Page 6 of 8
Posted: Wed Jan 10, 2007 12:56 am
by MrMat
The password is visible in memory at some point (begins with v, 6 letters), so it doesn't need any cracking: step through it with a debugger and read it off the screen. If it worked with just one character at a time, so that the entire password was never stored decoded in mem, it might be harder, but generally I guess no-one would bother working out the password - they'd patch the check instead, so that part needs heavy virtualisation.
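The three approaches MrMat's post touches on, side by side, as an added example that is not code from the thread or from the protected program being discussed. The password, XOR key, salt and iteration count below are constructed placeholders for illustration. Scheme 1 decodes the stored password into one buffer, which is what a debugger reads off the screen; scheme 2 is the "one character at a time" variant, which still exposes each byte in turn while single-stepping; scheme 3 stores only a salted hash, so the plaintext never exists in the program at all. None of them stops someone from patching the final branch, which is the separate problem the thread assigns to code virtualisation.

```python
import hashlib
import hmac
from itertools import cycle

# Constructed placeholder secret for this example; it is NOT the password of the
# program discussed in the thread.
_PASSWORD = b"s3cret!"
# Constructed XOR key; "encrypting" the stored password this way only hides it on disk.
_KEY = bytes.fromhex("5a3c91e7")
_OBFUSCATED = bytes(p ^ k for p, k in zip(_PASSWORD, cycle(_KEY)))

# Constructed fixed salt (a real build would generate it once at build time).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
_ITERATIONS = 50_000
_DIGEST = hashlib.pbkdf2_hmac("sha256", _PASSWORD, _SALT, _ITERATIONS)


def check_full_decode(attempt: bytes) -> "tuple[bool, bytes]":
    """Scheme 1 (what the thread describes): decode the whole stored password
    into a buffer, then compare.  Returns the verdict and the buffer itself,
    which is exactly what someone stepping through with a debugger sees."""
    plain = bytes(c ^ k for c, k in zip(_OBFUSCATED, cycle(_KEY)))
    return hmac.compare_digest(plain, attempt), plain


def check_per_char(attempt: bytes) -> "tuple[bool, int]":
    """Scheme 2 (MrMat's 'one character at a time'): decode each byte only to
    compare it, so the complete plaintext is never assembled in one buffer.
    Returns the verdict and the most decoded bytes alive at any moment (one).
    A debugger can still single-step and collect the bytes one by one, so this
    raises the effort but does not remove the leak."""
    if len(attempt) != len(_OBFUSCATED):
        return False, 0
    mismatch = 0
    for c, k, a in zip(_OBFUSCATED, cycle(_KEY), attempt):
        mismatch |= (c ^ k) ^ a  # one decoded byte exists, then is discarded
    return mismatch == 0, 1


def check_hashed(attempt: bytes) -> bool:
    """Scheme 3: store only a salted, iterated hash.  Nothing in memory or on
    disk is the password; what the debugger sees is the hash of the attacker's
    own input.  compare_digest avoids leaking the mismatch position via timing.
    The result is still a single branch that can be patched."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt, _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, _DIGEST)


if __name__ == "__main__":
    ok, exposed = check_full_decode(b"guess")
    print("scheme 1 verdict:", ok, "| buffer visible in memory:", exposed)
    print("scheme 2 verdict:", check_per_char(b"s3cret!"))
    print("scheme 3 verdict:", check_hashed(b"s3cret!"))
```

The buffer returned by `check_full_decode` is the whole point: it is the password, decoded, sitting in the process. The hashed scheme is the only one of the three where a memory dump yields nothing useful, but a cracker who patches `check_hashed` to return `True` never needs the password in the first place.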
Posted: Wed Jan 10, 2007 4:51 pm
by thefool
MrMat wrote:The password is visible in memory at some point (begins with v, 6 letters), so it doesn't need any cracking: step through it with a debugger and read it off the screen. If it worked with just one character at a time, so that the entire password was never stored decoded in mem, it might be harder, but generally I guess no-one would bother working out the password - they'd patch the check instead, so that part needs heavy virtualisation.
There goes my student
Sorry, couldn't help it..
Ricardo, as I said: no matter what you do, always encrypt the password.
However, as MrMat also said, code virtualisation is all about preventing patches, not hiding the contents in memory.
Hm, I still think a memory patch at the right time could work, but that would be too hard for a beginner.
Posted: Wed Jan 10, 2007 5:54 pm
by MrMat
thefool wrote:There goes my student
*bows down to the master*
Posted: Wed Jan 10, 2007 7:15 pm
by ricardo
thefool wrote:
Ricardo; as i said no matter what you do, always encrypt the password.
However as MrMat also said, code virtualisation is all about preventing patches, not hiding the contents in memory.
OK, I understand the lesson.
One more time, thanks!
Posted: Fri Jan 12, 2007 12:37 am
by localmotion34
Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.
Sorry, but there isn't a protection system that SND hasn't beaten.
Thunderpwr from ARteam has successfully attacked, cracked, and unpacked ASProtect 2.3 SKE, even with a required activation key in memory.
Whiterat from ICU has successfully unpacked Armadillo 4.48 with ALL the protection options enabled too.
Hmm, TheFool sounds like he knows a lot, maybe too much.
Still, I definitely have a copy of the SND modified OllyDbg that has yet to be caught by any anti-debugger check, at all. Wonder if the fool has a copy of OllyICU, or better yet, a translated version of OllyDbg 2.0?
Posted: Fri Jan 12, 2007 7:59 am
by utopiomania
localmotion34 wrote:Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.
What exactly does unpack it and find the 'OEP' mean?
Sorry, but not all of us are wannabe hackers.
Have the SND team ever managed to crack a program protected by ExeCryptor? And if they did, how?
By 'simply' working their ass off to reverse engineer the obfuscated machine code, or do they claim to be able to reverse the algorithms behind the code morphing?
Posted: Sat Jan 13, 2007 2:35 am
by CherokeeStalker
utopiomania wrote:
What exactly does unpack it and find the 'OEP' mean? Sorry, but not all of us are wannabe hackers.
OEP = Original (program) EntryPoint
unpack = decompress and/or decrypt
Posted: Sat Jan 13, 2007 12:21 pm
by thefool
localmotion34 wrote:Regarding EXEcryptor, SND team has posted quite a few tutorials and Olly scripts to unpack it and find the OEP.
Sorry, but there isn't a protection system that SND hasn't beaten.
Thunderpwr from ARteam has successfully attacked, cracked, and unpacked ASProtect 2.3 SKE, even with a required activation key in memory.
Whiterat from ICU has successfully unpacked Armadillo 4.48 with ALL the protection options enabled too.
Hmm, TheFool sounds like he knows a lot, maybe too much.
Still, I definitely have a copy of the SND modified OllyDbg that has yet to be caught by any anti-debugger check, at all. Wonder if the fool has a copy of OllyICU, or better yet, a translated version of OllyDbg 2.0?
Armadillo should be a piece of cake from what I've heard. HEARD! Not seen!
I might know a lot about this, but I am not a cracker.
I'm interested in how to stop them though. And before you can stop them, you have to be able to crack!
I don't have OllyDbg 2.0, but I have been talking to the developer and he is working on it. Can't wait.
I just have OllyAdvanced, which helps to avoid some of the standard problems.
I'm not dangerous. Oh well, I am; but not to you.

Posted: Sat Jan 13, 2007 3:31 pm
by ricardo
TheFool, one question:
If you call a website from your app, it is easy to use the hosts file to redirect that call if you use a domain name, but I think that using an IP is not that easy. Am I right?
Does it add some security to use that call to your site, for example to check against a database that the user is a registered one?
Any advice on this area?
Thanks in advance

Posted: Sat Jan 13, 2007 4:39 pm
by thefool
Don't be sure anyone wants to redirect it; why not just remove the check?
Well, it would add some security, but I would like to say that it can be ANNOYING. What if the server is down? What if the user doesn't have an internet connection? What if they are on dial-up, and it tries to connect every time they use it?
Posted: Sat Jan 13, 2007 4:50 pm
by ricardo
thefool wrote:Don't be sure anyone wants to redirect it; why not just remove the check?
Well, it would add some security, but I would like to say that it can be ANNOYING. What if the server is down? What if the user doesn't have an internet connection? What if they are on dial-up, and it tries to connect every time they use it?
If I encrypt some part and virtualise that part of the code, trying to avoid that they can remove the check.
About the annoying part... it is possible to make it 'tolerant' in case they can't connect to the internet. But usually sooner or later the user gets connected, and if he is using a cracked version he will be caught and the program disabled.
What I mean is, when possible, maybe the online checking could be a good way to avoid cracks.
Posted: Sat Jan 13, 2007 5:15 pm
by thefool
That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check.

Posted: Sat Jan 13, 2007 5:31 pm
by ricardo
thefool wrote:That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check.
1. Maybe we don't tell the users that it verifies it.
2. Give some tolerance value, let's say allow it to work 5 times without connecting.
Another question, my friend:
How to keep count of the number of times run in a difficult-to-crack way?
I was thinking of writing it encrypted to some executable, for example, but they can always replace it with the first one, like no runs yet.
Posted: Sat Jan 13, 2007 8:46 pm
by thefool
ricardo wrote:thefool wrote:That is true. But the problem with making it tolerant: they just disable internet access for the program, and it won't check.
1. Maybe we don't tell the users that it verifies it.
2. Give some tolerance value, let's say allow it to work 5 times without connecting.
Another question, my friend:
How to keep count of the number of times run in a difficult-to-crack way?
I was thinking of writing it encrypted to some executable, for example, but they can always replace it with the first one, like no runs yet.
1) Pff; it's so easy to tell that it connects to the internet.
2) Nah, won't be good enough.
I just thought of a slightly better way: add autoupdates to your app. When updating, be sure to send the CRC and the username of the exe or so. If someone is using an illegal version, store their IP and username, so you can look up the e-mail address or so. Then it would be disguised, and you would catch the ones doing autoupdates.
lol
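The offline-tolerance counter ricardo asks about above (allow 5 runs without connecting, keep the count in a way that is hard to edit), and the rollback problem he identifies himself (restore the original file and the count is gone), as an added example that is not code from the thread or from either poster. The per-installation key is a constructed placeholder. The counter is stored with an HMAC tag, so editing the number in place is detected; the example then shows that restoring an earlier copy of the blob passes every check, because a MAC proves integrity, not freshness. Only state the user does not control (the server, as thefool's reply implies) can anchor the count, and the key itself lives in the program, so whoever can patch the check can also recompute the tag.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed per-installation key for this example.  It necessarily ships
# inside the program, so a determined user can recover it; the MAC only raises
# the bar against casual editing of the counter file.
_INSTALL_KEY = bytes.fromhex("9f1e4c7ab2d35e60f8a1c9d4e7b0a3c6")
GRACE_RUNS = 5  # the 'allow 5 times without connecting' tolerance from the thread
_TAG_LEN = hashlib.sha256().digest_size


def _tag(runs_since_check: int) -> bytes:
    return hmac.new(_INSTALL_KEY, struct.pack(">I", runs_since_check),
                    hashlib.sha256).digest()


def encode_state(runs_since_check: int) -> bytes:
    """Serialise the counter with a MAC so that editing the number is detectable."""
    return struct.pack(">I", runs_since_check) + _tag(runs_since_check)


def decode_state(blob: bytes) -> Optional[int]:
    """Return the counter, or None if the blob is missing, truncated or edited."""
    if len(blob) != 4 + _TAG_LEN:
        return None
    runs = struct.unpack(">I", blob[:4])[0]
    if not hmac.compare_digest(blob[4:], _tag(runs)):
        return None
    return runs


def on_startup(blob: bytes, server_reachable: bool) -> Tuple[bool, bytes]:
    """Decide whether this run is allowed and return the state to write back.
    A missing or forged blob is never treated as 'no runs yet': it requires a
    successful server check, which also resets the offline grace count."""
    runs = decode_state(blob)
    if server_reachable:
        return True, encode_state(0)
    if runs is None or runs >= GRACE_RUNS:
        return False, blob
    return True, encode_state(runs + 1)


def rollback_demo() -> Tuple[bool, bool]:
    """ricardo's concern: the user keeps a copy of the first state file.
    Returns (sixth_offline_run_allowed, run_allowed_after_restoring_copy)."""
    first = encode_state(0)          # state written right after activation
    blob = first
    for _ in range(GRACE_RUNS):      # five offline runs are within tolerance
        _, blob = on_startup(blob, server_reachable=False)
    sixth_allowed, _ = on_startup(blob, server_reachable=False)
    restored_allowed, _ = on_startup(first, server_reachable=False)
    return sixth_allowed, restored_allowed


if __name__ == "__main__":
    edited = bytearray(encode_state(3))
    edited[3] = 0                    # try to set the counter back to 0 by hand
    print("edited counter accepted:", decode_state(bytes(edited)) is not None)
    print("(6th offline run, run after rollback):", rollback_demo())
```

Running it shows the asymmetry: the hand-edited counter is rejected, the sixth offline run is refused, and the restored copy of the original file is accepted again. Adding a timestamp or random nonce to the blob does not change that, since the restored copy carries a valid old one; the server has to remember something per installation for rollback to be noticed.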
Posted: Wed Jan 17, 2007 5:23 am
by Sabour
This is nice: the ExeCryptor site is blocking all access from my country's IPs (Indonesia), redirecting to a page titled "Invalid Request" with a bunch of piracy 'lessons'. WTF?? Is it a new kind of stereotyping? lol, they lose 1 potential customer. I will e-mail them.
I have tried 2 ISPs here, BOTH of them got blocked, so I assume all of my country! When trying to use a proxy it works fine :/
This is bad for business.