#41  04-21-2010, 11:51 PM
calvin (Senior Member; Join Date: Feb 2010; Posts: 50)

@Git

Nice insight.
Thank you for your effort!

regards,
#42  04-22-2010, 11:48 AM
mantovano (Member; Join Date: Dec 2008; Posts: 5)

@ Git
Sorry Git, the code to put into the registry file (cell 0x14) is
0x4F01E29F --> after setting the MSb --> 0xCF01E29F
No?


How can I find out where the descriptor array is?
In my version it is something like this:

CALL lic.?ProfileId@CAtollKeyProfile@@QAEKXZ <-- CALL 00404B10
AND EAX,3
LEA EAX,DWORD PTR DS:[EAX+EAX*8]
LEA EAX,DWORD PTR DS:[EAX*4+411198]

Thanks in advance
BR

Last edited by mantovano : 04-22-2010 at 04:20 PM. Reason: Added another question
#43  04-22-2010, 05:31 PM
Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

I can't tell you what value to put in cell 0x14 because I don't know what your PID is. Correct about setting the MSb: I mentioned it in the first post and then forgot it in the next. Now corrected.

> AND EAX,3

val = PID & 3;

> LEA EAX,DWORD PTR DS:[EAX+EAX*8] // val + val*8 = val*9

val *= 9; // LEA is often used just to do a sum, nothing to do with pointers

> LEA EAX,DWORD PTR DS:[EAX*4+411198]

val*4 because the table has an entry every 4 bytes. Looks to me very much like it starts at 0x411198, don't you think? That is the address where the data is loaded when run. If for any reason you want to find out where it is in the file, go to that address in IDA and hover the mouse pointer over the address. The lower status bar will show the address and the file offset.

Git
#44  04-23-2010, 05:05 AM
bassem_16 (Senior Member; Join Date: Feb 2010; Posts: 66)

@ Git

Am I near somewhere?

Code:
00402A68  |. 68 34944600    PUSH lic.00469434                        ; |Key = "65C99B26-9A43-44B8-8B9B-4E7334F28FF7"
00402A6D  |. 68 28944600    PUSH lic.00469428                        ; |Section = "AtollKey"
#45  04-23-2010, 07:13 AM
Git (Super Moderator; Join Date: Oct 2007; Location: Torino; Posts: 1,797)

You're near somewhere but <insert deity> knows what. What is it you are looking for exactly? I've already posted every last scrap of information you need. Try 470120. I just found that in 2 minutes by doing this:

Code:
1) load new lic.exe into IDA
2) We know first table entry is 0xE29F4F01, so do a "Search for sequence 
    of bytes" and look for "01 4F 9F E2"
3) IDA finds one entry at 0x00470120. Jump to that address, keep hitting 
    'd' until the data at that address shows as dword 0E29F4F01h. 
4) Hit keypad '*' to make an array. Set up as follows :

number of elements = 36
Items on a line = 1
Element width = -1
Use "dup" construct : NO
Signed elements : NO
Display indexes : your choice
Create as array : YES
You should now recognise that list of numbers as being the array of candidate descriptors.

While the cursor is on the address 470120, hit 'n' and give it the new name 'descriptorArray'. With the cursor on the label 'descriptorArray' now hit 'x' to find cross references to that address. IDA will find just one at 40A420. Double click the xref it found to go to that address. You should recognise that line and the two lines above as the code to look up descriptorArray[(pid & 3)*9].

Code:
.text:0040A41A                 and     eax, 3
.text:0040A41D                 lea     ecx, [eax+eax*8]
.text:0040A420                 mov     ebx, descriptorArray[ecx*4]

You will also need to put the WritePassword in the Reg file. You can find it with IDA, but in case you miss it, it is 0x5191.

Git

Last edited by Git : 04-23-2010 at 07:21 AM.
#46  04-23-2010, 11:09 AM
bassem_16 (Senior Member; Join Date: Feb 2010; Posts: 66)

Hello Git

I did choose a PID, 92b987ee; ANDing this with 3 = 2, then * 9 = 18, so I will use number 18 in the 36-entry array table, which is 67FFC3F0; then swapping gives C3F067FF.
Here the MSb is already set to 1 (C = 1100)

so C3F067FF is the PID which should be hardcoded into the reg file

the WP I got when I first PVA'd the dng file (brute WP) and it's 5191

Anyway its in here as well 00407BCF

dates will be starting 23/4/2010 and ending 31/12/2030

Question: How to deactivate the time bomb in the reg :'(

Last edited by bassem_16 : 04-23-2010 at 12:08 PM.
#47  04-23-2010, 12:22 PM
sparpacillon (Senior Member; Join Date: Aug 2007; Posts: 210)

At word 0x0E of your reg you will find the timebomb expiration .) Change the date in your reg and restart the emul.
Do your homework again, changing the reg with the right algos .)
#48  04-23-2010, 12:29 PM
bassem_16 (Senior Member; Join Date: Feb 2010; Posts: 66)

@sparpacillon

I know that, I'm not talking about changing the date for the time bomb.

If you go back to the images posted by Git, you will find him deactivating the check box for the time bomb (as if no time bomb exists).

This should be reflected in the reg file somehow.

Setting 0x0E to 00 00 won't do the trick.
Any idea?
#49  04-23-2010, 01:10 PM
mantovano (Member; Join Date: Dec 2008; Posts: 5)

@bassem16

hey!! index starts at "0"
If you set/unset the time bomb the PID changes

@Git
Is it sufficient if I unset the time bomb and use this PID?

Thank you Git, a real pleasure to find out another dimension of this stuff when illuminated by you

Last edited by mantovano : 04-23-2010 at 01:34 PM.
#50  04-23-2010, 01:24 PM
bassem_16 (Senior Member; Join Date: Feb 2010; Posts: 66)

I absolutely know that if the time bomb is unset then the PID changes.

I want to unset it (which means unchecking the time bomb box) and reflect that in the registry,

and then work with the new PID.