=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[LineZer0 Network 99]=-=

File Investigator

Protections:
- Setup Protection
- File Protection
- Nag Screen at the start

================
Setup Protection
================

This protection is very easy. Normally the setup is password protected. Get a
file monitor and start it. Configure it so that it only shows the fi150s files;
in mine that is done under the menu Events/Filter, process included: fi150s.
Start the setup and type in a password. Oh, it unzips! When it unzips it has to
save the files on the hard disk, so let's see with Filemon where it puts them.
It puts the files in the temporary Windows folder! That is where it unzips the
files, but they are also in another folder. Start the Explorer and copy the
files to the desktop or anywhere else. Open the folder: lol, there are all the
files. Ok, this protection is finished!

===============
File Protection
===============

When you start the exe, a nag appears: "File Investigator was not properly
installed!" So only copying the files won't work, you should finish the setup
till the end! Hmm, maybe the program needs something from the registry. Let's
disassemble the file with W32Dasm (but make a copy of the file first!). When it
is finished, go to the string refs and search for the f*cking nag. If you have
found it, you are here:

***************************************************************************
********************************CODE STARTS********************************
* Possible StringData Ref from Data Obj ->"Software\RobWare\FileInvestigator"
                                        ->"\1.50\Path"        (a reg key? sure)
                                  |
:00401039 68C8204100              push 004120C8               (push the reg key)
:0040103E 6802000080              push 80000002               (HKEY_LOCAL_MACHINE)

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h               (open the reg key)
                                  |
:00401043 FF1500004100            Call dword ptr [00410000]   (does the key exist?)
:00401049 85C0                    test eax, eax
:0040104B 741B                    je 00401068                 (if yes -> good user [jump],
                                                              if no -> bad cracker!
                                                              change JE -> JMPS)
:0040104D 6A10                    push 00000010               (the error msg)

* Possible StringData Ref from Data Obj ->"File Investigator Properties"
                                        ->"Start Error"
                                  |
:0040104F 68F4204100              push 004120F4

* Possible StringData Ref from Data Obj ->"File Investigator was not "
                                        ->"properly installed!"
                                  |
:00401054 6820214100              push 00412120
:00401059 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh                 (show the msgbox)
                                  |
:0040105B FF1568014100            Call dword ptr [00410168]
:00401061 33C0                    xor eax, eax
:00401063 E960060000              jmp 004016C8                (jump to exit program,
                                                              and jmp over the next code)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040104B(C)                                                 (good user! go on in program)
|
:00401068 E867080000              call 004018D4
:0040106D 8D9560FFFFFF            lea edx, dword ptr [ebp+FFFFFF60]
:00401073 52                      push edx
*********************************CODE ENDS*********************************

So we only have to change the JE into a JMPS, because then it jumps every time
to the good message. So let's do it in Hiew! Try it, it works! Now another nag
appears, but we can use the program now. This nag is also annoying, so let's
patch it away!

===================
Nag Screen patching
===================

"THANK YOU FOR INSTALLING..." Let's search for the string in W32Dasm (string
refs), then click on it. We are here:

********************************CODE STARTS********************************
:00402E98 8985E8F7FFFF            mov dword ptr [ebp+FFFFF7E8], eax
:00402E9E 81BDE8F7FFFF10010000    cmp dword ptr [ebp+FFFFF7E8], 00000110  (WM_INITDIALOG)
:00402EA8 7411                    je 00402EBB                 <- this jumps to bad!
:00402EAA 81BDE8F7FFFF11010000    cmp dword ptr [ebp+FFFFF7E8], 00000111  (WM_COMMAND)
:00402EB4 7423                    je 00402ED9                 <- if we patch this one there
                                                              <- wouldn't be text in the dlg
                                                              <- box. this one pushes the text!
:00402EB6 E9C0040000              jmp 0040337B                <- this one is good!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EA8(C)
|
* Possible StringData Ref from Data Obj ->"Thank you for installing File "
                                        ->"Investigator Properties."
                                  |
:00402EBB 68802B4100              push 00412B80
:00402EC0 6847040000              push 00000447
:00402EC5 8B4D08                  mov ecx, dword ptr [ebp+08]
:00402EC8 51                      push ecx
*********************************CODE ENDS*********************************

So, what do we have to do now? We should NOP the second JE... but no, if we
patch this one there is no text in the dialog box and the buttons don't work!
End the program with CTRL+ALT+DEL! So the whole function starts at 00402E81,
and right before that there is a RET, so the function starts there! ;) Let's
go to the menu Search/Find Text and type in the address. W32Dasm first finds
the function itself; that's not what we want, so try it again. Now we are here:

*******************************CODE STARTS*******************************
:00401074 682C224100              push 0041222C
:00401079 6802000080              push 80000002

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h               ;open reg key
                                  |
:0040107E FF1500004100            Call dword ptr [00410000]
:00401084 85C0                    test eax, eax
:00401086 7417                    je 0040109F                 ;is it really installed?
                                                              ;yes? then goto good user
                                                              ;no? then bad msgbox
:00401088 6A00                    push 00000000
:0040108A 68812E4000              push 00402E81               ;here's the address!
:0040108F 6A00                    push 00000000
*********************************CODE ENDS*********************************

So, there is a good JE that jumps over the PUSH command. But I don't know what
this push would do? Let's try anyway: patch the JE to a JMPS. Start the
program... yes, it works! But another nag will be shown. No panic, that's only
a dialog telling us that we started the program without parameters. Drop a
file on the exe and it will work!

Good work ppl!

-nOstradamus [cD] '99
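A footnote from the defender's side, added here and not part of nOstradamus's tutorial: both checks above hinge on a single JE (opcode 74) that a one-byte edit turns into a JMP short (EB), so a publisher who ships a hash of the binary can spot exactly that class of change. The script below is constructed example code (not the program's own); the reference bytes are taken from the first listing and the tampered copy is constructed to match the edit the text describes.

```python
"""Flag one-byte branch edits between a known-good image and the copy on disk."""
import hashlib

# x86 short conditional-branch opcodes that a one-byte patch typically targets.
SHORT_JCC = {0x74: "je", 0x75: "jne"}
JMP_SHORT = 0xEB
NOP = 0x90


def file_digest(data: bytes) -> str:
    """SHA-256 of the whole image: the cheapest first check is a plain hash compare."""
    return hashlib.sha256(data).hexdigest()


def classify(orig: int, new: int) -> str:
    """Name the well-known single-byte edits; anything else is just a changed byte."""
    if orig in SHORT_JCC and new == JMP_SHORT:
        return f"{SHORT_JCC[orig]} short -> jmp short (check made unconditional)"
    if orig in SHORT_JCC and new == NOP:
        return f"{SHORT_JCC[orig]} short -> nop (check removed)"
    return "other byte change"


def find_branch_patches(reference: bytes, suspect: bytes):
    """Return [(offset, orig_byte, new_byte, description)] for every differing byte."""
    if len(reference) != len(suspect):
        # A size change is a different kind of tampering; report it as one finding.
        return [(min(len(reference), len(suspect)), None, None, "image length differs")]
    return [(off, r, s, classify(r, s))
            for off, (r, s) in enumerate(zip(reference, suspect)) if r != s]


def check_image(reference: bytes, suspect: bytes) -> dict:
    """Summary: does the digest match, and if not, which bytes moved and how."""
    same = file_digest(reference) == file_digest(suspect)
    return {"digest_match": same,
            "findings": [] if same else find_branch_patches(reference, suspect)}


# Constructed sample: the bytes at 00401043..0040104E from the first listing
#   FF1500004100  call [00410000]   ; RegOpenKeyA
#   85C0          test eax, eax
#   741B          je 00401068
#   6A10          push 10
REFERENCE = bytes.fromhex("FF1500004100" "85C0" "741B" "6A10")
# The same bytes after the JE -> JMPS edit the text describes (constructed).
SUSPECT = bytes.fromhex("FF1500004100" "85C0" "EB1B" "6A10")

if __name__ == "__main__":
    for off, r, s, why in check_image(REFERENCE, SUSPECT)["findings"]:
        print(f"offset {off:#06x}: {r:02X} -> {s:02X}  {why}")
```

Against a real file you would read the shipped image and the on-disk copy with `open(path, "rb").read()` in place of the two constructed byte strings.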