Tweak XP Pro 3.04

[BetaMaster]

@mtw, I really appreciated your comments in this thread, but when I read your comments, it's like that you tell us that you have worked every thing, I am not having that impression by illusions, and secondly, this is a discussion and I suppose you had some discussions before.I also like to remind you that I didn't ask for your help to bypass the registration routines or the demo limitations, actually I have a full version and a key.

@Crk, the crash that is supposed to be after a crc invalidation is in kernel32.dll, just try to change the txp3.val or make a little change to the file tweak-xp.exe and see it. I guess there is something wrong with the dump.

any help is really appreciated.

[mtw]

Quote:

Originally Posted by BetaMaster

@mtw, I really appreciated your comments in this thread, but when I read your comments, it's like that you tell us that you have worked every thing, I am not having that impression by illusions, and secondly, this is a discussion and I suppose you had some discussions before.I also like to remind you that I didn't ask for your help to bypass the registration routines or the demo limitations, actually I have a full version and a key.

Quote:

Originally Posted by BetaMaster

and I also hope that mtw share with us a working solution to this proggy, not that I like the program itself, but rather to show it tp TotalIdea.I think they deserve it.

If you didnt ask for a solution to bypass it then why make this comment, sorry for my reply's, Im done with this thread. And yes I do have a fully working dumped DEMO copy.

Place for Full version --> hxxp://forum.andr.net/viewtopic.php?t=42283

[BetaMaster]

you're a strange guy, you want to help, but words don't come out off your mouth "enough", as if you're afraid to uncover critical information.I guess if that was the general case, then this forum would have never seen the light, and people who have some knowledge now, wouldn't have aquired that knowledge in the first place.

I really liked some help on this topic, as I don't consider myself unpacker at all (perhaps only some simple packers like upx, aspack, pecompact, thinstall, and some cases of asprotect and svkp), not to mention of course that I don't see any tool to disassemble vb6, or any intermediate/advanced tutorial on the subject.

I am sorry that you felt that way towards me, and I apologize if I hurt your feelings. I was just trying to learn something I don't know from someone who seemed to know better than me.

Thanks again, and peace.

relax guys .. we all are here to learn from each other something new every day...

keep the knowledge and sharing spirit alive!

Regards

[mtw]

@Crk: LOL. I am relaxed all the time, if you get frustrated just by a thread, then there is no point in going through miles of code in a debugger, as this is more frustrating.

@BetaMaster: No I dont have feelings to get hurt, and no Im not hiding anything, I just told you how to get past the protection check.

Now for dumping the Demo version:
Get rid of S-ice and fire up olly.
You know the drill, hide the debugger, and at all times dont use F9 use Shift+F9 to run the app.

Now when its loaded goto MemoryMap and Press F2 on the Resources section and Press "Shift+F9"
When it breaks set goto options a set Break On new DLL load. Press Shift+F9 and watch the DLL's second Shift+F9 you will see it loads the VB runtime DLL.
Now select the runtime DLL and select "View Names". Find the ThunRTMain, and double click it, you will be back in the CPU window. Select the PUSH EBP and press F2. Remove the "Break on new DLL load". Then Shift+F9.

When you break your in the veryfirst call from this app, the initialization of the VB "Native Code" app, which is the ThunRTMain.

Before you go on look at the second line in your stack window. "Picture include so you know what Im talking about".You'll see a line like this
0012FFC0 00401A68 ASCII "VB5!6&*"
that 401A68 (or whatever yours is) is the push 00401A68 before the call to ThunRTMain. This is the first line from the stolen bytes (all those NOPS "90h" at the OEP. The second line (of the NOPS) is the call to ThunRTMain (second line of stolen bytes). Now in the CPU window Press CTRL-G and put in 401364 for the address to jmp to. you'll be looking at an NOP. Press Ctrl+A.

Now you will see all the MSVBVM60 calls, where that first 90 is, is your OEP, now that address I said to look at in the stack window (mine 00401A68) starts here so highlight that first 90h and press space bar enter

Push (your address) (like I said mine was 00401A68), and then
Call (the address for the first JMP before the NOP's) (mine is 40135E)
That is the call to ThunRTMain.
Now you can fire up LordPE, CorrectImageSize and dump it.
Fire up ImpRec and put your OEP here (mine is 00001364),
select IAT AutoSearch then GetImports.

You will notice it gets them all except for 1 which is DLLFunctionCall.
Make this one DLLFunctionCall then fix your dump.

Now you can do traces etc with that dll, now memory might change from machine to machine, like all apps do. I run XP SP1 so you know.

Now load the dumped.exe into olly and set a bp on the DLLFunctionCall, you'll see the veryfirst call is to the special.dll, but if its not there it makes an exception. So from here you can see what the protection does (not the registration code) but the checks for the modified.exe

[BetaMaster]

now that you told the complete story, it worked and 100%.

Thanks a lot mtw, much appreciated.

since i don't run Olly by now.. maybe i'll get some free time to start using and learning Olly very soon ..... please someone attach here working Dumped file .. i hate SVKP and its debugger detection crap
thanksssssss mtw for all info. given!