Thursday, September 24, 2009

"Sorry, this database has been created by a pirate version of IDA Pro"


Patching ida.wll


Target: IDA Pro Version 5.2.0.911 & Version 5.5

Some of you might have encountered this error message when trying to open an idb (IDA database) file. It only happens if the idb was created by a pirated copy of IDA Pro, as in the screenshot below:

Someone from exetools.com has posted the patch, but it is limited to registered members. Based on the description there, patching out the pirated message is actually not hard.

The steps are fairly easy:

  1. Find ida.wll in your IDA installation directory and load it with IDA.
  2. Find the text string "Sorry, this database has been created by a pirate version of IDA Pro" using Shift+F12 (Strings tab).
  3. Press Enter to jump to the data section.
  4. You should see the aSorryThisDatab attribute, which is already defined with the above string.
  5. Put your cursor on the attribute and press x (Cross reference) to jump to the code section that uses this data.
  6. You should now be at the code, which looks like this:


  7. Notice the jz before the "call sub_10039660"; double-click to enter the sub_10039660 function.
  8. You can see the 3 exported functions MD5Init, MD5Update and MD5Final.
  9. Go to the part near the retn instruction.
  10. Take note of how EAX is updated, because this register determines whether the hash is equal or not and is returned to the previous function, which does the comparison "test al, al".
  11. From the figure above, we know that we can avoid the pirated message if EAX is zero. So we can patch "mov al,1" to something that will give us EAX=0, e.g. "xor eax, eax" ;)
  12. Using any hex editor you prefer, jump to this address and make the modification. Done!!!

Download: ida.wll.patched


Reference

Datarescue IDA pirated .idb database -- http://forum.exetools.com/showthread.php?t=12087

~Signing off
@x9090

2 comments:

Anonymous said...

Or you could just convert the conditional jump to a direct jump.

PerikiyoXD said...

Even easier, "nop" the "test al, al", "call sub_XXXXXX" and change the "jnz"/"jz" to "jmp", and then you can import those tasty IDBs... ;3