Text File | 2000-05-25 | 47.0 KB | 1,376 lines
========================================================
+HCU Maillist Issue: 201                      04/23/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: Happy birthday!
#2 Subject: Eschalon setup self extracting
#3 Subject: Notebooks, video and Softice.

ARTICLES:

-----#1-------------------------------------------------
Subject: Happy birthday!

200 issues!!! :)
Happy birthday HCUML! :))
Ehmm... sorry for the offtopic O:-)

byez,
.+MaLaTTiA.

-----#2-------------------------------------------------
Subject: Eschalon setup self extracting

Please bear with me as I'm new to cracking. I have this program InfoPower by woll2woll. U can get it via ********************************************************

The setup itself is using the now defunct Eschalon setup, using Delphi 3, and the program it's installing is a D3 VCL library. Now this is as far as I get. The real software it's installing is a D3 VCL library with full source code and has been voted by the Delphi community as one of the best. The real software is encrypted somehow in the setup program. When it starts up, the setup will extract a temp file into ure temp directory using the name edi??.tmp. This file is actually a PE DLL and will be overwritten whenever the setup is run. When setup is run, you'll be asked about ure name, company, registration code and then a release key. The last two u get when purchasing the product. Looking at the dead listing, all of the work is done in the edi??.tmp file (which is 524k in size). To crack it you must crack the temp file. Although the file is created in every run, that can be easily defeated by using SoftICE or any in-memory patching. BTW the full path of the DLL is located at 00407b08.
In simple terms this is how the program works:
(i) ip31s.exe is run and extracts from itself C:\temp\edi??.tmp.
(ii) It then loads edi?? and runs an exported function SetupMain.
(iii) SetupMain is the actual starting point. It will find from ip31s.exe the list of encrypted (I think) files and decrypt them to the dir the user chooses.

It's step (iii) which is where I fail to follow. It's quite long winded. And as the program is written in Object Pascal there are a lot of jumps here and there (virtual dispatch table). There is also another way to attack the program, using the tutorial on +Fravia's page on how to crack VCL programs. When the setup is run, whenever the dialog box which asks for the registration key changes, the EDI??.tmp DLL will call this function: BrandingPgSomethingChanged, which I find is located at 0045f5B4, which is really a jump to 0043cb18. A word of caution: the location might have changed, since the file I downloaded was version 3.01 and the current version is 3.02. This is as far as I get. If ne1 can offer insight it would be great.

<<<< __HangTuah__ >>>>
The Malays will never vanish from the world

-----#3-------------------------------------------------
Subject: Notebooks, video and Softice.

Hello!

Sorry, I'm not going to talk about cracking this time but about hardware. Planning to buy a notebook: do some of you use one of them to run SoftIce 3.2, I mean without the video board problem we all know? I know some Toshiba Notebooks with a good old S3 Virge chip on the video board; does SoftIce pop up correctly on it?
Thanks for ya help. I won't plan to travel without my beloved Winnie. ;-)

--FootSteps

=====End of Issue 201===================================

========================================================
+HCU Maillist Issue: 202                      04/24/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:.......
****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: How to register this?
#2 Subject: once again, TASM
#3 Subject: Cookies
#4 Subject: Installshield Disassembler
#5 Subject: SICE on Laptop

ARTICLES:

-----#1-------------------------------------------------
Subject: How to register this?

Hi, dear +HCUs:

Recently I tried to "crack" a register-code scheme in a "3D resource CD-ROM". Their protection is like this: you can browse the whole CD freely, but when you try to "download" a resource from it, it will ask you for a "code". If your code is "wrong", it will display a MessageBox saying "Bad guy...".

The main module of it is called "present". There are too many window handles under the module "present". All windows and dialogs of it are "transparent", so it seems not to use the standard Windows MessageBox, GetDlgItemText..., to interact with users. And it's not easy to intercept API calls or messages from it. So I searched for the register string "11112222333..." in it and BPMB at the address where I found it. After some tracing, I found the module "PRESENT" cycled like the following:

A)
    ......
    cmp es:[bx], 0      (access to the string "11112222333...")
    jz ....
    call ...
    jz ....
    call ....
B)
    cmp .......
    jz A)

I set a BPX at point B). And after every 24 times the BPX breakpoint is reached, the window saying "bad guy" will prompt. But there are too many calls and jmps between A) and B). It's very difficult to find the correct point to "trace into". I guess this part of the code is specially designed to be anti-analysis. So many loops and jmps in it, and the code for "comparing" is hidden deep.

Could someone give me some hints on this kind of register-code cracking?

-----#2-------------------------------------------------
Subject: once again, TASM

Hello all,

remember when someone posted TASM on an URL with four zip files. Well, the fourth one was corrupt, and I asked him to put it back, but it never showed up....
Anyway, I was looking in my 'incomplete' directory, and TASM is still there (and so is Redneck Rampage, but I found, at last, the missing zips). So.... does someone have a TASM for me? E-mail me at *************** pls. And - any chance, anyone, with the satellite proggy?

WAFNA

-----#3-------------------------------------------------
Subject: Cookies

Hello Everyone

FYI, the following site is devoted to information on cookies.
****************************

cheers
Rundus

______________________________________________________
Get Your Private, Free Email at **********************

-----#4-------------------------------------------------
Subject: Installshield Disassembler

Hi this is MUSO,

I recently had a look at a nice tool called InterMute, which strips ads off your browser etc. (have a look at: *******************). Well, this prog generates a 14 day license at installation time. This license is generated inside the InstallShield script, so I took the InstallShield disassembler... unfortunately it fails to disassemble the INS file (an error pops up). Is there any chance to get this bug fixed in the disassembler? I hope so....

That's it for now

-----#5-------------------------------------------------
Subject: SICE on Laptop

>Planning to buy a notebook, do someone of you use some of them to run
>SoftIce 3.2, I mean without problem of video board we know all?

There are several options... In fact I believe that most notebooks will rather gladly run SICE coz manufacturers nowadays tend to use more "standard" parts in notebooks than they do in desktops, coz the price competition is not as tough... I have no trouble running SICE on an IBM ThinkPad and have tried 3 models already; they shouldn't get you into any trouble.

>I know some Toshiba Notebooks with a good old S3 virge chip on video
>board,

I would be careful with that.
I recently bought a cheap computer with a graphics card which claimed to have the S3 chip too, but I have to notice now that the graphics driver is not 100% compatible with SICE. SICE works fine until the first time a DOS/Console window is opened. From there on SICE will NOT display its screen any more in Windows, but only in a full-screen console... which is quite annoying... A reboot fixes that problem in my case... but there are so many cards with S3 (+various enhancements) out there that I would be careful to rely solely on that. As I said, SICE works nice on a (borrowed) ThinkPad... IBM's laptops seem to be very tolerant anyway, I had no trouble installing Linux + X on there....

HalVar

=====End of Issue 202===================================

========================================================
+HCU Maillist Issue: 203                      04/25/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: softice notebook
#2 Subject: Delphi cracking - Form spy
#3 Subject: Time 2 update
#4 Subject: Re: Installshield Disassembler
#5 Subject: HCU search idea.
#6 Subject: tasm5

ARTICLES:

-----#1-------------------------------------------------
Subject: softice notebook

Soft-Ice Notebook:

I have had no problems whatsoever using Soft-Ice on notebook computers--less, in fact, than on desktops ;) I used to use 2.0 to save space (I was working with a 150 MB partition drivespaced to give more room), but now I decided to stick with 3.22, although I use Generic VGA instead of the manufacturer card as it gives you the full screen (much easier to read).
Also, if you use DriveSpace, be sure to put SoftICE on the uncompressed drive.

_m

-----#2-------------------------------------------------
Subject: Delphi cracking - Form spy

I'm working on a Delphi program, and I need Form Spy. I've tried searching but found nothing. Please email me at ********************* if you have it. :-]

Thanks,
Fresh

-----#3-------------------------------------------------
Subject: Time 2 update

Hi

It has been quite a long time...

1st: What do you think about this request: Fravia+ should send +his site updates directly to the hcuml, to allow us not to lose time seeking deeply in +his pages. He could for instance just send a message like +his what_new.htm page! Any thoughts?

2nd: go there: *********************************************** download the full material, and learn, learn, learn: it's free!

-----#4-------------------------------------------------
Subject: Re: Installshield Disassembler

Muso, currently many have been experiencing that same bug, which most commonly is a "RichEdit Line Insertion Error". It has been fixed, so just watch ******************************* for the latest release of the disassembler, which should be out soon.

The Krazy Nomad [SiEGE]

-----#5-------------------------------------------------
Subject: HCU search idea.

Hello all,

remember all those discussions on cracking PDF passwords? Well, I now have Acrobat full myself, and I thought of something - why not make a repository of HCU issues in PDF format with the search capability provided by Acrobat Catalog? I will be making one myself for my personal use, but IMHO it's a good idea...

F.
-----#6-------------------------------------------------
Subject: tasm5

T5 should still be in my orcpaks/more directory

greythorne.home.ml.org

=====End of Issue 203===================================

========================================================
+HCU Maillist Issue: 204                      04/26/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: InstallSHIELD Compressor
#2 Subject: "Art of Assembly/zips"
#3 Subject: to Krazy Nomad

ARTICLES:

-----#1-------------------------------------------------
Subject: InstallSHIELD Compressor

Hello all,

a few days ago I encountered some problems when I tried to decompress a data.z made by InstallShield 2.x (the utility I used is InstallSHIELD Compressor, Version 2.00.051, Version 3.00.061), because it uses long filenames inside this data.z, so some files are missing and it only generated 8.3 DOS filenames. But when I used the -l option (List files compressed in 'output') to see what files are inside the data.z, I can see all the long filenames listed. So what's wrong? Could anybody help me?

IceAxe

-----#2-------------------------------------------------
Subject: "Art of Assembly/zips"

Thanks to the announcement in the latest HCU issue, I have downloaded AOA.zip: it is an assembly of various source files to Randy Hyde's text (book?) "Art of Assembly Language Programming". The book itself is probably in the rest of the files, by each chapter, in .ps format. I could not open them: "Type1BuildChar is undefined. A fault has been detected in this document..." Or maybe is it a test for us? Could anybody open them?

AZ111.
-----#3-------------------------------------------------
Subject: to Krazy Nomad

Hi,

> The Krazy Nomad [SiEGE]

can you contact me at *************** I wanted to ask you something.

WAFNA

=====End of Issue 204===================================

========================================================
+HCU Maillist Issue: 205                      04/27/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: source files
#2 Subject: Satelite and HASP
#3 Subject: Reply to *.ps files
#4 Subject: VB Cracking
#5 Subject: gthorne on icq lack of security
#6 Subject: FRMSPY
#7 Subject: Dongles !

ARTICLES:

-----#1-------------------------------------------------
Subject: source files

Hi,

Who can tell me where I can find sample source code for OCR programs? And for compiler/decompiler programs? The programs themselves can be freely downloaded at many websites (for example the TextBridge OCR program), but I am interested in the source files and in writing them.

Thanks.
AZ111.

-----#2-------------------------------------------------
Subject: Satelite and HASP

Hi all !!!

Hi WAFNA:
About the satellite program (are we talking about the same 3M proggie??): As far as I found out it is "only" a Delphi proggie. After disassembling it (with Wdasm) I see a lot of system calls. And I can break as hell on hmemcpy! I think that what Razzia discovered for cracking VB progs should be OK. I'm busy like hell lately (exams ...) so I didn't have the time to have fun with it, but as far as I have noticed it copies the reg number A LOT!! I think that this approach is the best one 'cos dead listing won't make much sense. I have seen a posting about Delphi a few days ago, and as far as I remember one of the list readers was working on a way to crack D.
programs long ago (but I didn't see any results). If I just get some free time I'll try to have some fun with it.

Hi all:
Now maybe someone can help me? As I have written earlier I was working on a HASP protected proggie called NORMA that didn't break at bpio [-h]. I still don't know how to cope with it, so if anyone has an idea, don't feel ashamed and feel free to help me out! The proggie has a simple reg no. for installing, a dongle check at the time you run it and then it works fine. Until you try to print something out: when there is no dongle it screws up the data passed to the print procedure and therefore crashes the program. The problem is that I can't find the second routine that checks for the dongle ;(. It came to me that it can only be that one procedure and I have cracked it all wrong, but it is still a fact that NORMA won't break at bpio. You can d/l the demo of NORMA at *********************** but as I have used the full version I don't know if it has the same schemes.

Thanx in advance
Kubak

-----#3-------------------------------------------------
Subject: Reply to *.ps files

Hi,

*.ps files can be opened. There is a tool called GhostView that can read these files. Hope it helps.
geofox

-----#4-------------------------------------------------
Subject: VB Cracking

I'm a newbie who wants to learn the art of cracking badly. I didn't know where to start, so I started by searching on the web and found Fravia's great pages, and they have brought me a long way. I knew nothing about cracking Visual Basic, nothing, but you are always hearing about VB so I want to know more and have read every tut available (mostly Razzia's great stuff). My question is simple: I can get to a certain point in Razzia's tut (read below):

"we do 'bpr es:di-8 es:di-1 rw'. Don't hit enter yet - read step 7 first.

Step 7: Before you hit enter i will tell you what to expect. Softice will break everywhere where that block of memory with the string is read or written to. For example you will break inside the function strlen where the length of the string is calculated. And you will break where the string is copied to another place in memory (for example with REPZ MOVSW). When this happens place a new bpr at the new location with the string. It will also break when the string or part of it gets deleted.
If not the whole string gets deleted do not remove the corresponding bpr. Only remove it when the complete string gets written over by something else. Also you will break again in hmemcpy. Hmemcpy will read another echo of the string in the dll's memory. Place a bpr there too. And finally you will break at the part of the code that does the comparing (the instruction you will see is REPZ CMPSB). When i reached that part of code i had 4 breakpoints set. One breakpoint for hmemcpy and 3 bpr's on 3 echos of the string (or parts of it).

Step 8: Now we found the code where the VB3 dll does the comparing we can place a breakpoint there and disable the other breakpoints. We won't need them anymore. We found the place where things get compared in VB3. What you see is this:

: 8BCA      mov cx, dx
: F3A6      repz cmpsb        ;<- here the strings in ds:si and es:di
: 7401      je 8CB6           ;   are being compared
: 9F        lahf
: 92        xchg ax,dx
: 8D5E08    lea bx, [bp+08]
: E80E06    call 92CB"

I'm having problems following after the bpr es:di-8 es:di-1 RW. I don't know what he means when he says set a breakpoint at these different locations in memory (what command, is it memory seg:xxxx or what). Could someone please try to clear this up for me? I know that VB cracking is something a newbie shouldn't start with, but I've got sucked in and just need to know what's going on here. Ohhh, one other thing: I think that having a forum like this for crackers and aspiring crackers is great. I plan on making full use of it.

-----#5-------------------------------------------------
Subject: gthorne on icq lack of security

one of my more usual communicadoros sent me a couple of urls those of you who use icq really need to see

************************************
and
**************************************************************

have fun and watch your back ;)

+gthorne

-----#6-------------------------------------------------
Subject: FRMSPY

Hi!
I was reading (again) that essay on +Fravia's page about VCL cracking. That essay is from +Trurl and he mentioned a tool called FRMSPY... But there is no link to that tool in the essay. As I remember I saw this tool - FRMSPY (once, somewhere), but yesterday when I tried to find it again I had no luck :( So if anybody still has it, or if somebody could just send the link to it, my life would be much easier :)

THX!
Pero

-----#7-------------------------------------------------
Subject: Dongles !

sorry to look like a dumbass but what are dongles???

TecH_bOi aka dR.FreEzE

_____________________________________________________________________
You don't need to buy Internet access to use free Internet e-mail.
Get completely free e-mail from Juno at *******************
Or call Juno at (800) 654-JUNO [654-5866]

=====End of Issue 205===================================

========================================================
+HCU Maillist Issue: 206                      04/28/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: re: gthorne on icq lack of security
#2 Subject: 3m, formspy
#3 Subject: Re: frmspy
#4 Subject: Two PC's

ARTICLES:

-----#1-------------------------------------------------
Subject: re: gthorne on icq lack of security

I was most interested when I saw this message, so I immediately downloaded a copy of ICQ IPsniffer. I tried it out on one of my "unprotected" ICQ numbers and it correctly retrieved my IP address. I then tried it on a "protected" number and it retrieved some IP address of lord knows where, which could not be reached by a browser or DNS lookup and was seemingly non-existent. Now when I say "protected" I do not mean hidden by ICQ, but sent through the Junkbuster local proxy on my PC.
Any further news, opinions etc would be most welcome.

Regards,
Zipper49

-----#2-------------------------------------------------
Subject: 3m, formspy

Hi all!

Kubak wrote:
>About the satelite program ( Are we talking abou the same 3M proggie
>??): As far as I found out it is "only" a Delphie proggie. After
>dissasembling it (with Wdasm) i see a lot of system calls. And I can
>brake as hell on hmemcpy ! I think that Razzia dicovered for cracking VB
>progs should be OK. I'm busy like hell lately (exams ...) so I didn't
>have the time to have fun with it but as far as I have noticed It copies
>the reg number A LOT !! I think that this approach is the best one 'cos

A few days ago I checked this 3m program, but for me it seems that it does not touch the serial number after you press the register button. When could you break with hmemcpy? It is sure that during the typing of the registration number the ASCII codes of the characters are copied around a lot. In my opinion the program catches all the typing messages like wm_char, wm_keydown and calculates the registering info on the fly. I have met a program like this one before, but it was written in C. With this Delphi thing it is a real mess to find out what the hell it is doing with the punched-in character. I just never know whether it is just doing all the basic things instead of Windows or this is already the protection.

>dead listing won't make much sense. I have seen a posting about Delphie
>few days ago, and as far as I remember one of the list readers was
>working on a way to crack D. programs long ago (but I didn't see any
>results) If I just get some free time I'll try to have some one with it.

It was about the formspy proggie +Trurl (I think he is on the list) came up with some time ago and was deposited on one of Greythorne's sites. I hope we did not lose it.
It was about finding out where the function belonging to a button starts. In this 3m program the register button is called Button2, the action is Button2Click. If you look for the Button2Click string in the program you will find it at two places (in a table and at the very end of the program in the TForm resource section). At the first place, immediately before the string, you can find the address of the corresponding function, 42d754. If you put a bpx on it, it will break nicely when you push the register button. Unfortunately, this did not help me too much, as I mentioned the program probably already decided at this point whether the reg number is ok or not. No obvious flag checking either as I see. Nevertheless, I do not see any particular trick here (unless we count the supposed reg check while the typing still goes on), but the usage of Delphi makes it difficult to find the reg calculation routine. Well, I'll try it again this evening.

Bye
Zer0+

-----#3-------------------------------------------------
Subject: Re: frmspy

Hi +all!

>That essay is from +Trurl and he mentioned a tool called FRMSPY...
>But there is no link to that tool in the essay.

Where could I upload it?

Sorry for the long time away. I'm working too much to have time for anything else (like cracking). I hardly can read more than titles in the ml :-( I hope to be back soon... maybe for HCU 98? :)

best regards
+trurl

regards
Nico
***************************

-----#4-------------------------------------------------
Subject: Two PC's

Hi all :)

I have a little question: I cracked at home on my PC a very nice screensaver. I patched one byte, so the prog doesn't expire. I patched another byte, so the prog was registered. And I patched one byte, so the prog doesn't show annoying text. But now it comes: The prog runs not so good on my PC at work because this annoying text was there again. Has anybody an explanation for this?
BTW the idea with the site updates from Fravia directly to the HCUML is really good, because I have not the time to seek +his pages like this anonymous writer.

byez,
NiKai

=====End of Issue 206===================================

========================================================
+HCU Maillist Issue: 207                      04/29/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: Some tools...
#2 Subject: fravia's updates (by fravia+)
#3 Subject: gthorne - uploaded frmspy
#4 Subject: frmspy again

ARTICLES:

-----#1-------------------------------------------------
Subject: Some tools...

Hi +all,

Just wanted to say I have set up a tools page on ********************************************
Newbies might want to check it out (???)

Fresh.

-----#2-------------------------------------------------
Subject: fravia's updates (by fravia+)

Well, let me get this right: You want me to send a copy of my what_new.htm to the HCUML? What's the (time) problem in getting it from my site? I don't get it. Yet if you really want it, just automate it: I update every 4-7 days, or so. Batch the top part of the what_new as an email to yourself (say 10 rows every week). This should solve the problem... or did I not dig it?

BTW, ************************************ for those of you that never used this Microsoft debugger.
later
fravia+

-----#3-------------------------------------------------
Subject: gthorne - uploaded frmspy

i havent linked to it yet from anywhere, but it is uploaded again now

the direct address is:
*********************************************

+gthorne

-----#4-------------------------------------------------
Subject: frmspy again

Hi +All,

In my last message there was an http address. Sorry, frmspy isn't there. In fact this guy programmed frmspy but, as you can see, he's a Delphi programmer and he doesn't like too much what I'm using his program for ;-) So please tell me an FTP site or email address and I'll upload the program for everybody that could find it useful.

greetings
+trurl

=====End of Issue 207===================================

========================================================
+HCU Maillist Issue: 208                      04/30/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: monitor

ARTICLES:

-----#1-------------------------------------------------
Subject: monitor

Hi to all

Anyone know a prog to monitor TCP/IP packets, filtering, sniffer-like, for Windows 95? There's a bunch on Unix but for Win?

thanks
strafi

=====End of Issue 208===================================

========================================================
+HCU Maillist Issue: 209                      04/30/1998
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
Web Repository.........................hcuml.home.ml.org
========================================================

CONTENTS:

#1 Subject: 3M Sat. proggie
#2 Subject: Re: +HCU ML Issue 205
#3 Subject: Re: +HCU ML Issue 200
#4 Subject: Re: +HCU ML Issue 195
#5 Subject: Re: +HCU ML Issue 203
#6 Subject: Process Tree
#7 Subject: visual basic
#8 Subject: packet monitoring

ARTICLES:

-----#1-------------------------------------------------
Subject: 3M Sat. proggie

Well, this proggie looks so weird... I did manage to get a step further... With IDA I found a .sig file for the Delphi 3 VCL available at: *****************************************, which is by the way bundled with IDA 3.75. It shows all the local Delphi routines.... and by the way that function at 42d754 is just

0042D754    mov eax, ds:off_42E92C
0042D759    mov eax, [eax]
0042D75B    call **********************   ;
0042D760    retn

and that is what the sig file identified, which does not look to me like a checker routine at all.... and there is no bad guy/good guy jump anywhere.... which produces the same modal dialog box every time regardless of what you enter in the serial# dialog.... However the .sig file identified lots of string comparing routines (which, as I don't have enough time these days to do) could be inspected at run time.... or even brute force the thing.. (cause up till now I think it is a practical joke from someone on IRC). Cause the prog itself is only a mere 500 KB, and Delphi wrap-around routines count for more than 400 KB... so what is that mysterious 100 KB proggie that does god knows what.. (notice, no readme.txt, no .hlp files, just the plain .exe file)

k0X

____________________________________________________________________
Get free e-mail and a permanent address at ******************************

-----#2-------------------------------------------------
Subject: Re: +HCU ML Issue 205

> ========================================================
> +HCU Maillist Issue: 205                      04/27/1998
> ========================================================
> Subject: Satelite and HASP
> Hi all !!!

Hi, Kubak !
> Hi WAFNA :
> About the satelite program ( Are we talking about the same 3M proggie
> ??): As far as I found out it is "only" a Delphi proggie. After
> disassembling it (with Wdasm) I see a lot of system calls. And I can
> break as hell on hmemcpy ! I think that what Razzia discovered for cracking VB
> progs should be OK. I'm busy like hell lately (exams ...) so I didn't
> have the time to have fun with it but as far as I have noticed it copies
> the reg number A LOT !! I think that this approach is the best one 'cos
> dead listing won't make much sense. I have seen a posting about Delphi a
> few days ago, and as far as I remember one of the list readers was
> working on a way to crack D. programs long ago (but I didn't see any
> results) If I just get some free time I'll try to have some fun with it.

Please, don't mix VB with Delphi ... remember that Delphi executables are (OOP overbloated) *real* EXEs, not Micro$oft interpreted shit ... I don't think you must take any special way for cracking VCL based software, I've cracked a lot of them (even protected VCL components) by 'classic' +methods ...

Bye, Aitor.

-----#3-------------------------------------------------
Subject: Re: +HCU ML Issue 200

> ========================================================
> +HCU Maillist Issue: 200 04/22/1998
> ========================================================
> Subject: Dongles !
> Since we talkin bout dongles: I'm trying to crack a proggie (dongle
> protected) that doesn't break on bpio. I don't have the time to make that
> dongle procedure detector plugged into the lpt port and it starts to get
> me nervous. Has anyone of You seen a proggie that would NOT break on bpio

Yes, I was working some months ago with 'Cosmos/M v1.75a' ... it didn't break ... Most of the times the bpio -h approach must be the last approach you should try ...

Bye, Aitor.

-----#4-------------------------------------------------
Subject: Re: +HCU ML Issue 195

Hi, WAFNA !
> ========================================================
> +HCU Maillist Issue: 195 04/16/1998
> ========================================================
> Subject: 3m satellite program
> Hello all,
> I was wondering if anyone wanted to try to crack a funny little
> program (about 500kb) which is quite restricted, because it is only
> for dealers in Access cards. It seems that it allows one to program
> these cards and watch satellite TV for free. Someone sent it to me
> while I was on #cracking on efnet.
> Anyway, I thought it would be easy, just the usual looking for the
> calculations of the key, but I trace, and I trace, and I can't bpx on
> any function, I get no find on string searches on IDA and WDASM.
> Very funny. Using smartcheck, I get that the program uses ZERO win32
> functions. It seems to me that it verifies each keystroke, but I am
> not sure. In any case, if someone's interested, pls e-mail me at
> ************** and I will send the program as an attached file.

Please, send it to me ... ******************

Bye, Aitor.

-----#5-------------------------------------------------
Subject: Re: +HCU ML Issue 203

> ========================================================
> +HCU Maillist Issue: 203 04/25/1998
> ========================================================
> Subject: Time 2 update
> Hi
> It has been quite a long time...

Hi, Mr. +Unknown !

> 1st : What do you think about this request : Fravia+ should send
> +his site updates directly to the hcuml, to allow us not
> to lose time seeking deeply in +his pages.
> He could for instance just send a message like +his
> what_new.htm page!
> Any thoughts?

Yes, one thought for you ... think a second that you were fravia+, how many hours a week would you spend on Fravia's Pages maintenance? ... I think we all must free fravia+ from *any* additional work, don't you think so?

Bye, Aitor.
-----#6-------------------------------------------------
Subject: Process Tree

Hi

I wanted you to consider a new "tool of the trade", called Process Tree, that you can find at
**************************
The file name begins with "pts210" if I remember well, and is less than 2MB.
This tool is pretty useful for us, as it contains MANY features about processes and threads under Macroshit Win95. However, if you want to use it completely, you need an executable program coming from Microsoft C++, this prog allowing to disassemble directly from the memory.
Please have a look at it, and share your thoughts.

+joNaH
"Art is long, but time is short"
______________________________________________________
Get Your Private, Free Email at **********************

-----#7-------------------------------------------------
Subject: visual basic

Hi all..
Anyone who has been in #c4n the last few days will know that I am trying to get info about VB functions.
I was trying to crack a Visual Basic program the other day, and while in SoftICE, saw a reference to: KERNEL32!LstrcmpiA and I thought....Hmmm, Kernel32 is a .dll and LstrcmpiA is a function. I wonder if I can break on any functions in VB40032.dll as my target uses functions from vb40032.dll only...none of its own or any other dll's.
So into w32dasm, into imports and print a list of them. Into SoftICE and try BPX VB40032!rtcStringBstr and I get symbol not defined.. damn.....NO NO wait.. into symbol loader and load up VB40032.dll and back to SoftICE and Boom, BPX is set, no worries!! Wow I thought.. So I set a BPX on every single function in lots of 5 at a time and out of 53 it broke on 7 of them.
Now.. the 7, in order of breaking, are...

1. ProcCallEngine
2. MethCallEngine
3. rtcStringBstr
4. rtcUpperCaseBstr
5. rtcMidCharBstr
6. rtcAnsiValueBstr
7. rtcMsgBox

where (5) and (6) break around 40 times each, alternating between the two.
Now being not totally brain dead by all the VB surrounding me, I am guessing that it grabs the string, uppercases it, grabs each character (like the MID function in BASIC) and uses its ANSI value somehow, then a CMP with a jmp to either good or bad msgbox.
What is the "Bstr" and "rtc"?? - and how are the parameters used?
The hard bit was to find any reference to what the hell these functions do. They are fairly self explanatory, but after searching MS, VB sites, IRC #'s and such I find nothing. I was looking for something along the lines of win32.hlp but people tell me they are "undocumented functions" - IN VB40032.dll ???
If they are undocumented then how did this shareware programmer know what functions to use??
The main goal of this email was to show other newbies like myself that there are other breakpoints possible, and also in the hope that someone has these functions documented somewhere as it would be nice to see the parameters and such....

Cheers !!
HaQue.

-----#8-------------------------------------------------
Subject: packet monitoring

I think you might find NukeNabber useful. You can find the latest version via web search. Probably find links to other stuff you want from this.

~~ Ghiribizzo

=====End of Issue 209===================================
========================================================
+HCU Maillist Issue: 210 05/01/1998
--------------------------------------------------------
CONTENTS:
#1 Subject: Better memory view questions
#2 Subject: Norma
#3 Subject: process tree

ARTICLES:
-----#1-------------------------------------------------
Subject: Better memory view questions

While disassembling Win95 files, I am confronted with certain questions difficult to answer:

1) Inside a given application all EXE, DLL and HLP files are interconnected. How can one see it in disassembled files? How can one watch all calls to a particular DLL file? In which way are the names of those called files encoded?
2) The stack size limit: is it defined for the whole application, or for every particular file?
3) I assume that all called system functions (from GDI, USER, KERNEL) are being run in their ring, returning just answers, and are not being copied inside the application run-time memory.
4) From reading HCU essays, it appears that the way the inputted string is being copied into memory is not clear to many (including me).
5) Conditional breakpoints while working with WinIce: the way to write and to introduce macro programs, and maybe the real programs.

Any answers and hints are welcome, but I do not insist: everybody has his own research field.
Thanks.

AZ111.

-----#2-------------------------------------------------
Subject: Norma

I've quickly looked into this. Look in norma.exe for the hex string
83 7e f4 00 74 0c 8e 46 08
jnz the first jz and the second too; put a bp at this area.
Sorry but it's wholly Polish and I don't know what's disabled in the demo; I don't know where to look to check demo/full!
Hope this may help you!

+Haribo
______________________________________________________
Get Your Private, Free Email at **********************

-----#3-------------------------------------------------
Subject: process tree

RE: ProcTree

This is an excellent tool: prepare to throw away Quick View! (Well, almost...)
It is only really effective if you couple it with DumpBin from MSVC++ 5, so I have taken the liberty of uploading the dumpbin package (with all requisite DLLs, etc) here
*************************************************************
for those who lack it. Extract it to the same directory as Process Tree and you'll be fine.

_m
______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 210===================================
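Editor's added example for HaQue's "visual basic" post in Issue 209 (not code from the list or from any poster): the "Bstr" in rtcUpperCaseBstr, rtcMidCharBstr and rtcAnsiValueBstr is the OLE Automation BSTR string type, and "rtc" is the VB run-time call prefix for the UCase$, Mid$ and Asc functions. A BSTR is a pointer to UTF-16LE characters with the byte length stored in the four bytes before the pointer and a 16-bit NUL after the data, so when SoftICE stops on one of those exports, the pushed string argument can be read with the helper below. The memory image, the addresses and the serial value are constructed here; char_loop_trace only makes the post's own guess (uppercase, then Mid$/Asc once per character) concrete and says nothing about the real check in that program.

```python
"""BSTR layout helper for VB run-time (rtc*Bstr) breakpoints.

A BSTR value is a pointer to UTF-16LE characters.  The 4 bytes BEFORE the
pointer hold the length in BYTES (not characters) and a 16-bit NUL follows
the data.  Memory image, addresses and serial below are constructed.
"""
from __future__ import annotations
import struct


def make_bstr(text: str, base: int) -> tuple[bytes, int]:
    """Serialize text as a BSTR allocated at address `base`.
    Returns (raw_bytes, pointer); `pointer` is the value a program passes."""
    data = text.encode("utf-16-le")
    raw = struct.pack("<I", len(data)) + data + b"\x00\x00"
    return raw, base + 4            # the BSTR points past the length prefix


def read_bstr(mem: bytes, mem_base: int, ptr: int) -> str:
    """Decode the BSTR whose character pointer is `ptr` from a memory dump
    `mem` that starts at virtual address `mem_base` (what 'd ptr-4' shows)."""
    off = ptr - mem_base
    if off < 4 or off > len(mem):
        raise ValueError("pointer outside dump")
    nbytes = struct.unpack_from("<I", mem, off - 4)[0]
    if nbytes % 2 or off + nbytes + 2 > len(mem):
        raise ValueError("implausible BSTR length %d" % nbytes)
    if mem[off + nbytes:off + nbytes + 2] != b"\x00\x00":
        raise ValueError("missing BSTR terminator")
    return mem[off:off + nbytes].decode("utf-16-le")


def char_loop_trace(serial: str) -> list[tuple[str, str]]:
    """The rtc* call sequence the post's GUESSED algorithm would produce:
    UCase$ once, then Mid$(s, i, 1) and Asc alternating once per character.
    This is the poster's hypothesis made concrete, not the target's code."""
    upper = serial.upper()
    trace = [("rtcUpperCaseBstr", upper)]
    for ch in upper:
        trace.append(("rtcMidCharBstr", ch))               # Mid$(s, i, 1)
        trace.append(("rtcAnsiValueBstr", str(ord(ch))))   # Asc(ch)
    return trace


if __name__ == "__main__":
    raw, ptr = make_bstr("ab-12", 0x00410000)     # constructed heap address
    print(hex(ptr), read_bstr(raw, 0x00410000, ptr))
    for fn, arg in char_loop_trace("ab-12"):
        print(fn, arg)
```

With the guessed loop, rtcMidCharBstr and rtcAnsiValueBstr each fire exactly once per character, which is why counting how many times that pair alternates tells you the length of the string being checked.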
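Editor's added example for +Haribo's "Norma" post in Issue 210 (not code from the list or from any poster): finding the hex string in the file gives a file offset, but SoftICE wants a virtual address, so the script below searches a PE32 file for the post's bytes (83 7E F4 00 74 0C, i.e. cmp dword ptr [esi-0Ch],0 followed by jz short) and maps each hit through the section table to ImageBase + VirtualAddress + delta. The two-section PE it builds is constructed for the demonstration; it is not norma.exe, and the addresses it yields are sample values only. Run it against a real file by replacing build_sample_pe() with the file's bytes.

```python
"""Locate a byte pattern in a PE32 file and translate the file offset into
the virtual address a debugger breakpoint needs.  Sample PE is constructed."""
import struct

# From the post: 83 7E F4 00 = cmp dword ptr [esi-0Ch],0 ; 74 0C = jz short +0Ch
PATTERN = bytes.fromhex("83 7e f4 00 74 0c")


def parse_pe(data: bytes):
    """Return (image_base, sections); each section is
    (name, virtual_address, raw_pointer, raw_size).  PE32 only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 handled here (magic %#x)" % magic)
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, raw_ptr, raw_size))
    return image_base, sections


def offset_to_va(image_base, sections, off):
    """Map a raw file offset to (section_name, va); None when the offset is
    not inside any section's raw data (e.g. it lies in the headers)."""
    for name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= off < raw_ptr + raw_size:
            return name, image_base + va + (off - raw_ptr)
    return None


def find_pattern(data: bytes, pattern: bytes):
    """All (file_offset, section, va) hits of `pattern` in a PE32 image."""
    image_base, sections = parse_pe(data)
    hits, start = [], 0
    while (off := data.find(pattern, start)) != -1:
        mapped = offset_to_va(image_base, sections, off)
        if mapped:
            hits.append((off, mapped[0], mapped[1]))
        start = off + 1
    return hits


def build_sample_pe() -> bytes:
    """A minimal two-section PE32 (constructed; not a real program)."""
    image_base = 0x400000
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    pe = 0x80
    hdr[pe:pe + 4] = b"PE\0\0"
    # COFF: i386, 2 sections, zero timestamp/symtab, opt header 0xE0, EXE flags
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sec = opt + 0xE0
    layout = [(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)]
    for i, (name, va, raw) in enumerate(layout):
        struct.pack_into("<8sIIII", hdr, sec + 40 * i, name, 0x200, va, 0x200, raw)
    text = bytearray(b"\x90" * 0x200)
    text[0x40:0x49] = bytes.fromhex("83 7e f4 00 74 0c 8e 46 08")  # post's bytes
    data = bytearray(0x200)
    data[0x10:0x16] = bytes.fromhex("83 7e f4 00 75 0c")  # jnz variant: no match
    return bytes(hdr + text + data)


if __name__ == "__main__":
    for off, sec, va in find_pattern(build_sample_pe(), PATTERN):
        print("file +%#x  %-6s  bpx %08X" % (off, sec, va))
```

A hit in the constructed file sits at file offset 0x240 inside .text and maps to 0x401040, the value you would hand to bpx; the decoy in .data differs only in the jump opcode (75 instead of 74) and is correctly ignored, which is the check to keep in mind when a pattern search turns up more than one candidate.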