP+8]
00AD333D FF75 10 PUSH DWORD PTR SS:[EBP+10]
00AD3340 E8 EE9F0000 CALL .00ADD333
00AD3345 59 POP ECX
00AD3346 59 POP ECX
00AD3347 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX - i made this jump to OEP.. dump crashed on the PUSHAW below.. (didnt crash on any other trymedia i tried)
00AD334A 837D D8 00 CMP DWORD PTR SS:[EBP-28],0
00AD334E 74 49 JE SHORT .00AD3399 - this jump = on to exitprocess
00AD3350 813D 709BAC00 54>CMP DWORD PTR DS:[AC9B70],416E6454
00AD335A 75 2F JNZ SHORT .00AD338B
00AD335C 6A 00 PUSH 0
00AD335E FF15 E841BD00 CALL DWORD PTR DS:[BD41E8] ; kernel32.GetModuleHandleA
00AD3364 8B0D 7C9BAC00 MOV ECX,DWORD PTR DS:[AC9B7C]
00AD336A 03C8 ADD ECX,EAX
00AD336C 890D 0869A600 MOV DWORD PTR DS:[A66908],ECX
00AD3372 8B25 0069A600 MOV ESP,DWORD PTR DS:[A66900]
00AD3378 A1 0469A600 MOV EAX,DWORD PTR DS:[A66904]
00AD337D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00AD3383 66:61 POPAW
00AD3385 FF25 0869A600 JMP DWORD PTR DS:[A66908] get modified above.. and jumps to OEP
00AD338B 6A 00 PUSH 0
00AD338D 68 686AA600 PUSH .00A66A68 ; ASCII "Everything OK!"


after this the dump runs fine.

when i switch to fullscreen.. it crashes because somthing in ddraw.dll .. go figure :P

ive only dumped and cracked this one exe, and i think its older trymedia..
yet to work on some other exes..
bad technique?

gabri3l
June 4th, 2005, 18:00
Mephisto I am working on an activemark game as well. And I am pretty much at the same area you are.
Here's what I've done so far:

-Set HW BP on OEP (found OEP using PEID and verified by dumping the file and searching for for "TdnA" and counting 13 bytes, including TdnA)
-Run program till we hit OEP.
(you have to hit play free trial)
-Analyze program
-you will be here:
Code:
20003BC4 /. 55 PUSH EBP
20003BC5 |. 8BEC MOV EBP,ESP
20003BC7 |. 6A FF PUSH -1
20003BC9 |. 68 F0810020 PUSH XXXX.200081F0
20003BCE |. 68 204E0020 PUSH XXXX.20004E20 ; SE handler installation
20003BD3 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
20003BD9 |. 50 PUSH EAX
20003BDA |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
20003BE1 |. 83EC 58 SUB ESP,58
20003BE4 |. 53 PUSH EBX
20003BE5 |. 56 PUSH ESI
20003BE6 |. 57 PUSH EDI
20003BE7 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
20003BEA |. FF15 24F21720 CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion
20003BF0 |. 33D2 XOR EDX,EDX
20003BF2 |. 8AD4 MOV DL,AH
20003BF4 |. 8915 2CCE0020 MOV DWORD PTR DS:[2000CE2C],EDX
20003BFA |. 8BC8 MOV ECX,EAX
20003BFC |. 81E1 FF000000 AND ECX,0FF
20003C02 |. 890D 28CE0020 MOV DWORD PTR DS:[2000CE28],ECX
20003C08 |. C1E1 08 SHL ECX,8
20003C0B |. 03CA ADD ECX,EDX



-Now dumping and fixing the imports did not work for me so I set a BP on the first .bss section. and continued running
- I then broke here:
Code:
2009A3BE B8 D99D0920 MOV EAX,XXXX.20099DD9
2009A3C3 E8 B0110C00 CALL XXXX.2015B578 ****STEP OVER***
2009A3C8 83EC 20 SUB ESP,20
2009A3CB E9 CB0B0000 JMP XXXX.2009AF9B
2009A3D0 E8 BDD50800 CALL XXXX.20127992 ***STEP INTO***
2009A3D5 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
2009A3D8 E9 5C0B0000 JMP XXXX.2009AF39
2009A3DD AF SCAS DWORD PTR ES:[EDI]
2009A3DE A9 0F8238FC TEST EAX,FC38820F


-Step into the second call and you are here:
Code:
20127992 B8 88EB1620 MOV EAX,XXXX.2016EB88
20127997 E8 DC3B0300 CALL XXXX.2015B578 ***STEP INTO***
2012799C 81EC 74010000 SUB ESP,174
201279A2 53 PUSH EBX
201279A3 56 PUSH ESI



-Step into that call and you are here:
Code:

2015B578 6A FF PUSH -1
2015B57A 50 PUSH EAX
2015B57B 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
2015B581 50 PUSH EAX
2015B582 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
2015B586 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
2015B58D 896C24 0C MOV DWORD PTR SS:[ESP+C],EBP
2015B591 8D6C24 0C LEA EBP,DWORD PTR SS:[ESP+C]
2015B595 50 PUSH EAX
2015B596 C3 RETN



Scroll down and we see the beginning of something:
Code:
2015B597 55 PUSH EBP
2015B598 8BEC MOV EBP,ESP
2015B59A 6A FF PUSH -1
2015B59C 68 E80B0820 PUSH XXXX.20080BE8
2015B5A1 68 70191620 PUSH XXXX.20161970
2015B5A6 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
2015B5AC 50 PUSH EAX
2015B5AD 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
2015B5B4 83EC 58 SUB ESP,58
2015B5B7 53 PUSH EBX
2015B5B8 56 PUSH ESI
2015B5B9 57 PUSH EDI
2015B5BA 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
2015B5BD FF15 24F21720 CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion
2015B5C3 33D2 XOR EDX,EDX
2015B5C5 8AD4 MOV DL,AH
2015B5C7 8915 7C9D1720 MOV DWORD PTR DS:[20179D7C],EDX
2015B5CD 8BC8 MOV ECX,EAX
2015B5CF 81E1 FF000000 AND ECX,0FF
2015B5D5 890D 789D1720 MOV DWORD PTR DS:[20179D78],ECX
2015B5DB C1E1 08 SHL ECX,8
2015B5DE 03CA ADD ECX,EDX
2015B5E0 890D 749D1720 MOV DWORD PTR DS:[20179D74],ECX
2015B5E6 C1E8 10 SHR EAX,10


-So this is around where you are as well.
-I set a hardware BP on 2015B597 and then restarted the program. I ran until we reached it. I then dumped fixed the imports using this as my OEP
- Running the program brings about immediate exitprocess, however if you look at the call stack in Olly you can trace it back to the same code you posted:
Code:
200827F8 51 PUSH ECX
200827F9 83EC 18 SUB ESP,18
200827FC 53 PUSH EBX
200827FD 56 PUSH ESI
200827FE 57 PUSH EDI
200827FF 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
20082802 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
20082806 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
2008280A FF75 08 PUSH DWORD PTR SS:[EBP+8]
2008280D FF75 10 PUSH DWORD PTR SS:[EBP+10]
20082810 E8 2B820000 CALL XXXX.2008AA40 ****SETS UP BROWSER WINDOW, CHECKS LICENSE ETC***
20082815 59 POP ECX
20082816 59 POP ECX
20082817 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
2008281A 837D D8 00 CMP DWORD PTR SS:[EBP-28],0
2008281E 74 49 JE SHORT XXXX.20082869 ***IF BROWSER, LICENSE ETC IS OKAY THEN CONTINUE ELSE ExitProcess***
20082820 813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
2008282A 75 2F JNZ SHORT XXXX.2008285B
2008282C 6A 00 PUSH 0 ***CONTINUE EXECUTION***
2008282E FF15 CCF11720 CALL NEAR DWORD PTR DS:[2017F1CC] ; kernel32.GetModuleHandleA
20082834 8B0D CC900720 MOV ECX,DWORD PTR DS:[200790CC]
2008283A 03C8 ADD ECX,EAX
2008283C 890D E8680120 MOV DWORD PTR DS:[200168E8],ECX ***MOVES OUR OEP INTO 200168E0***
20082842 8B25 E0680120 MOV ESP,DWORD PTR DS:[200168E0]
20082848 A1 E4680120 MOV EAX,DWORD PTR DS:[200168E4]
2008284D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
20082853 66:61 POPAW
20082855 -FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ;***WILL JUMP TO OUR OEP***
2008285B 6A 00 PUSH 0
2008285D 68 486A0120 PUSH XXXX.20016A48 ; ASCII "Everything OK!"
20082862 E8 F78C0000 CALL XXXX.2008B55E
20082867 59 POP ECX
20082868 59 POP ECX
20082869 EB 6E JMP SHORT XXXX.200828D9
2008286B 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
2008286F B8 D9280820 MOV EAX,XXXX.200828D9
20082874 C3 RETN


- This jump here:
Code:
20082855 -FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ;***WILL JUMP TO OUR OEP***
will jump to the OEP we found with PEID
-Basically it seems that the program goes into CALL XXXX.2008AA40.
-This call sets up browser etc, and sets stuff up depending on if you choose "Continue Trial" or just close the browser box. If you continue the trial the rest of the program is initialized. Otherwise nothing is init. My trial has run out so I have to close the window.
-I tried reversing this jump in my dumped file:
Code:
2008281E 74 49 JE SHORT XXXX.20082869 ***REVERSED THIS JUMP SO IT WOULD ALWAYS CONTINUE***
20082820 813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
2008282A 75 2F JNZ SHORT XXXX.2008285B

- HOWEVER, You get this error when running:
"Unable to load Movie Playlist. Does the INI file exist? It must contain a section [Movies] with an entry..."
- So I tried on my real executable. I cannot run the game part so I have to choose close on the browser window. That JE SHORT XXXX.20082869 is never reached instead we go straight to ExitProcess. Setting a BP on Exit Process I found that it was called by this section of code:
Code:
200828D9 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
200828DD E8 D5810000 CALL XXXX.2008AAB7
200828E2 FF75 EC PUSH DWORD PTR SS:[EBP-14]
200828E5 FF15 28F11720 CALL NEAR DWORD PTR DS:[2017F128] ; kernel32.ExitProcess
200828EB 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
200828EE 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
200828F5 5F POP EDI
200828F6 5E POP ESI
200828F7 5B POP EBX
200828F8 C9 LEAVE

-So I set a HW BP on the beginning of that little section. When I broke, I tried changing my origin to:
Code:
2008282C 6A 00 PUSH 0 ***CONTINUE EXECUTION***
2008282E FF15 CCF11720 CALL NEAR DWORD PTR DS:[2017F1CC] ; kernel32.GetModuleHandleA
20082834 8B0D CC900720 MOV ECX,DWORD PTR DS:[200790CC]
2008283A 03C8 ADD ECX,EAX
2008283C 890D E8680120 MOV DWORD PTR DS:[200168E8],ECX
20082842 8B25 E0680120 MOV ESP,DWORD PTR DS:[200168E0]
20082848 A1 E4680120 MOV EAX,DWORD PTR DS:[200168E4]
2008284D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
20082853 66:61 POPAW
20082855 FF25 E8680120 JMP NEAR DWORD PTR DS:[200168E8] ; XXXX.2015B597

-This brought about the same error I recieved when running the dumped file. So somewhere in that program is determined if we chose continue trial or just closed the window. And depending on what we pick it will initilize the rest of the program. At least that is what happens in my target; Activemark version 5.31.1140
-So at this point I am stuck; but at least I know that I am in the right area.

condzero
June 5th, 2005, 11:43
gabri3l / MEPHiST0,

The questions you raise, and the means to circumvent the protection
would require a Tutorial. The problem you may both be running into can
be any one of the following:

1) The application utilizes the Macromedia Flash Projector as in the case of
gabri3l.
2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.
3) The application originated on CD/DVD. For this, Activemark will setup a temp path in your registry. Sometimes, you can identify and change (the app's path) this reference in your registry to a more static one, i.e. a reference to the program's directory where the data is physically located. You may have to change a DWORD reference in the program to look for your new registry change. This is unscientific.

If your lucky enough to have a normal program, then I would recommend
dumping the app at the first EP, which is usually like below:

Code:
00EB12D8 > 66:60 PUSHAW
00EB12DA 8925 F048E400 MOV DWORD PTR DS:[E448F0],ESP
00EB12E0 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00EB12E6 A3 F448E400 MOV DWORD PTR DS:[E448F4],EAX
00EB12EB 6A 00 PUSH 0
00EB12ED FF15 FC21FB00 CALL DWORD PTR DS:[FB21FC] ; kernel32.GetModuleHandleA
00EB12F3 A3 F848E400 MOV DWORD PTR DS:[E448F8],EAX
00EB12F8 A1 F848E400 MOV EAX,DWORD PTR DS:[E448F8]
00EB12FD 0305 687BEA00 ADD EAX,DWORD PTR DS:[EA7B68] ; xxxxxx.00B8E577
00EB1303 A3 F848E400 MOV DWORD PTR DS:[E448F8],EAX
00EB1308 FF25 F848E400 JMP DWORD PTR DS:[E448F8]
00EB130E B8 0411FA00 MOV EAX,Xxxxxx.00FA1104
00EB1313 E8 40D20D00 CALL Xxxxxx.00F8E558
00EB1318 51 PUSH ECX
00EB1319 83EC 18 SUB ESP,18
00EB131C 53 PUSH EBX
00EB131D 56 PUSH ESI
00EB131E 57 PUSH EDI
00EB131F 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00EB1322 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
00EB1326 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00EB132A FF75 08 PUSH DWORD PTR SS:[EBP+8]
00EB132D FF75 10 PUSH DWORD PTR SS:[EBP+10]
00EB1330 E8 EE9F0000 CALL Xxxxxx.00EBB323
00EB1335 59 POP ECX
00EB1336 59 POP ECX
00EB1337 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00EB133A 837D D8 00 CMP DWORD PTR SS:[EBP-28],0 << change 0 to 1
00EB133E 74 49 JE SHORT Xxxxxx.00EB1389
00EB1340 813D 607BEA00 54646E41 CMP DWORD PTR DS:[EA7B60],416E6454
00EB134A 75 2F JNZ SHORT Xxxxxx.00EB137B
00EB134C 6A 00 PUSH 0
00EB134E FF15 FC21FB00 CALL DWORD PTR DS:[FB21FC] ; kernel32.GetModuleHandleA
00EB1354 8B0D 6C7BEA00 MOV ECX,DWORD PTR DS:[EA7B6C]
00EB135A 03C8 ADD ECX,EAX
00EB135C 890D F848E400 MOV DWORD PTR DS:[E448F8],ECX
00EB1362 8B25 F048E400 MOV ESP,DWORD PTR DS:[E448F0]
00EB1368 A1 F448E400 MOV EAX,DWORD PTR DS:[E448F4]
00EB136D 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
00EB1373 66:61 POPAW
00EB1375 FF25 F848E400 JMP DWORD PTR DS:[E448F8]
00EB137B 6A 00 PUSH 0
00EB137D 68 584AE400 PUSH Xxxxxx.00E44A58 ; ASCII "Everything OK!"
00EB1382 E8 64750000 CALL Xxxxxx.00EB88EB
00EB1387 59 POP ECX
00EB1388 59 POP ECX
00EB1389 EB 6E JMP SHORT Xxxxxx.00EB13F9


Load your favorite import rec utility to rebuild and add an IAT to the above
dump.

Make the above noted change to your code, and see if the app runs. If it flames, it will probably be due to one of the items I listed above.

A few points. ActiveMark, does a CRC check on your newly created unpacked file. You can follow the logic after (usually in more newer versions) the 2nd CREATEFILE in the program. If it fails this check you immediately kick out, with the BAD EAX value of '0', referenced in code above where I make note of a change.

After this it does the license check. Sets the appropriater status, then if you're not licensed, it will CREATEFILE all the data files in your ALL USERS
or PROGRAM FILES\TRYMEDIA directories where it keeps track of your usage (Time limitations). There are also (4) registry keys:

HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\CLSID\\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" identifed by the subkey "Implemented Categories". There are usually a bunch of ascending encrypted subkeys (maybe as many as 7).

You can find the (4) registry keys by running your dumped program looking at the REGOPENKEY functions or by using a registry snapshot utility before and after running the program.

The program will then build the all too familiar browser screen.

The program will reset the above temp data files and registry keys after
getting LOCALTIME/SYSTEMTIME.

The program will then set a timer (SETTIMER) with an elapsed time of 60 seconds to keep track of your program usage every minute on the minute.
So when you're time is up, the program will kick out with the no time left
browser screen.

So, if you're not up to writing a custom loader to apply the necessary changes to the program's memory, you can delete the data files and registry keys and get back your time and run the app, knowing you can run if for no more than the allowable time before having to re-delete the files/keys again.

I can offer more, but not here. Active minds, pardon the pun, are watching these threads.

Good Luck,

condzero

UPucker
June 6th, 2005, 12:20
This is exactly the thread I was looking for. An explanation of what I am currently working on. Its nice to get experienced explanations in addition to the tutorials. The idea of live tutorials alone makes this forum invaluable.

MEPHiST0
June 6th, 2005, 16:28
hi condzero

Quote:
2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.

yes, almost all the data files an encrypted..
i dump from the 2nd layer (and near the first where you mentioned.. )
the game runs fine in windowed mode, crashes after 5 or 10 minutes tho.
(my point, the file is decrypting the data files properly so the game is playable.)
Full screen however runs and starts, crashes while doing somthing with ddraw.dll..
yet to figure that out.. maybe where i dump?


as for the other tips, thanks, ill check it out

psunlock
June 10th, 2005, 17:08
latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers

curVV
June 10th, 2005, 18:09
ActiveMark?

Woodmann
June 10th, 2005, 18:34
Quote:
latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers


Wait right there, the bus is coming for you

Woodmann

Nacho_dj
August 4th, 2005, 09:20
Hello:

As I have been handling all the games you have been talking about with, I would like to tell you that you can find all of them in another URL:
hxxp://www.zylom.com

and they are using different protection of that of ActiveMARK.

Just try it...

Cheers

Nacho_dj

gabri3l
August 4th, 2005, 10:35
The zylom games use softwrap as a protection.
Most of them can be unpacked following the directions here:
hxxp://intechhosting.com/~access/forums/?showtopic=607

There are a few games that cannot be unpacked with this method. Some of the newer games use a copymem feature. If you dump the dll you will notice some NOP's at the OEP. By breaking on WriteProcessMemory you can recover those Bytes. I'm pretty sure there are some more bytes that need to be recovered as well. I haven't played around with it long enough to make a correct dump. But doesn't seem to hard.