View Full Version : CommView 3.4?
foxthree
August 15th, 2002, 20:51
Hello Folks:
Sorry for posting yet another ASsPr/Tamoz combo, but this one seems to be quite nasty. After all, only these two guys seem to be doing something interesting, and hey, they finally added a TCP session joiner in this, so I thought it is worth a while.
After the usual, dump, IT fix, blah blah... I get this weird RunTime Error 202 at 40717D and shit is this a loop? Anywayz, I'll keep working on this one this week and post the progress. But I thought I'd throw some "wake-up call" in this otherwise "getting duller and duller by the day" forum
Signed,
-- FoxThree
SilSaLaMaTa
August 16th, 2002, 09:18
hi
I had the same prob , I don't know why it happen after unpacking , but I debug the prog and found where exceptions happens and nop that ! after all , commview runs but there was one more error , I tried to right click on the packet list and I got another runtime error . there was a check "cmp [xxx],4","jb xxx",I changed the "cmp [xxx],4" to "cmp [xxx],7" and everything works
But I don't know why runtime errors happens after unpacking ...
foxthree
August 16th, 2002, 09:21
Hey SilSA:
How did you bypass the nasty CRC check? +SplAj gurus technique?
Signed,
-- FoxThree
evaluator
August 16th, 2002, 13:20
CV had filesize check since probably 2.6 versions.
This check happens after some time when you start prog.
Without searching reason, you can repack unpacked prog to its original size
& not warn more about it. (for current cv I not looked)
Solomon
August 16th, 2002, 13:23
hi foxthree,
This Error 202 message is encrypted. This is tamos's trick to detect unpacked/cracked version. The following is the decryption routine (such a routine is also used in FlashFXP, only the constants are different). Many other secret strings are decrypted with this routine. Just locate them in IDA by cross-references to this routine. The CRC check can be defeated by hard-coding the 512-byte MD5 hash into unpacked exe. Please refer to v3.0 build 205 thread in the newbies forum. I have successfully unpacked and cracked it. There is also an inline patch from DISTINCT group.
Code:
seg000:00655718 sub_655718 proc near ; CODE XREF: seg000:0063ED3Fp
seg000:00655718 ; seg000:00644393p ...
seg000:00655718 push ebx
seg000:00655719 push esi
seg000:0065571A push edi
seg000:0065571B push ebp
seg000:0065571C push ecx
seg000:0065571D mov [esp+0], ecx
seg000:00655720 mov esi, edx <-------key for decryption
seg000:00655722 mov edi, eax
seg000:00655724 mov eax, edi
seg000:00655726 call sub_404DB8
seg000:0065572B mov edx, eax
seg000:0065572D mov eax, [esp+0]
seg000:00655730 call sub_40513C
seg000:00655735 mov eax, edi
seg000:00655737 call sub_404DB8
seg000:0065573C mov ebp, eax
seg000:0065573E test ebp, ebp
seg000:00655740 jle short loc_655777
seg000:00655742 mov ebx, 1
seg000:00655747
seg000:00655747 loc_655747: ; CODE XREF: sub_655718+5Dj
seg000:00655747 mov eax, [esp+0]
seg000:0065574A call sub_405008
seg000:0065574F mov dl, [edi+ebx-1]
seg000:00655753 movzx ecx, si
seg000:00655756 shr ecx, 8
seg000:00655759 xor dl, cl
seg000:0065575B mov [eax+ebx-1], dl
seg000:0065575F xor eax, eax
seg000:00655761 mov al, [edi+ebx-1]
seg000:00655765 add si, ax
seg000:00655768 imul ax, si, 3039h <----constant 1
seg000:0065576D add ax, 2C9h <---------constant 2
seg000:00655771 mov esi, eax
seg000:00655773 inc ebx
seg000:00655774 dec ebp
seg000:00655775 jnz short loc_655747
seg000:00655777
seg000:00655777 loc_655777: ; CODE XREF: sub_655718+28j
seg000:00655777 pop edx
seg000:00655778 pop ebp
seg000:00655779 pop edi
seg000:0065577A pop esi
seg000:0065577B pop ebx
seg000:0065577C retn
seg000:0065577C sub_655718 endp
Code:
seg000:00656C68 push ebp
seg000:00656C69 mov ebp, esp
seg000:00656C6B push 0
seg000:00656C6D xor eax, eax
seg000:00656C6F push ebp
seg000:00656C70 push offset unk_656CD9
seg000:00656C75 push dword ptr fs:[eax]
seg000:00656C78 mov fs:[eax], esp
seg000:00656C7B mov eax, ds:dword_669C58
seg000:00656C80 mov eax, [eax]
seg000:00656C82 mov edx, eax
seg000:00656C84 shl eax, 3
seg000:00656C87 sub eax, edx
seg000:00656C89 cmp eax, 6E4E00h
seg000:00656C8E jz short loc_656CC3 <-----------just change this jump
seg000:00656C90 push 0
seg000:00656C92 lea ecx, [ebp+var_4]
seg000:00656C95 mov dx, 64h <---------------decryption key
seg000:00656C99 mov eax, offset unk_656CEC //"Runtime error 212"
seg000:00656C9E call sub_655718 <--------decrypt it
seg000:00656CA3 mov eax, [ebp+var_4]
seg000:00656CA6 call sub_404FB0
seg000:00656CAB mov edx, eax
seg000:00656CAD mov ecx, offset aError_6 ; "Error"
seg000:00656CB2 mov eax, ds:dword_669D30
seg000:00656CB7 mov eax, [eax]
seg000:00656CB9 call sub_46FD6C
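Added example, not code from the thread or from the vendor: a C transcription of the byte loop at loc_655747 in the first listing above, useful for reading this family of string obfuscation in other binaries. The function and helper names, the constructed sample text and the encrypt direction (derived as the inverse) are assumptions; the buffer-handling calls in the listing (sub_404DB8, sub_40513C, sub_405008) are omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants read from the listing: imul ax, si, 3039h / add ax, 2C9h. */
#define C1 0x3039u
#define C2 0x02C9u

/* Key schedule: the ciphertext byte (not the plaintext) is fed back, and
 * everything is truncated to 16 bits, as the si/ax operands show. */
static uint16_t next_key(uint16_t key, uint8_t cipher_byte)
{
    uint32_t sum = (uint16_t)(key + cipher_byte);   /* add si, ax */
    return (uint16_t)(sum * C1 + C2);
}

/* Transcription of the loop at loc_655747. */
void stream_decrypt(const uint8_t *in, uint8_t *out, size_t n, uint16_t key)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t c = in[i];                  /* read first: in == out is safe */
        out[i] = c ^ (uint8_t)(key >> 8);   /* shr ecx, 8 / xor dl, cl */
        key = next_key(key, c);
    }
}

/* Inverse direction, derived here (not on the page) to exercise the routine. */
void stream_encrypt(const uint8_t *in, uint8_t *out, size_t n, uint16_t key)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i] ^ (uint8_t)(key >> 8);
        key = next_key(key, out[i]);
    }
}

/* Helper: ciphertext byte i of text under key (text of at most 128 bytes). */
uint8_t cipher_byte_at(const char *text, uint16_t key, size_t i)
{
    uint8_t buf[128] = {0};
    size_t n = strlen(text);
    if (n > sizeof buf || i >= n) return 0;
    stream_encrypt((const uint8_t *)text, buf, n, key);
    return buf[i];
}

/* Helper: 1 if decrypt(encrypt(text)) reproduces text. */
int roundtrip_ok(const char *text, uint16_t key)
{
    uint8_t enc[128], dec[128];
    size_t n = strlen(text);
    if (n > sizeof enc) return 0;
    stream_encrypt((const uint8_t *)text, enc, n, key);
    stream_decrypt(enc, dec, n, key);
    return memcmp(dec, text, n) == 0;
}

int main(void)
{
    const char *sample = "Constructed sample";   /* constructed input */
    uint8_t enc[128];
    size_t n = strlen(sample);

    stream_encrypt((const uint8_t *)sample, enc, n, 0x64);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", enc[i]);
    printf("\nround trip: %s\n", roundtrip_ok(sample, 0x64) ? "ok" : "FAILED");
    return 0;
}
```

With a key below 100h, such as the 64h loaded into dx in the second listing, the high byte is zero, so the first byte of the string is stored unmasked. The key is also an immediate at each call site, so this only hides strings from a plain strings scan.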
evaluator
August 16th, 2002, 14:18
Hey, foxtree, I was running unpacked CV3.4.0.241 during 30min on W98se
& nothing happens!
When happens error & on what system?
hobgoblin
August 16th, 2002, 15:58
Hi SilSaLaMaTa
I did unpack this one without problems, but when I try to work with the packet list (left or rightclick), I get the same problem as you describe. My copy also exits totally so I have to restart the program. I have tried several things to find the jmp instructions you describe, but no luck. Exactly how did you find it? All kind of input is welcomed.:-)
Another thing: After I unpacked it, it ran okey without changing anything further. (Not like the previous version with the CRC check described by +Splaj). I unpacked it on WinME.
regards,
hobgoblin
evaluator
August 16th, 2002, 16:40
Common guys!!
What "packet list", where????
Maybe you will upload SCREEN-SHOT for me, so I will click there with Right-Pen-Click?
hobgoblin
August 16th, 2002, 16:58
Hi Evaluator,
Open the program, push the start capturing button. Then after surfing on the net for a few seconds, click on the banner in the front of the main GUI called "Packets". Then try to click on one of the listed packets.
Hope this helps,
hobgoblin
foxthree
August 16th, 2002, 17:40
Hey guys:
Aren't you getting the Runtime errors??? Bleh... Win98SE is the platform. I first get one RT error which I fixed.... actually "is-ASsPR-present" check .... the second one is what I'd written about. Shitty!!!
Don't tell me Tamoz removed its fav. CRC decryption loopz. May be they Ph3rrr +SplAj... Yoo hoo r u there?
Signed,
-- FoxTHree
hobgoblin
August 16th, 2002, 18:10
I also unpacked it on WinXP. Something must have changed. After unpacking it, fixing the Import table (using revirgin), and so on, it actually runs okey. AND no errors when working with packets occur. Must check to see what happens if I start patching the file....
hobgoblin
BTW, something occured to me: Maybe we have a slightly different Import table after rebuilding it. And maybe that can cause some of the differences we experience.
I found out when tracing the runtime error that pop'ed up when I tried to work with packets on WinME, that I actually ended up in one of the .dll's (fcd.dll), and the error was triggered when the program called the Heapalloc api there...
evaluator
August 16th, 2002, 19:43
NOT crashes! ~:0
Now look here carefully:
CV.exe
size=1032704
crc32=0FDFE149
now make dump on OEP (not runtime)
OEP=0065C800
IT=002AF000 SIZE=0280
paste my IT at 002AF000 in fixed-dump and tell me if crashes.
SilSaLaMaTa
August 16th, 2002, 20:23
hi
Fox3:
I passed the CRC check with +SplAj techniques
Solomon :
I changed the jump , but still run time error
hobgoblin :
As Solomon said there is a call to decryption routine, check the xrefs; for CV 3.4 build 238 the routine is at 656B9C and the call is on 64618A. Look at 646185, there is the cmp.
evaluator:
what do u mean by "now make dump on OEP (not runtime)" , how to make dump - not runtime ?
evaluator
August 16th, 2002, 21:49
I mean not after OEP
BTW, what is SPLAJ's technique? rsrc unpacking?
hobgoblin
August 16th, 2002, 21:54
I'm a little confused by the CRC check cracking described by +Splaj myself. After changing one byte in the code I put a bpm <adress that had changed> rw, but it didn't lead me anywhere in CV.exe. I ended up in fcd.dll. I then tried bpr rw on the same address, but didn't find any code similar to what +Splaj described in his Commview tut.
SilSaLaMaTa, how did you find it?
I'm wrestling with build 242, so the addresses you give me aren't the same...:-)
regards,
hobgoblin
Actually, I found where the MD5 algo routine is, so I think I will do some reading of older posts before doing anything else.
Thanks for previous posts about the subject..:-)
foxthree
August 17th, 2002, 08:11
Hajo Fellow RCEs:
I think we have quite a few different results here. Let me summarize my findings so that we're on the same plane.
The proggie is CommView 3.4.0.242
Size: 1,032,704 bytes (original packed size)
Difference #1:
~~~~~~~~~
My Original EntryPoint Found: 0065C8E0
Eval Says: OEP=0065C800 Why?
Finding #2:
~~~~~~~
After doing usual ImpREC/RV two APIs remain. I find them to be LockResource and FreeResource. Is this correct?
Finding #3:
~~~~~~~
After usual unpack, first error occurs in 0x403xxx. This is a simple AsSPR check. Did you guys also get this?
Finding #4
~~~~~~~
After fixing that, another 202 RT error at 40717D. Why AREN'T you guys getting this?
Anyways, can somebody comment? I agree with Solomon that there is decryption going on. Based on his tip I found LoadString following by decryption.
Eval <---- Either you have "magic pc" or some advanced dumper ???
BTW, the platform is Win98SE. I'll try on Win2K later today
Signed,
-- FoxThree
evaluator
August 17th, 2002, 08:56
OK,I dld today
for CV3.4.0.242 IT is same & you can use my...
CV.exe size=1032704 crc32=C42AF322
OEP=65C8E0
IT=2AF000 SIZE=280
Hey, maybe we should exchange our unpacked EXEs & check differences??
hobgoblin
August 17th, 2002, 09:18
I have build 242.
OEP=0065C8E0
In addition to Lockresource and Freeresource, I also found Sizeofresource. I used a loader to find the OEp and to halt the program before dumping it with Lordpe.
IT address=2AF280
size=9F8
I'm using Revirgin, and after ripping the import table I trace all the unresolved calls using Softice.
After unpacking it, it ran okey on XP and WinME. But I do get the runtime error as described before when I rightclick on packets. But I understand that it can be fixed by patching the program as described by Solomon. I do not get another runtime error before patching the program.(I haven't tried to run it for an extended period of time though).
What I'm wondering about is how Solomon actually is managing to hardcode the 512 byte hash into the unpacked exe.
Question: doesn't the program compare the original hash value with the one calculated? If so, what about looking at this location?
(I'm new to this kind of check, so bear with me...:-))
regards,
hobgoblin
GlObAl
August 17th, 2002, 10:57
Hello,
another way to defeat the CRC is to jump to a free space before it runs the crc code.
There you set all changed places back to the original values like
mov byte ptr [adress],074
also the place where you jump out, then the code looks like untouched in the memory.
then call the crc code calls from your free place, after that patch all back regoffset and jump to this place.
Mh hard to explain but its an easy way... :~)
evaluator
August 17th, 2002, 11:22
hobgoblin!
Be sure, I many time click left-right-back-oral mouseButton, but nothing..
Did you use my IT?
Ok, do this:
pack your unpacked file with winace>zip , upload somewhere & send me address in PM
Hello, GlObAl!
that method, you wrote, is my gift to SPLAJ
maybe you see it in others cr_ck, but they see..
foxthree
August 17th, 2002, 12:02
Guys:
Stop playing .... and notice what is happening at 403CAE location. This is where some kind of decryption happens. And this is where the first Access Violation should occur pointing to some address 13b1c78 (AsSPR address). If you bypass this you'll get another exception which is of course a hard coded string which says something like 402a22 accessed address at 893005 or some shit like that.
Now tell me did you guys get this or what????
Signed,
-- FoxThree
evaluator
August 17th, 2002, 12:20
pack your unpacked file with winace>zip , upload somewhere & send me address in PM
evaluator
August 17th, 2002, 14:57
OK!
I dlded hobgoblin's unpacked cv.
There is simple error in IT>fcd.dll's thunks.
I paste my IT.BIN & all workXS!
So AGAIN!
Download my previously attached IT.zip, paste in CV-dump at 2AF000,
then in LordPE set values I written
(IT=002AF000 SIZE=0280)
And see if crashes.
FINITA ALLA COMEDIA
hobgoblin! what version of RV you use?
Redownload latest RV's(1.3 & 1.5)
hobgoblin
August 17th, 2002, 16:43
You were right. After rebuilding the exe as you did with your IT section, the packet problem was solved.
I used the latest Revirgin (1.5) when I'm using XP, and version 1.2 Public version when I worked on WinME. In fact, when I rebuild the exe on XP, I didn't get the packet error. Maybe the problem comes from using an earlier version of Revirgin.
Another thing: I build the IT section into the exe as the last section.
Exactly what do you think was the problem?
Anyway, as this is solved, I'm looking deeper into the CRC problem. Interesting stuff....
Thanks a lot for the help.:-)
hobgoblin
Late comment: I just went over the whole process once more, but this time with Revirgin 1.3 Public version. NO problems...:-)
evaluator
August 17th, 2002, 17:21
Yah!
This happens because of you use old RV.
Some time ago I notified Tsehp about this problem & he solved it.
So you must renew RV. Download RV1.3 & all will OK.
BTW, you also can use RV1.5 on W9x. Only tracer not works, but import resolver works normal. (don't trace unresolved)
Thats All Folls!
Hey, foxtree, so how are you? Also use old RV?
foxthree
August 17th, 2002, 21:33
Hey, EVAL ---> it's all RV's fault ...
Step1:
~~~~
Anyways, after initial scan of CV using RV I get the following unresolved:
1DF0EE8, 1DF133C, 1DF139C, 0065B6C4, 0065B744, 1DF1358, 1DF1390, 1DF1388, 0065B778. Right???
Step2:
~~~~
Now use my brain ( no RV/ImpREC Only SOFTICE )
1DF0EE8 == GetProcAddress
1DF133C == GetModuleHandleA
1DF139C == GetCommandLineA
0065B6C4 == SizeOfResource
0065B744 == GetCommandLineA
1DF1358 == GetVersion
1DF1390 == GetCurrentProcessId
1DF1388 == GetCurrentProcess
0065B778 == (Dummy) FreeResource
Correct??
Step3
~~~~
Add new section to dumped CV and paste the IAT (len = 280 as you said) at offset 0x338000.
Still Crashes???
Enclosed is IAT.txt file for your scrutiny... Maybe I did something wrong?
Signed,
-- FoxThree
evaluator
August 18th, 2002, 07:25
Now here is YOUR mistake!!
you have 2nd GetCommandLineA at
103 002AF434 BFF8C5DA 0149 KERNEL32.dll GetCommandLineA
??????
but this must be
103 002AF434 00000000 0000 KERNEL32.dll LockResource
evaluator
August 18th, 2002, 07:37
Now KEEP in MIND!
DUMP & RESOLVING unpacker MUST MAKE
_NOT_ after OEP!
Clear?
This is why you have tricky thunks with addresses
0065B6C4
0065B744
Because Tumos playing with thunks from main code.
I detected this trick long time ago...I'm lazy for search in forum,
but you can found it.
foxthree
August 18th, 2002, 08:53
Hey Eval:
In the uploaded version of IT.txt, I make mistake. You're right! But my original resolve was FreeResource. You can find that in my earlier post. However, the IT.bin created by RV 1.3 seems faulty. I enter these values in RV 1.3 under W9x. IT RVA = 338000 and len = 280 but bin was wrong.
I dl RV 1.5 and hacked to get it installed in W9x. Then I give same IT RVA but this time as 00338000 and len 280. Bingo! it works!!!!
Thanks for all your help.
Hob:
Thanks for your mail. Alas, you're under WinME I suppose which explains the SetProcessWorkingSetSize and all... which aren't there under Win9x. So is the last 2 ADVADPI calls OpenSCManagerA isn't there under Win9x
But thanks anyways....
3 Questions:
[To Eval]
DUMP & RESOLVING unpacker MUST MAKE
_NOT_ after OEP!
What exactly you mean. I resolve IT as 0040142C. But you're right I was surprised so use SoftICE and find no 0065xxxx but 1DFxxxx. If you could explain a little bit more clearly it would help?
[To +Tsehp and other RV coders]
Can you make RV 1.5 install under Win9x. Now it just quits. I had to hack it to get it installed under my system. You can put a warning saying Tracer/Plugins will not work and then install the rest of the package. Just a suggestion!!!
[To +SplAj guru]
Yoohoo where r u? we miss u ...
Signed,
-- FoxThree
Solomon
August 18th, 2002, 09:50
well, I think he means we have to suspend CV.EXE at the OEP before we use RV/ImpREC to resolve IATs, coz some appz will modify the contents of IAT after it enters OEP, which was discussed before.
And please don't blame the tools for wrong resolved APIs.
I always manually examine every "suspicious/unresolved" API in ImpREC/RV and it saves me a lot of time to avoid debugging unknown runtime errors.
Quote:
Originally posted by foxthree
[To Eval]
DUMP & RESOLVING unpacker MUST MAKE
_NOT_ after OEP!
What exactly you mean. I resolve IT as 0040142C. But you're right I was surprised so use SoftICE and find no 0065xxxx but 1DFxxxx. If you could explain a little bit more clearly it would help?
Solomon
August 18th, 2002, 10:15
In CV.exe, this is the ONLY runtime error (error 212) concerning with anti-unpacking tricks. Other runtime errors are due to incorrect unpacking.
BTW: ReGet Deluxe also uses some "Runtime error #xxx" to detect unpacking/cracking attempts.
Quote:
Originally posted by SilSaLaMaTa
I changed the jump , but still run time error 
evaluator
August 18th, 2002, 13:46
foxtree!
Solomon's explanation is right.
Yes, I mean, you must stop program at OEP & do resolving+dump here.
(Of course, also is good to make control dump right after unpacking.)
This will resolving for home use
For HQ unpacking Unpacker must find where ImportNames are decrypted & check each resolved name!!!
Now back to RV.
Be sure, I use RV1.3 & nothing happens wrong.
I now uploaded another IT.bin for pasting at 338000.
Values for RV was
OEP 00401000
IAT RVA 002AF280
IAT SIZE 00000A00
IT RVA 00338000
IT SIZE 00000280
Values for LordPe>Directories are:
ImportTable RVA=338000 SIZE=280
Values for LordPe>Sections>added idata section:
VA=00338000 VSize=4000 RO=00338000 RSize=4000
Check with you values. Somewhere must error. Finally you can (as Hobgoblin)
compress your unpacked exe, upload somewhere & send me URL in PM.
foxthree
August 18th, 2002, 14:02
Hey Solomon/Eval:
Sorry if I'd sounded like I blamed RV. RV rockz!!! Absolutely... No doubt. What I wanted to say was more like a bug report: IT's are correctly resolved (both via RV and manually fixed unresolved ones correctly) but RV 1.3 did not do the .bin generation correctly. That was what I intended to say. My sincere apologies if it was conceived in any other way.
Eval: You're right. I dled RV 1.3 latest today from tsehp.cjb.net and the IT.bin problz is solved. I might've used the older version of 1.3... who knowz. Now RV 1.3 and RV 1.5 both are working on my machine. Special batch file to switch tracer.dll and thread.dll
Eval, many thanks for ur patience with this target and helping me out. Alas, I was too jumpy which is against every known *zen* philosophy .... and I apologize.
Two things though:
1. Can we make RV 1.5 install in W9x
2. Can we code specific versions correctly in the about box (For instance the RV 1.3 version says RV 1.3 Public release in Title bar but 1.2 in about box
Once again many thanks to +Tsehp and RV Team for all their help and patience
Signed,
-- FoxThree
PS: Hmmm, still no sign of +Splaj ???
nofurs
August 18th, 2002, 14:03
Hi evaluator,
Are you uploading a crack
oops disappeared
FoxThree did you tried winrar?
evaluator
August 18th, 2002, 16:06
cluesurf, explain what you want to say..
my attachments are deleted?
Explanations will good, Mod!
nofurs
August 18th, 2002, 16:13
Hi evaluator,
>For all your unpacking questions. No uploads of patches and >such will be allowed.
Could be this man it just suddenly disappeared
FoxThree, I mean this ;P
>1. Can we make RV 1.5 install in W9x
Try the latest winrar and extract it in win9x
You still need to msi installed
foxthree
August 18th, 2002, 16:17
Hi Cluesurf:
Winrar? u mean for unzipping what Eval uled? Ofcourse, and it works. Didn't it work for u?
Signed,
-- FoxThree
evaluator
August 18th, 2002, 17:03
>No uploads of patches and >such will be allowed.
Sorry! My eNgLiSh is so littEl! Can you explain, since what time IT.BIN is "patches"?
I wait for Mod's explanation, because I just want to know, what TO DO tommorow!
Or just point me to new FAQ page!?
evaluator
August 18th, 2002, 19:26
esther, thanks for explanations!
Just I can say to you, I, SPLAJ & many others lot of times uploaded such IT.BINs...
So if now rules are changed, Rules must be clearly defined for override mistakes.
Also I can (I think) discuss about educational purpose of such files, but will not do it right now.
Maybe in OFF topic I will do..
So for clear thing, last time Q:
No more uploading for IT.bin & IAT.txt?
hobgoblin
August 19th, 2002, 10:13
Hi there,
I'm still working on this target, and therefore I need a copy of Commview 3.4 build 239. I need the evaluation version, so this is not a crack request. I've been searching the net for quite a long time, but the only version I get hold of is 242. I need 239 to make some comparisons.
So if someone could point me in the right direction, or simply mail it to me, I would be grateful.
regards,
hobgoblin
Solomon
August 19th, 2002, 11:38
I have it. About 1MB.
solomon2000(at)gmx.net
SilSaLaMaTa
August 22nd, 2002, 12:17
Hi ,
I did all that u said but still something wrong, I can't fix it
I put a "push 7fffffff" and "sleep" at the oep (65c734) (CV 3.4 build 238). Then IT rva 2af280 and len A00. RV resolved the imports
and then fix asprotect imports and a LockResource at 2af434. IAT rva: 338000 and len: 5C0 (<-- I think). RV generated it.bin
After that I dumped the prog and fix the bytes (the push and call)
to the original.
In lordPe: Sections -> Load Section -> It.Bin -> Section loaded
Directories -> Imports: 338000, Len: 5C0 -> save ...
I tried to run the prog but I got RunTime Error 216 at 403CAE
I'm using the latest RV 1.5 on XP (with a lot of problems).
I also tried ImpRec ...
I attached my IT.
evaluator
August 22nd, 2002, 12:30
SilSaLaMaTa
your OEP looks strange. Check, what we wrote about OEP.
& you values are terrible different with my!
See up 12 post, what I wrote!
SilSaLaMaTa
August 22nd, 2002, 12:56
I have CV build 238 , It is the correct oep , cause it's working if I patch CV .
I forgot to upload my IT ...
evaluator
August 22nd, 2002, 21:41
you have 1 MISTAKE entry
correct is
002AF2E0 > KERNEL32.dll GetCommandLineA
you have
>GetVersion
Seems you did it with plugin??
OUR thanks to SOLOMON for ITcompare
SilSaLaMaTa
August 23rd, 2002, 10:52
Hi ,
Everything is ok now
I didn't know that the plugin may do the work wrong !
I checked some of the imports and there were ok , so I didn't check all of them .
Thanx .
esther
September 7th, 2002, 07:28
Hi evaluator,
I delete it coz it acts as a patch. Copy and paste to the dumped file and it will show all the strings and references even iat.txt are deleted. It shows no purpose teaching, helping ppl to learn.
Btw you can send it Foxthree if you want to help him understand
the problems.Uploading in here sure to cause problems to the forum...
Hopes its explains everything.
Regards
foxthree
September 15th, 2002, 20:58
Fellowz:
Did you see the CV 3.4.243. Unpax it under Win2K...Have Tamoz guys been reading this board ???
Signed,
-- FoxThree
Nebob
December 8th, 2002, 16:30
Here is the IT for build 248. I only get runtime error 212, so I assume it is correct?
diz
December 29th, 2002, 01:14
Quote:
Originally posted by Solomon
Please refer to v3.0 build 205 thread in the newbies forum. I have successfully unpacked and cracked it. There is also an inline patch from DISTINCT group.
sorry for upping such old topic, but I just discovered that there is some another thing which all crackers seems to miss. When you start program with "mirror" parameter (look in help for what it does) programs allow only capturing packets for 5 minutes.
ReaL|sTy
January 2nd, 2003, 19:59
i'll hope this help ... there's a working unpacker that can easily do the job and works for many aspr latest version packet programs.... check protools! but this is not matter of aspr Tamos program use some internal crc check . that makes program crash like hell ,even if you use a loader will crash if you modify some bytes, actually the ones you need to patch :P. because at the end is all matter of that so you or anyone else won't pay for the program and use it for free. i think is time limited only but you can easily remove time limit from the registry without modifing the .exe, maybe this information will help. i'm not sure if this is really a crc check or some internal extra protection to prevent the exe from been crac........ good luck!
diz
January 3rd, 2003, 17:04
Quote:
Originally posted by ReaL|sTy
i'm not sure if this is really a crc check or some internal extra protection to prevent the exe from been crac........ good luck!
there was a good discussion about that crc check some time ago (you'll find it with search function).
This program also displays only half of the packets so it's not true what you're saying that it has only time limit.
And, btw. you're saying that time limit can be removed by modifying registry key? You mean that 'five minutes only capturing' limit?
diz
ReaL|sTy
January 3rd, 2003, 18:51
i said i think, i didn't say i'm sure. but if you want the program full registered you will have to study the algo and look where to patch to simule is been registered. you see it doesn't have any registration option because it needs a key file that should be in the program's dir. about time limit, is for the trial days the info. i gave
Solomon
January 15th, 2003, 07:03
Did u mean "Fatal error #43" ?
Quote:
Originally posted by foxthree
Fellowz:
Did you see the CV 3.4.243. Unpax it under Win2K...Have Tamoz guys been reading this board ??? 
Signed,
-- FoxThree
Solomon
January 15th, 2003, 07:09
yes you are right.
Quote:
Originally posted by diz
sorry for upping such old topic, but I just discovered that there is some another thing which all crackers seems to miss. When you start program with "mirror" parameter (look in help for what it does) programs allow only capturing packets for 5 minutes.
ReaL|sTy
January 15th, 2003, 08:23
that program has many limitations as i see. i found discussions about it thanks for telling me diz. yes Solomon many crap on those fatal errors looks like an ascii stuff. the only way to remove all those limitation is making/simulate been registered