
Thread: A Troublesome DLL file

  1. #46
    The Svin
    Guest
    ... and flagrant violation of...
    What does flagrant mean?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #47
    dELTA
    Administrator
    http://dictionary.reference.com/search?q=flagrant

    Also, please use the "quote" functionality of the board when quoting people, instead of just making the quoted text italic, it is much less confusing.

  3. #48
    DaddyJTHC
    Guest

    any luck

    Hey JMI, any luck with anything?

  4. #49
    I have been out of town for a few days and haven't gotten back to it yet. Will try again soon.

    Regards,
    JMI

  5. #50
    DaddyJTHC
    Guest

    That's Cool!

    That's okay, just didn't hear anything from anyone. Glad you're back, hope it was recreational.

    DJ

  6. #51
    DaddyJTHC:

    While you are "waiting" for me, did you look at those code sections which I mentioned back on March 16 which write the ApartmentModel entry and/or try to further trace the code at ViseEntry + 1A7 calls sub_ 10001125 which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0. Each of these in turn goes to 1000D145. I stated this may be the test of the returned number of "installs" returned from the server.

    It is interesting that there are two setup files in the two folders created in the temp folder when the program starts up and before it connects to the company server. We need to find the code which reads whatever response is sent back and then follow what it does with it.

    Also have you tried exporting the ApartmentModel key in regedit and importing it into the registry of the machine where the program doesn't work?

    I also noticed that when trying to run the MOD version, it is asking for a rmbe3260.dll from RealProducer. I haven't taken apart the Installshield exe yet to see if it is included.

    I suspect that once the server sends back whatever confirmation it does when it determines whether there have been more than five installs, it simply proceeds with the install, unpacks the install program and inserts the CLSID key as part of the setup instructions. Obviously more study is required, but you should be studying this code also.

    Regards,
    JMI

  7. #52
    DaddyJTHC
    Guest

    Yes Sir.

    Yes, I have been studying this code, although I am not the greatest. Yes, I have done a complete registry dump of the working machine and imported it into the non-working machine; still the same error. I also believe recently that the company has eliminated my key, as now I am getting an "Invalid Key Error". As I have previously stated, I don't have direct access to the working machine, so that is the reason for the slow updates.

    I have noticed the coding you were referring to (6, 5, 4, 3, 2, 1), and have tried a few NOP commands with no luck. I also was tracing back the errors, and seem to get "Windows must close this program" a lot when I try and bypass them.

    As far as the server goes, I can't say that anything actually gets downloaded because I didn't ever check while I was installing with a valid key.

    I have made several attempts to contact the company to get a replacement key, so hopefully that might work out.
    I'll keep you updated. Thanks for the lookout advice.

    DJ

  8. #53
    DaddyJTHC
    Guest

    Post A Snapshot of life.

    After further review, and the loss of my software, I am attempting one last snapshot of the working version. Results:
    Software installed 09-05-99
    Serial - Valid
    Validation - Success
    This software does not have access to internet, but did at time of registration
    if nointernet but validation then success else failure

    Non-working version. Results:
    Software installed 09-05-99
    Serial - Valid
    Validation - Success
    I have disabled this software's access to the internet.
    Still causes failure return.

    Software install form - Downloadable from online shopping cart.
    Software Protection - In form of company DLL. Can bypass this but believe it is incorrectly performed.
    Other Software Protection - Database entries on company's local webserver.
    Protection Data - Email & CdKEY Combination = encoded hexlet string e.g.
    myemail.com|CdKey|SoftwareID or even MachineID = 9e9af73
    Returns Validation Key is success. - Can Bypass this.

    Installed Software makes final check of validation via internet. If internet isn't present the software will scream at you. Once the software makes this final check it no longer requires the internet.

    Since I can no longer install this software correctly, I must use the working machine as a drive tool, but do not have direct access to it for long periods of time.

    I have run Filemon and Regmon on the working computer, and imported the entire registry. No success.

    We were last looking for a COM Object in the ApartmentModel? What would be the correct way to search for this? I am inexperienced when it comes to those.

    Of course I have checked p2p software for working cracks; there is one, but it produces a "sound card error" on every machine.

    I have searched far and wide, and have gotten the most help here, thanks to JMI & Sarge, and believe there is an answer within this site. Please don't be scared to help.

  9. #54
    DaddyJTHC:

    Been very busy of late and haven't had much chance to play with the program. Did run the MOD version through PE Explorer and IDA, however, and noticed some interesting information. I noticed you are lurking on the Board and will add to this in a moment, when I locate my notes.

    In my post of 3-15 I discussed the portion of the Vise DLL which contained the following code:

    "ViseEntry + 1A7 calls sub_ 10001125 which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0. Each of these in turn goes to 1000D145. This may be the test of the returned number of "installs" returned from the server."

    Looking at the Mod version of the file with PE Explorer I located the following:

    0046A19F L0046A19F:
    0046A19F C705AC525D0001001085 mov dword ptr [L005D52AC],85100001h
    0046A1A9 E822F6FFFF call SUB_L004697D0
    0046A1AE 8B0D4CEF5C00 mov ecx,[L005CEF4C]
    0046A1B4 894C2404 mov [esp+04h],ecx
    0046A1B8 83F806 cmp eax,00000006h
    0046A1BB C644244401 mov byte ptr [esp+44h],01h
    0046A1C0 773F ja L0046A201
    0046A1C2 FF248534A24600 jmp [CASE_PROCTABLE_0046A234+eax*4]
    0046A1C9 CASE_0046A234_PROC0000:
    0046A1C9 6810FD5900 push SSZ0059FD10_Application_validated
    0046A1CE EB28 jmp L0046A1F8

    0046A1D0 CASE_0046A234_PROC0001:
    0046A1D0 68F4FC5900 push SSZ0059FCF4_Validation_Failed__Bad_Key
    0046A1D5 EB21 jmp L0046A1F8
    0046A1D7 CASE_0046A234_PROC0002:
    0046A1D7 68D4FC5900 push SSZ0059FCD4_Validation_Failed__Key_Overuse
    0046A1DC EB1A jmp L0046A1F8
    0046A1DE CASE_0046A234_PROC0003:
    0046A1DE 68B0FC5900 push SSZ0059FCB0_Validation_Failed__Email_mismatc
    0046A1E3 EB13 jmp L0046A1F8
    0046A1E5 CASE_0046A234_PROC0004:
    0046A1E5 6890FC5900 push SSZ0059FC90_Validation_Failed__ID_mismatch
    0046A1EA EB0C jmp L0046A1F8
    0046A1EC CASE_0046A234_PROC0005:
    0046A1EC 6874FC5900 push SSZ0059FC74_Validation_Failed__Unknown
    0046A1F1 EB05 jmp L0046A1F8
    0046A1F3 CASE_0046A234_PROC0006:
    0046A1F3 6848FC5900 push SSZ0059FC48_Validation_Failed__No_Internet_C
    0046A1F8 L0046A1F8:
    0046A1F8 8D4C2408 lea ecx,[esp+08h]
    0046A1FC E873DE0E00 call SUB_L00558074

    0046A201 L0046A201:
    0046A201 8D4C2404 lea ecx,[esp+04h]
    0046A205 C644244400 mov byte ptr [esp+44h],00h
    0046A20A E828DD0E00 call SUB_L00557F37
    0046A20F 8D4C2408 lea ecx,[esp+08h]
    0046A213 C7442444FFFFFFFF mov dword ptr [esp+44h],FFFFFFFFh
    0046A21B E8E0B7FEFF call SUB_L00455A00
    0046A220 8B4C243C mov ecx,[esp+3Ch]
    0046A224 8BC6 mov eax,esi
    0046A226 5E pop esi
    0046A227 64890D00000000 mov fs:[00000000h],ecx
    0046A22E 83C444 add esp,00000044h
    0046A231 C3 retn
    ;----------------------------------------------------------------------------------------------------


    ;----------------------------------------------------------------------------------------------------
    0046A232 8BFF Align 4
    0046A234 CASE_PROCTABLE_0046A234:
    0046A234 C9A14600 dd CASE_0046A234_PROC0000
    0046A238 D0A14600 dd CASE_0046A234_PROC0001
    0046A23C D7A14600 dd CASE_0046A234_PROC0002
    0046A240 DEA14600 dd CASE_0046A234_PROC0003
    0046A244 E5A14600 dd CASE_0046A234_PROC0004
    0046A248 ECA14600 dd CASE_0046A234_PROC0005
    0046A24C F3A14600 dd CASE_0046A234_PROC0006

    0046A250 SUB_L0046A250:
    0046A250 6AFF push FFFFFFFFh
    0046A252 6825D35600 push L0056D325
    0046A257 64A100000000 mov eax,fs:[00000000h]
    0046A25D 50 push eax
    0046A25E 64892500000000 mov fs:[00000000h],esp
    0046A265 81EC0C010000 sub esp,0000010Ch
    0046A26B A14CEF5C00 mov eax,[L005CEF4C]
    0046A270 56 push esi
    0046A271 C744240800000000 mov dword ptr [esp+08h],00000000h
    0046A279 89442404 mov [esp+04h],eax
    0046A27D 8B942424010000 mov edx,[esp+00000124h]
    0046A284 A160685D00 mov eax,[L005D6860]
    0046A289 8D4C240C lea ecx,[esp+0Ch]
    0046A28D 6804010000 push 00000104h
    0046A292 51 push ecx
    0046A293 52 push edx
    0046A294 50 push eax
    0046A295 C7842428010000010000+ mov dword ptr [esp+00000128h],00000001h
    0046A2A0 FF1574655700 call [USER32.dll!LoadStringA]
    0046A2A6 8D4C240C lea ecx,[esp+0Ch]
    0046A2AA 51 push ecx
    0046A2AB 8D4C2408 lea ecx,[esp+08h]
    0046A2AF E8C0DD0E00 call SUB_L00558074
    0046A2B4 8BB42420010000 mov esi,[esp+00000120h]
    0046A2BB 8D542404 lea edx,[esp+04h]
    0046A2BF 52 push edx
    0046A2C0 8BCE mov ecx,esi
    0046A2C2 E8E5D90E00 call SUB_L00557CAC
    0046A2C7 C744240801000000 mov dword ptr [esp+08h],00000001h
    0046A2CF 8D4C2404 lea ecx,[esp+04h]
    0046A2D3 C684241801000000 mov byte ptr [esp+00000118h],00h
    0046A2DB E857DC0E00 call SUB_L00557F37
    0046A2E0 8B8C2410010000 mov ecx,[esp+00000110h]
    0046A2E7 8BC6 mov eax,esi
    0046A2E9 5E pop esi
    0046A2EA 64890D00000000 mov fs:[00000000h],ecx
    0046A2F1 81C418010000 add esp,00000118h
    0046A2F7 C3 retn
    ;----------------------------------------------------------------------------------------------------

    00558074 SUB_L00558074:
    00558074 56 push esi
    00558075 57 push edi
    00558076 8B7C240C mov edi,[esp+0Ch]
    0055807A 8BF1 mov esi,ecx
    0055807C 85FF test edi,edi
    0055807E 7504 jnz L00558084
    00558080 33C0 xor eax,eax
    00558082 EB07 jmp L0055808B

    00558084 L00558084:
    00558084 57 push edi
    00558085 FF1564615700 call [KERNEL32.dll!lstrlenA]
    0055808B L0055808B:
    0055808B 57 push edi
    0055808C 50 push eax
    0055808D 8BCE mov ecx,esi
    0055808F E863FFFFFF call SUB_L00557FF7
    00558094 8BC6 mov eax,esi
    00558096 5F pop edi
    00558097 5E pop esi
    00558098 C20400 retn 0004h

    00557FF7 SUB_L00557FF7:
    00557FF7 56 push esi
    00557FF8 57 push edi
    00557FF9 8B7C240C mov edi,[esp+0Ch]
    00557FFD 8BF1 mov esi,ecx
    00557FFF 57 push edi
    00558000 E809FFFFFF call SUB_L00557F0E
    00558005 57 push edi
    00558006 FF742414 push [esp+14h]
    0055800A FF36 push [esi]
    0055800C E89F1BFEFF call SUB_L00539BB0
    00558011 8B06 mov eax,[esi]
    00558013 83C40C add esp,0000000Ch
    00558016 8978F8 mov [eax-08h],edi
    00558019 8B06 mov eax,[esi]
    0055801B 80243800 and byte ptr [eax+edi],00h
    0055801F 5F pop edi
    00558020 5E pop esi
    00558021 C20800 retn 0008h

    What this shows is that the return of "0" leads to the:

    push SSZ0059FD10_Application_validated
    0046A1CE EB28 jmp L0046A1F8

    section of the code and is where the Code has to end up if it is validated by what has been returned from the server.

    Have you traced the MOD version in Softice and found the point where it failed? I still suspect that it is failing because of the absence of the COM entry we previously discussed.

    Have you done a "file compare" on the working exe vs. the MOD exe to see what was changed and where?

    Hope to have some more time to play with it soon.

    Regards,
    JMI
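The switch JMI reads out of the listing, reconstructed as an added example (not JMI's code and not the program's): it decodes the seven dd entries of CASE_PROCTABLE_0046A234, ties each target to the string its case body pushes, and reproduces the `cmp eax,6 / ja L0046A201` guard, whose unsigned compare also sends a negative return value past the table. The listing lines it embeds are copied from the post above; the function names are mine.

```python
import struct

# Constructed from the PE Explorer listing quoted in the post above:
# the seven dd entries at CASE_PROCTABLE_0046A234 and the `push imm32`
# that opens each CASE_0046A234_PROCxxxx body.
TABLE_BASE = 0x0046A234
CASE_TABLE = bytes.fromhex(
    "C9A14600" "D0A14600" "D7A14600" "DEA14600"
    "E5A14600" "ECA14600" "F3A14600"
)
CASE_BODIES = """
0046A1C9 6810FD5900 push SSZ0059FD10_Application_validated
0046A1D0 68F4FC5900 push SSZ0059FCF4_Validation_Failed__Bad_Key
0046A1D7 68D4FC5900 push SSZ0059FCD4_Validation_Failed__Key_Overuse
0046A1DE 68B0FC5900 push SSZ0059FCB0_Validation_Failed__Email_mismatc
0046A1E5 6890FC5900 push SSZ0059FC90_Validation_Failed__ID_mismatch
0046A1EC 6874FC5900 push SSZ0059FC74_Validation_Failed__Unknown
0046A1F3 6848FC5900 push SSZ0059FC48_Validation_Failed__No_Internet_C
"""

def decode_jump_table(table):
    """Each dd entry is a little-endian 32-bit code address."""
    return [struct.unpack_from("<I", table, i)[0] for i in range(0, len(table), 4)]

def parse_case_bodies(listing):
    """Map each case's code address to (string address, label) taken from its push imm32."""
    cases = {}
    for line in listing.strip().splitlines():
        addr, opcode, mnemonic, operand = line.split(maxsplit=3)
        if mnemonic == "push" and opcode.startswith("68"):      # 68 = push imm32
            str_addr = struct.unpack("<I", bytes.fromhex(opcode[2:]))[0]
            cases[int(addr, 16)] = (str_addr, operand)
    return cases

def dispatch(eax):
    """Mirror `cmp eax,6 / ja L0046A201 / jmp [CASE_PROCTABLE_0046A234+eax*4]`.
    `ja` is an unsigned compare, so a negative eax also skips the table."""
    if (eax & 0xFFFFFFFF) > 6:
        return None                      # L0046A201: no message pushed
    target = decode_jump_table(CASE_TABLE)[eax]
    return parse_case_bodies(CASE_BODIES)[target][1]

def table_is_consistent():
    """Every decoded target must be exactly one case body, and each pushed
    string address must match the address embedded in its SSZ label."""
    targets = decode_jump_table(CASE_TABLE)
    cases = parse_case_bodies(CASE_BODIES)
    if sorted(targets) != sorted(cases):
        return False
    return all(int(label[3:11], 16) == saddr for saddr, label in cases.values())
```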

  10. #55
    DaddyJTHC
    Guest
    Interesting,
    Yes, I have traced the MOD version, and it fails on a sound card 421 error. This may have something to do with the COM object as you have stated. I myself have been busy also, but I hope to have some time this weekend to have access to the working machine so I can try and capture the whole system state, and restore it to mine; that way I can have more play time with it.

    Thanks much.
    Daddyj
