Inlining ACProtect v1.32

Articles regarding Reversing and Software Protections.
H_T_P
Site Admin
Posts: 83
Joined: Mon Mar 01, 2010 7:41 pm

Inlining ACProtect v1.32

Post by H_T_P »

In this article we take a close look at ACProtect v1.32 and we manage to write our own inline function inside its code in order to bypass the checks of the license system of the packer.


Download: Inlining ACProtect v1.32


Enjoy,

H_T_P
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)
newhak
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm

Re: Inlining ACProtect v1.32

Post by newhak »

Thanks mate, this is a really great article.

Keep them coming.

I have one question. I tried to apply the tut. It works fine for the version you used, but it does not for the new version.

The code is still the same, just small changes in addresses. When you inject your code and run the prog, it works and closes, so is that because of CRC? Please help.
H_T_P
Site Admin
Posts: 83
Joined: Mon Mar 01, 2010 7:41 pm

Re: Inlining ACProtect v1.32

Post by H_T_P »

I am sorry, but I don't have the time to check what you are asking for.

However, if you are sure that this is because of a CRC check then, you should take a look at the stack window as soon as the process terminates and use the info regarding the last calls to trace back and find the point where the CRC check is done.

I have to point out, that there was a reason why in my inline function I have added some more lines in order to restore back the original code where the first part of the inline function has written some jumps.
I had noticed that the next time the function regarding the activation status is called, the EBX value must not be changed to 1, otherwise the program terminates, and that's why we restore back the original code and remove the jumps to our code cave.

Probably this is your case too, so check those things first. :O)
newhak
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm

Re: Inlining ACProtect v1.32

Post by newhak »

Thanks for your reply. I did think that nobody would care.
Your efforts are really appreciated.

In regard to the injection code you made for the old version, it works fine as there is no CRC, I believe. Also, if you set a bp on the first jmp to the code cave and another bp on the part where you want a value of one to be moved to ebx, you'll notice that the code will pass through the first loop three times or so, then will move to the part of (move eax,ebx) which became a jump to the cave, and never go back to the previous loop. This means you do not need the two lines you wrote in the injection code:
006D7CCB C705 01729400 8>MOV DWORD PTR DS: [947201], 18246C8D
006D7CD5 C605 05729400 5>MOV BYTE PTR DS: [947205], 5E

unless you want to return that part to its original as well.

For the new version, it seems that they noticed this and made a CRC which will terminate the program as soon as a change is detected.

Anyway, I'll try to trace back the CRC; hope I find something useful.
H_T_P
Site Admin
Posts: 83
Joined: Mon Mar 01, 2010 7:41 pm

Re: Inlining ACProtect v1.32

Post by H_T_P »

This means you do not need the two lines you wrote in the injection code:
006D7CCB C705 01729400 8>MOV DWORD PTR DS: [947201], 18246C8D
006D7CD5 C605 05729400 5>MOV BYTE PTR DS: [947205], 5E

unless you want to return that part to its original as well.

That's exactly what we want. After the first time we go to the 2nd part of our inline function we *have* to restore back the code where there is the jump that brings us here.
Otherwise, later on the process will terminate and that's why there is another check later on that actually wants to take 0 as a result and not 1.
I think maybe this is your case. Make sure that you have correctly added these 2 lines.
newhak
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm

Re: Inlining ACProtect v1.32

Post by newhak »

That's exactly what we want. After the first time we go to the 2nd part of our inline function we *have* to restore back the code where there is the jump that brings us here.
Otherwise, later on the process will terminate and that's why there is another check later on that actually wants to take 0 as a result and not 1.
I think maybe this is your case. Make sure that you have correctly added these 2 lines.

That's ok, I understood what you meant from the beginning. I do not like to apply techniques or ideas when I do not know how they work, and therefore I traced every single point in your inline code. This code is applicable to the version you used, but for the later version I think a revision should be made, as I tried to apply it fruitlessly.

I do believe that the CRC is behind the problem. Up to now I could not locate it in the code ): but still trying.

On the other hand, have you made any such inline tut's on other protectors such as Armadillo or ASProtect etc.?
The reason behind my question is that most of the available tut's are not clear to follow.
H_T_P
Site Admin
Posts: 83
Joined: Mon Mar 01, 2010 7:41 pm

Re: Inlining ACProtect v1.32

Post by H_T_P »

Maybe I will take a look at the new version, just in case.

Regarding other inline tutorials, I haven't written much..., the truth is that I don't even have the time anymore, but I will do something more in the future. 8-)
newhak
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm

Re: Inlining ACProtect v1.32

Post by newhak »

Please don’t think I am here just to download and ask people to crack stuff. I do want to learn.
Without any compliment, I found your inline tut the most useful one I have ever read. It is really beneficial as it presents the idea in a very simple way. Thus, I asked about the other inline tut’s.

I am very keen on MUP and inline patching so I hope that you carry on……

In regard to our target, I’ll keep you updated if I achieve something new, and pls do so too.
H_T_P
Site Admin
Posts: 83
Joined: Mon Mar 01, 2010 7:41 pm

Re: Inlining ACProtect v1.32

Post by H_T_P »

Don't worry man, I don't think that you are here just for asking other people to crack something for you.

In any case, if you believe in yourself and keep on trying you will achieve your goals in the end.

I am not a great unpacker or inliner either, but that's alright because at least I know that everything I do I know why I do it and I don't keep just copying stuff.

I am sure you are the same..., so just go for it and everything will be fine.
newhak
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm

Re: Inlining ACProtect v1.32

Post by newhak »

That's true, I am not here for this reason. I was googling and found one of your tut's so I came to this forum :D

Anyway, I cannot believe you're not a good inliner, cause the way you wrote the inline code is professional.

I have read several inline tut's and, believe it or not, 90% of them are rubbish, as the authors either wanted to hide something or they are not sure (just copy and paste).

I really do want you to carry on, so pls whenever you have spare time be generous to share what you have.


Thanks again and so sorry for bothering you