
Thread: DVDXcopy 3.1 Removing "Features"

  1. #16
    cHeCksUm : Well done, if you crack it from virgin PC, then there's no possibility of any watermarking features being placed in the copy. Although I think the only possible "watermarking" they do is perhaps add another file to the disk. Like they say, the video is not de/re-compressed, so can't really be watermarked can it?

    Better be safe though really and use a bogus license key

    BTW, How did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of its license manager first and patch the actual exe file on disk?

  2. #17
    nikolatesla20
    Well I feel retarted, I managed to get to the "Accept license agreement" dialog, but when I click accept, the main window comes up and then disappears right away - so I apparently haven't found the right spot yet for the mov eax, 1 :P

    Some days I'm on, and other days I can't get anywhere heh. Not in code mode this weekend I guess


    -nt20

  3. #18
    big hint: to find the correct place to put the mov eax, 1, all you need to do is look for the debug text

    Actually, you don't even need to overwrite the code, just let the routine run and modify the value of eax after the call, as it seems that part of code is never run again anyway

  4. #19
    cHeCksUm
    Guest
    Originally posted by squidge
    BTW, How did you patch the "You can't copy a copy" ? Did you use in-memory patching via a loader, or actually strip the program of its license manager first and patch the actual exe file on disk?
    Well at the moment I am using a loader. But I will try to strip the program completely as I think I could learn a lot in doing so. Finding the right place for the nag about the "Can't copy a copy" and disabling it wasn't hard. DVDXcopy adds a file to the DVD (the file is in the program directory and can be edited to one's liking). It also adds a "watermark" to this file with program name, version and date as well as a string of characters. Other than that the copy is not watermarked in any way (well that I could find... and trust me I searched for it). Well I got home late so I don't have any time to work on it today. I'll look more at it tomorrow. Tonight it's back to another target.... legato networker... blah... I've been working on it for like three months (well not constantly but still) and I have got it to accept any activation code (that was really easy) but I still need to figure out how it generates the damn hostid to be able to make it accept keys for any machine. Then I have to do the same for the Solaris version.... hehe at least I have something to do tonight.

    // cHeCksUm
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #20
    Well I backed up a DVD using the program, and noticed the extra file it placed on the disk. I was going to hack it in a different way to what you mention however - instead of looking for the "you can't copy a copy" text, I was going to see how difficult it would be to get the program not to write that text file in the first place.

    Also, do you know if there is a way of getting the program to write at 1x instead of 2x to dvd media?

    Sounds like your diary however is pretty much booked up for the rest of the week to say the least

  6. #21
    nikolatesla20
    I have to say I am only interested in this program to "dump" it and practice another license manager.

    To copy DVDs I just use freeware tools:

    DVDdecrypter
    IFOEdit
    ImgTools

    And HP RecordNow with a Sony MRU500A DVD Burner.

    Works like a charm.

    Used DVD+RW Sony media, works in both XBox and PS2 dvd players.



    -nt20

  7. #22
    Must say, I'm only really interested in the protection also, but playing with it, it does seem to make doing DVD a little easier instead of using lots of different software, and I'm all for that

  8. #23
    nikolatesla20

    more boring facts.

    Still, I have trubble with this thing! hehehehehe I feel stoopid

    For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

    Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

    Code:
                     public pp_tcode
    seg000:30D33513 pp_tcode        proc near               ; CODE XREF: seg000:30D247D4p
    seg000:30D33513                                         ; pp_eztrig1ex+19p ...
    seg000:30D33513 
    seg000:30D33513 arg_0           = dword ptr  8
    seg000:30D33513 arg_4           = dword ptr  0Ch
    seg000:30D33513 arg_8           = dword ptr  10h
    seg000:30D33513 arg_C           = dword ptr  14h
    seg000:30D33513 
    seg000:30D33513                 push    ebp
    seg000:30D33514                 mov     ebp, esp
    seg000:30D33516                 push    esi
    seg000:30D33517                 mov     esi, [ebp+arg_C]
    seg000:30D3351A                 add     esi, 34h
    seg000:30D3351D                 cmp     [ebp+arg_8], 1
    seg000:30D33521                 jge     short loc_30D3352A
    seg000:30D33523                 mov     [ebp+arg_8], 1
    seg000:30D3352A 
    seg000:30D3352A loc_30D3352A:                           ; CODE XREF: pp_tcode+Ej
    seg000:30D3352A                 mov     eax, [ebp+arg_4]
    seg000:30D3352D                 xor     edx, edx
    seg000:30D3352F                 mov     ecx, eax
    seg000:30D33531                 push    ebx
    seg000:30D33532                 sar     ecx, 0Fh
    seg000:30D33535                 mov     dh, ch
    seg000:30D33537                 mov     ecx, eax
    seg000:30D33539                 sar     ecx, 13h
    seg000:30D3353C                 mov     ebx, eax
    seg000:30D3353E                 and     ecx, 0Fh
    seg000:30D33541                 sar     ebx, 8
    seg000:30D33544                 mov     dl, al
    seg000:30D33546                 add     ecx, 1FEh
    seg000:30D3354C                 and     ebx, 1Fh
    seg000:30D3354F                 imul    ecx, 108h
    seg000:30D33555                 sar     eax, 0Dh
    seg000:30D33558                 imul    ebx, 0F3h
    seg000:30D3355E                 and     eax, 3Fh
    seg000:30D33561                 add     ecx, ebx
    seg000:30D33563                 imul    eax, 44h
    seg000:30D33566                 add     ecx, eax
    seg000:30D33568                 lea     eax, [edx+esi*2]
    seg000:30D3356B                 mov     ebx, esi
    seg000:30D3356D                 push    1
    seg000:30D3356F                 add     ebx, eax
    seg000:30D33571                 pop     eax
    seg000:30D33572                 add     ebx, [ebp+arg_8]
    seg000:30D33575                 lea     edx, [edx+ebx*2]
    seg000:30D33578                 pop     ebx
    seg000:30D33579                 add     edx, esi
    seg000:30D3357B                 lea     esi, [ecx+ecx]
    seg000:30D3357E                 imul    ecx, 1Fh
    seg000:30D33581                 add     ecx, edx
    seg000:30D33583 
    seg000:30D33583 loc_30D33583:                           ; CODE XREF: pp_tcode+83j
    seg000:30D33583                 mov     edx, ecx
    seg000:30D33585                 and     edx, 7FFFFFFFh
    seg000:30D3358B                 cmp     edx, [ebp+arg_0]
    seg000:30D3358E                 jz      short loc_30D3359A
    seg000:30D33590                 inc     eax
    seg000:30D33591                 add     ecx, esi
    seg000:30D33593                 cmp     eax, 32h
    seg000:30D33596                 jle     short loc_30D33583
    seg000:30D33598                 xor     eax, eax
    seg000:30D3359A 
    seg000:30D3359A loc_30D3359A:                           ; CODE XREF: pp_tcode+7Bj
    seg000:30D3359A                 pop     esi
    seg000:30D3359B                 pop     ebp
    seg000:30D3359C                 retn    10h
    seg000:30D3359C pp_tcode        endp
    seg000:30D3359C

    Kinda simple I guess.

    -nt20

  9. #24
    yup, so all you have to do is find code that is very similar to that and force it to return 1.

    can't describe it in too much detail, otherwise the mods will be on my back for publishing an out-and-out crack but trace through the prog until it jumps into the memory it allocates beforehand. Set a breakpoint on RaiseException API call, set another breakpoint on the exception handler pointed to in the SEH entry on the stack. Continue the program and pass the exception through to it. You'll now land in the exception handling code. Shortly after the DialogBoxParamA, you see code like the code you posted above. Mod it and you're done

    Can't really explain it much more than that.

  10. #25

    Re: more boring facts.

    What you post will be like the following (bit easier to follow)

    eax = edx;
    ecx = edx;
    edx = edx & 516096;
    eax = eax & 7864320;
    edx = edx / 8192;
    eax = eax / 524288;
    edx = edx + 1980;
    edx = edx * 68;
    eax = eax * 264;
    edx = edx + eax;
    eax = ecx;
    eax = eax & 7936;
    eax = eax / 256;
    eax = eax * 243;
    esi = edx + eax;
    edx = ecx;
    edx = edx & 2139095040;
    ecx = ecx & 255;
    edx = edx / 32768;
    eax = 6621511;
    edx = edx + ecx;
    edx = edx * 3;
    eax = eax * 7;
    edi = edi * 2;
    edi = edi + edx;
    edx = esi;
    ecx = edi + eax;
    edx = edx * 31;
    edi = edx + ecx;
    ecx = esi * 2;
    edx = edi;
    edx = edx & 2147483647;

    /*
    Now we add the loop to get the 3rd value.
    */

    for (int i=0; i < 3; i++) {
    edi = edi + ecx;
    edx = edi;
    edx = edx & 2147483647;
    }

    Author of that was Crackz, although I can't say which program it's for because of obvious reasons...

    Originally posted by nikolatesla20
    Still, I have trubble with this thing! hehehehehe I feel stoopid

    For those interested - I downloaded the demo of the SoftwareKey protection plus and ran a demo project and dumped the key dll file from mem.

    Here's pp_tcode() (This is the function that verifies the machine and user codes and entered code - it sends back a number according to the function to enable)

    Code:
                     public pp_tcode
    
    <<<snip>>>

    Kinda simple I guess.

    -nt20

  11. #26
    nikolatesla20
    Just out of curiosity, are you using OllyDbg?


    HAAH I am using Olly now and now I see the debug strings you were talking about !


    OK I finally got it. Actually, I had it at home already too, but the main window wouldn't stay up for some reason - notice it won't let you run without a DVD drive anyway.

    -nt20
    Last edited by nikolatesla20; January 27th, 2003 at 18:09.

  12. #27
    nikolatesla20
    Since this is an MFC application,

    the first call will be to msvcrt.__set_app_type

    put a bpx on that and run it. (remember to load msvcrt.dll with symbol loader)

    Scroll up, your OEP is 00443648.



    ImpREC recovers almost all the table.

    -nt20
    Last edited by nikolatesla20; January 27th, 2003 at 18:28.

  13. #28
    nikolatesla20

    DONE.

    I'm done.


    It's unpacked and running like a baby. Bye bye license manager.

    I knew I could unpack it quickly (unpacking has become my specialty lately, since I do it so much I've gotten fairly good at it), as long as I could get the program to run, which was what I was having problems with.

    Thanks squidge.

    Anyone wants a nice unpacked file....... j/k.....or am i....

    -nt20

  14. #29
    No probs m8, I enjoy helping people that are willing to learn

    Yeah, I use OllyDbg a lot, I find it very handy for this kind of work. Must say it was kind of silly for SoftwareKey to put that piece of debug text in there, it made it slightly easier.

    I've put it aside now for the time being whilst I look at another application that I'm very interested in. The author decided to protect it with ASProtect, hopefully it won't take long to remove the ASProtect and find out how the program works itself. If it works out as good as I think it will, it could mean junking dvdxcopy.

  15. #30
    cHeCksUm
    Guest
    @nikolatesla20:

    Well done. Cracking it was easy but I am new to unpacking so I am having some troubles. Could you just post a brief description of how you went about doing it. I am not asking for anything specific just the general gist. Appreciate any help. Thanks.

    // cHeCksUm
