06.08.05
Strongbit Execryptor Hardkey License Manager
I was working on ExeCryptor and the related license manager, based on Hardkey4, an asymmetric algorithm. The packer itself is nice, the polymorphic engine is wonderful, and there are several anti-debugging tricks:
PEB.BeingDebugged
PEB.NtGlobalFlag
Static TLS callbacks
CRC on the exe file (not the image)
CheckRemoteDebuggerPresent (only on XP SP1 and later)
FindWindow (searches for OllyDbg's registered window class name)
Olly exe exports (searches the export table of every running process to find OllyDbg's API exports)
Format string bug (OutputDebugString with a %s%s%s%s… string, crashes Olly)
Redundant LOCK prefixes which interfere with Olly (LOCK INT1, LOCK INT3)
Anti-Filemon, Regmon, IDA etc. tricks are also present
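The checks above are easier to spot in a debugger once you have seen them written out. The following is an added example, not ExeCryptor's code: the PEB.BeingDebugged, PEB.NtGlobalFlag, CheckRemoteDebuggerPresent and FindWindow checks, plus the OutputDebugString format string trick, reimplemented in C. The Windows-only readers compile only on Windows; the decision logic is portable and takes the raw values as parameters. The PEB offsets (BeingDebugged at +0x02, NtGlobalFlag at +0x68 on x86 and +0xBC on x64), the 0x70 heap-flag mask and the "OLLYDBG" class name are the well-known ones for 32/64-bit Windows and OllyDbg 1.10; the function names are mine.

```c
/*
 * Added example, not ExeCryptor's code: a few of the anti-debugging checks
 * listed in the post, re-implemented in plain C. The Windows-specific readers
 * are compiled only on Windows; the decision logic is portable so it can be
 * exercised anywhere with values passed in by hand.
 */
#include <stdint.h>
#include <stdio.h>

/* Heap flags a process started under a debugger gets by default. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define NTGLOBALFLAG_DEBUG_MASK (FLG_HEAP_ENABLE_TAIL_CHECK | \
                                 FLG_HEAP_ENABLE_FREE_CHECK | \
                                 FLG_HEAP_VALIDATE_PARAMETERS)

/* One bit per tripped check, so the caller can see which trick fired. */
enum {
    IND_BEING_DEBUGGED  = 1u << 0,
    IND_NTGLOBALFLAG    = 1u << 1,
    IND_REMOTE_DEBUGGER = 1u << 2,
    IND_OLLY_WINDOW     = 1u << 3
};

int ntglobalflag_indicates_debugger(uint32_t ntglobalflag)
{
    /* 0x70 is the usual value seen inside a debugged process. */
    return (ntglobalflag & NTGLOBALFLAG_DEBUG_MASK) == NTGLOBALFLAG_DEBUG_MASK;
}

unsigned debugger_indicators(uint8_t being_debugged, uint32_t ntglobalflag,
                             int remote_debugger_present, int olly_window_found)
{
    unsigned ind = 0;
    if (being_debugged)                                ind |= IND_BEING_DEBUGGED;
    if (ntglobalflag_indicates_debugger(ntglobalflag)) ind |= IND_NTGLOBALFLAG;
    if (remote_debugger_present)                       ind |= IND_REMOTE_DEBUGGER;
    if (olly_window_found)                             ind |= IND_OLLY_WINDOW;
    return ind;
}

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>

static const uint8_t *peb_base(void)
{
#ifdef _WIN64
    return (const uint8_t *)__readgsqword(0x60);   /* TEB+0x60 -> PEB */
#else
    return (const uint8_t *)__readfsdword(0x30);   /* TEB+0x30 -> PEB */
#endif
}

uint8_t read_peb_being_debugged(void) { return peb_base()[0x02]; }

uint32_t read_peb_ntglobalflag(void)
{
#ifdef _WIN64
    return *(const uint32_t *)(peb_base() + 0xBC);
#else
    return *(const uint32_t *)(peb_base() + 0x68);
#endif
}

/* CheckRemoteDebuggerPresent only exists from XP SP1 on, so resolve it at
 * run time instead of importing it; on older systems the check is skipped. */
int remote_debugger_present(void)
{
    typedef BOOL (WINAPI *crdp_t)(HANDLE, PBOOL);
    BOOL present = FALSE;
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    crdp_t fn = k32 ? (crdp_t)GetProcAddress(k32, "CheckRemoteDebuggerPresent") : NULL;
    if (fn) fn(GetCurrentProcess(), &present);
    return present != FALSE;
}

/* OllyDbg 1.10 registers its main window class as "OLLYDBG". */
int olly_window_found(void) { return FindWindowA("OLLYDBG", NULL) != NULL; }

/* The OutputDebugString trick: OllyDbg 1.10 feeds the string to a printf-style
 * routine, so a run of %s conversions makes it dereference garbage and crash. */
void olly_format_string_trick(void) { OutputDebugStringA("%s%s%s%s%s%s%s%s"); }
#endif

int main(void)
{
#ifdef _WIN32
    unsigned ind = debugger_indicators(read_peb_being_debugged(),
                                       read_peb_ntglobalflag(),
                                       remote_debugger_present(),
                                       olly_window_found());
#else
    /* Off Windows: constructed values for a process started under a debugger. */
    unsigned ind = debugger_indicators(1, 0x70, 1, 1);
#endif
    printf("indicators tripped: 0x%x\n", ind);
    return 0;
}
```

Each check is kept in its own small function on purpose: when hunting these in a packed binary you want to recognise the individual read (the byte at PEB+2, the dword at PEB+0x68, the FindWindowA call with a fixed class name) rather than a combined decision, because the packer spreads them out between its polymorphic junk.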
Finding the OEP is really difficult, since the packer makes a lot of jumps in the code section before reaching the OEP. When the app is running, some portions of the exe are still encrypted, and are decrypted only at run time if a valid serial is present.
In my program a unique ID is generated for the PC on which it is executed, and you need a valid serial corresponding to that ID to register the program. However, if you already have valid ID/serial information (for example you have a valid serial on your PC and you want to run the program on your laptop) you can easily fool ExeCryptor. I simply took these steps:
save my valid ID/serial information
run the program with Olly on another PC, which has another ID (let's call it ID2)
during this execution, search memory for where the string ID2 is located
it seems ONLY ONE location is important for holding the ID2 string, so I restart the process and set a memory breakpoint (bpm) on it
once the program writes ID2 to that location, I replace it with ID (well, I replace EVERY occurrence of ID2 in memory with ID)
once this is done, the program runs, and if you enter the valid serial you have for ID, the program accepts it
Now I must test whether the program FULLY works, or whether somewhere it can detect my trick
This is a really easy way to bypass an otherwise hard protection scheme!
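As an added example (not the author's tool, and not ExeCryptor code), here is the "replace EVERY occurrence of ID2 with ID" step done over a memory region that has been copied into a byte buffer, for instance from a dump taken at the memory breakpoint. Windows programs often hold the same string both as ANSI and as UTF-16LE, so both encodings are patched, and the replacement is refused if the new ID is not the same length as the old one. The sample memory layout and the IDs in it are constructed for the example.

```c
/*
 * Added example, not the author's tool: patch every ANSI and UTF-16LE copy of
 * a machine ID inside a memory region, the way the post replaces ID2 with ID.
 * The new ID must have the same length as the old one: the program sized its
 * buffers for the old string, so a longer or shorter replacement would overrun
 * or truncate them.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write an ASCII string as UTF-16LE (each char followed by a 0x00 byte) and
 * return the number of bytes written. Used to build the sample memory below. */
size_t put_utf16le(uint8_t *dst, const char *s)
{
    size_t n = 0;
    for (; *s; s++) { dst[n++] = (uint8_t)*s; dst[n++] = 0; }
    return n;
}

/* Patch every ANSI and UTF-16LE occurrence of old_id with new_id inside
 * mem[0..len). Returns the number of occurrences patched, or -1 if the IDs
 * differ in length (refuse rather than corrupt the neighbouring data). */
long patch_id_everywhere(uint8_t *mem, size_t len,
                         const char *old_id, const char *new_id)
{
    size_t n = strlen(old_id), i, k;
    long count = 0;
    if (n == 0 || strlen(new_id) != n) return -1;

    /* ANSI pass */
    for (i = 0; i + n <= len; i++) {
        if (memcmp(mem + i, old_id, n) == 0) {
            memcpy(mem + i, new_id, n);
            count++;
            i += n - 1;            /* skip past the patched bytes */
        }
    }
    /* UTF-16LE pass: match c,0x00 pairs */
    for (i = 0; i + 2 * n <= len; i++) {
        for (k = 0; k < n; k++)
            if (mem[i + 2 * k] != (uint8_t)old_id[k] || mem[i + 2 * k + 1] != 0)
                break;
        if (k == n) {
            for (k = 0; k < n; k++) {
                mem[i + 2 * k] = (uint8_t)new_id[k];
                mem[i + 2 * k + 1] = 0;
            }
            count++;
            i += 2 * n - 1;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample "memory": two ANSI copies and one UTF-16LE copy of
     * the machine ID surrounded by filler, plus a near-miss that must not be
     * touched. The IDs themselves are made up. */
    uint8_t mem[96];
    memset(mem, 0xCC, sizeof mem);
    memcpy(mem + 4,  "1234-ABCD", 9);
    put_utf16le(mem + 20, "1234-ABCD");
    memcpy(mem + 48, "1234-ABCX", 9);
    memcpy(mem + 70, "1234-ABCD", 9);

    long patched = patch_id_everywhere(mem, sizeof mem, "1234-ABCD", "9876-WXYZ");
    printf("patched %ld occurrence(s)\n", patched);    /* 3 */
    return 0;
}
```

The count returned is worth looking at: if it is higher than the number of locations you found with the debugger's search, the program keeps another copy (typically the wide-string one) that a later check could compare against, which is exactly the kind of place where a "FULLY works" test would fail.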
Any comment adding information on this protection system is welcome
Bye
AndreaGeddon
–ps thanks to stingduk for his suggestion that made me go faster in reversing ExeCryptor, and for his wonderful plugin NtGlobalFlag, which lets you handle TLS and a lot of other things easily!
(http://www.reversing.be/article.php?story=20050603193932184)
–pps I fooled the FindWindow trick with Crudd's RePair, nice work Crudd!!! You can find the tool in the tools section

swed said,
February 3, 2007 at 11:26 am
At work we bought a new retail program, RETAIL PRO, with a hardkey protection. Before we had our activation code I copied the whole program and pasted it on my computer at home… and it works, except it won't update the date… but if I copy all the .dat, .ix, and other files from work the date works again for a while… could you please direct me to more knowledge about this issue…
Xacker said,
February 3, 2007 at 11:26 am
Is there any current information about reversing (deprotecting!) ExeCryptor?
Matias said,
February 3, 2007 at 11:26 am
Hi, I have a .exe protected by Themida 1.0.0.5 or XProtector. I ran XProtectorStripper but it does not unprotect the file :( please, anybody help me, thanks