OMNIPAGE PRO 11 (Recognita 6)
Have a nice day!

Not Assigned
20.5.2002
by macilaci
Published by Tsehp

Courtesy of Fravia's page of reverse engineering
slightly edited by tsehp

There is a crack, a crack in everything
That's how the light gets in

Rating
(X)Beginner ( )Intermediate ( )Advanced ( )Expert
"Have a nice day!" stands in the header of Omnipage.exe...
OMNIPAGE PRO 11 (Recognita 6)
Have a nice day!
Written by
macilaci
It happened as usual: I wasn't specially looking for this kind of software, nor for this kind
of protection, but sometimes it happens. I hate these scrambled import tables and encrypted
code. It doesn't lead anywhere. It's like a revenge on the cracker (or on anyone who doesn't want
to buy a protection). And this sarcastic clause: "HAVE A NICE DAY!" inside the executable....
I said: Let's finally have a nice day!
SICE,
REVIRGIN, PE dumper (Procdump or so),
IDA (not necessary),
Info on reconstructing the import table (revirgin essays), PE format overview
http://www.scansoft.com,
Omnipage - I don't know much about its history. Just the recent information that Scansoft
bought Recognita (which was known among us as a quite good text recognizer).
Turgid words are characteristic of dilettantism. Always. Believe.
A first look at this executable told me it wouldn't be an easy task. First I looked at the import table,
second was the disassembling approach. The result was that the executable is scrambled, and
the import table too. So the next step was to examine which packer or wrapper was used. Doing a
bpm 54258a x on the entry point shows some home made protection:
0054258A call sub_542647 ;we start here
0054258F call sub_542824
00542594 cmp eax, 0
00542597 jnz short loc_5425A0
00542599 push 0
0054259B call sub_543B25
005425A0
005425A0 loc_5425A0: ; CODE XREF: Have:00542597j
005425A0 call ds:dword_541F49
005425A6 test eax, 80000000h
005425AB jz short loc_5425BB
005425AD push offset aCProgramFilesS ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425B2 call sub_543B31
005425B7 or eax, eax
005425B9 jz short loc_542619
005425BB
005425BB loc_5425BB: ; CODE XREF: Have:005425ABj
005425BB push offset aCProgramFile_0 ; "C:\\PROGRAM FILES\\SCANSOFT\\OMNIPAGEPRO11"...
005425C0 call sub_543B31
005425C5 or eax, eax
005425C7 jz short loc_542630
005425C9 mov ds:dword_541CD4, eax
005425CE call ds:dword_541EC7
005425D4 mov ds:dword_541A72, eax
005425D9 push 0
005425DB call sub_543B19
005425E0 mov ds:dword_541A76, eax
005425E5 push offset aNewsecuritypro ; "NewSecurityProc"
005425EA push ds:dword_541CD4
005425F0 call sub_543B2B ;some security procedures
005425F5 cmp eax, 0
005425F8 jz short loc_542630
005425FA push ds:dword_541E16
00542600 push ds:dword_541A72
00542606 push offset unk_540000
0054260B push ds:dword_541A76
00542611 call eax ;finally check license and unwrap the exe
00542613
00542613 loc_542613: ; CODE XREF: Have:00542613j
00542613 jmp ds:off_540000 ;jump to original entry point (0x004EB405)
First I was digging inside the call at 542611, but it seemed useless (some 16-bit code of the kind I last saw
inside CDilla's Safecast).
At location 542613 the executable is completely restored and the imports
are linked. You can dump at this location. So now do a ENTER jmp eip ENTER ENTER and hit F5.
Run Procdump or some other dumping tool (PEditor is good too) and save it to disk.
Back to winice, and restore the original jump. Keep the target running. You might
close your dumping tool and run Revirgin. Choose the appropriate task (Omnipage.exe). Revirgin comes up to
expectation with some found imports. Checking the disassembled dump you may see that the RVA (000FF000)
and Length (000020E4) values are correct, but the OEP needs to be changed to 004EB405.
Clicking on IAT Resolver we get a demangled import table. You can now check the names
for correctness. We will now append the import table section to the dumped executable. The size of the dumped
exe is now 0x145FF0, so we will use 146000 for IT Generator.
Now fill in the fields RVA (00146000) and Length (000020E4) to the right.
Pressing the generate! button, choosing the dumped executable and a name for the import table (this is
stored as a copy), the program will now append the import table and fix the PE header (be sure you have
checked the Autofix sections + IT paste checkbox).
And we're done. You can check the executable with IDA. The imports are now OK, the protection shell
is off and we now have a nice day...
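The header checks below are an added example, not code from macilaci's essay or from Revirgin: a stdlib-only Python script that reads a PE32 header the way the walkthrough does by hand, pulls out AddressOfEntryPoint and the import data directory (the RVA and Length pair typed into Revirgin), and flags the two symptoms that make an analyst suspect a protector stub on an executable before any debugging: an entry point that lies in a trailing writable section instead of the first code section, and an import directory that the section table does not cover. Both sample images are constructed in memory. The entry point RVA 0x14258A and the OEP RVA 0xEB405 follow from the essay's addresses under an assumed image base of 0x400000; the import directory values 0x146000 and 0x20E4 are the ones the essay feeds to IT Generator; the section name "Have" is taken from IDA's xref labels in the listing; every other section bound and the appended section's name ".rv" are made up for the example.

```python
import struct

# Section characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DATA_R = 0x40000040        # initialized data, readable
DATA_RW = 0xC0000040       # initialized data, read/write
CODE_X = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def build_pe(entry_rva, import_dir, sections):
    """Assemble a header-only PE32 image (constructed test data, not a real file).
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                  # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase (assumed value)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, *import_dir)  # DataDirectory[1]: import table RVA, size
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, flags)
        for name, va, vsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


def parse_pe(data):
    """Return entry point RVA, image base, import directory (RVA, size) and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    import_dir = struct.unpack_from("<II", data, opt + 96 + 8) if ndirs > 1 else (0, 0)
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode(),
                         "vsize": fields[1], "va": fields[2], "flags": fields[9]})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "import_dir": tuple(import_dir), "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def triage(pe):
    """Report the header anomalies that point at a protector stub: entry point outside the
    first code section or in a writable section, and an import directory the sections don't cover."""
    findings = []
    code = [s for s in pe["sections"] if s["flags"] & IMAGE_SCN_CNT_CODE]
    ep_sec = section_for_rva(pe["sections"], pe["entry_rva"])
    if ep_sec is None:
        findings.append("entry point outside every section")
    elif code and ep_sec is not code[0]:
        findings.append(f"entry point in {ep_sec['name']}, not in first code section {code[0]['name']}")
    if ep_sec and ep_sec["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry point section {ep_sec['name']} is writable")
    rva, size = pe["import_dir"]
    if size == 0:
        findings.append("empty import directory")
    elif section_for_rva(pe["sections"], rva) is None or \
            section_for_rva(pe["sections"], rva) is not section_for_rva(pe["sections"], rva + size - 1):
        findings.append("import directory not contained in one section")
    return findings


# Constructed "as shipped" layout: the trailing stub section holds the entry point
# (0x54258A - 0x400000) and the import directory points at memory no section covers.
PACKED = build_pe(0x14258A, (0x1F0000, 0x20E4), [
    (".text", 0x1000, 0xEB000, CODE_X),
    (".rdata", 0xEC000, 0x14000, DATA_R),
    (".data", 0x100000, 0x40000, DATA_RW),
    ("Have", 0x140000, 0x5000, CODE_X | IMAGE_SCN_MEM_WRITE),
])

# Constructed "after the dump" layout: OEP back in .text, rebuilt import table in an
# appended section at 0x146000 (the ".rv" name is hypothetical).
RESTORED = build_pe(0xEB405, (0x146000, 0x20E4), [
    (".text", 0x1000, 0xEB000, CODE_X),
    (".rdata", 0xEC000, 0x14000, DATA_R),
    (".data", 0x100000, 0x40000, DATA_RW),
    ("Have", 0x140000, 0x5000, CODE_X | IMAGE_SCN_MEM_WRITE),
    (".rv", 0x146000, 0x3000, DATA_R),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("restored", RESTORED)):
        pe = parse_pe(image)
        print(f"{label}: EP {pe['image_base'] + pe['entry_rva']:08X}, "
              f"imports RVA {pe['import_dir'][0]:08X} size {pe['import_dir'][1]:08X}")
        for f in triage(pe) or ["no findings"]:
            print("   ", f)
```

The checks are only heuristics: a legitimate linker can place the entry point in a later section, and a protector can leave a small, well-formed import directory inside its stub. What the script does give you is the same three fields the essay corrects by hand (OEP, import RVA, import size) read from the header in a repeatable way, so a dumped-and-rebuilt image can be verified against the original before it is loaded anywhere.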
I was looking at the PE header again. And I saw irony:
"Have a nice day!"
.tsehp
I won't even bother explaining you
that you should BUY this target program if you intend to use it for a
longer period than the allowed one. Should you want to STEAL this
software instead, you don't need to crack its protection scheme at all:
you'll find it on most Warez sites, complete and already regged,
farewell, don't come back.