new type of clever protection?
WoZX
January 26th, 2002, 16:16
I downloaded this software from cjkware.com
"KeyTip chinese", it is a full-featured free trial, no time limit, for reading Chinese text.
The only problem is that it MUST connect to its server on auth.cjkware.com port 12345 (looking on the 'DEAD LISTING')
and do some 'authentication', then it will create a file called 'KEYH2P.DLL'; once successful, the program is ready to run.
It will delete the .DLL once closed, and recreate it again after the 'authentication' process.
I tried to modify the .EXE file but it terminates itself once the file CRC is changed.
Can anyone help me??
DakienDX
January 26th, 2002, 17:46
Hello WoZX !
I've three problems. The first one is that the site (cjkware.com) does not exist, the next one is that the Google cache can't show me the page, and at last that I don't speak Chinese.
I wouldn't call that a very tricky protection. If you can look at the dead listing, you have probably disassembled it. So it is not encrypted and you should find the CRC algorithm somewhere.
Do you know if a real .DLL is written to your harddisc? Can you save it before it's deleted?
Is the protection used in a wrapper or linked to the application? If it's a wrapper and unencrypted you could just change the OEP and IAT to their original values and the protection would be gone.
Is the application complete or are some bytes missing at the OEP?
ThrawN
January 26th, 2002, 18:47
I don't understand the protection in this app. The DLL it creates is for keyboard hooking.
As for the deadlisting? Well, you can enter any email you want anyway? It allows you to use any email address you want also (from what I've seen).
The program is in no way restricted, is it not?
Darkie: the site does exist, as I downloaded it
ThrawN
WoZX
January 26th, 2002, 22:42
Thanks, so far this is my analysis:
When the program starts, it will:
1. probably check for CRC
2. connect to the internet at auth.cjkware.com:12345
3. exchange data (but dunno what data is being exchanged)
4. if authentication OK, create KEYH2P.DLL (yes, I can copy the DLL file)
5. once the program closes, delete the .DLL file.
The program is a full-featured trial, no time limit whatsoever; it is the protection that I'm interested in, that is, after 'authentication' the program will run, or it will close.
There are lots of 'nop' in the program; it seems like it gets data from its server and places it onto its code and then executes, but I could be wrong.
DakienDX
January 27th, 2002, 05:15
Hello WoZX !
Don't you want to use a debugger? You could bypass the CRC check simply (in most cases). You could set some WinSock/WinSock2 breakpoints and simply see what data is sent and what data is returned. If you don't want to send anything, you should look for the SocketHandler and search for the FD_READ message. There you should be able to guess the format of the data supposed to be returned.
Is the .DLL included somewhere in the program (.code, .data, .rsrc, ...) or is it created from the authentication data or decrypted with help of it?
If you are only interested in the protection's authentication, you can easily build such a thing by yourself (or use one of the available systems). Just set up an internet server with a program listening for connections. If a connection is made, check if the incoming data is "MyProtection$1.0$Full$MyProtectedApp$" and if yes, then send back "Auth$OK$", else "Auth$Failed$".
WoZX
January 27th, 2002, 07:32
Nope, I have used API Monitor to get socket info on 'send' and 'receive'; the data is encrypted.
It receives about 1 MB of data (according to the API Monitor, from the parameter of the winsock 'receive' call), so I guess the DLL is created from the data.
I have checked that the DLL is always the same size and content, so what I want to do is to bypass the authentication and jump over to the loading of its DLL. (maybe someone can help me??)
Btw, if I'm not wrong, the program also communicates at certain periods to tom.cjkware.com:12345, and somehow it stops working after a while.
I really need help here.
Thanks.
DakienDX
January 27th, 2002, 10:13
Hello WoZX !
Here is my advice:
Find the CRC check and remove it.
Save a copy of the .DLL somewhere.
Find the createfile function and patch it to open the file instead of create it.
Find where the .DLL is deleted after execution and patch it too.
Copy the .DLL to the directory that it is downloaded normally.
If the program still works as it should, find the authentication procedure and patch it so no data is sent and it thinks that some usable data is received and written to the .DLL.
After that, have fun.
BTW, I don't understand you, I think. One time you write
"it is the protection that i'm interested, that is after 'authentication' then the program will run, or it will close" and the other time
"so what i want to do is to bypass the authentication and jump over to loading of it's DLL". So one time you're not interested in the program but only in the protection, the other time you want to have the program cracked and are not interested in the protection.
WoZX
January 27th, 2002, 21:25
Quote:
Originally posted by DakienDX
Hello WoZX !
Here is my advice:
Find the CRC check and remove it.
Save a copy of the .DLL somewhere.
Find the createfile function and patch it to open the file instead of create it.
Find where the .DLL is deleted after execution and patch it too.
Copy the .DLL to the directory that it is downloaded normally.
If the program still works as it should, find the authentication procedure and patch it so no data is sent and it thinks that some usable data is received and written to the .DLL.
After that, have fun. BTW, I don't understand you, I think. One time you write "it is the protection that i'm interested, that is after 'authentication' then the program will run, or it will close" and the other time "so what i want to do is to bypass the authentication and jump over to loading of it's DLL". So one time you're not interested in the program but only in the protection, the other time you want to have the program cracked and are not interested in the protection.
Isn't this forum about software protection and teaching newbies like me to learn their protection and how to crack it?
NikDH
January 27th, 2002, 22:12
Quote:
Originally posted by WoZX
btw, if i'm not wrong, the program also communicate at certain period to tom.cjkware.com:12345, and somehow it stop working after a while.
Hi woz,
Well, I haven't checked the prog myself, so I'm writing here just a little thought I had reading the thread:
if ThrawN is right and the DLL contains keyboard hooking code,
and you said the proc is going on communicating with the
site for some time after the auth has happened, do you think that it should send some of your keyb logs to the site?
This is a strange behaviour for such a prog.
See ya
NikDH
Woodmann
January 27th, 2002, 22:34
Strange........
The company appears legit (I will check further).
The tom.cjkware.com is best known as a chess server address.
The "key" access is where the server needs to download Chinese, Japanese and Korean fonts and other stuff so you can do whatever you need to do in Asian.
Peace, Woodmann
WoZX
January 27th, 2002, 23:27
Quote:
Originally posted by NikDH
Hi woz,
Well, I haven't checked the prog myself, so I'm writing here just a little thought I had reading the thread:
if ThrawN is right and the DLL contains keyboard hooking code,
and you said the proc is going on communicating with the
site for some time after the auth has happened, do you think that it should send some of your keyb logs to the site?
This is a strange behaviour for such a prog.
See ya
NikDH
No, you got it wrong; I never said that the prog will send our keystroke log to the site, and I never even mentioned that the DLL is a keyboard hook (ThrawN found out about it, not me).
I only say that KEYH2P.DLL is created and, after the prog has been running for some time, it will contact tom.cjkware.com:12345 for something else which I have no idea of right now.
Bengaly
January 28th, 2002, 05:13
Hi all,
I think since the first post everyone got lost in what the prog should do; it all got mixed up so much that even the author of this thread mixed up ;P
But as DakienDX said,
try kicking the CRC or even recalculate the CRC checksum after modifying the executable file,
then just kill/avoid the deletion of the DLL file procedure so the connection to the net won't be effective. I think this scheme type is also used in ACDSee (can't remember which version exactly).
Anyway, I hope you succeed in your mission,
over out.
DakienDX
January 28th, 2002, 12:39
Quote:
Originally posted by WoZX
isn't this forum about software protection and teaching newbies like me to learn their protection and how to crack it?
Hello WoZ !
OK, I'll try to help you.
Find the CRC check and remove it.
-> The most common method is CRC-32 with PKZip-Poly (EDB88320h). So you can search for the value somewhere. This should be the CRC-Table-Generation-Routine. The other possibility is that the CRC-Table is already pre-generated, so search for a block starting with: 00000000h, 77073096h, EE0E612Ch. (this should be enough) Then search for any call pointing to the function or the table and you are somewhere near the CRC-32 routine. It could also use hash-functions, so you must look for their specific values.
Save a copy of the .DLL somewhere.
-> This shouldn't be difficult, since you've already done it.
Find the createfile function and patch it to open the file instead of create it.
-> Look for a function which creates the .DLL. This could be CreateFileA/CreateFileW or _lcreat. Replace the parameter of CreateFile(A/W) from CREATE_NEW or CREATE_ALWAYS to OPEN_EXISTING or replace the _lcreat function with _lopen.
Find where the .DLL is deleted after execution and patch it too.
-> You should look for DeleteFileA (or DeleteFileW because it's possibly an UNICODE program)
Copy the .DLL to the directory that it is downloaded normally.
-> I think you can do this without my help.
If the program still works as it should, find the authentication procedure and patch it so no data is send and it thinks that some usable data is received and written to the .DLL.
-> A bit more tricky, but if you've succeeded until here, you should also get this one. Look at some WinSock/WinSock2 exports. Most of the time the send/recv (TCP) or the sendto/recvfrom (UDP) functions are a good hint.
After that, have fun.
-> I don't need to tell you how, do I?
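The CRC-32 details DakienDX gives above (polynomial EDB88320h, table opening 00000000h, 77073096h, EE0E612Ch), as an added Python example that is not part of this thread and has nothing to do with the KeyTip software: it generates the lookup table from the polynomial the way a table-generation routine does, computes a table-driven CRC-32 cross-checked against zlib, locates a stored table or the polynomial immediate in a raw image by those signature bytes (the identification step the post describes), and shows the simplest form of the image self-check such a program performs. The sample image, the sealed body and every function name are this example's own constructions.

```python
import struct
import zlib

# Reflected CRC-32 polynomial, the "PKZip poly" (EDB88320h) named in the post.
CRC32_POLY = 0xEDB88320


def make_crc32_table(poly=CRC32_POLY):
    """Generate the 256-entry table the way a table-generation routine does:
    entry n is the CRC of the single byte n, shifted through 8 bit positions."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = make_crc32_table()


def crc32(data, crc=0):
    """Table-driven CRC-32 (the zlib/PKZip flavour); pass a previous result
    as crc to continue the checksum over a further chunk."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = CRC32_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data):
    """Cross-check this implementation against the standard library."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def _find_all(image, needle):
    """Every offset at which needle occurs in image (overlaps included)."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def find_crc32_tables(image, entries=3):
    """Offsets where a pre-generated little-endian CRC-32 table starts, found
    by its first entries (00000000h, 77073096h, EE0E612Ch) as the post suggests."""
    sig = b"".join(struct.pack("<I", v) for v in CRC32_TABLE[:entries])
    return _find_all(image, sig)


def find_poly_constants(image):
    """Offsets of the little-endian polynomial immediate; a hit inside code
    points at a table-generation routine. Table entry 128 is the polynomial
    itself, so a stored table yields a hit as well."""
    return _find_all(image, struct.pack("<I", CRC32_POLY))


def seal_image(body):
    """Append the body's CRC-32 as a 4-byte little-endian trailer: the
    simplest form of the self-check the thread talks about."""
    return body + struct.pack("<I", crc32(body))


def image_is_intact(sealed):
    """Recompute the CRC over everything but the trailer and compare."""
    if len(sealed) < 4:
        return False
    body, (stored,) = sealed[:-4], struct.unpack("<I", sealed[-4:])
    return crc32(body) == stored


def tampered_copy(sealed, offset=3, mask=0x01):
    """Copy of a sealed image with one bit flipped, to exercise the check."""
    out = bytearray(sealed)
    out[offset] ^= mask
    return bytes(out)


# Constructed sample image (not a real binary): NOP padding, the polynomial
# immediate at offset 64, INT3 padding, the full stored table at offset 100.
TABLE_BYTES = b"".join(struct.pack("<I", v) for v in CRC32_TABLE)
SAMPLE_IMAGE = (b"\x90" * 64 + struct.pack("<I", CRC32_POLY)
                + b"\xCC" * 32 + TABLE_BYTES + b"\x00" * 16)

if __name__ == "__main__":
    print("table[0..2] =", [hex(v) for v in CRC32_TABLE[:3]])
    print("crc32('123456789') = %08X" % crc32(b"123456789"))
    print("stored table at", find_crc32_tables(SAMPLE_IMAGE))
    print("polynomial immediate at", find_poly_constants(SAMPLE_IMAGE))
    sealed = seal_image(b"constructed program body")
    print("intact:", image_is_intact(sealed),
          "tampered:", image_is_intact(tampered_copy(sealed)))
```

The table constants are a reliable fingerprint precisely because they are fixed by the polynomial; that is why searching for them identifies the algorithm in a dead listing. The same property is the design limitation of a CRC self-check: it detects accidental corruption and every single-bit change, but it is not keyed, so it tells you nothing about who produced the image.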
WoZX
January 28th, 2002, 20:50
Quote:
Originally posted by DakienDX
Hello WoZ !
OK, I'll try to help you.
Find the CRC check and remove it.
-> The most common method is CRC-32 with PKZip-Poly (EDB88320h). So you can search for the value somewhere. This should be the CRC-Table-Generation-Routine. The other possibility is that the CRC-Table is already pre-generated, so search for a block starting with: 00000000h, 77073096h, EE0E612Ch. (this should be enough) Then search for any call pointing to the function or the table and you are somewhere near the CRC-32 routine. It could also use hash-functions, so you must look for their specific values.
Save a copy of the .DLL somewhere.
-> This shouldn't be difficult, since you've already done it.
Find the createfile function and patch it to open the file instead of create it.
-> Look for a function which creates the .DLL. This could be CreateFileA/CreateFileW or _lcreat. Replace the parameter of CreateFile(A/W) from CREATE_NEW or CREATE_ALWAYS to OPEN_EXISTING or replace the _lcreat function with _lopen.
Find where the .DLL is deleted after execution and patch it too.
-> You should look for DeleteFileA (or DeleteFileW because it's possibly an UNICODE program)
Copy the .DLL to the directory that it is downloaded normally.
-> I think you can do this without my help.
If the program still works as it should, find the authentication procedure and patch it so no data is send and it thinks that some usable data is received and written to the .DLL.
-> A bit more tricky, but if you've succeeded until here, you should also get this one. Look at some WinSock/WinSock2 exports. Most of the time the send/recv (TCP) or the sendto/recvfrom (UDP) functions are a good hint.
After that, have fun.
-> I don't need to tell you how, do I?
Hi, thanks for the info on the CRC thingy, really appreciate it.
As for the CreateFileA, I can change to OPEN_EXISTING.
Backup the DLL, should be no problem.
Patching the code to think that the connection is successful and 'authenticated' is a tough one, still checking though.
Thanks a lot.