Thread: DVDXcopy 3.1 Removing "Features"

  1. #31
    nikolatesla20 (Code Injector)
    Join Date: Apr 2002

    First we want to get the program's OEP. But of course first it has to run! So the first task was to get the program to run, which I finally did *durr to me*.

    Then we want to get the OEP. Notice that the program is an MFC program (it imports mfc42.dll). All MFC programs call __set_app_type shortly after the OEP. So we can put a breakpoint on that routine and run the program. After the license manager runs and jumps to the real program, we will land on our breakpoint.

    Now we are about 6 lines down from the OEP (by the way, write down the OEP for later use), no major code has taken place. In other words, there haven't been any variables initialized, etc. So we can dump right from here. In SoftICE we can assemble the current instruction so it loops on itself ("a eip <enter> jmp eip <enter>"). Now the program is frozen in an infinite loop. Make sure you write down what the 2 bytes are at EIP's location first, so you can restore them later, after dumping. (do a "db eip" and write down the first two bytes you see).

    Exit SoftICE and fire up LordPE and select the DVDXCopy process. When you do so, notice one small "error". DVDXCopy reports its image size as 1000. That's wrong. It's a trick. Right click and select "correct ImageSize". LordPE will fix it. Now do a full dump. Remember that infinite loop you made? You have to go in with a Hex Editor later and restore those bytes you overwrote. (2 bytes)

    Now we have to fix 2 things about the dump. Notice it does not have an icon. This is because the last section is incorrect. Open up the dumped.exe in LordPE or PEditor and go to the section editor. The last section shows 00000000 as the RawSize and VirtualSize. This is wrong. Fix it (ImageSize says 7D000, so the last section's size should be 1A000 for both Raw and Virtual). Hey, your icon is back now.

    Now you get to restore the imports.

    How do we know where they are in the program when in memory? Easy. Disasm the dumped.exe you have now. Go to the entry point. Remember, about 6 - 10 lines down is the __set_app_type call. This is an import, so you will see the call dword ptr [xxxxxxxx]. The xxxxxxxx is where the first thunk is, which can never change. Which means in memory the IAT is in this area!

    Run the program again and go into SoftICE and go to the IAT area. Scroll up and down both and get the IAT start and what you think the length is. Write it down.

    Fire up ImpREC and select the process, type in the OEP, the IAT start, and IAT length and "Get Imports", and then "Autotrace". ImpREC gets almost everything in one pass, just 14 or so are not done yet. You can do these manually in SoftICE by going to the memory area ImpREC says the import is at and "u <import address>" to see what the code says. I found most of them were simple "mov eax, GetDlgItemInt ; push eax ; ret". So there you have your import. Depending on how good your guess was at the IAT length, you might end up with junk thunks on the end of the tree. You can cut these off. You'll know they are junk if they don't reference a higher memory area like the other unresolved calls do.

    Leave "add a section" checked and press "Fix Dump" and voilà, you are done.

    Last edited by nikolatesla20; January 28th, 2003 at 13:32.
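    The two header checks the post walks through (a bogus SizeOfImage and a zeroed last section, fixed with size = SizeOfImage - last section VA) as an added example for validating a process dump; this is not code from the thread or from LordPE/PEditor, and the PE header it works on is a constructed sample with the thread's numbers (0x7D000, 0x63000, 0x1A000) and an assumed section name .rsrc.

```python
import struct
SECTION_HDR = "<8sIIII"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData

def build_sample_pe(size_of_image, sections):
    """Constructed sample: a minimal PE32 header with the given sections and no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                               # Magic
    struct.pack_into("<I", opt, 56, size_of_image)                      # SizeOfImage
    hdrs = b"".join(struct.pack(SECTION_HDR, n, vs, va, rs, 0) + b"\0" * 16
                    for n, va, vs, rs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs

def parse_pe(data):
    """Return (SizeOfImage, section table offset, [(name, va, vsize, rawsize), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 24 + 56)[0]
    tbl = e_lfanew + 24 + opt_size
    secs = [struct.unpack_from(SECTION_HDR, data, tbl + 40 * i) for i in range(nsec)]
    return size_of_image, tbl, [(n.rstrip(b"\0").decode(), va, vs, rs) for n, vs, va, rs, _ in secs]

def check_dump(data):
    """Flag the two header problems from the post; return (findings, expected last-section size)."""
    size_of_image, _, secs = parse_pe(data)
    name, va, vs, rs = secs[-1]
    expected = size_of_image - va        # the last section must run to the end of the image
    findings = []
    if size_of_image <= 0x1000:          # smaller than one page: the header is lying
        findings.append("SizeOfImage %#x is bogus; correct it before dumping" % size_of_image)
    if vs == 0 or rs == 0:               # zeroed section header: resources (icon) are lost
        findings.append("last section %s has zero size; expected %#x" % (name, expected))
    return findings, expected

def fix_last_section(data):
    """Return a copy with the last section's VirtualSize and SizeOfRawData set to SizeOfImage - VA."""
    size_of_image, tbl, secs = parse_pe(data)
    out, off = bytearray(data), tbl + 40 * (len(secs) - 1)
    expected = size_of_image - secs[-1][1]
    struct.pack_into("<I", out, off + 8, expected)    # VirtualSize
    struct.pack_into("<I", out, off + 16, expected)   # SizeOfRawData
    return bytes(out)

# Constructed sample mirroring the thread's numbers: SizeOfImage 0x7D000, last section zeroed.
SAMPLE = build_sample_pe(0x7D000, [(b".text", 0x1000, 0x62000, 0x62000),
                                   (b".rsrc", 0x63000, 0, 0)])
```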

  2. #32
    To crash or not to crash
    Join Date: Dec 2001
    Man! Have I learned something! Now it works perfectly, thanks nikolatesla20. I've tried everything to get the dump working, but I failed to notice the last section was incorrectly sized. DUH!!! It works now so I can delete it. Nice practice.

  3. #33
    Thank you very much. A thorough explanation. I had got so far as to get the OEP... that wasn't a problem, I simply traced with Ollydbg until it gave an "error message", noted the call I was on and then did that again, this time breaking on the call, and so forth until I got to the OEP (this is how I cracked the "cannot copy copy" crap and the file it places on the DVD). I then read two tutes (+HCU tute and one more on manual unpacking) and managed to dump each section using Ollydbg, but they dumped into .mem files (although I changed them to exe) and I wasn't sure how to go about rebuilding them (is that even possible!?). I will read through your comments again and see if I can do the same using other tools (mainly thinking of using Olly instead of SoftICE) that way I at least have to engage my brain a little and not just be spoon fed .... Anyhow I REALLY appreciate the help. Thanks.

    // cHeCksUm

  4. #34
    To make an exe file with Olly - save each memory block as a .mem file. Combine them together with the dos command copy:

    copy /b part1.mem + /b part2.mem + /b part3.mem prog.exe

    where prog.exe is the output file and the rest are your inputs.

    Now you need to fix the PE header (rs=vs, etc.) and generate a valid import table.

    Overall, it's much easier to pause the program with olly, and then dump it with LordPE. But the olly way is good to learn - as lordpe may not always work.

  5. #35
    To crash or not to crash
    Join Date: Dec 2001
    There is also a plugin for olly called ollydump. Works good.

  6. #36
    For anyone who found the last version challenging and would like to take the next step, 1.5 is out. A little more effort on the authors' part (more anti-debugging) yet still a lot the same. Good practice anyhow. It almost seems as if they read our posts on this board and then changed the protection scheme... I mean like not prompting for a non-backup disk etc. hehe. The authors seem to be spending a little too much time concentrating on the protection when they should be ironing out the bugs... I mean I paid 99USD for a program to backup my DVDs... not for cracking practice on how to remove unwanted features. Oh well.. c'est la vie. Time to get fresh with Networker 7... wonder if they bothered updating their protection scheme, and then I need to look at cluster server for Solaris, and samfs. and.... and... well I got my weekend all mapped out (no really I do have a life). Later boys and girls... and happy cracking to all.

    // cHeCksUm

  7. #37
    Heh, happy cracking cHeCksUm, seems like you got your weekend all sorted out.

    Myself, I'm moving away from cracking and doing more RE work and finding out exactly how things work, and also putting a lot more effort into my own tools for that very job.

    Really can't be bothered to do the latest version as I don't like using two disks per film, so I just use a hacked up version of dvd95copy that'll put every film onto a single DVD-R rather than 2 (I've no interest in the extras, see).

  8. #38
    I think I'll stick to cracking until I am a bit more experienced. Then I might look at RE in a more general sense. I started looking more at programming again though, mainly Perl, but I am planning on dusting off the old ASM books. Maybe I'll also look at C again but 99% of my work is on *nix (and mostly constitutes text-filtering of some sort) so Perl really fits the bill and that is my main language of choice.

    I really don't care that much about the extras either but I like the one-button simplicity of DVDXcopy. Most of all I am just pissed that the programmers are trying to restrict what DVDs I can or cannot copy... that I do not like.

    Well good luck with the tools... maybe we'll see, and use, some of them on the net.

    // cHeCksUm

  9. #39

    I have an application that is supposed to be protected by Protection Plus.
    I suppose it's the same target, but there wasn't any License Manager part in it. Just the wrapper, apparently.
    Or it's another product from the same company.

    It's basically the same as Asprotect, but easier.
    If anyone wants to try his hand on it (it's NOT the site of the company, some guy hosts it on his personal web site because he is studying the protection on a forum),
    here is the url:


    Have fun