how to edu newest ex4 files?
Very easy task
1) receive decryption key from file header
2) extract main ex4 "body" - linked blocks
3) decrypt all blocks
4) decrypt code block and decompress it
5) find where protection located and change it via byte-hack
now reverse direction
1) compress code
2) reconstruct code block and fix checksum
3) insert code block and other stuff in main ex4 body
4) crypt body
5) fix ex4 hashsum
As you can see it's very easy for skilled person (like me) who is very familiar with hex-edit, symmetric and asymmetric encryption algorithms and assembler code.
IDA Pro and ollydbg for debug mt4 terminal, any favorite hexeditor, any programming language IDE for you own decryption tools;
Anyone who already very familiar with software research heard about this software. You ask me about software? Bad news for you - all this software will be useless for you, because you will not understand what you see without strong 10-24 months learning process.
Let me show difference between noob and pro researcher:
- Any average PC user can download "reflector" "byteme" and other dotnet stuff from Internet and press few buttons for decompile dotnet assembly. This is very easy and doesn't requires some deep knowledge about dotnet internals
- Good researcher can download official MS datasheet about IL code and build his own tools for parsing assemblies, #strings #blob , other parts of .net exe, etc
- Pretty good researcher even can understand how IL code was parsed by .net machine without ANY documentation, ANY source code only via deep assembler code tracing of .net binaries in real time
So, your level (according to your words) is download some easy to use tools and press few buttons. And I'm talking about level when you can imagine and build your own tools from scratch (parsing dotnet for example)
step 1: you must able to load EA in terminal (smiling face in upper right corner) In other words use one valid license for ea to break protection. if you cant load - nothing to break.
step 2: Softice - RIP. all the time i'm using ollydbg with strong OD plug. sometimes i'm using ida pro.
step 3: guardinan hook kernel32.ReadFile function. you can see that in kernel32.ReadFile API entry point
step 4: after few calls kernel32.ReadFile from terminal process you able to find addresses where loads ex4 files.
step 5: when EA decrypted inside guardian(if you have license), returned buffer will contain decrypted ea. just dump data and save as ex4 file. exact size for our new 'clean' ex4 calculated from corresponding parameter of kernel32.ReadFile func.
www.isohunt.com to find "idra pro"
I use IDA pro 6.1 and notepad++ as hex editor, I successfully made my first edu ea... first unpack dll and convert to pseudo C then after analyze the code I found the function that check license and I simply patched the return of this function to always return the correct value for activate the ea, no matter wich value code you insert.... and it works, I patched the hex value with notepad++
1) fresh brain
2) decompiled by somebody ex4 file(s)
3) debug: ida pro 5.5 + ida internal debugger + idastealth plugin for hide from vmprotected mt4 terminal.exe and sometimes for hide from EA dlls.
4) hexeditor: hiew
5) dump exe or dll: LordPE
6) import fix: imprec
7) pe editor: CFF explorer or\and LordPE
8) .NET targets: Reflector 7, de4dot, Simple Assemply Explorer, dotnet dumper.