#1
Armadillo DLL unpacked but...
Hi!
I've unpacked (successfully?) an Armadillo 3.xx DLL. OEP is ok, IAT is ok too. It's a Visual Basic DLL ocx. When I use this DLL in a VB executable file it shows: "You do not have an appropriate license to use this functionality" in my native language and this DLL is in English. This is a Visual Basic message, not from DLL. If I run this DLL with a VC++ executable then it only exits and doesn't do anything. Any idea? BTW: Regsvr32 was used to register it.
__________________
omnino lo qui quae que quod somos es pulvis en el ventus. TAOS -The opposite of courage in our society is not cowardice, but conformity-
#2
Hmm, interesting...
Maybe you can share that unpacked DLL and the caller EXE, so we can test it and understand that strange issue?
#3
Quote:
Best Regards. BTW: It's an OCX to hide folder & files to system, DOS windows and boot safe too.
#4
Eltima guys use GetEnvironmentVariableW
ALTUSERNAME, DAYSLEFT, EXPIRED, which are fired by ArmAccess.DLL. If not caught then bye, bye. Check this. BTW, your DLL cannot be registered on my system. Maybe some relocation problem. Do you use RELOX to finish your job on dynamic libs?
Last edited by t4d; 08-10-2006 at 13:40.
#5
Quote:
First thing is: THANK YOU TO ALL. The job is done now, t4d gave me the right tip. I had to crack some bytes in DLL to bypass ArmAccess.DLL. So unpack was successful and now it has been cracked too. Thanks to ALL again for your help.
Info:
Open an exe loader that uses this DLL/OCX in Olly.
bp GetEnvironmentVariableW
When it breaks, press F8 until you are in main.exe.
Press Ctrl+F9.
Press F8 again, only one time.
You have to change this jmp:
10013CEA JNE SHORT 10013CF2
to JE or JMP
and this too:
10013CFD JNE 10013D98
to JE or JMP
Did it!
Last edited by taos; 08-11-2006 at 02:41.
#6
OCX controls can be 'licensed' using standard m$ licensing. It's a key (sometimes embedded in the exe, sometimes included as .LIC file).
Read this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon98/html/vbconlicensingissuesforolecontrols.asp
#7
Maybe this can be of help:
OCX, after registering, get assigned a unique registry key that looks something like 1234f-756b45463465-476464648389309. Searching the registry with your DLL name will give you the unique key for your OCX. They get loaded by your app using the API ole32.CoCreateInstance, which takes the reg key as one of the parameters pushed onto the stack. In Olly, by choosing break in new module, you can catch it loading your DLL. If you locate the area of your main exe code that loads your OCX .dll you can figure out the validation/registration mechanism and neutralize it. In my case, loading an authorized OCX returned 1 in EAX after the ole32.CoCreateInstance API returns. Otherwise a weird value, 800000A1, returned in EAX.