Reverse Engineering Team
Unregistered, You must accept the Forum Rules below to be able to use some forum functions.

Read forum rules below...

1. All posts must be written in English.
2. Don't spam/abuse any other member via E-mail or Private Messages.
3. Have phun!

For breaking above rules you may be warned/banned appropriately!

Deobfuscated site code??

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 3:20 am

Team,

I was able to find the User/Master key in a DLL file CK VERSION: 7.1 Build 7305 using CKINFO, however the site code is 32 characters, when it should be 18.

How do we  Deobfuscated site code?

I found a few tools (Blowfish) online but they ask for a key???!!

Any Ideas?

Thank you.

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by BfoX on Sat Jul 15, 2017 3:32 am

site code show to you by software. tell us the software name

BfoX

Posts : 931
Points : 1220
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 3:47 am

AR


Last edited by sinbadon on Sat Jul 15, 2017 4:53 pm; edited 1 time in total

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 3:49 am

I found the ngn file, would that help?

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 5:48 am

This is what i am getting for sitecode: 6C0B 57FA 2153 05A5 4F


Last edited by sinbadon on Sat Jul 15, 2017 5:21 pm; edited 1 time in total

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 11:27 am

Help please, I managed to find everything except KEY LEVEL??? when using ckinfo

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sat Jul 15, 2017 11:51 am

show your .ngn file

hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 12:13 pm

Thank you hasp
Here it is: http://www.mediafire.com/file/2cd0fub5drgplqu/crp32002.zip

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sat Jul 15, 2017 12:41 pm

dump the xxx.ngn file with petools this to upload.

hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 12:45 pm

http://www.mediafire.com/file/uzq5ie89v65u09i/Dumped.zip

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sat Jul 15, 2017 1:00 pm

key:


sitecode 5C61 0749 605B E1C3 9D

userkey C4B96B56D79B2CF9A64892881F

masterkey A560EB66B81BBB3F9CB879C74B9967DBD149DF06BD09969B71D2E263C34816C8225BD4A1043740DC057B0E618AEC97F0624BF5A7AFC0946486C6A0A5F3E1517EB97E8A8A98C7D3D3F60C32ACA898772B9E0B5DD64A72EC2F4F270D83ED5844CCD6A9A92C348068E056D66B6397F8B988321BB3E78D8CFEB5CB14145DC4F30CBD

hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:04 pm

Thanks hasb, thats what i have.

I tried the sitecode but ckinfo 1.14 did not accept it

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:07 pm

CrypKey Copy Protection Information v1.14+ modified by raduga_fb

Key Information...
+ Site Code            : 5C61 0749 605B E1C3 9D
  Decrypt Failed - Trying v6.00 Decryption...

Error #16: Error occurred decrypting the Site Code - Encryption Keys Not Found

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sat Jul 15, 2017 1:09 pm

Code:
Parsing Code    - 5C61 0749 605B E1C3 9D
Decrypting Code - 0002 47FB 0DB7 5463 1E [0x13:0x07]
Code Validation - OK
Formatting Code :
                            02 47 FB0D B754 631E
                            ╚╣ ╚╣ ╠══╝ ╠══╝ ╠══╝
                            ║  ║ ║    ║    ╚═══════════════ Code CRC - 0x631E
  Allow Add Licence? - No ═══╣  ║ ║    ╠════════ User Key Hash (Seed) - 0x54B7
  Allow Easy Licence? - Yes ═╝  ║ ║    ╚══════════ Drive Serial Number - 21687
  CrypKey Libraries - v7.1 ═════╝ ╠═ Account Number - 507
                                  ╠═ Application Id - 3
                                  ╠═ Company Number - 7956507

hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:13 pm

what version of ckinfo are u using?

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:22 pm

ok i guess 1.09

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:23 pm

Thank you Hasp ,okso i got that far, how do u know "key level" and "Key options"

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by BfoX on Sat Jul 15, 2017 1:29 pm

digging software only or demo site key
all sweet in the ngn-file. you need attach and try to search it


Last edited by BfoX on Sat Jul 15, 2017 2:05 pm; edited 2 times in total

BfoX

Posts : 931
Points : 1220
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 1:53 pm

I am still digging, could it be in a DLL file?

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sat Jul 15, 2017 5:10 pm

Thanks Bfox, what am I looking for.  I have attached to Ollydbg and only could fine the 3 keys but cant seem to locate any level keys??
Am I looking for ASCII code?
I will apreciate any help or hints

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sun Jul 16, 2017 3:38 am

Well i tried and i cant find any functions calls that says:  GetAuthorization, GetLevel, GetOption



I have examined EXE files and DLL and no luck. 



And last  the user manual from thewd :

"Levels and options allow different features of the product to be authorised
and can be used to distinguish between product versions or editions. There are
a number of ways to obtain the correct levels and options, but they may not
work will all protected applications."

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sun Jul 16, 2017 4:20 am

read carefully as Bfox said all sweet data in side the ngn file.

hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by hasp on Sun Jul 16, 2017 4:45 am

olly:

CPU Disasm
Address   Hex dump          Command                                  Comments
0040CCA2  /> /55            PUSH EBP
0040CCA3  |. |8BEC          MOV EBP,ESP
0040CCA5  |. |83EC 10       SUB ESP,10
0040CCA8  |. |8D45 FC       LEA EAX,[EBP-4]
0040CCAB  |. |50            PUSH EAX
0040CCAC  |. |8D45 F8       LEA EAX,[EBP-8]
0040CCAF  |. |50            PUSH EAX
0040CCB0  |. |8D45 F0       LEA EAX,[EBP-10]
0040CCB3  |. |50            PUSH EAX
0040CCB4  |. |8D45 F4       LEA EAX,[EBP-0C]
0040CCB7  |. |50            PUSH EAX
0040CCB8  |. |E8 B3E7FFFF   CALL 0040B470
0040CCBD  |. |83C4 10       ADD ESP,10
0040CCC0  |. |85C0          TEST EAX,EAX
0040CCC2  |. |75 1E         JNZ SHORT 0040CCE2
0040CCC4  |. |8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
0040CCC7  |. |48            DEC EAX                                  ; Switch (cases 1..3, 4 exits)
0040CCC8  |. |74 15         JZ SHORT 0040CCDF
0040CCCA  |. |48            DEC EAX
0040CCCB  |. |74 0D         JZ SHORT 0040CCDA
0040CCCD  |. |48            DEC EAX
0040CCCE  |. |74 05         JZ SHORT 0040CCD5
0040CCD0  |. |83C8 FF       OR EAX,FFFFFFFF                          ; Default case of switch CRP32002.40CCC7
0040CCD3  |. |C9            LEAVE
0040CCD4  |. |C3            RETN
0040CCD5  |> |8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]             ; Case 3 of switch CRP32002.40CCC7
0040CCD8  |. |C9            LEAVE
0040CCD9  |. |C3            RETN
0040CCDA  |> |8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]             ; Case 2 of switch CRP32002.40CCC7
0040CCDD  |. |C9            LEAVE
0040CCDE  |. |C3            RETN
0040CCDF  |> |8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0C]            ; Case 1 of switch CRP32002.40CCC7
0040CCE2  |> |C9            LEAVE
0040CCE3  \. |C3            RETN
0040CCE4  /> |68 48DB4600   PUSH OFFSET 0046DB48                     ; /Arg1 = ASCII "GetOption"
0040CCE9  |. |E8 39E7FFFF   CALL 0040B427                            ; \CRP32002.0040B427
0040CCEE  |. |85C0          TEST EAX,EAX
0040CCF0  |. |59            POP ECX
0040CCF1  |. |75 38         JNZ SHORT 0040CD2B
0040CCF3  |. |8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]
0040CCF7  |. |3B4424 04     CMP EAX,DWORD PTR SS:[ESP+4]
0040CCFB  |. |7F 2B         JG SHORT 0040CD28
0040CCFD  |. |85C0          TEST EAX,EAX
0040CCFF  |. |7E 27         JLE SHORT 0040CD28
0040CD01  |. |64:8B15 2C000 MOV EDX,DWORD PTR FS:[2C]
0040CD08  |. |6A 20         PUSH 20
0040CD0A  |. |59            POP ECX
0040CD0B  |. |2BC8          SUB ECX,EAX
0040CD0D  |. |33C0          XOR EAX,EAX
0040CD0F  |. |40            INC EAX
0040CD10  |. |D3E0          SHL EAX,CL
0040CD12  |. |8B0D 2C744800 MOV ECX,DWORD PTR DS:[]
0040CD18  |. |8B0C8A        MOV ECX,DWORD PTR DS:[ECX*4+EDX]
0040CD1B  |. |2381 6C020000 AND EAX,DWORD PTR DS:[ECX+26C]
0040CD21  |. |F7D8          NEG EAX                                  ; Converts EAX to boolean
0040CD23  |. |1BC0          SBB EAX,EAX
0040CD25  |. |F7D8          NEG EAX
0040CD27  |. |C3            RETN
0040CD28  |> |83C8 FF       OR EAX,FFFFFFFF
0040CD2B  \> |C3            RETN
0040CD2C  /$ |68 54DB4600   PUSH OFFSET 0046DB54                     ; /Arg1 = ASCII "GetLevel"
0040CD31  |. |E8 F1E6FFFF   CALL 0040B427                            ; \CRP32002.0040B427
0040CD36  |. |85C0          TEST EAX,EAX
0040CD38  |. |59            POP ECX
0040CD39  |. |75 28         JNZ SHORT 0040CD63
0040CD3B  |. |8B4C24 04     MOV ECX,DWORD PTR SS:[ESP+4]
0040CD3F  |. |83F9 1F       CMP ECX,1F
0040CD42  |. |77 1D         JA SHORT 0040CD61
0040CD44  |. |64:8B15 2C000 MOV EDX,DWORD PTR FS:[2C]
0040CD4B  |. |A1 2C744800   MOV EAX,DWORD PTR DS:[]
0040CD50  |. |8B0482        MOV EAX,DWORD PTR DS:[EAX*4+EDX]
0040CD53  |. |8B80 6C020000 MOV EAX,DWORD PTR DS:[EAX+26C]
0040CD59  |. |83CA FF       OR EDX,FFFFFFFF
0040CD5C  |. |D3EA          SHR EDX,CL
0040CD5E  |. |23C2          AND EAX,EDX
0040CD60  |. |C3            RETN
0040CD61  |> |33C0          XOR EAX,EAX
0040CD63  \> |C3            RETN
0040CD64  /$ |55            PUSH EBP                                 ; CRP32002.0040CD64(guessed Arg1)
0040CD65  |. |8DAC24 9CFEFF LEA EBP,[ESP-164]
0040CD6C  |. |81EC E0010000 SUB ESP,1E0
0040CD72  |. |A1 E4214800   MOV EAX,DWORD PTR DS:[4821E4]
0040CD77  |. |33C5          XOR EAX,EBP
0040CD79  |. |8985 60010000 MOV DWORD PTR SS:[EBP+160],EAX
0040CD7F  |. |53            PUSH EBX
0040CD80  |. |8B9D 6C010000 MOV EBX,DWORD PTR SS:[EBP+16C]
0040CD86  |. |68 60DB4600   PUSH OFFSET 0046DB60                     ; /Arg1 = ASCII "KillLicense"
0040CD8B  |. |E8 97E6FFFF   CALL 0040B427                            ; \CRP32002.0040B427
0040CD90  |. |85C0          TEST EAX,EAX
0040CD92  |. |59            POP ECX
0040CD93  |. |75 1D         JNZ SHORT 0040CDB2
0040CD95  |. |A1 2C744800   MOV EAX,DWORD PTR DS:[]
0040CD9A  |. |64:8B0D 2C000 MOV ECX,DWORD PTR FS:[2C]
0040CDA1  |. |56            PUSH ESI
0040CDA2  |. |8B3481        MOV ESI,DWORD PTR DS:[EAX*4+ECX]
0040CDA5  |. |83BE 60100000 CMP DWORD PTR DS:[ESI+1060],0
0040CDAC  |. |74 1A         JE SHORT 0040CDC8
0040CDAE  |. |6A FE         PUSH -2
0040CDB0  |. |58            POP EAX
0040CDB1  |> |5E            POP ESI
0040CDB2  |> |8B8D 60010000 MOV ECX,DWORD PTR SS:[EBP+160]
0040CDB8  |. |33CD          XOR ECX,EBP
0040CDBA  |. |5B            POP EBX
0040CDBB  |. |E8 0A020400   CALL 0044CFCA
0040CDC0  |. |81C5 64010000 ADD EBP,164
0040CDC6  |. |C9            LEAVE
0040CDC7  |. |C3            RETN
0040CDC8  |> |57            PUSH EDI
0040CDC9  |. |E8 C099FFFF   CALL 0040678E
0040CDCE  |. |8D45 5C       LEA EAX,[EBP+5C]
0040CDD1  |. |50            PUSH EAX                                 ; /Arg3
0040CDD2  |. |BF 34CD4600   MOV EDI,OFFSET 0046CD34                  ; |ASCII "key"
0040CDD7  |. |57            PUSH EDI                                 ; |Arg2 => ASCII "key"
0040CDD8  |. |FFB6 5C100000 PUSH DWORD PTR DS:[ESI+105C]             ; |Arg1
0040CDDE  |. |E8 5275FFFF   CALL 00404335                            ; \CRP32002.00404335
0040CDE3  |. |8D45 5C       LEA EAX,[EBP+5C]
0040CDE6  |. |6A 06         PUSH 6                                   ; /Arg2 = 6
0040CDE8  |. |50            PUSH EAX                                 ; |Arg1
0040CDE9  |. |E8 AA270400   CALL 0044F598                            ; \CRP32002.0044F598
0040CDEE  |. |83C4 14       ADD ESP,14
0040CDF1  |. |85C0          TEST EAX,EAX


hasp

Posts : 444
Points : 599
Reputation : 147
Join date : 2011-12-16

Back to top Go down

Re: Deobfuscated site code??

Post by sinbadon on Sun Jul 16, 2017 11:10 am

Wow, Thanks.  I am not sure how i missed that.

sinbadon

Posts : 40
Points : 48
Reputation : 2
Join date : 2013-10-29

Back to top Go down

Re: Deobfuscated site code??

Post by BfoX on Sun Jul 16, 2017 1:01 pm

just disassemble ngn-file =)

BfoX

Posts : 931
Points : 1220
Reputation : 229
Join date : 2012-04-18
Location : Earth

Back to top Go down

Re: Deobfuscated site code??

Post by Sponsored content


Sponsored content


Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum