Task 1 - final solution
Sunday, 11-Apr-99 11:22:31

This is how the anti-SmartCheck code can be bypassed:

In Boundschecker, the following API codes can be seen:

    FindWindow        //pointer to 'NUMEGA SMARTCHECK' as parameter

followed by:

    GetDesktopWindow
    GetWindow
    GetWindowTextA
    GetWindow
    GetWindowTextA
    GetWindow
    GetWindowTextA
    ...
    GetWindow         //returns HWND=0

So what the program does: it searches for the SmartCheck window. If it doesn't find it, it checks all the windows' captions, whether they are 'NUMEGA SMARTCHECK' or not.

How to bypass it:

First, 'bpx FindWindowA'. When SICE breaks:

    dd esp            (want to see the parameters)

For me, the params were:

    01F3:0044F3E0 BFF93D01 00000000 0064F3F8

And they mean:

    stack return_address NULL pointer2string

so:

    db 64F3F8

and edit the string (don't type g yet).

Now, for the 'GetWindow, GetWindowTextA' check:

    bpx GetWindow
    g

When SICE breaks again, the code should look like this:

    mov cl,9F
    jmp xxxxx
    //some lines of code
    xxxx:
    push ebp
    mov ebp,esp
    push ecx
    sub esp,3c
    push word ptr [...]
    push word ptr [...]
    call [...]
    leave             //<= trace up to here
    ret

When you are at the instruction 'leave' with the instruction pointer, press Alt+R and make ax=0. (Last call for GetWindow in Boundschecker returned HWND=0.)

    bc *
    g

Andy
Andy's Thread (Task 1) (Andy) (11-Apr-99 06:56:10) |
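The call sequence described in the post above, recognised in an API trace. This is an added example, not part of the original post: the "Name(args) -> result" trace format, the handle values and the GW_* arguments are constructed for illustration, and `find_window_checks` is a hypothetical helper name.

```python
import re

# Constructed trace (assumed format, not real tool output).
SAMPLE_TRACE = '''\
FindWindowA(NULL, "NUMEGA SMARTCHECK") -> 0x0
GetDesktopWindow() -> 0x80
GetWindow(0x80, GW_CHILD) -> 0x1A4
GetWindowTextA(0x1A4, buf, 256) -> 8
GetWindow(0x1A4, GW_HWNDNEXT) -> 0x1B0
GetWindowTextA(0x1B0, buf, 256) -> 0
GetWindow(0x1B0, GW_HWNDNEXT) -> 0x1C8
GetWindowTextA(0x1C8, buf, 256) -> 17
GetWindow(0x1C8, GW_HWNDNEXT) -> 0x0
'''

# One call per line: API name, raw argument text, numeric return value.
CALL = re.compile(r'^(\w+)\((.*)\)\s*->\s*(0x[0-9A-Fa-f]+|\d+)$')

def parse(trace):
    """Yield (api, args, return_value) for each well-formed trace line."""
    for line in trace.splitlines():
        m = CALL.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3), 0)

def find_window_checks(trace):
    """Report the two checks the post describes: a FindWindow lookup by
    title, and a GetWindow/GetWindowTextA walk that ends at HWND=0."""
    report = {"titles_looked_up": [], "captions_read": 0, "walk_completed": False}
    in_walk = False
    for api, args, ret in parse(trace):
        if api in ("FindWindowA", "FindWindowW"):
            # Quoted string arguments are the class/title being searched for.
            report["titles_looked_up"] += re.findall(r'"([^"]*)"', args)
        elif api == "GetDesktopWindow":
            in_walk = True                      # start of the window walk
        elif in_walk and api in ("GetWindowTextA", "GetWindowTextW"):
            report["captions_read"] += 1        # one caption compared per window
        elif in_walk and api == "GetWindow" and ret == 0:
            report["walk_completed"] = True     # last GetWindow returned HWND=0
            in_walk = False
    return report

if __name__ == "__main__":
    print(find_window_checks(SAMPLE_TRACE))
```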