Jump to content
Tuts 4 You

[unpackme] Unpack Me (My protector) -Level- Unknown


Exidous

Recommended Posts

Unpack my protector. I compiled & protected a hello world.This will drop a 1.exe (vb6) this is just for the injection module to inject into (Not malware drop) -analyze the file-This protector will protect x64 x32 .net & non .net software ;) Ya thats right :)The protector was written in C#.This protector has a hwid license check & server check ;)Good luck!Download:http://www.mediafire.com/?8m8cnwo22vg904c

or

UnpackMe1.rarValid License Response "hello world" (Screenshot):http://pokit.org/get/?e6068708cb95ab...d560744d6d.png

  • Like 1
Link to comment

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

Hi,

My research:

- The unpackme uses the 'RC4Str' function to decrypt base64 strings to a readable format.

- The unpackme uses the 'RC4' function to decrypt "ProtectionDll.dll", which actually is the protected file

- The password used in this unpackme is "Exodious"

1) The unpackme goes to the server address "http://totalviruscheck.com/SoftwareProtection/insert.php?HWID=" to do a license check. This check is easily bypassed with a small php script: http://codepad.org/0Gb7UFAD (just redirect totalviruscheck.com to 127.0.0.1)

2) The data returned from the server is put through the 'CleanHwid' function. This function takes the string directly after "<body>". This data is uppercased and compared with the uppercased HWID to pass the license check.

3) The "ProtectionDll.dll" is decrypted using the RC4 function.

4) OEP and the HWID are sent to the server: "?HWID2=[Hwid]]http://totalviruscheck.com/SoftwareProtection/insert.php?OEP=[buildNumber]?HWID2=[Hwid]"

5) OEP Bytes in hex format are retrieved from the server (you cannot know the OEP bytes in this way, smart but with one valid license you're screwed)

6) OEP Bytes are written to memory and file is executed in memory

Luckily this is VB5 so it's quite easy to retrieve the OEP bytes (They match with the included 'invoke.exe', which is embedded in the resources)

I attached my dumps, php scripts and used tools(+source), I liked the challenge :)

Greetings,

Mr. eXoDia

PS Level would be 1-3 don't know exactly

dumps_php_tools.rar

Edited by Mr. eXoDia
  • Like 3
Link to comment

Damn, Nice.. Im almost done w/ a stronger version (Imports are gone now) & The RC4 Private Key will be sotored in the db.


 


Im actually kinda shocked it got cracked :S

Edited by Exidous2008
Link to comment

@Exodious: plz include a valid license with your unpackme. It should also be hard when you have a valid license, without one I cannot test certain features, especially when you store RC4 keys on the server.

Greetings

Link to comment

I can do that :)


 


Thank you for taking the time to help me w/ improving my software protection methods.


 


Apparently im headed in the right direction :P


Edited by Exidous2008
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...