Exidous Posted February 1, 2013 Unpack my protector. I compiled & protected a hello world. This will drop a 1.exe (vb6); this is just for the injection module to inject into (not a malware drop); analyze the file. This protector will protect x64, x32, .NET & non-.NET software. Yeah, that's right, the protector was written in C#. This protector has a HWID license check & server check. Good luck! Download: http://www.mediafire.com/?8m8cnwo22vg904c or UnpackMe1.rar. Valid License Response "hello world" (Screenshot): http://pokit.org/get/?e6068708cb95ab...d560744d6d.png
Teddy Rogers Posted February 1, 2013 The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format, thank you! [This is an automated reply]
mrexodia Posted February 2, 2013 (edited) Hi, my research:
- The unpackme uses the 'RC4Str' function to decrypt base64 strings to a readable format.
- The unpackme uses the 'RC4' function to decrypt "ProtectionDll.dll", which actually is the protected file.
- The password used in this unpackme is "Exodious".
1) The unpackme goes to the server address "http://totalviruscheck.com/SoftwareProtection/insert.php?HWID=" to do a license check. This check is easily bypassed with a small PHP script: http://codepad.org/0Gb7UFAD (just redirect totalviruscheck.com to 127.0.0.1).
2) The data returned from the server is put through the 'CleanHwid' function. This function takes the string directly after "<body>". This data is uppercased and compared with the uppercased HWID to pass the license check.
3) The "ProtectionDll.dll" is decrypted using the RC4 function.
4) OEP and the HWID are sent to the server: "?HWID2=[Hwid]]http://totalviruscheck.com/SoftwareProtection/insert.php?OEP=[buildNumber]?HWID2=[Hwid]"
5) OEP bytes in hex format are retrieved from the server (you cannot know the OEP bytes in this way, smart, but with one valid license you're screwed).
6) OEP bytes are written to memory and the file is executed in memory.
Luckily this is VB5, so it's quite easy to retrieve the OEP bytes (they match with the included 'invoke.exe', which is embedded in the resources). I attached my dumps, PHP scripts and used tools (+source). I liked the challenge. Greetings, Mr. eXoDia. PS: Level would be 1-3, don't know exactly. dumps_php_tools.rar Edited February 2, 2013 by Mr. eXoDia
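To make the two mechanisms above concrete, here is an added Python example (not code from the unpackme, its author, or the attached tools) that reimplements what the post describes: an RC4 routine in the role of 'RC4Str' (base64-decode, then RC4 with the key "Exodious"), and a 'CleanHwid'-style license check that takes the text directly after "<body>" and compares it, uppercased, with the HWID. The function names, the assumption that the server reply is bare HTML, and the constructed HWID and response strings are assumptions for illustration; the exact string-trimming rules of the real 'CleanHwid' are not known from the post.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm, XORed onto the data
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# The password named in the post; hard-coded in the binary, so any analyst can reuse it.
KEY = b"Exodious"


def rc4str(b64: str, key: bytes = KEY) -> str:
    """Decrypt a base64-wrapped RC4 string, as the post says 'RC4Str' does."""
    return rc4(key, base64.b64decode(b64)).decode("utf-8")


def rc4str_encrypt(text: str, key: bytes = KEY) -> str:
    """Inverse of rc4str, used here only to build sample input (assumed helper)."""
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def clean_hwid(html: str) -> str:
    """Mimic 'CleanHwid': keep the text directly after '<body>'.
    Assumption: the value ends at the next tag or at end of input."""
    marker = "<body>"
    start = html.find(marker)
    if start < 0:
        return ""
    rest = html[start + len(marker):]
    end = rest.find("<")
    return (rest if end < 0 else rest[:end]).strip()


def license_ok(server_html: str, hwid: str) -> bool:
    """The check as described: uppercased server value == uppercased HWID."""
    return clean_hwid(server_html).upper() == hwid.upper()


def fake_server_response(hwid: str) -> str:
    """Stand-in for the redirected PHP script: just echo the HWID back in a body tag.
    Constructed for this example; it is what a local bypass script only needs to return."""
    return f"<html><body>{hwid}</body></html>"


if __name__ == "__main__":
    hwid = "abcd-1234-hwid"  # constructed sample HWID
    print(license_ok(fake_server_response(hwid), hwid))            # True
    print(license_ok("<html><body>other</body></html>", hwid))     # False
    print(rc4str(rc4str_encrypt("hello world")))                    # hello world
```

Because RC4 is symmetric and the key is embedded in the binary, recovering "Exodious" is enough to decrypt every protected string and the embedded "ProtectionDll.dll"; and because the license check only compares the HWID the client itself sent against whatever the server echoes, a local script that returns the HWID inside `<body>` passes it, which is exactly the bypass the post describes.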
Exidous Posted February 2, 2013 Author (edited) Damn, nice. I'm almost done with a stronger version (imports are gone now) & the RC4 private key will be stored in the DB. I'm actually kind of shocked it got cracked :S Edited February 2, 2013 by Exidous2008
mrexodia Posted February 2, 2013 @Exodious: please include a valid license with your unpackme. It should also be hard when you have a valid license; without one I cannot test certain features, especially when you store RC4 keys on the server. Greetings
Exidous Posted February 2, 2013 Author (edited) I can do that. Thank you for taking the time to help me with improving my software protection methods. Apparently I'm headed in the right direction. Edited February 2, 2013 by Exidous2008