
Thread: Newbie trying to learn. Think my project may be a little too advanced.

  1. #31
    SiGiNT
    You wouldn't have it unless you are using an ATI graphics card. Interesting note: I was working on another app last night and had it running fine one time; on the next run it crashed while accessing the same file. This was an app that I'm sure was not using OpenGL stuff, so it's really starting to bug me. Eventually I got the app up and running with no problem.

    Skip
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  2. #32
    Michael_J
    Guest
    Hey

    I have now got the application running for as long as I want it to. So that demo restriction is no longer working. This is great. One more step and then I have actually got the application running as well as a purchased copy.

    The save feature is the second bit of the app I'm going to try and get sorted. It just crashes on my PC. I'm going to try a clean install of XP and the application on a different PC to see if that has any effect on it.

    From what I can tell, it looks like it checks whether the file is there or not when trying to save, sees that it's not, tries to write the file, and then an access error occurs and it closes the whole app. Kind of odd, but I shall work on it.

    I'm going to buy the software in November so, if worst comes to worst, I shall view the legit copy and then work out how the app works.

    Cheers

    Mic
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #33
    SiGiNT
    Don't bother with the install of XP; it crashes my machine also. My SWAG is that it checks for a valid lic. before saving; setting the byte that makes it say it's a good version is not enough, there are at least 5 memory locations that need to be set and maybe more. Maybe you can successfully trace into the save function. If I break the app at the save screen and start a trace it crashes immediately. I didn't have time, but try walking the stack back to the cause of the exception: after it crashes hit the "K" button, set a breakpoint by double clicking on the lower line in the stack window, then set a break on that line in the CPU window. Do this again when it breaks on that line; repeat until you are back in a program module, then trace back to the branch to the exception.

    SiGiNT

  4. #34
    Michael_J
    Guest
    I have been playing around with the application a little more. It now believes it's in extended mode. But the save feature is still not working. I have used File Monitor to watch what is happening, and it would appear to be a buffer overflow. I'm going to carry on tonight trying to solve the issue.

    It's now getting close to cracking the app, as the time limit is not working, it shows it's in extended mode and the save feature half works.

    Who knows, maybe soon we will have this bad boy cracked.

    Cheers

    Mic

  5. #35
    Good to see someone developing progress on their own.

    Perseverance is a virtue.

  6. #36
    Michael_J
    Guest
    I kind of hit a brick wall, and the more I thought about it, the more it made me think that the Keyfile added code to the software.

    The only way I was going to crack this software and work out how it works was to get a keyfile. So I opened up my wallet and did what I always planned.

    I spent $1,617 on the software so I could work out how it worked.

    I have the keyfile now sat on my desktop.

    It installs itself and when you load the software, it loads a new window asking for a serial number.

    When I don't enter a serial, it comes up with:

    "The unlock code entered is invalid. Please verify that you have entered the correct code! If the problem persists, contact us by email to *****@*****.com"

    I formatted my PC only a few days ago, and haven't installed Olly yet, but will do on a Virtual PC, and give this another go.

    Of course, it's now almost pointless as I have the software legitimately, but I only ever did this for learning.

    Cheers for all your help, and fingers crossed I will be able to have a working crack soon.

    Cheers

    Mic

  7. #37
    seras
    Guest
    Noted one of your first posts:

    Code:
    "Registration key file '{0}' found"
    Usually {0} is used to pass arguments when printing or building strings in C#, have you checked to see if this is a C# or VB.NET related program? If so, you may make it easier by trying to look at specific tutorials and resources for disassembling the application.

  8. #38
    pythag
    Guest
    Interestingly I've been having a go at the same application being discussed above (as my first attempt at reverse engineering).

    I was feeling really chuffed with myself for having worked past all the keyfile checking routines and being able to reliably select which version of the program I wanted to run (Demo, Extended etc...), when I hit the same problem as Michael: when you click 'Save As...' it crashes.

    Upon further inspection several of the pointers to functions used in the save routine are stored in a table and encrypted. The encryption seems to be a simple XOR key, and knowing that pointers to code almost always begin with 00 and often end in 0, I've been able to work out the repeating key length - 36 bytes in this case, and some of the XOR keys.

    However I'm really stuck now, as digging through the code it appears that the encryption key is supplied in the keyfile they deliver (this part of the key will obviously be the same for all users).

    I've had a look to see if I can take educated guesses at these function pointers, for instance I could XOR pointers encrypted with the same key together to find out the difference between the original pointers, however that didn't really narrow down the search enough.

    What I'm quite surprised about is the fact that they bothered encrypting the pointers - why not just supply the exe with 00's in the table and supply the actual function pointers in the key file? The way they've done it I at least have some clues about the data.

    Has anyone come across a similar situation before and if so, how did you solve it? Failing that, if someone fancies halting a working version of the app and sending me the 36 bytes of data starting at 0x009581B0 that would also be good.

  9. #39
    pythag
    Guest
    I've just had a brainwave!

    If I can get hold of slightly earlier/later versions of the same program then the chances are the functions used will have moved slightly.... If they haven't changed their encryption key between versions then by XORing the two encrypted tables together I will cancel out the key and be left with the differences between the original location and the new function location.

    I can then do a binary comparison of the two executables and see which functions have moved by the offset given.... this should at the very least narrow down the search.

    (the version I've been working on is 1.13.4)

    This hasn't actually helped because I haven't been able to find any other versions, but I like the principle...

    Any other ideas? This is almost a straight cryptography attack problem rather than a code hacking one.

  10. #40
    SiGiNT
    Problem with that: it's a huge pain in the ass. Long calls may have changed, a bunch of stuff just adjusted slightly will throw you off big time, they also usually change the base address, and multi-purpose registers may have changed. Disassemble both, split screen, try to line them up and go from there.

    Good Luck

    S.......
    Last edited by SiGiNT; February 5th, 2009 at 17:54.

  11. #41
    dELTA (Administrator)
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  12. #42
    SiGiNT
    I have to plead idiocy on this one. I've never bothered trying BinDiff, but usually look for a common landmark in both disassembled files, then try to line them up that way. Frequently I find that jumps within a routine and addresses called from another routine have been added or subtracted, so using gray matter (I ain't got much left) is usually what I rely on. If you really want to have fun, try comparing your unpacked file to someone else's unpacked file; here I'll usually scroll down in the WinHex window until they match, then trim off the top and run compare, going with the parts that make sense.

    S...........

  13. #43
    pythag
    Guest
    Okay - maybe that idea is a non-starter (it certainly is until I find any other versions).

    I'm basically after clues to help me construct the key - here's what I know:

    * The key is 36 bytes long and is simply XOR'd with the pointers
    * The same key is used to encrypt 3 different pointers (i.e. roughly 27 pointers are encrypted in total).
    * 18 bytes of the 36 byte key are fairly easy to guess, because most function pointers begin with 0x00 (the 0x1f ones should be fairly easy to spot)
    * Statistically I can get 3 or 4 bytes more, on the basis that a lot of function pointers end in 0, however with only 3 pointers encoded with the same key this isn't really working for me.
    * I do know that the pointers will point to the start of functions - can I use this knowledge in any way?

    I did wonder if I could write a program to brute force the remaining bytes by testing each possibility (as there are only 6 bytes left per pointer to guess this is only 16 million possibilities) - in order to test each possibility I would check if all 3 pointers encoded with the guessed key line up to function entry points as decided by IDA Pro. However I'm not sure this will work - IDA Pro has misidentified a couple of function entry/exit points on functions which had blatant pointers to them. As the functions I'm interested in are probably not called from anywhere except these encrypted pointers, who is to say that IDA has identified them at all? I may also get several thousand 'hits' if luck isn't on my side, which I'd have to trawl through manually.

    If we think along the brute force lines - are there any other ways I could test for valid pointers? I do know the number of parameters being pushed onto the stack before the calls, however how could I check how many the functions were using in a simple script?
    Last edited by pythag; February 6th, 2009 at 06:25. Reason: spelling

  14. #44
    Pythag, here's a quick thought. In your brute forcing function, you could look for the typical "function setup bytes" each time. The normal "mov bp, sp", and the like. If you dig around, you should get an idea of what the compiler produces for a function, and in theory, be able to look for those bytes at the locations produced after each iteration through your function.

    Does this make sense?

  15. #45
    pythag
    Guest
    I had a quick look and unfortunately there isn't any consistent easy-to-spot pattern. Most functions start off by pushing a few bits and bobs onto the stack, but what they push varies considerably (some don't push anything).

    Around 50% of the functions seem to begin with 'push 0FFFFFFFFh' - why would a compiler do this? Maybe it's the default return value of -1 that people often use?

    As the program doing the brute-forcing can do a bit of statistical analysis I can probably say "if it starts with 'push 0FFFFFFFFh' then I've almost certainly found a function entry point" and "If it starts with a push of some kind then I might have" and use that.

    My gut feeling is that I probably have enough information here to rebuild this table, but it's going to take a bit of work.
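The thread's later posts (#38, #39, #43 and #45) all circle one design lesson: a function-pointer table protected with a short repeating XOR key is not really protected, because the plaintext has known structure. The following is an added illustration, not code from the thread or from the application being discussed. Everything in it is constructed: the 36-byte key, the 27 pointers, the assumed image address range 0x00400000-0x009FFFFF and the "moved by 0x30" second table are made up to model the situation pythag describes (32-bit little-endian pointers, a 36-byte key, three pointers per key position). It shows (a) that every pointer's zero high byte hands over one key byte per pointer slot, (b) how a known address range only narrows, but does not pin down, the next byte, which is the "isn't really working for me" experience from #43, and (c) the #39 observation that XORing two tables encrypted under the same key cancels the key entirely.

```python
import struct

KEY_LEN = 36
PTR_SIZE = 4                                  # 32-bit little-endian pointers (x86)
IMAGE_LO, IMAGE_HI = 0x00400000, 0x009FFFFF   # assumed range of the mapped image (constructed)

# Constructed 36-byte key and 27 constructed pointers (3 pointers per key position).
KEY = bytes((0x5A + 7 * i) & 0xFF for i in range(KEY_LEN))
POINTERS = [0x00401000 + 0x2500 * k + (k * k * 37) % 0x1000 for k in range(27)]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_table(pointers) -> bytes:
    """Serialise pointers the way they sit in the image: little-endian dwords."""
    return b"".join(struct.pack("<I", p) for p in pointers)


def encrypt_table(pointers, key: bytes) -> bytes:
    return xor_with_key(build_table(pointers), key)


def recover_high_byte_key_positions(ciphertext: bytes, key_len: int = KEY_LEN):
    """Known-plaintext leak: for an image mapped below 0x01000000 the high byte
    (offset 3 of each little-endian dword) of every pointer is 0x00, so at those
    positions key_byte = ciphertext_byte ^ 0x00.  Because 36 is a multiple of 4
    the same 9 key positions are hit by every pointer, which also lets us
    cross-check the assumption.  Returns ({key_pos: key_byte}, [unknown positions])."""
    known = {}
    for i, c in enumerate(ciphertext):
        if i % PTR_SIZE == 3:
            pos = i % key_len
            kb = c ^ 0x00
            if known.get(pos, kb) != kb:
                raise ValueError("high byte of a pointer is not 0x00 at key position %d" % pos)
            known[pos] = kb
    unknown = sorted(set(range(key_len)) - set(known))
    return known, unknown


def candidate_key_bytes_for_second_byte(ciphertext: bytes, key_len: int = KEY_LEN):
    """Partial leak: bits 16..23 (dword offset 2) of a pointer must lie inside the
    image's address range, so each ciphertext byte yields a candidate set for its
    key byte; pointers sharing a key position intersect their sets.  With only
    three samples per position and a wide range this rarely collapses to one value."""
    lo, hi = (IMAGE_LO >> 16) & 0xFF, (IMAGE_HI >> 16) & 0xFF
    allowed = range(lo, hi + 1)
    cands = {}
    for i, c in enumerate(ciphertext):
        if i % PTR_SIZE == 2:
            pos = i % key_len
            s = {c ^ p for p in allowed}
            cands[pos] = cands[pos] & s if pos in cands else s
    return cands


def table_difference(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two tables under the same key: (pa ^ k) ^ (pb ^ k) == pa ^ pb.
    The key drops out and only the difference between the plaintexts remains."""
    return bytes(a ^ b for a, b in zip(ct_a, ct_b))


def demo():
    ct = encrypt_table(POINTERS, KEY)
    known, unknown = recover_high_byte_key_positions(ct)
    print("key bytes recovered from zero high bytes:", len(known), "unknown:", len(unknown))
    cands = candidate_key_bytes_for_second_byte(ct)
    print("candidates left per second-byte position:", sorted(len(s) for s in cands.values()))
    moved = [p + 0x30 for p in POINTERS]          # constructed "later build" where code shifted
    diff = table_difference(ct, encrypt_table(moved, KEY))
    print("key-independent difference of first dword:", struct.unpack("<I", diff[:4])[0] == (POINTERS[0] ^ moved[0]))


if __name__ == "__main__":
    demo()
```

The takeaway for anyone designing such a scheme is that a repeating key shorter than the data, applied to values with predictable bytes, is a classic cryptanalysis exercise rather than a protection: either the table should not be stored in a form the client can read at all (compute the targets from a secret the client never holds, or keep the sensitive routines out of the shipped binary), or it should be wrapped with a real authenticated cipher under a per-installation key, so that structural knowledge of the plaintext gives nothing away.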
