Download IDA v4.9 v2 keyfile by CW2K

Added to site: 2006-05-20
Rating: 70/100
Votes: 2

idav4.9v2keyfilecw2k.zip (63684 bytes)

name                      size    compressed
IDA.4.9_V2_CW2K.exe       65024   47845
ida.key                   422     399
info.txt                  40258   13751
source/                   0       0
source/IDA 4.9.dUP2       5296    1167

info.txt

IDA 4.9 - LocalLock Fix V2
==========================

This patch requires UNPACKED ida*.exe and ida*.wll.
Use CASPR or syd's ASPR-Stripper 2.07 to do the job!
->[http://doom.scene-gods.de/unpacker.htm]

I advise using CASPR. If you use ASPR-Stripper, press
Ctrl+End to scroll down to the notes at the end of this document.

About the patch:
ZWT released a version that was locked to Russian only
(you needed to set your timezone to GMT+3 (Russian)).
DVT released a fix, but it was improper: it only patched
away the MessageBox+Quit, and later many functions and modules didn't load.
This patch instead sets the 'correct' value for the timezone right after the API call, rather than trying to patch every jz.

In case you get "The processor module is prohibited by the key", use the included ida.key file.
It unlocks modules 1..50 (50..64 are zero and probably reserved for future use), which seems to be
enough since there are only 33 loader modules in the current version.

The patch removes the blacklist so you can use your old IDA.Key.
(Background: the IDA.Key data is stored inside the database,
so when you opened an older database containing blacklisted key data
you got "Database corrupted" and it wouldn't open.)

As a bonus patch, the stupid about box at startup is removed, so
IDA starts 3 seconds faster.
If you don't want the bonus, remove (rename) idau64.exe, apply the patch, and
click 'no' to stop the patch sequence.

A further bonus patch is the "Sorry, this database format is unsupported" fix.
You normally get this message when you open an IDA 4.5 database or a newer one.
(IDA 4.3 and older databases work.)

A more comprehensive "Database corrupted" patch than the blacklist-only one:
now the key data can be missing or 'corrupted', it doesn't matter anymore.
(+ a patch so that the database is not saved on close if the key is invalid)

Since this is a search'n'replace patch, it might also work
for future versions of IDA!
However, it was made and tested with version 4.9 in the first place.


[email protected] - http://antiwpa.ru.org

Here's some documentation about UDP port 23945, to clean up the IDA undercover myths.

This refers to the post
http://www.datarescue.com/ubb/ultimatebb.php?/topic/1/490.html


Since some people were complaining that this feature is not well documented, here we go:
It all depends on the data inside ida.key (-> details are added below).
Idag.exe scans the registered-to text for the string "user" and takes the number before it.
If "user" is not found at all, or is found at position 0..3, or the number is above 1, the network check is not started.
Note: Changing the "user" inside ida.key is a good idea, but changing it inside idag.exe (-> CASPR 1.100 will do a good job at unpacking) will of course do the trick. :D
But back to the docs...
The check is performed in an extra thread (CreateThreadA!) which runs all the time beside the main thread.
From the entire registered-to text a 128-bit MD5 checksum is created and sent, together with some other ID values like CurrentProcessId,
as a 40-byte UDP broadcast packet on port 23945 (see below for details).
But before sending, it tries to add itself to the Windows Firewall to avoid getting blocked,
by calling the win_fw.dll export windows_firewall_enable_app from the IDA directory.
	win_fw.dll!#1 (0,"The Interactive Disassembler","C:\IDA\idag.exe")
	Note: the 0 stands for Enable and 1 for Block traffic
	->Btw, nice small dll that can easily be reused in other projects ;)
A quick look into it reveals that it uses the COM interface of [Windows]\SYSTEM32\HNETCFG.DLL,
just as Windows does to open ports...
	CreateObject("HNetCfg.FwMgr")
	hnetcfg.FwMgr::get_LocalPolicy
	hnetcfg.FwPolicy::get_CurrentProfile
	hnetcfg.FwProfile::get_FirewallEnabled
	hnetcfg.FwAuthApps::Item ...

But again, back to the UDP broadcast request. This is how it is actually performed,
so it should also be a good skeleton in case you want to implement a
similar check in your app.

Socket= WSOCK32.socket(
	Family = AF_INET,
	Type = SOCK_DGRAM,
	Protocol = IPPROTO_IP)

WSOCK32.bind(Socket,
	pSockAddr=23945,
	AddrLen = 0x10 )

WSOCK32.setsockopt(Socket,
	Level = SOL_SOCKET,
	Option = SO_BROADCAST,
	Data,	DataSize = 4)

WSOCK32.send(Socket,
	 Data, DataSize = 0x28 (40 Bytes),
	 Flags = 0 )
(Note: WSOCK32 is just a wrapper dll; nearly all calls are redirected directly to WS2_32.)

After that IDA switches into receive mode and listens for any incoming UDP data on port 23945 that is
40 bytes long, starts with "IDA" and is not the packet it has sent itself (the CurrentProcessId
and the other SessionID values don't match its own). (Have a look at 'Format of IDA Data Package' below.)

WSOCK32.recvfrom(Socket,
	 Data, DataSize = 0x28 (40 Bytes),
	 Flags = 0 )

If it receives a packet whose type is 0 (=Reply), it compares the MD5 checksum with its own, and
if they match it displays a message that someone else is also running IDA on the network, and quits.
Otherwise (the received packet is a Request, type=1) it sets Type=0 (Reply) and sends its own packet again;
after that it enters the receive loop again.


Format of IDA Data Package:

Offset  ExampleData  Description
$+0     00414449     Const signature "IDA."
$+4     00000001     Type (0=Reply, 1=Request)

:SessionID
$+8     FDE74450     Result of Kernel32!GetCurrentProcess
$+C     010C481B     Result of Kernel32!GetCurrentProcessId
$+10    FF79D115     Result of Kernel32!GetCurrentThread
$+14    00433A7D     Result of Kernel32!GetCurrentThreadId xor 'more'
Note: 'more' = (((((GetTickCount XOR GetCurrentProcess) <<1) XOR GetCurrentProcessId) <<1) XOR GetCurrentThread) <<1)

:Serial
$+18    FFFFFFFF     128-bit MD5 checksum (=0x10 byte value)
        FFFFFFFF     of the registered-to text
        FFFFFFFF
        FFFFFFFF
$+28
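As an added example (not part of the original document and not IDA's own code), the following Python models the 40-byte packet layout and the receive loop described above, so the broadcast can be recognised and classified from a capture; the handle, tick-count and registered-to values are constructed (some taken from the example column of the table), and the packet is only built and parsed in memory, never sent.

```python
"""Model of the 40-byte IDA network-check packet (UDP port 23945) and of the
receive loop described above.  Added example, not IDA's own code; the sample
handles, tick count and registered-to text are constructed, and nothing is sent."""
import hashlib
import struct

IDA_PORT = 23945          # UDP port from the text
PACKET_SIZE = 0x28        # 40 bytes
SIGNATURE = b"IDA."
TYPE_REPLY, TYPE_REQUEST = 0, 1
MASK32 = 0xFFFFFFFF

# Layout from 'Format of IDA Data Package': signature, type, four SessionID
# dwords (hProcess, pid, hThread, tid ^ 'more'), 16-byte MD5 of registered-to text.
PACKET_FMT = "<4sI4I16s"
assert struct.calcsize(PACKET_FMT) == PACKET_SIZE


def mixer(tick_count, process, process_id, thread):
    """'more' = (((((GetTickCount ^ hProcess) << 1) ^ pid) << 1) ^ hThread) << 1, kept to 32 bits."""
    m = (tick_count ^ process) & MASK32
    m = ((m << 1) ^ process_id) & MASK32
    m = ((m << 1) ^ thread) & MASK32
    return (m << 1) & MASK32


def build_packet(ptype, process, process_id, thread, thread_id, tick_count, registered_to):
    """Assemble one packet from the session values and the raw registered-to text (bytes)."""
    serial = hashlib.md5(registered_to).digest()
    mixed_tid = (thread_id ^ mixer(tick_count, process, process_id, thread)) & MASK32
    return struct.pack(PACKET_FMT, SIGNATURE, ptype, process, process_id, thread, mixed_tid, serial)


def parse_packet(data):
    """Return the fields of a well-formed packet, or None for anything the receiver drops:
    wrong length, missing "IDA." signature, or an unknown type."""
    if len(data) != PACKET_SIZE:
        return None
    sig, ptype, proc, pid, thread, mixed_tid, serial = struct.unpack(PACKET_FMT, data)
    if sig != SIGNATURE or ptype not in (TYPE_REPLY, TYPE_REQUEST):
        return None
    return {"type": ptype, "session": (proc, pid, thread, mixed_tid), "serial": serial.hex()}


def handle_incoming(own_packet, data):
    """One iteration of the receive loop.  Returns:
      ("ignore", None)     malformed packet, our own broadcast echoed back, or a foreign serial
      ("duplicate", None)  a Reply carrying our own serial: IDA shows its message and quits
      ("reply", bytes)     a Request from another session: answer with our packet as Type 0
    """
    own = parse_packet(own_packet)
    other = parse_packet(data)
    if other is None or other["session"] == own["session"]:
        return ("ignore", None)
    if other["type"] == TYPE_REPLY:
        return ("duplicate", None) if other["serial"] == own["serial"] else ("ignore", None)
    reply = own_packet[:4] + struct.pack("<I", TYPE_REPLY) + own_packet[8:]
    return ("reply", reply)


if __name__ == "__main__":
    # Constructed values standing in for GetCurrentProcess/-Id, GetCurrentThread/-Id, GetTickCount
    reg = b"Anonymous, 1 user, std, 01/2005"          # constructed registered-to text
    me = build_packet(TYPE_REQUEST, 0xFDE74450, 0x010C481B, 0xFF79D115, 0x00000DB8, 0x0001E240, reg)
    peer = build_packet(TYPE_REQUEST, 0xFDE74450, 0x00000A1C, 0xFF79D115, 0x00000E3C, 0x0002F9A0, reg)
    print("own session  :", [hex(v) for v in parse_packet(me)["session"]])
    print("peer request :", handle_incoming(me, peer)[0])            # reply
    peer_reply = peer[:4] + struct.pack("<I", TYPE_REPLY) + peer[8:]
    print("peer reply   :", handle_incoming(me, peer_reply)[0])      # duplicate
    print("own echo     :", handle_incoming(me, me)[0])              # ignore
```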

Ok thatz it so far!
--------------------------------------------------------------

Appendix:
What's inside IDA.Key


ida.Key

The file consists of three parts:
	Unencrypted header
	Part 1	Encrypted serial data
	Part 2	Encrypted serial data backup

Unencrypted, Part 1 and Part 2 are nearly identical, except that in Part 2 the
'Bitarray for licensed processor modules' must be filled with 00.
The file is accessed from the end of the file. One part is 0xA0 bytes big,
which is 0x7f bytes of user data and a gap of 0x21 bytes.
So for example, Part 2 of ida.Key would be at:
part2 = (filelength - (7f+21))

Offset  Part 2      ASCII   Part 1      ASCII   Meaning
00      00001DF7    ≈b..    00001DB8    ╕a..    Timestamp milliseconds?
04      4236E49B    ¡τ┤?    4236E49B    ¡τ┤?    Timestamp 15.03.2005 13:35:23 (GMT 0)
08      00000000    ....    447B2FEF    ∩/{D    Bitarray for licensed processor modules 0..32
0C      00000000    ....    00000901    ...     Bitarray for licensed processor modules 32..64
10      B5FE023D    =  Ñ    B5FE023D    =  Ñ    3D = marker to check whether decryption succeeded
14      xxxxxxxx    Anon    xxxxxxxx    Anon    Regname
18      xxxxxxxx    ymou    xxxxxxxx    ymou
        ....
7C      00000033    3...    00000033    3...
80

Discussion:
Timestamp:	A 32-bit timestamp in Unix C time (seconds since 1.1.1970),
				not used in the program so far; maybe useful for future time-limited keys.
				Note: the timestamp is similar to the file creation time.

Bitarray for licensed processor modules:
				This 64-bit array has room for 64 processor modules;
				if a bit is set (1) use is allowed, if clear it is not.
				Implementation details in ida.wll are above the reference to the string
				"The processor module is prohibited by the key".

Marker		The low byte of the dword should be 3D to detect whether decryption succeeded.
				The remaining 3 bytes are not used and their meaning is unclear.

Regname		The name that appears in the about box.
				It is checked whether the Regname in the header, Part 1 and Part 2 match
				until ida.wll!#xx returns it to idag.exe.

So much for the documentation.
If you have enough time, IDA is not only good for finding out how other programs work (or why they don't),
it's also good for exploring IDA itself.
It's the best and only all-in-one solution for all kinds of executable code:
PE32 and PE64 for AMD64 or IA64 Windows, Java, CLR (.NET), old 16-bit Windows 3.11 NE executables, mobile phone and PlayStation ROMs, and even the Z80 ROM of my TI-83 calculator.
On unknown assemblers, the auto comments you can enable in the options help a lot.



BTW, what happened to the freeware version of IDA, which was discontinued and disappeared years ago?
The installation package was really small and it was very good.
So for remote on-the-fly analysis of computer problems I use OllyDbg.



|.  BA 01000000   MOV     EDX, 1
|.  E8 BC3B0100   CALL    ;  procmodul
|.  85C0          TEST    EAX, EAX
|.  74 27         JE      SHORT 

	|.  8B50 08       MOV     EDX, [EAX+8] 	get BitField1
	|.  8B48 0C       MOV     ECX, [EAX+C] 	get BitField2
	|.  A1 2C9B0C10   MOV     EAX, []	get ProcNumber
	|.  83F8 20       CMP     EAX, 20			if ProcNumber < 20
	|.  7C 05         JL      SHORT 10024E89  Use BitField1
		|.  83E8 20       SUB     EAX, 20		if ProcNumber > 20
		|.  8BD1          MOV     EDX, ECX		Use BitField2
	|>  83F8 20       CMP     EAX, 20			if ProcNumber > 40
	|.  7D 18         JGE     SHORT 		goto OK

		|.  8BC8          MOV     ECX, EAX(ProcNumber)
		|.  B8 01000000   MOV     EAX, 1
		|.  D3E0          SHL     EAX, CL		Eax = (01 << ProcNumber)
		|.  85D0          TEST    EAX, EDX		Test if Bit in Array is set
		|.  75 0B         JNZ     SHORT 
forbidden 68 395F0B10   PUSH    100B5F39                ;  ASCII "The processor module is prohibited by the key"
		|.  E8 1B21FEFF   CALL    10006FC0
		|.  59            POP     ECX
ok  68 675F0B10   PUSH    100B5F67                ; /Arg1 = 100B5F67 ASCII "OK"
|.  E8 7CCFFEFF   CALL    10011E2C                ; \ida.10011E2C



447B2FEF
   4    4    7    B    2    F    E    F
0100 0100 0111 1011 0010 1111 1110 1111
1098 7654 3210 9876 5432 1098 7654 3210


00000901
   0    0    0    0    0    9    0    1
0000 0000 0000 0000 0000 1001 0000 0001
1098 7654 3210 9876 5432 1098 7654 3210

Decryption:


ida.wll!#16 -> MD5_init
ida.wll!#18 -> MD5_update
ida.wll!#15 -> MD5_Final

The blacklist array directly follows the string "REG_0x%x".
In version 4.6 there are 8 blacklisted names stored here:
100B7B20     47455200    .REG
100B7B24     2578305F    _0x%
100B7B28     00300078    x.0.
100B7B2C     00006425    %d..

Start of array blacklisted[0..8] of MD5 checksums:
100B7B30     C85FAEFC    ⁿ«_╚
100B7B34     4B10E1BA    ║ß K


Update for version 4.9

The blacklist area directly follows the strings "Compiling file '%s'..." and "Executing function '%s'...".
There are 19 blacklisted MD5 checksums stored there.

?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? FF 53 E8 ?? ?? ?? 00 59 ?? ?? 8D ?? ?? 08 50 E8 31 97 FD FF 54
8D 54 24 5C 52 E8 F6 97 FD FF 33 DB 6A 10 8B C3 C1 E0 04 81 C0 C4 62 0F 10 50 8D 54 24 60 52 E8
A8 25 04 00 83 C4 0C 85 C0 75 04 B0 01 EB 08 43 83 FB 13 72 D7 33 C0 83 C4 68 5B C3


Version 4.6 (left column of the original side-by-side listing; loop bound 8 = 8 entries):

100389C8    55              PUSH    EBP
100389C9    8BEC            MOV     EBP, ESP
100389CB    83C4 98         ADD     ESP, -68
100389CE    53              PUSH    EBX
100389CF    8BD8            MOV     EBX, EAX
100389D1    8D45 A8         LEA     EAX, [EBP-58]
100389D4    50              PUSH    EAX
100389D5    E8 3E400700     CALL    #16
100389DA    53              PUSH    EBX
100389DB    E8 E0F50200     CALL    10067FC0
100389E0    59              POP     ECX
100389E1    50              PUSH    EAX
100389E2    53              PUSH    EBX
100389E3    8D55 A8         LEA     EDX, [EBP-58]
100389E6    52              PUSH    EDX
100389E7    E8 5C400700     CALL    #18
100389EC    8D4D A8         LEA     ECX, [EBP-58]
100389EF    51              PUSH    ECX
100389F0    8D45 98         LEA     EAX, [EBP-68]
100389F3    50              PUSH    EAX
100389F4    E8 1F410700     CALL    #15
100389F9    33DB            XOR     EBX, EBX
100389FB    6A 10           PUSH    10
100389FD    8BC3            MOV     EAX, EBX
100389FF    C1E0 04         SHL     EAX, 4
10038A02    81C0 307B0B10   ADD     EAX, 100B7B30
10038A08    50              PUSH    EAX
10038A09    8D55 98         LEA     EDX, [EBP-68]
10038A0C    52              PUSH    EDX
10038A0D    E8 E6F60200     CALL    100680F8
10038A12    83C4 0C         ADD     ESP, 0C
10038A15    85C0            TEST    EAX, EAX
10038A17    75 04           JNZ     SHORT 10038A1D
10038A19    B0 01           MOV     AL, 1
10038A1B    EB 08           JMP     SHORT 10038A25
10038A1D    43              INC     EBX
10038A1E    83FB 08         CMP     EBX, 8
10038A21  ^ 72 D8           JB      SHORT 100389FB
10038A23    33C0            XOR     EAX, EAX
10038A25    5B              POP     EBX
10038A26    8BE5            MOV     ESP, EBP
10038A28    5D              POP     EBP
10038A29    C3              RETN

Version 4.9 (right column of the original listing; loop bound 13h = 19 entries):

10059398  /$  53                 PUSH    EBX
10059399  |.  83C4 98            ADD     ESP, -68
1005939C  |.  8BD8               MOV     EBX, EAX
1005939E  |.  54                 PUSH    ESP                              ; /Arg1
1005939F  |.  E8 1497FDFF        CALL                                     ; \MD5Init
100593A4  |.  53                 PUSH    EBX
100593A5  |.  E8 A2240400        CALL    <_strlen>
100593AA  |.  59                 POP     ECX
100593AB  |.  50                 PUSH    EAX                              ; /Arg3
100593AC  |.  53                 PUSH    EBX                              ; |Arg2
100593AD  |.  8D4424 08          LEA     EAX, [ESP+8]                     ; |
100593B1  |.  50                 PUSH    EAX                              ; |Arg1
100593B2  |.  E8 3197FDFF        CALL                                     ; \MD5Update
100593B7  |.  54                 PUSH    ESP                              ; /Arg2
100593B8  |.  8D5424 5C          LEA     EDX, [ESP+5C]                    ; |
100593BC  |.  52                 PUSH    EDX                              ; |Arg1
100593BD  |.  E8 F697FDFF        CALL                                     ; \MD5Final
100593C2  |.  33DB               XOR     EBX, EBX
100593C4  |>  6A 10              /PUSH    10                              ; /Arg3 = 00000010
100593C6  |.  8BC3               |MOV     EAX, EBX                        ; |
100593C8  |.  C1E0 04            |SHL     EAX, 4                          ; |
100593CB  |.  81C0 C4620F10      |ADD     EAX, 100F62C4                   ; |
100593D1  |.  50                 |PUSH    EAX                             ; |Arg2 = 100F62C4
100593D2  |.  8D5424 60          |LEA     EDX, [ESP+60]                   ; |
100593D6  |.  52                 |PUSH    EDX                             ; |Arg1
100593D7  |.  E8 A8250400        |CALL    <_memcmp>                       ; \IDA.1009B984
100593DC  |.  83C4 0C            |ADD     ESP, 0C
100593DF  |.  85C0               |TEST    EAX, EAX
100593E1  |.  75 04              |JNZ     SHORT 100593E7
100593E3  |.  B0 01              |MOV     AL, 1
100593E5  |.  EB 08              |JMP     SHORT 100593EF
100593E7  |>  43                 |INC     EBX
100593E8  |.  83FB 13            |CMP     EBX, 13
100593EB  |.^ 72 D7              \JB      SHORT 100593C4
100593ED  |.  33C0               XOR     EAX, EAX
100593EF  |>  83C4 68            ADD     ESP, 68
100593F2  |.  5B                 POP     EBX
100593F3  \.  C3                 RETN

?? ?? ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? 53 E8 ?? ?? ?? ?? 59 ?? ?? 8D
33 C0 C3 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
Open DB with blacklisted names

keyfile
0..50


The struggle with localisation:

Problem: the Russian IDA will refuse to run elsewhere...

005C85D3    E8 76680000     CALL    


$ ==>    >FFFFFF4C  (-180)					LONG Bias

$+4      >00750052  Russische Normalzeit	WCHAR StandardName[32]

$+44     >000A0000  						SYSTEMTIME StandardDate;
$+48     >00050000  . 
$+4C     >00000003   .
$+50     >00000000  ..

$+54     >00000000  ..						LONG StandardBias
$+58     >"Russische Sommerzeit",0			WCHAR DaylightName[32]

$+98     >00030000  . 						SYSTEMTIME DaylightDate;
$+9C     >00050000  . 
$+A0     >00000002   .
$+A4     >00000000  ..

$+A8     >FFFFFFC4  (-180)					LONG DaylightBias;


(DaylightBias==0) or (DaylightDate.month==0) -> flag1=0
DaylightBias :
Bias value to be used during local time translations that occur during daylight saving time.
This member is ignored if a value for the DaylightDate member is not supplied.
This value is added to the value of the Bias member to form the bias used during daylight saving time.
In most time zones, the value of this member is -60.


GMT=(Bias+StandardBias)*60

Bias:
Current bias for local time translation on this computer, in minutes.
The bias is the difference, in minutes, between Coordinated Universal Time (UTC)
and local time. All translations between UTC and local time are based on
the following formula: 	UTC = local time + bias

StandardBias
Bias value to be used during local time translations that occur during
standard time. This member is ignored if a value for the StandardDate
member is not supplied. This value is added to the value of the Bias
member to form the bias used during standard time. In most time zones,
the value of this member is zero.

GMT=(-180+0)*60 = -10800 [FFFFD5D0]

Later in the program:

(GMT / 3600) lower than or equal to -2 -> error message & quit

ida.wll (left column of the original side-by-side listing):

100A896C   /75 6C           JNZ     SHORT 100A89DA
100A896E   |54              PUSH    ESP
100A896F   |E8 62D70300     CALL    
100A8974   |66:83BC24 9A000>CMP     [WORD ESP+9A], 0
100A897D   |75 0A           JNZ     SHORT 100A8989
100A897F   |33D2            XOR     EDX, EDX
100A8981   |8915 080D1010   MOV     [10100D08], EDX
100A8987   |EB 14           JMP     SHORT 100A899D
100A8989   |83BC24 A8000000>CMP     [DWORD ESP+A8], 0
100A8991   |0F95C1          SETNE   CL
100A8994   |83E1 01         AND     ECX, 1
100A8997   |890D 080D1010   MOV     [10100D08], ECX
100A899D   |8B0424          MOV     EAX, [ESP]
100A89A0   |034424 54       ADD     EAX, [ESP+54]
100A89A4   |8BD0            MOV     EDX, EAX
100A89A6   |C1E2 02         SHL     EDX, 2
100A89A9   |8D1452          LEA     EDX, [EDX+EDX*2]
100A89AC   |8D1492          LEA     EDX, [EDX+EDX*4]
100A89AF   |8915 040D1010   MOV     [10100D04], EDX
100A89B5   |8B0D 0C0D1010   MOV     ECX, [10100D0C]
100A89BB   |BE 170D1010     MOV     ESI, 10100D17
100A89C0   |8BF9            MOV     EDI, ECX
100A89C2   |8BC7            MOV     EAX, EDI
100A89C4   |A4              MOVS    [BYTE ES:EDI], [BYTE ESI]

Same code in the second build (right column of the original listing; addresses 005D2Cxx/0062xxxx):

54              PUSH    ESP
66:83BC24 9A000>CMP     [WORD ESP+9A], 0
75 0A           JNZ     SHORT 005D2C35
33D2            XOR     EDX, EDX
8915 70266200   MOV     [622670], EDX
EB 14           JMP     SHORT 005D2C49
83BC24 A8000000>CMP     [DWORD ESP+A8], 0
0F95C1          SETNE   CL
83E1 01         AND     ECX, 1
890D 70266200   MOV     [622670], ECX
8B0424          MOV     EAX, [ESP]
034424 54       ADD     EAX, [ESP+54]
8BD0            MOV     EDX, EAX
C1E2 02         SHL     EDX, 2
8D1452          LEA     EDX, [EDX+EDX*2]
8D1492          LEA     EDX, [EDX+EDX*4]
8915 6C266200   MOV     [62266C], EDX
8B0D 74266200   MOV     ECX, [622674]                    ; idag64.00632FBC; ida.10115434
BE 7F266200     MOV     ESI, 0062267F
8BF9            MOV     EDI, ECX
8BC7            MOV     EAX, EDI
A4              MOVS    [BYTE ES:EDI], [BYTE ESI]

timezone
EB ?? 83 ?? ?? ?? ?? ?? ?? ?? 0F 95 ?? 83 ?? 01 89 ?? ?? ?? ?? ?? 8B ?? ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? B8 E0 FE FF FF 90 90

bonuspatch (no about at startup)
75 07 8A ?? ?? 84 ?? 74 04 33 C0 EB 05 B8 01 00 00 00 E8 ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 90 90 90 90


corrupted DB fix
Offset 
....
10018B59                 |.  84C9          |TEST    CL, CL
10018B5B                 |.^ 75 ED         \JNZ     SHORT 10018B4A
10018B5D                 |>  8A00          MOV     AL, [EAX]
10018B5F                 |.  84C0          TEST    AL, AL
10018B61                 |.  74 0B         JE      SHORT 10018B6E
10018B63                 |>  68 6AC80E10   PUSH    100EC86A                           ;  ASCII "Database is corrupt"
10018B68                 |.  E8 ABA0FEFF   CALL    
10018B6D                 |.  59            POP     ECX

No "Database is corrupt" if the key is missing or invalid
84 ?? 75 ?? 8A ?? 84 ?? 74 0B 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 90 90 90 90 90 ??



Important codeparts:

Way to Corrupted DB check...

1001A02B     |> \BB 1A890110     MOV     EBX, 
1001A030             |.  EB 05           JMP     SHORT 1001A037
1001A032     |>  BB B78A0110     MOV     EBX, 
1001A037             |>  8A45 C7         MOV     AL, [EBP-39]
1001A03A             |.  84C0            TEST    AL, AL
1001A03C             |.  75 0F           JNZ     SHORT 1001A04D
	1001A03E             |.  E8 15020000     CALL    term_database
	1001A043             |.  B8 01000000     MOV     EAX, 1
	1001A048             |.  E9 65010000     JMP     1001A1B2

Check timezone
1001A04D             |>  E8 92E80800     CALL    
1001A052             |.  A1 040D1010     MOV     EAX, [10100D04]
1001A057             |.  B9 100E0000     MOV     ECX, 0E10
1001A05C             |.  99              CDQ
1001A05D             |.  F7F9            IDIV    ECX
1001A05F             |.  83F8 FE         CMP     EAX, -2
1001A062             |.  7E 16           JLE     SHORT 
1001A064             |.  8D85 C0FBFFFF   LEA     EAX, [LOCAL.272]
1001A06A             |.  56              PUSH    ESI
1001A06B             |.  8BF0            MOV     ESI, EAX
1001A06D             |.  BF 9C191110     MOV     EDI, OFFSET inf
1001A072             |.  B9 30000000     MOV     ECX, 30
1001A077             |.  F3:A5           REP     MOVS [DWORD ES:EDI], [DWORD ESI]
1001A079             |.  5E              POP     ESI

The IDC-Script call check
1001A07A |>  8BD6            MOV     EDX, ESI
1001A07C             |.  8BC3            MOV     EAX, EBX
1001A07E                 E8 49F50300     CALL    
1001A083             |.  8BD8            MOV     EBX, EAX
1001A085             |.  81FB 009CDA01   CMP     EBX, 1DA9C00
1001A08B             |.  7E 0B           JLE     SHORT 1001A098
1001A08D             |.  68 9C050000     PUSH    59C                                ;  expit demo
1001A092             |.  E8 FDF7FFFF     CALL    
1001A097             |.  59              POP     ECX
1001A098             |>  85DB            TEST    EBX, EBX
1001A09A             |.  7F 0B           JG      SHORT 1001A0A7
1001A09C             |.  68 9A050000     PUSH    59A                                ;  Something is wrong with IDA.KEY
1001A0A1             |.  E8 EEF7FFFF     CALL    


100595CC /$  53              PUSH    EBX
100595CD                |.  56              PUSH    ESI
100595CE                |.  81C4 C4FEFFFF   ADD     ESP, -13C
100595D4                |.  8BF2            MOV     ESI, EDX
100595D6                |.  8BD8            MOV     EBX, EAX
100595D8                |.  33C0            XOR     EAX, EAX
100595DA                |.  8D9424 04010000 LEA     EDX, [ESP+104]
100595E1                |.  C68424 2C010000>MOV     [BYTE ESP+12C], 2
100595E9                |.  898424 2D010000 MOV     [ESP+12D], EAX
100595F0                |.  C602 01         MOV     [BYTE EDX], 1
100595F3                |.  6A 00           PUSH    0
100595F5                |.  68 38650F10     PUSH    OFFSET <"ida.key">
100595FA                |.  68 04010000     PUSH    104
100595FF                |.  8D4C24 0C       LEA     ECX, [ESP+C]
10059603                |.  51              PUSH    ECX
10059604                |.  E8 F36FFDFF     CALL    getsysfile
10059609                |.  898424 05010000 MOV     [ESP+105], EAX
10059610                |.  8D8424 11010000 LEA     EAX, [ESP+111]
10059617                |.  8D9424 1E010000 LEA     EDX, [ESP+11E]
1005961E                |.  C600 02         MOV     [BYTE EAX], 2
10059621                |.  899C24 12010000 MOV     [ESP+112], EBX
10059628                |.  C602 02         MOV     [BYTE EDX], 2
1005962B                |.  8B0D F4630F10   MOV     ECX, [isregd]
10059631                |.  89B424 1F010000 MOV     [ESP+11F], ESI
10059638                |.  85C9            TEST    ECX, ECX
1005963A                |.  74 07           JE      SHORT 
1005963C                |.  BE 41650F10     MOV     ESI, OFFSET 
10059641                |.  EB 07           JMP     SHORT 
10059643    |>  8DB424 04010000 LEA     ESI, [ESP+104]
1005964A        |>  B9 0D000000     MOV     ECX, 0D
1005964F                |.  A0 40650F10     MOV     AL, []
10059654                |.  84C0            TEST    AL, AL
10059656                |.  75 1B           JNZ     SHORT 
10059658                |.  33D2            XOR     EDX, EDX
1005965A                |.  8BC6            MOV     EAX, ESI
1005965C                |.  EB 0A           JMP     SHORT 
1005965E      |>  8A1D 40AE1010   /MOV     BL, []
10059664                |.  3018            |XOR     [EAX], BL
10059666                |.  42              |INC     EDX
10059667                |.  40              |INC     EAX
10059668      |>  3BCA             CMP     ECX, EDX
1005966A                |.^ 77 F2           \JA      SHORT 
1005966C                |.  C605 40650F10 0>MOV     [BYTE ], 1
10059673       |>  51              PUSH    ECX
10059674                |.  56              PUSH    ESI
10059675                |.  6A 03           PUSH    3
10059677                |.  68 4E650F10     PUSH    OFFSET <"_idainit">
1005967C                |.  E8 F3ACFFFF     CALL    set_idc_func_body
10059681                |.  6A 00           PUSH    0
10059683                |.  6A 00           PUSH    0
10059685                |.  8D8424 34010000 LEA     EAX, [ESP+134]
1005968C                |.  50              PUSH    EAX
1005968D                |.  8D9424 10010000 LEA     EDX, [ESP+110]
10059694                |.  52              PUSH    EDX
10059695                |.  6A 03           PUSH    3
10059697                |.  68 4E650F10     PUSH    OFFSET <"_idainit">
1005969C                |.  E8 53B9FFFF     CALL    
100596A1                |.  8B8424 2D010000 MOV     EAX, [ESP+12D]
100596A8                |.  81C4 3C010000   ADD     ESP, 13C
100596AE                |.  5E              POP     ESI
100596AF                |.  5B              POP     EBX
100596B0                \.  C3              RETN

OFFSET 

00B13854                  AA0000A5  Ñ..¬
00B13858                  4980CE71  q΀I
00B1385C                  0111A1A9  ⌐í  
00B13860                  000000AF  »...
00B13864                  6164695F  _ida
00B13868                  74696E69  init

Interpreted:

A5 00 00 	Functionstart (00 00)???
AA 			???
71 			???
CE 			??? ... VartoLong...
80 49 A9 	invoke Call 49 ->"_call" (aftercall a9)
A1 0111		Set Return Value
AF 00 00 00 Return	(00 00 00 are probably fillbytes)

Decompiled:

_idainit(a,fnid,b) {
// ???
_call(fnid);
return 0x111; }

The Call:

_idainit(?,,?)


DB is not saved on close fix:
1001A131             |. /7E 16           JLE     SHORT 
1001A133             |. |8D85 C0FBFFFF   LEA     EAX, [LOCAL.272]
1001A139             |. |E8 DAF30300     CALL    
1001A13E             |. |85C0            TEST    EAX, EAX
1001A140             |. |74 07           JE      SHORT 
1001A142             |. |8325 58D30F10 F>AND     [DWORD database_flags], FFFFFFFE
7E ?? 8D ?? ?? ?? ?? FF E8 ?? ?? ?? ?? 85 C0 74
EB 0F ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??

"Sorry, this database format is unsupported" fix (if version < 4.1)

10096AA3  |> \66:833D 9F19111>CMP     [WORD ], 29
10096AAB      0F85 94000000   JNZ
10096AB1  |.  84DB            TEST    BL, BL
10096AB3  |.  75 21           JNZ     SHORT
10096AB5  |.  68 E0010000     PUSH    1E0                          ; /Arg4 = 000001E0
10096ABA  |.  6A 29           PUSH    29                           ; |Arg3 = 00000029
10096ABC  |.  68 3C050000     PUSH    53C                          ; |Arg2 = 0000053C
10096AC1  |.  6A 01           PUSH    1                            ; |Arg1 = 00000001
10096AC3  |.  E8 042FF8FF     CALL                                 ; \IDA.100199CC
10096AC8  |.  83C4 10         ADD     ESP, 10
10096ACB  |.  85C0            TEST    EAX, EAX
10096ACD  |.  7F 07           JG      SHORT
10096ACF  |.  33C0            XOR     EAX, EAX
10096AD1  |.  E9 01020000     JMP

10096AD6  |>  66:C705 9F19111>MOV     [WORD ], 2A
10096ADF  |.  6A 00           PUSH    0                            ; /Arg4 = 00000000
10096AE1  |.  6A 00           PUSH    0                            ; |Arg3 = 00000000
10096AE3  |.  C605 591A1110 0>MOV     [BYTE 10111A59], 2           ; |
10096AEA  |.  68 5AE30F10     PUSH    100FE35A                     ; |Arg2 = 100FE35A ASCII "$ segs"
10096AEF  |.  C605 5A1A1110 0>MOV     [BYTE 10111A5A], 4           ; |
10096AF6  |.  8D4424 20       LEA     EAX, [ESP+20]                ; |
10096AFA  |.  C605 5B1A1110 0>MOV     [BYTE 10111A5B], 8           ; |
10096B01      C605 EB191110 0>MOV     [BYTE ], 1                   ; 0
10096B08  |.  50              PUSH    EAX                          ; |Arg1
10096B09  |.  B3 01           MOV     BL, 1                        ; |
10096B0B  |.  E8 A8A4FAFF     CALL    netnode_check                ; \netnode_check
10096B10  |.  6A 00           PUSH    0                            ; /Arg3 = 00000000
10096B12  |.  68 61E30F10     PUSH    100FE361                     ; |Arg2 = 100FE361
10096B17  |.  8B5424 1C       MOV     EDX, [ESP+1C]                ; |
10096B1B  |.  52              PUSH    EDX                          ; |Arg1
10096B1C  |.  E8 4FA6FAFF     CALL    netnode_rename               ; \netnode_rename
10096B21  |.  6A 00           PUSH    0                            ; /Arg4 = 00000000
10096B23  |.  6A 00           PUSH    0                            ; |Arg3 = 00000000
10096B25  |.  68 6FE30F10     PUSH    100FE36F                     ; |Arg2 = 100FE36F ASCII "$ segs sarray"
10096B2A  |.  8D4C24 24       LEA     ECX, [ESP+24]                ; |
10096B2E  |.  51              PUSH    ECX                          ; |Arg1
10096B2F  |.  E8 84A4FAFF     CALL    netnode_check                ; \netnode_check
10096B34  |.  6A 00           PUSH    0                            ; /Arg3 = 00000000
10096B36  |.  68 7DE30F10     PUSH    100FE37D                     ; |Arg2 = 100FE37D
10096B3B  |.  8B4424 20       MOV     EAX, [ESP+20]                ; |
10096B3F  |.  50              PUSH    EAX                          ; |Arg1
10096B40  |.  E8 2BA6FAFF     CALL    netnode_rename               ; \netnode_rename

The check (= 0 [because the version is < 2A] will give the error):
10096B45  |>  8A15 EB191110   MOV     DL, []
10096B4B  |.  80FA 01         CMP     DL, 1
10096B4E      74 0B           JE      SHORT

10096B50      68 92E30F10     PUSH    OFFSET <"Sorry, this databas>;  ASCII "Sorry, this database format is unsupported"
10096B55  |.  E8 BEC0F6FF     CALL
10096B5A  |.  59              POP     ECX

Next Update...
10096B5B  |>  66:833D 9F19111>CMP     [WORD ], 2A
10096B63  |.  75 30           JNZ     SHORT
E8 2B A6 FA FF 8A 15 EB 19 11 10 80 FA 01 74 0B 68 92 E3 0F 10 E8
E8 ?? ?? ?? ?? 8A 15 ?? ?? ?? ?? 80 ?? 01 74 ?? 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? ??
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 E9 56 FF FF FF



IDA64
100923FF               A0 67031110       MOV     AL, [10110367]
10092404               3C 01             CMP     AL, 1
10092406               74 0B             JE      SHORT 10092413
10092408               68 2EC20F10       PUSH    100FC22E                     ; ASCII "Sorry, this database format is unsupported"
1009240D               E8 F208F7FF       CALL    10002D04
10092412               59                POP     ECX
10092413               66:833D EB021110 >CMP     [WORD 101102EB], 2A
1009241B               75 30             JNZ     SHORT 1009244D
1009241D               84DB              TEST    BL, BL
1009241F               75 21             JNZ     SHORT 10092442
10092421               68 E0010000       PUSH    1E0


A0 ?? ?? ?? ?? 3C 01 74 0B 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 59
?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 59 E9 66 FF FF FF

old "Sorry, this database format is unsupported" fix (if version < 4.1)

10096AA3             |> \66:833D 9F19111>CMP     [WORD ], 29
10096AAB             |.  0F85 94000000   JNZ     10096B45
10096AB1             |.  84DB            TEST    BL, BL
10096AB3             |.  75 21           JNZ     SHORT 
66 83 3D ?? ?? ?? ?? 29 0F 85 94 00 00 00 84 DB 75 21
?? ?? ?? ?? ?? ?? ?? ?? EB 04




Attention when using ASPR-Stripper 2.07 on ida*.wll

There is a small bug in ASPR-Stripper 2.07 which might cause
problems on DLLs.
Size and VA of the Base Relocation Directory in the PE OPTIONAL HEADER
are not set. Manually edit the PE header after unpacking.
Copy VA and VSize from the .reloc section header to the Base Relocation Directory in the PE OPTIONAL HEADER.
(Set both values in the Reserved Directory to 0)
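Added example (not part of this info.txt and not from the ASPR-Stripper project): a small checker that parses the PE headers of a file held in memory and reports whether the Base Relocation data directory agrees with the .reloc section header, which is exactly the inconsistency described above. The function names and the minimal PE32 image built by build_test_pe are my own constructions for illustration; the image is a header-only sample, not a runnable module.

```python
"""Check that a PE file's Base Relocation data directory matches its .reloc section.

Added illustration, not code from the original notes. Offsets follow the
published PE/COFF layout; build_test_pe() fabricates a header-only PE32 image
so the check can run offline on constructed input.
"""
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the Base Relocation Directory


def parse_pe(data):
    """Return (data_directories, sections) parsed from a PE image in memory.

    data_directories is a list of (VirtualAddress, Size) tuples;
    sections is a list of (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        ndirs_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(ndirs)]
    sec_off = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, rawptr))
    return dirs, sections


def check_reloc_directory(data):
    """Return (ok, message); ok is False when the directory disagrees with .reloc."""
    dirs, sections = parse_pe(data)
    reloc = next((s for s in sections if s[0] == ".reloc"), None)
    if reloc is None:
        return True, "no .reloc section, nothing to compare"
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_BASERELOC:
        return False, "optional header carries no base relocation directory entry"
    dir_va, dir_size = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC]
    _, sec_va, sec_vsize, _, _ = reloc
    if dir_va == 0 and dir_size == 0:
        return False, ".reloc at VA %#x (VSize %#x) but relocation directory is zeroed" % (sec_va, sec_vsize)
    if dir_va != sec_va:
        return False, "relocation directory VA %#x != .reloc VA %#x" % (dir_va, sec_va)
    if dir_size != sec_vsize:
        return False, "relocation directory size %#x != .reloc VSize %#x" % (dir_size, sec_vsize)
    return True, "relocation directory matches .reloc"


def build_test_pe(reloc_dir):
    """Constructed header-only PE32 image with a single .reloc section (sample data).

    reloc_dir is the (VirtualAddress, Size) pair written into the Base Relocation Directory.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    # IMAGE_FILE_HEADER: i386, 1 section, 224-byte optional header, DLL flags
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    # IMAGE_SECTION_HEADER for .reloc: VSize 0x1E0 at VA 0x3000, raw 0x200 bytes at 0x400
    sec = struct.pack("<8sIIIIIIHHI", b".reloc", 0x1E0, 0x3000, 0x200, 0x400,
                      0, 0, 0, 0, 0x42000040)
    return bytes(dos) + file_hdr + bytes(opt) + sec


if __name__ == "__main__":
    for label, entry in (("consistent", (0x3000, 0x1E0)), ("zeroed", (0, 0))):
        print(label, check_reloc_directory(build_test_pe(entry)))
```

To use it on a real file, pass the file's bytes to check_reloc_directory; a "zeroed" result on an unpacked DLL that still has a .reloc section is the symptom the note describes, and the fix is to copy the section's VirtualAddress and VirtualSize into the directory entry as stated above.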


