Ugly Filecheck

July 11th, 2007, 13:09
Hey to all

I have found a new target. After days of tracing, I found the functions that make my app work happily. So I patched it. After start ---> CRASHHH

In IDA the patch looks correct. It's not a really hard patch.
Original: mov eax,1
Mine: mov eas,0

OK, so I started searching for my "friends" (CreateFileA, ...).
Oooooh, no "friends" called :-((

OK, searching for CMP "Hardcoded CRC","File CRC"
Oooooh, no luck :-(

The target is protected in 3 DLL files with the "mov eax,1" "jz BadBoy" commands. The functions are called in the main EXE with ugly indirect calls.
All files are written in C++.

What would you try here? Is there a "PE CRC Corrector" that I could try? Google doesn't cooperate with me.

Thanks for all answers.

Sorry for my bad English.

July 11th, 2007, 15:36
You could try setting a memory breakpoint over the patched instruction.

July 11th, 2007, 20:57
Had something similar, was a flag check... try xor eax, eax...

July 12th, 2007, 10:37
Or find the conditional jump and force that instead...

July 13th, 2007, 07:08
I have tried it with DUP. On 1 system the program runs without any trouble; on the other 3 it crashes (DUP says "No bytes found,Timout").

The trouble is that before the DLLs are called, all font names are loaded. On 3 systems there are a lot of fonts installed. On the one there are just standard fonts installed.

Does somebody know a loader like DUP where I can set the timeout???
(for the time I am searching for my "Crash" command in my software)

Does anybody know some good keywords for Filecheck??

July 13th, 2007, 07:56
bpx CreateFileA, trace from there maybe?

July 14th, 2007, 07:17

Drigo, you appear to have NOT followed ANY of the advice in the posts ABOVE you, which you were supposed to have read before posting. Now you're just not making any sense.

July 15th, 2007, 02:08
MapViewOfFile, CreateFileMapping are a couple others if I recall the names correctly, but first try Zairon's suggestion, it should lead you to the exact code checking the CRC, as for a loader with an adjustable time to patch - Abel works well.


July 16th, 2007, 04:55
OK. I found out (other people told me) it is a CRC32 check, but I can't find it. There is no memory breakpoint, no CreateFileA ... .

Does anybody know a good CRC32 Corrector? I am to stupid to calculate the bytes to add.

July 16th, 2007, 07:13
You really didn't think life was THAT easy did you??? Did you ever actually read the FAQ or the part in it which says:

Do not ask where to find the "tools".

It's the 3rd item listed.

Or the RED letters in the Caption in the Tools of the Trade Forum which reads:

Do not ask where to get the Tools of our Trade. Do not even think about asking for them.

What's wrong with YOUR brain? Are YOU completely helpless? What EFFORT did YOU make to find what YOU want?

Are YOU incapable of using a SEARCH ENGINE yourself? Why didn't you put:

CRC32 Corrector

correcting CRC32

and/or various other combinations in YOUR search engine to find what YOU seek???

Or, to use YOUR words, are you "to stupid" to understand that is one of our Rules here?


July 16th, 2007, 07:53
Hi Drigo!

I know it could sound a little bit foolish, but I found that and it seems good... besides, it's from fravia!!!!! I guess if you try to read it, that should help you...



July 16th, 2007, 11:21

Did YOU, in your rush to be "helpful," miss the part of my post where I stated that DRIGO was supposed to do his OWN searching BEFORE he asked for help here?????

So WHY did YOU feel compelled to attempt to give him an answer BEFORE he showed that HE had done ANY work on his own to solve HIS problem???

NOT a wise move!


July 21st, 2007, 11:40
thanx you guys

July 25th, 2007, 14:22
[Originally Posted by Drigo;67071]

In IDA the patch looks correct. It's not a really hard patch.
Original: mov eax,1
Mine: mov eas,0

If this is exactly what your change looks like, perhaps you should look a bit closer...


July 26th, 2007, 04:48
Heh, I think we all know it's a typo, Rackmount.