Getting the exe from memory


jake
June 3rd, 2006, 10:24
Hi

I'm new here so I'm sorry if this question is dumb;
My question is theoretical coz I ain't gonna do anything with it - I don't have any hands-on experience in exe related stuff, asm n drivers.

Say we wanna crack a software protected with Starforce or something alike - an encrypted exe that gets the key to decrypting itself from somewhere - driver/web/whatever.
By cracking I mean getting a non-encrypted exe that would run normally w/o any protection and that can be modified directly to change the original code.

As far as my understanding goes, if we have a legit copy of the software and it runs, we can grab the exe's image from memory while it runs. In doing this we outflank any smart mechanisms that may reside in other binaries in the loading and startup mess.

Further, it would be easy to eliminate the injected code as this is the only code that is present in the exe and in the memory image; on the other hand, it will be harder to find data and code segments that were in the original exe because the injected loader must relocate them and in addition they might have been compressed and encrypted.

What I'd like to know is this:
Is what I'm saying feasible or do I have holes in the theory?
Are there any ready tools for all the story above?
One thing I didn't mention - dlls - how can one tell if a piece of code in memory is from a dll or the exe? There must be some table in the exe's space for that...

Thanks in advance,
jake

naides
June 3rd, 2006, 10:53
A#1: YES. The whole field of unpacking is exactly what you are describing.
Read tutorials on "manual unpacking" and unpacking Starforce and you will have an idea what you are dealing with.

A#2: Yes. You need a debugger to find the original entry point of the app.
You need a dumper: PE Tools

You need an import reconstructor: ImpRec

You need PEiD to learn what sort of packer you are dealing with.

A#3: The debugger OLLY will give you that information, by looking at the memory map of your app...

Silver
June 3rd, 2006, 12:05
Quote:
In doin this we outflank any smart mechanisms that may reside in other binaries the loading and startup mess.


Not exactly. Whilst dumping the running process will bypass any "startup" protection (decompression stubs, decryption etc), some protection systems will incrementally decrypt parts of the exe so that an entire decrypted exe is never found in mem. Secondly there are many other tricks to obstruct the reversing of an exe, simply dumping a post-loader image isn't going to guarantee you anything.

jake
June 4th, 2006, 11:52
Quote:
[Originally Posted by Silver]some protection systems will incrementally decrypt parts of the exe so that an entire decrypted exe is never found in mem.

Yes. That's a nice trick. I can think of a process debugging itself and decrypting every [major] function every time the breakpoint at its prologue is hit..
What are the methods against these?
Is Starforce doing this?

Quote:
[Originally Posted by Silver]there are many other tricks to obstruct the reversing of an exe, simply dumping a post-loader image isn't going to guarantee you anything.

Do you mean like the ones that shuffle the code and plant lots of jumps, or anything smarter?

jake
June 4th, 2006, 12:03
Thanks,

Quote:
[Originally Posted by naides]A#1: YES. The whole field of unpacking is exactly what you are describing.
Read tutorials on "manual unpacking" and unpacking Starforce and you will have an idea what you are dealing with.


According to what you say, I should be able to find unpacked exe releases of Starforce protected games, right?
I know that a game released a year ago has no cracked copy yet - this ignited my interest in this field.
How come nobody cracked it? Am I missing something?

FrankRizzo
June 4th, 2006, 13:55
Because, to put it plainly, Starforce is a BITCH to deal with. From what I've read (I don't plan to have anything to do with it, or any game that uses it), it replaces sections of code from the original program with code from its "virtual machine". There are opcodes in this virtual machine that STILL aren't currently understood.

Add to that the fact that there are all of these "enabler" programs out there (Daemon tools, Alcohol 120%, etc.), and you get lazy crackers. It's just not WORTH the time to do a 100% crack of something that you can create an image file of, and release.


(Old geezer rant alert!)
Back in MY day, we didn't have no fancy tools like this. The only real things like this that existed were Teledisk, and that weird program that sucked the memory out of CopyIIPC and allowed you to send that to a friend, who then unpacked it on a floppy and had a still protected copy of the game. We only used those to get images from the suppliers, and THEN went to work on them, not to release games. (Kids these days!) I personally hope that something comes along that can't simply be imaged, to spark a renaissance of true reversing. We had ours! It was Rob Northen's Copylock. Nothing copied it, and you couldn't run the game without the original, as it used bytes from the uncopyable section as decryption keys for the .exe image.

Ohhh... Those were the good old days!