Log in

View Full Version : teleport pro


digyoubetterdead
June 11th, 2001, 09:25
I cracked a program by forcing a serial number on it, but when I close and open the same program again, I get a message stating that a possible virus was detected and that the program will not run. What is causing this and how can i disable it?

Clandestiny
June 11th, 2001, 10:12
Hiya,

Likely there is a CRC check within the proggy which detects if any bytes have been altered by patching. You'll need to locate this routine and disable it.

Realizing this, a good approach would be to...

Run an API monitor to log the file operation API's. CreateFileA, ReadFile, OpenFile, _lopen, _hread, _lcreat, MapViewOfFile... those are the main ones.
There is a good chance that one or more of these API's will be used to open the file / map it into memory so it can be read and the CRC calcuation can be performed. Once you've found the when and where from the monitor, set a bpx on the suspicious function. SICE should *hopefully* break close to the CRC routine.

If not, a backtrace between CreateFile (or whatever API it uses) and the error MessageBox could be another useful tatic.

Likewise, I'd suggest doing a search right here on the local Fravia mirror for CRC checks. There are at least a handful of essays on the topic which could prove insightful.

Hope this helps

Regards,
Clandestiny

digyoubetterdead
June 11th, 2001, 20:30
thanx