Thread: DVDXcopy 3.1 Removing "Features"

  1. #1
    cHeCksUm
    Guest

    DVDXcopy 3.1 Removing "Features"

    Hello,
    Finally I had some time to practice some cracking and found (or rather bought) an interesting target: DVDXcopy. The program is packed but I cannot for my life figure out what program the author used... not that it mattered a great deal. Anyhow I have come as far as I can with this target until I have read more about the PE format and such so that I can maybe unpack it. This is what I have found so far if someone else is interested in looking at the target.

    Well first of all I bought this program to try it out and I must admit it works quite well except for a certain number of annoying "features". First of all the program appends some silly text to the copied DVD... this I do not like. Second it will not let you copy the copy... of course I would NEVER do such a thing ... but it annoyed me none the less. And last but not least it has an irritating nag.

    So I loaded up my favorite debugger and started working. It was clear from the beginning that the exe is packed. This wasn't much of a problem (at first) since I used the live approach to cracking it. Anyhow, looking through the code I found all the licensing crap... but not the things I was after. So I traced around in the code and finally, a multitude of program restarts and many breakpoints later, I stumbled/arrived at the code I wanted. Seeing as how I am a newbie, I am not sure about this statement, but the program seems to be "double packed" or it only unpacks certain parts at a time. Could someone elaborate on exactly how this target is packed, should you have worked on it. Anyhow, once inside the right code the DVD backup copy crap and annoying text could be quickly removed. Now all I have to learn is memory patching and I'll be set... until then I guess I'll have to use some ready made loader/memory patcher. Actually I think memory patching will be the next thing I look at. Well if anyone needs help with this target feel free to ask and I will help as much as I can. Like I said above, if anyone could elaborate on the packing method (or even just the name so I can read up on it) please post here. Thanks.

    // cHeCksUm
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Not sure what packer was used on this file, and whatever it was, it's got some kind of anti-dump protection which renders progs like LordPE unusable.

    Does not seem to have anti-debug protection however, and so it's quite easy to dump the unpacked program using OllyDbg, fixup the IAT, and then begin working on the unpacked program.

    I downloaded the "registered users only update" from their website, so hopefully this is the same version as you have. Just need to write some kind of keygen for it now as I ain't a registered user...


    Edit:


    Seems like this is no packer, but a license manager that adds its 180KB stub onto the program to be protected. Anti-Dump and Anti-SoftICE, but not Anti-OllyDbg.

    Until a valid registration code is entered, I don't know the original entry point of the actual program, or have the correct import table, but I'm sure it can't be too hard to reverse the algo or patch the LM to find those...
    Last edited by squidge; January 25th, 2003 at 16:17.

  3. #3
    nikolatesla20 (Code Injector)

    interesting.

    I'll be looking at this for a little while just for the enjoyment.

    Here's a report from Commview 4.0, which I also just finished

    After you press the register button.

    Code:
    GET /solo/unlock/getcode.asp?LicenseID=2147483647&CustomerPW=YELLOW&code1=311097607&code2=4620484 HTTP/1.0
    HOST: activate.321studio.com
    
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Sat, 25 Jan 2003 23:08:58 GMT
    Connection: Keep-Alive
    Content-Length: 478
    Content-Type: text/html
    Cache-control: private
    
    <html>
    <head>
    <title>Customer Service | Unlock Key Results</title>
    </head>
    <script language="JavaScript">
    <!--
    function setfieldfocus(work)
    {
    
    }
    //-->
    </script>
    
    <body bgcolor="#FFFFFF" onload="setfieldfocus()" link="#663399" alink="#663399" vlink="#663399" text="#000000">
    <center><img src="../images/solo/customer_top_01.gif">
    <p><h2>Invalid Data Entered!<h2><p><input type=hidden value="Error Response = 100" id=hidden3 name=hidden3></center>
    </body>
    </html>
    hehe. Might be able to just hack this by editing the hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

    Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password")

    -nt20
    Last edited by nikolatesla20; January 25th, 2003 at 18:17.
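    The captured exchange above shows why the hosts-file idea is plausible from a defender's point of view: the activation result travels as a plain HTTP response, and the client reads a number out of a hidden form field that nothing binds to the request or to the real server. The following added example (not code from the thread or from 321studio; the server-side protocol is unknown, so the signed variant is an assumed design) parses the captured request and response, then shows the check a client should do instead: verify a MAC over the request fields, a client-chosen nonce, and the result, so a substituted server or a replayed response is rejected.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the request line and the interesting part of the
# HTML body, taken from the capture posted above.
CAPTURED_REQUEST_LINE = (
    "GET /solo/unlock/getcode.asp?LicenseID=2147483647&CustomerPW=YELLOW"
    "&code1=311097607&code2=4620484 HTTP/1.0"
)
CAPTURED_RESPONSE_BODY = (
    "<p><h2>Invalid Data Entered!<h2><p>"
    '<input type=hidden value="Error Response = 100" id=hidden3 name=hidden3>'
)


def parse_activation_request(request_line):
    """Split the GET request line into its query parameters (first value each)."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method: " + method)
    query = parse_qs(urlparse(target).query)
    return {name: values[0] for name, values in query.items()}


def parse_legacy_result(html_body):
    """Extract the numeric result the legacy client reads from the hidden field.

    Nothing in this response proves who produced it or which request it
    answers, so any host that name resolution points at can supply it.
    """
    match = re.search(r'value="Error Response = (\d+)"', html_body)
    return int(match.group(1)) if match else None


def canonical_message(request_params, nonce, result):
    """Bytes that the MAC covers: the request fields, the nonce and the verdict."""
    fields = [
        request_params["LicenseID"],
        request_params["code1"],
        request_params["code2"],
        nonce,
        str(result),
    ]
    return "|".join(fields).encode()


def make_signed_response(key, request_params, nonce, result):
    """Hypothetical server side: return the verdict together with an HMAC."""
    tag = hmac.new(key, canonical_message(request_params, nonce, result),
                   hashlib.sha256).hexdigest()
    return {"result": result, "nonce": nonce, "mac": tag}


def verify_signed_response(key, request_params, expected_nonce, response):
    """Client side: accept the verdict only if the nonce matches the one we
    sent (no replay) and the MAC over request + nonce + verdict checks out
    (no substituted server, no edited verdict). Returns the verdict or None."""
    if not hmac.compare_digest(str(response.get("nonce", "")), expected_nonce):
        return None
    expected = hmac.new(
        key, canonical_message(request_params, expected_nonce, response["result"]),
        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(response.get("mac", ""))):
        return None
    return response["result"]


if __name__ == "__main__":
    params = parse_activation_request(CAPTURED_REQUEST_LINE)
    print("legacy verdict read from HTML:", parse_legacy_result(CAPTURED_RESPONSE_BODY))
    demo_key = b"constructed-demo-key"   # placeholder, not a real secret
    nonce = "0123456789abcdef"            # would be random per request
    good = make_signed_response(demo_key, params, nonce, 1)
    forged = dict(good, result=1, mac="00" * 32)  # what a spoofed server can produce
    print("signed verdict:", verify_signed_response(demo_key, params, nonce, good))
    print("forged verdict:", verify_signed_response(demo_key, params, nonce, forged))
```

    One caveat matters for software like this: a symmetric key shipped inside the client can be pulled out by exactly the kind of reversing the thread describes, so in a real product the server would sign with a private key and the client would verify with an embedded public key; the verification flow (bind to request, check nonce, check signature before trusting the verdict) is the same.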

  4. #4

    ???

    Hiya,
    version I did was sometime in dec 2002 so may have been updated
    oeip 00443648.
    iat 00[4]48000
    Seem to recall a bp on DialogBoxParamA or one of the DialogBox calls where you are asked to enter a code before it will even start. It exits if you select cancel but returns to the main code if you just use the close gadget, so next time don't enter that call. I'm fairly sure a bp on GetProcAddress was enough to see where the APIs are being redirected and easily fixed. I know it's a bit sketchy but I didn't make many notes on this one. I got a working dump out of it and could maybe dig out the resolved text if it helps, though obviously not allowed to post it here.

  5. #5
    yup, been updated since then.

    to be honest, not looked at this proggy till cHeCksUm posted about it. Seems that it could be pretty useful after it's had a few features removed

    Don't know how it worked back in December, but it seems now that when the program loads up, it allocates a piece of memory which then contains the license manager part of it, and it is this code that calls the original OEP. Only spent about 5 - 10 minutes on it so far, so stopped at the point where it calls the win32 dialog procedure.

    Will take a look at the phone and web methods, and see if I can get it to go past the "enter your license" part, then hopefully will have a good OEP and IAT to play with

    Must say though, I love how it uses SEH to move between the protection dialogs and check your activation codes

    This is almost a proper license manager, none of that Crypkey crap
    Last edited by squidge; January 25th, 2003 at 19:12.

  6. #6

    Re: interesting.

    Originally posted by nikolatesla20
    hehe. Might be able to just hack this by editing hosts file for name resolution and feed it your own web page. Just thinkin' outside the box like I like to do. Haven't tried it tho.

    Also, click "Phone registration" and enter a password - the password must be 7 chars long. 8 chars is "invalid password". (7 is "incorrect password")

    -nt20
    Seems like the password length is variable - if you enter a single "1" for the password without a license ID, you get "Enter activation code" rather than "Invalid/Incorrect Password". Entering another "1" in both boxes gets you "Invalid activation". So it seems everything is variable, and a single character is best to bypass most of the checks.

  7. #7
    nikolatesla20 (Code Injector)
    hehe

    dang can't concentrate on this right now - did 3 programs last night.

    Well whatevah - tried a few eax edits and jump redirects, nowhere just yet.

    -nt20

  8. #8
    To crash or not to crash
    I passed through the license manager onto the OEP at 450114 and could rebuild the IAT, but I fail to get a correct dump. Maybe someone here can help me on how to get a valid dump?

  9. #9
    Well, I've dug up some information on this program from some foolish debugging strings that were left in the license manager. I suppose they thought it was ok to leave them in considering the code is compressed afterwards - do they think we don't check for this kind of stuff? Anyway...

    This program is protected with SoftwareKey's Protection PLUS system. You can download a demo of their software from their website, and the SDK manual is available for viewing online. I don't know if the demo is actually the SDK or not as I've not managed to connect to the ftp site as yet.

    The documentation alone, however, has told me what a number of the functions inside the manager are doing, which should be handy when it comes to keygen time - and it doesn't seem that difficult! However, I think the best approach is to strip the program of this LM completely. Then we can start removing the features we don't want from it.

    Ok, typical license manager. Replace the checking routine with "MOV EAX, 1; RET" and the program registers itself and never bothers you again with the "please register" nag screen. I thought this was going to be better than Crypkey for a minute then as well, but it turns out worse than some shareware programs.
    Last edited by squidge; January 25th, 2003 at 22:53.

  10. #10
    nikolatesla20 (Code Injector)
    haven't found the place for that mov eax,1 yet but I did find this string whilst memory fishing

    nowizdatymeferallgudmenstocumtwodaateofdarekuntry


    pretty funny huh

    -nt20

  11. #11
    Doesn't make a whole lot of sense, but pretty funny none the less!

    The place to put the MOV EAX, 1; RETN is in the SEH handler after the DialogBoxParamA call and the call to pp_tcode. Basically I've looked at the SDK docs, and this function needs to return a valid number in EAX between 1 and 50 to say the activation number and license you entered is valid, and a zero return is invalid. So just make it return 1 in your debugger (no need to modify the exe on disk) and it'll register itself forever. The code doesn't seem to ever be called again after the first run.

    So hopefully today I can easily find the OEP and reconstruct the import table, then patch this muther

  12. #12
    +SplAj (my new hair style :))

    DVDxcopy 3.1 ????

    version 3.1 wtf

    u mean 1.31 ? :-

    DvdXcopy v1.3.1 *INCL KEYMAKER* Cracked by....: tam Release-Name..: CR-DV131.ZIP
    Supplied......: CORE
    Release-Date..: 01/08/2003

    don't waste yer time lads....

    Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!

    bwaaaa.

    Squidge I am interested in CrapKey6 detail.......

    wtf did u do with their *lame* API name scrambler and wtf did u do about *really lame* Int3 debug/debugee Armadillo clone.

    All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P
    Last edited by +SplAj; January 26th, 2003 at 08:30.
    Carve my name into your arm :)

  13. #13

    Re: DVDxcopy 3.1 ????

    Originally posted by +SplAj
    version 3.1 wtf

    u mean 1.31 ? :-

    DvdXcopy v1.3.1 *INCL KEYMAKER* Cracked by....: tam Release-Name..: CR-DV131.ZIP
    Supplied......: CORE
    Release-Date..: 01/08/2003

    don't waste yer time lads....
    +SplAj,

    Registering the program seems to be the easy part. I now want to remove the license manager from the code completely, so we can change a few things in the way it operates. I think the version released by Core is just a keygen/hack ?


    Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!
    Apparently this version is "all our own work". Apart from they use Nero and Gear DLLs. No shareware/freeware apps here. Or so they say...

    Squidge I am interested in CrapKey6 detail.......

    wtf did u do with their *lame* API name scrambler and wtf did u do about *really lame* Int3 debug/debugee Armadillo clone.
    Their name scrambler is just a simple XOR, which I wrote a builder prog for descrambling. It finds the two parts of the import table, combines them together and then decrypts the names using the simple XOR. The resulting file can then be placed into the program.

    Their Armadillo clone INT 3 stuff was even easier - when the program is unpacked, there's a load of data before the exe; this contains pointers and lengths to each part of the program, so my prog just grabs all of them and combines them together. Since these are unpacked onto a layer of INT 3 calls, my prog simply overwrites all the INT 3's with the original code. The result is that you don't need the loader anymore.

    After that, it was a simple matter of generating a sig file, and replacing the crypkey functions so the program was authorised without having to reg it.

    If you want my name descrambler and/or prog builder, just ask. They are by no means standalone, and you still need to do a fair amount of debugging and the like yourself - I don't think there are enough programs out there yet to make it all in one.

    All done, had a busy weekend .....now /me bored waiting for PElock 1.07....cumon bart wotsit :P
    Yup, waiting for a prog with some real protection eh?
    Last edited by squidge; January 26th, 2003 at 09:16.

  14. #14
    +SplAj (my new hair style :))

    thanks...

    Squidge

    yup, did that, coded a simple app to 'decrypt' the .code section from the debug dump (with nice array of pointers buffered with 00 / 01) and paste to the dumped exe and also xor the api names....I thought about selling it....maybe $999 but maybe your version is cheaper

    Yup the core is just a keymaker... did not try it yet .... i'm gonna take the stuff home..

    later

    Spl/\j


  15. #15
    cHeCksUm
    Guest
    @+SplAj
    > Also isn't this DVDx another 'front end' for a load of old beta softs (divx, tmpeg, cdburner aspi from roxio/nero, dvd ripper) to make a DVD rip 'suite' like 'Replicant coded in VB6 !!!!' How can they have the nerve to 'sell' such shiiiiite.... and ppl pay $99 for it !!!!

    No actually they have the author of Ifoedit working on the program now. Before it was seriously bloated at like 24MB but as soon as they hired him they got it down to the size it is now.... makes you wonder what the hell they did in the first place . It works rather well except for the annoying "features" I mentioned before... but they are gone now. The program never uses DivX or the like as the DVD is copied not ripped and compressed, hence no loss in quality etc. It keeps it in MPEG2.0. However the price is steep... but hey what can one do.

    About the keygen. I saw it too... but it didn't really meet my needs as I am licensed... I wouldn't ever have looked at the target if it wasn't for the annoying "Cannot copy a copy" crap they have added to the program. You want to know the really funny thing? They argued in their defence (to the MPAA) that it could not be used to pirate DVDs because the copies of the original would be encrypted... hahahaha... yeah right... only a silly check which is easily bypassed and you're home free to copy the backup... and its backup and on and on... well you get the point.

    Back to the target. I have installed the thing on another computer to crack it from virgin condition without registration. I'll post my findings later as I am in a bit of a hurry.

    @nikolatesla20

    >nowizdatymeferallgudmenstocumtwodaateofdarekuntry

    Hehe... that is quite funny.

    // cHeCksUm