
View Full Version : CRC check


SilSaLaMaTa
June 21st, 2002, 20:11
hi,
I have unpacked a program (Essential Net Tools 3.0); it was packed with ASPR. After patching the program, it crashes. I know that there is a CRC check, but I can't find it. I saw some tuts, but they didn't say how to find the CRC check; they were just for one specific program. I can't debug the program with OllyDbg or W32Dasm, because it causes an exception and I don't know how to fix it. What should I do? help plz!

Kayaker
June 23rd, 2002, 04:19
Quote (originally posted by SilSaLaMaTa):
"What should I do? help plz!"

A board search for "CRC check" should pretty well answer your question. Anything anyone could tell you right now about the basics of finding CRC checks has already been documented and can easily be found with a search here.

Once you've read several posts and tried a few basic APIs you'll have a better idea of what to do and what to look for. Specifying a target is pointless, and you'll get more help when you've got more detail of the algorithm involved and if your interest isn't just to crack it.

Kayaker

SilSaLaMaTa
June 23rd, 2002, 14:13
hi,
I have searched for "CRC check" and I read all the threads,
but I'm still having the problem.
I have tested CreateFileA and _lopen, but the program is not using them for opening itself.
I changed one byte in the file and put a BPM on the byte that I had changed before, but SICE didn't break. The program crashes with a message: Exception EReadError ...
I tried another way: I put a breakpoint on the entry point,
then changed one byte in memory with SICE; the program crashes with the same message.

I found 2 threads that were related to my problem:
1 - http://www.woodmann.net/forum/showthread.php?s=&threadid=1610
-> Splaj : Opinions on the 'CRC' check system
I didn't understand this part:
...only that it's possible to dick it in
5 minutes once you trace the algo to it's
end and see what the real CRC code is REPZ'd.
Then just emulate it in the disprotected exe


2 - http://www.woodmann.net/forum/showthread.php?s=&threadid=1876
-> SuperCali : First of all I'd like to say that the version ...

It didn't help me. I NOPed 2 SetErrorMode calls, but I get an "Exception EAccessViolation..." message.

help plz !

SilSaLaMaTa
June 23rd, 2002, 17:30
hi
The program runs normally if I don't try to patch it, so I have resolved the APIs correctly.
I can't trace the program until the crash, because I think it has anti-debugging code too. When I try to debug it, I get a lot more exceptions (the first exception happens when it calls ZwSetInformationThread).

Risotto
June 23rd, 2002, 22:39
Hey!

Do you know what you should try while searching for the CRC check in AsProtect? There are a lot of SEHs, so you must avoid them. Read some tuts about that (as far as I remember, you may find a really good one by Crusader at www.anticrack.de). One more hint: try CreateFileA as a breakpoint; it can help you a lot.

+SplAj
June 24th, 2002, 08:50
SilsAl,

you are up against a nice team of programmers as well as Alexey in EssentialNetToolz 3.

The Tamos CRC checking is MUCH more comprehensive since CV3.2 and quite fun to defeat.
There are several methods to try. You could actually dump all the TFORM resources after a decrypt and poke them back into rebuilt.exe. Or, as Solomon did, log ALL the CRC results in an array at the end of the exe and poke them back...!!!

However I prefer the patented 'SV-Black-Box' filter.

I played with ENT v3.1 b102. They use the same complex CRC check, and I also notice that even ASPR is new... check out the dynamic 61,FF,E0..... LOL

FOXTHREE WHERE R U

So I can only say: just start the target and press CTRL-D; you are probably in the CRC loop. It is so massive and slooooow these days it's pretty much impossible NOT to find it.......

I can give you some pointers regarding the latest ENT 3.1 build:

The CRC range check is from 401000 to 555000. The essential part (for us) of the CRC code is at 553FB2. Here EBP holds the current memory range being checked; it increases by 0x40 bytes at a time. Now here we should log all the CRC results that are relevant for us. For example, we need to patch out the bytes at 553FB2 and take ourselves somewhere clean so we can do something about this shit.

:00553FA7 0106 add dword ptr [esi], eax <-here is stored 16 byte CRC/hash result
:00553FA9 015E04 add dword ptr [esi+04], ebx
:00553FAC 014E08 add dword ptr [esi+08], ecx
:00553FAF 01560C add dword ptr [esi+0C], edx
:00553FB2 5D pop ebp <- we patch here to JMP 55C000
:00553FB3 5F pop edi <- and filter the hash/crc results
:00553FB4 5E pop esi
:00553FB5 5B pop ebx
:00553FB6 C3 ret

So here follows the system logic for filtering the CRC checks:

Find a good area of code outside of the CRC range to patch some code in. I found area 0x15C000 (RVA 55C000).
So at RVA 553FB2 we will change the POPs to JMP 55C000 (E9 49 80 00 00).

Also set a 'BPMB 553FB2 if EBP==553F80' and write down the GOOD 16-byte result; for me it is:
F0 7C FC 44 51 47 03 8C-D5 1A 36 B6 C3 D7 D5 A7

This is the value we have to poke back into the system.
Hex this into offset 0x15C100.

We also need to save the checked block's address, 00553F80, as well, because our changes are in the range 553FB2->.
The next 0x40 bytes will be 00553FC0.
Hex this value - 80 3F 55 00 - into offset 0x15C060.

We also need a counter for the dword REPNZ. Let's use offset 0x15C0A0.
Add 1 to the number of patches we have, e.g. 1 patch here, so the value is 2.

Now enter the following code at RVA 55C000 (0x15C000):

0167:0055C000 60 PUSHAD <- save all registers
0167:0055C001 8BC5 MOV EAX,EBP <- eax = address of the block just checked
0167:0055C003 BF60C05500 MOV EDI,0055C060 <- edi = our table of patched block addresses
0167:0055C008 8B0DA0C05500 MOV ECX,[0055C0A0] <- ecx = our counter (patches + 1)
0167:0055C00E F2AF REPNZ SCASD <- is eax in our patch array ?
0167:0055C010 85C9 TEST ECX,ECX <- 0 == no match, nonzero == found
0167:0055C012 7418 JZ 0055C02C <- jump if not found
0167:0055C014 A1A0C05500 MOV EAX,[0055C0A0] <- we found a match, now which entry ?
0167:0055C019 2BC1 SUB EAX,ECX <- counter - ecx
0167:0055C01B 48 DEC EAX <- minus 1 = zero-based index (counter is patches+1 so a hit never leaves ecx==0)
0167:0055C01C C1E004 SHL EAX,04 <- index * 16 bytes per hash
0167:0055C01F 8BFE MOV EDI,ESI <- edi = where the CRC loop stored this block's result
0167:0055C021 BE00C15500 MOV ESI,0055C100 <- esi = table of good 16-byte results
0167:0055C026 2BF0 SUB ESI,EAX <- entry N sits 16*N bytes below 55C100
0167:0055C028 A5 MOVSD
0167:0055C029 A5 MOVSD
0167:0055C02A A5 MOVSD
0167:0055C02B A5 MOVSD <- overwrite the computed result with the CORRECT value
0167:0055C02C 61 POPAD <- restore state and ret back to the codewoods
0167:0055C02D 5D POP EBP <- the four POPs and RET we replaced at 553FB2
0167:0055C02E 5F POP EDI
0167:0055C02F 5E POP ESI
0167:0055C030 5B POP EBX
0167:0055C031 C3 RET

Now, to add more patches, as you surely need to erm 'Evaluation' !!!!, add the relevant data at the next offsets,
i.e. increment the 'counter', add the CRC result and add the patched block address to the black box, and the CRC is history.
I am sure you can work it out.

Spl/\j
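The filter sketched in the post above, as an added example that is not code from the thread or from the target: a toy model in Python of a block-wise self-check with the 'black-box' rescue hooked into its epilogue. The block size (0x40), the start of the checked range (401000) and the 16-byte-per-block result come from the post; everything else is assumed: MD5 stands in for the target's unknown hash, the image is a small constructed buffer instead of 401000..555000, and XOR-folding the per-block results stands in for however the real program turns them into the key that decrypts its forms.

```python
"""Toy model of the 'black-box' CRC filter (added example, not the thread's code).

The target hashes its image 0x40 bytes at a time (EBP = current block address,
one 16-byte result per block), and the decrypted forms depend on those results.
The patch at the loop epilogue does not disable the check: it lets the real
hash stand for every block except the ones we listed, and for those it writes
back the good 16 bytes we logged from a clean run.

Assumptions (not from the thread): MD5 stands in for the unknown 16-byte hash,
the image is a tiny constructed buffer, and XOR-folding the per-block results
stands in for whatever the target derives its form-decryption key from."""
import hashlib
from functools import reduce

BLOCK = 0x40        # bytes checked per iteration (from the post)
BASE = 0x401000     # start of the checked range (from the post)
NBLOCKS = 8         # constructed: tiny image instead of 401000..555000


def block_hash(chunk: bytes) -> bytes:
    """Stand-in for the target's 16-byte per-block digest (assumption: MD5)."""
    return hashlib.md5(chunk).digest()


def make_image() -> bytearray:
    """Constructed sample image. Every byte is < 0x80, so a 0xCC written into
    it (the INT3 a BPX plants) is guaranteed to change the block."""
    return bytearray((i * 37 + 11) & 0x7F for i in range(NBLOCKS * BLOCK))


def crc_loop(image: bytes, filter_fn=None) -> dict:
    """Model of the check loop: one digest per 0x40-byte block, keyed by the
    block's address. `filter_fn(addr, digest)` is the hook the JMP at 553FB2
    gives us; it may return a replacement digest."""
    results = {}
    for off in range(0, len(image), BLOCK):
        addr = BASE + off                                  # what EBP holds
        digest = block_hash(bytes(image[off:off + BLOCK]))
        if filter_fn is not None:
            digest = filter_fn(addr, digest)               # our patched epilogue
        results[addr] = digest
    return results


def fold(results: dict) -> bytes:
    """Assumption: the decryption key is some function of all block results.
    XOR-folding is enough to show that one wrong block poisons everything."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), results.values())


class BlackBoxFilter:
    """The two parallel tables the patch scans: patched block addresses (the
    REPNZ SCASD array at 15C060) and the good 16-byte results (at 15C100)."""

    def __init__(self):
        self.addrs = []
        self.good = []

    def add(self, addr: int, good_digest: bytes) -> None:
        assert (addr - BASE) % BLOCK == 0, "must be a block start"
        self.addrs.append(addr)
        self.good.append(bytes(good_digest))

    def __call__(self, addr: int, computed: bytes) -> bytes:
        try:
            i = self.addrs.index(addr)      # REPNZ SCASD over the address table
        except ValueError:
            return computed                 # not ours: let the real result stand
        return self.good[i]                 # MOVSD x4: poke the good value back


def demo():
    clean = make_image()
    reference = crc_loop(clean)             # the per-block values a BPMB log yields
    good_key = fold(reference)

    patched = bytearray(clean)
    target = BASE + 3 * BLOCK               # constructed: the block we patch
    patched[3 * BLOCK + 5] ^= 0xFF          # e.g. a flipped conditional jump

    naive = crc_loop(patched)
    broken = [a for a in naive if naive[a] != reference[a]]   # just `target`
    key_poisoned = fold(naive) != good_key                    # forms won't decrypt

    bb = BlackBoxFilter()
    bb.add(target, reference[target])       # the 16 bytes written down from the clean run
    rescued = fold(crc_loop(patched, bb)) == good_key

    # A BPX drops a 0xCC into a block that is not in our table; the check
    # sees that exactly like any other patch.
    patched[6 * BLOCK] = 0xCC
    with_int3 = crc_loop(patched, bb)
    still_broken = [a for a in with_int3 if with_int3[a] != reference[a]]

    return broken, key_poisoned, rescued, still_broken


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the post relies on: the loop is left running and hashing real bytes, only the table entries are rescued, so every byte you change in the checked range (including a software breakpoint) must either be in the table or be found by the check.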

SilSaLaMaTa
June 24th, 2002, 14:34
hi
I have downloaded the last version of ENT (3.1.102).
I understood what happens and did all the things that splaj said,
but the program crashes.
I put "bpx 553fb2 if(ebp==553f80)", then "d esi" and wrote down the CRC:
6C 80 02 B0 - 1A 29 9F A0 - 56 1D E5 8F - 3B F4 A0 A1

I put the code at 55C000 and did the other things, but the program still crashes;
there must be something else ...

I restarted my computer and I checked the CRC, and I got another CRC!
55 4A A6 AB - 3A E6 46 D4 - F7 C6 16 68 - 46 61 B5 3C
I tried more restarts, but the CRC didn't change anymore.

How can the CRC change? Why is my CRC different from splaj's?

I'm using XP Pro; I don't know if there is something wrong with this OS.
(splaj: if I'm wrong, can you send me your fixed file? my email: SilSaLaMaTa@Yahoo.com)

+SplAj
June 25th, 2002, 07:08
SilsAl

Read VERY CAREFULLY my words.... where did I say BPX !!!! Do ya know what a BPX does to the code !!!!!!!

Spl/\j


CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

SilSaLaMaTa
June 25th, 2002, 08:04
hi,
I tried BPMB first but SICE didn't break. Now I'd better go and test under Win98.

+SplAj
June 25th, 2002, 08:33
SiSal

To properly reverse current targets under W2K or XP you have to have the RIGHT tools available, hide bloody SI and know a LOT about PE, anti-debug etc etc.

I'll bet you don't have SI patched and NTdump to protect BPM from Context tricks?

Then u r fuxed before you start. You can NEVER set a BPX when such CRC checks as these are running through the proggy and decrypting as they go. A BPX sets a CC (Int3) in your target and that changes EVERYTHING !!!!

Spl/\j

SilSaLaMaTa
June 25th, 2002, 11:37
Everything works, thanks a lot. I learnt many things.

I have patched SICE myself (I read http://www.woodmann.net/forum/showthread.php?s=&threadid=1806). But I'm not using NTDump; I'll get that and I'll read about PE.

Now I have 2 questions:
1- Is there any way to disable the CRC check?
2- Maybe it's funny! I can't crack it!
It seems that the strings are moving somewhere else after running ENT.
I can't find them with IDA ...
I found something with SICE (00443E84, 004684CC)
but I don't know what to do.
Can anyone help me with this?

+SplAj
June 25th, 2002, 12:39
SisLA

It may have slipped your attention.... but the bloody CRC is DECRYPTING the TFORMS...... how can you find 'Evaluation' when it's encrypted?

Examine the dumped.exe with a resource editor and you'll see wot I mean...........

The only way is to do option 1): open ALL forms one at a time and dump them. Paste them back into dumped.exe and disable the decrypt for that form. This takes a LOT of time and patience, and maybe ONE DAY will be the ONLY way to make it work.

Now actually the Tamos boyz have been lazy with this target.... I can see lots of clues with W32Dasm, after changing the section headers to E0000020.

e.g. file size check, "did you use NuMega Loader" check, new licence type .ENL from old ule.dta check, blah blah.

So ....... get buzy in da codewoods SislA, we helped enough already ))

Spl/\j

foxthree
June 25th, 2002, 20:26
Hola +SplAj, the unpaxor "king"

Nice target eh!!! At last, Alexey fears OEPFinder. Guys, try to find the re-based OEP JMP just using SICE. It is lots of fun.

Now to do some "CRC-checking"

Signed,
-- FoxThree

SilSaLaMaTa
June 26th, 2002, 09:42
hi,
I should read some tuts about keyfile cracking.
I have to work on it, and I'll crack it.

thanx a lot for helping me

foxthree
June 29th, 2002, 11:54
Hi SilSA:

The reason why BPMBs are not breaking is that there are two more DRx clearings being done at 554030 and 5540A0. Bypass them and all is well. BTW, the call at 553880 is where the "interesting" stuff is. Trace it and you'll see what +SplAj guru meant.

Signed,
-- FoxThree

SilSaLaMaTa
June 30th, 2002, 11:30
hi foxthree:
how did u find 5540A0 and 554030?? searching for the string (31,00,64,...) or tracing or ... ?
For 553880, the checksum: I put a bpx 553fb2, SICE breaks and ebp=401000. I cleared the bpx and put a bpmb on
553fb2 if(ebp==553f80); SICE breaks this time without me trying to bypass the SEHs, they were bypassed automatically. I searched for exception handling and I found a tut; I should read it to understand SEHs clearly ...

cRk
March 5th, 2004, 00:58
I know this thread is really old, but I would really like to know how exactly to DUMP these Delphi encrypted FORMS .....

I'm trying Bookmark Converter 3.1 and I think it uses the same CRC protection as Tamos' soft .... crashing....... always crashes.... my ASProtect DUMPED file is working and running, but as soon as I modify a byte in it...... crash

please help!

nikolatesla20
March 5th, 2004, 02:07
Heh, it's usually just easier to get the CRC values and patch the EXE to grab them instead of calculating them. Easier to do that than to try and dump all the decrypted stuff in my opinion, although you do have to know how to add code to an EXE, but it's not that hard if you've graduated from unpacking school.

-nt20

cRk
March 5th, 2004, 14:01
I'm not an expert guru but I have done some unpacking successfully ... I think the deal with this is a matter of encryption and not unpacking at all .. but since I saw the comment about dumping these encrypted FORMS, disabling the protection and writing them back with a resource editor like eXeScope.. I was curious about "how to do this?" how to dump them.....

Exactly what kind of code injection are we talking about, nikolatesla20?

Have you tried this target?? Maybe it is harder than Essential Net Tools... not sure ... I would like some guru to check it and write some info or a tut about reversing this. I haven't seen any tut about reversing this kind of protection, just some comments, and that is not enough for newbies.
have you tried this target?? maybe it is harder than Essential Net tools... not sure ... i would like some guru to check it and write some info. or tuto about reversing this. i haven't seen any tut about reversing this kind of protection, just some comments and is not enought for newbies.