
Thread: 30 day trial license

  1. #61
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    KS and SigInt:

    I have been doing some deep code diving to get to this point, but hey

    Look at this code. It is invoked every time you ask for a service (click a button or pick a service from the menu) and works OK except with the Analyzer.

    Code:
    6241FAA3  /> 55             PUSH EBP
    6241FAA4  |. 8BEC           MOV EBP,ESP
    6241FAA6  |. 83EC 10        SUB ESP,10
    6241FAA9  |. 53             PUSH EBX
    6241FAAA  |. 8B5D 10        MOV EBX,DWORD PTR SS:[EBP+10]
    6241FAAD  |. 56             PUSH ESI
    6241FAAE  |. 8B75 08        MOV ESI,DWORD PTR SS:[EBP+8]
    6241FAB1  |. 8323 00        AND DWORD PTR DS:[EBX],0
    6241FAB4  |. 57             PUSH EDI
    6241FAB5  |. 85F6           TEST ESI,ESI
    6241FAB7  |. BF 05400080    MOV EDI,80004005
    6241FABC  |. 74 4B          JE SHORT XXXXXXX.6241FB09
    6241FABE  |. 66:833E 00     CMP WORD PTR DS:[ESI],0
    6241FAC2  |. 74 45          JE SHORT XXXXXXX.6241FB09
    6241FAC4  |. 56             PUSH ESI                                 ; /String = "{7E9DCADA-2B97-419B-94A6-F414C92087BB}"  This is the Analyzer COM CLSID
    6241FAC5  |. FF15 D0055162  CALL DWORD PTR DS:[<&KERNEL32.lstrlenW>] ; \lstrlenW ;Check the size of the string 
    6241FACB  |. 3D FF000000    CMP EAX,0FF
    6241FAD0  |. 73 33          JNB SHORT XXXXXXX.6241FB05
    6241FAD2  |. 66:833E 7B     CMP WORD PTR DS:[ESI],7B ; Make sure it starts with the right bytes
    6241FAD6  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
    6241FAD9  |. 50             PUSH EAX
    6241FADA  |. 56             PUSH ESI
    6241FADB  |. 75 08          JNZ SHORT XXXXXXX.6241FAE5
    6241FADD  |. FF15 8C165162  CALL DWORD PTR DS:[<&ole32.CLSIDFromStri>;  ole32.CLSIDFromString;  And turns it into binary CLSID pointed by ESI  at [EBP-10]
    6241FAE3  |. EB 06          JMP SHORT XXXXXXX.6241FAEB
    6241FAE5  |> FF15 90165162  CALL DWORD PTR DS:[<&ole32.CLSIDFromProg>;  ole32.CLSIDFromProgID
    6241FAEB  |> 8BF8           MOV EDI,EAX
    6241FAED  |. 85FF           TEST EDI,EDI
    6241FAEF  |. 7C 14          JL SHORT XXXXXXX.6241FB05
    6241FAF1  |. 53             PUSH EBX
    6241FAF2  |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]; Loads CLSID address into EAX
    6241FAF5  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]; This is where the handle to the Class will be returned: 00 if the class refuses to load
    6241FAF8  |. 6A 15          PUSH 15
    6241FAFA  |. 6A 00          PUSH 0
    6241FAFC  |. 50             PUSH EAX ; Push First parameter for the CoCreateInstance API, the CLSID
    6241FAFD  |. FF15 A8165162  CALL DWORD PTR DS:[<&ole32.CoCreateInsta>;  ole32.CoCreateInstance
    6241FB03  |. 8BF8           MOV EDI,EAX;  EAX returns 00 on success, 80004005 when the COM mod is protected and refuses to load
    6241FB05  |> 8BC7           MOV EAX,EDI
    6241FB07  |. EB 02          JMP SHORT XXXXXXX.6241FB0B
    6241FB09  |> 33C0           XOR EAX,EAX
    6241FB0B  |> 5F             POP EDI
    6241FB0C  |. 5E             POP ESI
    6241FB0D  |. 5B             POP EBX
    6241FB0E  |. C9             LEAVE
    6241FB0F  \. C3             RETN

    I have, for instance, replaced the CLSID string {7E9DCADA-2B97-419B-94A6-F414C92087BB} with the string associated with some of the other COM objects invoked by other buttons, and it seamlessly loads the other COM object.
    Ergo the Analyzer COM itself is guilty of refusing to load.

    Now, where is the file that contains the code associated with this COM module?
    If we look in the registry for {7E9DCADA-2B97-419B-94A6-F414C92087BB}

    We find that this CLSID is associated with a dll named XX_XXXpack.dll

    Actually, if I trace the code above until right before the instruction
    6241FAFD |. FF15 A8165162 CALL DWORD PTR DS:[<&ole32.CoCreateInsta>; ole32.CoCreateInstance
    and turn on the "Break on new module (DLL)" option in Olly, the debugger breaks and you can see the XX_XXXpack.dll module being loaded during the CoCreateInstance execution.

    I traced inside the ole32.CoCreateInstance call for a little while and found so far that
    Code located at 64539BB9 inside XX_XXXpack.dll gets invoked from within ole32.CoCreateInstance. This and/or the dll entrypoint code probably determine the good boy/bad boy status of the app.

    Now I am going to trace that XX_XXXpack.dll while it is being loaded in the good app and the expired app in parallel and look for differences
    Last edited by naides; January 21st, 2006 at 15:11.
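    A Python model of the activation helper in the listing above, added here as an illustration and not code from the thread or from the target: it reproduces the checks the stub makes before it reaches OLE32 (empty string, length below 0xFF, leading "{" selecting CLSIDFromString over CLSIDFromProgID), the byte layout CLSIDFromString writes to [EBP-10], the 0x15 context flags the stub pushes, and a decoder for the HRESULT that comes back (0x80004005 is E_FAIL, severity bit set, facility 0). The argument order pushed in the listing is CoCreateInstance(rclsid, NULL, 0x15, riid at [EBP+C], ppv in EBX). The server table, ProgID table, the second CLSID and the DLL names other than XX_XXXpack.dll are constructed stand-ins for the registry; the "loads_ok" flag models a server whose own code refuses with E_FAIL, which is what the post observes.

```python
# Added example (not code from the thread): a Python model of the COM
# activation helper disassembled above. The registry table, ProgID table and
# "loads_ok" flag are constructed stand-ins for the real registry.
import re
import uuid

S_OK = 0x00000000
E_FAIL = 0x80004005                # the value the stub parks in EDI and returns on failure
REGDB_E_CLASSNOTREG = 0x80040154   # CoCreateInstance: CLSID has no registered server
CO_E_CLASSSTRING = 0x800401F3      # CLSIDFromString/FromProgID: string not recognised
CLSCTX_SERVER = 0x15               # dwClsContext pushed by the stub: INPROC | LOCAL | REMOTE server

_CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def hresult_fields(hr):
    """Split an HRESULT into its severity bit, facility and code."""
    return {"failed": bool(hr >> 31 & 1), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def clsid_from_string(text):
    """Binary GUID exactly as CLSIDFromString writes it to [EBP-10]:
    Data1/Data2/Data3 little-endian, Data4 as written. Returns (hr, bytes)."""
    if not _CLSID_RE.match(text):
        return CO_E_CLASSSTRING, None
    return S_OK, uuid.UUID(text).bytes_le

def clsid_from_progid(text, progids):
    """The CLSIDFromProgID branch, taken when the string does not start with '{'."""
    clsid = progids.get(text)
    return (S_OK, clsid) if clsid else (CO_E_CLASSSTRING, None)

def co_create_instance(clsid, servers):
    """Stand-in for CoCreateInstance: look the CLSID up, then ask the server to load.
    `servers` maps GUID bytes -> (dll name, loads_ok); loads_ok=False models a
    server whose own code refuses with E_FAIL."""
    entry = servers.get(clsid)
    if entry is None:
        return REGDB_E_CLASSNOTREG, None
    dll, loads_ok = entry
    return (S_OK, dll) if loads_ok else (E_FAIL, None)

def activate(text, servers, progids):
    """Control flow of the stub at 6241FAA3:
    - NULL/empty string: returns S_OK with nothing created (the JE to ...FB09 path)
    - 0xFF or more characters: returns E_FAIL without calling OLE32 (JNB to ...FB05)
    - leading '{' -> CLSIDFromString, otherwise CLSIDFromProgID; a negative HRESULT propagates
    - CoCreateInstance(clsid, NULL, CLSCTX_SERVER, riid, ppv); its HRESULT is what the caller sees
    Returns (hresult, object_or_None)."""
    if not text:
        return S_OK, None
    if len(text) >= 0xFF:
        return E_FAIL, None
    hr, clsid = clsid_from_string(text) if text.startswith("{") else clsid_from_progid(text, progids)
    if hr >> 31 & 1:  # TEST EDI,EDI / JL: a negative HRESULT means failure
        return hr, None
    return co_create_instance(clsid, servers)

# Constructed sample "registry": the Analyzer CLSID from the listing plus a
# placeholder CLSID standing in for one of the COM objects that does load.
ANALYZER_CLSID = "{7E9DCADA-2B97-419B-94A6-F414C92087BB}"
OTHER_CLSID = "{00000000-0000-0000-0000-000000000001}"            # placeholder
SERVERS = {
    uuid.UUID(ANALYZER_CLSID).bytes_le: ("XX_XXXpack.dll", False),  # refuses when expired
    uuid.UUID(OTHER_CLSID).bytes_le: ("other.dll", True),           # placeholder name
}
PROGIDS = {"Target.Other": uuid.UUID(OTHER_CLSID).bytes_le}          # placeholder ProgID

if __name__ == "__main__":
    for s in (ANALYZER_CLSID, OTHER_CLSID, "Target.Other", "", "x" * 0xFF):
        hr, obj = activate(s, SERVERS, PROGIDS)
        print("%-42r -> 0x%08X %s" % (s[:40], hr, obj))
    print(hresult_fields(E_FAIL))
```

The point of keeping the two failure paths distinct is the one the post relies on: a CLSID that resolves but whose server returns E_FAIL looks different from an unregistered CLSID (REGDB_E_CLASSNOTREG) or a malformed string (CO_E_CLASSSTRING), so the HRESULT alone already tells you the refusal came from inside the loaded module.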

  2. #62
    ksbrace
    Guest
    At this point, I'm basically just trying to do whatever you guys post and follow your lead. This is the most complex protection scheme I've ever played with and don't really know how to lend a hand.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #63
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    I've been tied up all day - but ksbrace, if this is a pure dongle protection scheme, usually reversing it by patching is difficult if not impossible - most turn to using an emulator - however the fact that we've gotten this far is really encouraging - don't know if I'll have a chance tonight - but if I do I'll report back.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  4. #64
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by sigint33
    I've been tied up all day - but ksbrace, if this is a pure dongle protection scheme, usually reversing it by patching is difficult if not impossible - most turn to using an emulator - however the fact that we've gotten this far is really encouraging - don't know if I'll have a chance tonight - but if I do I'll report back.

    SiGiNT
    Yes and No SigInt:
    At least while the program is in demo, during the 30-day trial, it runs without a dongle. . .
    All the code is here,
    And I doubt the dongle holds some irreplaceable key that is not present in the app during the demo period.

    So I think there is hope.

  5. #65
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    naides,

    Absolutely, and a couple of posts back I mentioned trying to renew the trial and make it "never ending"; unfortunately, I deviated from that. While you are deep in that weird-ass dll, I'll be exploring that possibility. That .dll does have an external time function.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  6. #66
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Victory at last!

    I finally found the code in XX_XXXpack.dll that prevents itself from loading in the expired status.

    It took some systematic diving into the code, but it was not all that difficult, just boring
    Remember
    Code:
    6241FAFD  |. FF15 A8165162  CALL DWORD PTR DS:[<&ole32.CoCreateInsta>;  ole32.CoCreateInstance
    6241FB03  |. 8BF8           MOV EDI,EAX;  EAX returns 00 on success, 80004005 when the COM mod is protected and refuses to load
    So I traced into the call, right inside the OLE32 module, and kept an eye on EAX.
    Every time some call returned 80004005 in EAX, or the code moved that bad boy flag into EAX, I studied the code and traced into the call that was responsible. Simultaneously, I had the fresh app installed in a VM so I could check the code behavior when the app was OK.

    Eventually OLE32 performs an indirect call into XX_XXXpack.dll leading to address 64539989 inside the dll.

    I kept doing the same thing, tracing into calls that return the bad boy in EAX
    until I landed at some code about 12 levels of calls away from the main app code

    |
    Code:
    :64517DA8 51 push ecx
    :64517DA9 51 push ecx
    :64517DAA 81C1B5020000 add ecx, 000002B5
    :64517DB0 8BC4 mov eax, esp
    :64517DB2 89642404 mov dword ptr [esp+04], esp
    :64517DB6 68A8255C64 push 645C25A8
    :64517DBB 832000 and dword ptr [eax], 00000000
    :64517DBE E8AE94FEFF call 64501271
    :64517DC3 85C0 test eax, eax
    :64517DC5 7D07 jge 64517DCE
    :64517DC7 B805400080 mov eax, 80004005
    :64517DCC 59 pop ecx
    :64517DCD C3 ret
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:64517DC5(C)
    |
    :64517DCE 33C0 xor eax, eax
    :64517DD0 59 pop ecx
    :64517DD1 C3 ret
    Right there! Force EAX to return 00000000 instead of 80004005 and voilà,

    OR if you are a purist, find out what that call 64501271 does. It needs to return 0 in EAX
    Last edited by naides; January 22nd, 2006 at 14:30.

  7. #67
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Naides,

    Excellent work!! - kudos!!

    I'm still going to investigate the endless trial just for fun. My wife chained me to the living room sofa last night and forced me to watch a movie, but I did find out that the days remaining is stored in a CLSID that is located in documents and settings/all users/application data/<target>/<target> as well as in the registry in at least 1 place, maybe more.

    ksbrace,

    That dll is actually XX_XXXXXPACK.DLL where the third X after the underscore is part of the name. You can either force the JGE or change test eax, eax to xor eax, eax; it doesn't matter. Now we need you (since you are familiar with this <target>) to let us know if it's fully functional before you pop the cork, and don't forget to have a toast to naides!

    SiGiNT

    Oh and just for giggles I expired my one still good demo and applied everything, and all is well, when the demo period reaches 0 it rolls over to 364 days.
    Last edited by SiGiNT; January 22nd, 2006 at 19:04.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  8. #68
    ksbrace
    Guest
    Ok, I'm looking to apply all of the patches and give it a test, but I'm not sure what is ruled out and what patches are needed. If you don't mind, would you tell me which of the following edits are needed? Also, I'm not sure as to which XX_XXXXXPACK.DLL file needs to be touched. I do see a lot of dll's in the C:/Program Files/Target/Target software/bin directory, but there are several that fit the xx_xxxpack.dll. Thanks in advance!
    (Post #40):
    1a. 6243962C changed it from 0F87 to 0F84 (time tamper)
    1b. 624389B1 changed it from 0F84 to 0F85 (expired)
    1c. 62439DE8 changed it from 7D to 7C (dongle)
    (Post #45):
    2. 6243896C (sigint's change for time tamper)
    (Post #49):
    3. the call to 62404719 is to a jump which shows calls from several different addresses - if you go to those addresses, every one, (except one which it never breaks on), is immediately followed by a test eax,eax changing all of these to xor eax,eax fixes everything that I can find - switch and create identities and other stuff, EXCEPT the analysis option.
    (Post #66):
    4. B805400080 mov eax, 80004005
    force EAX to return 00000000 instead of 80004005
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #69
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    Quote Originally Posted by sigint33
    Almost there.......

    the call to 62404719 is to a jump which shows calls from several different addresses - if you go to those addresses, every one, (except one which it never breaks on), is immediately followed by a test eax,eax changing all of these to xor eax,eax fixes everything that I can find - switch and create identities and other stuff, EXCEPT the analysis option.
    This, plus the change of test eax,eax to xor eax, eax at 624389AF, in addition to naides' change to XX_XXXXXpack.dll (the third X from the underscore is a valid letter; only 1 dll matches this criteria), is how I'm running this. To find the addresses called at the jump that 62404719 hits, hit enter at 62404719, then click on the addresses shown below the CPU window and right click; you can go to them one at a time. I would have changed the sub that the jump goes to so that it returns 000000000 in eax, but I didn't see a way that I was comfortable with.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  10. #70
    ksbrace
    Guest
    Well, there are actually 2 that fit the criteria. There is one with an upper case X, which is the one I was looking at, and the one you are talking about, which is lower case. Making the changes momentarily. Thanks,

    Never mind, there is only one that fits the criteria. It's Monday!!!!
    Last edited by ksbrace; January 23rd, 2006 at 12:04.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #71
    ksbrace
    Guest
    Ok, everything seems to be working like it should, but I am at work and don't have my video cam to be sure about the import options. I will grab it during lunch and give it a test.

    Ok, I made 3 changes in total:
    1. 6243D8C2 : mov EAX, ESI
    to
    6243D8C2 : xor EAX,EAX

    2. 624389B1 changed it from 0F84 to 0F85 to get rid of the time trial nag.

    3. in external dll file:
    :64517DC7 B805400080 mov eax, 80004005
    change to
    :64517DC7 B805400080 mov eax, 00000000

    All in all, it was a great tutorial. I wish I could have been more of a player than a spectator, but I'm sure I will get my time, soon enough. Anyway, thanks again for all of the help and some great tips for the next target.

    In order for you to figure out that the external dll was of interest, what did you do...just keep stepping into every call?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  12. #72
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    I'm pretty sure that's how naides did it. Quite time consuming, but there are some shortcuts: when you are in a system dll hit CTL F9, then F7 at the return. Another clue would have been watching the executables window; the .dll in question is added to the list when you try to invoke the analyzer. This also would have made finding the dll easy after naides posted the code: the base address and length in the executables window matched the line numbers that naides posted.

    SiGiNT
    Last edited by SiGiNT; January 23rd, 2006 at 13:51.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!

  13. #73
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by ksbrace
    In order for you to figure out that the external dll was of interest, what did you do...just keep stepping into every call?
    Well no. . .

    It was a brute force attack, but not all that brutish

    I learned the functionality of the CoCreate API, and figured the meaning of the CLSID that were being passed into the function.

    The Registry told me what .dll file this COM module was contained in.

    If you truly trace into each call, you would spend the rest of your useful life tracing through system code, sometimes repeatedly. That was not what I did.

    I had a clear goal, the first time the XX_XXXXXpack.dll code got invoked,
    and a gauge for the right path: If 80004005 value was passed into EAX, I had missed my call to trace into.

    I also had the most important element, which is based on a method that Kayaker described a few years ago.
    I simul-traced in the non-expired app and the expired app
    and stopped when their behavior diverged. . .

    As for time consumed, it took me about 1/2 hour to set up everything in the VM and Olly, then about 70 mins to hit gold

    I am sure most of this process could be automated using run-trace F7 and conditional break-points.

    SO

    It was not as time consuming or brute force as it seems
    Last edited by naides; January 23rd, 2006 at 17:13.
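    The two working methods described in this post and in #72, attributing an address to the module it lives in (what Olly's executables window shows) and running the healthy and expired copies side by side until their paths diverge, expressed as an added Python example that is not code from the thread. The module table and both traces are constructed: the module base addresses are placeholders chosen so that the addresses quoted in the thread fall inside the modules the thread assigns them to, and the 0x8000FFFF value in the expired trace is a made-up negative return for the call at 64517DBE, since the post only says that call returns something negative. The E_FAIL gauge (first step after which EAX holds 80004005) is the one the post describes.

```python
# Added example (not code from the thread): address-to-module attribution and
# first-divergence detection over two constructed run traces.
E_FAIL = 0x80004005

MODULES = [  # (name, base, size); bases are placeholders, not taken from the target
    ("app.exe",        0x62400000, 0x00100000),
    ("XX_XXXpack.dll", 0x64500000, 0x000D0000),
    ("ole32.dll",      0x774E0000, 0x00150000),
]

def module_for(addr, modules=MODULES):
    """Return (name, offset) for the module containing addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, addr - base
    return None

def describe(addr, modules=MODULES):
    """Human-readable 'module+offset' form of an address."""
    hit = module_for(addr, modules)
    return "%s+0x%X" % hit if hit else "0x%08X (no module)" % addr

def first_divergence(good, bad):
    """Index of the first step whose address differs between two traces
    (each a list of (address, eax_after) tuples), or None if one trace is a
    prefix of the other. This is the 'stop when behavior diverges' gauge."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g[0] != b[0]:
            return i
    return None

def first_fail_flag(trace, flag=E_FAIL):
    """Index of the first step after which EAX holds the failure HRESULT, or
    None. Any call entered before that index is still on the right path."""
    for i, (_, eax) in enumerate(trace):
        if eax == flag:
            return i
    return None

def divergence_report(good, bad, modules=MODULES):
    """Combine both gauges into one summary of where the two runs part ways."""
    i = first_divergence(good, bad)
    if i is None:
        return None
    last_common = good[i - 1][0] if i else None
    return {
        "index": i,
        "last_common": describe(last_common, modules) if last_common is not None else None,
        "good_next": describe(good[i][0], modules),
        "bad_next": describe(bad[i][0], modules),
        "first_fail_in_bad": first_fail_flag(bad),
    }

# Constructed traces following the listings in the thread: both reach the
# conditional at 64517DC5; the healthy copy jumps to ...7DCE (xor eax,eax),
# the expired copy falls through to ...7DC7 (mov eax,80004005).
GOOD_TRACE = [(0x6241FAFD, 0), (0x64539989, 0), (0x64517DA8, 0), (0x64517DBE, 0),
              (0x64517DC3, 0), (0x64517DC5, 0), (0x64517DCE, 0), (0x64517DD1, 0)]
EXPIRED_TRACE = [(0x6241FAFD, 0), (0x64539989, 0), (0x64517DA8, 0), (0x64517DBE, 0),
                 (0x64517DC3, 0x8000FFFF), (0x64517DC5, 0x8000FFFF),   # made-up negative return
                 (0x64517DC7, E_FAIL), (0x64517DCC, E_FAIL), (0x64517DCD, E_FAIL)]

if __name__ == "__main__":
    for key, value in divergence_report(GOOD_TRACE, EXPIRED_TRACE).items():
        print("%-18s %s" % (key, value))
```

With real run-trace exports the same two functions work unchanged; the only requirement is that each step records the address executed and the value of EAX afterwards, which is exactly what the post's manual procedure watched.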

  14. #74
    reknihT esreveR SiGiNT
    Join Date
    Sep 2004
    Location
    Wherever I am
    Posts
    750
    naides,

    I found out very early that this app would detect that it was being debugged if I did a run trace, and terminate with a message from hide debugger that it was unable to evade detection and prevent termination.

    SiGiNT
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!
