Hey guys - totally new here i got my first question right with me.
I have a two programs here, seeming to use exactly the same protection, some kind of packing or encryption and a serial check, which does something in the registry.
But the prog shuts down my RegMon when i start it. I searched the web but wasnt able to find any infos on RegMon protections - this Anti_Anti-Regmon-Patch doesnt work with me.

Any ideas how to defeat that?

Thx in advance,

Joda

Hi there, welcome.

I had the same problem, I got round it by hexediting regmon.exe (and filemon.exe) and replacing all occurrences of regmon with something else, (I used, erm, segmon :P). Then rename the file itself and the folder its in (not sure thats actually necessary, but hey).

Have fun

Hiya,

One other possibility I ran into a few nights ago in ASProtect.

He calls GetClassNameA to find the name of all the classes, then uppercases and compares them too a few known bad guys REGMONCLASS / FILEMONEX and a few others, if he finds them, FindWindowExA & SendMessageA combine to close regmon/filemon.

Take a search in your hex editor for 'regmonclass' and change it slightly and this detection bites the dust. The check is looped several times so this is probably the best solution. Early tools simply change the regmon window caption, for when only FindWindowExA was used.

Regards

CrackZ.

Crackz - thats probably what my search for just regmon changed without me knowing ;-)

why hexedit? regmon cometh with full source
code.

takes longer to compile than to search & replace hehe ;-)

My oh my :-).

To GodsJiva : I intentionally posted the method of detection since in my mind the method is far more important than blindly hex editing strings, you can disagree with me on the learning value of that if you want ;-).

To mo k : Aren't these newbies supposed to work a little and figure out solutions, progression so to speak, thought process "I know he detects the class name, I have the source code, lets see, what if.....".

Regards and please no flames, I'm not criticising anyone here ;-).

CrackZ.

CrackZ, I agree with you. I did actually find what I thought was the reason... After I had done the search & replace, I left the hex editor open, which had the filename filemon.exe in the title bar. When I ran the prog that was killing filemon, it left the modified filemon alone, but closed the hex editor :-P

Heya.

Thanks for the ideas, goin to try them out after breakfast ;D - another guy told me that it seemed, the programmers of that program renamed some sections of the PE header, so the unpackers cant check, that its ASPack - maybe i can get it cracked with the new infos i got

cya

Joda