iOpus Password Recovery XP (New Version)
By +Jonathan
2002-8-19
*Download: http://www.iopus.com/download/iopus-pwdrec-setup.exe (498 kb)
*Price: 29.99
Hi every reverser, once again it is iOpus Password Recovery XP, but it differs from the first edition in these ways:
(1) It adds Armadillo 2.52 packer protection (just use Stud_PE to analyze it); the following is the result:
(2) It adds Anti-Debugger & Anti-File Scanner & ANTI-SOFT-ICE etc. (even ASProtect cannot anti-File Scanner!!)
Mmmmm, iOpus company, listen up here:
iOpus, is that the best protection you got??
iOpus, is this how you said you would punish all the Reverse Engineers, or my UREF team??
iOpus, let me tell you what happens here. I AM GOING TO REVERSE ENGINEER YOUR APP WITHOUT UNPACKING YOUR STUPID PROTECTION. How's that?
I know, you can hardly believe it, because you have NEVER seen a cracker crack a packed program WITHOUT unpacking it, right? Keep reading, iOpus company, the following is more interesting ^_^
This time I use purely SOFT-ICE. Trust me, it is NOT fun to use W32Dasm. First of all, run iOpus Password Recovery XP and press [register].
(1) Ctrl+D to call SOFT-ICE out
(2) Set a breakpoint with: BPX GetWindowTextA
(3) Hit F5 (in order to start iOpus)
(4) Now enter the following: 12345678
(5) Press the [activate] button.
Ok, you are inside SOFT-ICE now; press F12 until you see the following picture (remember how many hits it takes to display the picture). The first time, it displayed the picture at the 5th hit.
Now this time we stop at the third (3rd) time. But why? Since 5 - 2 == 3. Because ALL software will check the SN (serial number) ONE time before it displays that wrong message, and it will ALSO add ONE more hit if it is the first time you press the [activate] button. If you have pressed [activate] one or more times before you use SOFT-ICE, you will wind up with the 4th hit popping up that message, and the next time you only need to subtract 1, which means: 4 - 1 == 3 (the same as the one above: 5 - 2 == 3).
001B:00401833 8D465C     LEA EAX,[ESI+5C]    *SOFT-ICE stops here*
001B:00401836 B948D44300 MOV ECX,0043D448
001B:0040183B 50         PUSH EAX
001B:0040183C E8B3060200 CALL 00421EF4
001B:00401841 E8EA640000 CALL 00407D30       *the ANTI-debugger and CHECK SN*
Let's step into (F8) the CALL 00421EF. If this is the first time, you might see this:
001B:00407D30 FFFF INVALID
001B:00407D32 FFFF INVALID
001B:00407D34 FFFF INVALID
001B:00407D36 FFFF INVALID
001B:00407D38 FFFF INVALID
001B:00407D3A FFFF INVALID
001B:00407D3C FFFF INVALID
001B:00407D3E FFFF INVALID
It means that iOpus was protected by a packer and is now encrypted. How to unpack it? You have to know how packers work. First of all, when you open iOpus Password Recovery, it will load an unpacking formula. So if it is the second time, it will be fully unpacked. Therefore, the solution is easy. Either (1) you breakpoint on 00407D30 or do an F5 (which means start the program and load the unpacking formula), or (2) you start over again, since on the second or later time it will also be unpacked.
I had chosen the SECOND way, since with the FIRST way it will check whether you use SOFT-ICE or a Debugger via the IsDebuggerPresent & WaitForDebugEvent API functions (I hate people who use anti-debuggers). This is what you see when the protection detects SOFT-ICE:
But anyway there is NO packer or anti-debugger code after the second time you press [activate].
Ok, here is the second time I press [activate], which is decrypted:
001B:00407D30 6AFF           PUSH FF
001B:00407D32 6848AF4200     PUSH 0042AF48
001B:00407D37 64A100000000   MOV EAX,FS:[00000000]
001B:00407D3D 50             PUSH EAX
001B:00407D3E 64892500000000 MOV FS:[00000000],ESP
Look, same EIP but different instructions!!
If you follow my instructions, you will see this rather interesting thing (remember we typed 12345678 as the password):
001B:00407D6A 8A10   MOV DL,[EAX]      *EAX = your password & DL = 1st byte of EAX*
001B:00407D6C 8A1E   MOV BL,[ESI]      *ESI = R & load into BL*
001B:00407D6E 8ACA   MOV CL,DL         *let CL = DL = 1 (the first digit of 12345678 = EAX)*
001B:00407D70 3AD3   CMP DL,BL         *Is the first digit equal to R?*
001B:00407D72 751E   JNZ 00407D92      *If not, then beggar off!!*
001B:00407D74 84C9   TEST CL,CL        *Is it finished loading all the digits?*
001B:00407D76 7416   JZ 00407D8E       *Jump if finished*
001B:00407D78 8A5001 MOV DL,[EAX+01]   *load the next digit, which is 2*
001B:00407D7B 8A5E01 MOV BL,[ESI+01]   *Load E into BL*
001B:00407D7E 8ACA   MOV CL,DL         *let CL = DL = our 2nd digit*
001B:00407D80 3AD3   CMP DL,BL         *again compare whether the second digit equals E*
001B:00407D82 750E   JNZ 00407D92      *Jump if not the same*
001B:00407D84 83C002 ADD EAX,02        *Load the 4th digit which is 4*
001B:00407D87 83C602 ADD ESI,02        *Load the 4th correct SN which is 5*
001B:00407D8A 84C9   TEST CL,CL        *Is it finished with all the digits?*
001B:00407D8C 75DC   JNZ 00407D6A      *No, then loop*
001B:00407D8E 33C0   XOR EAX,EAX       *let EAX == 0*
001B:00407D90 EB05   JMP 00407D97      *JUMP TO 00407D97*
001B:00407D92 1BC0   SBB EAX,EAX       *let EAX == 0 or FFFFFFFF, depending on the carry from CMP DL,BL*
001B:00407D94 83D8FF SBB EAX,-01       *Let EAX == FFFFFFFF (-1 in DEC) when DL < BL, else 1; nonzero either way*
001B:00407D97 85C0   TEST EAX,EAX      *Is EAX == 0?*
001B:00407D99 755D   JNZ 00407DF8      *Jump if EAX ≠ 0*
001B:00407D9B 6A01   PUSH 01           *Push parameter*
^^^^^^^^^ Those instructions between these two are trying to get the 4th digit individually ^^^^^^^^^^^
001B:00407DB5 8A10       MOV DL,[EAX]      *move the 4th digit, which is 4* (they had let EAX == EAX + 4 before)
001B:00407DB7 8A1E       MOV BL,[ESI]      *Move 5*
001B:00407DB9 8ACA       MOV CL,DL         *Let CL = DL = 4th digit*
001B:00407DBB 3AD3       CMP DL,BL         *Is the 4th digit equal to 5?*
001B:00407DBD 751E       JNZ 00407DDD      *No, then beggar off*
001B:00407DBF 84C9       TEST CL,CL        *Is it finished?*
001B:00407DC1 7416       JZ 00407DD9       *yes, then jump*
001B:00407DC3 8A5001     MOV DL,[EAX+01]   *load the next digit; it is nothing, since as I said before it extracts the 4th digit only*
001B:00407DC6 8A5E01     MOV BL,[ESI+01]   *BL = nothing, too*
001B:00407DC9 8ACA       MOV CL,DL         *Let CL = DL = nothing*
001B:00407DCB 3AD3       CMP DL,BL         *Is it equal to nothing? (of course)*
001B:00407DCD 750E       JNZ 00407DDD      *Jump if not the same*
001B:00407DCF 83C002     ADD EAX,02        *load the next digit; it is nothing, since as I said before it extracts the 4th digit only*
001B:00407DD2 83C602     ADD ESI,02        *ESI + 2 == nothing, too*
001B:00407DD5 84C9       TEST CL,CL        *Is it finished?*
001B:00407DD7 75DC       JNZ 00407DB5      *If not, then jump*
001B:00407DD9 33C0       XOR EAX,EAX       *Let EAX == 0*
001B:00407DDB EB05       JMP 00407DE2      *jump to 00407DE2*
001B:00407DDD 1BC0       SBB EAX,EAX       *Let EAX == 0 or FFFFFFFF, depending on the carry from CMP DL,BL*
001B:00407DDF 83D8FF     SBB EAX,-01       *Let EAX == FFFFFFFF (-1 in DEC) when DL < BL, else 1; nonzero either way*
001B:00407DE2 85C0       TEST EAX,EAX      *Does EAX == 0?*
001B:00407DE4 8D4C2408   LEA ECX,[ESP+08]  *Move your SN*
001B:00407DE8 0F94C3     SETZ BL           *Set BL == true if equal to zero (TRUE means 1)*
001B:00407DEB E8CB9F0100 CALL 00421DBB
001B:00407DF0 84DB       TEST BL,BL        *Is the BL flag == 0?*
001B:00407DF2 7404       JZ 00407DF8       *Jump if it is*
001B:00407DF4 B301       MOV BL,01         *Move the GOOD flag*
001B:00407DF6 EB02       JMP 00407DFA      *Jump to 00407DFA*
001B:00407DF8 32DB       XOR BL,BL         *XOR in a BAD flag*
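The two listings above (00407D6A..00407D97 and 00407DB5..00407DE2) are the same compiler-inlined string compare, unrolled two bytes per pass. As an added example, not code from this page or from iOpus, here it is in C so the register comments can be checked: the SBB EAX,EAX / SBB EAX,-01 pair turns the carry from CMP DL,BL into -1 or +1, and only the XOR EAX,EAX path yields the 0 that SETZ BL later turns into the GOOD flag. The lesson for anyone shipping such a check is that the expected bytes sit in plain text at ESI at the instant of the compare, which is exactly why they can be read off in the debugger; the function names and the sample strings are mine.

```c
#include <stdio.h>

/* Added example: C rendering of the byte-compare loop at 00407D6A..00407D97.
 * The compiler inlined a strcmp and unrolled it two bytes per pass.
 * Returns 0 on a full match, -1 if the candidate byte is below the expected
 * byte (CMP DL,BL sets CF), +1 otherwise: SBB EAX,EAX leaves -CF, and
 * SBB EAX,-01 then computes -CF + 1 - CF, i.e. -1 or +1. */
int unrolled_cmp(const char *cand, const char *expect)
{
    const unsigned char *a = (const unsigned char *)cand;   /* EAX */
    const unsigned char *b = (const unsigned char *)expect; /* ESI */
    unsigned char dl, bl;

    for (;;) {
        dl = a[0]; bl = b[0];          /* MOV DL,[EAX] ; MOV BL,[ESI] */
        if (dl != bl) break;           /* CMP DL,BL ; JNZ mismatch */
        if (dl == 0) return 0;         /* TEST CL,CL ; JZ -> XOR EAX,EAX */
        dl = a[1]; bl = b[1];          /* MOV DL,[EAX+01] ; MOV BL,[ESI+01] */
        if (dl != bl) break;           /* CMP DL,BL ; JNZ mismatch */
        a += 2; b += 2;                /* ADD EAX,02 ; ADD ESI,02 */
        if (dl == 0) return 0;         /* TEST CL,CL ; JNZ loop, else fall to XOR EAX,EAX */
    }
    return dl < bl ? -1 : 1;           /* SBB EAX,EAX ; SBB EAX,-01 */
}

/* 00407DE2..00407DF8: TEST EAX,EAX ; SETZ BL gives 1 only when the compare
 * returned 0; that is the GOOD flag the caller tests afterwards. */
int good_flag(int cmp_result)
{
    return cmp_result == 0;
}

int main(void)
{
    /* Constructed inputs, not iOpus data: "ZZ" is a stand-in expected string. */
    const char *expect = "ZZ";
    const char *tries[] = { "ZZ", "ZY", "Za", "Z", "ZZZ" };
    for (int i = 0; i < 5; i++) {
        int r = unrolled_cmp(tries[i], expect);
        printf("%-4s -> EAX=%2d  BL=%d\n", tries[i], r, good_flag(r));
    }
    return 0;
}
```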
Well, that's enough. We can now get some real SNs: ***RE?5?????...*** (? = any word or number). For instance (you can change the yellow high-light into anything you want :-):
(1) RE0512345678
(2) RE35
(3) RE15 Fuck you iOpus. Your protections is too fool.
(4) REF5 ^_^ ^^^^^^^ +Jonathan is the best. But iOpus is SUCK .. HaHa shit
(5) RE65 121234345656 7878 9999-w5345-52464526-hsdf-6
Those serial numbers are absolutely REAL!!!! You can try creating one for yourself.