grandpa software cracking !


staggy
June 29th, 2009, 14:59
Hi there,

I'm trying to crack an old piece of software (2002); that one is harder than expected!
PEiD found no packer.

Here is the Registration Box.
http://img34.imageshack.us/img34/9297/63810981.jpg

So I entered something into it, set a breakpoint on Softice :
Code:
GetWindowInfo

Closed Softice and click "ok".

Softice immediately appeared, so I tried:

Code:
s 0 L ffffff 'my key here'


Something was found here : 0023:0017D7A8

So I set a new breakpoint on memory access
Code:
bpm 0023:0017D7A8


What should I do next ?
Thanks in advance.

This software returns no error strings when entering a wrong code.
It just starts with many bugs.

disavowed
June 29th, 2009, 20:27
what tutorials have you read so far on this subject matter?

staggy
June 30th, 2009, 04:01
Hello,

Here : http://pifoman.free.fr/cours_cracking/cours_cracking.htm
(In French).

disavowed
June 30th, 2009, 10:02
you've read all 81 tutorials on that site?

staggy
June 30th, 2009, 10:52
No, just some of them.

disavowed
June 30th, 2009, 12:44
Try setting breakpoints on GetDlgItemText(...) and GetWindowText(...) to see where the string is read in. Then trace through to see what code is operating on the input.

staggy
June 30th, 2009, 12:56
Softice can't recognize those BP's, what's wrong ?

evaluator
June 30th, 2009, 14:30
type in Sice:
exp GetDlg*

disavowed
June 30th, 2009, 18:18
see http://msdn.microsoft.com/en-us/library/cc500321.aspx

staggy
July 1st, 2009, 11:32
Hi Guys !

Thanks for your tips, I set a BP (getwindowinfo) and saw my computer ID and my wrong registration key, but I have some troubles to follow the code...

Is there anyway to compare a cracked exe file to a clean exe file to see the differences between them ?

disavowed
July 1st, 2009, 13:34
http://lmgtfy.com/q=compare+binary+files

naides
July 1st, 2009, 14:18
also the Eeye software is very handy for a more analytical comparison of software disassemblies.

staggy
July 1st, 2009, 14:48
Great! thanks.
By the way, I can't find the Eeye software.

(except there : http://www.eeye.com/html/downloads/index.html)

naides
July 1st, 2009, 15:52
I am referring to the binary diffing software found at

http://research.eeye.com/html/home/index.html

inside the site you already found. (it used to be linked in the face page).

dELTA
July 2nd, 2009, 04:44
And I assume that none of the 28 tools of the CRCETL category "Diff Tools" and its subcategories were satisfactory...

http://www.woodmann.com/collaborative/tools/Category:Diff_Tools

staggy
July 2nd, 2009, 14:31
Thanks.
I think my software is packed.

Why ?

The crack's size is bigger than the original file,
PEiD recognizes the cracked file as Visual Basic 5.0-6.0,
PEiD can't recognize the original file...

Must be pretty hard to find a VB unpacker, no?

JMI
July 2nd, 2009, 15:29
If you actually want to know whether it is "pretty hard to find a VB unpacker" then YOU put something such as "VB unpacker" (without the quotes) in YOUR favorite search engine and YOU do the research you want! That's what is required by our Rules in the FAQ, which you did read, didn't you???

Regards,

staggy
July 2nd, 2009, 15:50
Hello,

I've already searched for that and nothing was found, except "VB6 native". I tried SmartCheck; it doesn't work with it, but it does with the cracked file.
So that's why I was saying it must be hard to get an unpacker for VB 6.

Thanks anyway.

arc_
July 3rd, 2009, 06:23
So unpack it manually. If it is indeed packed at all, that is.

staggy
July 3rd, 2009, 10:29
The OEP is 00008A04. (I checked the cracked file with PEiD).

I tried it in REConstructor but it gets me : "Could not find anything good at this OEP".

What's wrong ?
Thanks.

dELTA
July 3rd, 2009, 18:03
What's wrong is that you're trying to run random tools that you don't understand, in order to perform a complex task that you must learn a bunch of things to be able to do properly.

Now, go start at the right end, and read some of the gazillion articles and tutorials on the basics of manual unpacking. Then come back with some worthy questions.

disavowed
July 3rd, 2009, 18:59
or save yourself the reading and just take a course in manual unpacking: http://www.blackhat.com/html/bh-usa-09/train-bh-usa-09-sl-advmal.html

staggy
July 4th, 2009, 04:26
Ok thanks !

staggy
July 9th, 2009, 12:22
Hi,

00401759 |. E8 B7FAFFFF CALL pfd.00401215
0040175E |. 59 POP ECX
0040175F |. 59 POP ECX
00401760 |. 8B85 C4FDFFFF MOV EAX,DWORD PTR SS:[EBP-23C]
00401766 |. 8B40 10 MOV EAX,DWORD PTR DS:[EAX+10]
00401769 |. 0385 BCFDFFFF ADD EAX,DWORD PTR SS:[EBP-244]
0040176F |. 8985 CCFDFFFF MOV DWORD PTR SS:[EBP-234],EAX
00401775 |. 8B85 CCFDFFFF MOV EAX,DWORD PTR SS:[EBP-234]
0040177B \. FFE0 JMP EAX // <--it seems to jump to the OEP

So I press F8 and jumped here :

7FF33B20 |. 55 PUSH EBP

7FF33B20-00400000=7FB33B20

I tried it in ImportREC, but it doesn't work again !

Thanks for helping me.

disavowed
July 9th, 2009, 13:10
that's not the oep

staggy
July 9th, 2009, 13:13
Ok, so the OEP must begin with 0040?

disavowed
July 9th, 2009, 14:09
i wouldn't say it must be, but it is probably of the form 0x004?????
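
The reason the address in the post above can't be the OEP can be checked from the PE header itself: an address only "belongs" to the loaded module if it falls between ImageBase and ImageBase + SizeOfImage, and more precisely inside one of its sections. The following is an added example, not code from the thread or from any of the tools mentioned; it constructs a minimal PE32 header with an assumed image base of 0x400000 and an assumed single .text section, then classifies the two addresses quoted in the thread (0x00401759, which is inside the image, and 0x7FF33B20, which is not).

```python
import struct

def build_pe_header(image_base, sections):
    """Construct a minimal PE32 header (DOS stub, PE signature, COFF header, optional
    header, section table); constructed test data, only the fields parse_image reads matter."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header at 0x40
    opt_size = 224                                     # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)        # ImageBase
    size_of_image = max(rva + vsize for _, rva, vsize in sections)
    struct.pack_into("<I", opt, 56, size_of_image)     # SizeOfImage
    table = b"".join(struct.pack("<8sII", n.encode().ljust(8, b"\0"), vs, rva)
                     + bytes(24) for n, rva, vs in sections)   # 40-byte section headers
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def parse_image(data):
    """Return (ImageBase, SizeOfImage, [(name, VirtualAddress, VirtualSize), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize))
    return image_base, size_of_image, sections

def locate(va, image_base, size_of_image, sections):
    """Classify a virtual address seen in the debugger: the section holding it, "header"
    if inside the image but before any section, or None if outside the mapped image."""
    rva = va - image_base
    if not 0 <= rva < size_of_image:
        return None                                    # e.g. a stub running from memory it allocated itself
    for name, sec_rva, vsize in sections:
        if sec_rva <= rva < sec_rva + vsize:
            return name
    return "header"

if __name__ == "__main__":   # constructed layout, not the thread's real file
    info = parse_image(build_pe_header(0x400000, [(".text", 0x1000, 0x10000)]))
    print({hex(va): locate(va, *info) for va in (0x00401759, 0x7FF33B20)})
```

For a real file, replace build_pe_header with the bytes of the executable on disk; the "RVA" of 0x7FB33B20 computed in the thread is far beyond any plausible SizeOfImage, which is why an import reconstructor has nothing to work with at that address.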

staggy
July 9th, 2009, 14:41
Okay, thanks.

staggy
July 13th, 2009, 08:44
Hi,

I found TS_LOADER followed by GetEnvironmentVariableA. Thinstall was probably used to pack this, no?