iOpus Password Recovery XP ( New Version )

iOpus Password Recovery XP ( New Version )

By +Jonathan

2002-8-19

*Download: http://www.iopus.com/download/iopus-pwdrec-setup.exe ( 498 kb )

*Price: 29.99

Hi every reverser, once again it is iOpus Password Recovery XP but it is difference from first edition in these:

(1) It add a Armadillo 2.52 packer protection (Just use “Stud_PE” to analyze it) the following is the result:

(2) It add Anti-Debugger & Anti-File Scanner & ANTI-SOFT-ICE…etc (even ASProtect can not anti-File Scanner!!)

Mmmmm… iOpus company listen up here:

iOpus, Is that the best protection you got??

iOpus, Is this what you said “punish all the Reverse Engineer or my UREF team”??

iOpus, let me tell you what happen here. I AM GOING TO “REVERSE ENGINEER” YOUR APPS WITHOUT UNPACK YOUR STUPID PROTECTION. How’s that?

I know, you can hardly believe because you had NEVER seen a cracker can crack a packed program WITHOUT unpacking it, right? Keep reading iOpus company, the following is more interesting ^_^

This time I use purely SOFT-ICE. Trust me, it is NOT fun to use W32Dasm. First of all, run iOpus Password Recovery XP and press [register].

(1) Ctrl +D call SOFT-ICE out

(2) Set breakpoint by: BPX GetWindowTextA

(3) Hit F-5 (in order to start iOpus)

(4) Now enter the following: 12345678

(5) Press [activate] button.

Ok you are inside SOFT-ICE now, press F-12 until you see the following picture (Remember how may hits in order to display the picture)

The first time, it display the picture at the hit of “5”

Now this time we stop at the third (3) time. But why? Since 5 — 2 == 3. Because ALL software will check SN (serial number) ONE times before it display that wrong message, and it will ALSO add ONE more hit if it is the first time you press [activate] button. If you have press one or more times [activate button] before you use SOFT-ICE, you will wind up with the 4^th,pop up that message, and the next time you only need to minus “1” which means: 4 — 1 == 3 (the same as above one: 5 — 2 ==3)

001B:00401833 8D465C LEA EAX,[ESI+5C] * SI stop here*

001B:00401836 B948D44300 MOV ECX,0043D448

001B:0040183B 50 PUSH EAX

001B:0040183C E8B3060200 CALL 00421EF4

001B:00401841 E8EA640000 CALL 00407D30 *the ANTI-debugger and CHECK SN*

Let step into (F-8) the CALL 00421EF. If this is the first time, you might see this:

001B:00407D30 FFFF INVALID

001B:00407D32 FFFF INVALID

001B:00407D34 FFFF INVALID

001B:00407D36 FFFF INVALID

001B:00407D38 FFFF INVALID

001B:00407D3A FFFF INVALID

001B:00407D3C FFFF INVALID

001B:00407D3E FFFF INVALID

It means that iOpus was protected by a packer and is now encrypted. How to unpack it? You have to know how packers work.

First of all, when you open the iOpus Password Recovery, it will load a unpacking formula. So if it is the second times, it will fully unpack. Therefore, solution is easy. Either (1) you break point on 00407D30 or do a F-5 (which means start the program and load unpacking formula or (2) you start over again, since the second or more time it will also unpacked.

I had choose the SECOND way since it will check if you use SOFT-ICE or Debugger after the FIRST way via IsDebuggerPresen & WaitForDebugEvent API function (I hate people use anti-debugger) This is what you see when the protection detect SOFT-ICE

But anyway there is NO packer or anti-debugger code after the second times you press [activate]

Ok here is the second times I press [activate] which is decrypted:

001B:00407D30 6AFF PUSH FF

001B:00407D32 6848AF4200 PUSH 0042AF48

001B:00407D37 64A100000000 MOV EAX,FS:[00000000]

001B:00407D3D 50 PUSH EAX

001B:00407D3E 64892500000000 MOV FS:[00000000],ESP

Look same EIP but different instruction!!

If you follow my instruction, you will see this rather interesting: (remember we type 12345678 as a password)

001B:00407D6A 8A10 MOV DL,[EAX] *EAX=your password & DL=1^st byte of EAX*

001B:00407D6C 8A1E MOV BL,[ESI] *ESI= “R” & load into BL*

001B:00407D6E 8ACA MOV CL,DL *let CL = DL = “1” (the first digit of 12345678 = EAX)

001B:00407D70 3AD3 CMP DL,BL *Is the first digit equal R ?

001B:00407D72 751E JNZ 00407D92* If not, then beggar off !!*

001B:00407D74 84C9 TEST CL,CL *Is it finish loading all the digits? *

001B:00407D76 7416 JZ 00407D8E *Jump if finish*

001B:00407D78 8A5001 MOV DL,[EAX+01] *load next digit which is “2”*

001B:00407D7B 8A5E01 MOV BL,[ESI+01] *Load “E” into BL *

001B:00407D7E 8ACA MOV CL,DL *let CL = DL = our 2^nd digit

001B:00407D80 3AD3 CMP DL,BL *again compare if the second digit equal E?*

001B:00407D82 750E JNZ 00407D92 *Jump if not the same*

001B:00407D84 83C002 ADD EAX,02 *Load the 4^th digit which is 4*

001B:00407D87 83C602 ADD ESI,02 *Load the 4^th correct SN which is “5”*

001B:00407D8A 84C9 TEST CL,CL *Is it finish all the digits?*

001B:00407D8C 75DC JNZ 00407D6A *No then loop*

001B:00407D8E 33C0 XOR EAX,EAX *let EAX == 0*

001B:00407D90 EB05 JMP 00407D97 *JUMP TO 00407D79*

001B:00407D92 1BC0 SBB EAX,EAX *let EAX == 0

001B:00407D94 83D8FF SBB EAX,-01 * Let EAX == FFFFFFFF ( --1 in DEC)

001B:00407D97 85C0 TEST EAX,EAX * Is EAX == 0?*

001B:00407D99 755D JNZ 00407DF8 *Jump if EAX ≠ 0*

001B:00407D9B 6A01 PUSH 01 * Push parameter*

^^^^^^^^^Those instructions between these two are trying to get the 4^th digits individually^^^^^^^^^^^

001B:00407DB5 8A10 MOV DL,[EAX] *move the 4^th digit which is 4*( they had let

(EAX == EAX + 4) before.

001B:00407DB7 8A1E MOV BL,[ESI] *Move “5”*

001B:00407DB9 8ACA MOV CL,DL *Let CL = DL = 4^th digits*

001B:00407DBB 3AD3 CMP DL,BL *Is the 4^th digit equal “5” *

001B:00407DBD 751E JNZ 00407DDD * No, then beggar off*

001B:00407DBF 84C9 TEST CL,CL *Is it finish?*

001B:00407DC1 7416 JZ 00407DD9 *yes the jump*

001B:00407DC3 8A5001 MOV DL,[EAX+01] *load the next digit” it is “ “ nothing, since

as I had said before, it extract the 4^th digit only

001B:00407DC6 8A5E01 MOV BL,[ESI+01] * BL = “ “ too*

001B:00407DC9 8ACA MOV CL,DL * Let CL = DL =” “ * (nothing inside)

001B:00407DCB 3AD3 CMP DL,BL *Is it equal to nothing?* (of course)

001B:00407DCD 750E JNZ 00407DDD *Jump if not the same*

001B:00407DCF 83C002 ADD EAX,02 *load the next digit” it is “ “ nothing, since

as I had said before, it extract the 4^th digit only

001B:00407DD2 83C602 ADD ESI,02 *ESI + 2 == “ “ nothing, too

001B:00407DD5 84C9 TEST CL,CL * is it finish?*

001B:00407DD7 75DC JNZ 00407DB5 * If not, then jump*

001B:00407DD9 33C0 XOR EAX,EAX * Let EAX == 0

001B:00407DDB EB05 JMP 00407DE2 *jump to 00407DE2

001B:00407DDD 1BC0 SBB EAX,EAX *Let EAX == 0*

001B:00407DDF 83D8FF SBB EAX,-01 * Let EAX == FFFFFFFF ( --1 in DEC)

001B:00407DE2 85C0 TEST EAX,EAX *Does EAX == 0?*

001B:00407DE4 8D4C2408 LEA ECX,[ESP+08] *Move your SN*

001B:00407DE8 0F94C3 SETZ BL *Set (BL == true) if equal zero* ( TRUE means 1 )

001B:00407DEB E8CB9F0100 CALL 00421DBB

001B:00407DF0 84DB TEST BL,BL Is the BL flag == 0?

001B:00407DF2 7404 JZ 00407DF8 Jump if the same

001B:00407DF4 B301 MOV BL,01 Move GOOD Flag

001B:00407DF6 EB02 JMP 00407DFA Jump to 00407DFA

001B:00407DF8 32DB XOR BL,BL XOR a BAD Flag

Well that enough. We can now get some real SN:

***RE?5?????...*** (? = any word or number) for instance: (you can change the yellow high-light into anything you want :-)

(1) RE0512345678

(2) RE35

(3) RE15 Fuck you iOpus. Your protections is too fool.

(4) REF5 ^_^ ^^^^^^^ +Jonathan is the best. But iOpus is SUCK……….. HaHa shit

(5) RE65 121234345656 7878 9999-w5345-52464526-hsdf-6

Those Serial Numbers are absolutely REAL!!!! You can try creating one for your self.