Hint on loadmoduleA


iwannacrack
June 30th, 2005, 20:24
First, I am an extreme newbie, so please try to ignore my ignorance.

That being said, I am attempting my first crack. The exe has references to the standard dlls, but from what I can tell, once launched it loads a few more using the Kernel32.LoadLibraryA. One of these files has the code for the registration dialog and the code to validate the serial.

I have been able to find the jne where the loaded dll displays success or failure of the serial and have cheated by changing this to je and got the success message. But it was a short-lived celebration, as the file was not cracked. So obviously somewhere upstream it is doing more work and I am not cracking these spots.

But I am very green. I cannot seem to find, or find on a search engine, a hint on how to find where the EXE file transfers control to the dll. The dll is very big and is more than likely used for many of the vendor's products, so not all routines pertain to my EXE. And as the dll is not loaded till after the launch of the EXE, there are no references to it in the EXE to see where it is called.

Can someone provide a hint how I can tell where the main EXE calls the DLL and how to determine the exact entry point into the dll.

Hopefully this is not an obvious or stupid question.

Thanks

SiGiNT
June 30th, 2005, 20:56
You really should read some tuts; the ARTeam link at the bottom is a great place to look. Be prepared to think, as most of these tuts (intentionally?) leave a key but usually obvious piece of info out.

SiGiNT

Fake51
July 1st, 2005, 03:06
Yeah, tuts and lots of them.

Some help:
If the exe loads the library with LoadLibrary, then it most likely finds the exports it wants with GetProcAddress.
You have three things to do:
1. Check the exe file for strings - these might point you in the right direction, as among them there might be the name of the export you're looking for.
2. Disassemble the dll and check the exports. You might find the export you're looking for just by looking at the names.
3. Use a debugger to set conditional breaks on GetProcAddress, to check what functions the exe calls in the dll. You can then break on those functions and see which one provides the dialog, and how data is used after the function call.

Fake
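Steps 1 and 2 above can be done offline, before the debugger comes into it. The following is an added example, not code from the thread or from any vendor's product: a stdlib-only Python script that walks a PE DLL's export directory to list the exported names, then checks which of those names show up as strings in the EXE (the names an EXE passes to GetProcAddress are usually stored as plain ASCII). The DLL and EXE bytes are constructed inside the script (a tiny hand-built PE32 with three made-up exports, and a byte string standing in for the EXE); on a real target you would read both files with open(..., "rb"). Step 3, the GetProcAddress breakpoint, still has to be done live in the debugger.

```python
import re
import struct


def build_sample_dll():
    """Constructed sample input: a minimal PE32 DLL whose only section holds an
    export directory. Export names and RVAs are made up for this example."""
    names = ["CheckSerial", "InitLicense", "ShowRegDialog"]
    func_rvas = [0x2010, 0x2040, 0x2080]
    sec_rva, sec_off, n = 0x1000, 0x200, len(names)
    # Section body layout: 40-byte export directory, then the three tables, then strings
    funcs_at, names_at = 40, 40 + 4 * n
    ords_at, strings_at = names_at + 4 * n, names_at + 4 * n + 2 * n
    strings = b"REGLIB.dll\0"
    dll_name_rva = sec_rva + strings_at
    name_rvas = []
    for nm in names:
        name_rvas.append(sec_rva + strings_at + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       sec_rva + funcs_at, sec_rva + names_at, sec_rva + ords_at)
    body += struct.pack("<%dI" % n, *func_rvas)
    body += struct.pack("<%dI" % n, *name_rvas)
    body += struct.pack("<%dH" % n, *range(n))   # name i -> function index i
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3c
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<HBB" + "I" * 9 + "HHHHHH" + "IIII" + "HH" + "IIIIII",
                      0x10B, 0, 0, 0, len(body), 0, 0, 0x1000, 0x1000, 0x10000000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = struct.pack("<II", sec_rva, len(body)) + b"\0" * (8 * 15)  # export dir first
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, 0x200,
                       sec_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + dirs + sect
    return headers.ljust(sec_off, b"\0") + body.ljust(0x200, b"\0")


def pe_exports(data):
    """Step 2: return {export_name: function RVA} from a PE32/PE32+ export directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)   # data directories (PE32 vs PE32+)
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off)
    if exp_rva == 0:
        return {}
    # The section table maps RVAs (what the export tables hold) to file offsets
    sections = []
    for i in range(nsect):
        vaddr, rawsize, rawptr = struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
        sections.append((vaddr, rawsize, rawptr))

    def rva2off(rva):
        for vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + rawsize:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    e = rva2off(exp_rva)
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", data, e + 20)
    funcs, names, ords = rva2off(funcs_rva), rva2off(names_rva), rva2off(ords_rva)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]   # index into AddressOfFunctions
        if idx >= n_funcs:
            raise ValueError("corrupt export table: ordinal index out of range")
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        # Note: a func_rva that lands inside the export directory is a forwarder, not code
        exports[cstr(rva2off(name_rva))] = func_rva
    return exports


def ascii_strings(data, min_len=4):
    """Step 1: printable-ASCII runs, the same thing a 'strings' tool shows."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def exports_named_in(exe_bytes, exports):
    """Which of the DLL's export names does the EXE carry as a string? Those are the
    likely GetProcAddress targets; the rest of the DLL probably serves other products."""
    strings = ascii_strings(exe_bytes)
    return sorted(name for name in exports if any(name in s for s in strings))


# Constructed stand-in for the EXE: import names plus the strings it would hand to
# LoadLibraryA and GetProcAddress. "InitLicense" is deliberately absent.
SAMPLE_EXE = (b"MZ\x90\0" + b"\0" * 16 + b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0"
              b"REGLIB.dll\0CheckSerial\0ShowRegDialog\0Wrong serial number!\0")

if __name__ == "__main__":
    exports = pe_exports(build_sample_dll())
    for name, rva in exports.items():
        print("%-16s RVA 0x%x" % (name, rva))
    print("named in EXE:", exports_named_in(SAMPLE_EXE, exports))
```

On a real target, `pe_exports(open("vendor.dll", "rb").read())` gives the full export list, and the names that survive `exports_named_in` are the ones to set breakpoints on first; an EXE that resolves exports by ordinal or builds the name at runtime will show nothing here, which is itself a hint that step 3 is the way to go.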

Aimless
July 1st, 2005, 03:41
Have you tried to see whether reversing the JNE actually reverses the PROTECTION or simply reverses the message box DISPLAY?

These are two different things. In many cases its like this:

VERIFICATION_ROUTINE
:
:
jne bad_guy_routine
else continue with full program
:
:

BAD_GUY_ROUTINE:
:
jne Exit_Quickly_Routine
display_msg_box
jmp Exit_Quickly_Routine
:

EXIT_QUICKLY_ROUTINE
:
Just Quit man!
:


The point to note is that to correctly crack the program, you may have to crack the verification routine, not the bad guy routine. Check whether this is indeed the case.

Have Phun

iwannacrack
July 1st, 2005, 20:25
Thank you all for the excellent advice thus far. I have searched and downloaded quite a few tuts, most dealing with Olly, which I have been attempting to use. It appears I still have much to learn.

Unfortunately, it was an old tut which got me into this puzzle. It described how to crack an older version of the proggy I am attempting. I could not locate the old file so ended up with the next version higher, which obviously addressed the easy crack.

But I love a good puzzle. And after the tuts, advice and revisiting my education on assembly, I am much closer to the end result today. I will advise when I get it, as this will be my first, but not my last. I do suspect I have cracked the bad guy routine, but not the validation. But learning how to use Olly better has directed me to the validation code I believe.

Thanks to those who replied, and thanks for your patience.

iwannacrack