
Thread: A Troublesome DLL file

  1. #31
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    1.) Does the "purchased" version come with a different ".inx" file and/or do you know whether or not it has the same dll file.
    There is no free demo of this version of software.
    Quote Originally Posted by JMI
    2.) How did you receive it? Did you purchase it online and receive disks, or was it sent to you by email or download from their server?
    Download from their server.
    Quote Originally Posted by JMI
    3.) Do you have a copy of the original install exe on one of your machines? If so, what is its size in KBs?
    Both EXEs are the same.
    Quote Originally Posted by JMI
    4.) When you get the error message "1 Key used to many times" does the install stop altogether, or does it just install the "free" version? I do not find that error message in either the "free" ".inx" or Dll files.
    No, it resets the fields during install. If you use the modified dll to install, the program will display the error, and terminate. THERE IS, however, a hacked version of this software, but it displays a 421 Sound Error, then terminates.
    Quote Originally Posted by JMI
    5.) Do you have a copy of the "purchased" ".inx" file and have you decompiled and compared it to the "free" version? Does that error message appear in its text?
    Yes both are the same.
    Quote Originally Posted by JMI
    6.) On the machine where it is still running, have you tried to get an update and if you try, make sure to record what is sent and received.
    No updates for the program exist.
    Quote Originally Posted by JMI
    7.) I assume that Q5MDB-A5CG-YZEY-APBD9 was the hash of the original serial. Is that correct?
    That is my original cdkey, yes.
    Quote Originally Posted by JMI
    8.) What are the entries on the working copy for the A88A6800 Key and for the B43CCF60 Key, as shown in RegEdit? Do you have another copy installed on another machine you can compare those entries against?
    The machine is no longer at my house, so I am a little slow about getting this information. I have regmon logs, and am looking through them now as I type.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #32
    DaddyJTHC
    Guest
    This is the only key found in the regmon log on the machine that has it installed.

    HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9} SUCCESS
    Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}

    HKCR\CLSID\{B43CCF60-CE86-11d3-BDF4-00902745D0A9}\ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47

  3. #33
    DaddyJTHC:

    If you want to put the original exe up where you had it posted before (without reposting the URL) I'll download it and take a look. The whole exe would be best, but I need at least the DLL and the .inx file for the program, because the one I have from the company is the free demo.
    If you want to do that, PM me and I'll download it and then you can take it down again.

    Regards,
    JMI

  4. #34
    DaddyJTHC:

    Download completed. You can take it down now. I failed to notice the single letter difference between the file I downloaded and the one you have. Happens when your eyes get older. Looking back over your other threads, I also notice that while the B43CCF60 Key appears to be the same, I failed to notice that the A88A6800 key did not match your program's second CLSID. However, that may suggest good things for further review. I'll take a look at the material and report when I've had a chance to look at it. I might also at some point need the non-working DLL, although sgdt's post suggests where it might be different.

    Do you know if he may have only been looking at the "free version" also, but his discussion it is of that version, and not yours?

    Edit: Now that I've had time to unrar it, I see the other files are included. Thanks. Always good to plan ahead.

    Regards,
    JMI

  5. #35
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    DaddyJTHC:

    Edit: Now that I've had time to unrar it, I see the other files are included. Thanks. Always good to plan ahead.
    For as long as I have been dealing with this, I am just glad someone will take the time to look.

  6. #36
    DaddyJTHC:

    A few random thoughts from my quick review so far. First I believe I can say that the error code returned does not exist in either the .inx or the dll file. I've only begun to scratch the surface, but have an idea worth pursuing. The "ApartmentModel SUCCESS 99 D2 32 19 01 3C 28 47" may be more significant than I understand. Doing a little parallel research on the M$ site and here, the "ApartmentModel" seems to be an indicator of a COM object which may, and I emphasize may, indicate that such an object was downloaded by the server. This is mostly guesses at the moment. Some discussion of COM objects is found here:
    http://www.woodmann.com/forum/showthread.php?t=5437

    Frankly, I don't know a hell of a lot about COM objects (OK really almost nothing), even to know if my guess may be in the right direction, but it sure would be interesting if we can locate a COM object on the machine with the working program that is somehow related to that "99 D2 32 19 01 3C 28 47" listing. Now just have to figure out how to find such things. More research required. I need to take a break and get some food and then I'll do some more research and review some more code. Might not post again until tomorrow. Thanks for the interesting project. Maybe someone with more knowledge about COMs and where they hide will chime in.

    Have you seen any reference to any COM files in the regmon printout?

    Regards,
    JMI

  7. #37
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    indicate that such an object was downloaded by the server. This is mostly guesses at the moment.
    This may be the case, as after further investigation, the working machine doesn't ever check online to see if the cdkey is valid. I've tried many different attempts to recreate that registry entry (NO LUCK). As far as the logs go, I can send them. I have the REG & file logs for both the Non-Working, and the Working Computer.

    Another thing you noted that the error wasn't in the dll file. I do beg to differ there (I could be wrong). When I viewed the DLL in WDASM, and went into string refs, I could see the error listed in there. Under the format of
    String Resource ID=00116
    "Cannot install. This %s key has been used to many times."
    Line 10576 pg 132 and 133 of 516.

    If you look at the MODed .EXE it does bypass this check, but gets held on the 421 Sound Card Error. Is there any light there to bypass?

  8. #38
    DaddyJTHC
    Guest
    Noticed something odd in the regmon logs:
    :Working Machine:
    OpenKey HKCU\CLSID SUCCESS Key: 0xE18E2B20
    QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-73586283-789336058-839522115-1003_CLASSES\CLSID
    OpenKey HKCR\CLSID SUCCESS Key: 0xE16B5640
    CloseKey HKCR\CLSID SUCCESS Key: 0xE16B5640
    It doesn't query the HKCR

    :NON Working Machine:
    OpenKey HKCU\CLSID NOTFOUND
    OpenKey HKCR\CLSID SUCCESS Key: 0xE4039180
    QueryKey HKCR\CLSID SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID

    Any significance here?

  9. #39
    Hey DaddyJTHC:

    You're not suggesting that I made a mistake are you? That would be the first one I ever made....so far this evening. It is somewhat curious, though. I am using IDA, as I'm running XP SP2 and haven't gotten WDASM to work on my box. I have reviewed the IDA string references many times and don't see that listing. I have now checked the DLL with a text editor and do find the string at 1A882 but haven't figured out why they don't show up in IDA yet.

    I can see two possibilities for copying but first we need to identify exactly what it refers to because it would do no good to have an entry without the corresponding COM object. Perhaps you could do a search of the machine that works and the one that doesn't for ".com" files and maybe we can identify what was installed. I need to figure out how to configure this version of IDA so it recognizes these strings.

    Regards,
    JMI

  10. #40
    DaddyJTHC
    Guest
    Quote Originally Posted by JMI
    I'm running XP SP2 and haven't gotten WDASM to work on my box.
    The version of wdasm I have runs fine on both my 2003 server box, and my xpsp1 box. It is version 8.9.

    I will do a search on that machine next time I get a chance for the .com Object.

    Also about the two CLSIDs:

    The A6 one isn't useful to us. It is to verify addons to the program. We need to stick with just the B4 CLSID, that one is definitely the more important of the two.

  11. #41
    DaddyJTHC:

    Haven't had too much time with the program today, but do have a few interesting observations from the dead listing.

    Public Entry of the DLL occurs at ViseEntry =10003E0A. At ViseEntry + 14A there is a reference to sub_100023B8 with a CODE XREF: sub_10001E1B+504.

    Most of the relevant action seems to be connected with subroutines which begin at 10001E1B. This subroutine has reference to DPERROR at 1E1B + 20A1, which is the “error code” format returned by the server.

    We suspect that the "ApartmentModel" registry entry is important. There are calls related both to the "query", "creation", and "setting" of the Key at around 1E1B+ 504. ViseEntry + 14A calls 10001E1B + 504 which opens and queries the ApartmentModel Key at sub_100023B8.

    10001E1B+4FA calls sub_10002476.

    There are two calls to RegCreateKeyExA at 1002476 + 21 and at + 38. There are two calls to RegSetValueExA at 10002476 + 15C and at 10003DB3 + 44.

    Only the subroutines at 10002476 deal with "creating" and "setting" of an "ApartmentModel" Key. 2476 + 21 calls RegCreateKeyExA and 2474 + 15C calls RegSetValueExA in relation to an “ApartmentModel”.

    ViseEntry + 1A7 calls sub_10001125 which alternatively "moves" 6, 5, 4, 3, 2, 1, and then has an "and" of 0. Each of these in turn goes to 1000D145. This may be the test of the returned number of "installs" returned from the server.

    So some further study of the dead listing should, hopefully, lead to further isolation and understanding of these routines.

    Regards,
    JMI

  12. #42
    nikolatesla20
    Code Injector (joined Apr 2002, 815 posts)
    w00t COM reversing I love...

    Anyway, if it IS com it doesn't necessarily have to be on your machine, DCOM can create an object remotely over the internet. However, I doubt this is the actual case.

    Wow I wouldn't mind looking at this in my spare time-

    nikolatesla20_at_yahoo_D-O-T_com.

    -nt20

  13. #43
    Tolstoinisten
    Guest
    Quote Originally Posted by JMI
    I need to figure out how to configure this version of IDA so it recognizes these strings.
    Did you find out what caused this "error", JMI?

    Sorry to barge in like this. It is a very interesting read, but it would be nice to know what caused the error, so something like this doesn't happen with my version of IDA.

    Cheerz,

  14. #44
    DaddyJTHC
    Guest
    JMI:

    I have searched the working computer over, and either do not know how to look, or didn't find anything.
    Both computers make a reg entry to the tk421.dll file. I'm currently examining this file for any relevance, although I believe it is more of an "audio related nature". No luck on much of anything else, will keep posted.

    DJ

  15. #45
    DaddyJTHC
    Guest
    Quote Originally Posted by nikolatesla20
    w00t COM reversing I love...

    Anyway, if it IS com it doesn't necessarily have to be on your machine, DCOM can create an object remotely over the internet. However, I doubt this is the actual case.

    Wow I wouldn't mind looking at this in my spare time-

    nikolatesla20_at_yahoo_D-O-T_com.

    -nt20
    PM me for more info if you're interested in helping!
    DJ
