Jump to content
  • 0

Change HGUARD IP/Domain from unpacked Fire.dll


CubAfull

Question

1 answer to this question

Recommended Posts

  • 0

Ok, I'm going to continue with this because I really want the client HWID and the basic protection from this DLL.

Maybe others with the same need and more knowledge or wanting to help can join in this crusade :laughing:

 

This is what I have/found.

https://mega.nz/file/MMtAzKTK#uUsTz_QDuiqXrk2UR9UnWlUKuZ2zbT8F0TiD52kTGyw

 

This contain 5 files:

Fire_U.dll - Unpacked. Found in RUS forum.
Fire_P1.dll - Packed. Same file as Fire_U.dll but Packed.
Fire_U1.dll - Unpacked Fire_P1.dll by me.
Fire_P2.dll - Packed. Another version.
Fire_U2.dll - Unpacked Fire_P2.dll by me.

 

If you use Fire_U.dll (rename to Fire.dll in your system) the client show you an error after loading the dll:

 

Runtime error 216 at 1314421A

 

All the unpacked files throw the same error and the error happen here.

 

.text:131441F0 loc_131441F0:                           ; CODE XREF: System::__linkproc__ StartLib(void)+44j
.text:131441F0 mov     dword_1319C63C, ecx
.text:131441F6 mov     eax, offset j_RaiseException
.text:131441FB mov     dword_1319C014, eax
.text:13144200 mov     eax, offset j_RtlUnwind
.text:13144205 mov     dword_1319C018, eax
.text:1314420A call    unknown_libname_67              ; BDS 2005-2007 and Delphi6-7 Visual Component Library
.text:1314420F mov     eax, [ebp+0Ch]
.text:13144212 inc     eax                             ; Increment by 1
.text:13144213 mov     byte_1319C658, al
.text:13144218 dec     eax                             ; Decrement by 1
.text:13144219 pop     ecx
.text:1314421A mov     edx, [ecx]                      ; Error: Runtime error 216 at 1314421A
.text:1314421C mov     dword_1319C654, edx
.text:13144222 jz      short loc_1314422B              ; Jump if Zero (ZF=1)
.text:13144224 cmp     al, 3                           ; Compare Two Operands
.text:13144226 jge     short loc_1314422B              ; Jump if Greater or Equal (SF=OF)
.text:13144228 call    dword ptr [ecx+eax*4]           ; Indirect Call Near Procedure

 

Pseudocode:

 

int __userpurge System::__linkproc__ StartLib@<eax>(int *a1@<eax>, int a2@<edx>, int a3@<ecx>, int a4@<ebx>, int a5@<ebp>, int a6@<edi>, int a7@<esi>, void (__cdecl *a8)(int *))
{
  int v8; // ecx
  int v9; // eax
  int v10; // eax
  int *v11; // ecx
  int v12; // eax
  int *v15; // [esp-4h] [ebp-4h]

  qmemcpy((void *)(a5 - 60), &dword_1319C630, 0x2Cu);
  dword_1319C650 = a6;
  dword_1319C64C = a7;
  dword_1319C644 = a5;
  dword_1319C648 = a4;
  dword_1319C638 = (int)a1;
  dword_1319C640 = a2;
  dword_1319C630 = a5 - 60;
  v8 = 0;
  if ( !*(_DWORD *)(a5 + 12) )
    v8 = *a1;
  dword_1319C63C = v8;
  dword_1319C014 = (int)j_RaiseException;
  dword_1319C018 = (int)j_RtlUnwind;
  unknown_libname_67((_EXCEPTION_REGISTRATION_RECORD *)a5);
  v9 = *(_DWORD *)(a5 + 12) + 1;
  byte_1319C658 = *(_BYTE *)(a5 + 12) + 1;
  v10 = v9 - 1;
  v11 = (int *)a3;
  dword_1319C654 = *(_DWORD *)a3; // The error happen here
  if ( v10 && (char)v10 < 3 )
    (*(void (**)(void))(a3 + 4 * v10))();
  v15 = v11;
  if ( a8 )
    a8(v11);
  v12 = *(_DWORD *)(a5 + 12);
  if ( (char)v12 >= 3 )
    ((void (*)(void))v15[v12])();
  if ( !dword_1319C02C )
    byte_1319C034 = 1;
  if ( *(_DWORD *)(a5 + 12) != 1 )
    System::__linkproc__ Halt0(a8);
  return System::_16705();
}

 

This is all for the moment. I update the post when have more info :)

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.


×
×
  • Create New...