VBA-M

Post by **Nach** » Mon May 19, 2008 9:03 am

Okay mudlord, the app is ready. Meet me on IRC for it.

You include a .h file, link against a .c file, and call a function internally inside the app, which you use to make the app fail if it doesn't return success.

Once compiled, you now run my program to "sign" the binary. Once signed, they can't make any changes to the binary, even compressing it, otherwise it'll bomb out when trying to run.

For them to bypass my signing, they'd need to:
A) Figure out how it's signed, and replicate the signing, which odds are, not happening.
B) Hack the code in the binary to skip over the protection routines, possible, but these people don't seem up to that, we'll see. If they bypass it like this, we can toughen it up a bit.
C) Compile from source. As we all know, this is near impossible, and they'd never do that. Why if they do this, we'll just have to let them continue with their stupid hacks

Oh and BTW, the signatures written into the binary are also covered by signatures, and unless you have my algorithms, you won't be able to modify any of them and keep the others in sync, since they all cover each other. Man, I love reading up PhD thesis crypto papers that everyone ignores

mudlord · Post by **mudlord** » Mon May 19, 2008 9:33 am

Awesome, and I was hoping of getting a small MFC GUI build update out. Perfect opportunity to see what they do eh?

AamirM · Post by **AamirM** » Mon May 19, 2008 10:57 am

Hi,

I implemented AES some time ago and if you guys need it in protecion I can put it up for you.

stay safe,

AamirM

mudlord · Post by **mudlord** » Mon May 19, 2008 12:48 pm

Thanks for the offer Aamir but I think our current ideas are more than enough. I think though AES is for pros, and since we aren't dealing with warez groups here, we don't need that level of binary protection.

Still, its very nice of you to want to help

DEFIANT · Post by **DEFIANT** » Tue May 20, 2008 3:26 am

I am sorry to say it but it looks like they cracked it.

http://www.freewebs.com/laterza/index.htm

I.S.T. · Post by **I.S.T.** » Tue May 20, 2008 3:50 am

Quote from their change log:

-fixed Direct3D/DirectDraw sequences

*Ahem*

BULLSHIT

Directdraw was removed quite a while ago. They're lying out their ass.

Edit: Oh, and they deleted their forums again.

mudlord · Post by **mudlord** » Tue May 20, 2008 4:13 am

I am sorry to say it but it looks like they cracked it.

I beg to differ, they are re-reshacking old releases.

Shame.

neo_bahamut1985 · Post by **neo_bahamut1985** » Tue May 20, 2008 4:13 am

Uh, can we say "moron"? What're they trying to do, ruin VBA-M!?

mudlord · Post by **mudlord** » Tue May 20, 2008 4:16 am

Seems like it, or they just want me to quit.

I know several people that hate my guts and would do such a thing, just to get to me...

Post by **Nach** » Tue May 20, 2008 4:18 am

Well, it seems they don't even have the skill to bypass a protection.

Repackaging an old release, that's nice and original.

On the other hand, byuu did bypass the protection within 10 minutes, that's what real developers do.

On the bright side, we now know for any new builds we have with new features we add, they won't be able to put out a ripped off version.

I.S.T. · Post by **I.S.T.** » Tue May 20, 2008 4:20 am

Nach wrote:On the other hand, byuu did bypass the protection within 10 minutes, that's what real developers do.

Don't you know? byuu is the god of emulation.

>.>

Deathlike2 · Post by **Deathlike2** » Tue May 20, 2008 4:22 am

The proof is in the pudding... as they say.

mudlord · Post by **mudlord** » Tue May 20, 2008 4:28 am

On the other hand, byuu did bypass the protection within 10 minutes, that's what real developers do.

Not bad...though if you have some reversing skill, it shouldnt be hard at all.

I'm interested with what byuu can do with Starforce, could take 10 hours, 10 days, 10 months (Splinter Cell 3 with SF lasted a year uncracked)....

byuu · Post by **byuu** » Tue May 20, 2008 5:14 am

MIDIs on a webpage? Is it still 1997?

Yeah, Nach asked me to test his protection earlier today. I gave him some suggestions that I strongly recommend you try for hardening things up a bit, but it's always 100x harder to protect an EXE than it is for someone with reverse engineering skills to crack it. You really shouldn't waste your time with these people.

I'm interested with what byuu can do with Starforce, could take 10 hours, 10 days, 10 months (Splinter Cell 3 with SF lasted a year uncracked)....

Starforce 3 bested me.

I hijacked the program entry point with a LoadLibrary call, eg DLL injection. From here, I patched back over the entry point so the program would pass its own initial checksum test. I also patched out IsDebuggerPresent, and then hooked Advapi32 calls to block the SoftICE check.

After that, I wrote my own single stepping debugger to let the program decrypt the first payload, and then successfully dumped the process memory to reveal the decrypted program.

From here, it tested to see if two .sys kernel-level drivers were installed, and if not, it would spawn them from the EXE, install them, and then activate them. For Win9x, it'd install VXDs. Scary when you realize those two kernel drivers run 24/7 on your PC.

I had the ability to patch these kernel drivers before they were created, and I could disassemble the drivers, albeit with no heuristics (kernel function call names and such), but I couldn't actively debug them, even with SoftICE. I would basically need a kernel-level debugger to continue, and that requires two machines.

At that point, I realized I was pretty much in over my head, and I really didn't care that much to continue. Could I have cracked it if I kept at it? Probably not. Still, it was a fun learning experience.

DEFIANT · Post by **DEFIANT** » Tue May 20, 2008 6:55 am

mudlord wrote:
I am sorry to say it but it looks like they cracked it.
I beg to differ, they are re-reshacking old releases.

Shame.

So their release is not a cracked version of 515? My bad. I was just pointing out what they had said on their site. Good to know your protection works. Hopefully what their doing won't discourage you from working on VBA. WE all know who has put the real time and effort into it. Many thanks to the VBA-M Team, from me as well, I'm sure, most of the emulation community.

DancemasterGlenn · Post by **DancemasterGlenn** » Tue May 20, 2008 8:00 am

DEFIANT wrote:Hopefully what their doing won't discourage you from working on VBA. WE all know who has put the real time and effort into it. Many thanks to the VBA-M Team, from me as well, I'm sure, most of the emulation community.

Gladly seconded. We really appreciate your hard work.

Tallgeese · Post by **Tallgeese** » Tue May 20, 2008 7:30 pm

I doubt something like this would discourage him. He sure doesn't look like Nightwolve.

I.S.T. · Post by **I.S.T.** » Tue May 20, 2008 7:32 pm

Nightwolve, the guy who did the hacking on a few Ys translations?

Tallgeese · Post by **Tallgeese** » Tue May 20, 2008 7:33 pm

He threw a massive tantrum when his near-complete Ys 6 patch he was giving to donators was leaked.

I.S.T. · Post by **I.S.T.** » Tue May 20, 2008 7:45 pm

He killed the translation? that sucks.

Then again, it is time honored tradition in the emulation world...

Post by **grinvader** » Tue May 20, 2008 7:46 pm

Wasn't that the one asking for the smashed original disk ?

funkyass · Post by **funkyass** » Tue May 20, 2008 9:24 pm

mudlord, you should give this cloud duds credit for exemplar specimens of internet stupidity

I.S.T. · Post by **I.S.T.** » Tue May 20, 2008 9:31 pm

And it's down now. freewebs must have found out about the GPL violations...

neo_bahamut1985 · Post by **neo_bahamut1985** » Tue May 20, 2008 11:01 pm

I.S.T. wrote:And it's down now. freewebs must have found out about the GPL violations...

Serves them right for trying to screw the VBA-M users over!

Post by **Nach** » Tue May 20, 2008 11:29 pm

I'm still able to access this page just fine.
http://www.freewebs.com/laterza/index.htm