jimmyboy
09-13-2009, 09:10 PM
Here is what I have so far...
First I tried W32Dasm - no dice - it would crash as soon as I loaded the EXE
I suspected packing so I used PEiD - hmm no results except it was identified as Borland Delphi Ver 7-8
Next I tried Quick Unpack just to make sure - it says it's not packed so I move on to OllyDbg
The program has a nag screen I need to get past and just kills the window after it tells you "This software is NOT free" .. the trial period is ended blah blah blah - buy or close.. well close.. window killed.. grief..
So let's try setting a breakpoint on DestroyWindow and see what comes up
I load it up in Olly - run - hmm an exception - press Shift-F7 - press run again - ok now here we are - keyhook.dll and our message is up.. (Picture 1)
Plugins->Command Line-> type "BP DestroyWindow" enter -> Run
Now it stops at our spot (Picture 2)
Set a breakpoint on the return right below it and look for the Kill Window command by pressing F8 - here is where I get lost - I did try NOOPing the return and found one Kill Window command - restarting and running again but just killed the exe -- any hints? help?
Since there is a trial period - there should be a routine counting the days... How would I track that down I wonder..
************************************************
Hmm a new day - and a second try..
You can see the DestroyWindow call down in the bottom right corner and its address in the PDFExploder executable - so let's go there..
(Picture 3)
right click - View - module PDFExp
now scroll to the address AE60D
Hmm not much to see - no strings nearby - no return nearby. We can try NOOPing the DestroyWindow itself, or maybe a C3 (a Return) at the top at AE5DC where this subroutine seems to start
so write down the codes at AE60D
50E853A7F5FF
and remember the address at the top AE5DC
(Picture 4)
now let's close and go to WinHex to do some editing
so here we are in WinHex and we will try our addresses
Position->go to offset->AE60D ??? hmm that's not right - this data doesn't match..
let's try this again - let's search for our hex data
Search->Find hex values - 50E853A7F5FF
(Picture 5)
there it is.. the addresses are shifted around for some reason but we found it.. so let's put some NOOPs in our places and try running each time
type over 50E853A7F5FF with 00's or FF's - save and run - hmm no dice
Crash -- try a C3 Return at the top - AE50C - when you restart WinHex it will go back; just put the old data back and save - hmm same thing *CRASH*
Let's try finding our favorite message - "this software is NOT free"
right click->Search For->All Referenced strings
this will pull up all the strings in the executable
right click->search for text -- type "this software" unclick case sensitive - hmm nothing.. back to the drawing board ...
Another Day -- and another swing at this..
Let's see if their protection is embarrassingly simple and go "low tech"
hmm.. turn the system clock back 30 days... nope no dice..
registry keys?
regedit.. only see their software entry under hkey_user - let's export to save and restore if we need later - delete.. Run - well it asks for my language - same thing
ok well back to Olly - let's try tracking down that stinking nag message.. it's not in pdfexploder.exe or keyhook.dll, it's in the "lang" subfolder - how nice of them to make their prog in every language - "english.lng" there it is.. so now we should breakpoint on the ReadFile API since the executable has to read the message from an outside source, or maybe LoadLibraryA so we can see when the program loads keyhook.dll
well keyhook led me to a little subroutine - but it's obviously essential and has to do with all the keyboard input and doesn't seem to be part of the protection scheme - I tried NOOP/Return with the keyhook sub - lock and crash..
Now let's try a BP on the ReadFile API for the english.lng data file - hmm a few of them here.. replace with NOOP or Return, loop loop - here is the last one - infinite loop - well at least it wasn't a crash - maybe I am closer .. maybe not
OH... you can tell you have an infinite loop when you start a program and check Task Manager and see that your Performance scale is locked at 100% for Pdfexploder ...
well that's half a dozen more "easy" ways checked -- comments welcome.. no pics today -- well unless I get requests for them