Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   please help (https://forum.exetools.com/showthread.php?t=3704)

jdogrulz 03-22-2004 02:25

please help
 
hello all, I have a progie that writes two dll's to the temp folder and I have determined the one that holds all of the reg stuff. I don't know what type of protect this is and have no idea how to break on mem in olly. there is no lstrcmp, there is lstrlena and getwindowtext. It also deletes the dll's after closing the progie. please help!! :(

Satyric0n 03-22-2004 02:31

Try breaking on LoadLibrary, since your program must load these .DLLs to use them at some point.

Regards,
Satyric0n

jdogrulz 03-22-2004 02:45

thanks Satyric0n, is this something you have encountered before? It seems like all of the ascii that I see for the window messages are created in memory:

$-1AEC > 00424710 /CALL to GetDlgItem from BC878DE0.0042470A
$-1AE8 > 005C03A0 |hWnd = 005C03A0 ('Software Registration',class='#32770',parent=008F018C)
$-1AE4 > 000003FE \ControlID = 3FE (1022.)
$-1AE0 > 00428DA1 RETURN to BC878DE0.00428DA1 from BC878DE0.004246FC



$-1224 >|003A5F38 ASCII "[email protected]"
$-1220 >|003A5B78 ASCII "1212121212"
$-121C >|003A56C8 ASCII "jdogrulz"
$-1218 >|003A5E98 ASCII "User Name:"
$-1214 >|003A5858 ASCII "Email:"
$-1210 >|003A5DA8 ASCII "Registration Key:"
$-120C >|0012EAB0 Pointer to next SEH record
$-1208 >|0042B3E1 SE handler



$-B18 > 0012FB98 ASCII "ac2cbb51-7846-4c5f-ba52-e4d5405f1d1f"



$-7A4 > 00A70478 ASCII "This copy will expire in 10 days. To try Visual Pipes, click the 'Continue' button.

$-7A0 > 003A5678 ASCII "Evaluation period: 3/19/2004 to 3/29/2004."
$-79C > 003A5D08 ASCII "PRODUCT ID: 17124-2274-26267"



$-50 >|003A6168 ASCII "Software Registration"
$-48 >|003ACB20 ASCII "uh019h9c514u6bb"
$-44 >|003ACBC0 ASCII "12kz"
$-38 >|003A58A8 ASCII "PRODUCT ID: "
$-34 >|003A5948 ASCII "Evaluation period: d1 to d2."
$-30 >|003AA808 ASCII "YOUR EVALUATION PERIOD HAS EXPIRED! You must register this copy to continue..."
$-2C >|003AA898 ASCII "TRIAL SUSPENDED: recent changes to system clock detected. Please try again after reboot or contact"
$-28 >|003A59E8 ASCII "&Info"
$-24 >|003A5A88 ASCII "&Continue..."
$-20 >|003A5B28 ASCII "&Register"
$-1C >|003A5BC8 ASCII "User Name:"
$-18 >|003A5C68 ASCII "Email:"
$-14 >|003A5DA8 ASCII "Registration Key:"
$-10 >|003A5E48 ASCII "OK"
$-C >|003A5EE8 ASCII "Cancel"
$-8 >|003A5F88 ASCII "Software Registration"
$-4 >|003A6450 ASCII "Registration Failed - your registration key has not been accepted. You may have typed it incorrectly. If you continue to receive this error, please contact technical support.

$ ==> >|00A70478 ASCII "Thank you for choosing , the industry's most user-friendly software!

This copy will expire in 10 days. To try , click the 'Continue' button.

If you have purchased , unlo"...
$+4 >|003A4F98 ASCII "C:\DOCUME~1\jdog\LOCALS~1\Temp\7248A087.DLL"
I have all of this neat info here but have no clue how to trace it!!

Satyric0n 03-22-2004 02:50

Try following (or at least reading) my tutorial on cracking Winamp 5.02.

Once you understand usage of the call stack, when an error/registration dialog is showing in the application you are working on, take a look at the call stack to find the relevant piece of code that deals with registration checking.

Regards,
Satyric0n

jdogrulz 03-22-2004 03:04

thanks again Satyric0n, im on it. ill read it right now...

jdogrulz 03-22-2004 04:44

hey satyric0n, I didn't have any such luck. The call is coming from one of the temp dll's. sh_t! any ideas? check it out:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012DACC 77D43C53 Includes 7FFE0304 USER32.77D43C51 0012DB00
0012DAD0 77D4B3F2 USER32.WaitMessage USER32.77D4B3ED 0012DB00
0012DB04 77D4D9A0 USER32.77D4B265 USER32.77D4D99B 0012DB00
0012DB2C 77D6AE8E USER32.77D4D8EC USER32.77D6AE89 0012DB28
0012DDE4 77D6A911 ? USER32.SoftModalMessageBox USER32.77D6A90C 0012DD6C
0012DF2C 77D6AFD5 ? USER32.77D6A7D7 USER32.77D6AFD0 0012DEB4
0012DF84 77D6B0BD USER32.MessageBoxTimeoutW USER32.77D6B0B8 0012DF80
0012DFB8 77D6B04A ? USER32.MessageBoxTimeoutA USER32.77D6B045 0012DFB4
0012DFD8 77D6B02E ? USER32.MessageBoxExA USER32.77D6B029 0012DFD4
0012DFDC 0003041A hOwner = 0003041A ('Software Registration',class='#32770',parent=0003
0012DFE0 003A6450 Text = "Registration Failed - your registration key has not been acce
0012DFE4 003A3ED0 Title = ""
0012DFE8 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012DFEC 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012DFF0 00428B04 ? USER32.MessageBoxA 6D79C0BD.00428AFE /6d79c0bd (6d79c0bd.dll) is one of the two elusive dll's that are written in C:\Documents and Settings\jdog\Local Settings\Temp and then deleted!!
0012DFF4 0003041A hOwner = 0003041A ('Software Registration',class='#32770',parent=0003
0012DFF8 003A6450 Text = "Registration Failed - your registration key has not been acce
0012DFFC 003A3ED0 Title = ""
0012E000 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL

thanks,
Jeff

Satyric0n 03-22-2004 05:17

I'm sorry, it appears I misunderstood what you were asking for. I thought you were having trouble finding the code in the dynamically created .DLL that is checking your registration status.

So what you are actually asking is how the .DLL is stored in the original .EXE, so that you can modify the .DLL before it is extracted (and crack the code in the .DLL that checks your registration status, etc)? If that is the case, I'm not sure I can help you... Without knowing what packer/protector is being used to encapsulate those .DLLs, or which specific application you are working on, I have too little information to go on to even hazard a guess.

Sorry I couldn't be of any real help. :(

Regards,
Satyric0n

jdogrulz 03-22-2004 05:27

Satyric0n check your pm...

jdogrulz 03-22-2004 06:27

Satyric0n check your pm...again ;)

jdogrulz 03-22-2004 07:56

anyone else have any ideas??

dyn!o 03-22-2004 16:11

dll patching - read people, read :)
 
There is no problem (as always :) ).

First of all you have to discover how the dll communicates with the base (exe or other dll). Generally there are two possibilities:

1. The dll is physically extracted at runtime to the TEMP folder and then communicates the usual way. If you encounter this one then it is more than easy - all you have to do is to find the place where this dll is extracted and make a backup during usual program execution. Then you can dance and make yourself "feel good".

2. The dll is dynamically hooked at runtime via a loader (which can be executed as part of a packer) and it is being hidden during usual program execution. You can't see it because all API calls and the dll initialization moment are being handled by the loader. In this case you have more work (about 20 minutes) because you need to extract the dll at its initialization moment, thus you need to verify if the import table needs rebuilding.

Bla bla...
Anyway, you can always prepare a direct attack on the dll - no matter how many layers it uses. Just look at the latest Paradox SwishMax 2004.02 crack - they did fuck**g good job (as the only one). Probably you can learn a lot from this crack (multiloader).

Best regards,
dyn!o

jdogrulz 03-22-2004 20:48

thanks dyno ill read it also.

jdogrulz 03-23-2004 04:38

dyno, where do i find this tut at??? I searched this forum, nothing, did a yahoo search, nothing...

thanks,

jdog

dyn!o 03-23-2004 16:01

Patching dynamic modules at runtime.
 
Oops... I didn't say there is a tutorial available :(

I said that you should look at SwishMax 2004.02 and try to crack it - it's a very good challenge. If you fail then get the Paradox release and analyze their job since they've cracked it properly as the only one.

Good luck.
dyn!o

jdogrulz 03-23-2004 18:37

ok, will do. thanks

jdogrulz 04-06-2004 22:00

dyn!o
it appears that my progie is #1 of your examples, and I have found the piece of code in the dll that it creates in my temp folder, and can just nop it and it goes to "thank you for your registration" no prob, but this won't help because the dll is always deleted after the progie is shut down, and it does not look to see if a dll is there or not when you start it up. :(

I'm lost, so could someone please help?

thanks,
jdog

jdogrulz 04-07-2004 01:29

I just found this in the windows box in olly, while I did a bp on my point-h:

Protected by:
Geeworks TrialMaster Standard Edition
Web:
hxxp://xxx.geeworks.com

went to their site and found this:

TrialMaster

Shipping software just got Faster, Easier, Cheaper.

Why waste weeks or even months to research, design, implement and test the perfect software distribution system? Get TrialMaster. In just a few mouse clicks, TrialMaster transforms your unprotected software product into a time-limited trial software ready for distribution. No coding required. Get it now. And Ship your product Today!
STEALTH32 -- Software Protection Technology

Stealth32 is a patent-pending technology. It's designed by ex-Microsoft Windows NT developers who know the ins-and-outs of the Windows operating system. With Stealth32, you can be sure your intellectual property is safely distributed and tried before they're purchased.


Features
Latest encryption technology: compress and encrypt your executable. In most cases, your EXE will load faster because of the smaller file size.
BIOS-Locking: an advanced feature that prevents your customers from sharing their registration key with others.
Anti-rollback system clock: Stealth32 can determine the correct date/time from the BIOS directly to prevent your trial users from renewing their software by rolling back the system clock.
Anti-debugging: to maximize protection against hackers, Stealth32 empties the process memory when a debugger is attached to the protected software.
Require no changes to your code: Stealth32 works directly with the Win32 Portable Executable (PE) format so you don't need to change your source code.
No source code needed: you don't even need to have the source code around. Stealth32 injects itself directly into your executable to give you transparent protection.
Check Registration Status at Runtime: With a few simple calls, you can tell whether your app has been registered and enable/disable certain features accordingly.
Works with any Windows Win32 applications.
Tested for 95/98/Me/NT/2000/XP: so you know your protected software will work everywhere.

anyone familiar with this??

thanks,

jdog

sgdt 04-07-2004 07:00

Did you see the other eCommerce software they make?

Code:

PowerBlaster

Send 22 Million Pop-ups a Day

We have developed and optimized a software that will send your popups
directly to the computer screen of the people you wanted to see your
advertising. Instantly!

No more waiting, no more email filters to fight, relays and proxies to find.
Just compose your message and you are ready to start your campaign.

85% of all consumer computers are able to display the popups you are
sending to them with this software.

This software is better than bulk email. Why? Here are the reasons:

    * There are no email lists to worry about. Bulk email is regulated by
      different laws in different states, instant popups are not.
    * Bulk email is sent to an email address which sometimes is not even
      checked. popups delivered by this program are delivered straight to
      the screen of your client.
    * Responses to emails come in days later sometimes, when people
      read their emails. Responses to PowerBlaster popups are as instant
      as the popups. Message arrives, people go check out your website.
    * These popups are completely anonymous and virtually untraceable.
      Bulk email will cause you trouble with your ISP if you are not using
      special software to hide your IP address. With this program your IP
      address never shows up anywhere.
    * Response rate is a lot higher, which means more business to you.
    * Delivery rates are instantly presented to you. You can see how many
      popups were delivered and actually seen by people.

Supported Platforms

    * Windows NT/2000
    * Windows XP
    * Windows Server 2003

Fill out the following form and request a trial copy today!

These people are SLEEZE...

jdogrulz 04-07-2004 08:46

yea right!! this company was started by Peter Chiu, an ex-Microsoft Windows NT developer, check this out:

hxxp://wwww.geeworks.com/about.shtml

dyn!o 04-09-2004 22:14

Jdogrulz: Sorry, I was temporarily unavailable.

Anyway, it seems you have really easy stuff, no matter what your skills are. I propose to break on DeleteFileA from Kernel32 and extract this dll. Then you can rename it and its name in the exe and have lots of other solutions - just think about it. I bet you will force it.

Best regards and Happy Easter to everyone :)
dyn!o
