#1
please help
hello all, I have a progie that writes two DLLs to the temp folder and I have determined the one that holds all of the reg stuff. I don't know what type of protection this is and have no idea how to break on mem in Olly. There is no lstrcmp; there is lstrlenA and GetWindowText. It also deletes the DLLs after closing the progie. please help!!
#2
Try breaking on LoadLibrary, since your program must load these .DLLs to use them at some point.
Regards, Satyric0n
#3
|
|||
|
|||
|
thanks Satyric0n, is this something you have encountered before? It seems like all of the ascii that I see for the window messages are created in memory:
```
$-1AEC   > 00424710  /CALL to GetDlgItem from BC878DE0.0042470A
$-1AE8   > 005C03A0  |hWnd = 005C03A0 ('Software Registration',class='#32770',parent=008F018C)
$-1AE4   > 000003FE  \ControlID = 3FE (1022.)
$-1AE0   > 00428DA1  RETURN to BC878DE0.00428DA1 from BC878DE0.004246FC
$-1224   >|003A5F38  ASCII "[email protected]"
$-1220   >|003A5B78  ASCII "1212121212"
$-121C   >|003A56C8  ASCII "jdogrulz"
$-1218   >|003A5E98  ASCII "User Name:"
$-1214   >|003A5858  ASCII "Email:"
$-1210   >|003A5DA8  ASCII "Registration Key:"
$-120C   >|0012EAB0  Pointer to next SEH record
$-1208   >|0042B3E1  SE handler
$-B18    > 0012FB98  ASCII "ac2cbb51-7846-4c5f-ba52-e4d5405f1d1f"
$-7A4    > 00A70478  ASCII "This copy will expire in 10 days. To try Visual Pipes, click the 'Continue' button.
$-7A0    > 003A5678  ASCII "Evaluation period: 3/19/2004 to 3/29/2004."
$-79C    > 003A5D08  ASCII "PRODUCT ID: 17124-2274-26267"
$-50     >|003A6168  ASCII "Software Registration"
$-48     >|003ACB20  ASCII "uh019h9c514u6bb"
$-44     >|003ACBC0  ASCII "12kz"
$-38     >|003A58A8  ASCII "PRODUCT ID: "
$-34     >|003A5948  ASCII "Evaluation period: d1 to d2."
$-30     >|003AA808  ASCII "YOUR EVALUATION PERIOD HAS EXPIRED! You must register this copy to continue..."
$-2C     >|003AA898  ASCII "TRIAL SUSPENDED: recent changes to system clock detected. Please try again after reboot or contact"
$-28     >|003A59E8  ASCII "&Info"
$-24     >|003A5A88  ASCII "&Continue..."
$-20     >|003A5B28  ASCII "&Register"
$-1C     >|003A5BC8  ASCII "User Name:"
$-18     >|003A5C68  ASCII "Email:"
$-14     >|003A5DA8  ASCII "Registration Key:"
$-10     >|003A5E48  ASCII "OK"
$-C      >|003A5EE8  ASCII "Cancel"
$-8      >|003A5F88  ASCII "Software Registration"
$-4      >|003A6450  ASCII "Registration Failed - your registration key has not been accepted. You may have typed it incorrectly. If you continue to receive this error, please contact technical support.
$ ==>    >|00A70478  ASCII "Thank you for choosing , the industry's most user-friendly software! This copy will expire in 10 days. To try , click the 'Continue' button. If you have purchased , unlo"...
$+4      >|003A4F98  ASCII "C:\DOCUME~1\jdog\LOCALS~1\Temp\7248A087.DLL"
```
I have all of this neat info here but have no clue how to trace it!!
#4
Try following (or at least reading) my tutorial on cracking Winamp 5.02.
Once you understand usage of the call stack, when an error/registration dialog is showing in the application you are working on, take a look at the call stack to find the relevant piece of code that deals with registration checking.
Regards, Satyric0n
#5
thanks again Satyric0n, I'm on it. I'll read it right now...
#6
hey Satyric0n, I didn't have any such luck. The call is coming from one of the temp DLLs. sh_t! any ideas? check it out:
```
Call stack of main thread
Address    Stack      Procedure / arguments                Called from            Frame
0012DACC   77D43C53   Includes 7FFE0304                    USER32.77D43C51        0012DB00
0012DAD0   77D4B3F2   USER32.WaitMessage                   USER32.77D4B3ED        0012DB00
0012DB04   77D4D9A0   USER32.77D4B265                      USER32.77D4D99B        0012DB00
0012DB2C   77D6AE8E   USER32.77D4D8EC                      USER32.77D6AE89        0012DB28
0012DDE4   77D6A911   ? USER32.SoftModalMessageBox         USER32.77D6A90C        0012DD6C
0012DF2C   77D6AFD5   ? USER32.77D6A7D7                    USER32.77D6AFD0        0012DEB4
0012DF84   77D6B0BD   USER32.MessageBoxTimeoutW            USER32.77D6B0B8        0012DF80
0012DFB8   77D6B04A   ? USER32.MessageBoxTimeoutA          USER32.77D6B045        0012DFB4
0012DFD8   77D6B02E   ? USER32.MessageBoxExA               USER32.77D6B029        0012DFD4
0012DFDC   0003041A     hOwner = 0003041A ('Software Registration',class='#32770',parent=0003
0012DFE0   003A6450     Text = "Registration Failed - your registration key has not been acce
0012DFE4   003A3ED0     Title = ""
0012DFE8   00000030     Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012DFEC   00000000     LanguageID = 0 (LANG_NEUTRAL)
0012DFF0   00428B04   ? USER32.MessageBoxA                 6D79C0BD.00428AFE      /6d79c0bd (6d79c0bd.dll) is one of the two elusive dll's that are written in C:\Documents and Settings\jdog\Local Settings\Temp and then deleted!!
0012DFF4   0003041A     hOwner = 0003041A ('Software Registration',class='#32770',parent=0003
0012DFF8   003A6450     Text = "Registration Failed - your registration key has not been acce
0012DFFC   003A3ED0     Title = ""
0012E000   00000030     Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
```
thanks, Jeff