Page 3 of 3 FirstFirst 123
Results 31 to 40 of 40

Thread: Challenge

  1. #31
    ive dumped a Trymedia protect game just yesterday..

    i dumped at the licence layer entry point..
    fixed imports with imprec..
    found the GetModuleHandleA call in the licence layer EP..

    traced into the call under it..

    Code:
    00BB0723   FF15 E841BD00    CALL DWORD PTR DS:[BD41E8] ; kernel32.GetModuleHandleA
    00BB0729   50               PUSH EAX
    00BB072A   E8 EF2BF2FF      CALL .00AD331E

    u see
    Code:
    00AD331E   B8 D431BC00      MOV EAX,.00BC31D4
    00AD3323   E8 08D30D00      CALL .00BB0630
    00AD3328   51               PUSH ECX
    00AD3329   83EC 18          SUB ESP,18
    00AD332C   53               PUSH EBX
    00AD332D   56               PUSH ESI
    00AD332E   57               PUSH EDI
    00AD332F   8965 F0          MOV DWORD PTR SS:[EBP-10],ESP
    00AD3332   8365 EC 00       AND DWORD PTR SS:[EBP-14],0
    00AD3336   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
    00AD333A   FF75 08          PUSH DWORD PTR SS:[EBP+8]
    00AD333D   FF75 10          PUSH DWORD PTR SS:[EBP+10]
    00AD3340   E8 EE9F0000      CALL .00ADD333
    00AD3345   59               POP ECX
    00AD3346   59               POP ECX
    00AD3347   8945 D8          MOV DWORD PTR SS:[EBP-28],EAX  - i made this jump to OEP.. dump crashed on the PUSHAW below.. (didnt crash on any other trymedia i tried)
    00AD334A   837D D8 00       CMP DWORD PTR SS:[EBP-28],0
    00AD334E   74 49            JE SHORT .00AD3399  -  this jump = on to exitprocess
    00AD3350   813D 709BAC00 54>CMP DWORD PTR DS:[AC9B70],416E6454
    00AD335A   75 2F            JNZ SHORT .00AD338B
    00AD335C   6A 00            PUSH 0
    00AD335E   FF15 E841BD00    CALL DWORD PTR DS:[BD41E8]               ; kernel32.GetModuleHandleA
    00AD3364   8B0D 7C9BAC00    MOV ECX,DWORD PTR DS:[AC9B7C]
    00AD336A   03C8             ADD ECX,EAX
    00AD336C   890D 0869A600    MOV DWORD PTR DS:[A66908],ECX
    00AD3372   8B25 0069A600    MOV ESP,DWORD PTR DS:[A66900]
    00AD3378   A1 0469A600      MOV EAX,DWORD PTR DS:[A66904]
    00AD337D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX
    00AD3383   66:61            POPAW
    00AD3385   FF25 0869A600    JMP DWORD PTR DS:[A66908]      get modified above.. and jumps to OEP 
    00AD338B   6A 00            PUSH 0
    00AD338D   68 686AA600      PUSH .00A66A68                    ; ASCII "Everything OK!"
    after this the dump runs fine.

    when i switch to fullscreen.. it crashes because somthing in ddraw.dll .. go figure :P

    ive only dumped and cracked this one exe, and i think its older trymedia..
    yet to work on some other exes..
    bad technique?

  2. #32
    Mephisto I am working on an activemark game as well. And I am pretty much at the same area you are.
    Here's what I've done so far:

    -Set HW BP on OEP (found OEP using PEID and verified by dumping the file and searching for for "TdnA" and counting 13 bytes, including TdnA)
    -Run program till we hit OEP.
    (you have to hit play free trial)
    -Analyze program
    -you will be here:
    Code:
    20003BC4  /. 55             PUSH EBP
    20003BC5  |. 8BEC           MOV EBP,ESP
    20003BC7  |. 6A FF          PUSH -1
    20003BC9  |. 68 F0810020    PUSH XXXX.200081F0
    20003BCE  |. 68 204E0020    PUSH XXXX.20004E20           ;  SE handler installation
    20003BD3  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
    20003BD9  |. 50             PUSH EAX
    20003BDA  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
    20003BE1  |. 83EC 58        SUB ESP,58
    20003BE4  |. 53             PUSH EBX
    20003BE5  |. 56             PUSH ESI
    20003BE6  |. 57             PUSH EDI
    20003BE7  |. 8965 E8        MOV DWORD PTR SS:[EBP-18],ESP
    20003BEA  |. FF15 24F21720  CALL NEAR DWORD PTR DS:[2017F224];  kernel32.GetVersion
    20003BF0  |. 33D2           XOR EDX,EDX
    20003BF2  |. 8AD4           MOV DL,AH
    20003BF4  |. 8915 2CCE0020  MOV DWORD PTR DS:[2000CE2C],EDX
    20003BFA  |. 8BC8           MOV ECX,EAX
    20003BFC  |. 81E1 FF000000  AND ECX,0FF
    20003C02  |. 890D 28CE0020  MOV DWORD PTR DS:[2000CE28],ECX
    20003C08  |. C1E1 08        SHL ECX,8
    20003C0B  |. 03CA           ADD ECX,EDX
    -Now dumping and fixing the imports did not work for me so I set a BP on the first .bss section. and continued running
    - I then broke here:
    Code:
    2009A3BE   B8 D99D0920      MOV EAX,XXXX.20099DD9
    2009A3C3   E8 B0110C00      CALL XXXX.2015B578  ****STEP OVER***
    2009A3C8   83EC 20          SUB ESP,20
    2009A3CB   E9 CB0B0000      JMP XXXX.2009AF9B
    2009A3D0   E8 BDD50800      CALL XXXX.20127992  ***STEP INTO***
    2009A3D5   8B45 D8          MOV EAX,DWORD PTR SS:[EBP-28]
    2009A3D8   E9 5C0B0000      JMP XXXX.2009AF39
    2009A3DD   AF               SCAS DWORD PTR ES:[EDI]
    2009A3DE   A9 0F8238FC      TEST EAX,FC38820F
    -Step into the second call and you are here:
    Code:
    20127992   B8 88EB1620      MOV EAX,XXXX.2016EB88
    20127997   E8 DC3B0300      CALL XXXX.2015B578  ***STEP INTO***
    2012799C   81EC 74010000    SUB ESP,174
    201279A2   53               PUSH EBX
    201279A3   56               PUSH ESI

    -Step into that call and you are here:
    Code:
    2015B578   6A FF            PUSH -1
    2015B57A   50               PUSH EAX
    2015B57B   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
    2015B581   50               PUSH EAX
    2015B582   8B4424 0C        MOV EAX,DWORD PTR SS:[ESP+C]
    2015B586   64:8925 00000000 MOV DWORD PTR FS:[0],ESP
    2015B58D   896C24 0C        MOV DWORD PTR SS:[ESP+C],EBP
    2015B591   8D6C24 0C        LEA EBP,DWORD PTR SS:[ESP+C]
    2015B595   50               PUSH EAX
    2015B596   C3               RETN
    Scroll down and we see the beginning of something:
    Code:
    2015B597   55               PUSH EBP
    2015B598   8BEC             MOV EBP,ESP
    2015B59A   6A FF            PUSH -1
    2015B59C   68 E80B0820      PUSH XXXX.20080BE8
    2015B5A1   68 70191620      PUSH XXXX.20161970
    2015B5A6   64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
    2015B5AC   50               PUSH EAX
    2015B5AD   64:8925 00000000 MOV DWORD PTR FS:[0],ESP
    2015B5B4   83EC 58          SUB ESP,58
    2015B5B7   53               PUSH EBX
    2015B5B8   56               PUSH ESI
    2015B5B9   57               PUSH EDI
    2015B5BA   8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
    2015B5BD   FF15 24F21720    CALL NEAR DWORD PTR DS:[2017F224]; kernel32.GetVersion
    2015B5C3   33D2             XOR EDX,EDX
    2015B5C5   8AD4             MOV DL,AH
    2015B5C7   8915 7C9D1720    MOV DWORD PTR DS:[20179D7C],EDX
    2015B5CD   8BC8             MOV ECX,EAX
    2015B5CF   81E1 FF000000    AND ECX,0FF
    2015B5D5   890D 789D1720    MOV DWORD PTR DS:[20179D78],ECX
    2015B5DB   C1E1 08          SHL ECX,8
    2015B5DE   03CA             ADD ECX,EDX
    2015B5E0   890D 749D1720    MOV DWORD PTR DS:[20179D74],ECX
    2015B5E6   C1E8 10          SHR EAX,10
    -So this is around where you are as well.
    -I set a hardware BP on 2015B597 and then restarted the program. I ran until we reached it. I then dumped fixed the imports using this as my OEP
    - Running the program brings about immediate exitprocess, however if you look at the call stack in Olly you can trace it back to the same code you posted:
    Code:
    200827F8   51               PUSH ECX
    200827F9   83EC 18          SUB ESP,18
    200827FC   53               PUSH EBX
    200827FD   56               PUSH ESI
    200827FE   57               PUSH EDI
    200827FF   8965 F0          MOV DWORD PTR SS:[EBP-10],ESP
    20082802   8365 EC 00       AND DWORD PTR SS:[EBP-14],0
    20082806   8365 FC 00       AND DWORD PTR SS:[EBP-4],0
    2008280A   FF75 08          PUSH DWORD PTR SS:[EBP+8]
    2008280D   FF75 10          PUSH DWORD PTR SS:[EBP+10]
    20082810   E8 2B820000      CALL XXXX.2008AA40  ****SETS UP BROWSER WINDOW, CHECKS LICENSE ETC***
    20082815   59               POP ECX
    20082816   59               POP ECX
    20082817   8945 D8          MOV DWORD PTR SS:[EBP-28],EAX
    2008281A   837D D8 00       CMP DWORD PTR SS:[EBP-28],0
    2008281E   74 49            JE SHORT XXXX.20082869 ***IF BROWSER, LICENSE ETC IS OKAY THEN CONTINUE ELSE ExitProcess***
    20082820   813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
    2008282A   75 2F            JNZ SHORT XXXX.2008285B
    2008282C   6A 00            PUSH 0  ***CONTINUE EXECUTION***
    2008282E   FF15 CCF11720    CALL NEAR DWORD PTR DS:[2017F1CC]  ; kernel32.GetModuleHandleA
    20082834   8B0D CC900720    MOV ECX,DWORD PTR DS:[200790CC]
    2008283A   03C8             ADD ECX,EAX
    2008283C   890D E8680120    MOV DWORD PTR DS:[200168E8],ECX  ***MOVES OUR OEP INTO 200168E0***
    20082842   8B25 E0680120    MOV ESP,DWORD PTR DS:[200168E0]
    20082848   A1 E4680120      MOV EAX,DWORD PTR DS:[200168E4]
    2008284D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX
    20082853   66:61            POPAW
    20082855  -FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]   ;***WILL JUMP TO OUR OEP*** 
    2008285B   6A 00            PUSH 0
    2008285D   68 486A0120      PUSH XXXX.20016A48             ; ASCII "Everything OK!"
    20082862   E8 F78C0000      CALL XXXX.2008B55E
    20082867   59               POP ECX
    20082868   59               POP ECX
    20082869   EB 6E            JMP SHORT XXXX.200828D9
    2008286B   8365 EC 00       AND DWORD PTR SS:[EBP-14],0
    2008286F   B8 D9280820      MOV EAX,XXXX.200828D9
    20082874   C3               RETN
    - This jump here:
    Code:
    20082855  -FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]   ;***WILL JUMP TO OUR OEP***
    will jump to the OEP we found with PEID
    -Basically it seems that the program goes into CALL XXXX.2008AA40.
    -This call sets up browser etc, and sets stuff up depending on if you choose "Continue Trial" or just close the browser box. If you continue the trial the rest of the program is initialized. Otherwise nothing is init. My trial has run out so I have to close the window.
    -I tried reversing this jump in my dumped file:
    Code:
    2008281E   74 49            JE SHORT XXXX.20082869 ***REVERSED THIS JUMP SO IT WOULD ALWAYS CONTINUE***
    20082820   813D C0900720 54>CMP DWORD PTR DS:[200790C0],416E6454
    2008282A   75 2F            JNZ SHORT XXXX.2008285B
    - HOWEVER, You get this error when running:
    "Unable to load Movie Playlist. Does the INI file exist? It must contain a section [Movies] with an entry..."
    - So I tried on my real executable. I cannot run the game part so I have to choose close on the browser window. That JE SHORT XXXX.20082869 is never reached instead we go straight to ExitProcess. Setting a BP on Exit Process I found that it was called by this section of code:
    Code:
    200828D9   834D FC FF       OR DWORD PTR SS:[EBP-4],FFFFFFFF
    200828DD   E8 D5810000      CALL XXXX.2008AAB7
    200828E2   FF75 EC          PUSH DWORD PTR SS:[EBP-14]
    200828E5   FF15 28F11720    CALL NEAR DWORD PTR DS:[2017F128]   ; kernel32.ExitProcess
    200828EB   8B4D F4          MOV ECX,DWORD PTR SS:[EBP-C]
    200828EE   64:890D 00000000 MOV DWORD PTR FS:[0],ECX
    200828F5   5F               POP EDI
    200828F6   5E               POP ESI
    200828F7   5B               POP EBX
    200828F8   C9               LEAVE
    -So I set a HW BP on the beginning of that little section. When I broke, I tried changing my origin to:
    Code:
    2008282C   6A 00            PUSH 0  ***CONTINUE EXECUTION***
    2008282E   FF15 CCF11720    CALL NEAR DWORD PTR DS:[2017F1CC]   ; kernel32.GetModuleHandleA
    20082834   8B0D CC900720    MOV ECX,DWORD PTR DS:[200790CC]
    2008283A   03C8             ADD ECX,EAX
    2008283C   890D E8680120    MOV DWORD PTR DS:[200168E8],ECX
    20082842   8B25 E0680120    MOV ESP,DWORD PTR DS:[200168E0]
    20082848   A1 E4680120      MOV EAX,DWORD PTR DS:[200168E4]
    2008284D   64:A3 00000000   MOV DWORD PTR FS:[0],EAX
    20082853   66:61            POPAW
    20082855   FF25 E8680120    JMP NEAR DWORD PTR DS:[200168E8]    ; XXXX.2015B597
    -This brought about the same error I recieved when running the dumped file. So somewhere in that program is determined if we chose continue trial or just closed the window. And depending on what we pick it will initilize the rest of the program. At least that is what happens in my target; Activemark version 5.31.1140
    -So at this point I am stuck; but at least I know that I am in the right area.

  3. #33
    gabri3l / MEPHiST0,

    The questions you raise, and the means to circumvent the protection
    would require a Tutorial. The problem you may both be running into can
    be any one of the following:

    1) The application utilizes the Macromedia Flash Projector as in the case of
    gabri3l.
    2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.
    3) The application originated on CD/DVD. For this, Activemark will setup a temp path in your registry. Sometimes, you can identify and change (the app's path) this reference in your registry to a more static one, i.e. a reference to the program's directory where the data is physically located. You may have to change a DWORD reference in the program to look for your new registry change. This is unscientific.

    If your lucky enough to have a normal program, then I would recommend
    dumping the app at the first EP, which is usually like below:

    Code:
    00EB12D8 >  66:60                    PUSHAW
    00EB12DA    8925 F048E400            MOV DWORD PTR DS:[E448F0],ESP
    00EB12E0    64:A1 00000000           MOV EAX,DWORD PTR FS:[0]
    00EB12E6    A3 F448E400              MOV DWORD PTR DS:[E448F4],EAX
    00EB12EB    6A 00                    PUSH 0
    00EB12ED    FF15 FC21FB00            CALL DWORD PTR DS:[FB21FC]               ; kernel32.GetModuleHandleA
    00EB12F3    A3 F848E400              MOV DWORD PTR DS:[E448F8],EAX
    00EB12F8    A1 F848E400              MOV EAX,DWORD PTR DS:[E448F8]
    00EB12FD    0305 687BEA00            ADD EAX,DWORD PTR DS:[EA7B68]            ; xxxxxx.00B8E577
    00EB1303    A3 F848E400              MOV DWORD PTR DS:[E448F8],EAX
    00EB1308    FF25 F848E400            JMP DWORD PTR DS:[E448F8]
    00EB130E    B8 0411FA00              MOV EAX,Xxxxxx.00FA1104
    00EB1313    E8 40D20D00              CALL Xxxxxx.00F8E558
    00EB1318    51                       PUSH ECX
    00EB1319    83EC 18                  SUB ESP,18
    00EB131C    53                       PUSH EBX
    00EB131D    56                       PUSH ESI
    00EB131E    57                       PUSH EDI
    00EB131F    8965 F0                  MOV DWORD PTR SS:[EBP-10],ESP
    00EB1322    8365 EC 00               AND DWORD PTR SS:[EBP-14],0
    00EB1326    8365 FC 00               AND DWORD PTR SS:[EBP-4],0
    00EB132A    FF75 08                  PUSH DWORD PTR SS:[EBP+8]
    00EB132D    FF75 10                  PUSH DWORD PTR SS:[EBP+10]
    00EB1330    E8 EE9F0000              CALL Xxxxxx.00EBB323
    00EB1335    59                       POP ECX
    00EB1336    59                       POP ECX
    00EB1337    8945 D8                  MOV DWORD PTR SS:[EBP-28],EAX
    00EB133A    837D D8 00               CMP DWORD PTR SS:[EBP-28],0		<< change 0 to 1
    00EB133E    74 49                    JE SHORT Xxxxxx.00EB1389
    00EB1340    813D 607BEA00 54646E41   CMP DWORD PTR DS:[EA7B60],416E6454
    00EB134A    75 2F                    JNZ SHORT Xxxxxx.00EB137B
    00EB134C    6A 00                    PUSH 0
    00EB134E    FF15 FC21FB00            CALL DWORD PTR DS:[FB21FC]               ; kernel32.GetModuleHandleA
    00EB1354    8B0D 6C7BEA00            MOV ECX,DWORD PTR DS:[EA7B6C]
    00EB135A    03C8                     ADD ECX,EAX
    00EB135C    890D F848E400            MOV DWORD PTR DS:[E448F8],ECX
    00EB1362    8B25 F048E400            MOV ESP,DWORD PTR DS:[E448F0]
    00EB1368    A1 F448E400              MOV EAX,DWORD PTR DS:[E448F4]
    00EB136D    64:A3 00000000           MOV DWORD PTR FS:[0],EAX
    00EB1373    66:61                    POPAW
    00EB1375    FF25 F848E400            JMP DWORD PTR DS:[E448F8]
    00EB137B    6A 00                    PUSH 0
    00EB137D    68 584AE400              PUSH Xxxxxx.00E44A58                     ; ASCII "Everything OK!"
    00EB1382    E8 64750000              CALL Xxxxxx.00EB88EB
    00EB1387    59                       POP ECX
    00EB1388    59                       POP ECX
    00EB1389    EB 6E                    JMP SHORT Xxxxxx.00EB13F9
    Load your favorite import rec utility to rebuild and add an IAT to the above
    dump.

    Make the above noted change to your code, and see if the app runs. If it flames, it will probably be due to one of the items I listed above.

    A few points. ActiveMark, does a CRC check on your newly created unpacked file. You can follow the logic after (usually in more newer versions) the 2nd CREATEFILE in the program. If it fails this check you immediately kick out, with the BAD EAX value of '0', referenced in code above where I make note of a change.

    After this it does the license check. Sets the appropriater status, then if you're not licensed, it will CREATEFILE all the data files in your ALL USERS
    or PROGRAM FILES\TRYMEDIA directories where it keeps track of your usage (Time limitations). There are also (4) registry keys:

    HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\CLSID\\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" identifed by the subkey "Implemented Categories". There are usually a bunch of ascending encrypted subkeys (maybe as many as 7).

    You can find the (4) registry keys by running your dumped program looking at the REGOPENKEY functions or by using a registry snapshot utility before and after running the program.

    The program will then build the all too familiar browser screen.

    The program will reset the above temp data files and registry keys after
    getting LOCALTIME/SYSTEMTIME.

    The program will then set a timer (SETTIMER) with an elapsed time of 60 seconds to keep track of your program usage every minute on the minute.
    So when you're time is up, the program will kick out with the no time left
    browser screen.

    So, if you're not up to writing a custom loader to apply the necessary changes to the program's memory, you can delete the data files and registry keys and get back your time and run the app, knowing you can run if for no more than the allowable time before having to re-delete the files/keys again.

    I can offer more, but not here. Active minds, pardon the pun, are watching these threads.

    Good Luck,

    condzero

  4. #34
    UPucker
    Guest
    This is exactly the thread I was looking for. An explanation of what I am currently working on. Its nice to get experienced explanations in addition to the tutorials. The idea of live tutorials alone makes this forum invaluable.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #35
    hi condzero

    2) The application has packed/encrypted resources. You will generally get some sort of error when the app loads a particular data file resource. You can easily identify these by opening them up in a hex editor. If you find the string "TMSAMV0H" in the header, it's packed.
    yes, almost all the data files an encrypted..
    i dump from the 2nd layer (and near the first where you mentioned.. )
    the game runs fine in windowed mode, crashes after 5 or 10 minutes tho.
    (my point, the file is decrypting the data files properly so the game is playable.)
    Full screen however runs and starts, crashes while doing somthing with ddraw.dll..
    yet to figure that out.. maybe where i dump?


    as for the other tips, thanks, ill check it out

  6. #36
    psunlock
    Guest
    latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #37
    curVV
    Guest
    ActiveMark?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #38
    latest games from that web are packed with weird packer and need intrnet to register can anyone identify the packer please so i can start on the reg process cheers
    Wait right there, the bus is coming for you

    Woodmann

  9. #39
    Hello:

    As I have been handling all the games you have been talking about with, I would like to tell you that you can find all of them in another URL:
    http://www.zylom.com

    and they are using different protection of that of ActiveMARK.

    Just try it...

    Cheers

    Nacho_dj

  10. #40
    The zylom games use softwrap as a protection.
    Most of them can be unpacked following the directions here:
    http://intechhosting.com/~access/forums/index.php?showtopic=607

    There are a few games that cannot be unpacked with this method. Some of the newer games use a copymem feature. If you dump the dll you will notice some NOP's at the OEP. By breaking on WriteProcessMemory you can recover those Bytes. I'm pretty sure there are some more bytes that need to be recovered as well. I haven't played around with it long enough to make a correct dump. But doesn't seem to hard.

Similar Threads

  1. Challenge
    By Kayaker in forum Off Topic
    Replies: 5
    Last Post: February 18th, 2013, 12:28
  2. Trebuchet Challenge
    By Kayaker in forum Off Topic
    Replies: 2
    Last Post: July 31st, 2006, 16:45
  3. Mind Challenge...(or not?!)
    By xfze in forum RCE Cryptographics
    Replies: 7
    Last Post: December 5th, 2003, 00:13
  4. My Challenge To You
    By KSR0x2b in forum Mini Project Area
    Replies: 25
    Last Post: February 21st, 2002, 22:33
  5. Rsa Challenge
    By int21hex in forum RCE Cryptographics
    Replies: 10
    Last Post: January 29th, 2002, 12:07

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •