ReD_AnT
October 28th, 2000, 11:08
Hi Friends,
First of all I am thankful to +Sandman, +tsehp for maintaining this wonderful place in spite of all odds. I hope that now we don't have to move again for a long time...
I am a newbie reverser and in need of some help.
I am trying to crack MerakMail for Windows 9x version: 2.10.340 (not the pro version)
(URL : www.icewarp.com or www.merakmail.com).
I have found that the main protection is located in the files config.exe and control.exe.
I disassembled config.exe, looked for the relevant strings, found quite a few, and was trying to look at the conditional jumps just before the error messages...
Now I am facing a peculiar problem... Some of the jumps point to the middle of an instruction... (I hope I am making myself clear!).
Given below is the relevant piece of code:
---------------The Jumps------------------
:004A2591 7373 jnb 004A2606 ---> while 5 byte instruction begins at 04A2605
:004A2593 66756C jne 004A2602
:004A2596 2E004572 add byte ptr cs:[ebp+72], al
:004A259A 726F jb 004A260B
:004A259C 7200 jb 004A259E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A259C(C)
|
:004A259E 0000 add byte ptr [eax], al
:004A25A0 52 push edx
:004A25A1 65 BYTE 065h
-------The locations pointed to by jumps---------
:004A25FE 8B00 mov eax, dword ptr [eax]
:004A2600 E847D9FAFF call 0044FF4C
:004A2605 6830200000 push 00002030
* Possible StringData Ref from Code Obj ->"Warning"
|
:004A260A 681C264A00 push 004A261C
* Possible StringData Ref from Code Obj ->"Your trial version has expired."
|
:004A260F 6824264A00 push 004A2624
:004A2614 6A00 push 00000000
WinDasm gives an error while trying to execute these jumps... Call/Jumps unsuccessful.
There are many such jumps...
I couldn't understand this at all... what is happening?
Is the code there just to fool the crackers?
Or is some runtime patching happening?
Or is there some anti-disassembler?
I tried to see what happens at these jumps at runtime. So I loaded SoftICE and ran the program.
The program runs fine but when I click the register button (which remains enabled) nothing happens... When SoftICE is NOT loaded, then on clicking the register button a box with a filled-up reference key and 2 blank text boxes comes up (which are meant to input the licence no.)
So there is some debugger detection inside the program...
How to find which type of detection is there? How to get to it? And how to disable it?
Please guide me! I am a newbie and please don't flame me for asking such silly questions...
(Maybe I have picked up a real tough proggie... But I think it is a great opportunity to learn...)
Thanks a lot in advance and sorry for such a long post...
ReD_AnT