
Thread: CommView 3.4?

  1. #1
    foxthree
    Guest

    CommView 3.4?

    Hello Folks:

    Sorry for posting yet another ASsPr/Tamoz combo, but this one seems to be quite nasty. After all, only these two guys seem to be doing something interesting, and hey, they finally added a TCP session joiner in this, so I thought it was worth a while.

    After the usual dump, IT fix, blah blah... I get this weird Runtime Error 202 at 40717D and shit, is this a loop? Anywayz, I'll keep working on this one this week and post the progress. But I thought I'd throw some "wake-up call" into this otherwise "getting duller and duller by the day" forum.

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    SilSaLaMaTa
    Guest
    hi
    I had the same problem. I don't know why it happens after unpacking, but I debugged the program, found where the exception happens and NOPed that! After that, CommView runs, but there was one more error: I tried to right-click on the packet list and got another runtime error. There was a check "cmp [xxx],4" / "jb xxx"; I changed the "cmp [xxx],4" to "cmp [xxx],7" and everything works.
    But I don't know why runtime errors happen after unpacking...

  3. #3
    foxthree
    Guest

    Yo SilSA

    Hey SilSA:

    How did you bypass the nasty CRC check? +SplAj gurus technique?

    Signed,
    -- FoxThree

  4. #4
    evaluator
    Musician member, joined Sep 2001, 1,516 posts
    CV has had a file-size check since probably the 2.6 versions.
    This check happens some time after you start the program.
    Without searching for the reason, you can repack the unpacked program to its original size
    & it won't warn about it any more. (For the current CV I haven't looked.)

  5. #5
    hi foxthree,

    This Error 202 message is encrypted. This is Tamos's trick to detect an unpacked/cracked version. The following is the decryption routine (such a routine is also used in FlashFXP; only the constants are different). Many other secret strings are decrypted with this routine. Just locate them in IDA by cross-references to this routine. The CRC check can be defeated by hard-coding the 512-byte MD5 hash into the unpacked exe. Please refer to the v3.0 build 205 thread in the newbies forum. I have successfully unpacked and cracked it. There is also an inline patch from the DISTINCT group.

    Code:
    seg000:00655718 sub_655718      proc near               ; CODE XREF: seg000:0063ED3Fp
    seg000:00655718                                         ; seg000:00644393p ...
    seg000:00655718                 push    ebx
    seg000:00655719                 push    esi
    seg000:0065571A                 push    edi
    seg000:0065571B                 push    ebp
    seg000:0065571C                 push    ecx
    seg000:0065571D                 mov     [esp+0], ecx
    seg000:00655720                 mov     esi, edx           <-------key for decryption
    seg000:00655722                 mov     edi, eax
    seg000:00655724                 mov     eax, edi
    seg000:00655726                 call    sub_404DB8
    seg000:0065572B                 mov     edx, eax
    seg000:0065572D                 mov     eax, [esp+0]
    seg000:00655730                 call    sub_40513C
    seg000:00655735                 mov     eax, edi
    seg000:00655737                 call    sub_404DB8
    seg000:0065573C                 mov     ebp, eax
    seg000:0065573E                 test    ebp, ebp
    seg000:00655740                 jle     short loc_655777
    seg000:00655742                 mov     ebx, 1
    seg000:00655747 
    seg000:00655747 loc_655747:                             ; CODE XREF: sub_655718+5Dj
    seg000:00655747                 mov     eax, [esp+0]
    seg000:0065574A                 call    sub_405008
    seg000:0065574F                 mov     dl, [edi+ebx-1]
    seg000:00655753                 movzx   ecx, si
    seg000:00655756                 shr     ecx, 8
    seg000:00655759                 xor     dl, cl
    seg000:0065575B                 mov     [eax+ebx-1], dl
    seg000:0065575F                 xor     eax, eax
    seg000:00655761                 mov     al, [edi+ebx-1]
    seg000:00655765                 add     si, ax
    seg000:00655768                 imul    ax, si, 3039h           <----constant 1
    seg000:0065576D                 add     ax, 2C9h       <---------constant 2
    seg000:00655771                 mov     esi, eax
    seg000:00655773                 inc     ebx
    seg000:00655774                 dec     ebp
    seg000:00655775                 jnz     short loc_655747
    seg000:00655777 
    seg000:00655777 loc_655777:                             ; CODE XREF: sub_655718+28j
    seg000:00655777                 pop     edx
    seg000:00655778                 pop     ebp
    seg000:00655779                 pop     edi
    seg000:0065577A                 pop     esi
    seg000:0065577B                 pop     ebx
    seg000:0065577C                 retn
    seg000:0065577C sub_655718      endp
    Code:
    seg000:00656C68                 push    ebp
    seg000:00656C69                 mov     ebp, esp
    seg000:00656C6B                 push    0
    seg000:00656C6D                 xor     eax, eax
    seg000:00656C6F                 push    ebp
    seg000:00656C70                 push    offset unk_656CD9
    seg000:00656C75                 push    dword ptr fs:[eax]
    seg000:00656C78                 mov     fs:[eax], esp
    seg000:00656C7B                 mov     eax, ds:dword_669C58
    seg000:00656C80                 mov     eax, [eax]
    seg000:00656C82                 mov     edx, eax
    seg000:00656C84                 shl     eax, 3
    seg000:00656C87                 sub     eax, edx
    seg000:00656C89                 cmp     eax, 6E4E00h
    seg000:00656C8E                 jz      short loc_656CC3         <-----------just change this jump
    seg000:00656C90                 push    0
    seg000:00656C92                 lea     ecx, [ebp+var_4]
    seg000:00656C95                 mov     dx, 64h                <---------------decryption key
    seg000:00656C99                 mov     eax, offset unk_656CEC    //"Runtime error 212"
    seg000:00656C9E                 call    sub_655718      <--------decrypt it
    seg000:00656CA3                 mov     eax, [ebp+var_4]
    seg000:00656CA6                 call    sub_404FB0
    seg000:00656CAB                 mov     edx, eax
    seg000:00656CAD                 mov     ecx, offset aError_6 ; "Error"
    seg000:00656CB2                 mov     eax, ds:dword_669D30
    seg000:00656CB7                 mov     eax, [eax]
    seg000:00656CB9                 call    sub_46FD6C
    Last edited by Solomon; August 16th, 2002 at 13:47.
    :D WARNING: Shareware authors are reading your detailed discussions without paying you! :D
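As an added example (not code from the thread, from Solomon, or from Tamos), the Python below reimplements the loop at loc_655747 from the first listing and the comparison at 00656C89 from the second, so the scheme can be inspected without a debugger. The constants 3039h and 2C9h and the key 64h are taken from the listings. That the value multiplied by 7 is the on-disk size of CV.exe is an inference from the thread (6E4E00h / 7 = 1032704, the size evaluator quotes for CV.exe in a later post), and the Delphi helper calls (sub_404DB8, sub_40513C, sub_405008) are assumed to be the usual string length / set-length / unique-string helpers and are not modelled. The point for anyone designing such a check is the second function group: the key is 16 bits wide, so a few bytes of known plaintext identify it by exhaustive search, and the obfuscation hides nothing from an analyst.

```python
# Added example (not code from the thread or from Tamos): a Python model of the
# string-obfuscation loop in sub_655718 and of the size test at 00656C89.

C1 = 0x3039      # "constant 1" in the listing: imul ax, si, 3039h
C2 = 0x2C9       # "constant 2" in the listing: add ax, 2C9h
MASK16 = 0xFFFF  # the key lives in si/ax, so every update is truncated to 16 bits


def decrypt(data: bytes, key: int) -> bytes:
    """Mirror of the loop at loc_655747.

    Each output byte is the input byte XORed with the high byte of the running
    16-bit key (movzx ecx, si / shr ecx, 8 / xor dl, cl).  The key is then
    advanced from the *input* byte (mov al, [edi+ebx-1] / add si, ax), so the
    schedule depends only on the ciphertext and the initial 16-bit key.
    """
    key &= MASK16
    out = bytearray()
    for c in data:
        out.append(c ^ (key >> 8))
        key = ((key + c) * C1 + C2) & MASK16
    return bytes(out)


def encrypt(data: bytes, key: int) -> bytes:
    """Inverse of decrypt(): same keystream, feedback taken from the byte just emitted."""
    key &= MASK16
    out = bytearray()
    for p in data:
        c = p ^ (key >> 8)
        out.append(c)
        key = ((key + c) * C1 + C2) & MASK16
    return bytes(out)


def recover_keys(ciphertext: bytes, known_prefix: bytes) -> list:
    """Known-plaintext search over the entire key space (only 65536 candidates).

    Returns every key for which the decrypted text starts with known_prefix.
    A handful of known bytes is enough to pin the key down, which is why this
    construction cannot keep a message such as a tamper warning secret.
    """
    head = ciphertext[:len(known_prefix)]
    return [k for k in range(0x10000) if decrypt(head, k) == known_prefix]


def size_check_passes(file_size: int) -> bool:
    """The test at 00656C84..00656C89: (x shl 3) - x == 6E4E00h, i.e. x * 7 == 0x6E4E00.

    The multiplied value is assumed (from the thread) to be the on-disk size of CV.exe;
    0x6E4E00 // 7 == 1032704, the CV.exe size quoted later in the thread.
    """
    return (file_size * 7) & 0xFFFFFFFF == 0x6E4E00


if __name__ == "__main__":
    # Constructed sample: an arbitrary message under the key 64h seen at 00656C95.
    blob = encrypt(b"sample tamper message", 0x64)
    print(blob.hex())
    print(decrypt(blob, 0x64))
    print([hex(k) for k in recover_keys(blob, b"sample")])
    print(size_check_passes(1032704), size_check_passes(1032705))
```

The feedback term uses the ciphertext byte, so decryption of a blob pulled out of the binary needs only the blob and the 16-bit key from the call site; a wrong key desynchronises immediately, which is what makes the exhaustive search above a clean filter.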

  6. #6
    evaluator
    Musician member, joined Sep 2001, 1,516 posts
    Hey, foxthree, I was running unpacked CV3.4.0.241 for 30 min on W98SE
    & nothing happened!

    When does the error happen, & on what system?

  7. #7
    Registered User (Norway, joined Oct 2001, 138 posts)

    To SilSaLaMaTa

    Hi SilSaLaMaTa
    I did unpack this one without problems, but when I try to work with the packet list (left- or right-click), I get the same problem as you describe. My copy also exits totally, so I have to restart the program. I have tried several things to find the jmp instructions you describe, but no luck. Exactly how did you find it? All kinds of input are welcome. :-)

    Another thing: after I unpacked it, it ran okay without changing anything further. (Not like the previous version with the CRC check described by +Splaj.) I unpacked it on WinME.

    regards,
    hobgoblin

  8. #8
    evaluator
    Musician member, joined Sep 2001, 1,516 posts
    Come on guys!!

    What "packet list", where????

    Maybe you will upload SCREEN-SHOT for me, so I will click there with Right-Pen-Click?

  9. #9
    Registered User (Norway, joined Oct 2001, 138 posts)

    Hi Evaluator

    Hi Evaluator,
    Open the program, push the start capturing button. Then after surfing on the net for a few seconds, click on the banner in the front of the main GUI called "Packets". Then try to click on one of the listed packets.

    Hope this helps,
    hobgoblin

  10. #10
    foxthree
    Guest

    What???

    Hey guys:

    Aren't you getting the runtime errors??? Bleh... Win98SE is the platform. I first get one RT error which I fixed... actually the "is-ASsPR-present" check... the second one is what I'd written about. Shitty!!!

    Don't tell me Tamoz removed its fav. CRC decryption loopz. Maybe they Ph3rrr +SplAj... Yoo hoo, r u there?

    Signed,
    -- FoxThree

  11. #11
    Registered User (Norway, joined Oct 2001, 138 posts)

    More info...

    I also unpacked it on WinXP. Something must have changed. After unpacking it, fixing the import table (using ReVirgin), and so on, it actually runs okay. AND no errors occur when working with packets. Must check to see what happens if I start patching the file....

    hobgoblin

    BTW, something occurred to me: maybe we have a slightly different import table after rebuilding it, and maybe that can cause some of the differences we experience.
    I found out when tracing the runtime error that popped up when I tried to work with packets on WinME that I actually ended up in one of the .dlls (fcd.dll), and the error was triggered when the program called the HeapAlloc API there...
    Last edited by hobgoblin; August 16th, 2002 at 18:14.

  12. #12
    evaluator
    Musician member, joined Sep 2001, 1,516 posts
    It does NOT crash! ~:0

    Now look here carefully:

    CV.exe
    size=1032704
    crc32=0FDFE149

    now make dump on OEP (not runtime)

    OEP=0065C800
    IT=002AF000 SIZE=0280

    paste my IT at 002AF000 in fixed-dump and tell me if crashes.

  13. #13
    SilSaLaMaTa
    Guest
    hi
    Fox3:
    I passed the CRC check with +SplAj techniques

    Solomon :
    I changed the jump , but still run time error

    hobgoblin :
    As Solomon said, there is a call to the decryption routine; check the xrefs. For CV 3.4 build 238 the routine is at 656B9C and the call is at 64618A. Look at 646185, there is the cmp.

    evaluator:
    What do you mean by "now make dump on OEP (not runtime)"? How do I make a dump "not runtime"?
    Last edited by SilSaLaMaTa; August 16th, 2002 at 20:30.

  14. #14
    evaluator
    Musician member, joined Sep 2001, 1,516 posts
    I mean not after OEP.

    BTW, what is SPLAJ's technique? rsrc unpacking?

  15. #15
    Registered User (Norway, joined Oct 2001, 138 posts)

    About CRC check

    I'm a little confused by the CRC check cracking described by +Splaj myself. After changing one byte in the code I put a bpm <address that had changed> rw, but it didn't lead me anywhere in CV.exe. I ended up in fcd.dll. I then tried bpr rw on the same address, but didn't find any code similar to what +Splaj described in his CommView tut.
    SilSaLaMaTa, how did you find it?
    I'm wrestling with build 242, so the addresses you give me aren't the same... :-)

    regards,
    hobgoblin

    Actually, I found where the MD5 algo routine is, so I think I will do some reading of older posts before doing anything else.
    Thanks for previous posts about the subject..:-)
    Last edited by hobgoblin; August 16th, 2002 at 22:44.
