Exetools forum (https://forum.exetools.com/index.php), Community Tools: Techsmith Products Hook (https://forum.exetools.com/showthread.php?t=20700)

Jasi2169 10-24-2023 12:39

Techsmith Products Hook
 
Techsmith Products

Products: Camtasia/Snagit v2023/v2024

OS: Windows

Site: www.techsmith.com

Techsmith software like Camtasia/Snagit is very good if you want to record the screen/desktop or to make tutorials for reverse engineering or anything.

Download: (HOOK ONLY) No products included; check the website for those.

https://pixeldrain.com/u/6dbfVB5a

Comments: extract the hook DLL to the installation folder.

Happy recording/teaching/tutorial

TmC 10-24-2023 17:36

Thanks! What about Audiate?

vetgrapje 10-25-2023 14:07

Other source bound it with a virus
 
It took me some time to track down this forum; I would like to thank you for your work. I first downloaded this hook from another source (downloadly.ir). It was working fine, but it seems it has been bundled with a virus and gave me some red flags, so I did some digging and eventually found the source of this hook. Below is some information about the dirty version.dll.

Hybrid Analysis red flags: http://www.hybrid-analysis.com/sample/d6670efa10094a946cba5e9e1b8f585836a8e545f854a0b7dcef475db91ccc6a/6527c6fe8727fe055a050a58
SHA256: d6670efa10094a946cba5e9e1b8f585836a8e545f854a0b7dcef475db91ccc6a

I uploaded this assumed VIRUS here; maybe it is handy for analysis:
https://pixeldrain.com/u/qd61uDj3 (watch out, virus; only download for analysis)

I would like to know what exactly is added, any tips on how to find this out?

Kind regards, T

Jasi2169 10-25-2023 16:11

I usually post on tsrh team forums and that's the only legitimate site to get my releases; I have no time to check.

CodeCracker 10-26-2023 18:43

https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Com'on!
From what I could tell the file is protected by Themida, so this is why it is flagged.

vetgrapje 10-26-2023 21:04

Quote:

Originally Posted by CodeCracker (Post 128859)
https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Com'on!
From what I could tell the file is protected by Themida, so this is why it is flagged.

Thank you for your reply and for checking out the file. The version I had downloaded before differs from the original version (this topic). I searched whether Jasi2169 released a different version of this hook before; this does not seem to be the case, so I assume the version I had downloaded before is bundled with something else. I can't think of a good reason to pack a perfectly functioning hook with something other than a virus.

Thanks Jasi2169, I'll have to check out "tsrh team forums". (I'm not finished reading topics on this forum yet; reverse engineering and patching is very interesting to me, I may have found a new hobby :D )

Jasi2169 10-27-2023 00:51

Quote:

Originally Posted by CodeCracker (Post 128859)
https://www.virustotal.com/gui/file/e4f32d000f0d02380aadbf91785650ca8baee1519baf6becc439b7293d7b4f0b

trojan.scarletflash/themida

Alibaba Packed:Win64/Themida.5b4b1a04
ESET-NOD32 A Variant Of Win64/Packed.Themida.L Su

Com'on!
From what I could tell the file is protected by Themida, so this is why it is flagged.

Plus leaked Themida, which we all use in the scene I guess; I never checked though.

Moe 10-27-2023 08:20

Quote:

Originally Posted by Jasi2169 (Post 128868)
Plus leaked Themida, which we all use in the scene I guess; I never checked though.

"We all"? No... Most crackers do not use such leaked packers since they get blacklisted on most modern Windows systems. You can check if you don't believe me.

Jasi2169 10-27-2023 10:27

Quote:

Originally Posted by Abdul Moeed (Post 128873)
"We all"? No... Most crackers do not use such leaked packers since they get blacklisted on most modern Windows systems. You can check if you don't believe me.

I don't know about your experience; over the last decade I have seen that the releases are packed most of the time, to preserve their integrity. No one will purchase a protector, or use their own purchased copy of it, on cracks and stuff.

Some might use open source as well, but once the release is packed, most AV companies just mark it as a virus (false positive) without any tag or known-publisher tag.

Even my purchased Eazfuscator: it was marked as a virus after packing a simple file. It's just signature-based games.

zen 10-30-2023 19:14

> only legitimate site to get my releases
Present company excluded, of course.

It seems likely that @jasi2169 protected the dll files with Themida to preserve his credits popup and prevent modification of the dll. I could not access the Iran site but I looked at the file posted here and it merely cracked the software. It is likely that since I was using a virtual machine the payload, whatever it supposedly is, did not activate. The "dirty" version.dll did not have a popup message from jasi2169 so I'm not sure it was meant to impersonate and abuse his reputation to spread malware, or not. Another consideration is that sometimes Themida itself causes detection in virus scanners. I am not saying this other version is clean but it is an interesting puzzle.

The crack is very simple, forcing a response value of "1" from TSCLicensing::LicenseType (multi-user perpetual license) and could be accomplished in several different ways. It doesn't require a loader. This is true for Camtasia and Snagit, which are native code and use this licensing dll method. I understand that the point of the jasi2169 dll was convenience. Also, for people using this software, you should change these default settings: In the File menu, Capture Preferences, and uncheck "automatically check for updates" and "send anonymous usage data". Still, whether you are using the loader or not, the software sends telemetry to my.nalpeiron.com/shafer2.asmx. This seems to be related to "Zentitle" cloud licensing.

TmC asked about "Audiate", which is another Techsmith product. It is an Electron (NodeJS) application and does not use the same method. It might be that in index.js the variable "activated" needs to be set; I don't actually know, I only looked at it briefly.

Jasi2169 10-31-2023 00:29

Quote:

Originally Posted by zen (Post 128968)
TmC asked about "Audiate", which is another Techsmith product. It is an Electron (NodeJS) application and does not use the same method. It might be that in index.js the variable "activated" needs to be set; I don't actually know, I only looked at it briefly.

That's true, it uses the Electron framework for cross-platform Node JavaScript, but the file is a 150+ MB standalone. It doesn't load for me; I waited 15 minutes and it was still loading, and also in xdbg I don't know why it freezes, so I closed it. Maybe I have less patience, and sometimes I think my hardware needs an upgrade :/ but I don't use Audiate, only Camtasia and Snagit usually. Well, index.js is where everything starts, but unfortunately it's too big in one single exe.
