RegMon Detection Protection
Joda
June 3rd, 2001, 05:21
Hey guys - totally new here, and I've got my first question right here with me.
I have two programs here, which seem to use exactly the same protection, some kind of packing or encryption and a serial check, which does something in the registry.
But the prog shuts down my RegMon when I start it. I searched the web but wasn't able to find any info on RegMon protections - this Anti_Anti-Regmon-Patch doesn't work for me.
Any ideas how to defeat that?
Thx in advance,
Joda
GodsJiva
June 3rd, 2001, 08:16
Hi there, welcome.
I had the same problem. I got round it by hex-editing regmon.exe (and filemon.exe) and replacing all occurrences of regmon with something else (I used, erm, segmon :P). Then rename the file itself and the folder it's in (not sure that's actually necessary, but hey).
Have fun
CrackZ
June 3rd, 2001, 13:02
Hiya,
One other possibility I ran into a few nights ago in ASProtect.
He calls GetClassNameA to find the name of all the classes, then uppercases and compares them to a few known bad guys (REGMONCLASS / FILEMONEX and a few others); if he finds them, FindWindowExA & SendMessageA combine to close regmon/filemon.
Take a search in your hex editor for 'regmonclass' and change it slightly, and this detection bites the dust. The check is looped several times, so this is probably the best solution. Early tools simply changed the regmon window caption, for when only FindWindowExA was used.
Regards
CrackZ.
GodsJiva
June 3rd, 2001, 13:46
CrackZ - that's probably what my search for just regmon changed without me knowing ;-)
mo k
June 3rd, 2001, 17:41
Why hex-edit? RegMon cometh with full source code.
qferret
June 3rd, 2001, 21:47
Takes longer to compile than to search & replace, hehe ;-)
CrackZ
June 4th, 2001, 00:42
My oh my :-).
To GodsJiva: I intentionally posted the method of detection, since in my mind the method is far more important than blindly hex-editing strings; you can disagree with me on the learning value of that if you want ;-).
To mo k: Aren't these newbies supposed to work a little and figure out solutions, progression so to speak, thought process "I know he detects the class name, I have the source code, let's see, what if....."?
Regards and please no flames, I'm not criticising anyone here ;-).
CrackZ.
GodsJiva
June 4th, 2001, 01:25
CrackZ, I agree with you. I did actually find what I thought was the reason... After I had done the search & replace, I left the hex editor open, which had the filename filemon.exe in the title bar. When I ran the prog that was killing filemon, it left the modified filemon alone but closed the hex editor :-P
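The detection CrackZ describes above (enumerate windows, GetClassNameA, uppercase, compare against REGMONCLASS / FILEMONEX, then SendMessageA to close the hit), plus the caption check that GodsJiva's closed hex editor points to, as an added example. This is my own illustration, not code from the thread, from RegMon, or from ASProtect. Assumptions not stated in the posts: the windows are walked with EnumWindows, the close message is WM_CLOSE, class names are matched exactly after uppercasing while captions are matched on the substrings "REGMON"/"FILEMON", and only the two class names quoted in the thread are listed (the "few others" are unknown). On a non-Windows build a constructed list of four window class/caption pairs stands in for the real window list so the matching logic can be run anywhere; the last pair shows why renaming the class string in regmon.exe to "SegMonClass" defeats the check.

```c
/* Added example: model of a RegMon/FileMon window-class detector and the
 * renamed-class bypass. Not code from the thread, RegMon or ASProtect. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Class names quoted in the thread; the "few others" are unknown, so only
 * these two are listed (assumption: exact match after uppercasing). */
static const char *const BAD_CLASSES[] = { "REGMONCLASS", "FILEMONEX" };

/* Caption substrings (assumption: this is why a hex editor with
 * "filemon.exe" in its title bar also got closed). */
static const char *const BAD_CAPTION_WORDS[] = { "REGMON", "FILEMON" };

/* Uppercase src into dst, the way the protector normalises before comparing. */
static void to_upper_copy(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[i] = '\0';
}

/* 1 if the window class is on the blacklist (case-insensitive exact match). */
int is_monitor_class(const char *classname)
{
    char upper[256];
    size_t i;
    to_upper_copy(upper, sizeof upper, classname);
    for (i = 0; i < sizeof BAD_CLASSES / sizeof BAD_CLASSES[0]; i++)
        if (strcmp(upper, BAD_CLASSES[i]) == 0)
            return 1;
    return 0;
}

/* 1 if the window caption contains a blacklisted word (case-insensitive). */
int is_monitor_caption(const char *caption)
{
    char upper[256];
    size_t i;
    to_upper_copy(upper, sizeof upper, caption);
    for (i = 0; i < sizeof BAD_CAPTION_WORDS / sizeof BAD_CAPTION_WORDS[0]; i++)
        if (strstr(upper, BAD_CAPTION_WORDS[i]) != NULL)
            return 1;
    return 0;
}

/* How many of n windows (class/caption pairs) the detector would close. */
int count_targets(const char *const *classes, const char *const *captions, size_t n)
{
    int hits = 0;
    size_t i;
    for (i = 0; i < n; i++)
        if (is_monitor_class(classes[i]) || is_monitor_caption(captions[i]))
            hits++;
    return hits;
}

/* Constructed sample window list: stock RegMon (hit on class), a hex editor
 * showing filemon.exe (hit on caption), Notepad (miss), and RegMon with its
 * class string patched to "SegMonClass" (miss: the bypass from the thread). */
static const char *const SAMPLE_CLASSES[] = {
    "RegMonClass", "HexEditWindow", "Notepad", "SegMonClass"
};
static const char *const SAMPLE_CAPTIONS[] = {
    "Registry Monitor", "filemon.exe - hex editor", "Untitled - Notepad", "Registry Monitor"
};

int sample_target_count(void)
{
    return count_targets(SAMPLE_CLASSES, SAMPLE_CAPTIONS, 4);  /* 2 */
}

#ifdef _WIN32
/* EnumWindows callback: read class and caption, close on a match. */
static BOOL CALLBACK close_monitors(HWND hwnd, LPARAM lparam)
{
    char cls[256], title[256];
    (void)lparam;
    cls[0] = title[0] = '\0';
    GetClassNameA(hwnd, cls, (int)sizeof cls);
    GetWindowTextA(hwnd, title, (int)sizeof title);
    if (is_monitor_class(cls) || is_monitor_caption(title))
        SendMessageA(hwnd, WM_CLOSE, 0, 0);  /* assumed message: WM_CLOSE */
    return TRUE;
}
#endif

int main(void)
{
#ifdef _WIN32
    EnumWindows(close_monitors, 0);
#else
    printf("%d of 4 sample windows would be closed\n", sample_target_count());
#endif
    return 0;
}
```

The two evasions discussed in the thread fall out of the sample: patching the class string in regmon.exe (or in the RegMon source before rebuilding) breaks the exact-match class check, while the caption check only cares what is in the title bar, which is why an unrelated editor with "filemon.exe" in its title is also a target.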
Joda
June 4th, 2001, 01:52
Heya.
Thanks for the ideas, going to try them out after breakfast ;D - another guy told me it seemed the programmers of that program renamed some sections of the PE header so the unpackers can't check that it's ASPack - maybe I can get it cracked with the new info I got.
cya
Joda