
Inlining ACProtect v1.32


Postby H_T_P » Sun Aug 08, 2010 8:30 pm

In this article we take a close look at ACProtect v1.32 and we manage to write our own inline function inside its code in order to bypass the checks of the license system of the packer.


Download: Inlining ACProtect v1.32


Enjoy,

H_T_P
I have Inlined Truth into Well-Packed lies. (Hack_ThE_PaRaDiSe)
H_T_P
Site Admin
 
Posts: 84
Joined: Mon Mar 01, 2010 7:41 pm


Re: Inlining ACProtect v1.32

Postby newhak » Mon Dec 27, 2010 11:16 pm

Thanks mate, this is a really great article.

keep coming

I have one question. I tried to apply the tut. It works fine for the version you used but it does not for the new version.

The code is still the same, just small changes in addresses. When you inject your code and run the prog, it works and closes, so is that because of CRC? Please help.
newhak
 
Posts: 5
Joined: Sat Dec 25, 2010 3:18 pm


Re: Inlining ACProtect v1.32

Postby H_T_P » Wed Dec 29, 2010 3:09 am

I am sorry, but I don't have the time to check what you are asking for.

However, if you are sure that this is because of a CRC check, then you should take a look at the stack window as soon as the process terminates and use the info regarding the last calls to trace back and find the point where the CRC check is done.

I have to point out, that there was a reason why in my inline function I have added some more lines in order to restore back the original code where the first part of the inline function has written some jumps.
I had noticed that the next time the function regarding the activation status is called, the EBX value must not be changed to 1, otherwise the program terminates, and that's why we restore back the original code and remove the jumps to our code cave.

Probably this is your case too, so check those things first. :O)


Re: Inlining ACProtect v1.32

Postby newhak » Wed Dec 29, 2010 5:33 pm

Thanks for your reply. I did think that nobody would care.
Your efforts are really appreciated.

In regard to the injection code you made for the old version, it works fine as there is no CRC, I believe. Also, if you set a bp on the first jmp to the code cave and another bp on the part where you want a value of one to be moved to ebx, you'll notice that the code will pass through the first loop three times or so, then will move to the part of (move eax,ebx) which became a jump to the cave, and never go back to the previous loop. This means you do not need the two lines you wrote in the injection code:
006D7CCB C705 01729400 8>MOV DWORD PTR DS: [947201], 18246C8D
006D7CD5 C605 05729400 5>MOV BYTE PTR DS: [947205], 5E

unless you want to return that part to its original as well.

For the new version, it seems that they noticed this and made a CRC which will terminate the program as soon as a change is detected.

Anyway, I'll try to trace back the CRC, hope I find something useful.


Re: Inlining ACProtect v1.32

Postby H_T_P » Thu Dec 30, 2010 1:20 am

newhak wrote:
This means you do not need the two lines you wrote in the injection code:
006D7CCB C705 01729400 8>MOV DWORD PTR DS: [947201], 18246C8D
006D7CD5 C605 05729400 5>MOV BYTE PTR DS: [947205], 5E

unless you want to return that part to its original as well.



That's exactly what we want. After the first time we go to the 2nd part of our inline function we *have* to restore back the code where there is the jump that brings us here.
Otherwise, later on the process will terminate and that's why there is another check later on that actually wants to take 0 as a result and not 1.
I think maybe this is your case. Make sure that you have correctly added these 2 lines.


Re: Inlining ACProtect v1.32

Postby newhak » Thu Dec 30, 2010 3:11 pm

H_T_P wrote:
That's exactly what we want. After the first time we go to the 2nd part of our inline function we *have* to restore back the code where there is the jump that brings us here.
Otherwise, later on the process will terminate and that's why there is another check later on that actually wants to take 0 as a result and not 1.
I think maybe this is your case. Make sure that you have correctly added these 2 lines.



That's ok, I understood what you mean from the beginning. I do not like to apply techniques or ideas that I do not know how they work, and therefore I traced every single point in your inline code. This code is applicable to the version you used, but for the later version I think a revision should be made, as I tried to apply it fruitlessly.

I do believe that the CRC is behind the problem. Up to now I could not locate it in the code ): but still trying

On the other hand, have you made any such inline tut's on the other protectors such as Armadillo or ASProtect etc.?
The reason behind my question is that most of the available tut's are not clear to follow.


Re: Inlining ACProtect v1.32

Postby H_T_P » Thu Dec 30, 2010 4:04 pm

Maybe I will take a look at the new version, just in case.

Regarding other inline tutorials, I haven't written much..., the truth is that I don't even have the time anymore, but I will do something more in the future. 8-)


Re: Inlining ACProtect v1.32

Postby newhak » Thu Dec 30, 2010 4:55 pm

Please don't think I am here just to download and ask people to crack stuff. I do want to learn.
Without any compliment, I found your inline tut the most useful one I have ever read. It is really beneficial as it presents the idea in a very simple way. Thus, I asked about the other inline tut's.

I am very keen on MUP and inline patching so I hope that you carry on...

In regard to our target, I'll keep you updated if I achieve something new, and pls do so too.


Re: Inlining ACProtect v1.32

Postby H_T_P » Thu Dec 30, 2010 7:40 pm

Don't worry man I don't think that you are here just for asking other people to crack something for you.

In any case, if you believe in yourself and keep on trying you will achieve your goals in the end.

I am not a great unpacker or inliner either, but that's alright because at least I know that everything I do I know why I do it and I don't keep just copying stuff.

I am sure you are the same..., so just go for it and everything will be fine.


Re: Inlining ACProtect v1.32

Postby newhak » Thu Dec 30, 2010 10:36 pm

That's true, I am not here for this reason. I was googling and found one of your tut's so I came to this forum :D

Anyway, I cannot believe you're not a good inliner 'cause the way you wrote the inline code is professional.

I have read several inline tut's and, believe it or not, 90% of them are rubbish as the authors either wanted to hide something or they are not sure (just copy and paste).

I really do want you to carry on, so pls whenever you have spare time be generous to share what you have.


Thanks again and so sorry for bothering you