KANAL crypto signatures on serialcheck help.


james
July 21st, 2009, 11:19
Hi again,

this is my second post, so bear in mind I'm not as smart as the rest of you, hehe.

Anyway, my current project has me baffled.
I have a program which reads a string and determines if the program should be valid regged or not, pretty straight forward.
What I know for certain is that the string consists of some plaintext that describes the license (date, machine id and that kind of stuff) and a (hash)code.

The two have to match up, as in: the descriptive string --> function --> hash should equal the hashcode.

My initial thought was "excellent, now I have a perfect project for toying with the KANAL plugin for PEiD."

I search and get, among others, the following signatures:
"SHA1 [Compress] :: xxx :: yyy
{Big number} :: xxx :: yyy
{Big number} :: xxx :: yyy
{Big number} :: xxx :: yyy"

so, a SHA1/SHA/SEAL/RIPEMD and three big numbers (128bit).

This all seems good, and I know (from sources) that sha is used to make the hash. My problem is: How do I find where these are used?
I know it sounds like a dumb question, so let me rephrase: All the addresses (xxx's and yyy's) end up as "xxx ? [hex]" in Olly and INT3 bp's (as opposed to xxx · [hex]). I've tried bp'ing on INT3 and around the opcode, but I never break on any of them.

Any help is greatly appreciated! Thanks

- James

squidge
July 21st, 2009, 14:21
According to your profile, this is your 7th post, not your 2nd, unless of course you mean topic

As for peid, xxx is the file offset, and yyy is the virtual offset of the found item. PEID may or may not have found references for these. If it has, you'll be able to see them by clicking the + to the left.

Also, don't assume that just because they exist, they are used in the registration routines. They could be used elsewhere (eg. file modification checks) or even red herrings.

Oh, and it's quite pointless to set a breakpoint on an INT 3, as INT 3 *is* a breakpoint of the software kind. Your debugger will typically insert INT 3 instructions in the code you are debugging (unless you told it to use hardware BPs), overwriting the code that's there previously (and also why some apps can tell you are setting breakpoints on its code just by scanning for these instructions where they don't belong).

james
July 21st, 2009, 15:29
Thanks for the reply squidge, and yes I meant thread

I know I should've made it more clear, I am not assuming, I know - from another reverser who has successfully found the routine.

Still, the problem for me seems to be I don't break on the offset nor VA. Can I be doing something wrong like... misinterpreting? I wouldn't think locating signatures would be a "it's in that area somewhere" (I land in between opcodes, not "INT3" like I mistakenly said earlier).

Maybe I just made a stupid mistake -- at least I hope so

Thanks again for the clarification

- James

squidge
July 21st, 2009, 16:54
So you're saying that PEID is stating "The reference is above" for every found item?

james
July 21st, 2009, 17:27
Yes, that is correct.

squidge
July 22nd, 2009, 02:10
Then you will land between opcodes, as you have stated (or even just a random place in memory). KANAL is just a pattern scanner - it can help you detect various types of Crypto, but that's really as far as it goes.
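To make squidge's two points concrete (the "xxx :: yyy" pair is a file offset and a virtual offset, and KANAL is only a byte-pattern scanner that knows nothing about code flow), here is an added example that is not part of this thread and not KANAL's own signature database. It walks a PE section table to translate raw file offsets into RVAs, then scans the file for the SHA-1 round constants (the "SHA1 [Compress]" hit) and the SHA-1 initial state, which SHA-1 shares with SHA-0 and RIPEMD, which is why such scanners report that ambiguous group. The constants, the 512-byte proximity window and the tiny two-section PE it builds for itself are my own constructions; the signature names are modelled on KANAL's output format rather than copied from it. Because the scan is byte-based, a hit is wherever the immediate or table lives, which may well be in the middle of an instruction rather than at a function entry, exactly as james observed.

```python
import struct

# Constants a crypto-constant scanner keys on.  The first set is the SHA-1 round
# constants; the second is the initial hash state, which SHA-1 shares with SHA-0,
# MD4/MD5 and RIPEMD, so a pattern hit cannot distinguish those on its own.
# (Constructed signature table for this example, not KANAL's database.)
SIGNATURES = {
    "SHA1 [Compress]": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "SHA1/SHA/RIPEMD [Init]": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
}


def parse_sections(data):
    """Return [(name, virtual_address, raw_pointer, raw_size)] from a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, raw_ptr, raw_size))
    return sections


def file_offset_to_rva(offset, sections):
    """Map a raw file offset to an RVA.  Headers are mapped 1:1; offsets that fall
    in no section (slack, overlay) return None."""
    if sections and offset < sections[0][2]:
        return offset
    for _name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return va + (offset - raw_ptr)
    return None


def scan_constants(data, sections, window=512):
    """Report (signature, file_offset, rva) for every place where all of a
    signature's little-endian constants occur within `window` bytes of the first.
    The offsets are the pair a KANAL-style tool prints as 'xxx :: yyy'."""
    hits = []
    for name, words in SIGNATURES.items():
        first = struct.pack("<I", words[0])
        start = data.find(first)
        while start != -1:
            region = data[start:start + window]
            if all(region.find(struct.pack("<I", w)) != -1 for w in words[1:]):
                hits.append((name, start, file_offset_to_rva(start, sections)))
            start = data.find(first, start + 1)
    return hits


def build_sample_pe():
    """Constructed two-section PE skeleton for the demo (not a real program):
    headers in the first 0x200 bytes, .text at raw 0x200 / RVA 0x1000, .rdata at
    raw 0x400 / RVA 0x2000.  The optional header is omitted (size 0) because only
    the section table matters here."""
    def section(name, va, raw_ptr, size):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 2 sections, SizeOfOptionalHeader = 0, executable image
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x102)
    hdr[0x58:0x58 + 40] = section(b".text", 0x1000, 0x200, 0x200)
    hdr[0x80:0x80 + 40] = section(b".rdata", 0x2000, 0x400, 0x200)
    text = bytearray(0x200)
    # Round constants spread out as if they were immediates inside a compress loop
    for i, w in enumerate(SIGNATURES["SHA1 [Compress]"]):
        struct.pack_into("<I", text, 0x10 + 0x30 * i, w)
    rdata = bytearray(0x200)
    # Initial state laid out as a contiguous table in read-only data
    struct.pack_into("<IIII", rdata, 0x20, *SIGNATURES["SHA1/SHA/RIPEMD [Init]"])
    return bytes(hdr + text + rdata)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    secs = parse_sections(data)
    for name, off, rva in scan_constants(data, secs):
        rva_txt = f"{rva:08X}" if rva is not None else "outside sections"
        print(f"{name} :: {off:08X} :: {rva_txt}")
```

Run it with no arguments to scan the built-in sample (expect hits at file offset 0x210 / RVA 0x1010 and 0x420 / RVA 0x2020), or pass a path to scan a real PE. To get from a hit to the code that uses it, the usual next step is to add the image base to the RVA and look for references to that address in the disassembler, not to set a breakpoint on the constant itself, which is data rather than an instruction boundary.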