IDA 4.9 - LocalLock Fix
=======================
This patch requires UNPACKED ida*.exe and ida*.wll.
Use syd ASPR-Stripper 2.07 or CASPR to do the job!
->[http://doom.scene-gods.de/unpacker.htm] http://antiwpa.ru.org
About the patch:
ZWT released a version that was locked to Russian only
(you needed to set your timezone to GMT+3 (Russian)).
DVT released a fix, but it was improper: it only patched
away the MessageBox+Quit, so later many functions & modules don't load.
This patch will set the 'correct' value for the timezone right after the API call - instead of trying to patch every jz.
In case you get "The processor module is prohibited by the key", use the included ida.key file.
It unlocks modules 1..50 (50..64 is zero and probably for future use), which seems to be
enough since there are only 33 loader modules in the current version.
As a bonus patch the stupid about box at startup is removed, so
IDA will start 3 seconds faster.
If you don't like the bonus, remove (rename) idau64.exe, apply, and
click on 'no' to stop the patch sequence.
Since this is a search'n'replace patch it might also work
for future versions of IDA!
However, in the first place it was made & tested with version 4.9.
[email protected] - http://antiwpa.ru.org
Here's a doc about UDP 23945 to clear up the IDA undercover myths.
This refers to the post
http://www.datarescue.com/ubb/ultimatebb.php?/topic/1/490.html
Since some people were complaining that this feature is not well documented, here we go:
It all depends on the data inside ida.key (-> details added below).
Idag.exe scans inside the registered-to text for the string "user" and gets the number above it.
If "user" is not found at all, or found at position 0..3, or the number is above 1, the network check is not started.
Note: Changing the "user" inside ida.key is a good idea, but changing it inside idag.exe (-> CASPR 1.100 will do a good job at unpacking) will of course do the trick. :D
But back to the doc...
The check is performed within an extra thread (CreateThreadA!) which runs all the time beside the main thread.
From the entire registered-to text a 128-bit MD5 checksum is created and submitted, together with some other ID values like CurrentProcessId,
as a 40-byte UDP broadcast packet on port 23945. (See below for details.)
But before submitting, it tries to add itself to the Windows Firewall to avoid getting blocked,
by calling windows_firewall_enable_app in win_fw.dll inside the IDA dir:
win_fw.dll!#1 (0,"The Interactive Disassembler","C:\IDA\idag.exe")
Note: the 0 stands for Enable and 1 for Block traffic.
->Btw, nice small dll that can easily be reused in other projects ;)
A quick look into it reveals that it uses the COM interface of [Windows]\SYSTEM32\HNETCFG.DLL,
just as Windows does to open ports...
CreateObject("HNetCfg.FwMgr")
hnetcfg.FwMgr::get_LocalPolicy
hnetcfg.FwPolicy::get_CurrentProfile
hnetcfg.FwProfile::get_FirewallEnabled
hnetcfg.FwAuthApps::Item ...
But again back to the UDP broadcast request. This is how it is performed for real.
So that should also be a good skeleton in case you want to implement a
similar check in your app.
Socket= WSOCK32.socket(
Family = AF_INET,
Type = SOCK_DGRAM,
Protocol = IPPROTO_IP)
WSOCK32.bind(Socket,
pSockAddr=23945,
AddrLen = 0x10 )
WSOCK32.setsockopt(Socket,
Level = SOL_SOCKET,
Option = SO_BROADCAST,
Data, DataSize = 4)
WSOCK32.send(Socket,
Data, DataSize = 0x28 (40 Bytes),
Flags = 0 )
(Note: WSOCK32 is just a wrapper dll; nearly all calls are redirected directly to WS2_32.)
After that IDA switches into receive mode and listens for any incoming UDP data on port 23945 which is
40 bytes long, starts with "IDA", and is not the packet it has sent itself
(i.e. whose CurrentProcessId doesn't match its own). (Have a look at 'Format of IDA Data Package' below now.)
WSOCK32.recvfrom(Socket,
Data, DataSize = 0x28 (40 Bytes),
Flags = 0 )
If it receives a packet whose type is 0 (=Reply) it will compare the MD5 checksum with its own one, and
if it matches it will display a message that someone else is also running IDA on the network, and quit.
Else (the received packet is a Request (type=1)) it will set Type=0 (Reply) and send its own packet again;
after that it will enter the receive loop again.
Format of IDA Data Package:
Offset  ExampleData  Description
$+0     00414449     Const signature "IDA."
$+4     00000001     Type (0=Reply, 1=Request)
:SessionID
$+8     FDE74450     Result of Kernel32!GetCurrentProcess
$+C     010C481B     Result of Kernel32!GetCurrentProcessId
$+10    FF79D115     Result of Kernel32!GetCurrentThread
$+14    00433A7D     Result of Kernel32!GetCurrentThreadId xor 'more'
Note: 'more' = (((((GetTickCount XOR GetCurrentProcess) <<1) XOR GetCurrentProcessId) <<1) XOR GetCurrentThread) <<1
:Serial
$+18    FFFFFFFF     128-bit MD5 checksum (=0x10 byte value)
        FFFFFFFF     of the registered-to text
        FFFFFFFF
        FFFFFFFF
$+28    (end of packet, 40 bytes)
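The exchange and the packet layout described above, as an added Python example (not IDA's own code): it packs and parses the 40-byte datagram, builds the $+14 session field the way the 'more' note describes, and replays the receive-loop decisions (ignore own packet, answer a Request with a Reply, quit on a matching Reply). Handles, process ids and the registered-to text are constructed sample values.

```python
import struct
import hashlib
# Layout of the 40-byte datagram as documented above (little-endian dwords):
# "IDA\0" | Type | hProcess | ProcessId | hThread | ThreadId^more | 16-byte MD5
PACKET_FMT = "<4sIIIII16s"
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 0x28 = 40 bytes
SIGNATURE = b"IDA\x00"                      # the dword 00414449 at $+0
TYPE_REPLY, TYPE_REQUEST = 0, 1

def reg_digest(reg_text):
    """The :Serial field: MD5 over the whole registered-to text."""
    return hashlib.md5(reg_text).digest()

def session_tid(tick, hproc, pid, hthread, tid):
    """The $+14 field: ThreadId xor 'more', built as in the note above (32-bit wrap)."""
    more = (tick ^ hproc) << 1
    more = (more ^ pid) << 1
    more = (more ^ hthread) << 1
    return (tid ^ more) & 0xFFFFFFFF

def build_packet(ptype, session, digest):
    """session = (hProcess, ProcessId, hThread, ThreadId^more) as at $+8..$+14."""
    return struct.pack(PACKET_FMT, SIGNATURE, ptype, *session, digest)

def parse_packet(data):
    """Fields as a dict, or None when the datagram is not an IDA packet."""
    if len(data) != PACKET_LEN:
        return None
    sig, ptype, hproc, pid, hthread, tid, digest = struct.unpack(PACKET_FMT, data)
    if sig != SIGNATURE:
        return None
    return {"type": ptype, "pid": pid, "session": (hproc, pid, hthread, tid), "md5": digest}

def handle_datagram(data, own_session, own_digest):
    """Receive-loop decision: ('ignore', None), ('reply', bytes) or ('duplicate', None)."""
    pkt = parse_packet(data)
    if pkt is None or pkt["pid"] == own_session[1]:   # not IDA, or our own broadcast
        return ("ignore", None)
    if pkt["type"] == TYPE_REPLY:
        # Same registered-to text elsewhere on the network: IDA shows its message and quits
        return ("duplicate", None) if pkt["md5"] == own_digest else ("ignore", None)
    # A Request: answer with our own packet re-marked as Reply, then keep listening
    return ("reply", build_packet(TYPE_REPLY, own_session, own_digest))

if __name__ == "__main__":   # constructed sample: two instances sharing one key
    digest = reg_digest(b"constructed registered-to text")
    a, b = (0x100, 0x1234, 0x200, 0x5678), (0x100, 0x4321, 0x200, 0x8765)
    action, reply = handle_datagram(build_packet(TYPE_REQUEST, a, digest), b, digest)
    print(action, handle_datagram(reply, a, digest)[0])   # reply duplicate
```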
OK, that's it so far!
--------------------------------------------------------------
Appendix:
What's inside IDA.Key
ida.Key
00000000h: 0D 0A 3C 49 44 41 20 50 72 6F 20 6B 65 79 20 66 ; .....xx
00000020h: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ; xxxxxxxxxxxxxxxx
00000030h: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ; xxxxxxxxxx 1 use
00000040h: 72 2C 20 73 74 64 2C 20 xx xx 2F 32 30 30 xx 00 ; r, std, xx/200x.
00000050h: 0D 0A 0D 0A 0D 0A 0D 0A 00 8D 2E 3D DC B6 A2 5A ; .........ì.=▄╢óZ
00000060h: FE 82 DC D3 F5 12 4A 71 D8 21 AA 1B 7D 38 6D 6D ; ■é▄╙⌡.Jq╪!¬.}8mm
00000070h: 26 3F 2B B2 CA B9 83 38 B8 9C 1B 87 7B E2 F9 73 ; &?+▓╩╣â8╕£.ç{Γ∙s
00000080h: D6 41 78 5F AE F7 3D B7 A7 FA 94 88 1C 09 49 DC ; ╓Ax_«≈=╖º·öê..I▄
00000090h: 91 4E 0A 4F 9F 94 84 06 A6 95 66 AF ED 2A 05 33 ; æN.Oƒöä.ªòf»φ*.3
000000a0h: F8 63 27 95 29 3B AB FC 5D 4B 0A C4 E2 9D 12 46 ; °c'ò);½ⁿ]K.─Γ¥.F
000000b0h: 0A 25 A3 9E A0 DC 7D 8C E3 AA 9B 09 99 E7 03 50 ; .%ú₧á▄}îπ¬¢.Öτ.P
000000c0h: 0E D0 08 B0 D6 FA F6 6E 47 AC 71 69 20 68 66 F4 ; .╨.░╓·÷nG¼qi hf⌠
000000d0h: 64 45 00 43 37 B8 5E B8 68 00 00 00 00 00 00 00 ; dE.C7╕^╕h.......
000000e0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000f0h: 00 00 00 00 00 00 00 00 00 80 6B 8D 2D 52 5D 5B ; .........Çkì-R][
00000100h: D2 8D 0A C1 79 F1 FA 5D 6D 9D B3 39 F0 B4 F9 27 ; ╥ì.┴y±·]m¥│9≡┤∙'
00000110h: 73 13 EB D4 20 E1 EB E7 E4 2D B0 A5 86 6B E6 6A ; s.δ╘ ßδτΣ-░Ñåkµj
00000120h: 99 7A 6A A8 7C E6 DE 4B DB 7B B8 93 DF 1E 78 D1 ; Özj¿|µ▐K█{╕ô▀.x╤
00000130h: FB C7 9D 6F 3C 2F 05 CF 3B 0F D9 10 E1 63 54 30 ; √╟¥o.......
00000180h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000190h: 00 00 00 00 00 00 00 00 00 ; .........
{Note: encrypted data slightly modified}
As you see it consists of three parts:
Unencrypted header
Part 1: encrypted SerialData
Part 2: encrypted SerialData backup
Unencrypted, Part 1 and Part 2 are nearly identical, except that in Part 2 the
'Bitarray for licensed Processor modules' must be filled with 00.
The file is accessed from the end of the file. One part is 0xA0 bytes big,
which is 0x7F bytes of user data and a gap of 0x21 bytes.
So for example Part 2 of ida.Key would be at:
part2 = (filelength - (7f+21))
Offset  Part 2    ASCII   Part 1    ASCII   Description
00      00001DF7  ≈b..    00001DB8  ╕a..    Timestamp milliseconds?
04      4236E49B  ¡τ┤?+   4236E49B  ¡τ┤?    Timestamp 15.03.2005 13:35:23 (GMT 0)
08      00000000  ....    447B2FEF  ∩/{D    Bitarray for licensed Processor modules 0..32
0C      00000000  ....    00000901  ...     Bitarray for licensed Processor modules 32..64
10      B5FE02 3D = Ñ     B5FE02 3D = Ñ     3D = marker to check whether decryption succeeded
14      xxxxxxxx  Anon    xxxxxxxx  Anon    Regname
18      xxxxxxxx  ymou    xxxxxxxx  ymou
....
7C      00000033  3...    00000033  3...
80
Discussion:
Timestamp: A 32-bit timestamp in Unix C time (seconds since 1.1.1970),
not used in the program so far - maybe good for future time-limited keys.
Note: The timestamp is similar to the file creation time.
Bitarray for licensed Processor modules:
This 64-bit array has room for 64 processor modules;
if the bit is set (1) the use is allowed, if clear it is not.
Implementation details in ida.wll: see the listing below, found via the reference to the string
"The processor module is prohibited by the key".
Marker: The low byte of the dword should be 3D to detect whether decryption succeeded.
The remaining 3 bytes are not used and their meaning is unclear.
Regname: The name that appears in the about box.
It is checked that the Regname in the header, in Part 1 and in Part 2 matches
until ida.wll!#xx returns it to idag.exe.
So far for the documentation.
If you've got enough time, IDA is not only good for finding out how other programs work (or why they don't),
it's also good for exploring itself.
It's the best and only all-in-one solution for all kinds of executable code:
PE32 and PE64 for AMD64 or IA64 Windows, Java, CLR (.NET), old 16-bit Windows 3.11 NE exes, mobile phone & PlayStation ROMs, and even the Z80 ROM of my TI83 calculator.
On unknown assemblers the auto comments you can enable in the options help a lot.
BTW, what happened to the freeware version of IDA, which was discontinued and disappeared years ago?
The installation package was really small and it was very good.
So for remote on-the-fly analysis of computer problems I use OllyDbg.
|.  BA 01000000     MOV EDX, 1
|.  E8 BC3B0100     CALL                   ; procmodul
|.  85C0            TEST EAX, EAX
|.  74 27           JE SHORT
|.  8B50 08         MOV EDX, [EAX+8]       ; get BitField1
|.  8B48 0C         MOV ECX, [EAX+C]       ; get BitField2
|.  A1 2C9B0C10     MOV EAX, []            ; get ProcNumber
|.  83F8 20         CMP EAX, 20            ; if ProcNumber < 20
|.  7C 05           JL SHORT 10024E89      ;   use BitField1
|.  83E8 20         SUB EAX, 20            ; if ProcNumber >= 20
|.  8BD1            MOV EDX, ECX           ;   use BitField2
|>  83F8 20         CMP EAX, 20            ; if ProcNumber >= 40
|.  7D 18           JGE SHORT              ;   goto OK
|.  8BC8            MOV ECX, EAX           ; ECX = ProcNumber
|.  B8 01000000     MOV EAX, 1
|.  D3E0            SHL EAX, CL            ; EAX = (1 << ProcNumber)
|.  85D0            TEST EAX, EDX          ; test if bit in array is set
|.  75 0B           JNZ SHORT
forbidden:
    68 395F0B10     PUSH 100B5F39          ; ASCII "The processor module is prohibited by the key"
|.  E8 1B21FEFF     CALL 10006FC0
|.  59              POP ECX
ok:
    68 675F0B10     PUSH 100B5F67          ; /Arg1 = 100B5F67 ASCII "OK"
|.  E8 7CCFFEFF     CALL 10011E2C          ; \ida.10011E2C
BitField1 (key offset 08) = 447B2FEF, last row = bit index mod 10:
   4    4    7    B    2    F    E    F
0100 0100 0111 1011 0010 1111 1110 1111
1098 7654 3210 9876 5432 1098 7654 3210
BitField2 (key offset 0C) = 00000901:
   0    0    0    0    0    9    0    1
0000 0000 0000 0000 0000 1001 0000 0001
1098 7654 3210 9876 5432 1098 7654 3210
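The check in the listing above, as an added Python example (not IDA's own code): it decodes which processor modules a key's two bit arrays license, using the Part 1 example values from the key table, and renders the same nibble and bit-index rows as shown above, so a key can be inspected before it is trusted.

```python
# Processor-module licence check, rewritten in Python from the ida.wll listing
# above (added example, not IDA's own code). bitfield1 is the dword at key
# offset 08, bitfield2 the dword at offset 0C; a set bit licenses that module.
BITFIELD1 = 0x447B2FEF   # Part 1 example values from the key table above
BITFIELD2 = 0x00000901

def module_allowed(bitfield1, bitfield2, proc_number):
    """Replay the listing: choose the field, then TEST (1 << n) against it."""
    field, n = bitfield1, proc_number
    if n >= 0x20:                          # CMP EAX,20 / JL: 0..31 stay on BitField1
        field, n = bitfield2, n - 0x20     # SUB EAX,20 / MOV EDX,ECX
        if n >= 0x20:                      # CMP EAX,20 / JGE -> "OK": 64+ pass untested
            return True
    return (field >> n) & 1 == 1           # MOV EAX,1 / SHL EAX,CL / TEST EAX,EDX

def licensed_modules(bitfield1, bitfield2):
    """Module numbers 0..63 whose bit is set in the two arrays."""
    return [n for n in range(64) if module_allowed(bitfield1, bitfield2, n)]

def bit_rows(value):
    """Render a dword as the nibble and bit-index rows used above, for eyeballing a key."""
    bits = f"{value:032b}"
    idx = "".join(str((31 - k) % 10) for k in range(32))   # 31..0, one digit each
    group = lambda s: " ".join(s[i:i + 4] for i in range(0, 32, 4))
    return f"{value:08X}", group(bits), group(idx)

if __name__ == "__main__":
    for row in bit_rows(BITFIELD1) + bit_rows(BITFIELD2):
        print(row)
    print(licensed_modules(BITFIELD1, BITFIELD2))   # 23 modules, from 0 up to 43
```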
Decryption:
ida.wll!#16 -> MD5_init
ida.wll!#18 -> MD5_update
ida.wll!#15 -> MD5_Final
The blacklist array just follows after the string "REG_0x%x";
in version 4.6 there are 8 blacklisted names stored here:
100B7B20 47455200 .REG
100B7B24 2578305F _0x%
100B7B28 00300078 x.0.
100B7B2C 00006425 %d..
Start of array blacklisted[0..8] of MD5 checksums:
100B7B30 C85FAEFC ⁿ«_╚
100B7B34 4B10E1BA ║ß K
Update for version 4.9:
The blacklist area looks like this:
$-40 >64 62 0F 10 00 00 00 00 DC FF FF FF 43 6F 6D 70 db ....▄ Comp
$-30 >69 6C 69 6E 67 20 66 69 6C 65 20 27 25 73 27 2E iling file '%s'.
$-20 >2E 2E 0A 00 45 78 65 63 75 74 69 6E 67 20 66 75 ....Executing fu
$-10 >6E 63 74 69 6F 6E 20 27 25 73 27 2E 2E 2E 0A 00 nction '%s'.....
$ ==> >FC AE 5F C8 BA E1 10 4B E1 26 E5 D1 28 9A 0A 81 ⁿ«_╚║ß Kß&σ╤(Ü.ü
$+10 >05 E5 6A 38 8C 7D A2 A4 AB 09 99 59 B8 05 22 E2 σj8î}óñ½.ÖY╕ "Γ
$+20 >FB √
There are 19 blacklisted MD5 checksums stored there.
keyfile
0..50
The struggle with localisation:
Problem: Russian IDA will refuse to run elsewhere...
005C85D3 E8 76680000 CALL            ; returned TIME_ZONE_INFORMATION:
$ ==>  >FFFFFF4C (-180)               LONG Bias
$+4    >00750052 "Russische Normalzeit" WCHAR StandardName[32]
$+44   >000A0000                      SYSTEMTIME StandardDate
$+48   >00050000
$+4C   >00000003
$+50   >00000000
$+54   >00000000                      LONG StandardBias
$+58   >"Russische Sommerzeit",0      WCHAR DaylightName[32]
$+98   >00030000                      SYSTEMTIME DaylightDate
$+9C   >00050000
$+A0   >00000002
$+A4   >00000000
$+A8   >FFFFFFC4 (-180)               LONG DaylightBias
(DaylightBias==0) or (DaylightDate.month==0) -> flag1=0
DaylightBias :
Bias value to be used during local time translations that occur during daylight saving time.
This member is ignored if a value for the DaylightDate member is not supplied.
This value is added to the value of the Bias member to form the bias used during daylight saving time.
In most time zones, the value of this member is -60.
GMT=(Bias+StandardBias)*60
Bias:
Current bias for local time translation on this computer, in minutes.
The bias is the difference, in minutes, between Coordinated Universal Time (UTC)
and local time. All translations between UTC and local time are based on
the following formula: UTC = local time + bias
StandardBias:
Bias value to be used during local time translations that occur during
standard time. This member is ignored if a value for the StandardDate
member is not supplied. This value is added to the value of the Bias
member to form the bias used during standard time. In most time zones,
the value of this member is zero.
GMT=(-180+0)*60 = -10800 [FFFFD5D0]
Later in the program:
(GMT / 3600) lower or equal -2 -> error message & quit
100A896C /75 6C JNZ SHORT 100A89DA
100A896E |54 PUSH ESP 54 PUSH ESP
100A896F |E8 62D70300 CALL
100A8974 |66:83BC24 9A000>CMP [WORD ESP+9A], 0 66:83BC24 9A000>CMP [WORD ESP+9A], 0
100A897D |75 0A JNZ SHORT 100A8989 75 0A JNZ SHORT 005D2C35
100A897F |33D2 XOR EDX, EDX 33D2 XOR EDX, EDX
100A8981 |8915 080D1010 MOV [10100D08], EDX 8915 70266200 MOV [622670], EDX
100A8987 |EB 14 JMP SHORT 100A899D EB 14 JMP SHORT 005D2C49
100A8989 |83BC24 A8000000>CMP [DWORD ESP+A8], 0 83BC24 A8000000>CMP [DWORD ESP+A8], 0
100A8991 |0F95C1 SETNE CL 0F95C1 SETNE CL
100A8994 |83E1 01 AND ECX, 1 83E1 01 AND ECX, 1
100A8997 |890D 080D1010 MOV [10100D08], ECX 890D 70266200 MOV [622670], ECX
100A899D |8B0424 MOV EAX, [ESP] 8B0424 MOV EAX, [ESP]
100A89A0 |034424 54 ADD EAX, [ESP+54] 034424 54 ADD EAX, [ESP+54]
100A89A4 |8BD0 MOV EDX, EAX 8BD0 MOV EDX, EAX
100A89A6 |C1E2 02 SHL EDX, 2 C1E2 02 SHL EDX, 2
100A89A9 |8D1452 LEA EDX, [EDX+EDX*2] 8D1452 LEA EDX, [EDX+EDX*2]
100A89AC |8D1492 LEA EDX, [EDX+EDX*4] 8D1492 LEA EDX, [EDX+EDX*4]
100A89AF |8915 040D1010 MOV [10100D04], EDX 8915 6C266200 MOV [62266C], EDX
100A89B5 |8B0D 0C0D1010 MOV ECX, [10100D0C] 8B0D 74266200 MOV ECX, [622674] ; idag64.00632FBC; ida.10115434
100A89BB |BE 170D1010 MOV ESI, 10100D17 BE 7F266200 MOV ESI, 0062267F
100A89C0 |8BF9 MOV EDI, ECX 8BF9 MOV EDI, ECX
100A89C2 |8BC7 MOV EAX, EDI 8BC7 MOV EAX, EDI
100A89C4 |A4 MOVS [BYTE ES:EDI], [BYT A4 MOVS [BYTE ES:EDI], [BYTE ESI]
timezone
EB ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? 01 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 E0 FE FF FF 90 90
bonuspatch
75 07 8A ?? ?? 84 ?? 74 04 33 C0 EB 05 B8 01 00 00 00 E8 ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 90 90 90 90