
A Troublesome DLL file


DaddyJTHC
March 9th, 2004, 21:33
I have this software that uses a DLL file to validate an email & cdkey code. My only guess is that after a successful verification it makes a registry entry that the installed software checks before using.

I can track the website this DLL file visits, but cannot get it to return the data I wish for.
Here is a link for the download of this DLL file

I promise I will NOT violate the Rules again by posting a URL of a Target

Any help would be most acceptable,
and thankfully accepted.

JMI
March 9th, 2004, 21:51
DaddyJTHC:

How did you draw the impression that we had suspended the Rule against posting URLs for targets just for YOU???? These are matters that are supposed to be left to PM if someone ASKS you for a URL. Otherwise do not post them here. Please acknowledge that you have clearly understood this message.

Regards,

evlncrn8
March 9th, 2004, 21:58
mebe he's color blind and didn't see the red lettering on the main page

that's the excuse I'll use if I ever break the rules ;p

/me runs

Woodmann
March 9th, 2004, 22:17
HAHAHAHAAHHAHAHAHAAA.........

YAYA, that's it, I'm color blind...
I like that answer, f'ing clever and witty


Could you please make the words size 60 font please
Oh shit, I just had a great idea
(watch for it in the near future)

-cbo-

JMI
March 9th, 2004, 22:25
We could start a variation of the joke: "Here's your sign!"

Regards,

DaddyJTHC
March 10th, 2004, 21:22
I didn't think they applied since the file is freeware, and it is a private server, but they are your rules and I will follow.

JMI
March 10th, 2004, 22:48
That is all we ask. We don't want to have to guess what may or may not be commercial software.

Concept wise, your question makes no sense with this being "freeware." Why would the program check something on "freeware" and not get the correct information? Is this really "freeware" that can be upgraded and you simply haven't told us the truth?

Have you attempted to determine what the DLL is checking when it connects to the website and/or what information it is attempting to validate? There are programs which will tell you what passes between the DLL and the website, and if it is freeware, it shouldn't be checking anything all that complex. If it is "freeware" it should be able to register itself and you should be able to use Filemon and/or Regmon to determine what it has done. So at this point your story does not seem to be holding together. If, in fact, you have an email addy and a CDKey already, why don't you "register" your "freeware" and then use one of the many available programs to detail for you exactly what has changed in your registry??????

Regards,

Woodmann
March 10th, 2004, 23:22
OWWWWWWWWWWW....

To quote someone else whose name escapes me,

Wrong move dude.

-cbo-

DaddyJTHC
March 11th, 2004, 21:03
Well told, and thanks for the proper azz chewing. You've taken my words, and I didn't explain myself clearly. The program is not freeware; the verification DLL is an open source protection scheme (modified for use by the program), so I considered that freeware. But thanks anyway.

JMI
March 11th, 2004, 22:22
So where we end up is:

1.) You did not start out telling the truth;

2.) Then you only tried to argue with me and ignored some advice which was suggested to you as to how to attempt to determine what was happening with your program after it connected with the server, and finally,

3.) You once again attempt to justify your untruth, deception, and flagrant violation of our Rules because YOU considered it "freeware" because it "used a variation of an open source protection system."

How truly and utterly pathetic.

Regards,

esther
March 12th, 2004, 00:49
>thanks for the proper azz chewing

You did it to JMI!?!!!

DaddyJTHC
March 12th, 2004, 09:22
More pathetic and childish personal flames removed. Can personal banning be far behind?

Kayaker
March 12th, 2004, 16:27
Somehow I'm reminded of a sign above the photocopier at work...


WARNING!

This machine is subject to breakdowns during periods of critical need.

A special circuit in the machine called a 'critical detector' senses the operator's emotional state in terms of how desperate he or she is to use the machine. The 'critical detector' then creates a malfunction proportional to the desperation of the operator. Threatening the machine with violence only aggravates the situation. Likewise, attempts to use another machine may cause it to also malfunction. They belong to the same union. Stay cool and say nice things to the machine. Nothing else seems to work. Never let anything mechanical know you are in a hurry.

JMI
March 12th, 2004, 16:44
Actually DaddyJTHC has now posted three threads here attempting to have someone solve his inability to determine how this "freeware" VISE Dll manages its email/cdkey/online validation. He even said in one that he had purchased a legal copy of the software and was complaining that it "only" allowed five installs. It seems he is so desperate to get his music career going that he can't "afford" to tell the truth.

He also apparently doesn't seem to understand that we can easily edit out those portions of his "gangsta rap" attitude that he attempts to post here to impress his "homeys." But he's obviously still very young and maybe he'll grow out of it, or at least realize his attitude has not impressed anyone here.

Regards,

DaddyJTHC
March 13th, 2004, 11:08
As per JMI, I will keep this post proper, listing everything I have tried, and progressed onto this work.

I can see the data being sent, and even change the data being sent. The only problem is there is a perl script on the server. What is the most effective way to view a .pl file on an Apache web server?

A side note.
JMI please accept this thread, I'm only asking for help, I am working on the actual problem.

nikolatesla20
March 13th, 2004, 11:31
All you have to do is set up your own web server, (read some docs and throw up a basic server on your Local Machine)

Then, if you know the website, for example, www.blather.com, you go to "C:\windows\system32\drivers\etc" (this is the path on 2000/XP) and you will find a file named "hosts" (there is no file extension on it). Open this file in Notepad and add a line

127.0.0.1 www.blather.com

This makes your system resolve blather.com to your local machine instead of asking a DNS server. Then, the application will unwittingly be going to your own web server. Now, if you know the page it's going to, just set up a similar path and page name on your own web server, and change the data (the page) that comes back so it's what it needs to be.

Simple.

-nt20

JMI
March 13th, 2004, 11:33
Partial Attitude Adjustment noted.

I have taken the liberty of merging this with your most recent thread and will include a reference to the others of this series. Part of the problem is that you keep making new threads when you are still talking about the same original problem and you really provide insufficient information each time you restart the discussion.

For anyone who may be interested, he has a protection system that uses a DLL file to validate an email/cdkey/online registration system and he has to connect to a remote server to validate his online registration. He has now apparently determined that it runs a perl script to validate his target and he thinks he wants to "read" it on the remote server.

If you are interested, you can review his other threads on this same topic at:

http://www.woodmann.com/forum/showthread.php?t=5590

and

http://www.woodmann.com/forum/showthread.php?t=5600

You mentioned in one of these prior posts you still have one working version on another machine. Have you, by any chance, attempted to run a file comparer on the "good" version and a "not good" version to determine any differences and to see if this "perl script" changed anything on your file?

And "Daddy Jiggles, The Hemp Clown," you are not going to win any points here (except maybe with your homeys) by pointing out typos in my posts. Everyone but you already knew I make typos and can't spell. You STILL aren't paying attention to the fact that I can edit or delete your posts at will, but you've already demonstrated you learn very slowly.

Regards,

DaddyJTHC
March 13th, 2004, 11:41
I am in the process of doing this, using regmon & filemon; the program itself doesn't do an online check after the first time.
I'm still comparing the lists.


Side note.
I'm sorry for making new threads, I will cease. Thank you for your patience.
DJ

JMI
March 13th, 2004, 11:59
If you are wading through a regmon log file you might find this thread useful:

http://www.woodmann.com/forum/showthread.php?t=4162

Kayaker wrote a tool to reduce the duplicates in the log to make finding what one may be seeking easier.

Again, referring to your earlier posts, if you have five "valid" re-installs, there has to be a countdown entry for the server to check against. Each time you re-install, it has to reduce this "entry" by one and to check it, there most likely has to be a compare instruction in the checking routine.

Regards,

DaddyJTHC
March 13th, 2004, 12:18
I agree totally, I've pretty much chopped their webserver up looking for an answer. Basically as far as I can gather, each install gets added into their database (I couldn't find it). BUT after the initial check it doesn't make any more attempts to verify. Either a file is downloaded or a registry entry is made. I haven't determined which of the 2 is true.

Thanks for that link, it will help.

JMI
March 13th, 2004, 15:59
And another thought:

You are aware, are you not, that VISE offers not only free copies of its software for downloading, it offers free copies of its User's Guide for downloading. Anytime you are attempting to reverse a protection system, it is a very good practice to obtain as much information as possible about how the maker describes its workings.

They also have a set of examples for the 3.1 version, including documentation and examples, for things like:
Default Install Location
Default Registration Info
Does Registry Key Exist
Uninstall Existing App

It is also a fairly good probability that the program itself is protected by the same general systems they offer to their customers. One of the things included in the program is an updater, which includes a reg snapshot and difference comparison tool which maps all the changes made to your system with the installation of the program protected by their products.

Regards,

JMI
March 13th, 2004, 21:38
And yet another thought.....

Have you, by any chance, examined the dll with IDA? There are some references to two CLSIDs where your counter and/or validation might be hiding. There are also references to "AppKey," "SingleKey," and "Last Key." And have you looked at the .inx file which comes with the Release program? The one with the demo only refers to the "free version" and I suspect that they might have learned the lesson that the only safe demo is an incomplete one. However, if you reviewed the Manual for Vise and compared the .inx file for the "free" demo to the Actual Program which you still have on one of your machines, I believe you would find useful information by doing a compare of the two files.

Regards,

DaddyJTHC
March 14th, 2004, 02:02
Quote:
[Originally Posted by JMI]However, if you reviewed the Manual for Vise and compared the .inx file for the "free" demo to the Actual Program which you still have on one of your machines, I believe you would find useful information by doing a compare of the two files.


I will definitely check this. I have viewed the dll in IDA; I could understand most of it. I will do this now.

Thanks for the info.
DJ

JMI
March 14th, 2004, 02:46
I did notice that the DLL had string compare functions and writes to a particular CLSID. Have you checked that one for the "good boy/bad cracker" and/or declining installs?

Regards,

DaddyJTHC
March 14th, 2004, 14:52
Quote:
[Originally Posted by nikolatesla20]All you have to do is set up your own web server,

I have a local server, and can get it to connect to it, but I don't know the information that gets returned; if only it were that simple.

DaddyJTHC
March 14th, 2004, 15:01
Quote:
[Originally Posted by JMI]writes to a particular CLSID.

I have noticed this, and have spent a lot of time in my registry lately. The machine that has it installed finds the key and queries it according to regmon:
QueryKey HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9} SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}
then again
QueryValue HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47

So how can I now, convert this into a registry entry?

JMI
March 14th, 2004, 18:16
DaddyJTHC:

There are a number of things going on with this install and you do not seem to be approaching them "logically" and/or sequentially. You have a DLL which identifies itself as VISE and you have a "setup.inx" file. Are you aware that the ".inx" is an Installshield script? Have you decompiled it and looked at the code for the "free version" as compared to the "purchased version" like I suggested? Assuming you have original install disks or the original install package, simply starting it and letting it run to the point where it asks you for the serial number will provide the needed files in your temp directory, as you have already discovered. You can simply copy them to another folder before you choose "Cancel" and close out the program. There are decompilers that will disassemble these ".inx" files very effectively and can be found on various tool sites with a search in your favorite search engine. WHERE to find it is NOT something you are supposed to ask here.

You said the purchased version has only five installs. Well, obviously, it has to keep track of how many installs you have had "somewhere." This code has to be recorded in a "reg" file or a temp file or a registry entry. Assuming the possibility it is a registry entry, you need to look for code in the ".inx" and/or DLL file that WRITES to a registry entry or writes somewhere else.

We can also assume that the vendor needs some way to "know" how many installs you have/had so they do not validate an attempt in excess of their limit. We can also assume, if they aren't completely incompetent, that they have a mechanism to check that it is not installed "five times" on as many different machines as you want to put it on. So you can expect and look for information that determines your Volume ID information and/or HD and/or CD identification and/or OS information and something that may send this information to their server and/or writes it someplace on your machine. I see in the DLL and the INX file references to date parameters and their server could easily store the date of first-through fifth installs by recording these type of dates from where they are recorded on your machine.

Now you know that the DLL has references to TWO different CLSID keys. Do you know whether it writes to both or only one? If it writes to only one, does their server write to the other? Have you logged what goes OUT when you log on to their server? Or were you only thinking about what came IN? Your regmon entries should show you what was QUERIED and what was SET and may even show by whom.

Another good place to look may be in the comparison of the registration checking function for the "free version" vs. the "purchased version." In the "free version" there is a StrCompare(global_string15, "521-1217-00004") which is supposed to be "local_number6 = (local_number6 != 0)" and if the result doesn't equal "0"

if(local_number6) then // ref index: 1
@00004F8C:0021 MessageBox("Invalid license key. Please re-enter.", -65534);
@00004FC0:0005 goto label_4df4;

which goes back to the enter password screen. Your "valid" password for your install may be hard coded in your "purchased version" .inx file, and if it is, this would suggest that their server is really checking the number of installs recorded against that serial number. Finding where this data is stored on your machine and what part of the DLL and/or .inx file access it should lead to where they check and should reveal what the proper result code might be for the "good-boy" result.

Regards,

DaddyJTHC
March 14th, 2004, 19:38
Quote:
[Originally Posted by JMI] Have you logged what goes OUT when you log on to their server?


Yes, when reporting to their server, it transmits the following information
email|cdkey|machineid
in a custom hex-let hash format.

this in turn causes the page to be returned
DPERROR:1 Key used to many times!

So based off what you have said, during install the program could download a different setup.inx if the cdkey verification process succeeds.

DaddyJTHC
March 14th, 2004, 19:48
Another thing I have noticed is the frequent usage of the NTUSER.DAT.LOG file; is it common to use this file?

JMI
March 14th, 2004, 21:21
OK. That tells you the server keeps track of the number of times the serial number is installed and probably checks for which email address and machineID, but it could just validate it five times regardless.

You need to answer some questions:

1.) Does the "purchased" version come with a different ".inx" file, and/or do you know whether or not it has the same dll file?

2.) How did you receive it? Do you purchase it on line and receive disks, or was it sent to you by email or download from their server?

3.) Do you have a copy of the original install exe on one of your machines? If so, what is its size in KBs?

4.) When you get the error message "1 Key used to many times" does the install stop altogether, or does it just install the "free" version? I do not find that error message in either the "free" ".inx" or Dll files.

5.) Do you have a copy of the "purchased" ".inx" file and have you decompiled and compared it to the "free" version? Does that error message appear in its text?

6.) On the machine where it is still running, have you tried to get an update and if you try, make sure to record what is sent and received.

7.) I assume that Q5MDB-A5CG-YZEY-APBD9 was the hash of the original serial. Is that correct?

8.) What are the entries on the working copy for the A88A6800 Key and for the B43CCF60 Key, as shown in RegEdit? Do you have another copy installed on another machine you can compare those entries against?

Regards,

DaddyJTHC
March 14th, 2004, 21:41
Quote:
[Originally Posted by JMI]
1.) Does the "purchased" version come with a different ".inx" file, and/or do you know whether or not it has the same dll file?

There is no free demo of this version of software.
Quote:
[Originally Posted by JMI]
2.) How did you receive it? Do you purchase it on line and receive disks, or was it sent to you by email or download from their server?

Download from their server.
Quote:
[Originally Posted by JMI]
3.) Do you have a copy of the original install exe on one of your machines? If so, what is its size in KBs?

Both EXE's are the same.
Quote:
[Originally Posted by JMI]
4.) When you get the error message "1 Key used to many times" does the install stop altogether, or does it just install the "free" version? I do not find that error message in either the "free" ".inx" or Dll files.

No, it resets the fields during install. If you use the modified dll to install, the program will display the error and terminate. THERE IS however a hacked version of this software, but it displays a 421 Sound Error, then terminates.
Quote:
[Originally Posted by JMI]
5.) Do you have a copy of the "purchased" ".inx" file and have you decompiled and compared it to the "free" version? Does that error message appear in its text?

Yes both are the same.
Quote:
[Originally Posted by JMI]
6.) On the machine where it is still running, have you tried to get an update and if you try, make sure to record what is sent and received.

No updates for the program exist.
Quote:
[Originally Posted by JMI]
7.) I assume that Q5MDB-A5CG-YZEY-APBD9 was the hash of the original serial. Is that correct?

That is my original cdkey, yes.
Quote:
[Originally Posted by JMI]
8.) What are the entries on the working copy for the A88A6800 Key and for the B43CCF60 Key, as shown in RegEdit? Do you have another copy installed on another machine you can compare those entries against?

The machine is no longer at my house, so I am a little slow about getting this information, I have regmon logs, and am looking thru them now as I type.

DaddyJTHC
March 14th, 2004, 21:44
This is the only key found in the regmon log on the machine that has it installed.

HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9} SUCCESS
Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}

HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47

JMI
March 14th, 2004, 21:59
DaddyJTHC:

If you want to put the original exe up where you had it posted before (without reposting the URL) I'll download it and take a look. The whole exe would be best, but I need at least the DLL and the .inx file for the program, because the one I have from the company is the free demo.
If you want to do that, PM me and I'll download it and then you can take it down again.

Regards,

JMI
March 14th, 2004, 22:20
DaddyJTHC:

Download completed. You can take it down now. I failed to notice the single letter difference between the file I downloaded and the one you have. Happens when your eyes get older. Looking back over your other threads, I also notice that while the B43CCF60 Key appears to be the same, I failed to notice that the A88A6800 key did not match your program's second CLSID. However that may suggest good things for further review. I'll take a look at the material and report when I've had a chance to look at it. I might also at some point need the non-working DLL, although sgdt's post suggests where it might be different.

Do you know if he may have only been looking at the "free version" also, but his discussion is of that version, and not yours?

Edit: Now that I've had time to unrar it, I see the other files are included. Thanks. Always good to plan ahead.

Regards,

DaddyJTHC
March 14th, 2004, 22:26
Quote:
[Originally Posted by JMI]DaddyJTHC:

Edit: Now that I've had time to unrar it, I see the other files are included. Thanks. Always good to plan ahead.


For as long as I have been dealing with this, I am just glad someone will take the time to look.

JMI
March 14th, 2004, 23:28
DaddyJTHC:

A few random thoughts from my quick review so far. First I believe I can say that the error code returned does not exist in either the .inx or the dll file. I've only begun to scratch the surface, but have an idea worth pursuing. The "ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47" may be more significant than I understand. Doing a little parallel research on the M$ site and here, the "ApartmentModel" seems to be an indicator of a COM object which may, and I emphasize may, indicate that such an object was downloaded by the server. This is mostly guesses at the moment. Some discussion of COM objects is found here:
http://www.woodmann.com/forum/showthread.php?t=5437

Frankly, I don't know a hell of a lot about COM objects (OK really almost nothing), even to know if my guess may be in the right direction, but it sure would be interesting if we can locate a COM object on the machine with the working program that is somehow related to that "99 D2 32 19 01 3C 28 47" listing. Now just have to figure out how to find such things. More research required. I need to take a break and get some food and then I'll do some more research and review some more code. Might not post again until tomorrow. Thanks for the interesting project. Maybe someone with more knowledge about COMs and where they hide will chime in.

Have you seen any reference to any COM files in the regmon printout?

Regards,

DaddyJTHC
March 14th, 2004, 23:47
Quote:
[Originally Posted by JMI]
indicate that such an object was downloaded by the server. This is mostly guesses at the moment.

This may be the case, as after further investigation, the working machine doesn't ever check online to see if the cdkey is valid. I've tried many different attempts to recreate that registry entry (NO LUCK). As far as the logs go, I can send them. I have the REG & file logs for both the Non-Working and the Working Computer.

Another thing: you noted that the error wasn't in the dll file. I do beg to differ there (I could be wrong). When I viewed the DLL in WDASM and went into string refs, I could see the error listed in there, under the format of
String Resource ID=00116
"Cannot install. This %s key has been used to many times."
Line 10576 pg 132 and 133 of 516.

If you look at the MODed .EXE it does bypass this check, but gets held on the 421 Sound Card Error. Is there any light there to bypass?

DaddyJTHC
March 15th, 2004, 00:24
Noticed something odd in the regmon logs:
:Working Machine:
OpenKey HKCU\CLSID SUCCESS Key: 0xE18E2B20
QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-73586283-789336058-839522115-1003_CLASSES\CLSID
OpenKey HKCR\CLSID SUCCESS Key: 0xE16B5640
CloseKey HKCR\CLSID SUCCESS Key: 0xE16B5640
It doesn't query the HKCR

:NON Working Machine:
OpenKey HKCU\CLSID NOTFOUND
OpenKey HKCR\CLSID SUCCESS Key: 0xE4039180
QueryKey HKCR\CLSID SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID

Any significance here?
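
A small Python tool, added here as an example (it is not Kayaker's tool and not code from anyone in this thread), that does the comparison DaddyJTHC is doing by hand: it parses Regmon-style lines like those quoted above, strips per-run noise (handle values, user SIDs), collapses consecutive duplicate lines the way a log reducer would, and reports which accesses differ between the working and non-working machines. The sample logs are constructed from the lines quoted in the thread; the NOTFOUND result for the ApartmentModel value on the non-working machine is an assumption.

```python
"""Normalize and diff two Regmon-style registry access logs."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample logs, modelled on the lines quoted in this thread.
# Format per line: <Op> <Path> <Result> [detail]
WORKING_LOG = r"""
OpenKey HKCU\CLSID SUCCESS Key: 0xE18E2B20
QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-73586283-789336058-839522115-1003_CLASSES\CLSID
OpenKey HKCR\CLSID SUCCESS Key: 0xE16B5640
CloseKey HKCR\CLSID SUCCESS Key: 0xE16B5640
QueryValue HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47
QueryValue HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47
"""

# The ApartmentModel NOTFOUND line is an assumption for this example.
NONWORKING_LOG = r"""
OpenKey HKCU\CLSID NOTFOUND
OpenKey HKCR\CLSID SUCCESS Key: 0xE4039180
QueryKey HKCR\CLSID SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
CloseKey HKCR\CLSID SUCCESS Key: 0xE4039180
QueryValue HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel NOTFOUND
"""


class Event(NamedTuple):
    op: str
    path: str
    result: str
    detail: str


LINE_RE = re.compile(r"^(?P<op>\w+)\s+(?P<path>\S+)\s+(?P<result>[A-Z]+)(?:\s+(?P<detail>.*))?$")
HANDLE_RE = re.compile(r"Key: 0x[0-9A-Fa-f]+")          # kernel handles differ per run
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")         # user SIDs differ per machine


def normalize(ev: Event) -> Event:
    """Blank out values that legitimately differ between runs or machines."""
    detail = HANDLE_RE.sub("Key: <handle>", ev.detail)
    detail = SID_RE.sub("S-1-5-21-<sid>", detail)
    return Event(ev.op, ev.path, ev.result, detail)


def parse_log(text: str) -> List[Event]:
    """Parse log lines, skipping blanks and lines that do not match the format."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(normalize(Event(m["op"], m["path"], m["result"], m["detail"] or "")))
    return events


def collapse_repeats(events: List[Event]) -> List[Event]:
    """Drop consecutive identical lines (a polling loop can emit thousands)."""
    out: List[Event] = []
    for ev in events:
        if not out or out[-1] != ev:
            out.append(ev)
    return out


def diff_logs(working: str, broken: str) -> Dict[str, object]:
    """Compare two logs and report what only one side did and what changed outcome."""
    a = Counter(collapse_repeats(parse_log(working)))
    b = Counter(collapse_repeats(parse_log(broken)))
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    # Same operation on the same key but a different outcome: the most telling kind of difference.
    results_a: Dict[Tuple[str, str], Set[str]] = {}
    results_b: Dict[Tuple[str, str], Set[str]] = {}
    for ev in a:
        results_a.setdefault((ev.op, ev.path), set()).add(ev.result)
    for ev in b:
        results_b.setdefault((ev.op, ev.path), set()).add(ev.result)
    result_changes = {
        k: (results_a[k], results_b[k])
        for k in results_a.keys() & results_b.keys()
        if results_a[k] != results_b[k]
    }
    return {"only_working": only_a, "only_broken": only_b, "result_changes": result_changes}


if __name__ == "__main__":
    report = diff_logs(WORKING_LOG, NONWORKING_LOG)
    for (op, path), (was, now) in report["result_changes"].items():
        print(f"{op} {path}: working={sorted(was)} broken={sorted(now)}")
```

Lines that survive normalization on both sides (the HKCR\CLSID open/close pair) drop out of the report, which is what makes the remaining differences worth reading.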

JMI
March 15th, 2004, 00:58
Hey DaddyJTHC:

You're not suggesting that I made a mistake, are you? That would be the first one I ever made....so far this evening. It is somewhat curious, though. I am using IDA, as I'm running XP SP2 and haven't gotten WDASM to work on my box. I have reviewed the IDA string references many times and don't see that listing. I have now checked the DLL with a text editor and do find the string at 1A882 but haven't figured out why they don't show up in IDA yet.

I can see two possibilities for copying but first we need to identify exactly what it refers to because it would do no good to have an entry without the corresponding COM object. Perhaps you could do a search of the machine that works and the one that doesn't for ".com" files and maybe we can identify what was installed. I need to figure out how to configure this version of IDA so it recognizes these strings.

Regards,

DaddyJTHC
March 15th, 2004, 01:36
Quote:
[Originally Posted by JMI] I'm running XP SP2 and haven't gotten WDASM to work on my box.

The version of wdasm I have runs fine on both my 2003 server box, and my xpsp1 box. It is version 8.9.

I will do a search on that machine next time I get a chance for the .com Object.

Also about the two CLSID's

The A6 one isn't useful to us. It is to verify addons to the program. We need to stick with just the B4 CLSID; that one is definitely the more important of the two.

JMI
March 16th, 2004, 02:17
DaddyJTHC:

Haven't had too much time with the program today, but do have a few interesting observations from the dead listing.

Public Entry of the DLL occurs at ViseEntry =10003E0A. At ViseEntry + 14A there is a reference to sub_100023B8 with a CODE XREF: sub_10001E1B+504.

Most of the relevant action seems to be connected with subroutines which begin at 10001E1B. This subroutine has a reference to DPERROR at 1E1B + 20A1, which is the "error code" format returned by the server.

We suspect that the "ApartmentModel" registry entry is important. There are calls related both to the "query", "creation", and "setting" of the Key at around 1E1B+ 504. ViseEntry + 14A calls 10001E1B + 504 which opens and queries the ApartmentModel Key at sub_100023B8.

10001E1B+4FA calls sub_10002476.

There are two calls to RegCreateKeyExA at 1002476 + 21 and at + 38. There are two calls to RegSetValueExA at 10002476 + 15C and at 10003DB3 + 44.

Only the Subroutines at 10002476 deals with "creating" and "setting" of an "ApartmentModel" Key. 2476 + 21 calls RegCreateKeyExA and 2474 + 15C calls RegSetValueExA in relation to an “ApartmentModel”.

ViseEntry + 1A7 calls sub_10001125 which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0. Each of these in turn goes to 1000D145. This may be the test of the returned number of "installs" returned from the server.

So some further study of the dead listing should hopefully lead to further isolation and understanding of these routines.

Regards,

nikolatesla20
March 16th, 2004, 09:33
w00t COM reversing I love...

Anyway, if it IS com it doesn't necessarily have to be on your machine, DCOM can create an object remotely over the internet. However, I doubt this is the actual case.

Wow I wouldn't mind looking at this in my spare time-

nikolatesla20_at_yahoo_D-O-T_com.

-nt20

Tolstoinisten
March 16th, 2004, 12:11
Quote:
[Originally Posted by JMI]I need to figure out how to configure this version of IDA so it recognizes these strings.


Did you find out what caused this "error", JMI?

Sorry to budge in like this. It is a very interesting read, but it would be nice to know what caused the error, so something like this doesn't happen with my version of IDA.

Cheerz,

DaddyJTHC
March 18th, 2004, 20:57
JMI:

I have searched the working computer over, and either do not know how to look, or didn't find anything.
Both computers make a reg entry to the tk421.dll file. I'm currently examining this file for any relevance, although I believe it is more of an "audio related nature". No luck on much of anything else, will keep posted.

DJ

DaddyJTHC
March 20th, 2004, 23:48
Quote:
[Originally Posted by nikolatesla20]w00t COM reversing I love...

Anyway, if it IS com it doesn't necessarily have to be on your machine, DCOM can create an object remotely over the internet. However, I doubt this is the actual case.

Wow I wouldn't mind looking at this in my spare time-

nikolatesla20_at_yahoo_D-O-T_com.

-nt20

PM me for more info if you're interested in helping!
DJ

The Svin
March 23rd, 2004, 11:33
... and flagrant violation of...
What does flagrant mean?

dELTA
March 23rd, 2004, 13:12
http://dictionary.reference.com/search?q=flagrant

Also, please use the "quote" functionality of the board when quoting people, instead of just making the quoted text italic, it is much less confusing.

DaddyJTHC
March 24th, 2004, 18:44
Hey JMI, any luck with anything?

JMI
March 24th, 2004, 19:42
I have been out of town for a few days and haven't gotten back to it yet. Will try again soon.

Regards,

DaddyJTHC
March 24th, 2004, 22:01
That's okay, just didn't hear anything from anyone. Glad you're back, hope it was recreational.

DJ

JMI
March 25th, 2004, 14:04
DaddyJTHC:

While you are "waiting" for me, did you look at those code sections which I mentioned back on March 16 which write the ApartmentModel entry, and/or try to further trace the code at ViseEntry + 1A7, which calls sub_10001125, which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0? Each of these in turn goes to 1000D145. I stated this may be the test of the returned number of "installs" returned from the server.

It is interesting that there are two setup files in the two folders created in the temp folder when the program starts up and before it connects to the company server. We need to find the code which reads whatever response is sent back and then follow what it does with it.

Also have you tried exporting the ApartmentModel key in regedit and importing it into the registry of the machine where the program doesn't work?

I also noticed that when trying to run the MOD version, it is asking for a rmbe3260.dll from RealProducer. I haven't taken apart the Installshield exe yet to see if it is included.

I suspect that once the server sends back whatever confirmation it does when it determines whether there have been more than five installs, it simply proceeds with the install, unpacks the install program and inserts the CSLID key as part of the setup instructions. Obviously more study is required, but you should be studying this code also.

Regards,

DaddyJTHC
March 25th, 2004, 17:01
Yes, I have been studying this code, although I am not the greatest. Yes, I have done a complete registry dump of the working machine and imported it into the non-working machine, still same error. I also believe recently that the company has eliminated my key, as now I am getting "Invalid Key Error". As I have previously stated, I don't have direct access to the working machine, so that is the reasoning between the slow updates.

I have noticed the coding you were referring to, 6, 5, 4, 3, 2, 1, and have tried a few NOP commands with no luck. I also was tracing back the errors, and seem to get "Windows must close this program" a lot when I try and bypass them.

As far as the server goes, I can't say that anything actually gets downloaded because I didn't ever check while I was installing with a valid key.

I have made several attempts to contact the company to get a replacement key, so hopefully that might work out.
I'll keep you updated. Thanks for the lookout advice.

DJ

DaddyJTHC
April 5th, 2004, 13:24
After further review, and the loss of my software, I am attempting one last snapshot of the working version. Results:
Software installed 09-05-99
Serial - Valid
Validation - Success
This software does not have access to internet, but did at time of registration
if nointernet but validation then success else failure

Non-working version. Results:
Software installed 09-05-99
Serial - Valid
Validation - Success
I have disabled this software's access to the internet.
Still causes failure return.

Software install form - Downloadable from online shopping cart.
Software Protection - In form of company DLL. -Can Bypass This but believe is incorrectly performed.
Other Software Protection - Database entries on company's local webserver.
Protection Data - Email & CdKEY Combination = encoded hexlet string e.g.
myemail.com|CdKey|SoftwareID or even MachineID = 9e9af73
Returns Validation Key is success. - Can Bypass this.

Installed Software makes final check of validation via internet. If internet isn't present the software will scream at you. Once the software makes this final check it no longer requires the internet.

Since I can no longer install this software correctly, I must use the working machine as a drive tool, but do not have direct access to it for long periods of time.

I have Filemon'd and Regmon'd the working computer, and imported the entire registry. No Success.

We were last looking for a COM Object in the ApartmentModel ? What would be the correct way to search for this. I am in-experienced when it comes to those.

Of course I have checked p2p software for working cracks; there is one, but it produces a "sound card error" on every machine.

I have searched far and wide, and have gotten the most help here, thanks to JMI & Sarge, and believe there is an answer within site. Please don't be scared to help.

JMI
April 14th, 2004, 19:07
DaddyJTHC:

Been very busy of late and haven't had much chance to play with the program. Did run the MOD version through PE Explorer and IDA, however, and noticed some interesting information. I noticed you are lurking on the Board and will add to this in a moment, when I locate my notes.

In my post of 3-15 I discussed the portion of the Vise DLL which contained the following code:

"ViseEntry + 1A7 calls sub_ 10001125 which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0. Each of these in turn goes to 1000D145. This may be the test of the returned number of "installs" returned from the server."

Looking at the Mod version of the file with PE Explorer I located the following:

0046A19F L0046A19F:
0046A19F C705AC525D0001001085 mov dword ptr [L005D52AC],85100001h
0046A1A9 E822F6FFFF call SUB_L004697D0
0046A1AE 8B0D4CEF5C00 mov ecx,[L005CEF4C]
0046A1B4 894C2404 mov [esp+04h],ecx
0046A1B8 83F806 cmp eax,00000006h
0046A1BB C644244401 mov byte ptr [esp+44h],01h
0046A1C0 773F ja L0046A201
0046A1C2 FF248534A24600 jmp [CASE_PROCTABLE_0046A234+eax*4]
0046A1C9 CASE_0046A234_PROC0000:
0046A1C9 6810FD5900 push SSZ0059FD10_Application_validated
0046A1CE EB28 jmp L0046A1F8

0046A1D0 CASE_0046A234_PROC0001:
0046A1D0 68F4FC5900 push SSZ0059FCF4_Validation_Failed__Bad_Key
0046A1D5 EB21 jmp L0046A1F8
0046A1D7 CASE_0046A234_PROC0002:
0046A1D7 68D4FC5900 push SSZ0059FCD4_Validation_Failed__Key_Overuse
0046A1DC EB1A jmp L0046A1F8
0046A1DE CASE_0046A234_PROC0003:
0046A1DE 68B0FC5900 push SSZ0059FCB0_Validation_Failed__Email_mismatc
0046A1E3 EB13 jmp L0046A1F8
0046A1E5 CASE_0046A234_PROC0004:
0046A1E5 6890FC5900 push SSZ0059FC90_Validation_Failed__ID_mismatch
0046A1EA EB0C jmp L0046A1F8
0046A1EC CASE_0046A234_PROC0005:
0046A1EC 6874FC5900 push SSZ0059FC74_Validation_Failed__Unknown
0046A1F1 EB05 jmp L0046A1F8
0046A1F3 CASE_0046A234_PROC0006:
0046A1F3 6848FC5900 push SSZ0059FC48_Validation_Failed__No_Internet_C
0046A1F8 L0046A1F8:
0046A1F8 8D4C2408 lea ecx,[esp+08h]
0046A1FC E873DE0E00 call SUB_L00558074

0046A201 L0046A201:
0046A201 8D4C2404 lea ecx,[esp+04h]
0046A205 C644244400 mov byte ptr [esp+44h],00h
0046A20A E828DD0E00 call SUB_L00557F37
0046A20F 8D4C2408 lea ecx,[esp+08h]
0046A213 C7442444FFFFFFFF mov dword ptr [esp+44h],FFFFFFFFh
0046A21B E8E0B7FEFF call SUB_L00455A00
0046A220 8B4C243C mov ecx,[esp+3Ch]
0046A224 8BC6 mov eax,esi
0046A226 5E pop esi
0046A227 64890D00000000 mov fs:[00000000h],ecx
0046A22E 83C444 add esp,00000044h
0046A231 C3 retn
;----------------------------------------------------------------------------------------------------


;----------------------------------------------------------------------------------------------------
0046A232 8BFF Align 4
0046A234 CASE_PROCTABLE_0046A234:
0046A234 C9A14600 dd CASE_0046A234_PROC0000
0046A238 D0A14600 dd CASE_0046A234_PROC0001
0046A23C D7A14600 dd CASE_0046A234_PROC0002
0046A240 DEA14600 dd CASE_0046A234_PROC0003
0046A244 E5A14600 dd CASE_0046A234_PROC0004
0046A248 ECA14600 dd CASE_0046A234_PROC0005
0046A24C F3A14600 dd CASE_0046A234_PROC0006

0046A250 SUB_L0046A250:
0046A250 6AFF push FFFFFFFFh
0046A252 6825D35600 push L0056D325
0046A257 64A100000000 mov eax,fs:[00000000h]
0046A25D 50 push eax
0046A25E 64892500000000 mov fs:[00000000h],esp
0046A265 81EC0C010000 sub esp,0000010Ch
0046A26B A14CEF5C00 mov eax,[L005CEF4C]
0046A270 56 push esi
0046A271 C744240800000000 mov dword ptr [esp+08h],00000000h
0046A279 89442404 mov [esp+04h],eax
0046A27D 8B942424010000 mov edx,[esp+00000124h]
0046A284 A160685D00 mov eax,[L005D6860]
0046A289 8D4C240C lea ecx,[esp+0Ch]
0046A28D 6804010000 push 00000104h
0046A292 51 push ecx
0046A293 52 push edx
0046A294 50 push eax
0046A295 C7842428010000010000+ mov dword ptr [esp+00000128h],00000001h
0046A2A0 FF1574655700 call [USER32.dll!LoadStringA]
0046A2A6 8D4C240C lea ecx,[esp+0Ch]
0046A2AA 51 push ecx
0046A2AB 8D4C2408 lea ecx,[esp+08h]
0046A2AF E8C0DD0E00 call SUB_L00558074
0046A2B4 8BB42420010000 mov esi,[esp+00000120h]
0046A2BB 8D542404 lea edx,[esp+04h]
0046A2BF 52 push edx
0046A2C0 8BCE mov ecx,esi
0046A2C2 E8E5D90E00 call SUB_L00557CAC
0046A2C7 C744240801000000 mov dword ptr [esp+08h],00000001h
0046A2CF 8D4C2404 lea ecx,[esp+04h]
0046A2D3 C684241801000000 mov byte ptr [esp+00000118h],00h
0046A2DB E857DC0E00 call SUB_L00557F37
0046A2E0 8B8C2410010000 mov ecx,[esp+00000110h]
0046A2E7 8BC6 mov eax,esi
0046A2E9 5E pop esi
0046A2EA 64890D00000000 mov fs:[00000000h],ecx
0046A2F1 81C418010000 add esp,00000118h
0046A2F7 C3 retn
;----------------------------------------------------------------------------------------------------

00558074 SUB_L00558074:
00558074 56 push esi
00558075 57 push edi
00558076 8B7C240C mov edi,[esp+0Ch]
0055807A 8BF1 mov esi,ecx
0055807C 85FF test edi,edi
0055807E 7504 jnz L00558084
00558080 33C0 xor eax,eax
00558082 EB07 jmp L0055808B

00558084 L00558084:
00558084 57 push edi
00558085 FF1564615700 call [KERNEL32.dll!lstrlenA]
0055808B L0055808B:
0055808B 57 push edi
0055808C 50 push eax
0055808D 8BCE mov ecx,esi
0055808F E863FFFFFF call SUB_L00557FF7
00558094 8BC6 mov eax,esi
00558096 5F pop edi
00558097 5E pop esi
00558098 C20400 retn 0004h

00557FF7 SUB_L00557FF7:
00557FF7 56 push esi
00557FF8 57 push edi
00557FF9 8B7C240C mov edi,[esp+0Ch]
00557FFD 8BF1 mov esi,ecx
00557FFF 57 push edi
00558000 E809FFFFFF call SUB_L00557F0E
00558005 57 push edi
00558006 FF742414 push [esp+14h]
0055800A FF36 push [esi]
0055800C E89F1BFEFF call SUB_L00539BB0
00558011 8B06 mov eax,[esi]
00558013 83C40C add esp,0000000Ch
00558016 8978F8 mov [eax-08h],edi
00558019 8B06 mov eax,[esi]
0055801B 80243800 and byte ptr [eax+edi],00h
0055801F 5F pop edi
00558020 5E pop esi
00558021 C20800 retn 0008h

What this shows is that the return of "0" leads to the:

push SSZ0059FD10_Application_validated
0046A1CE EB28 jmp L0046A1F8

section of the code and is where the Code has to end up if it is validated by what has been returned from the server.

Have you traced the MOD version in Softice and found the point where it failed? I still suspect that it is failing because of the absence of the COM entry we previously discussed.

Have you done a "file compare" on the working exe vs. the MOD exe to see what was changed and where?

Hope to have some more time to play with it soon.

Regards,


DaddyJTHC
April 15th, 2004, 18:55
Interesting,
Yes, I have traced the mod version, and it fails on a sound card 421 error. This may have something to do with the COM object as you have stated. I myself have been busy also, but I hope to have some time this weekend to have access to the working machine so I can try and capture the whole system state, and restore it to mine; that way I can have more play time with it.

Thanks much.
Daddyj