Really good protection system?

MrMat
Enthusiast
Posts: 762
Joined: Sun Sep 05, 2004 6:27 am
Location: England

Post by MrMat »

The password is visible in memory at some point (begins with v, 6 letters) so it doesn't need any cracking: step through it with a debugger and read it off the screen. If it worked with just one character at a time, so that the entire password was never stored decoded in memory, it might be harder, but generally I guess no-one would bother working out the password - they'd patch the check instead, so that part needs heavy virtualisation.
Mat
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

MrMat wrote:The password is visible in memory at some point (begins with v, 6 letters) so it doesn't need any cracking: step through it with a debugger and read it off the screen. If it worked with just one character at a time, so that the entire password was never stored decoded in memory, it might be harder, but generally I guess no-one would bother working out the password - they'd patch the check instead, so that part needs heavy virtualisation.
There goes my student :D
sorry couldn't help it..

Ricardo, as I said: no matter what you do, always encrypt the password.
However as MrMat also said, code virtualisation is all about preventing patches, not hiding the contents in memory.

Hm; I still think a memory patch at the right time could work, but that would be too hard for a beginner.
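The two checks MrMat and thefool contrast above, as an added example in C (not code from the thread, nor from any of the protectors named in it): a check that decodes the whole stored password into a buffer before comparing, beside one that unmasks and compares a single byte at a time so the plaintext is never assembled. The XOR-masked secret, its key and the password "sesame" are constructed for this illustration; the thread's actual password is not used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example secret: the 6-letter password "sesame" (chosen for this
 * example, not the password from the thread) stored XOR-masked with a
 * per-byte key so the plaintext does not sit in the binary's data section. */
#define PW_LEN 6
static const uint8_t kMasked[PW_LEN] = {0x29, 0xa6, 0x6a, 0x16, 0x43, 0xe4};
static const uint8_t kKey[PW_LEN]    = {0x5a, 0xc3, 0x19, 0x77, 0x2e, 0x81};

/* Weak variant: unmasks the whole password into a stack buffer and then
 * compares. At the strcmp call the full plaintext is in memory, so a
 * breakpoint there (or on the string-compare API) reads it straight off. */
int check_password_weak(const char *input)
{
    char plain[PW_LEN + 1];
    for (size_t i = 0; i < PW_LEN; i++)
        plain[i] = (char)(kMasked[i] ^ kKey[i]);
    plain[PW_LEN] = '\0';
    int ok = (strcmp(input, plain) == 0);
    /* Wiping afterwards does not help: the buffer was already observable,
     * and the compiler may drop this memset as a dead store anyway. */
    memset(plain, 0, sizeof plain);
    return ok;
}

/* Per-character variant (what MrMat describes): each secret byte is unmasked
 * into a temporary, compared, and replaced by the next one, so the complete
 * plaintext is never assembled. There is no early exit on the first wrong
 * byte, only a length check. Someone single-stepping still sees one byte per
 * iteration, so this raises effort, not the ceiling; and the final
 * "return diff == 0" is a single branch that a patcher can flip. */
int check_password_per_char(const char *input)
{
    if (strlen(input) != PW_LEN)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < PW_LEN; i++) {
        uint8_t c = kMasked[i] ^ kKey[i];
        diff |= (uint8_t)input[i] ^ c;
    }
    return diff == 0;
}

int main(int argc, char **argv)
{
    const char *guess = argc > 1 ? argv[1] : "";
    printf("weak: %d  per-char: %d\n",
           check_password_weak(guess), check_password_per_char(guess));
    return 0;
}
```

Running it under a debugger shows the difference: a breakpoint on strcmp in the weak variant exposes the whole string in its second argument, while the per-character loop only ever holds one unmasked byte. Neither variant hides the decision itself, which is thefool's point: `return diff == 0` compiles to one compare-and-branch, and that is what gets patched, so the loop only buys time unless the branch is protected as well.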
MrMat
Enthusiast
Posts: 762
Joined: Sun Sep 05, 2004 6:27 am
Location: England

Post by MrMat »

thefool wrote:There goes my student :D
:lol: *bows down to the master* :D
Mat
ricardo
Addict
Posts: 2438
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

thefool wrote: Ricardo, as I said: no matter what you do, always encrypt the password.
However as MrMat also said, code virtualisation is all about preventing patches, not hiding the contents in memory.
OK, I understand the lesson.

One more time, thanks!
localmotion34
Enthusiast
Posts: 665
Joined: Fri Sep 12, 2003 10:40 pm
Location: Tallahassee, Florida

Post by localmotion34 »

Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.

Sorry, but there isn't a protection system that SND hasn't beaten.

Thunderpwr from ARteam has successfully attacked, cracked, and unpacked ASProtect 2.3 SKE, even with a required activation key in memory.

Whiterat from ICU has successfully unpacked Armadillo 4.48 with ALL the protection options enabled too.

Hmm, TheFool sounds like he knows a lot, maybe too much.

Still, I definitely have a copy of the SND-modified OllyDbg that has yet to be caught by any anti-debugger check at all. Wonder if the fool has a copy of OllyICU, or better yet, a translated version of OllyDbg 2.0?


!.WHILE status != dwPassedOut
! Invoke AllocateDrink, dwBeerAmount
!MOV Mug, Beer
!Invoke Drink, Mug, dwBeerAmount
!.endw
utopiomania
Addict
Posts: 1655
Joined: Tue May 10, 2005 10:00 pm
Location: Norway

Post by utopiomania »

Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.
What exactly does unpack it and find the 'OEP' mean? :? Sorry but not all of us are wannabe hackers.

Have the SND team ever managed to crack a program protected by ExeCryptor? And if they did, how?

By 'simply' working their ass off to reverse-engineer the obfuscated machine code, or do they claim to be able to reverse the algorithms behind the code morphing?
CherokeeStalker
User
Posts: 66
Joined: Fri Oct 17, 2003 2:42 am

Post by CherokeeStalker »

utopiomania wrote:
What exactly does unpack it and find the 'OEP' mean? :? Sorry but not all of us are wannabe hackers.
OEP = Original (program) Entry Point
unpack = decompress and/or decrypt
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

localmotion34 wrote:Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.

Sorry, but there isn't a protection system that SND hasn't beaten.

Thunderpwr from ARteam has successfully attacked, cracked, and unpacked ASProtect 2.3 SKE, even with a required activation key in memory.

Whiterat from ICU has successfully unpacked Armadillo 4.48 with ALL the protection options enabled too.

Hmm, TheFool sounds like he knows a lot, maybe too much.

Still, I definitely have a copy of the SND-modified OllyDbg that has yet to be caught by any anti-debugger check at all. Wonder if the fool has a copy of OllyICU, or better yet, a translated version of OllyDbg 2.0?
Armadillo should be a piece of cake from what i've heard. HEARD! not seen!

I might know a lot about this but I am not a cracker :) I'm interested in how to stop them though. And before you can stop them, you have to be able to crack!

I don't have OllyDbg 2.0, but I have been talking to the developer and he is working on it. Can't wait :)

I just have OllyAdvanced, which helps to avoid some of the standard problems.

I'm not dangerous. Oh well, I am; but not to you :)
ricardo
Addict
Posts: 2438
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

TheFool, one question:

If you call a website from your app, it is easy to use the hosts file to redirect that call if you use a domain name, but I think that using an IP is not that easy. Am I right?

Does it add some security to use that call to your site, for example to check against a database that the user is a registered one?

Any advice on this area?

Thanks in advance :)
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

Don't be sure anyone wants to redirect it; why not just remove the check?

Well, it would add some security, but I would like to say that it can be ANNOYING. What if the server is down? What if the user doesn't have an internet connection? What if they are on dial-up, and it tries to connect every time they use it?
ricardo
Addict
Posts: 2438
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

thefool wrote:Don't be sure anyone wants to redirect it; why not just remove the check?

Well, it would add some security, but I would like to say that it can be ANNOYING. What if the server is down? What if the user doesn't have an internet connection? What if they are on dial-up, and it tries to connect every time they use it?
If I encrypt some part and virtualize that part of the code, that is trying to prevent them from removing the check.

About the annoyance... it is possible to make it 'tolerant' in case they can't connect to the internet. But usually sooner or later the user gets connected, and if he is using a cracked version he will be caught and the program disabled.

What I mean is, when possible, maybe the online checking could be a good thing to avoid cracks.
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check :)
ricardo
Addict
Posts: 2438
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

thefool wrote:That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check :)
1.- Maybe we don't tell the users that it verifies.

2.- Give some tolerance value, let's say allow it to work 5 times without connecting.

Another question my friend:

How to keep count of the number of times run, in a difficult-to-crack way?
I was thinking of writing it encrypted to some executable, for example, but they can always replace it with the first one, as if no runs yet.
thefool
Always Here
Posts: 5875
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

ricardo wrote:
thefool wrote:That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check :)
1.- Maybe we don't tell the users that it verifies.

2.- Give some tolerance value, let's say allow it to work 5 times without connecting.

Another question my friend:

How to keep count of the number of times run, in a difficult-to-crack way?
I was thinking of writing it encrypted to some executable, for example, but they can always replace it with the first one, as if no runs yet.
1) Pff; it's so easy to tell that it connects to the internet.

2) Nah won't be good enough


I just thought of a slightly better way: add auto-updates to your app. When updating, be sure to send the CRC of the exe and the username or so. If someone is using an illegal version, store their IP and username, so you can look up the e-mail address or so. Then it would be disguised, and you would catch the ones doing auto-updates.
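The update-time CRC check thefool sketches above, as an added example in C (not code from the thread or from any real update client): the client computes a CRC-32 over its own image and reports it, and the server compares the value against the CRCs of the builds it actually shipped. The 15-byte "image", the patch offset and the allow-list are constructed for the illustration; a real client would hash its file on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320, as used by zip and PNG),
 * done bitwise so no lookup table is needed.
 * Check value: crc32_buf("123456789") == 0xCBF43926. */
uint32_t crc32_buf(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the shipped executable: a few x86 bytes around a
 * licence check that ends in "test eax,eax; je fail". Sample data made up
 * for this example, not a real program. */
static const uint8_t kShippedImage[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* call  check_license */
    0x85, 0xC0,                     /* test  eax, eax      */
    0x74, 0x05,                     /* je    fail          */
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov   eax, 1        */
    0xC3                            /* ret                 */
};
#define JE_OFFSET 7                 /* opcode byte of the conditional jump */

/* Server side: is the reported CRC one of the builds we actually released? */
int image_is_known_build(uint32_t reported_crc, const uint32_t *known, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (known[i] == reported_crc)
            return 1;
    return 0;
}

/* What an untouched client would report. */
uint32_t crc_of_shipped(void)
{
    return crc32_buf(kShippedImage, sizeof kShippedImage);
}

/* The classic crack: NOP out the conditional jump so the failure path is
 * never taken, then compute the CRC an honestly-reporting patched client
 * would send. Two bytes differ, so the CRC differs. */
uint32_t crc_of_patched_copy(void)
{
    uint8_t copy[sizeof kShippedImage];
    memcpy(copy, kShippedImage, sizeof copy);
    copy[JE_OFFSET]     = 0x90;     /* nop */
    copy[JE_OFFSET + 1] = 0x90;     /* nop */
    return crc32_buf(copy, sizeof copy);
}

/* Allow-list built from the one shipped build; the patched copy must fail. */
int patched_copy_passes_allowlist(void)
{
    uint32_t known[1] = { crc_of_shipped() };
    return image_is_known_build(crc_of_patched_copy(), known, 1);
}

int main(void)
{
    printf("shipped  %08lx\n", (unsigned long)crc_of_shipped());
    printf("patched  %08lx  known build: %d\n",
           (unsigned long)crc_of_patched_copy(), patched_copy_passes_allowlist());
    return 0;
}
```

The caveat a practitioner should keep in mind is that everything on the client runs on the attacker's machine: a patched client can simply report the CRC of the unpatched file, or have the reporting NOPped out along with the licence check, and CRC-32 is not a cryptographic hash, so a patched file can be padded to restore the original value. What this catches is the casual patch that leaves the update code alone, which is all the post claims for it.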
Sabour
User
Posts: 31
Joined: Sun Apr 02, 2006 7:41 am

lol

Post by Sabour »

This is nice, the ExeCryptor site is blocking all access from my country's IPs (Indonesia), redirecting to a page titled "Invalid Request" with a bunch of piracy 'lessons'. Wtf?? Is it a new kind of stereotyping? lol, they lose 1 potential customer. I will e-mail them :evil: :(
I have tried 2 ISPs here, BOTH of them got blocked, so I assume all of my country! When trying to use a proxy it works fine :/
This is bad for business.