GSM-Forum, GSM Programming & Reverse Engineering
01-29-2015, 19:05   #1
VickFirtzh (Junior Member, joined Feb 2007)
[Warning Boxes] Freebies reverse, cracks around us.


#1 No need to be smart to reverse.
IDA is too far away and unaffordable. Understand Olly, and that's it. Free.

#2 No need to be an expert on Olly either, since there are tons of kiddie one-click plugins spread on the net.

There are so many LAZY GSM box coders that don't even know how to protect their application. They just count on a compressor/packer + a silly enveloper provided by the token factory and think it's safe... no, it is NOT.

This is a serious issue for those who invest their money to buy a box, because I see somewhere people selling a "CRACK MEGA PACK in ONE dongle".

Yes, like this, click here:
http://usbtuyul.b l o g s p o t.com/2014/10/dongle-pse.html
The URL given is just an example, it doesn't mean anything else.

Suggestion to box producers:
Pay good attention to DEBUGGING and RAM injection.
This is the ONE-TWO-THREE method of RAM injection:

1. Change app attributes on the fly
Code:
// sz: TStartupInfo with sz.cb := SizeOf(sz); proc: TProcessInformation
if CreateProcess(PChar('your-exe-target'), nil, nil, nil, False, 0, nil, nil, sz, proc) then
2. Read such routines + subs in RAM
Code:
// oldbyte: array of Byte sized to the patch site; readbyte: DWORD, bytes actually read
ReadProcessMemory(proc.hProcess, Pointer($POINTARGET), @oldbyte[0], Length(oldbyte), readbyte);
3. Redirect the routines from step 2 in RAM.
Code:
// newbyte holds the redirected bytes (e.g. a jmp); writing oldbyte back would only restore step 2
WriteProcessMemory(proc.hProcess, Pointer($POINTARGET), @newbyte[0], Length(newbyte), readbyte);
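The three steps above as one complete Delphi 7 console program, written for this page as an added example (it is not VickFirtzh's injector and not any box vendor's code). The exe path, the address and the byte values are placeholders to adjust for your own test build; the address assumes the default 32-bit image base $400000 with no relocation, which holds for a plain Delphi 7 exe. It adds the check a practitioner wants before step 3: the bytes at the target address are compared with the expected originals and nothing is written until they match. That same check is what makes it work against a packed target, because the real code only appears at that address after the unpacking stub has run.

```pascal
program RamPatch;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  // Placeholder target: build your own one-button test exe and adjust.
  TargetExe = 'C:\test\target.exe';
  // Virtual address of the conditional jump to neutralise. Assumes image base
  // $400000 and no relocation; for a relocated image add the real base to the RVA.
  PatchAddr = $00401234;
  PollMs    = 50;      // interval between read attempts
  TimeoutMs = 10000;   // give up if the expected bytes never show up

type
  TBytes2 = array[0..1] of Byte;

const
  // Placeholder values: expected "jz short" (74 xx) and replacement "jmp short" (EB xx).
  Expected: TBytes2 = ($74, $10);
  Patch:    TBytes2 = ($EB, $10);

// Starts Exe, waits until the bytes at Addr equal Expect (a packed target only
// shows them once its unpacking stub has run), then overwrites them with NewBytes.
// Returns True on success; never writes unless the original bytes were verified.
function PatchProcess(const Exe: string; Addr: Pointer;
  const Expect, NewBytes: TBytes2): Boolean;
var
  si: TStartupInfo;
  pi: TProcessInformation;
  cur: TBytes2;
  n, oldProt, dummy, waited: DWORD;
begin
  Result := False;
  FillChar(si, SizeOf(si), 0);
  si.cb := SizeOf(si);
  // Step 1: launch the untouched exe. PChar is PAnsiChar on D7 and PWideChar on
  // Unicode Delphi, matching the CreateProcess binding in Windows.pas either way.
  if not CreateProcess(PChar(Exe), nil, nil, nil, False, 0, nil, nil, si, pi) then
    RaiseLastOSError;
  try
    // Step 2: read the target bytes until they are the ones we expect to patch.
    waited := 0;
    repeat
      if ReadProcessMemory(pi.hProcess, Addr, @cur, SizeOf(cur), n)
         and (n = SizeOf(cur)) and CompareMem(@cur, @Expect, SizeOf(cur)) then
        Break;
      Sleep(PollMs);
      Inc(waited, PollMs);
      if waited >= TimeoutMs then
        Exit;  // wrong address, wrong build, or still packed: do not write blindly
    until False;
    // Step 3: make the page writable, write the redirect, restore the protection.
    if not VirtualProtectEx(pi.hProcess, Addr, SizeOf(cur), PAGE_EXECUTE_READWRITE, oldProt) then
      RaiseLastOSError;
    Result := WriteProcessMemory(pi.hProcess, Addr, @NewBytes, SizeOf(NewBytes), n)
              and (n = SizeOf(NewBytes));
    VirtualProtectEx(pi.hProcess, Addr, SizeOf(cur), oldProt, dummy);
    FlushInstructionCache(pi.hProcess, Addr, SizeOf(cur));
  finally
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
  end;
end;

begin
  if PatchProcess(TargetExe, Pointer(PatchAddr), Expected, Patch) then
    WriteLn('patched ', TargetExe, ' at $', IntToHex(PatchAddr, 8))
  else
    WriteLn('expected bytes not found; nothing written');
end.
```

Polling like this is a blind race against the target: between the moment the bytes appear and the moment the check executes there is a window you do not control, which is why serious patchers attach as a debugger or hook the entry point instead. It also only works when a plain jz is there to patch; a packer that checksums or re-protects its unpacked code, or a VMProtect-style one that keeps the check inside a virtualised routine, leaves nothing of the kind at a fixed address, which is what posts #2 and #5 are pointing at.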
01-29-2015, 20:10   #2
No Life Poster (joined Jun 2004, USA)
Quote:
Originally Posted by VickFirtzh (post #1 above, quoted in full)
I am not sure if you personally have cracked some box software, but I can tell you it's either impossible or extremely hard.

The packers that are used cannot be cracked by any public script, unless an older version is used. Packers have some anti-debug enabled, which can be bypassed, but not by just anyone. You also have to understand the packer before you can even begin the debugging.

Also, the cards in the boxes have a lot of algos for software functions. So the software is useless without the box, as it is missing certain functions.

I am speaking from experience, and I haven't researched anything about boxes for over 2 years, so I may be wrong.
01-29-2015, 21:21   #3
VickFirtzh (Junior Member)
Hi,
Yes, we are aware of the complex routines on the smartcard. But if we are talking about RAM injection, then say goodbye to the complexity.

Those people who make the crack do it for business purposes.
They bought the original stuff, did the sniffing, and then built the injector. They DO NOT TOUCH the original exe. What they make is a RAM redirection for the targeted exe. They sell the cracks. This is insane.

Again, it depends on how the coder implements the protection. Because today we see so many cracked professional products.

Please try to build your own test program: 1 form, 1 button, 1 radio button, all disabled. Pack it with your favorite packer, obfuscate it. Run the old bad boy 'enforcer.exe'. You will be shocked. Just an example. Even today, I see many GSM programs that cannot avoid this style.
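The test described in the post above (a form whose button and radio button stay disabled until the box is present) can be defeated without reading a single byte of the exe, which is why the packer makes no difference to it. The following is an added example written for this page; it is not the 'enforcer.exe' tool mentioned above and not anyone's crack. It assumes, as the post implies but does not spell out, that the trick is to switch the disabled controls back on from outside the process. The window caption is a placeholder for your own test build, and the target must already be running.

```pascal
program EnableAll;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  // Placeholder: caption of the one-form test program described above.
  TargetCaption = 'Form1';

// EnumChildWindows callback: turn every disabled child control back on.
// lParam carries a pointer to the counter owned by EnableControlsOf.
function EnableChild(Wnd: HWND; lParam: LPARAM): BOOL; stdcall;
var
  cls: array[0..63] of Char;
begin
  if not IsWindowEnabled(Wnd) then
  begin
    GetClassName(Wnd, cls, Length(cls));
    WriteLn(Format('enabling %s  hwnd=$%.8x', [PChar(@cls), Wnd]));
    EnableWindow(Wnd, True);
    Inc(PInteger(lParam)^);
  end;
  Result := True;  // keep walking the window tree
end;

// Finds the target's top-level window by caption and enables all of its
// disabled descendants (EnumChildWindows recurses). Returns the number of
// controls switched on, or -1 when no window with that caption exists.
function EnableControlsOf(const Caption: string): Integer;
var
  top: HWND;
  count: Integer;
begin
  Result := -1;
  top := FindWindow(nil, PChar(Caption));
  if top = 0 then
    Exit;
  count := 0;
  if not IsWindowEnabled(top) then   // a disabled parent swallows input too
  begin
    EnableWindow(top, True);
    Inc(count);
  end;
  EnumChildWindows(top, @EnableChild, LPARAM(@count));
  Result := count;
end;

var
  n: Integer;
begin
  n := EnableControlsOf(TargetCaption);
  if n < 0 then
    WriteLn('no window titled "', TargetCaption, '" found')
  else
    WriteLn(n, ' control(s) enabled');
end.
```

EnableWindow acts on the native window handle, so inside the target the VCL's own Enabled property still reads False while the button already accepts clicks and runs its OnClick. If that handler does the real work with no further check, which is the situation sergeymkl's reply describes, the whole protection is gone. A handler that re-validates the box before acting, or logic that never sits behind a disabled control in the first place, is unaffected by this.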
01-30-2015, 02:09   #4
sergeymkl (Freak Poster, joined Jun 2009)
Quote:
Originally Posted by VickFirtzh View Post
Please try to build your own test program: 1 form, 1 button, 1 radio button, all disabled. Pack it with your favorite packer, obfuscate it. Run the old bad boy 'enforcer.exe'. You will be shocked. Just an example. Even today, I see many GSM programs that cannot avoid this style.
Then they DESERVE it, really, because it raises the assumption that the programmer doesn't understand much about custom classes or threads (or MVC design...) and simply (ab)used the button event handlers to implement the complete program logic. Most often, it will have duplicated, hard-to-read and/or inefficient code.
01-31-2015, 14:10   #5
Victor (Moderator, joined May 1999, Blagoevgrad, Bulgaria)
The theme is interesting...

Yes, a lot of people compiling src for boxes don't know how to protect their stuff.

...but 2-3 small questions to VickFirtzh:

1. How will you see the RVA "without touching" the exe?
2. Did you ever try this on an exe simply packed with VMProtect?


Regards: Victor

p.s.

VickFirtzh... don't use PCHAR... the world went to Unicode, PANSICHAR.
01-31-2015, 22:38   #6
VickFirtzh (Junior Member)
Quote:
Originally Posted by sergeymkl (post #4 above)
Yes, true, they deserve a "free" course about protection.

Quote:
Originally Posted by Victor (post #5 above)
Thank you. I insist on staying on D7. It seems too hard for me to leave this baby IDE. I love the mature one.

1. No touch, yes, in plain language. The original exe is left untouched.
RVAs, yes, they are modified; we are talking about the SEH chain...

2. It is harder if such an app uses a multi-layer packer. Anything single-layer is easier than multi-layer.

Regards,