ARTeam Tutorial. Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking & Cracking Protection Plus v4.x DLL

| Information | Unpacking & Cracking Protection Plus v4.x DLL |
| Target | Web Scraper Plus+ v4.0.12 |
| Available | http://intechhosting.com/~access/ARTeam/tools/WebScraperPlus.exe |
| Tools | OllyDbg 1.10, ImpRec, LordPE, Re-Pair |
| Protection | Protection Plus v4.x DLL Stub |
| Level | Beginner to Intermediate |
| Category | Unpacking, cracking... shit like dat |
| Author(s) | MaDMAn_H3rCuL3s, August 2005 |
| Requirements | Windows XP, IE 5.5 and above for best viewing |
1. Introduction
The reason I made this tutorial is that all the Protection Plus tutorials I have already written deal with an actual exe being protected. In this one we go over unpacking a DLL, and also over cracking the main exe to bypass the DLL (Protection Plus) check. This was far too easy: the author left too much room for modifications. Aside from using a protection that has been defeated too easily, he made it even easier to just patch the main exe. So to start out we will unpack the DLL and crack it to be registered (in this case, unlike the others, we have to patch it a bit). The check is way too easy to see; simple tracing would land you in the correct area for patching. We at ARTeam hope you enjoy this tutorial and take no responsibility for any action you take when/after reading it.
2. Unpacking & Cracking the DLL
Normally we start out at the EP of the protector, but this time we start out at the EP of the NON-packed exe, only because the protected DLL is accessed later on. So we will go through the steps of determining the actual protection culprit. Start up "Console.exe" in Olly, and we are here:
Like I said, this isn't packed, so we must figure out exactly what we need to do. For this tutorial we will pretend we don't already know a DLL is packed. So let's run the app and see what we get...
AHA! The classic Protection Plus NAG! So we see what our goal is right now. Now we must figure out exactly why we get this nag. Let's hit F12, then hit "ALT+K"..
Okay, we see that we are probably being triggered by "KeyLib32.dll". Does everyone agree? Let's try and find where this driver resides: hit "ALT+E" to bring up our executable modules, and then we can see the path it is at..
Okay, we see that our driver is located in our Windows System folder. Now that we have some basic information on this, let's go open up the driver and see what we get. So start up Olly (if it's not still running) and then open up the driver we just found in our system folder..
Okay! We know this one: Protection Plus v4.x... but this time it's a DLL. Any of the other tutorials would help you on this one, but in a way it's a bit different, so I shall explain the differences: 1. By unpacking it we do NOT remove the nag. 2. The IAT is a bit different, but the same trick still works (JA -> JMP). That's about it; we reach the OEP the same way as before, using the stack. Okay, so our goal here is simple: unpack it, but it has to run. So let's start out by hitting F7 till we execute the PUSHAD, and then follow ESP in Dump...
Then select the first 2 bytes and set a BP HW on Access, Word...
Now we will run the driver till we break on our "Signature Pre-OEP", like so (so hit F9):
Our signature pre-OEP instructions. So execute the RETN and........
OEP! Now we will dump it using OllyDump; make sure you uncheck the "rebuild imports" option at the bottom....
And then save it as whatever. Now let's try and find our import table, or rather our messed up import table, so we can fix it. Instead of just searching for "FF25" like before we will use our own brains here, so trace with F7 till we reach here:
Enter this call and then we will see what we want..
But take good note of this CALL...
Okay, an API :) Follow this pointer in dump and then let's see what we have..
Wow... that's a really fucked up table. Let's scroll up till we find the start of this..
Ok, great, the start of the table is the beginning of this section; that's okay. Let's set a BP HW on Write, DWORD, for this first pointed offset (in other words 078ED000)..
Okay, once we do this we can restart it. RESTART!!!!! (NOTE: if you break on HW BPs before the actual OEP, just use F9 and get past them, as we aren't interested in this until we actually hit the main driver.)
Okay, let's hit F9 and land on our HW BP for our import table. Hit F9 till we break here:
Now hit F9 once (or twice) more; you should be here:
Remember this? Same shit here, guys. Let's go into that CALL above where we broke, and see what we've got going on here..
WOW! Even easier. Remember the JA? Well, instead of being a bit farther down the road, it's right here at the beginning of the call. So let's set a BP HW on EXECUTION on the JA..
And now we can restart it again. We can also remove our previous BPs if you like (DO NOT REMOVE THE ACCESS WORD BP, for the OEP); if not, no big deal. RESTART!!!!
Hit F9 till we break on the JA (as many times as it takes). Make sure the first break is where you stop, and not after the first one..
Now we change the JA -> JMP; this will repair the whole import table for us this time...
And now we can run it till we reach the OEP again (be sure to remove the BP on the JA first, or else we break for a long time).
Now let's see the CALL we looked at before. Trace with F7 till we reach it...
Now let's see what the CALL does this time (check out the table).
Okay, let's follow it in dump and see..
Now that's a very nice table :)
So now use ImpREC and let's recover our imports... BUT first we must fix the anti-dump feature of Protection Plus, where our last section's size is wiped. It's an easy fix: we are just gonna copy the original (packed) driver's section sizes and paste them into our dump (before we repair the IAT). So start up LordPE, use the PE Editor (click the PE Editor button), and then select our original DLL..
Now click the Sections button..
And our last section is the one we will take note of. See that the Raw Size is "F200"? Remember this. Now open up our dumped driver; same thing: PE Editor, then Sections..
You see the last section is 00's? What we are gonna do is change this from 00's to what the original DLL says, "F200", but make the Virtual Size and Raw Size both equal this. So, look below...
Right click the section and select "edit section header"..
Then change the Virtual Size and Raw Size from 00's to "F200"..
Now just save the changes, and then we can safely attach the IAT to the dumped driver. So start up ImpREC. Now, since we are debugging a DLL, we must do something different than just attach to the exe. Watch below to see what I do..
You see I attach to the driver loader in Olly. Now see the button "Pick DLL"? Click that button..
Now do you see the DLL? :) Select it, then click the "OK" button. Then enter our details (the OEP)..
Hold up!!!!!! Why am I entering "16995" instead of something like "074E6A4D"? Well, the latter number is what you get by subtracting the exe's image base (00400000), and we don't want that. Our image base here is 078D0000, so we subtract this from our OEP, which equals "00016995". You see? Okay, now hit the "IAT AutoSearch" button..
Remember our IAT starts here, so enter this into the RVA field. Or using our minds: 078D0000 - 078ED000 = CRAZY NUMBER :) Reverse it please: 078ED000 - 078D0000 = 0001D000. Enter this into the RVA field..
Now change the Size to 1000..
Then click the "Get Imports" button..
Let's cut our invalid thunks..
And then attach this to our dumped driver, and then go ahead and rename it to the real name "KEYLIB32.DLL". Then let's start messing with the actual exe and see what's going on. Please take a break, and be back in 5...
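Two header details in the steps above are easy to get wrong by hand when triaging a dumped module: spotting a section header whose Virtual Size and Raw Size have been wiped (the anti-dump symptom fixed in LordPE above), and converting an address seen in the debugger to an RVA against the DLL's own image base rather than the exe's (the "16995" versus "074E6A4D" confusion). The Python script below is an added example, not code from the original tutorial or from ARTeam. It parses a PE header's section table, flags zero-sized sections, and converts a VA to an RVA. The header bytes are a constructed minimal PE32 that reuses the page's image base (078D0000), OEP RVA (16995) and IAT start (078ED000); the section names, alignments and every other field are assumptions made for the sample.

```python
import struct

# Values taken from the tutorial's numbers; everything else in the sample
# header below is constructed for this example.
IMAGE_BASE = 0x078D0000
OEP_RVA = 0x16995
IAT_VA = 0x078ED000
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(last_vsize, last_rsize):
    """Build a minimal PE32 header (constructed sample, not KeyLib32.dll)
    whose last section carries the given VirtualSize / SizeOfRawData."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL, 32-bit)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<I", opt, 16, OEP_RVA)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)   # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)        # FileAlignment
    text = struct.pack(SECTION_HDR, b".text", 0x1C000, 0x1000, 0x1C000,
                       0x400, 0, 0, 0, 0, 0x60000020)
    last = struct.pack(SECTION_HDR, b".data", last_vsize, 0x1D000, last_rsize,
                       0x1C400, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + text + last


def parse_pe(data):
    """Read ImageBase, entry point RVA and the section table from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "raw_size": f[3],
            "raw_ptr": f[4],
        })
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def zero_sized_sections(pe):
    """Names of sections whose VirtualSize and SizeOfRawData are both zero.
    Such a header still claims address space but tells a loader (and a
    dumper) nothing lives there: the wiped last section described above."""
    return [s["name"] for s in pe["sections"]
            if s["virtual_size"] == 0 and s["raw_size"] == 0]


def va_to_rva(va, image_base):
    """Turn a debugger VA into an RVA relative to the module's own ImageBase
    (what ImpREC expects), refusing addresses that fall below that base."""
    if va < image_base:
        raise ValueError("VA %#x is below image base %#x" % (va, image_base))
    return va - image_base


if __name__ == "__main__":
    for label, sizes in (("wiped", (0, 0)), ("repaired", (0xF200, 0xF200))):
        pe = parse_pe(build_sample_pe(*sizes))
        print("%-8s image base %#x, zero-sized sections: %s"
              % (label, pe["image_base"], zero_sized_sections(pe)))
    print("OEP RVA: %#x" % va_to_rva(IMAGE_BASE + OEP_RVA, IMAGE_BASE))
    print("IAT RVA: %#x" % va_to_rva(IAT_VA, IMAGE_BASE))
```

Run the script as-is to see the wiped header flagged and the repaired one pass; point `parse_pe` at the first few kilobytes of a real file to check a dump before handing it to an import rebuilder. The image-base check in `va_to_rva` is the guard against the mistake the paragraph above describes: subtracting the wrong module's base silently yields a plausible-looking but meaningless RVA.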
3. Cracking our DLL and EXE
Okay, now we can begin patching. Our new goal is to patch out this nag. Since this particular version of Protection Plus doesn't have the nag as part of the wrapper, we must find it and destroy it, but now it's even easier for us since we can patch the DLL itself, because it's unpacked now. In this section we will go over 2 ways of patching this: the first will deal with patching the driver to remove the nag, and the second will deal with patching the exe to remove the call to the nag. Either way will suffice....
Here we are at the EP again. We will hit F9 till we are nagged again..
Now, like before, let's check our call stack and see what we've got: hit F12, then hit "ALT+K"..
So let's follow this last call in the disassembler, and then you will see that we are in USER32.dll. This is okay; simply set a BP under the call that we land on, like so..
And then hit the F9 key again so we run; then select the "Evaluate" option and click "Continue"..
Now let's back-trace this a bit: hit F8 till we return to some nice user code..
And we are back in the main exe :) (Oh, and BTW, you could easily just set a BP on the code section of the main exe, then click the continue button to get here as well, but I wanted to broaden your horizons.) :) Now, somehow this CALL is the one we want; anyone agree?
So let's set a BP on it, then restart it; then we can find out exactly when/where we hit the driver and the nag..
So far so good: no nag, and we broke. Let's trace into this nag. Somehow we need to know if our driver is even loaded yet, so let's check it out: hit "ALT+E" to see our executable modules..
DAMN!!! Anyone got any ideas? Well, what APIs deal with loading? It's sorta similar to what I just said... hmmm... LoadLibraryA, anyone? Let's try this: set a BP on LoadLibraryA, then run it..
There, we see it's getting loaded. Now hit "ALT+F9". Yes, I know you will be in a lost area (no code...)
Hit F9 again; now we should see this in the stack..
Now hit "ALT+E" to see our executable modules again..
:) We see it's loaded. Now for the next trick: hit "ALT+M" to see our memory map, and then we will set a BP in the code section of the driver...
Now run it...
And we break here. Now, since this is a simple nag, we must only find the caller; then we can work from there. So let's continue to trace with F8 till our nag is displayed. You will trace through a few RETNs; keep it going, and don't stop till we see the nag, or some sort of hint of it...
We remember these from the other tutorials, the License Manager checks? Keep tracing with F8..
You'll get here like so, and get an error about a section, blah blah. Just set a BP under it like I did and break..
Seems we are getting close. See the calls? References to EXPIRED & VALIDATE.
See these strings?
And this call is the one; our nag is displayed. So let's do like before: select the "Evaluate" option, then click "Continue".
And then let's back-trace this again..
And now we are back here again :( Okay, obviously we missed it. Remember the strings I showed you, the strings that the dialog would hold? Well, that's what we have to patch, or at least around that area. So do the same again: let's break inside the driver again. You should be here after the first break on the call, then the BP on LoadLibraryA, then the break in the driver's code section..
Now let's trace with F8 really slowly. First off, we can safely exit this section, meaning go to the RETN and then execute it. You should be here..
Now we can safely trace through the RETN again. You should be here:
Now it gets tricky... well, not really. Continue to trace with F8 and execute the RETN again (last time). You are here:
Okay, now scroll up a bit. See this:
OK, we have now found our starting point; this is where we enter the "registered" check. So set a HW BP on EXECUTION on this offset (the PUSH EBP), then restart it. We break on this (the HW BP, that is):
Now, all we need to do here is... a bit tricky. Okay, listen up: scroll down till the end. You see this:
Okay, in order for our program not to crash we must keep the registers exactly what they need to be. We see that EBX is moved into EAX, so let's see what EBX would equal..
Okay, so in order NOT to crash, EAX must equal 1. So we can do this, and we would be okay...
So now the app thinks it displayed the nag, but in actuality we never saw it. MAKE SENSE? So now let's run it. Did you see a nag? Fuck no :)
Okay, that's objective one of the second part completed. We now will patch the main exe to do the same exact thing, except the driver can even be packed; it doesn't matter, since we will simply bypass it. This is where the author messed up: he made it even easier to patch the exe than the driver. I only showed you the driver to broaden your horizons :) So don't hate me for it; hopefully you learned something new. So now you can save the changes if you'd like, or you can just simply follow along, but remember to keep either the un-patched or the still-packed driver in the system folder so we can go on to objective #2. Please take another 5 minute break...
Okay! Break over. We last learned about patching the driver after it's unpacked; now we are gonna learn to patch the main exe. We will use similar BPs, so do we remember the last ones we had?
Okay, now let's use our brains here. Somehow there has to be a way to bypass this call, as it's the NAG call. Any ideas? Let's try scrolling up a bit and see if there's any way out of this call...
If we hit this JMP we will bypass the nag, so somehow above this we jump over this JMP. Let's look up a bit more...
Now, if we jump here on the JE we will go over the JMP (BAD); we do not want to jump...
We see the algo that determines if we jump or not. In plain terms: we make ECX equal 0, then test EAX; if EAX is not 1 then we will not set CL. Obviously EAX is equal to 0, so somehow we need to make CL set. Any ideas? How about this:
Now we set CL, but try and run it (so restart it, make this change, then run it)...
OUCH! Okay, seems we need a little more patching. Any ideas?
Well, if you trace it out a bit, we see this string :) Let's look before it and see if we can get around this somehow....
You see this?
Let's make the JNZ -> JMP. So restart it, then make the first change so we set CL, then make this one a jump, and then run it...
RUNS!!!!!!! So save the changes. Now you just learned to patch the main exe..
Well, we here at ARTeam hope you enjoyed this tutorial. Remember, if you like the program you should buy it. Until next time I remain.. MaDMAn_H3rCuL3s
4. Conclusion
Lessons learnt:
1. You learned how to unpack a driver and patch it, plus patch the exe to achieve the same goal.
2. ARTeam still remains your #1 source for your reversing needs....
5. Greetingz
[MAIN TEAM] [TSRH] [Exetools] [RCE Forums] [CUG]
[Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0]
[C0n3r0n3] [ILCH] [And any others I missed]