[Help] CrypKey Instant 6.x -> CrypKey Inc. or newer
Posted on: 2009-6-13 05:01 (14958 views)

I know this is the wrong spot for this, but I can't read Chinese and I think my account is not verified or something, because I can't access any other part of this forum or post. So, if someone can supply me with a reactivation link, that would help lol.... :D

This is the Protector:

CrypKey Instant 6.x -> CrypKey Inc.
Big number :: 003A6207 :: 00C58207 <-- I saw this with a KANAL scan. Thought I'd throw this in there.


Here is the exe uploaded to sendspace and rapidshare:
The size of this .rar is 21.98MB. Here is the link:
Target from sendspace
Target from rapidshare

I have been to the tuts4you forum, exetools forum, OpenRCE forums, RCE Messageboard, Black Storm forum, along with this forum. I have also searched Google extensively and came up with this.

I know squidge over at RCE Woodmann's claims he has an unpacker for CrypKey 6.x applications, but it's not public.
I know that there is a Site Key Generator program, along with another program called Isomething.

Anyway, it seems like everyone is flaming this protector. Let's see if anyone can unpack it. If you do unpack it, let me know a few details on how you unpacked it. If you want to write a tutorial on this, that is OK too.

The forums and Google also came up with a few tutorials, which I have read for the most part:

I found this tutorial on CrypKey here:
90eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4N6G2L8$3c8E0j5h3&6F1i4K6u0W2j5$3!0E0i4K6u0r3j5%4u0S2j5$3E0*7i4K6u0r3g2s2g2@1L8%4u0A6j5h3I4K6i4K6u0r3b7%4u0&6M7r3E0W2P5e0q4Q4x3X3g2Z5N6r3@1`.

Along with lena151's tutorial:
snd-reversingwithlena-tutorial20

There is also a PDF and RTF file hanging around called:
CrypKey with Self-Debugger.pdf <-- I think I got this off the tuts4you main page.

There has been some promise with the "CrypKey with Self-Debugger.pdf" tutorial. I had overlooked this part in it:

4. Reaching OEP in protected application

After rereading the tutorial I started to follow its steps. This is what I came up with:

0. Open 1st instance of Olly and locate target.

1. Patch jump to OEP to this: CC EB FE 90 90 90

2. Place BP on CreateProcessA, then run process till BP.

3. Locate and open .tmp file in a new instance of Olly.

4. Patch OEP to EB FE 00 00 00

5. Save changes and close Olly.

6. Go to location 011856F3 in first Olly instance and patch to 6A FF 90 90 90

7. Hit Shift+F9 to run .exe and attach the .tmp file in the 2nd instance of Olly.

8. Open 3rd instance of Olly and attach it to the first instance of ollydbg.exe that has the target open in it.

9. Place BP on WaitForDebugEvent; after breaking here, return to ollydbg code. Press Alt+F9.

10. Patch TEST EAX, EAX with 68 C0 04 00 00 E8 65 0D 42 7C 90

11. The .tmp file Olly instance should be the only one running at this point.

12. Hit Shift+F9 and then F12 to land on OEP.

13. Patch OEP to E8 07 00 00 00 6A 00

Step_5 - Detach CrypKey Debugger from Example.exe

    14. BP WaitForDebugEvent <--- Tried this on the cksX.tmp instance and got this error:
        0013FEEC   00403080  ASCII "There was an error starting the program."

I can't seem to get past step 10. I go into more detail in my post below this.

2
I have been trying to reverse this program called "Design 2 Fab 5"; it's a sheet metal layout program. It has a protector called "CrypKey 6.x". With this protector there is a self-debugger protection that comes along with it. It is a cksX.tmp file that gets loaded into your temporary folder when you double-click on the executable for your program. This cksX.tmp file is actually an .exe that acts like a debugger, so you can't attach another debugger like OllyDbg to it.

So, the question I need answered here is: how do I attach a debugger to a process that already has a debugger attached to it?

Well, I read a few good articles about this and one of them is:

The Art of Unpacking
by: Mark Vincent Yason

Since the protected process is already being debugged, attaching a debugger via kernel32!DebugActiveProcess() will fail since the corresponding native API, ntdll!NtDebugActiveProcess() will return STATUS_PORT_ALREADY_SET. Internally, the failure of NtDebugActiveProcess() is due to the DebugPort field of the EPROCESS kernel structure being already set.

In order to attach a debugger to the protected process, a solution posted on several reversing forums involves invoking kernel32!DebugActiveProcessStop() in the context of the parent process. This can be done by attaching a debugger on the parent process, and setting a breakpoint inside kernel32!WaitForDebugEvent(), once the breakpoint is hit, a code to invoke DebugActiveProcessStop(ChildProcessPID) is then injected and executed, once the call succeeds, a debugger can be attached to the protected process.


Well, from this article it states:

1. Invoke kernel32!DebugActiveProcessStop() in the parent process.

The only way I know of doing this now is to open up our target in Olly, which makes Olly the parent, and then open up another instance of Olly and attach it to the 1st instance with our target.
Now we can debug or invoke "DebugActiveProcessStop()".

2. Set a BP inside WaitForDebugEvent().

Well, we can do this inside our 2nd instance of Olly. Once the BP is hit, we have to inject our own code into it somewhere. The tutorials I've read don't really give a good indication of where this should be, but let's use their location. Here is their location:

00439622   68 C0040000    PUSH 4C0
00439627   E8 650D427C    CALL kernel32.DebugActiveProcessStop
0043962C   90             NOP


This will overwrite the VA at 00439622 with these opcodes: 68 C0 04 00 00 E8 65 0D 42 7C 90
Well, when I put these opcodes inside Olly I am already at the VA 00439622. How will I know if these brand new lines of code will work? For some reason my OllyDbg seems to lock up at this point and either says running or just doesn't respond.
2009-6-13 05:02
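The byte patches from the two posts above, decoded, as an added example that is not code from the thread, the tutorial it follows, or OllyDbg. Two things are worth seeing in the numbers: the tutorial's stub pushes 4C0, which is the child PID on the tutorial author's machine, and its E8 displacement is relative to the address after the CALL, so at VA 00439622 the bytes 65 0D 42 7C resolve to 7C85A391, a kernel32 address from the tutorial author's session. Neither value carries over to another machine: the PID has to be the PID of your cksX.tmp child, and the displacement has to be recomputed from the address Olly shows for kernel32.DebugActiveProcessStop. The opcode set handled, and the placeholder VA 00401000 used for patches the posts give no address for, are assumptions.

```python
"""Decode the byte patches posted in this thread and rebuild the detach stub.

Added example: not code from the thread, the tutorial it follows, or OllyDbg.
Only the 32-bit x86 encodings the patches use are handled (an assumption of
scope): CC INT3, 90 NOP, EB rel8 JMP SHORT, 6A imm8 PUSH, 68 imm32 PUSH,
E8 rel32 CALL. Branch displacements are relative to the end of the
instruction, so the same CALL bytes reach a different target at a different VA.
"""
import struct


def disasm(code: bytes, va: int) -> list:
    """Return [(va, 'hex bytes', 'text')] for the supported opcodes; raise on others."""
    out, i = [], 0
    while i < len(code):
        op, at = code[i], va + i
        if op == 0x90:
            size, text = 1, "NOP"
        elif op == 0xCC:
            size, text = 1, "INT3"
        elif op == 0xEB:                      # JMP SHORT: target = next ip + rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            size, text = 2, "JMP SHORT %08X" % ((at + 2 + rel) & 0xFFFFFFFF)
        elif op == 0x6A:                      # PUSH imm8, sign-extended (Olly shows it signed)
            size, text = 2, "PUSH %d" % struct.unpack_from("<b", code, i + 1)[0]
        elif op == 0x68:                      # PUSH imm32
            size, text = 5, "PUSH %X" % struct.unpack_from("<I", code, i + 1)[0]
        elif op == 0xE8:                      # CALL rel32: target = next ip + rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            size, text = 5, "CALL %08X" % ((at + 5 + rel) & 0xFFFFFFFF)
        else:
            raise ValueError("opcode %02X at %08X is outside this example's scope" % (op, at))
        out.append((at, code[i:i + size].hex(" ").upper(), text))
        i += size
    return out


def build_detach_stub(patch_va: int, pid: int, fn_va: int) -> bytes:
    """PUSH pid / CALL fn_va / NOP, with the CALL displacement computed for patch_va."""
    push = b"\x68" + struct.pack("<I", pid)
    call_end = patch_va + len(push) + 5           # address of the byte after the CALL
    rel32 = (fn_va - call_end) & 0xFFFFFFFF
    return push + b"\xE8" + struct.pack("<I", rel32) + b"\x90"


def decode_detach_stub(patch_va: int, code: bytes) -> tuple:
    """Recover (pid, call target) from a stub shaped like the tutorial's 11 bytes."""
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        raise ValueError("expected PUSH imm32 followed by CALL rel32")
    listing = disasm(code[:10], patch_va)
    pid = int(listing[0][2].split()[1], 16)
    target = int(listing[1][2].split()[1], 16)
    return pid, target


# Byte strings exactly as posted in the thread; VAs are the ones the posts give
# where they give one, otherwise a placeholder 00401000 (assumption).
TUTORIAL_STUB = bytes.fromhex("68 C0 04 00 00 E8 65 0D 42 7C 90")
PATCHES = [
    ("jump-to-OEP hold (step 1)", 0x00401000, bytes.fromhex("CC EB FE 90 90 90")),
    ("child OEP hold (step 4)",   0x00401000, bytes.fromhex("EB FE")),
    ("step 6 patch",              0x011856F3, bytes.fromhex("6A FF 90 90 90")),
    ("detach stub (step 10)",     0x00439622, TUTORIAL_STUB),
    ("OEP restore (step 13)",     0x00401000, bytes.fromhex("E8 07 00 00 00 6A 00")),
]

if __name__ == "__main__":
    for name, va, code in PATCHES:
        print(name)
        for at, hexbytes, text in disasm(code, va):
            print("  %08X  %-16s %s" % (at, hexbytes, text))
    pid, target = decode_detach_stub(0x00439622, TUTORIAL_STUB)
    print("tutorial stub pushes PID %X and calls %08X" % (pid, target))
    # Same PID and target re-encoded for a different patch VA: the CALL bytes change.
    print(build_detach_stub(0x00401000, pid, target).hex(" ").upper())
```

build_detach_stub is the part to reuse: give it the VA you are actually patching, the PID of the cksX.tmp child and the address Olly resolves for DebugActiveProcessStop, and it emits bytes that are correct for that location; the tutorial's 11 bytes are only correct at 00439622 on the tutorial author's box.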

3
Step_5 - Detach CrypKey Debugger from Example.exe

    14. BP WaitForDebugEvent <--- Tried this on the cksX.tmp instance and got this error:
        0013FEEC   00403080  ASCII "There was an error starting the program."

I seem to be getting it with this "CrypKey with Self-Debugger" tutorial.
I guess the trick is this:

   1. Open target.exe and edit file like steps above
   2. Open cksX.tmp and edit file like steps above
   3. Attach cksX.tmp
   4. Attach ollydbg.exe to the ollydbg.exe that has target.exe open in it :D <-- that's the sweet spot there.

So, this is how you debug a process that is already being debugged. :D But now I have that error that I have to get rid of.
2009-6-13 05:02

4
OK, got past that step up above.

Here is a snippet from the tutorial I'm following:

Buffer in dump:

0012FF40 03 00 00 00 C0 04 00 00 A0 04 00 00 BC 07 00 00 ................
0012FF50 C0 07 00 00 C4 07 00 00 00 00 40 00 00 00 00 00 ..........@.....
0012FF60 00 00 00 00 00 F0 FD 7F 00 00 00 00 00 00 00 00 ................

This buffer holds event information. Check the MS reference to understand it. My idea was to place a conditional breakpoint that will stop the program when the CC byte (that I have placed instead of the OEP jump) is triggered. I have placed this conditional BP:

DWORD[edi+18]==00414C91

EDI points to the buffer when WaitForDebugEvent is executed, and at +18 from that buffer start is the address where the exception occurred:

$ ==> >01 00 00 00 C0 04 00 00 A0 04 00 00 03 00 00 80 ................
$+10 >00 00 00 00 00 00 00 00 91 4C 41 00 03 00 00 00 .........LA.....

Now I know that all crypkey code in Example.exe is executed and OEP should be reached.


Here is my dump output at this point:

0013FF40  40 44 1B 89 00 44 1B 89 F0 F2 55 02 48 8C C3 B1  @D...D....U.H...
0013FF50  67 21 4E 80 B8 44 1B 00 80 69 67 FF FF FF FF FF  g!N..D...ig.....
0013FF60  00 00 00 00 E8 44 1B 89 43 14 50 80 40 44 1B 89  .....D..C.P.@D..
0013FF70  6C 8C C3 B1 00 00 00 00 78 46 83 E8 00 00 00 00  l.......xF......
0013FF80  E0 EF A0 85 E0 1F 00 00 00 44 1B 89 78 4A 83 E8  .........D..xJ..
0013FF90  01 00 00 00 00 00 00 00 08 04 00 00 00 00 00 00  ................
0013FFA0  0C 00 00 00 00 00 00 00 00 00 00 00 B5 B9 58 80  ..............X.
0013FFB0  9C DC 90 7C 64 70 81 00 48 0E 00 00 F0 FF 13 00  ...|dp..H.......
0013FFC0  05 10 40 00 67 70 81 7C 18 00 00 00 10 00 00 00  ..@.gp.|........
0013FFD0  00 E0 FD 7F FA 12 55 80 C8 FF 13 00 20 70 62 89  ......U..... pb.
0013FFE0  FF FF FF FF C0 9A 83 7C 70 70 81 7C 00 00 00 00  .......|pp.|....
0013FFF0  00 00 00 00 00 00 00 00 00 10 40 00 00 00 00 00  ..........@.....


How do I find this spot DWORD[edi+18]==00414C91 in the dump?
2009-6-13 05:03
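The buffer layout behind the tutorial's DWORD[edi+18]==00414C91 condition, as an added example that is not code from the thread or from the tutorial it quotes. The tutorial says EDI points to the buffer passed to WaitForDebugEvent, i.e. its lpDebugEvent argument, so the buffer is a 32-bit DEBUG_EVENT: event code at +0, process and thread IDs at +4 and +8, and a union at +0C. The tutorial's first dump is a CREATE_PROCESS_DEBUG_EVENT (code 3) carrying hFile, hProcess, hThread and the image base 00400000; the second is an EXCEPTION_DEBUG_EVENT (code 1) whose EXCEPTION_RECORD starts at +0C, which puts ExceptionCode 80000003 (EXCEPTION_BREAKPOINT, what the planted CC raises) at +0C and ExceptionAddress 00414C91 at +18. The parser rebuilds both buffers from the quoted dump lines and evaluates the condition; the structure offsets are the 32-bit Win32 ones.

```python
"""Decode the DEBUG_EVENT buffer that WaitForDebugEvent fills in.

Added example: not code from the thread or the tutorial it quotes. Layout is
the 32-bit Win32 DEBUG_EVENT: dwDebugEventCode, dwProcessId, dwThreadId and a
union at +0x0C. For EXCEPTION_DEBUG_EVENT the union starts with an
EXCEPTION_RECORD, whose ExceptionAddress lands at +0x18 from the buffer start,
which is the field the tutorial's condition DWORD[edi+18]==00414C91 reads.
The two dumps below are the ones quoted in the post above.
"""
import re
import struct

EVENT_NAMES = {
    1: "EXCEPTION_DEBUG_EVENT", 2: "CREATE_THREAD_DEBUG_EVENT",
    3: "CREATE_PROCESS_DEBUG_EVENT", 4: "EXIT_THREAD_DEBUG_EVENT",
    5: "EXIT_PROCESS_DEBUG_EVENT", 6: "LOAD_DLL_DEBUG_EVENT",
    7: "UNLOAD_DLL_DEBUG_EVENT", 8: "OUTPUT_DEBUG_STRING_EVENT", 9: "RIP_EVENT",
}
EXCEPTION_BREAKPOINT = 0x80000003   # raised by an INT3 (CC) byte
EXCEPTION_SINGLE_STEP = 0x80000004

CREATE_PROCESS_DUMP = """
0012FF40 03 00 00 00 C0 04 00 00 A0 04 00 00 BC 07 00 00 ................
0012FF50 C0 07 00 00 C4 07 00 00 00 00 40 00 00 00 00 00 ..........@.....
0012FF60 00 00 00 00 00 F0 FD 7F 00 00 00 00 00 00 00 00 ................
"""
EXCEPTION_DUMP = """
$ ==> >01 00 00 00 C0 04 00 00 A0 04 00 00 03 00 00 80 ................
$+10 >00 00 00 00 00 00 00 00 91 4C 41 00 03 00 00 00 .........LA.....
"""

# An OllyDbg dump line: address (or a $/$+N stack label), 16 hex bytes, ASCII column.
DUMP_LINE = re.compile(
    r"^\s*(?:[0-9A-Fa-f]{8}|\$ ==>|\$\+[0-9A-Fa-f]+)\s*>?\s*"
    r"((?:[0-9A-Fa-f]{2}\s+){15}[0-9A-Fa-f]{2})")


def from_dump(text: str) -> bytes:
    """Rebuild the raw bytes from pasted OllyDbg dump lines."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError("not a dump line: %r" % line)
        out += bytes.fromhex(m.group(1))
    return bytes(out)


def parse_debug_event(buf: bytes) -> dict:
    """Parse the header and the two union members this thread is about."""
    if len(buf) < 0x0C:
        raise ValueError("shorter than the DEBUG_EVENT header")
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "name": EVENT_NAMES.get(code, "UNKNOWN"), "pid": pid, "tid": tid}
    if code == 1 and len(buf) >= 0x20:
        # EXCEPTION_RECORD: ExceptionCode +0C, ExceptionFlags +10, *ExceptionRecord +14,
        # ExceptionAddress +18, NumberParameters +1C, then ExceptionInformation[15]
        exc, flags, _chain, addr, nparams = struct.unpack_from("<5I", buf, 0x0C)
        ev.update(exception_code=exc, exception_flags=flags,
                  exception_address=addr, number_parameters=nparams)
        if len(buf) >= 0x60:                  # dwFirstChance follows the 80-byte record
            ev["first_chance"] = struct.unpack_from("<I", buf, 0x5C)[0]
    elif code == 3 and len(buf) >= 0x30:
        # CREATE_PROCESS_DEBUG_INFO: handles, image base, debug-info offset/size,
        # TLS base, start address, image-name pointer (fUnicode WORD follows)
        names = ("hFile", "hProcess", "hThread", "base_of_image", "debug_info_offset",
                 "debug_info_size", "thread_local_base", "start_address", "image_name_ptr")
        ev.update(zip(names, struct.unpack_from("<9I", buf, 0x0C)))
    return ev


def breakpoint_hit_at(buf: bytes, va: int) -> bool:
    """The tutorial's conditional BP as a function: an exception event raised at va."""
    ev = parse_debug_event(buf)
    return ev["code"] == 1 and ev.get("exception_address") == va


if __name__ == "__main__":
    for dump in (CREATE_PROCESS_DUMP, EXCEPTION_DUMP):
        ev = parse_debug_event(from_dump(dump))
        print({k: ("%X" % v if isinstance(v, int) else v) for k, v in ev.items()})
    print(breakpoint_hit_at(from_dump(EXCEPTION_DUMP), 0x00414C91))
```

A quick sanity check when reading a dump window: the first DWORD of a real DEBUG_EVENT buffer is a small event code between 1 and 9, and the next two are the child's PID and TID, so a window whose first DWORDs are large pointer-sized values is not showing the buffer EDI points to.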

5
I know this is all in the wrong area of this forum, but I can't read Chinese at all and I'm American, and it seems like you guys know what you are doing on this forum, so I would like to get some help from you guys.

I can't access other parts of this forum, so can you please keep this topic here??
2009-6-13 05:05

6
Programs protected by CrypKey can be easily keygened if you can find the user key and master key, which you can get by searching for the main exe file name (which is usually the case) in the process memory.
2009-6-13 18:58

7
I have taken a look at the exe itself; the problem though is that it hangs if I try to breakpoint anything, because there is a self-debugger attached.

Now I can use this method to look at the .tmp file:

1. Open target in Olly and modify.
2. Open .tmp file in Olly, then modify and close.
3. Then attach .tmp.
4. Then attach first olly.exe with target open in it. <-- which detaches the debugger.

Then I'm able to look through the code on the .tmp...

But at this point the first OllyDbg is not responding.
2009-6-14 04:11

8
Did you look for the master and user key?
That would be a good starting point.
Can you look at the site key?
I'll try to put this on my test machine and have a look.
2009-6-16 04:19

9
I've looked at every file, DLL and exe in the installed folder. I can't find anything, mostly because the .exe is being self-debugged. It cannot run under OllyDbg. The only way you can step through it is if you detach the self-debugger. I haven't figured out how to do this yet. Actually I have, but when I detach it, the .exe hangs and I'm able to step through the .tmp file instead.

I've been working on this project for a week now. I've been through a lot.

The other thing I have is:

REG CODE:  C256 7D58 B9AE 8FB2C3
SITE CODE: 48C2 9051 DBF4 85D4 4159 2248CD

Now I guess this is what was used to register the program's older version, not this one.
I don't know if we can use this or not.
2009-6-16 12:22

10
The site key is a hidden file, usually in the Documents and Settings folder.
You might have to search for it, but it's somewhere on your computer.
The original site key would be very useful; after expiration it changes.
Go to Tools, Folder Options and View, then show hidden files and folders.
2009-6-16 12:44

11
Yeah, that's not it.. I always run my computer with hidden files shown. But I've been over a lot of the exe and do not see any text that would be a key or master key. So, I threw the project down and stepped on it and kicked it and poured water on it lmao :D

I just can't find it.
2009-6-18 05:12

12
Installed on test box.
Searched the main .exe and did not find user or master key.
I did notice that if I generate a .key file it accepts it, but then says
"don't move file, not authorized".
I just need to get the parameters correct; this would take some more research.
The .key file is just in the main folder.
Did you request a trial? That .key would give us some good information.
2009-6-20 05:11

13
The regcode and sitecode are for the trial. I don't see a .key file inside the program folder. Also I don't see the .key file in the temporary folder. Is this something that gets generated when you run the program? If it is, I will have to take a look at the .key file itself.
2009-6-20 17:17

14
Hi guys;
really busy, hope this helps.
Could you finish this off, Dr Pete?

Trial Site Key
==============

C:\>ckinfo/sitekey 48C2 9051 DBF4 85D4 4159 2248 CD
CrypKey Copy Protection Information v1.12
(C)2001-2005 thewd, thewd@hotmail.com

Parsing Key    - 48C2 9051 DBF4 85D4 4159 2248 CD
Decrypting Key - 0000 01CB 7803 0000 0015 80B1 93 [0x1B:0x13]
Key Validation - OK
Formatting Key :
                      00 00 01 CB78 03000000 1580 B193
                      ╠╝ ╚╝ ╚╣ ╠══╝ ╠══════╝ ╠══╝ ╠══╝
                      ╚═══╗  ║ ║    ║        ║    ╚══════════ Key CRC - 0xB193
  Add To Licence? - No ═══╝  ║ ║    ║        ╚════ Limited Licence (Days) - 21
  Number Of Licences - 1 ════╣ ║    ╠══ Key Level - 3
  Network Licence? - No ═════╝ ║    ╚══ Key Options - 0
  Easy Licence? - No ══════════╩═══════ User Key Hash - 0x78CB

Site Code
=========

C:\>ckinfo/sitecode C256 7D58 B9AE 8FB2 C3
CrypKey Copy Protection Information v1.12
(C)2001-2005 thewd, thewd@hotmail.com

Parsing Code    - C256 7D58 B9AE 8FB2 C3
Decrypting Code - 0002 3D0E 1FF3 FF5B A2 [0x1B:0x13]
Code Validation - OK
Formatting Code :
                            02 3D 0E1F F3FF 5BA2
                            ╚╣ ╚╣ ╠══╝ ╠══╝ ╠══╝
                             ║  ║ ║    ║    ╚═══════════════ Code CRC - 0x5BA2
  Allow Add Licence? - No ═══╣  ║ ║    ╠════════ User Key Hash (Seed) - 0xFFF3
  Allow Easy Licence? - Yes ═╝  ║ ║    ╚═════ Drive Serial Number (Error) - 13
  CrypKey Libraries - v6.1 ═════╝ ╠═ Account Number - 782
                                  ╠═ Application Id - 7
                                  ╚═ Company Number - 7956782

Master Key
===========

C:\>ckinfo/masterkey 1ed4e47ee8f0407f66f5f71a2c07d48fb45c4b94be943317113396d5c47602b5053f88d49c00bd2
e98a99e44dad80731b9aa7915f71061ec865c277beecb8f659f6150ca02d90848d9ef3ba2aee7d64be8d372ec10da3c9776a
58827bb6e8eac8abd6db1809a5b81cb65cac768a410c356acc5baa1907722fc6b22254e02216b
CrypKey Copy Protection Information v1.12
(C)2001-2005 thewd, thewd@hotmail.com

Parsing Key    - 1ED4 E47E E8F0 407F 66F5 F71A <..> 7722 FC6B 2225 4E02 216B
Decrypting Key - DAFE 0000 0E1F 0000 0000 0046 0300 0000 0100 0100 0000 0000
                 0000 0000 0000 0000 0000 0000 0000 4432 4635 2E4C 4943 0000
                 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
                 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
                 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 B41E
Key Validation - OK
Formatting Key :
                 0000 0E1F 00460300 443246352E4C4943000000000000 B41E
                 ╚══╣ ╠══╝ ╠══════╝ ╠══════════════════════════╝ ╠══╝
  ╔═ Allow Modules ═╝ ║    ║        ╚═══════ Filename - D2F5.LIC ╚═ Key CRC ═╗
  ╠═ WinNT16? - Yes   ║    ╠══ Use Static Key? - No                  0xB41E ═╝
  ╠═ WinNT32? - Yes   ║    ╚══ Use USBKey? - No
  ╚═ Network? - Yes   ╠═══ Account Number - 782
                      ╠═══ Application Id - 7
                      ╚═══ Company Number - 7956782

UserKey
=======

C:\>ckinfo/userkey DE0C E7D9 E895 CC5E D9
CrypKey Copy Protection Information v1.12
(C)2001-2005 thewd, thewd@hotmail.com

Parsing Key    - DE0C E7D9 E895 CC5E D9
Decrypting Key - 0808 0909 0A09 0A09 09
Key Validation - OK
Formatting Key :
                 0809090A090A0909
                 ╠══════════════╝
                 ╠═══ Password - GNNWNWNN
                 ╠═══ Password Number - 1360164348
                 ╠═══ User Key Hash (1) - 0x49
                 ╚═══ User Key Hash (2) - 0x78CB

2009-6-20 19:53

15
I don't understand where you got the master key and user key from. Were these generated or did they come from the file?
2009-6-22 13:24

16
He found them in the program!
Mozzie is much better at finding stuff than me; he is
the teacher and I the student.

Good to see you again Mozzie, I'll take it from here.
BTW, what file is the "stuff" in?

With this information we can generate the information for good keys.
I'll test on my machine and report back.

The .key file is just sitting in the main program directory.
It probably won't do you any good if it's been over 21 days since you installed it.
We don't need it any longer though.

I'll test in the morning and report back.

xcryptox,
Do you want to remove the CrypKey wrapper or just get the program to work?
Post your site code and I'll generate a key for you.
Or learn with the information and do it yourself.
You can license CrypKey to generate keys for your program with this information.
2009-6-22 13:53

17
The master key and user key are hard-coded in one file (usually the main exe file) and you can use memory editors such as WinHex to get them.
2009-6-22 22:21

18
No, I didn't find the master and user key. I remember this program, either the same version or another version, posted a long time ago.

Someone found the keys and I kept them in my box of CrypKey stuff.

I just don't have time to run the program.

However, here is a useful utility that shows the keys when other typical methods fail (i.e. debuggers).

Run Process Monitor; then start your target and see what new applications are running => then explore these with Process Monitor; often the keys will be in the strings memory or in the main exe image.

71fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4u0S2M7r3W2V1M7$3S2S2M7X3g2Q4x3X3g2U0L8$3#2Q4x3V1k6X3K9h3I4W2M7#2)9J5c8U0t1@1y4K6f1H3y4e0R3&6x3g2)9J5c8W2m8J5L8$3y4W2M7%4y4y4L8$3&6A6N6r3!0J5i4K6u0W2P5X3W2H3

2009-6-23 05:04
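An added example of the search the last few posts describe, going through the main exe image or a process memory dump for the keys; this is not code from the thread, CrypKey or Process Monitor, and it only finds text shaped like the codes posted in this thread. The constructed sample image embeds the site code and trial site key posted above, one as ASCII and one as UTF-16LE (Windows binaries carry strings both ways), plus decoys that must not match. A hit is a candidate only: the digit count gives the label, and whether a candidate validates is what ckinfo's CRC check decides, which is not reproduced here. The grouping and length conventions, and the sample itself, are assumptions taken from the thread.

```python
"""Hunt a binary image (exe on disk or a memory dump) for CrypKey-shaped key text.

Added example: not code from the thread, CrypKey or Process Monitor. It finds
text that looks like the codes shown in this thread, i.e. hex digits grouped
in fours with a short tail, or long unbroken hex blobs, in ASCII and UTF-16LE.
The labels come from the lengths visible in the thread (site code and user key
are 18 hex digits, the site key 26, the master key a few hundred); a hit is a
candidate only, since the CRC check that ckinfo reports is not reproduced.
"""
import re

# 3+ groups of four hex digits and a 1-4 digit tail, not glued to other hex
GROUPED = re.compile(rb"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4} ){3,}[0-9A-Fa-f]{1,4}(?![0-9A-Fa-f])")
# unbroken hex of 64+ digits, the way the master key is posted
BLOB = re.compile(rb"(?<![0-9A-Za-z])[0-9A-Fa-f]{64,}(?![0-9A-Za-z])")
LABELS = {18: "site code / user key (9 bytes)", 26: "site key (13 bytes)"}


def classify(hexdigits: str) -> str:
    """Label a candidate by digit count; the counts are the ones seen in the thread."""
    if len(hexdigits) >= 128:
        return "master key candidate (%d hex digits)" % len(hexdigits)
    return LABELS.get(len(hexdigits), "unknown (%d hex digits)" % len(hexdigits))


def fold_utf16le(data: bytes, shift: int) -> bytes:
    """Squash UTF-16LE to one byte per code unit (0xFF where the high byte is set),
    so the ASCII regexes can run; an index maps back to offset shift + 2*index."""
    lo, hi = data[shift::2], data[shift + 1::2]
    return bytes(l if h == 0 else 0xFF for l, h in zip(lo, hi))


def scan(data: bytes) -> list:
    """Return hits sorted by offset: dicts with offset, encoding, text and label."""
    views = [("ascii", data, 1, 0)]
    # both alignments, since a wide string need not start on an even offset
    views += [("utf-16le", fold_utf16le(data, s), 2, s) for s in (0, 1)]
    hits = []
    for enc, view, step, base in views:
        for rx in (GROUPED, BLOB):
            for m in rx.finditer(view):
                text = m.group().decode("ascii")
                hits.append({"offset": base + step * m.start(), "encoding": enc,
                             "text": text, "label": classify(text.replace(" ", ""))})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed image: the site code and trial site key posted in this thread,
# one as ASCII and one as UTF-16LE, plus decoys that must not match.
SAMPLE = (
    b"\x00" * 8
    + b"Design 2 Fab 5\x00"
    + b"SITECODE=C256 7D58 B9AE 8FB2 C3\x00"
    + "Key: 48C2 9051 DBF4 85D4 4159 2248 CD".encode("utf-16le") + b"\x00\x00"
    + b"MZ\x90\x00garbage 1234 ABCD\x00"
    + b"MASTER=" + b"1ed4e47e" * 32 + b"\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%06X %-8s %-34s %s" % (h["offset"], h["encoding"], h["text"][:34], h["label"]))
```

Run it over a file read in binary mode or over a dump saved from the debugger; the offsets it prints are what you then look at in WinHex or in Olly's dump window.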

19
I would like to remove the CrypKey wrapper and generate a key :D

I would like to know how to generate a key with this information, so a little tutorial would be nice, being that there isn't one around. It's just a few hundred posts around this site lol. I've seen them all. Someone needs to make a little whitepaper or PDF on this so it's easy.

Here is my site code: 3146 1DA8 F4D5 6C08 70

Can you explain the steps taken to generate a working key?

In my original post I was trying to remove the protection altogether and unpack it. That knowledge is what I'm really after. I know I was really close.

Thanks again guys. I've been working on this program a long time now. I'm not going to give up on it either till I fully understand what you guys are doing :D
2009-6-24 20:30

20
Your site key is: 8720 E7F8 AB31 AA86 0D81 8BCE C6

Maybe after you license the program you can better try to remove the wrapper.
If I can find some time I'll write up a tutorial on licensing CrypKey.

Once you get your head around it, it's very easy. I licensed the generator for this app.
In this case the program wanted a certain level to run, so it was just easier for me to license SKG.

If you don't have it already, grab CrypKey SKG v7.1 from this forum here:
http://bbs.pediy.com/showthread.php?t=58022&highlight=crypkey
2009-6-25 03:23

21
Thanks, I grabbed it. If you want to send me a few pointers on how to do the process, you can always PM me the link to the tutorial or post your tutorial here :D.
2009-6-25 16:44

22
DrPete:
If I can find some time I'll write up a tutorial on licensing CrypKey.


Would be nice if you could just write a few things on it and throw it on the forum or send it to me in a PM?

That way I can get this project out of the way :D
2009-6-26 19:26

23
@DrPete

If you don't have it already grab from this forum crypkey skg v7.1 from here:
http://bbs.pediy.com/showthread.php?t=58022&highlight=crypkey


There isn't a readme in this thing.. I don't know what I'm supposed to do with this program..
2009-6-28 07:51

24
@Mozzie

Process Monitor has these buttons:

show registry activity
show file system activity
show network activity
show process and thread activity
show profiling events

-------------------------------------------------

It would be nice to know what I'm looking for lmao.
Do I scroll and just look through the information for the user key and master key?
Or do I right-click these lines and look at the stack information?
2009-6-28 08:48

25
Wow, 3 days, no answer to my questions. :(
2009-7-1 06:30