View Full Version : What is this??


crUsAdEr
February 26th, 2002, 21:20
Alright, I find it very weird; could someone explain to me what is going on...

OK, I was cracking this program, and at the end of the key checking routine here is what happens:

test eax, eax
jz Error_MessageBox ; Invalid key etc...
push 04
push FFFFFFFF
call GetProcAddress ; what is this doing here????
-snippet- then here is the funny bit
push 10
push edi ; edi points to half of the serial I entered
call EAX ; the proc address from the call earlier??

Of course eax was a nice '00000000', so I get lots of error messages; nopping the instruction lets the program run, but features are still disabled.

I am just wondering what procedure this is trying to call here, and what procedure can make the appropriate changes to the program to make it fully registered?

Thanx a lot

Solomon
February 26th, 2002, 22:32
Let me guess:
The shareware author has 2 different versions of the same DLL. One is full version, which has a specific function. The other is trial version, which has no such function, so GetProcAddress returns 0.

I saw such protection in Microangelo (w*w.impactsoftware.com). A DLL is missing in the crippled demo version, so LoadLibraryA returns 0, then it shows the NAG.

Hope I'm not wrong

crUsAdEr
February 26th, 2002, 22:54
Well, technically the program says that it can be fully registered with a serial number!!!

But maybe I will look into that... sounds like a good idea to check out the DLL :>...

thanx for the help


Hmm... no luck... it uses the normal Windows DLLs, and filemon didn't turn up anything special either... maybe CRC...

CTRL-D
February 27th, 2002, 08:17
very weird code.

__snip____
push 04
push FFFFFFFF
call GetProcAddress ; what is this doing here????
___snap

Normally you call GetProcAddress this way:
GetProcAddress(dll_handle, "exported function");

Neither of the pushes is a handle nor a pointer to a string, so eax has to be 0.

Or is there another function like GetProcAddress, but for getting the address of a DLL export some other way?

CTRL-D

sv
February 27th, 2002, 09:06
Hi

This code:

push 04
push FFFFFFFF
call 'ASprotect' GetProcAddress
(GetProcAddress entry is redirected)

is used in the proggy to get the ASProtect uncrypt address!

After this code you could find something like

push 'key length'
push 'key offset'
call 'ASProtect uncrypt address'

If it returns 1 in al, the code decryption is well done!!!

Of course, when your exe is rebuilt, you can't find this address.

Regards SV
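
Added example, not code from anyone in this thread and not ASProtect's own code: a small C model of the mechanism sv describes. The sentinel handle (FFFFFFFF), the ordinal (4), the XOR "decryption", the byte-sum success check and every function name are assumptions made for illustration; the only things taken from the thread are the shape of the two calls (GetProcAddress with the sentinel, then "push length / push key / call eax" returning 1 in al). It shows why the call returns 0 and faults when the protector's redirected GetProcAddress is no longer in the picture (a rebuilt exe, or the plain OS resolver), and why nopping the call leaves the protected code encrypted so features stay disabled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sentinel arguments modelled on the thread's "push FFFFFFFF / push 04".
   Assumed for illustration; not verified against any real protector. */
#define SELF_MODULE_HANDLE       ((uintptr_t)0xFFFFFFFFu)
#define ORDINAL_DECRYPT_WITH_KEY ((uintptr_t)4)

typedef int (*decrypt_fn)(const uint8_t *key, size_t key_len);
typedef decrypt_fn (*resolver_fn)(uintptr_t module, uintptr_t name_or_ordinal);

/* Constructed sample: the 8-byte "code" REGISTER XORed with the repeating
   4-byte key "k3y!". The plaintext byte sum (613) stands in for whatever
   integrity check a real protector applies after decryption. */
static const uint8_t PLAIN_CODE[8]     = { 'R','E','G','I','S','T','E','R' };
static uint8_t       code_section[8]   = { 0x39,0x76,0x3E,0x68,0x38,0x67,0x3C,0x73 };
static const uint8_t KEY_GOOD[4]       = { 'k','3','y','!' };
#define EXPECTED_SUM 613u

/* 1 once the in-memory section holds the plaintext, 0 while still encrypted. */
static int code_section_is_plain(void) {
    return memcmp(code_section, PLAIN_CODE, sizeof PLAIN_CODE) == 0;
}

/* The protector's internal routine: decrypt the section with the caller's key
   material and commit it only if the check passes. Returns 1 on success, else 0
   (the "1 in al" sv describes); on failure the section is left untouched. */
static int decrypt_with_key(const uint8_t *key, size_t key_len) {
    uint8_t tmp[sizeof code_section];
    unsigned sum = 0;
    if (key == NULL || key_len == 0) return 0;
    for (size_t i = 0; i < sizeof tmp; i++) {
        tmp[i] = code_section[i] ^ key[i % key_len];
        sum += tmp[i];
    }
    if (sum != EXPECTED_SUM) return 0;
    memcpy(code_section, tmp, sizeof tmp);
    return 1;
}

/* What the unmodified OS GetProcAddress does with the sentinel: it is not a
   module handle, so nothing resolves. Stubbed; no export tables are modelled. */
static decrypt_fn os_get_proc_address(uintptr_t module, uintptr_t name_or_ordinal) {
    (void)module; (void)name_or_ordinal;
    return NULL;
}

/* The protector's redirected GetProcAddress: its own handle plus ordinal hands
   back the internal routine; everything else is forwarded to the OS resolver. */
static decrypt_fn redirected_get_proc_address(uintptr_t module, uintptr_t name_or_ordinal) {
    if (module == SELF_MODULE_HANDLE && name_or_ordinal == ORDINAL_DECRYPT_WITH_KEY)
        return decrypt_with_key;
    return os_get_proc_address(module, name_or_ordinal);
}

/* Mirrors the disassembly: resolve, then "push len / push key / call eax".
   Returns -1 when the resolver gave 0 (the call through eax would fault, which
   is the error storm the first post describes), otherwise the routine's result. */
static int check_registration(resolver_fn resolve, const uint8_t *key, size_t key_len) {
    decrypt_fn fn = resolve(SELF_MODULE_HANDLE, ORDINAL_DECRYPT_WITH_KEY);
    if (fn == NULL) return -1;
    return fn(key, key_len);
}

int main(void) {
    static const uint8_t key_bad[4] = { 'k','3','y','?' };
    printf("protector present, bad key:  %d (section plain: %d)\n",
           check_registration(redirected_get_proc_address, key_bad, 4), code_section_is_plain());
    printf("protector present, good key: %d (section plain: %d)\n",
           check_registration(redirected_get_proc_address, KEY_GOOD, 4), code_section_is_plain());
    printf("rebuilt exe, plain OS call:  %d\n",
           check_registration(os_get_proc_address, KEY_GOOD, 4));
    return 0;
}
```

The point of the model is that the "key" is not compared against anything; it is the decryption material for a code block, so there is no branch to patch, which is why a nopped call leaves features disabled and why the address only exists while the protector's own loader is running.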

crUsAdEr
February 27th, 2002, 09:30
Yup, you are right....

Just found that it really calls a routine in ASProtect itself... so 'FFFFFFFF' refers to itself as the module?

Hmm, looks like patching ain't gonna work, and keygenning this is hell difficult... guess it must be.. after all it's Elcomsoft:>

Thanx a lot sv for the tip...

shall have to do homework in the next month :>... before I come back to attempt a bruteforcer on this...

Solomon
February 27th, 2002, 10:03
oh yeah, I didn't notice the FFFFFFFF