Iris v2.00 build 14
Subject: Cracking
This essay is for knowledge purposes only!! Software developers spend much time making their programs. They live from the money we give them! Please buy good software!!

Published by +Tsehp, March 2001
I. Introduction
Welcome again to the world of unpacking. With all the fuss
around ASProtect, some people may have forgotten about other wrapping protections.
In this essay we'll unwrap a PCGuard-wrapped
application, and after that we'll crack it too. This program is a very nice packet analyzer, but costs way too much: 1745$. I mailed the author about it, and he told me (quote): "The right price is the one that the market is willing to pay for something. Iris is targeted at corporations and they can pay that money without remorse. If IRIS helps them solve a 2000$ problem (and this is nothing speaking of consulting fees) then it is well worth it." As you and I are no company, we deserve a slightly cheaper product anyway...
II. About the protection
Wrapped with PCGuard: you'll know this when looking at the sections of a protected .exe. It uses the same import table trick as ASProtect. It also has some basic anti-SoftICE. Quote from the PC Guard website: "The security envelope consists of a large number of encryption layers and anti-debugging, anti-reverse-engineering code and contains all protection functions. The protected application becomes encrypted after protection and is distributed in encrypted state. You can put more than one protection layer around your application for better security. This makes the protected application highly secure and safe from tampering." Nicely said... 'easily' disproven.
III. Cracking it
In this essay I'm going to use this approach:

I. Unwrapping
   1. Finding the OEiP
II. Cracking

Let's begin!

I. Unwrapping

1. Finding the OEiP

This is almost always the first step when unpacking programs: finding the
Original Entry Point. I already explained in previous unpacking essays
how to do this, but I'll repeat it for you with some more details and
an alternative method.
Table 1: OEiP

To find the OEiP for Iris, run IceDump (to hide SoftICE from the basic
anti-SoftICE check) and set a breakpoint on GetProcAddress. Now run the program;
SoftICE should pop up. Press F5 three times (you can press it more often too).
From there on you're on your own: just trace, set breakpoints to
get out of loops, and don't go nuts over the annoy-the-cracker instructions.

2. Dumping

Still on that instruction? Now enter:

/dump 400000 130000 c:\progra~1\iris\dumped.exe

The 400000 is the Image Base, the 130000 is the Image Size. You can
get both of these values in PE Editor by loading the original Iris.exe
into it. Now you have to fix the sections by setting the Raw Size equal to
the Virtual Size (Raw Size = Virtual Size) and the Raw Offset equal to the Virtual
Offset (Raw Offset = Virtual Offset). In PE Editor this can be done quickly
by right-clicking every section in the "Sections" menu
and clicking "Dumpfixer". Start from the first section and work
your way down to the last.

3. ReVirgin

When Iris wants to execute an API it works like this:

or:

472000  call [4BA48C]

You can't find the original IAT, because once all this has been generated it doesn't exist anymore, so you can't use ProcDump or an IAT rebuilder to make the app work; you have to rebuild everything this time. We *could* do this manually, but that would take a lot of time. Nowadays we have a new utility to reconstruct a *damaged* import table. It's coded by +tsehp and is named ReVirgin. We'll use this program to rebuild our import table: run ReVirgin and take a look at it. This util is not a "push-the-button-and-I'll-do-everything-for-you" tool. It is a Fravia's tool that needs understanding before you can use it. Some explanation of the edit boxes you have to fill in yourself:
How they can be found:

1. Run the program with a breakpoint on UpdateWindow (or another API). When SoftICE breaks, press F12 until you are back in Iris' main code. Then trace into every call you come across until you end up in the jump table. A jump table looks like this:

Start partial code
015F:004469D8  JMP [004BAF4C]
End partial code

Now scroll through the jump table and try to find the lowest jump offset
(i.e. find the JMP [xxxxxxxx] where xxxxxxxx is the lowest value in the
whole jump table). Note that this jump table can be interrupted by a lot of
other instructions, so you'll have to scroll to make sure you saw the
whole jump table.

2. For the length of this table I usually choose a random (but big) value, like 2000 or so. This may not always work; in that case use the scroll-down method in the data window to find the end of the import table. The length in our case is 1308.

3. Most of the time we will insert the new import table at the end of the file in a new section. Just fill in the offset of the end of the dumped file (the image size), which in our case is 130000.

Now run the original Iris.exe and refresh the application list in ReVirgin. Click on the Iris.exe process in ReVirgin; it should tell you that the import table is invalid. Now, with all values filled in, push the "IAT Resolver" button. When it's finished, push "Resolve again". Voila, now you should see our newly created import table. Push "IAT Generator" and save the import table under the file name IT.BIN. Note the IT Length (which is 194 in our case). You can see the resolved import table here and the it.bin here. You can leave ReVirgin now and exit Iris.

Next thing to do is to prepare our dumped.exe for the new import table:
Now open dumped.exe with a hex editor, go to the very end of the
file and insert IT.BIN there. Save the changes. Run the finally fixed
dump and it runs!

4. Another unwrapping way

There is another way of unwrapping this protection which is much, much easier and much, much shorter than the previous one. Then why make it difficult when it can be easy? Because this method doesn't work most of the time with such protections. You will be able to use this method to break all PCGuard protections, but it won't work with ASProtect. Anyway, how does it work? First of all, find the OEiP.
When you're AT the OEiP with SoftICE and IceDump loaded, type:

/pedump 400000 44717C c:\progra~1\iris\iris_dump.exe

Okay, last thing to do... cracking it...

II. Cracking Iris

There's a 15-day limit and a nag screen. I tried removing the nag by setting breakpoints on UpdateWindow and SendMessageA, but it didn't work out quite well (it did, but I found a better and much easier way). Just disassemble your dumped/fixed file and search for any ", 0Fh" occurrence. You should see this:

Start partial code
004308AF loc_4308AF:    ; CODE XREF: sub_430730+16Bj
End partial code

This is where our time trial is checked. We could patch this, but the nag won't be gone and the program will still display that it's a demo version. Although it's a demo version it can be registered, so there must be a 'registered-or-not' flag. If that flag is set to 'registered', the piece of code above is _never_ executed. So let's take a look at where the program jumps to the 'check-trial' routine above (@ 0043089B = 430730 + 16B):

Start partial code
00430890 loc_430890:    ; CODE XREF: sub_430730+148j
End partial code

Whatever we do here, we will still end up at the time-trial check. Let's go to the jump that jumps to this code (@ 00430878 = 430730 + 148):

Start partial code
00430868 loc_430868:    ; CODE XREF: sub_430730+134j
End partial code

Pretty obvious now: just nop out the jz short loc_430890 with your favorite hex editor. When done, run your dumped/fixed/cracked file and it works, without the nag, without the time trial! To make it registered to your name and company, change the following keys:

HKEY_CURRENT_USER\Software\eEye Digital Security\Iris\User\Nume (note that this is not a typo)

This is (of course) easily found with RegMon. That's it, we're done!
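The section fix from step 2 above (Dumpfixer: Raw Size = Virtual Size, Raw Offset = Virtual Offset) is the same repair an analyst applies to any process dump before static analysis, since a dump is laid out by RVA rather than by file offset. This added example is mine, not the essay's or PE Editor's code; it parses a constructed two-section header (not Iris) and rewrites it the way Dumpfixer does:

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
SECTION_LEN = struct.calcsize(SECTION_FMT)

def section_table(pe: bytes) -> tuple[int, int]:
    """Return (file offset of the first section header, number of sections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    return coff + 20 + size_of_optional, num_sections

def sections(pe: bytes) -> list[tuple[str, int, int, int, int]]:
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    off, n = section_table(pe)
    out = []
    for i in range(n):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, pe, off + i * SECTION_LEN)
        out.append((name.rstrip(b"\0").decode("ascii"), vsize, va, rsize, rptr))
    return out

def dumpfix(pe: bytes) -> bytes:
    """The 'Dumpfixer' step: a memory dump is laid out by RVA, so set every section's
    raw (file) size and offset equal to its virtual size and virtual address."""
    buf = bytearray(pe)
    off, n = section_table(pe)
    for i in range(n):
        pos = off + i * SECTION_LEN
        f = list(struct.unpack_from(SECTION_FMT, buf, pos))
        f[3], f[4] = f[1], f[2]  # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        struct.pack_into(SECTION_FMT, buf, pos, *f)
    return bytes(buf)

def build_sample() -> bytes:
    """Constructed headers (not Iris): the raw fields still hold on-disk values, i.e. the
    state of a fresh memory dump before fixing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, 0xE0-byte optional header
    text = struct.pack(SECTION_FMT, b".text", 0x9000, 0x1000, 0x8600, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x3000, 0xA000, 0x1200, 0x8A00, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + text + data
```

Running sections(dumpfix(build_sample())) shows each section's raw size and raw pointer now equal to its virtual size and virtual address, which is what lets a disassembler resolve RVAs in the dumped file.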
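Step 3's hunt for the lowest JMP [xxxxxxxx] in a jump table that is interrupted by other instructions is the same import-reconstruction chore an analyst faces with any unpacked sample, and it can be automated. This added example is mine, not the essay's or ReVirgin's code: it scans a constructed code blob for the 32-bit FF 25 disp32 thunk encoding, filters candidates against the image base and size from the /dump command, and derives the IAT start and length that the essay fills into ReVirgin by hand.

```python
import struct

IMAGE_BASE = 0x400000  # image base and size as used in the essay's /dump command
IMAGE_SIZE = 0x130000

def find_jmp_thunks(code: bytes, code_va: int, base: int = IMAGE_BASE, size: int = IMAGE_SIZE):
    """Scan a code region for 'FF 25 disp32' (JMP DWORD PTR [disp32]), the thunk form
    shown in the essay, and return (thunk VA, IAT slot VA) pairs in scan order.
    A candidate whose slot lies outside the image is a false positive and is skipped."""
    hits = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if base <= slot < base + size:
                hits.append((code_va + i, slot))
                i += 6
                continue
        i += 1  # ordinary instruction bytes interleaved with the table: keep scanning
    return hits

def iat_range(hits, base: int = IMAGE_BASE):
    """Lowest referenced slot = start of the IAT; span up to the highest slot = its length.
    Returns (start VA, start RVA, length in bytes)."""
    slots = sorted({slot for _, slot in hits})
    if not slots:
        raise ValueError("no import thunks found")
    start, end = slots[0], slots[-1]
    return start, start - base, end - start + 4

def build_sample() -> bytes:
    """Constructed code blob (not Iris): three thunks separated by normal instructions,
    plus one FF 25 whose target lies outside the image and must be ignored."""
    def thunk(slot: int) -> bytes:
        return b"\xff\x25" + struct.pack("<I", slot)
    return (thunk(0x4BAF50)
            + b"\x90\x90\xc3"        # nop; nop; ret
            + thunk(0x4BAF4C)        # the lowest slot, like the JMP [004BAF4C] in the essay
            + b"\x55\x8b\xec"        # push ebp; mov ebp, esp
            + thunk(0x12345678)      # decoy pointing outside 400000..530000
            + thunk(0x4BB050))
```

The length this reports covers every slot the code references; the essay's "big random value" approach works because ReVirgin stops at the end of the table on its own, but the computed span is the safer input when the table is interleaved with other data.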
IV. In the end
Lots of work on this essay, even though it's quite short. I've been working about 3 hours on it. Sometimes it's hard to remember all the things I did when cracking it... anyway... Thanks go to +tsehp for ReVirgin and help using it, and to +Splaj and Risc for help on unpacking and PE structure. Please report bugs in this essay as soon as possible @ cracking(at)softhome.net
and don't even think about requesting a crack/serial!

Greets,
The Blackbird aka BlackB
Essay written by The Blackbird © 1999-2001. This essay can be freely distributed/published/printed etc. as long as no modifications are made in any way.