Wednesday, October 15, 2008

SunBeam End DBP

One of the posts I have liked most in recent times:



Before we start off, know that this is not a thread in which you would BEG for a cracked version of DBP. All I'm doing is posting info I obtained via analyzing the file, cleaning VM and patching checks. I will talk about all that in what follows, in a log-like fashion. Therefore, please, no "is this cracked?" or "I tried what you said and it still doesn't work", as this post is only INFORMATIVE and doesn't show or teach you how to crack DBP! Get your facts straight!




Okay. Now that we got rid of all the leechers around, based on the above, time to post some info for those of you that like a good reading.




I managed to obtain one of the latest DBPs out there (DragonBot_4_6_08.exe) - well, at least I think it's the latest - and started playing with it. Here's what I got..




[6/9/2008]




[ #1 ] Alon uses some ****ty protection to scare nublets and trick them into thinking that unpacking his sh!t will somehow magically get the wrath of the gods on your ass. Hence this message:




Cleaning up the *****ic level-2 VM revealed this:


0052C6D9 - 81 bd 64 ff ff ff 80 4f 12 00 - cmp [ebp-0000009c],00124f80 //stupid_check

0052C6E3 - 0f 84 37 15 00 00 - je 0052dc20


..[ if check is OK ]..


004E4904 - c6 45 82 70 - mov byte ptr [ebp-7e],70 //p

004E4908 - c6 45 83 61 - mov byte ptr [ebp-7d],61 //a

004E490C - c6 45 84 63 - mov byte ptr [ebp-7c],63 //c

004E4910 - c6 45 85 6b - mov byte ptr [ebp-7b],6b //k

004E4914 - c6 45 86 65 - mov byte ptr [ebp-7a],65 //e

004E4918 - e9 98 0f 02 00 - jmp 005058b5


..[ etc ]..


If you watch that buffer starting with EBP-80, you'll find the string in the stack. "Unpacked it?"..


Therefore, either change the jump 52C6E3 or fake the size or whatever that check is. Didn't take time to study what the value stands for..


Later on I found this:


004027F5 - 89 45 80 - mov [ebp-80],eax

004027F8 - 8d 45 a0 - lea eax,[ebp-60]

004027FB - 50 - push eax

004027FC - 56 - push esi

004027FD - ff 15 d4 71 42 00 - call dword ptr [004271d4] : FindFirstFileA


Before this function, the application calls GetModuleFileNameA with the main param as NULL. So, after getting the info, it executes more VM crap and gets to the func above - 4027F5 - where it pushes a few parameters and calls FindFirstFileA. The buffer that holds the information:


0012FABC 0012FAEC \pFindFileData = 0012FAEC


If you are to follow that buffer in dump, you'll find this, after executing the API:


0012FAEC 20 00 00 00 78 86 31 14 18 CA C8 01 C6 93 1F 80 ...x†1ÊÈÆ“€

0012FAFC 21 CA C8 01 0E 54 8D B3 18 CA C8 01 00 00 00 00 !ÊÈT³ÊÈ....

0012FB0C 00 60 17 00 20 F9 12 00 20 F9 12 00 75 6E 70 61 .`. ù. ù.unpa

0012FB1C 63 6B 65 64 2E 65 78 65 cked.exe


Nothing big, BUT. Remember what I mentioned above?


0052C6D9 - 81 bd 64 ff ff ff 80 4f 12 00 - cmp [ebp-0000009c],00124f80


Guess what, EBP-9C is 176000 (00 60 17 00), since my file is unpacked. So, instead of using some gay GetFileSize compare, Alon makes use of the params returned in the struct. Slick, eh? Easily patchable.
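Decoding the WIN32_FIND_DATA dump above shows why EBP-9C holds the file size: nFileSizeLow sits at offset 0x20 of the struct that FindFirstFileA fills in. The following is an added Python example, not code from the original post, that parses the dumped bytes into the structure's fields and re-creates the size compare; it also illustrates why a baked-in size constant is a weak integrity signal, since any modification that preserves the length passes it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Stack bytes at 0012FAEC, copied from the dump in the post (constructed test input
# for this example; the dump ends after "unpacked.exe", so cFileName[260] is truncated).
FIND_DATA_DUMP = bytes.fromhex(
    "20 00 00 00 78 86 31 14 18 CA C8 01 C6 93 1F 80 "
    "21 CA C8 01 0E 54 8D B3 18 CA C8 01 00 00 00 00 "
    "00 60 17 00 20 F9 12 00 20 F9 12 00 75 6E 70 61 "
    "63 6B 65 64 2E 65 78 65"
)

# WIN32_FIND_DATAA fixed header, little-endian, no padding:
# dwFileAttributes, ftCreationTime, ftLastAccessTime, ftLastWriteTime,
# nFileSizeHigh, nFileSizeLow, dwReserved0, dwReserved1, then cFileName[260].
HEADER_FMT = "<IQQQIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)        # 44 bytes
SIZE_LOW_OFFSET = struct.calcsize("<IQQQI")      # 0x20: the dword the cmp at 0052C6D9 reads
MAX_PATH = 260
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_win32_find_data(buf):
    """Decode a WIN32_FIND_DATAA buffer (cFileName may be truncated) into a dict."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer shorter than the WIN32_FIND_DATAA header")
    attrs, ctime, atime, wtime, size_hi, size_lo, _res0, _res1 = struct.unpack_from(HEADER_FMT, buf)
    name = buf[HEADER_SIZE:HEADER_SIZE + MAX_PATH].split(b"\0", 1)[0]
    return {
        "attributes": attrs,                     # 0x20 = FILE_ATTRIBUTE_ARCHIVE
        "creation_time": filetime_to_datetime(ctime),
        "last_access_time": filetime_to_datetime(atime),
        "last_write_time": filetime_to_datetime(wtime),
        "file_size": (size_hi << 32) | size_lo,
        "file_name": name.decode("ascii", "replace"),
    }


def size_check_passes(buf, expected_size_low):
    """Mirror of the check at 0052C6D9: nFileSizeLow compared against a hard-coded constant."""
    (size_low,) = struct.unpack_from("<I", buf, SIZE_LOW_OFFSET)
    return size_low == expected_size_low
```

Running it on the dumped bytes yields a 0x176000-byte "unpacked.exe", so the compare against 00124f80 (the packed size) fails, exactly as the post describes.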


-- -- -- -- -- --


[ #2 ] The program uses its own mutex, which can easily be traced through the VM and spotted here:


0012FD38 00000000 pSecurity = NULL

0012FD3C 00000001 InitialOwner = TRUE

0012FD40 0042AF00 \MutexName = "dhgsdfhhdf"


004F92F3 FF15 18714200 CALL DWORD PTR DS:[CreateMutexA]


-- -- -- -- -- --


[ # 3 ] One wise decision would be to patch GetTickCount as it's used later on in a few more checks. Either grab a plugin or simply trace the code and patch it manually. I'll post about it later on, when I study it in depth. So far I found a check where he's using FileTimeToSystemTime or similar APIs and based on those, probably checks up on the file itself lol..


-- -- -- -- -- --


[ # 4 ] Settings.dbp contains information about user's mail address used for registration. Its current context is as follows:


DBP1user_mail_here[end_char]


Of course, DBP is so stupidly made that instead of checking end-string with a 00 terminator, Alon chose to use custom chars.


Example:




So after reading the whole string, he does this:


CMP BYTE PTR [EAX+ECX-1],'M'


where eax = start address of string, ecx = size..


Not to mention the method, SHA "A_SHAFinal", "A_SHAInit" etc.. with 2x64 bytes..


-- -- -- -- -- --


[ # 5 ] Getting warmer. Do I see SQL here?


0012FA00 013E01D4

0012FA04 0017FF1C UNICODE "WQL"

0012FA08 001944CC UNICODE "SELECT * FROM Win32_BaseBoard"

ok in the end: Okay, now shut up T_T..
