
Find "EXE is damaged" by NetCaptor v7.01


Solomon
September 13th, 2002, 02:52
netcaptor ncsetup.a1000.exe

It's a Delphi target. The following job has been done:
1. unpack the ASPack or use SMC to patch it. I use the 2nd way.
Put 2 into CS:[52E094], we get a registered version.

2. Search for the references to DS:[52E094], we find the "Invalid Key" check, which is located at CS:4E84F8.

Now we have to locate the "EXE is damaged" message, which seems to be an integrity check. This msg will pop up about 10 minutes after its launching. Obviously this msg is encrypted. I have tried "BPX CreateFileA" to locate file CRC check, but no luck. And I also tried setting a BPM in the memory location where I patched the code, no hit yet.

Decompiling it with DeDe, we can see that the msg box is a dialog of TFrmConfirm, which is dynamically created each time, so you can't set a BPM on the "EXE is damaged" string to find out where it's decrypted, because the addr of the plaintext string changes each time.

I need help to locate this EXE check. Thx

foxthree
September 13th, 2002, 03:49
Hi Solomon:

Try to run APISpy on the unpacked and rebuilt EXE to locate the exact API used to make the window appear. Or you can use bpx on CreateWindowEx to break into in SoftICE and then trace backwards from there.

I've fixed many an app using this technique [which never fails, as the app has to call CreateWindow at some point to display the nag], the latest being the Tamoz guys' play tool ....

A bit tardy, but will help. I'm curious to hear other techniques too

Signed,
-- FoxThree

Solomon
September 13th, 2002, 04:22
yeah, actually I BPXed CreateWindowExA/ShowWindow and traced back, but couldn't find the exact place where it does the following. For appz written in VC++, it's easy, while a bit difficult for Delphi/BCB appz.

TFrmConfirm *pForm = new TFrmConfirm( );
pForm->ShowModal( );

SpeKKeL
September 13th, 2002, 09:23
you could also try setting a bpx on one of the time APIs,
which will lead you to the popup message.
I thought I used GetTickCount a few times.

(you could kill the rest of the apps which use these APIs)

Ciao,

Spek

Solomon
September 13th, 2002, 10:47
thx, but GetTickCount( ) and SetTimer( ) are called too many times by many appz in the system

SilSaLaMaTa
September 13th, 2002, 15:06
Hi Solomon,

I don't know what exactly is happening,
but I changed a byte and I don't get the message any more.
I have 7.0.2 Beta1.
The message would appear after unpacking ...

0042515B A1 68 A6 52 00 mov eax, ds:dword_0_52A668
00425160 83 78 08 00 cmp dword ptr [eax+8], 0
00425164 7F 04 jg short loc_0_42516A
00425166
...
0042516A
0042516A loc_0_42516A:
0042516A B0 01 mov al, 1
0042516C
0042516C loc_0_42516C:
0042516C 88 45 FF mov [ebp+var_1], al
0042516F 80 7D FF 00 cmp [ebp+var_1], 0
00425173 74 75 jz short loc_0_4251EA
00425175 EB 61 jmp short loc_0_4251D8


I changed "mov al,1" at 42516A to "mov al,0" and no message.
SelfChecking should be somewhere near.
I didn't check the program carefully to see whether it runs normally with this change, but it runs.

Manko
September 13th, 2002, 15:48
Quote:
Originally posted by SilSaLaMaTa
I changed "mov al,1" at 42516A to "mov al,0" and no message.
SelfChecking should be somewhere near.

I'd be more interested in knowing how you found that place than knowing where it is.

edit: (I'm probably not going to check it out, but somehow suspect I'd not be asking if I did...?)

/Manko

Solomon
September 13th, 2002, 15:55
Thx. Late night now, will check it tomorrow

Quote:
Originally posted by SilSaLaMaTa
I don't know what exactly is happening,
but I changed a byte and I don't get the message any more.
I have 7.0.2 Beta1.

Solomon
September 14th, 2002, 07:00
now mission completed (v7.02 beta 1)
Code:

:004E8701 8D45F4 lea eax, dword ptr [ebp-0C]
:004E8704 E827B2FEFF call 004D3930 <-----------FindFirstFileA inside
:004E8709 E8CE62FAFF call 0048E9DC
:004E870E 3D00350C00 cmp eax, 000C3500 <------------size check
:004E8713 7E61 jle 004E8776
:004E8715 A1ECCC5200 mov eax, dword ptr [0052CCEC]
:004E871A 803800 cmp byte ptr [eax], 00 <----------another check
:004E871D 7557 jne 004E8776
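The listing above is read as a file-size comparison followed by a second byte test. As an added illustration from the defender's side (this is example code written for this page, not code from the thread, from NetCaptor or from any of the posters), here is what an executable self-integrity check of that general shape looks like in C, and why a length comparison alone is weak: patching a single byte, as done with `mov al,1` earlier in the thread, leaves the size untouched, while a CRC-32 over the image catches it. The image bytes and the expected values are constructed for the example; the only real constant is the CRC-32 check value for the string "123456789".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Self-integrity check, defender's view: the protected program embeds the
 * expected size and CRC-32 of its own image at build time and compares them
 * at run time. All constants here are constructed for the example. */

enum integrity_result { IMAGE_OK = 0, IMAGE_SIZE_MISMATCH = 1, IMAGE_CRC_MISMATCH = 2 };

/* Standard reflected CRC-32 (polynomial 0xEDB88320), table built on first use. */
uint32_t crc32_buf(const unsigned char *buf, size_t len) {
    static uint32_t table[256];
    static int have_table = 0;
    if (!have_table) {
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t c = i;
            for (int k = 0; k < 8; k++)
                c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
            table[i] = c;
        }
        have_table = 1;
    }
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = table[(crc ^ buf[i]) & 0xFF] ^ (crc >> 8);
    return crc ^ 0xFFFFFFFFu;
}

/* Size-only check, the shape of the "cmp eax, 000C3500" seen above: it only
 * notices tampering that changes the file length. */
int size_check(size_t actual, size_t expected) { return actual == expected; }

/* Size plus CRC: a patched byte keeps the size but changes the CRC. */
enum integrity_result verify_image(const unsigned char *img, size_t len,
                                   size_t expected_len, uint32_t expected_crc) {
    if (!size_check(len, expected_len)) return IMAGE_SIZE_MISMATCH;
    if (crc32_buf(img, len) != expected_crc) return IMAGE_CRC_MISMATCH;
    return IMAGE_OK;
}

/* Constructed stand-in for a code section: 16 bytes shaped like a tiny x86
 * prologue ending in "mov al,1 / mov [ebp-1],al / cmp ... / ret". Not real
 * program bytes. */
static const unsigned char kSampleImage[16] = {
    0x55, 0x8B, 0xEC, 0x83, 0xC4, 0xF8, 0xB0, 0x01,
    0x88, 0x45, 0xFF, 0x80, 0x7D, 0xFF, 0x00, 0xC3 };

/* Flip the immediate of "mov al,1" to 0 in a copy and report which check
 * notices. The size check passes; the CRC check does not. */
enum integrity_result demo_patched_verdict(void) {
    unsigned char patched[16];
    memcpy(patched, kSampleImage, sizeof patched);
    uint32_t good_crc = crc32_buf(kSampleImage, sizeof kSampleImage);
    patched[7] = 0x00;                       /* B0 01 -> B0 00 */
    if (!size_check(sizeof patched, sizeof kSampleImage))
        return IMAGE_SIZE_MISMATCH;          /* never taken: length unchanged */
    return verify_image(patched, sizeof patched, sizeof kSampleImage, good_crc);
}

int main(void) {
    printf("crc32(\"123456789\") = %08X\n",
           crc32_buf((const unsigned char *)"123456789", 9));
    printf("verdict for the one-byte patch: %d\n", (int)demo_patched_verdict());
    return 0;
}
```

In a real build the expected length and CRC would be written into the image after linking (or the check would hash everything except the slot holding the expected value), and a CRC is only a tamper-detection aid, not a cryptographic guarantee; the point here is simply that a check which looks only at the size cannot see a same-length patch.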

Solomon
September 14th, 2002, 07:40
oops, not completed yet
There are other exe checks

SilSaLaMaTa
September 14th, 2002, 11:41
Hi Solomon,
1- My NetCaptor.exe size is 707,072 (0xACA00), why is it comparing it with 0xC3500?

2- I just changed the byte as I said, and I'm not getting any message ... Did you check that?

Solomon
September 14th, 2002, 12:39
1. The unpacked file size is greater than C3500, hence greater than ACA00.
2. You can't change that byte, because this procedure is called many times. That means it's not only for exe check purposes.

Search in IDA for references to 004EB18C (which displays the err msg), you will find something. Now it seems to be defeated.


Quote:
Originally posted by SilSaLaMaTa
Hi Solomon ,
1- My NetCaptor.exe size is 707,072 (0xACA00) ,why it's compating it with 0xC3500 ?

2- I just changed the byte as I said , and I'm not getting any message ... Did u check that ?

hobgoblin
September 14th, 2002, 12:48
Hi Solomon,
A small question: I can't find the references you made here:

1. unpack the ASPack or use SMC to patch it. I use the 2nd way.
Put 2 into CS:[52E094], we get a registered version.

2. Search for the references to DS:[52E094], we find the "Invalid Key" check, which is located at CS:4E84F8.

In SICE I can find 52E094, but putting any number in that location doesn't change anything. And the address 4E84F8 doesn't exist.

Do you have another version than me? I downloaded the latest one today.

Just wondering....

And how did you find the location you mention?

Solomon
September 14th, 2002, 12:58
The first post is for v7.01, the others are for v7.02 beta 1.
Here are some data for v7.02 beta 1:
CS:[52F094] //registered = 2
CS:4E8808 //Invalid key check

Just set a "BPX LoadString" and you can see how the NAG strings are loaded in CS:406F64.


hobgoblin
September 14th, 2002, 13:07
Thanks a lot for the fast reply.

hobgoblin

Stone()
September 14th, 2002, 17:46
What do you mean I can't change that byte? I changed it to

3D00350C00 cmp eax, 000C3500 to

3D00350C10 cmp eax, 100C3500

004EB000 55 push ebp -> c3 and no more trouble

004FF538 ok we register here

so no more nags and self checks, mission completed?

Solomon
September 15th, 2002, 07:26
I mean you can't change "mov al,1" at 42516A to "mov al,0".

SilSaLaMaTa
September 15th, 2002, 08:16
Understood , Thanx