Thursday, January 22, 2009

Protection ID v6.1.6 (18th jan 2009) - Mixed New Reverse Engineering Stuff

Protection ID 6.1.6

Core Code changes:

- new: enabled the PE Stuff dialog (still in early stages)
- new: smbios reporting added (misc tools portion)
- update: pid entrypoint code optimised
- update: updated resizing core, and squashed a few bugs
- update: false positive with some anti virus programs is now fixed (gdata and avast)
- update: folderwatch, task manager, cd/dvd filter driver report, services report and folder
locations all have right click context menus allowing the data to be saved to file
- update: uninstaller code tweaked - various fixes on some entries that would not uninstall
- update: update portion is now tweaked, a bit better and more futureproof
- update: windows 7 is now detected right and everything is functional (we are windows 7 compatible)

- bugfix: gui issue when run from context menu (log window will be shown)
- bugfix: file open doing nothing bug fixed - happened on WinXP with no service packs
- bugfix: folderwatch - bugfix in window handler, could have caused a lockup in 9x/me systems

detection additions / changes

- new: check_protectdisc.asm - added ProtectDisc exact v9.0.0, v9.1.0 & v9.2.0 detection
- new: check_g4wl.asm - added Games for Windows Live detection (xlive)
- new: check_steam.asm - added Steam (basic stub) detection
- new: check_activemark.asm - added ActiveMARK v6.50.767 detection

- new: check_breakpointcrypter.asm - added Breakpoint Crypter v0.0.79 detection
- new: check_expressor.asm - added exPresor v1.6.1 (Pro) detection
- new: check_fearzcrypter.asm - added fEaRz Crypter v2.2.0 detection
- new: check_hellcrypter.asm - added HellCrypter v1 detection
- new: check_kratoscrypter.asm - added Kratos Crypter detection
- new: check_npack.asm - added nPack v1.1.800.2008 + unknown version detection
- new: check_obsidium.asm - added Obsidium v1.3.6.1 detection
- new: check_pespin.asm - added PeSpin v0.1 (x64) detection
- new: check_rdgpack.asm - added RDG Pack Lite Edition v0.4 detection
- new: check_roguepack.asm - added RoguePack v4.0 Beta 1 detection
- new: check_rlpack.asm - added RLPack v1.21 detection
- new: check_simplecrypter.asm - added Simpl3 CrYpT3R detection
- new: check_xcrypter.asm - added X-Crypter v2.01 detection
- new: check_zprotect.asm - added in *generic* ZProtect detection

- new: dongle_softdog.asm - added SoftDog Dongle detection

- update: check_protectdisc.asm - removed protection level output (basic/pro) when detecting v9
(this version is all 'Pro', no more 'Basic' v9 games)
- update: check_activemark.asm - ActiveMark v6.1.335 detection rewritten
(thx Nacho_dj for reporting a bug in American McGee's Grimm Bundle)

CD/DVD/Image file/sector scan

- update: sector scan updated to handle various movie protections
(css/cpmm, cprm, aacs hddvd, aacs bd), this code is still in the experimental stage,
and needs testing, but seems to work

[I] Init cd/dvd sector scan for Drive O
[i] Detected CSS / CPMM Protection! (0x00000001)
[i] Region Lock Detected -> RegionBitMask: 00000002
[.] Region(s) allowed : 2 (Drive region will need to be changed, you have 2 changes remaining,
your current region is : 1)
- Scan Took : 0.828 Second(s)

- bugfix: fixed bug in cddvd sector scanning code (register got trashed) - not critical..

Homepage: -

Mirror DDL:


Themida - Winlicense ID 1.1 Support EXE / DLL / OCX
Author: goldsun

Supported versions: - or higher

Detects exact Themida-Winlicense version.
How to use: drag a themida protected file and drop it over the exe or use the PEiD plugin.



TheMida - WinLicense Info Script
, Show me the infos!

Author : LCF-AT
Environment : WinXP, OllyDbg V1.10, OllyScript v1.65.4
Date : 2009-20-01

========WILLST DU SPAREN,DANN MUßT DU SPAREN!=============

Hello together,

today I wanna share a new written script by me about to get some useful infos about TheMida / WinLicense protected targets.
-This script can get the exact version release year and the protection
-I also added to get the right section name,VA and name of the file summarized in nice message box for the user.
-Included diffrent search methods to get this informations for all TM / WL targets.


Download: TheMida - WinLicense Info Script.txt 5.60 KB
DDL: - WinLicense Info Script.txt


Exeinfo PE ver. by A.S.L 470 sign 2009.01.10


compare gfx 3D RWA / Virtual Size section
added eof check - picture PNG format ( EOF ok - multi file scanner ) many similar info added ….
gfx rippers added ( BMP GIF JPG PNG )
overlay detector doc/msi/xls added [ ripper not included :-( ]
Header info Directory - new window added ( value bigger then 0000 are BOLD font )
many bug fixed , hints , copyClip fixed

470 signatures :

456. Free Pascal Lazarus Project v0.9.26 beta 2008-10-05 -
457. DRPU Setup Creator v. ( C++ ) - www.setupcreator *ACM
458. ST Ultra Pack 2 v0.6s (2008.10.30) Created by Silent Software & Silent Shield - *ACM
459. Ionic Wind Software Compiler *EXE (Aurora 1.0 / Emergence Basic v1.67 ) - www.ionicwind.
460. Ionic Wind Software Compiler *DLL (Aurora 1.0 / Emergence Basic v1.67 ) - www.ionicwind.
461. Armadillo ver.4.20 min. compress - www.siliconrealms (exe)
462. GoAsm.Exe Version 0.56.4m - Copyright Jeremy Gordon 2001/9 - www.GoDevTool (exe)
463. Mew 10 packer v1.0 Coded by Northfox 2004.03.06 ( AVir : malicious packer ) - http://northfox.uw *ACM
464. www.elefun-games GameWrapper ( MSV C++ 8.0 ) v.
465. RDG Tejon Crypter v0.4 ( MS VB 6.1 ) - www.rdgsoft.8k *ACM
466. NonstandarD - Microsoft Visual Basic 5.0 -6.x
467. DCrypt v.0.9b - drmist ( cryper )
468. HipACryp - 0.0.1 Coded By Departure! ( 2008.11.08 ) - www.Cheesydoodle *ACM
469. Armadillo ver.4.xx min. compress - Generic Detector - www.siliconrealms
470. Hying's PE-Armor v0.75 -


IDA 5.4 beta
In addition to numerous small and not that small improvements, the new version will have hree debugger modules: bochs, gdb, and windbg, selectable on the fly (the active debugger session will be closed, though wink1.gif)

* With the bochs debugger, we offer three different worlds: run-any-code-snippet facility, windows-like-environment for PE files, and any-bochs-image bare-bone machine emulation mode. You can read more about this module in our blog:
* With gdb, x86 and arm targets are supported. Among other things, it is possible to connect IDA to QEMU or debug a virtual machine inside VMWare. We tried it iPhone as well. However, while it works in some curcimstances, there were some problems on the gdbserver side. With windbg, user and kernel mode debugging is available. The debugger engine from Microsoft, which is currently the only choice for driver and kernel mode debugging, can be used from IDA. It can automatically load required PDB files and populate the listing with meaningful names, types, etc. Speaking of PDB files, IDA imports more information from them: local function variables and types are retrieved too, c++ base classes are handled, etc.

The gdb and windbg debugger modules support local and remote debugging. We tried to make the debugger modules as open as possible: target-specific commands can be sent to all backend engines in a very easy and user-friendly way.

As usual, better analysis and many minor changes have been made. If you spend plenty of time analyzing gcc generated binaries, you’ll certainly appreciate that IDA handles its weird way of preparing outgoing function arguments. Now it can trace and find arguments copies to the stack with mov statements.

The new IDA will support Python out of box, thanks to Gergely Erdelyi, who kindly agreed the Python plugin to be included in the official distribution. In fact, the main IDA window will have a command line to enter any python (or other language) expressions and immediately get a result in the message window.

We will prepare the detailed list of improvements later this week.



ProtectionID_v6.1.6_2k9.rar 372.33 KB 19.46 KB 534.44 KB

No comments:

Post a Comment