IntelliSecure R2
Another readymade protection dies
Written by xOANON [UCF/CLASS]
Introduction
Hi again Fravia+! Probably you can't believe your eyes.... another essay from +Xoa after less than a month! :) Am i mad maybe? Or have i run out of women and fun in this hot summer, with nothing better to do than sit here at the PC writing essays? Who knows.... ehehhehe :) xOANON ran out of women... impossible :) I just found some free time, that's all :) See, in reality <== xOANON is actually not a +cracker, he's a +playboy ! (Don't care too much about this rambling, please: it's very hot down here and it gets to our minds, we all get a little bit mad :)
Anyway... this time i'll present to your readers another readymade protection, very very crappy in my opinion. Nothing compared to VBox and Timelock, which are wrappers... This one instead acts only as a "crypter". But you will understand better reading the essay.
Another thing i want to say: the programmer (maybe knowing how foolish the protection is) has released IntelliSecure R2 as freeware (you can find it on http://www.dataet.com/products/isr2, get it coz it's required for a complete understanding of the protection). This is good, at least he doesn't ask anything for his (crappy) work. PreviewSoftware (VBox & Timelock) instead asks thousands of $$$ for their protections.... bah. Shareware programmers please, -OPEN YOUR EYES- !
Tools required
SoftIce
W32DASM
Your favourite HexEditor
Cigarettes (i think i will be bugged soon by anti-smokers... anyway, i think smoking while cracking is quite relaxing. Don't take it like "i wanna be a kewl cracker so i'll start smoking", coz smoking is quite dangerous for your health (you die sooner)... It's just my personal 'against the current' opinion, nothing more :)
A fan (to face this warm summer)
Some good grunge music (Nirvana, Stone Temple Pilots, etc...)
Not so optional: a blond/red/black/blue/green/orange/violet haired girl next to you to keep the cracking more amusing... crackers need love! :)
Target's URL/FTP
Intellisecure R2 from DataEt software
Program History
I don't know any other versions of IntelliSecure... maybe more to come after this essay :)
Essay
Well, let's start as always... load SoftICE, light your cigarettes, sip your drinks, etc....
But first of all get IntelliSecure R2 and apply it to an executable file of your choice. Once applied, you'll notice some other files have appeared in the directory. They are:
1) EULA1.RTF <== End user license agreement 1 (don't care about it)
2) EULA2.RTF <== End user license agreement 2 (don't care about it)
3) REGISTER.RTF <== Registration form (don't care about it)
4) CAPTIONS.DAT <== Used for the localization of the IntelliSecure module (don't care about it)
5) REPORT.TXT <== Just a report file which contains the number of executions of the file, its state (locked/unlocked), etc... Don't care about it either.
6) xxxxxx.xxx <== The key created using the IntelliSecure Lock Configuration utility after the lock. In the intention of the programmer, this must be kept only by the producer of the locked software and used in combination with the USER-ID given by the locked module to obtain a valid serial number.... Amazing :) But don't care about it either.....
7) ISR2RT.DAT <== Interesting
8) xxxxx.EXE <== Your .EXE file .... hmmm.... its length has changed... what the hell has happened? Is it packed? Is it crypted? Is it wrapped with something? We'll see later...
(xxxxxx = names you choose)
Let's start thinking now.... we notice immediately that ISR2RT.DAT has **THE SAME** length as your original file. What does it mean?
Easy.... IntelliSecure simply does this: it encrypts your file, renames it to ISR2RT.DAT, then creates a loader with the same name as your .EXE file. This loader is universal (always the same structure and the same length of 371633 bytes) and it's used to control the time/executions expiration. So what i thought of in the beginning was to make a "universal crack" for it, according to my tradition of universal cracks as for Timelock and VBox. Very easy.....
Just load your locked .EXE, choose "Unlock Software", enter a name (min. 6 chars) and any unlocking code you want. Now enter SoftICE, put a BPX on HMEMCPY and click on "Unlock Application". You will land, after various PRETs and stepping, in this code:
{ At this point, a result mask is already computed from your name/serial combination }
mov eax, dword ptr [eax+00000264]
call 13AD4
mov eax, dword ptr [ebp-48]
mov al, byte ptr [eax+05]
xor byte ptr [ebp-1A], al
cmp bl, byte ptr [ebp-0E] <== start comparing
jne 35355 <=== are you trying to crack my routine? but please...... SHUT UP!
......
There are some other JNEs; simply skipping past them we land here:
lea edx, dword ptr [ebp-4C] <=== here starts the unlocking routine
xor eax, eax
call 027C4
mov eax, dword ptr [ebp-4C]
lea edx, dword ptr [ebp-44]
call 05C44
lea eax, dword ptr [ebp-44]
mov edx, 35484
call 0350C
mov eax, dword ptr [ebp-44]
..........................
Nothing more to say: just changing the JNE 35355 into JMP 34E37 will do the work without wasting time analyzing the serial routine. And this works fine, the program is correctly decrypted and the ISR2 screen will not appear anymore. As i said, since the loader is universal, you can do a universal patch which changes at offset 213469 (dec) the JNE 35355 into JMP 34E37, and this will work with every IntelliSecured program.
NB: "the loader is universal" means it has the same structure, but it's not byte-for-byte the same in every program. This means you must do a simple patcher that asks "Enter IntelliSecured filename: " and patches that file; you obviously can't use the same loader for every IntelliSecured program.
Just this proves the weakness of this protection... The file is decrypted simply by changing a jump, no other checks are made after the program is executed again. In one weird case, i noticed (a bug in ISR2) that the unlocked program sometimes just loads then exits immediately if it resides in the same directory where the ISR2 package is installed... bah :) But i can assure you this crack works every time (i tried many times).
After this funny "prologue" about the weakness of this protection, i start my Marigold emulator and present you the true essay: (NDB: hey Fravia+, why the hell did you accept this guy in the HCU... he's totally mad!) :)
IntelliSecure R2: Virginity restored
by xOANON [UCF/CLASS] powered with Marigold Emulator
Hi guys! It's me again (xOANINO), this time in Marigold (TM) emulation. As xOANON i couldn't do better than a simple universal patch.... but with my brand new, amazing Marigold (TM) emulator i can go further: Virginity restoration!
First of all, why virginity restoration if the program is already unlocked with the universal crack? Simple: i don't like the loader, and since the original executable is only crypted, why waste our precious HD space with 300+ kbytes of loader and stupid .RTF, .DAT and .TXT files? Just throw'em out!
Well, light another cigarette now and start thinking: ISR2RT.DAT must be accessed somewhere by the loader, to be decrypted. So, load it in our HexEditor and write down the first few bytes... we'll just locate them in memory when the file is accessed. Then, lock another file with IntelliSecure, run it, set a BPX CREATEFILEA (used to access the file) and choose "Continue Execution" from the IntelliSecure screen.
Once you've located the point where it pushes ISR2RT.DAT as the filename before the call to CREATEFILEA, set another BPX on READFILE and..... bingo! You'll land here (as always, i will not show you the relevant code locations, you should be able to trace and locate them yourself, on your own legally obtained copy of this ineffective protection, using SoftICE):
{ISR2RT.DAT is read with READFILE in steps of $2000 bytes}
lea edx, dword ptr [ebp+FFFFDFEC] <== location which will hold the bytes read
mov ecx, 00002000 <=== bytes to read
mov eax, dword ptr [ebp-10]
call 05A54 <== read $2000 bytes from ISR2RT.DAT using the READFILE api
mov edi, eax <== number of bytes actually read
xor eax, eax
mov al, byte ptr [ebp-09] <== hmmm... EBP-09 holds something like a "magic numbers" table...
mov dword ptr [38030], eax <=== first of the 5 magic bytes moved to 438030 (it seeds the generator called below)
mov ebx, 00002000 <== byte counter
lea esi, dword ptr [ebp+FFFFDFEC] <== at ESI dwell the $2000 bytes read
mov eax, 00000100
call 0293C
----------------------------------------------------------------------------------------------------------------------------
Code at 0293C (this is where the "magic table" enters the game)
imul edx, dword ptr [38030], 08088405 <== EDX = seed * 08088405 (this 3-operand form ignores the old EDX)
inc edx <== + 1: together with the multiplier, this is the same linear congruential generator Delphi's Random uses
mov dword ptr [38030], edx <=== store the new seed back to 438030
mul edx <== EDX:EAX = EAX * EDX with EAX = $100, so EDX receives the top byte of the new seed
mov eax, edx <== result in EAX (only AL is used by the caller)
ret
----------------------------------------------------------------------------------------------------------------------------
xor byte ptr [esi], al <== decrypt first byte
inc esi <== next byte
dec ebx <== decrement the counter set to $2000 bytes read
jne 2FC43 <= until all $2000 bytes read are decrypted
xor eax, eax
{ the following code does exactly the same: the file has 5 layers of encryption, one per magic number, each a XOR with the generator restarted from that byte }
:2FC55 mov al, byte ptr [ebp-08] <== 2nd magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FC68
xor eax, eax
mov al, byte ptr [ebp-07] <== 3rd magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FC8D
xor eax, eax
mov al, byte ptr [ebp-06] <== 4th magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FCB2
xor eax, eax
mov al, byte ptr [ebp-05] <== 5th (last) magic number
mov dword ptr [38030], eax
mov ebx, 00002000
lea esi, dword ptr [ebp+FFFFDFEC]
mov eax, 00000100
call 0293C
xor byte ptr [esi], al
inc esi
dec ebx
jne 2FCD7
lea edx, dword ptr [ebp+FFFFDFEC] <== type "d edx" in SoftICE now to see the first $2000 bytes of the file decrypted. You can finally see the "MZ" header: the beginning of the file is decrypted.
mov ecx, edi
mov eax, dword ptr [ebp-14]
call 05A80 <== read next $2000 bytes now
cmp edi, 00002000 <== was a full $2000-byte block read, i.e. end of file not reached yet?
je 2FC19 <== if so, restart from the beginning with the next block
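As an added example (mine, not the loader's code and not the page's Delphi decrypter), a Python model of what the listing above does: the generator at 0293C, the five XOR layers and the per-block seed reset. The magic bytes and the fake executable are constructed values. properties() checks two things the listing implies: the scheme is its own inverse, and the five layers collapse into a single keystream that, because the seed is reset from the magic byte at every block, is identical for every $2000-byte block.

```python
# Constructed model of the IntelliSecure R2 scheme traced above; added example
# code, not the loader's code and not the page's Delphi decrypter.
BLOCK = 0x2000     # the loader reads and decrypts ISR2RT.DAT in $2000-byte steps
MUL = 0x8088405    # multiplier from "imul edx, dword ptr [38030], 08088405"


def keystream(magic, n):
    """Yield n bytes of one layer's keystream, as the routine at 0293C does."""
    seed = magic & 0xFF                        # xor eax,eax / mov al,[ebp-09]
    for _ in range(n):
        seed = (seed * MUL + 1) & 0xFFFFFFFF   # imul + inc, stored to [38030]
        yield seed >> 24                       # mul edx (eax=$100): top byte of seed


def decrypt_block(block, magic):
    """Apply the five XOR layers to one block, one layer per magic byte."""
    out = bytearray(block)
    for m in magic:                            # [ebp-09] .. [ebp-05]
        for i, k in enumerate(keystream(m, len(out))):
            out[i] ^= k
    return bytes(out)


def decrypt(data, magic):
    """Whole file: the seed is reset to the magic byte at every block."""
    return b"".join(decrypt_block(data[i:i + BLOCK], magic)
                    for i in range(0, len(data), BLOCK))


# Constructed sample input: made-up magic bytes and a fake 2.5-block "executable".
SAMPLE_MAGIC = bytes([0x11, 0x22, 0x33, 0x44, 0x55])
SAMPLE_EXE = (b"MZ" + bytes(range(256)) * 70)[:2 * BLOCK + 100]


def properties(magic=SAMPLE_MAGIC, exe=SAMPLE_EXE):
    """Check two facts the listing implies about this 'encryption'."""
    ct = decrypt(exe, magic)                   # locking is the very same XOR
    ks = decrypt_block(bytes(BLOCK), magic)    # zeros in -> combined keystream out
    return {
        # XOR applied twice is the identity, so decrypt == encrypt
        "involution": decrypt(ct, magic) == exe,
        # five layers == one keystream, and it repeats for every block (i % BLOCK)
        "one_repeating_stream": all(c == p ^ ks[i % BLOCK]
                                    for i, (c, p) in enumerate(zip(ct, exe))),
    }


if __name__ == "__main__":
    print(properties())   # both True
```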
Pheeeeeew.... it really took me a long time to write all this :) But we haven't finished yet.... Is it time for another cigarette? bah..... yes :)
Now, we have 99% of the things needed to code a decrypter. The only thing we miss is the magic table... is it always the same for all the locked files? Well, i tried and... no, the programmer was so smart as to change it every time (wow ! :)).
So... where is this magic table located? Is it something about the key file created by the IntelliSecure Lock Configuration utility? Again, NO!
(what the hell xOA.... tell us where that crap magic table is!!!!)
Ehehehehhe.... calm down :) Since i haven't had better ideas, i wrote down the bytes found here and started to search for them inside the files we have handy: the loader and ISR2RT.DAT. Surprisingly (how stupid commercial programmers are.....) they are hardcoded, even without encryption, in the loader at offset 371200 (dec). Locking other files produced the same results.... the magic table is ALWAYS stored in the loader at that offset.
So guys, now we have everything for the decrypter. Here is the Delphi code (you may say it's an overbloated language, but i like it a lot... so don't bug me! :)
Of course this decrypter has been written and is being published only in order to demonstrate how utterly useless this kind of protection scheme is; try it out on the target and/or modify and improve it if you find it worthwhile...
{ this obviously needs its forms to work... so don't think you can use it just by cutting & pasting }
----------------------------------------------------------------------------------------------------------------------------
unit isec;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, ExtCtrls, ComCtrls;

type
  TForm1 = class(TForm)
    Edit1: TEdit;
    Button1: TButton;
    Label1: TLabel;
    Button2: TButton;
    Label2: TLabel;
    Label3: TLabel;
    Bevel1: TBevel;
    Image1: TImage;
    Image2: TImage;
    Image3: TImage;
    Button3: TButton;
    pbar: TProgressBar;
    progress: TStaticText;
    Button4: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure Button4Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

var
  infile, outfile: tfilestream;
  magic: dword;                                  { current generator seed, same role as [38030] in the loader }
  magic1, magic2, magic3, magic4, magic5: byte;  { the 5 magic bytes read from the loader }
  buflength, flength: longint;
  buf: array [1..$3000] of byte;
  temp, nameoffile: string;
  filetorape, file2: file of byte;

implementation

uses dirbox, Unit3, Unit4;

{$R *.DFM}

procedure decrypt; // main decryption asm routine: one layer over buflength bytes of buf
label
  keepon, alldone;
begin
  asm
    pushad
    mov edx, buflength
    cmp edx, $0
    jz alldone                              // empty buffer (end of file): nothing to do
    mov ebx, edx                            // byte counter
    lea esi, buf
  keepon:
    mov eax, $100
    imul edx, dword ptr [magic], $8088405   // same generator as the loader's 0293C
    inc edx
    mov dword ptr [magic], edx
    mul edx                                 // edx = top byte of the new seed
    mov eax, edx
    xor byte ptr [esi], al                  // keystream byte onto the data byte
    inc esi
    dec ebx
    jne keepon
    xor eax, eax
  alldone:
    popad
  end;
end;

procedure TForm1.Button1Click(Sender: TObject);
begin
  form2.show;
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  if edit1.text = '' then
    showmessage('Please select a .EXE file to be unwrapped!')
  else
  begin
    nameoffile := edit1.text;
    nameoffile := strupper(pchar(nameoffile));
    assignfile(filetorape, nameoffile);
    if fileexists(nameoffile) then // check if the file exists
    begin
      reset(filetorape);
      // now check if the .EXE file selected is a valid ISR2 file by comparing
      // its length with the standard length of the loader (371633 bytes)
      if (filesize(filetorape) <> 371633) then
        showmessage(nameoffile + ' isn''t a valid IntelliSecured file!');
      if (filesize(filetorape) = 371633) then
      begin
        progress.show;
        pbar.show;
        application.processmessages;
        // get the magic values from the loader
        seek(filetorape, 371200);
        read(filetorape, magic1);
        read(filetorape, magic2);
        read(filetorape, magic3);
        read(filetorape, magic4);
        read(filetorape, magic5);
        closefile(filetorape);
        temp := extractfilepath(nameoffile);
        temp := temp + 'isr2rt.dat';
        try
          infile := tfilestream.Create(temp, fmopenread);
          pbar.max := infile.size;
          outfile := tfilestream.create(nameoffile, fmcreate);
          buflength := $2000;
          pbar.step := buflength;
          // begin the decryption, $2000 bytes at a time
          while buflength <> 0 do
          begin
            buflength := infile.read(buf, $2000);
            magic := magic1; decrypt;
            magic := magic2; decrypt;
            magic := magic3; decrypt;
            magic := magic4; decrypt;
            magic := magic5; decrypt;
            outfile.Write(buf, buflength);
            pbar.stepit;
          end;
          progress.caption := 'Deleting files';
          // The End (my only friend, the end <== The Doors... aaargh i'm goin' really mad tonight :))
          // Well... delete unnecessary files now (.DAT, .RTF, etc..)
          pbar.position := 0;
          pbar.max := 6;
          pbar.step := 1;
          outfile.free;
          infile.free;
          temp := extractfilepath(nameoffile);
          filesetattr(temp + 'eula2.rtf', faarchive);
          deletefile(temp + 'eula2.rtf');
          pbar.stepit;
          filesetattr(temp + 'eula1.rtf', faarchive);
          deletefile(temp + 'eula1.rtf');
          pbar.stepit;
          filesetattr(temp + 'captions.dat', faarchive);
          deletefile(temp + 'captions.dat');
          pbar.stepit;
          filesetattr(temp + 'register.rtf', faarchive);
          deletefile(temp + 'register.rtf');
          pbar.stepit;
          filesetattr(temp + 'isr2rt.dat', faarchive);
          deletefile(temp + 'isr2rt.dat');
          pbar.stepit;
          filesetattr(temp + 'report.txt', faarchive);
          deletefile(temp + 'report.txt');
          pbar.stepit;
          pbar.Hide;
          progress.caption := nameoffile + ' has been successfully unwrapped!';
        except
          showmessage('Sorry... i can''t find ISR2RT.DAT');
          pbar.hide;
          progress.hide;
        end;
      end;
    end
    else
    begin
      showmessage(nameoffile + ' not found!');
      pbar.hide;
      progress.hide;
    end;
  end;
end;

procedure TForm1.Button3Click(Sender: TObject);
begin
  form3.show;
end;

procedure TForm1.Button4Click(Sender: TObject);
begin
  form4.show;
end;

end.
----------------------------------------------------------------------------------------------------------------------------
THE END
(c) xOANINO [UCF/CLASS] 1998
Final Notes
Finally... it took me like 3 hours to write this essay ! :) Hope you liked it... and again shareware programmers "OPEN YOUR EYES" ! Ask crackers if you don't know how to code a decent protection, but please don't give your money to those vampires! Hope this is the last time i write an essay on readymade protections but..... as we always knew... stupid's mothers are always pregnant :))
Ciao Fravia+, Tot ziens! Bis zum nächsten Mal! Alla prossima!
Ob Duh
I won't even bother explaining to you that you should BUY all relevant target programs if you intend to use them for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find anything on the Warez sites, complete and already regged, farewell.