ins****.tmp softlocx protection?!


vollie
03-02-2002, 05:18 PM
Hi,
I am stuck cracking a program protected with bitarts protection. After starting the program an insXXXX.tmp file is created and started (the serial NagScreen). This thread starts the main prog, I think...

It is Softice protected, but with frogice it's partly possible to set breakpoints.

I found a tutorial by lazarus, cracking bitarts fusion; it looked like fusion has the same protection as the program I want to crack...

I got 2 problems:
- The insXXXX.tmp thread crashes every time I set breakpoints near the serial generation routine, so that it is impossible to sniff the serial out of memory :( What to do, instead of using Frogice?!

- I think there have to be plenty of tuts regarding this bitarts protection. I browsed the board and the net, but could not find the right tutorial yet. Could anybody say what protection this is?! I did not find softlocx*.* files in any directory; the only hint I got is that the temp file is named insXXXX.tmp (X - hex digit, I think) and in softice the thread is named 'BitArts....'

It would be nice, if anybody could help me, what to do next...

Thanks

crUsAdEr
03-03-2002, 11:26 AM
What is the url of the program??

I have no experience with bitarts but I would like to try :>?

Thanx,

+SplAj
03-03-2002, 11:57 AM
Hi

Forget the .tmp file. This is just the 'mutant'. The real exe can be rebuilt after bpx terminatethread.

Can you see the 'registration' screen with 8 or 16 digit serial input - softlocx 4/5 ? or just an e-commerce 'flash' style registration - titty 2

tell us your target, if it's not from bi-tarts ? - I'll show you how to slay a mutant :)

Spl/\j

vollie
03-03-2002, 01:22 PM
The target is 'WeatherMaster' from Milieu Simulations [worldwideweb.milieusim.com]

The serial screen is with 8 digit unlock code.

I read a thread from you (Spl/\j), where you told how to 'reinitialize' the Evaluation Period (delete in Netdet.ini the string "[Routing.extent{CRITICAL ENTRY}]" with the 0/1s. And delete within the registry a folder with the name 'weathermaster v. xxxx' with a lot of 0/1s).
It worked. The program created a new serial number in the registration screen and the evaluation was reset.

I think that is all the information I got so far. It is possible to sniff 4 digits of the registration code with softice, but the other 4 digits are calculated elsewhere; every time I set a breakpoint there the registration screen crashes, so that I can not get them :(

Do 8 digits mean softlocx 4?! How can I rebuild the exe? Set bpx on 'terminatethread' and then?! :confused:

It would be nice, if you can show how to slay the mutants!!!

Thanks!

P.S. Oh, I also tried to get the serial number from offset 452244 (another post from you :)) but there is only a 12 digit number that does not work.

+SplAj
03-03-2002, 02:22 PM
ok i'm disappointed :(

forget I said 'forget the tmp' as the hash code IS IN the tmp file of this old protection.

this is softlox4. The 'hash key' is found at the raw offset you mentioned 52244:- 'w8er45983dhd'

you need a SL4 installation OR my old keymaker and use the above hash and make a valid key.... but don't do that. Let's kill a mutant instead.

This uses 'terminateprocess' to carry on once you click 'continue' at the registration screen. Have a go. See if you can find the 61 5D 8B 83 .......... FF E0 JMP EAX to OEiP 408??? and also the nice 'destroyed IAT'

Spl/\j

crassy
02-12-2003, 07:36 PM
Hi all!

I've now been fighting this protection for some time...
I've attached a small crackme that I made to simplify the problem.

As you can see it shows my encryption key right in the beginning. In the non-shareware version it doesn't do that (duh). The key is then used with the serial to generate an unlock code.

My question is how to get that key without that first message box.. It doesn't create any .tmp file for me and I haven't succeeded in finding the key with sice. Any ideas where to look?

Softlocx 6 SDK can be found at Tucows
Link removed <-- Can't I link to shareware???
It's needed for the crackme to run...

Sorry for a very generic question....

hobferret
02-14-2003, 04:27 PM
Does anyone remember Liutaotao - well that works fine on this program ;)

/hobferret