Jump to content
Tuts 4 You

[unpackme] lARP64Pro 1.0.3...


Teddy Rogers

Recommended Posts

Teddy Rogers

lARP64Pro 1.0.3

Remark that lARP64Pro is not just like 'any' commercial product but it is merely a 64bit project to prove it is indeed possible to create uncrackable software. To that extent, we have sent lARP64Pro itself as well as a software protected by lARP64Pro to the cracking community in september of 2008, requesting to crack either. Till this day, the cracking community have not succeeded and our conviction is that lARP64Pro will remain uncracked at least for a significant time. The project has been made available for commercial purposes and a trial version is freely downloadable from this site, however this does not mean it is sold to everyone or for every purpose. Yet, contact us in case your x64 software really needs to be super-protected.

http://tuts4you.com/...d.php?view.2815

Ted.

lARP64 Pro_Update.rar

Edited by Teddy Rogers
Updated unpackme as requested by Lena...
Link to comment

Wow I haven't had this much fun when I started reversing. ;)

I wonder what the point of this serial number refernce is.

   éqÐt¬Êt¦Ù
lea rdx, aSerialNumber ; "Serial Number"

No where near a working dump though.. not familiar yet with x64 oeps/import tables etc. but well am progressing nicely.

Got a nice dump though, with resources fixed. Imports look fairly clean.

EDIT:

Imports are not clean.. ;) High mem locations (7ffff60xxx) with obfu. (jmp 0x03. bleh... ) (Just a few are okay.)

EDIT2:

Can now trace them seems it's not quite hard.

mov rbx,rbx
mov [rsp-08],GetStringTypeExA+1
mov [rsp-04],00000000
dec [rsp-08]
jmp qword ptr [rsp-08]

hehe one wonders which import this could be. ;) But need to automate this.. Stupid lack of tools on x64. ;)

Not going to do 116 imports by hand.

atm, I don't see why this can't be unpacked within a reasonable amount of time.

Edited by quosego
Link to comment
  • 4 weeks later...

Wow I haven't had this much fun when I started reversing. wink.gif

Really? Well, I can only say that you aren't even close wink.gif

The unpackme is a protection of an old keygen that was slightly modified. I don't understand why you mention aSerialNumber which is in the main program and won't be of any help in unpacking. As far as the imports are concerned, I can only repeat that you aren't even close.

To avoid confusion with stuff that is in the main program, the unpackme in the first post was updated. Hence, it's better to concentrate on that one.

Good luck!

lena151.

[Edit] Ted, perhaps it's better to update the attachment in the first post with this unpackme?

Edited by lena151
  • Like 2
Link to comment
  • 1 month later...
  • 6 months later...

How funny that even the best unpackers/crackers have fallen for some simple diversion code. High mem locations (7ffff60xxx) ... hehe, I'm valued even more stupid than I thought ;)

I had more ideas to strengthen lARP64Pro but after over 3 years, not even this first one (see above) has been unpacked and as such, I lost all interest in it.

The project will no longer be updated, still, I'm looking forward to seeing it unpacked (the above unpackme) or seeing lARP64Pro itself cracked.

Carpe Diem.

lena151.

Link to comment

Dear Lena,

your challenge is accepted. smile.png

Last year I didn't have 64-bit OS (and even x64 CPU) to run it on. Now I do. Time to learn some x64 assembly.. ;)

Cheers,

kao.

  • Like 2
Link to comment

I see you took the homepage down, maybe you can at least make the trial version available in this forum?

Would be a shame to let it just disappear...

trial dl here: http://larp.qupis.com/download/

Dont be disappointed, x64 will come. But lots of people (especially reverser...) are still stuck with their x86 systems, and so am i.

(there is no x86 version, i suppose?)

:)

Edited by deepzero
Link to comment

There is, it got unpacked by some who are mocked in this thread. wink.png

@lena, perhaps I shall spend more than a quick glance on this.. Just to proof I will bring you down once more. biggrin.png

EDIT:

Also it wasn't confusing.. Just something I noticed.

Edited by quosego
Link to comment

(there is no x86 version, i suppose?)

Indeed, there is NO lARP64 in 32bit.

It exists however a "lARP" (32 bit) as well which is a small protector for team releases. It is not related to lARP64 in any way though.

lena151.

Link to comment

No updates? Is anyone working on this? Why not post on your efforts and share? What tools are you using? How are you getting around the anti-debugs? Dumping process? etc. I've never really debugged a 64bit app or had a really good reason to try other, non-Olly, type debuggers. I don't see much hope for me on this but I would love to learn from some more knowledgeable people. Hopefully this won't become a stagnant thread.

Link to comment

Yeah, x64 is a bugger. In just trying to debug this or even create a x64 sample app to debug I've ran into many issues. The unpackme runs fine though, I'm just having a hard time debugging. I know it checks for a small list of common x64 debuggers via windows and probably processes. Not just through the start up errors if a debugger is running but in letting the unpackme run, then dumping and looking at it. Also, in the brief time I got it to debug I seen it is like others in that it starts in the sfx segment and when it unpacks it does so in sections and performs integrity checks. Other than that useless info, nothing. I got more IDA learning. The anti-debugs are an issue for me as well. On x64 with IDA I believe you have to correct all manually because no plugins are currently compatible, at least from my little research. I'm not ready yet to disable patchguard and hide processes but is this needed? I'm sure someone has a better solution?

* after this post I have kinda been giving up. Here is a dump I was working to fix but it really needs help. Maybe it will help someone with analysis or something but don't expect it to run. And yes I know things are fuc*ed up like the OEP. I was looking for generic signs of one but gave up to later fix it. So not very helpful but its something especially since this thread is somewhat dead. I'm guessing the control panel app was never released?


/>http://www.mediafire.com/?d4bxljknw3183ja

Edited by cozofdeath
Link to comment
  • 3 weeks later...
chickenbutt

This protector protects nothing of value, but if it did, teams would just do static analyses and emulation and defeat 90% of the protection which is threaded mutations and buffer obfuscation on top of x64 NT complexities dealing with ASLR and some undocumented stuff..

She probably put in license encrypted sections and/or buffers under most of it that take too long to brute.

Link to comment
  • 1 month later...

quosego said: "I will bring you down once more"

It seems to take longer than expected to bring me down this time. Maybe you succeeded the 32 bit protector because that was only intended to hold off lame rippers and was coded in a few days?

But it is 3 1/2 years now and I want lARP64Pro to get defeated finally. So, I'm providing a new crackme that offers many different points of attack: http://tuts4you.com/download.php?view.2815

This new crackme should make it accessible for everyone because patching is allowed. The goal is to unpack either of the executables OR circumventing the program's unregistered window. Any means are allowed: patching, inlining or unpacking or whatever you can think of. I coded no trap at all in the protected unpackme and certainly not in killing the program's nag screen. It's a simple patch from a conditional jump and I have made this as simple as I can. You really can't want me to provide you with the offset to patch as well, right?

Inside the archive are two UnpackMes/CrackMes protected by lARP64Pro. It is both the same executable (64-bit-only) but once protected with an unregistered lARP64Pro (trial) and once with a registered lARP64Pro. This offers additional info because killing the unregistered messagebox in the trial-protected crackme would be a good start as well. Info: an unregistered lARP64 Pro adds an additional timely message.

I'm convinced this can only take a couple minutes now or lARP64Pro would become the strongest protection ever???? :lol: :lol: :lol: Only joking, let me know how you did it!

chickenbutt said: "This protector protects nothing of value".

Well, the new unpackme does. Beat it!

@deepzero : I have no authority over that version of lARP64Pro at qupis.com which is two years old and is certainly not the last version! The last version was 1.2.1, dated january 2012. It had many more protective features and was/is intended for combined exe/dll interactive protection, meaning that exe and dll protected/controlled each other. Programmers could also finetune the working of their program from an additional tab. But programmers are just plain stupid and prefer staying with moderately difficult protectors like Themida and Winlicense which are unpacked over and over again.

BTW, like I said before: development of lARP64Pro was stopped forever.

lena151.

Link to comment

Hi,lena151.I'm a person which learn all about reversing from yours tutorials for the beginning!I think that main problem of your protector is 64bit OS,and there isn't any 64bit Debugger like fantastic Ollydbg.This is my opinion...Yes,there is IDA,but very dificult user interface.Anything that packs,can unpack.Here there are fantastic reversers...i don't want to say names.i leave it to them...When we will see the Ollydbg in 64bit,i hope development make this for us very soon,we will see very glory days! :1a:

  • Like 1
Link to comment

Hehe, you are right, but perhaps not because of your protection.. Though I will admit it'll prolly take me a while. It's more that I'm steadily losing the capacity to spend continuous hours at cracking something. I had hoped this unpackme would spark my interest some more by taking up the challenge you pose, initially it did and got slightly cocky ;) but it didn't last.. Strangely it seems the days of cracking for me are passing, I seem to have lost the excitement. Though I had fun, I never spend more than 2 hours on this.. which isn't even enough to get the hang of x64.

Honestly I do not know if I will really take this up.. It wouldn't matter if you'd posted easier versions, it also kinda kills the legend. ;)

Edited by quosego
Link to comment

Hehe, you are right, but perhaps not because of your protection

So, you chicken out because it is too difficult huh? It is not fair to say it is perhaps not because of the protection, because it is!

For someone who said initially and I quote your first post in this thread: "Wow I haven't had this much fun when I started reversing", chickening out now is rather amusing and maybe now I myself haven't had this much fun since when I started reversing.

Be a man and continue the challenge or admit that for you, lARP64Pro is just too difficult!

No harm intended. I just poke fun at those who claim themselves to be the best ever to finally get lARP64Pro cracked ;)

lena151.

Link to comment

Honestly i would like to take this target and try to solve...but i dunno when i can get enugh time to study a beast like this.

I give up for now, anyway i don't think it's impossible. Just hard.

Personally i can't spend more than one hour a day in reversing, and this is not the case one hour is enough :)

Link to comment

@lena151: that was rather harsh response, don't you think?

The sad reality is that we all grow up or grow older. We get studies, jobs, wives/husbands, kids and dogs. Reversing, which is an amazing hobby, has lower priority than "real life" and there is not much we can do about that.

Link to comment

@lena151: that was rather harsh response, don't you think?

All those who know me somewhat also know that that response was totally unlike me. However, I do want to put lARP64Pro to the ultimate test now and it feels like I can only motivate you guys by poking fun at those who started the mockery with this commercial (at that time) project. Such people might want to prove the licitness of such actions instead of chickening out.

Again, no harm intended. I do want lARP64Pro to be defeated though and I can not make an easier target now, just crack it!

I have also put this up on exetools. Maybe someone there has the time to restore my faith in reversing. But just don't mention the time matter anymore please. Me too, I'm very limited in free time, but there's a lot of 1-hour-a-day days in 3 1/2 years and someone should already have cracked it before :o

Once more, I want to mention Kurapica for providing the lARP64Pro startup flash screen and someone else without whom this protector would never have seen daylight (a master coder who has put me back on track countless times but whose name I can't mention)

lena151.

Link to comment

Like most reversers we crack and unpack because we like it. Not because we get bullied into it. I know you don't mean any harm, but this won't get you what you want.

Link to comment

The RCE world is just not ready for x64.

You are joking, right? Because if we were not ready, it would be a total shame!

PeSpin x64 is still "uncracked" too

That's gonna be history then now :)

Sorry to disappoint you, but we are ready for x64. -> See attachment.

Regards,

lena151.

dumped.rar

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...