iOpus Password Recovery XP (New Version)

By +Jonathan

2002-8-19

 

*Download: http://www.iopus.com/download/iopus-pwdrec-setup.exe (498 KB)

*Price: 29.99

 

Hi every reverser, once again it is iOpus Password Recovery XP, but it differs from the first edition in these respects:

 

(1) It adds an Armadillo 2.52 packer protection (just use “Stud_PE” to analyze it); the following is the result:

(2) It adds anti-debugger, anti-file-scanner, ANTI-SOFT-ICE… etc. (even ASProtect has no anti-file-scanner!!)

 

Mmmmm… iOpus company, listen up here:

iOpus, is that the best protection you've got??

iOpus, is this what you meant when you said “punish all the Reverse Engineer or my UREF team”??

iOpus, let me tell you what happens here. I AM GOING TO “REVERSE ENGINEER” YOUR APP WITHOUT UNPACKING YOUR STUPID PROTECTION. How’s that?

 

I know, you can hardly believe it, because you have NEVER seen a cracker crack a packed program WITHOUT unpacking it, right? Keep reading, iOpus company; the following is more interesting ^_^

 

This time I use purely SOFT-ICE. Trust me, it is NOT fun to use W32Dasm. First of all, run iOpus Password Recovery XP and press [register].

 

(1) Press Ctrl+D to call SOFT-ICE up

(2) Set a breakpoint with: BPX GetWindowTextA

(3) Hit F-5 (to return to iOpus)

(4) Now enter the following as the serial: 12345678

(5) Press the [activate] button.

 

Ok, you are inside SOFT-ICE now. Press F-12 until you see the following picture (remember how many hits it takes to display the picture).

The first time, it displayed the picture at hit “5”.

This time we stop at the third (3rd) hit. But why? Because 5 - 2 == 3: ALL software checks the SN (serial number) ONE time before it displays that wrong-serial message, and it ALSO adds ONE more hit if it is the first time you press the [activate] button. If you pressed [activate] one or more times before you called SOFT-ICE, you will wind up with the message popping up at the 4th hit, and the next time you only need to subtract “1”, which means 4 - 1 == 3 (the same as above: 5 - 2 == 3).

 

001B:00401833  8D465C      LEA   EAX,[ESI+5C]   *SOFT-ICE stops here*
001B:00401836  B948D44300  MOV   ECX,0043D448
001B:0040183B  50          PUSH  EAX
001B:0040183C  E8B3060200  CALL  00421EF4
001B:00401841  E8EA640000  CALL  00407D30       *the ANTI-debugger and CHECK SN*

 

Let's step into (F-8) the CALL 00421EF4. If this is the first time, at 00407D30 you might see this:

 

001B:00407D30  FFFF  INVALID
001B:00407D32  FFFF  INVALID
001B:00407D34  FFFF  INVALID
001B:00407D36  FFFF  INVALID
001B:00407D38  FFFF  INVALID
001B:00407D3A  FFFF  INVALID
001B:00407D3C  FFFF  INVALID
001B:00407D3E  FFFF  INVALID

 

It means that iOpus is protected by a packer and this code is still encrypted. How to unpack it? You have to know how packers work.

 

First of all, when you open iOpus Password Recovery, it loads an unpacking routine, so the second time through the code is fully unpacked. Therefore the solution is easy. Either (1) you set a breakpoint on 00407D30 and do an F-5 (which means start the program and let it run the unpacking routine), or (2) you start over again, since the second and later times the code is already unpacked.

 

I chose the SECOND way, since with the FIRST way it checks whether you are using SOFT-ICE or a debugger via the IsDebuggerPresent and WaitForDebugEvent API functions (I hate people who use anti-debuggers). This is what you see when the protection detects SOFT-ICE:

 

But anyway, there is NO packer or anti-debugger code after the second time you press [activate].

 

Ok, here is the second time I press [activate], now decrypted:

 

001B:00407D30  6AFF            PUSH  FF
001B:00407D32  6848AF4200      PUSH  0042AF48
001B:00407D37  64A100000000    MOV   EAX,FS:[00000000]
001B:00407D3D  50              PUSH  EAX
001B:00407D3E  64892500000000  MOV   FS:[00000000],ESP

 

Look: same EIP but different instructions!!

If you follow my instructions, you will see this rather interesting code (remember we typed 12345678 as the password):

 

001B:00407D6A  8A10        MOV   DL,[EAX]       *EAX = your password; DL = 1st byte of EAX*
001B:00407D6C  8A1E        MOV   BL,[ESI]       *ESI = “R”, loaded into BL*
001B:00407D6E  8ACA        MOV   CL,DL          *let CL = DL = “1” (the first digit of 12345678 = EAX)*
001B:00407D70  3AD3        CMP   DL,BL          *is the first digit equal to R?*
001B:00407D72  751E        JNZ   00407D92       *if not, then beggar off!!*
001B:00407D74  84C9        TEST  CL,CL          *finished loading all the digits?*
001B:00407D76  7416        JZ    00407D8E       *jump if finished*
001B:00407D78  8A5001      MOV   DL,[EAX+01]    *load the next digit, which is “2”*
001B:00407D7B  8A5E01      MOV   BL,[ESI+01]    *load “E” into BL*
001B:00407D7E  8ACA        MOV   CL,DL          *let CL = DL = our 2nd digit*
001B:00407D80  3AD3        CMP   DL,BL          *again compare: is the second digit equal to E?*
001B:00407D82  750E        JNZ   00407D92       *jump if not the same*
001B:00407D84  83C002      ADD   EAX,02         *load the 4th digit, which is 4*
001B:00407D87  83C602      ADD   ESI,02         *load the 4th correct SN digit, which is “5”*
001B:00407D8A  84C9        TEST  CL,CL          *finished all the digits?*
001B:00407D8C  75DC        JNZ   00407D6A       *no, then loop*
001B:00407D8E  33C0        XOR   EAX,EAX        *let EAX == 0*
001B:00407D90  EB05        JMP   00407D97       *jump to 00407D97*
001B:00407D92  1BC0        SBB   EAX,EAX        *let EAX == 0*
001B:00407D94  83D8FF      SBB   EAX,-01        *let EAX == FFFFFFFF (-1 in decimal)*
001B:00407D97  85C0        TEST  EAX,EAX        *is EAX == 0?*
001B:00407D99  755D        JNZ   00407DF8       *jump if EAX ≠ 0*
001B:00407D9B  6A01        PUSH  01             *push parameter*

^^^^^^^^^ The instructions between these two blocks extract the 4th digit individually ^^^^^^^^^^^

001B:00407DB5  8A10        MOV   DL,[EAX]       *move the 4th digit, which is 4 (they let EAX == EAX + 4 before)*
001B:00407DB7  8A1E        MOV   BL,[ESI]       *move “5”*
001B:00407DB9  8ACA        MOV   CL,DL          *let CL = DL = 4th digit*
001B:00407DBB  3AD3        CMP   DL,BL          *is the 4th digit equal to “5”?*
001B:00407DBD  751E        JNZ   00407DDD       *no, then beggar off*
001B:00407DBF  84C9        TEST  CL,CL          *finished?*
001B:00407DC1  7416        JZ    00407DD9       *yes, then jump*
001B:00407DC3  8A5001      MOV   DL,[EAX+01]    *load the next digit: it is “ ” (nothing), since, as I said before, it extracts the 4th digit only*
001B:00407DC6  8A5E01      MOV   BL,[ESI+01]    *BL = “ ” too*
001B:00407DC9  8ACA        MOV   CL,DL          *let CL = DL = “ ” (nothing inside)*
001B:00407DCB  3AD3        CMP   DL,BL          *is it equal to nothing? (of course)*
001B:00407DCD  750E        JNZ   00407DDD       *jump if not the same*
001B:00407DCF  83C002      ADD   EAX,02         *the next digit is again “ ” (nothing), since it extracts the 4th digit only*
001B:00407DD2  83C602      ADD   ESI,02         *ESI + 2 == “ ” (nothing) too*
001B:00407DD5  84C9        TEST  CL,CL          *finished?*
001B:00407DD7  75DC        JNZ   00407DB5       *if not, then jump*
001B:00407DD9  33C0        XOR   EAX,EAX        *let EAX == 0*
001B:00407DDB  EB05        JMP   00407DE2       *jump to 00407DE2*
001B:00407DDD  1BC0        SBB   EAX,EAX        *let EAX == 0*
001B:00407DDF  83D8FF      SBB   EAX,-01        *let EAX == FFFFFFFF (-1 in decimal)*
001B:00407DE2  85C0        TEST  EAX,EAX        *does EAX == 0?*
001B:00407DE4  8D4C2408    LEA   ECX,[ESP+08]   *move your SN*
001B:00407DE8  0F94C3      SETZ  BL             *set BL == true if equal to zero (TRUE means 1)*
001B:00407DEB  E8CB9F0100  CALL  00421DBB
001B:00407DF0  84DB        TEST  BL,BL          *is the BL flag == 0?*
001B:00407DF2  7404        JZ    00407DF8       *jump if the same*
001B:00407DF4  B301        MOV   BL,01          *move the GOOD flag*
001B:00407DF6  EB02        JMP   00407DFA       *jump to 00407DFA*
001B:00407DF8  32DB        XOR   BL,BL          *XOR in a BAD flag*

 

Well, that's enough. We can now make some real SNs:

***RE?5?????...*** (? = any letter or number). For instance (you can change the highlighted part into anything you want :-):

 

(1) RE0512345678

(2) RE35

(3) RE15 Fuck you iOpus. Your protections is too fool.

(4) REF5 ^_^ ^^^^^^^ +Jonathan is the best. But iOpus is SUCK……….. HaHa shit

(5) RE65 121234345656  7878  9999-w5345-52464526-hsdf-6

 

Those serial numbers are absolutely REAL!!!! You can try creating one for yourself.
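As an added example (not the author's code and not iOpus's), here is a Python model of the check the listing above describes, placed beside the kind of check a vendor would need instead. weak_check reproduces the accepted RE?5 pattern: only positions 0, 1 and 3 are ever compared, and count_accepted shows how large a share of all strings over an alphabet that leaves valid. strcmp_like mirrors the byte loop and the SBB EAX,EAX / SBB EAX,-01 idiom that turns a mismatch into a non-zero result. issue_key and strong_check are a hypothetical HMAC-bound scheme, with a constructed secret and customer id, in which every character of the key matters and the comparison is constant-time.

```python
"""Added example: the fixed-position serial check described above, beside an
HMAC-bound check. Not code from the original page or from iOpus."""
import hashlib
import hmac
from itertools import product


def strcmp_like(a: bytes, b: bytes) -> int:
    """Byte-by-byte compare loop as in the listing (CMP DL,BL / TEST CL,CL):
    0 when both strings match up to their NUL terminator, otherwise the sign
    of the first difference, which is what the SBB EAX,EAX / SBB EAX,-01
    idiom at 00407D92 produces (+1 or -1)."""
    i = 0
    while True:
        da = a[i] if i < len(a) else 0  # implicit NUL terminator
        db = b[i] if i < len(b) else 0
        if da != db:
            return -1 if da < db else 1
        if da == 0:
            return 0
        i += 1


def weak_check(serial: str) -> bool:
    """The check as the page describes it: the substring at positions 0..1 is
    compared against "RE" and the single character at position 3 against "5".
    Position 2 and everything from position 4 on are never looked at."""
    s = serial.encode("latin-1", "replace")
    if len(s) < 4:
        return False
    return strcmp_like(s[0:2], b"RE") == 0 and strcmp_like(s[3:4], b"5") == 0


def count_accepted(alphabet: str, length: int = 4) -> tuple:
    """Enumerate every string of `length` over `alphabet` and count how many
    weak_check accepts. With three fixed positions the accepted share is
    1/len(alphabet)**3, however long the serial is."""
    accepted = 0
    total = 0
    for chars in product(alphabet, repeat=length):
        total += 1
        if weak_check("".join(chars)):
            accepted += 1
    return accepted, total


# Hypothetical vendor scheme (an assumption for this example, not iOpus's design):
# key = customer id + truncated HMAC-SHA256 tag over the customer id.
TAG_HEX_LEN = 16


def issue_key(customer_id: str, secret: bytes) -> str:
    """Vendor side: bind the key to the customer id with a keyed MAC."""
    tag = hmac.new(secret, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{customer_id}-{tag[:TAG_HEX_LEN].upper()}"


def strong_check(key: str, secret: bytes) -> bool:
    """Verifier side: recompute the tag and compare in constant time.
    Changing any character of the key, or using the wrong secret, fails."""
    if "-" not in key:
        return False
    customer_id, tag = key.rsplit("-", 1)
    expected = hmac.new(secret, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.upper(), expected[:TAG_HEX_LEN].upper())


if __name__ == "__main__":
    for sn in ("12345678", "RE0512345678", "RE35", "RE36"):
        print(f"{sn!r:>16} -> weak_check {weak_check(sn)}")
    acc, tot = count_accepted("RE5ABC")  # constructed 6-letter alphabet
    print(f"accepted {acc} of {tot} four-character strings")
    secret = b"constructed-secret-for-demo"  # constructed; never ship a MAC secret in a client
    key = issue_key("CUST-0001", secret)
    tampered = key[:-1] + ("0" if key[-1] != "0" else "1")
    print(key, strong_check(key, secret), strong_check(tampered, secret))
```

The contrast is the point: the listing's check binds three characters and ignores the rest, so once those three constants are read out of the binary any string of the form RE?5... passes. The HMAC variant makes every character of the key depend on a secret, but if that secret is embedded in the client it can be read out of the binary in exactly the same way, so a MAC-based check belongs on an activation server; for offline validation the client should hold only a public verification key and the vendor should sign keys with the matching private key.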