View Full Version : Anti Smartcheck


SiGiNT
March 7th, 2005, 18:04
Ok,

I've been reading and learning and watching this forum for quite a while, and now I think I'm brave enough to start a thread. I've been playing with this tool and I really like it, but it seems that there are some anti-Smartcheck tricks out there that I can't find any info on. I've found a couple of threads that discuss one of these problems - Smartcheck crashes when loading the target - and they end with the assumption that the file header was unpacked incorrectly, but this doesn't seem to be the case: I've got a target that has not been packed that does this (no traces of previous packing either), and another app that loads fine but when run shows absolutely no event info. None of these has the types of anti-Smartcheck stuff I've found - search for the string smartcheck or the NMSC--- thing. I do have one crackme that is dumb enough to issue a nag so I know how to bypass that one. I guess my long-winded request is for a pointer to a good tut on how to defeat anti-Smartcheck routines. There is some good info from the other side located at:

http://www.activelock.org/boards/?showtopic=6

Any additional help would be appreciated. (I've been using both ver. 6.03 and 6.6.)

Thanx!,

SiGiNT

Someone in one of the threads mentioned a 2 byte change to a Smartcheck DLL that would presumably defeat some of the anti-Smartcheck schemes. Does anyone have that info?

Ricardo Narvaja
March 8th, 2005, 09:40
Smartcheck activates the IsDebuggerPresent flag and can be detected with the API IsDebuggerPresent or by checking the byte checked by the API.

Ricardo Narvaja

FoolFox
March 8th, 2005, 10:02
Also, Smartcheck doesn't much like multi-threaded applications...

That may be why you didn't see anything in the event windows. Have you ever been successful with Smartcheck? Because it needs to be properly configured to give the desired results....

FoolFox

SiGiNT
March 8th, 2005, 14:22
Thanx for the replies!

I'm using the settings recommended by Eternal Bliss in the eb_tut4, although I've read several tuts all with different recommendations, and have had very good success with fishing out serials that are not encrypted. The only difficulty in reversing a serial protection has been when the input serial is encrypted and checked against the encrypted real serial; it appears that Smartcheck isn't great at exposing arithmetic ops. I don't think IsDebuggerPresent is the problem, as the targets run fine outside of Smartcheck with Smartcheck open, and a dead listing doesn't show that call. I kinda wonder about the QueryInterface call - maybe that is where the detection is taking place.

SiGiNT

Ricardo Narvaja
March 8th, 2005, 14:36
If Smartcheck is open but not debugging your application, the flag is not activated; only when you debug with Smartcheck or another debugger does the flag change to 1.

The test is, for example: run your program in a debugger (OllyDbg, for example) without any plugin to hide the debugger from the API IsDebuggerPresent. If the program runs, it is another problem; if not, the flag is tested directly.

Ricardo Narvaja

SiGiNT
March 9th, 2005, 19:08
Ricardo,

One of my targets will not run in Olly - bad memory write - so IsDebuggerPresent is probably the reason it crashes Smartcheck, but I still have others that do run in Olly but crash Smartcheck. Now the good news - they all run in BoundsChecker (a variation on Smartcheck), the difference being that BoundsChecker does not flag specific events like RegClick or Click1 that narrow the search; all the data is there, but it's buried in the continuous stream of timer data and is much harder to find. If I can find the differences in the environment between Smartcheck and BoundsChecker, I'll know what to look for. In the meantime I also need to find the reason for no event reporting for my other crackme.

Thanx for your help!

SiGiNT

Crudd
March 10th, 2005, 22:46
There are a few ways of detecting SC that I know of. You can use FindWindow to check if any of the captions/classnames match up to the one(s) in an unmodified version. My tool RE-Pair will fix SC so that this method doesn't work.
IsDebuggerPresent can also be used, as Ricardo Narvaja stated. Note that just because the API isn't there doesn't mean the programmer hasn't coded his own version (it's only a few asm lines long).
And one more method that I know of is checking for the presence of .SUP files in the program's directory. These files are created and used by SC. I haven't quite figured out where the .SUP file creation takes place, so RE-Pair doesn't fix this yet. If anyone knows, I would love for them to share it with me.
Hope this helps you out. If one of these methods is not used, I would love to take a look at the app to see if I can figure it out.
Crudd [RET]
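
An added example, not part of any post in this thread: a triage scan for the point made above that a missing IsDebuggerPresent import does not rule out a hand-coded copy of the check. It searches raw 32-bit x86 code bytes for a load of the TEB or PEB pointer from the FS segment followed shortly by a byte access at offset +2. The offsets (fs:[18h], fs:[30h], PEB+2) are the standard Windows layout rather than something stated in the thread, the function names are hypothetical, and the sample bytes are constructed.

```python
import re

# 32-bit x86 loads from the FS segment (standard encodings, not from the thread):
#   64 A1 <disp32>          mov eax, fs:[disp32]
#   64 8B <modrm> <disp32>  mov r32, fs:[disp32]
# fs:[18h] holds the TEB pointer and fs:[30h] the PEB pointer; PEB+2 is the
# BeingDebugged byte, i.e. the byte the API itself reads.
FS_LOAD = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x35\x3D])([\x18\x30])\x00\x00\x00")

def _byte_read_at_plus2(buf: bytes, i: int) -> bool:
    """True if buf[i:] looks like a byte access to [reg+2] with an 8-bit displacement."""
    if buf[i:i + 2] == b"\x0f\xb6":            # movzx r32, byte ptr [reg+disp8]
        operand = buf[i + 2:i + 4]
    elif buf[i:i + 1] in (b"\x8a", b"\x80"):   # mov r8, [reg+disp8] / cmp-style op on the byte
        operand = buf[i + 1:i + 3]
    else:
        return False
    if len(operand) < 2:
        return False
    modrm, disp = operand
    # mod == 01 (disp8), r/m != 100 (no SIB byte), displacement == 2
    return (modrm & 0xC0) == 0x40 and (modrm & 0x07) != 4 and disp == 2

def find_inline_debug_checks(code: bytes, window: int = 24):
    """Return (fs_load_offset, 'TEB'|'PEB', byte_read_offset) for each candidate."""
    hits = []
    for m in FS_LOAD.finditer(code):
        tail = code[m.end():m.end() + window]
        for i in range(len(tail) - 2):
            if _byte_read_at_plus2(tail, i):
                via = "TEB" if m.group(1) == b"\x18" else "PEB"
                hits.append((m.start(), via, m.end() + i))
                break
    return hits

def triage(image: bytes) -> dict:
    """Compare what the import names suggest with what the code bytes suggest."""
    return {"imports_IsDebuggerPresent": b"IsDebuggerPresent" in image,
            "inline_checks": find_inline_debug_checks(image)}

# Constructed sample bytes (not from any real target).
SAMPLE = bytes.fromhex(
    "90 90"
    "64 A1 18 00 00 00 8B 40 30 0F B6 40 02 C3"   # API-style body: TEB -> PEB -> byte at +2
    "64 A1 00 00 00 00 50"                        # SEH prologue, must not be flagged
    "64 8B 0D 30 00 00 00 80 79 02 00 75 05")     # PEB directly, cmp byte ptr [ecx+2], 0

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is only a candidate for review in the disassembly, since a raw byte scan cannot tell code from data.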

SiGiNT
March 11th, 2005, 00:05
Crudd,

I think I can prevent the crashing problem by preventing the app from issuing an Alt+F4 keystroke - I'm doing a lot of searching and can't seem to find the hex equivalent (I would imagine this is probably the 2 byte SmartCheck DLL modification, but which one? There are about 8 or 10 of them). I tried RE-PAIR and it didn't work, probably because I'm on an XP platform - actually it seemed to disable SmartCheck 6.03; I haven't tried it on ver 6.6 yet. I have a tendency to obsess on problems like this, so I hope eventually I'll find an answer - this is probably a good trait for a newbie! Of course I could always break down and learn how to use Olly.

SiGiNT

You can prevent the .sup file being written by making the directory the target is in read-only.

Added later:

Well NUTZ! Blocking Alt+F4 doesn't do it - back to the reading room! I'm sure you would have no problems with this target, but if I don't figure it out myself, I wouldn't really be learning anything. Thanks for the offer! I may have you look at the one that Smartcheck loads and runs without showing any events; that's a crackme from FCE.