
Thread: Making a program run without the loader?

  1. #1
    markh51
    Guest

    Making a program run without the loader?

    I have a non-commercial program which I want to change...

    I want it to run without the dongle in place. (I have the dongle, but it is a pain in the arse, as I have more than one prog which requires the use of a dongle on the LPT port.)

    I have tried to reverse the prog but it is proving to be a bit of a nightmare, as the program with the protection can't be run by itself. If you try, it throws an "Access violation at address..." error. It will only run if it is called by the loader. When it does run, it opens in full screen and you can't switch back to the disassembler!

    So my questions are:

    1) What routine would the program use to check to see if it was run by the loader?

    2) How do I stop it loading in full screen and not being able to switch back?

    3) How do I get rid of the nasty dongle (Dallas iButton)?

    Thanks in advance.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    markh51:

    At the moment, your post simply looks like a crack request. You have apparently not read the FAQ listed in the BIG RED LETTERS at the top of the Forum. Time for you to do so now.

    After you read the FAQ, you will discover that one of our requirements here is that you not only attempt to help yourself before you ask a question, you also have to do your own research, show what you have done and where you are stuck, after trying to help yourself.

    Your post shows no personal effort at solving your own problem and contains information which suggests you are not being truthful with us. For example, why would a "non-commercial" program be protected with a "Dallas iButton"? So I ask YOU what you have done to determine:

    1) What routine would the program use to check to see if it was run by the loader ?

    2) How do YOU try to stop it loading in full screen and not being able to switch back?

    3) What have you searched for and read on how YOU get rid of the nasty dongle?

    We are not here to do YOUR work for you, only to try to help you along AFTER you have demonstrated that you have tried to help yourself.

    Regards,
    JMI

  3. #3
    markh51
    Guest
    First of all, I am not expecting anyone to do all the work for me. I have been working on this program for over 8 days without any luck... that's how I have "helped myself".

    Secondly... I came to the conclusion that the program is not commercial due to the fact that it is not available for sale... anywhere. I OWN a copy of this program as well as 2 dongles for it. I just want to make it work without the dongle as I have other programs such as my compiler which require a dongle to be in place as well.

    The reason why I have had no luck with this prog is because it must be run through a "loader" for it to run. When it does run, it opens in full screen and stops you switching back to the debugger.

    The only way I can see myself being able to do this is if I can make it run without the loader and stop it going into full screen (or find a way of switching back to the debugger).

    So any help is greatly appreciated.

    Best regards,
    Markh51

  4. #4
    markh51:

    You still seem to be missing the point. We are not mind readers; we can deal ONLY with what you write. You will notice your first post (as well as your second) says nothing about what you have actually done to help yourself except: "I have been working on this program for over 8 days without any luck."

    You say the program has to be run by a "loader." Have you looked at this "loader" in any analysis tools, such as IDA and/or WDasm to examine the code?

    You say it "stops you switching back to the debugger." Have you done ANY research here or on the net on "anti-debugger" procedures or techniques or are you simply waiting for someone to give you a tutorial on how programs might muck with your debugger? Are you aware that it is not unusual for programs to disable a debugger or how they might do that? Have you searched here or anywhere for such information? We don't even know WHICH debugger you might be trying.

    No one can tell from what you have posted ANYTHING about your skill level or knowledge base or ANYTHING you may have already tried. The FAQ states you should:

    Cut and Paste these questions in your post, including your answers :
    1. What is the problem....
    2. What is the protection.....
    3. What tools are you using....
    4. What tutorials have you read....
    5. Show your output listing WITH comments....
    6. NOW ask your question....

    It is hard to argue you have done ANY of these things and you certainly have not told us ANYTHING you have actually done to help yourself solve this problem. You may have done many things, but you have done NOTHING to SHOW that you have done ANYTHING. That IS the point.

    Regards,
    JMI

  5. #5
    markh51
    Guest
    Sorry about this, I'm new to posting things, I never thought to explain in a bit more detail:

    1. What is the problem....
    The application which I need to remove the dongle protection from must be called from the loader. This makes it a bit more tricky to debug, but not impossible.

    2. What is the protection.....
    The only protection that I can see is the Dallas iButton and an anti-SoftICE routine which I have already removed.

    3. What tools are you using....
    IDA Pro, W32DASM 8.93, PE Explorer and a Hexeditor

    4. What tutorials have you read....
    I have trawled the net about the Dallas iButton, but there appears to be nothing apart from that it can be cracked by using a dictionary attack, only if the developer uses a "normal" word... not in this case! I have downloaded a copy of the API and have searched for the functions/references but there appears to be nothing in the main prog or the DLL file.

    5. Show your output listing WITH comments....
    I have attached a TXT file; is this what you mean by output listing?

    6. NOW ask your question....

    1) What routine would the program use to check to see if it was run by the loader? If you run the prog without the loader it throws an "Access violation at address..."

    2) How do I stop it loading in full screen and not being able to switch back? You can't use CTRL-ALT-DEL or ALT-TAB or anything; only CAPSLOCK appears to work.

    3) How do I get rid of the nasty dongle (Dallas iButton)?
    I think I would be able to do this myself if I could debug the prog as it was running, as I am just having to take a shot in the dark at the moment.

  6. #6
    markh51:

    This is much better. Now it's time to use some strategic thinking and do some searching. You say you have removed the anti-SoftICE routine (or at least disabled it) and now advise that one of the problems is that the program appears to disable parts of the keyboard necessary for activating SoftICE.

    This should suggest to you certain search criteria for analysis of your problem, such as "keyboard" and "disable." Just doing a simple search HERE using those two terms I found several threads here, including one titled:
    "how to remove Alt+tab protection" which may have some pertinent information. You will find it at

    http://www.woodmann.com/forum/showthread.php?t=5287&highlight=disable+keyboard

    The other threads with that search may also help. What you need is some general research on keyboard hooking and the APIs which are used for that purpose, and then determining what the "loader" is using to disable those keys.

    You might be interested in the fact that Windows has an "application compatibility toolkit" that allows some hooking and modification of the keyboard. Check out the article at http://www.rpgexpert.com/548.html on how the program can be used to disable some keys. Analysis of the program might give you some clues and might actually permit you to modify your program itself.

    Googling using "disabling alt tab" also will find some useful information, such as this short article at:

    http://www.codeguru.com/Cpp/misc/misc/keyboard/article.php/c433/

    "Disabling the Alt-Tab key combination
    Dan Crea
    February 4, 1999

    The simplest way to achieve this is to use the RegisterHotKey function. By calling this function from within your process you take precedence over the O/S. The WM_HOTKEY message that is generated by the specified key combination will be redirected to your process's message queue. To block the hotkey, don't process the WM_HOTKEY message that is sent to your queue. Below I have copied a constructor and destructor that demonstrate this action.

    // Call the RegisterHotKey function when the application
    // is instantiated to block the ALT-TAB combination.
    // Note: m_nHotKeyID is an int member which holds the hotkey
    // ID; the hotkey ID is programmer defined.
    // (GetSafeHwnd() is still NULL this early in construction, so
    // WM_HOTKEY is posted to the calling thread's message queue
    // rather than to a window; either way it is simply left unhandled.)
    CMainFrame::CMainFrame()
    {
        m_nHotKeyID = 100;

        BOOL isKeyRegistered = RegisterHotKey(GetSafeHwnd(), m_nHotKeyID,
                                              MOD_ALT, VK_TAB);

        ASSERT(isKeyRegistered != FALSE);
    }

    // Remove the hotkey block when the application is destroyed.
    // (The original spelt the local m_iskeyUnregistered on one line and
    // m_isKeyUnregistered on the next, which does not compile; the locals
    // are not members, so the m_ prefix is dropped here.)
    CMainFrame::~CMainFrame()
    {
        BOOL isKeyUnregistered = UnregisterHotKey(GetSafeHwnd(), m_nHotKeyID);
        ASSERT(isKeyUnregistered != FALSE);
    }

    There you have it, the simplest way to block the ALT-TAB without writing a VxD.
    One last thing, the hotkey block will continue as long as your application is running. When your process terminates the hotkey will return to its original functionality."

    Those same search terms will find you an interesting article titled: "Typename, Disabling Keys in Windows XP with TrapKeys" at

    http://msdn.microsoft.com/msdnmag/issues/02/09/CQA/default.aspx

    which discusses ways it can be done.

    In other words, when you identify a problem (in this case certain keys on the keyboard are disabled) this should suggest to you various terms you can use to search for answers to your problems. This is the result of thinking about your problem, understanding what it is, and choosing terms which describe the problem, and then searching for answers.

    Regards,
    JMI

  7. #7
    markh51
    Guest
    JMI:

    The thing is, I don't use SoftICE; I use W32DASM or IDA. I just disabled the routines as I thought they might affect other debuggers. I don't know how to use SoftICE.

    The main loader totally disabled the keyboard, but I have now patched that. The prog which I am trying to debug uses DirectDraw for full screen; does this stop you switching tasks?

    Why would the prog throw an "Access violation at address" error if it is not called from the loader? I have looked at APIs like kernel32 GetCommandLineA.

  8. #8
    markh51:

    Read the additions to my previous post. If you aren't dealing with anything (at the moment) other than the disabling of parts of the keyboard, those links and search terms I suggested should get you on your way.

    Are you using IDA as your debugger or are you not using a debugger at all?

    If the loader "totally disabled the keyboard" and you patched it, maybe you didn't do so correctly or completely. And if it "totally disables the keyboard" does the program run only from the mouse?

    Please note that DETAILS ARE IMPORTANT. Nothing in your first two posts mentioned that the "entire" keyboard was disabled, so you certainly left the impression this was an anti-debugger issue when it now suggests it is something else. Maybe you should search for "keyboard disabled."

    Regards,
    JMI

  9. #9
    markh51
    Guest
    JMI:

    I am using IDA and W32DASM as my Debugger and Disassembler.

    The patch for the "Disabled keyboard" does work because if you run the "unpatched" loader and exit, the keyboard remains disabled; however, if you run the patched version and exit... everything seems OK.

    This prog DOES only work from the mouse.

    I am not sure if the main prog does disable the keyboard, as it does not accept commands from the keyboard; however, pressing CAPSLOCK makes the light go on and off, but other key combos won't work.

    Also had a look through previous posts but nothing really stands out. I had a look at the link you sent, I will follow it up a bit more through Google.

    Any other ideas are welcome.

    Cheers.

  10. #10
    markh51
    Guest
    JMI:

    Can you have a look at the anti-SoftICE code I patched? Is this right:

    * Referenced by a CALL at Addresses:
    |:0044EF46 , :004521E9
    |
    :0044F3F8 53 push ebx
    :0044F3F9 33DB xor ebx, ebx
    :0044F3FB 6A00 push 00000000
    :0044F3FD 6880000000 push 00000080
    :0044F402 6A03 push 00000003
    :0044F404 6A00 push 00000000
    :0044F406 6A03 push 00000003
    :0044F408 68000000C0 push C0000000

    * Possible StringData Ref from Code Obj ->"\\.\SICE"
    |
    :0044F40D 6828F44400 push 0044F428

    * Reference To: kernel32.CreateFileA, Ord:0000h
    |
    :0044F412 E88976FBFF Call 00406AA0
    :0044F417 83F8FF cmp eax, FFFFFFFF
    :0044F41A EB08 jmp 0044F424 <--- I changed this to a JMP
    :0044F41C 50 push eax

    * Reference To: kernel32.CloseHandle, Ord:0000h
    |
    :0044F41D E85E76FBFF Call 00406A80
    :0044F422 B301 mov bl, 01

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0044F41A(U)
    |
    :0044F424 8BC3 mov eax, ebx
    :0044F426 5B pop ebx
    :0044F427 C3 ret

    Also, I am having a problem with my softice 4.05 for W95... When you press CTRL-D, the screen goes black and nothing happens.

    Thanks.

  11. #11
    markh51:

    This is known as the "MeltICE" method of detecting SoftICE. You will find it discussed here as method 11 and how to work around it:

    http://www.crackstore.com/003.htm

    As the code there shows you, there used to be a compare eax and a je if eax was not -001.

    Are you really running Win95? I've deleted your duplicate thread in the Tools of the Trade Forum asking about the SoftICE 4.05 and Win95 question you already asked here. dELTA was referring to the BIG RED LETTERS and the mention of the FAQ at the top of the forums, which I've mentioned to you already. He's telling you you need to use the search button for "softice" and "video" problems before asking for help. It is most likely a problem with compatibility of your video card, which is an issue you will see discussed many times.

    As I said in my previous post:
    In other words, when you identify a problem (softice, blank screen, video, win95) this should suggest to you various terms you can use to search for answers to your problems. This is the result of thinking about your problem, understanding what it is, and choosing terms which describe the problem, and then searching for answers.

    For example, using "softice and blank screen" (without the quotes) I got a thread titled: "softice 4.05 and WINME, black screen on start-up...." and while I realize it refers to WinME you should have at least read it because you may have the same problem. You will find it at:
    http://www.woodmann.com/forum/showthread.php?t=6025&highlight=softice+blank+screen

    Regards,
    JMI

  12. #12
    markh51
    Guest
    JMI:

    Thanks for that, but I sorted the SoftICE problem by un-installing and then re-installing it. It now seems to work fine.

    I DID do a search before I posted this and I found the same thread which you found, but it was not the same problem which I was getting... but never mind, now it's all sorted.

    Is the patch which I applied to the "MeltIce" code OK? I wasn't too sure whether to force a jump or just go to the next line.

  13. #13
    markh51:

    Let me say again that the way to avoid suggestions to search is to say you searched and didn't find anything which seemed to answer your question.

    On the MeltICE trick, assuming your code was previously a "je" (jump if equal), then you want to take the jump. You could do it one of two ways.

    You could make
    :0044F417 83F8FF cmp eax, FFFFFFFF into
    :0044F417 cmp eax, eax

    and then the je would be taken, or as you did, you can change the je to jmp to always go, no matter how the compare works out. The code compares a negative result, meaning it didn't find Softice so it jumps to continue. If it found Softice, it would go somewhere else.

    Just remember for other circumstances that the cmp will set a flag, depending on the result, and it is at least possible that something might check that flag later in the routine, but in this case I don't think it is part of the MeltICE routine.

    Also you might want to take a look at OllyDBG as a somewhat easier debugger to start with. It works only in ring 3, but that will work for most early reversing activities. You will find it at:
    http://home.t-online.de/home/Ollydbg/

    Regards,
    JMI

  14. #14
    Hiya,

    I'm not sure whether there was a conversation had here about Dallas iButtons, I seem to remember one, or perhaps that was with someone else; regardless:

    Find the iButton v4.31 SDK, and then from what I quoted then:

    "Most iButton protected programs I've seen are statically linked with the dll swa32ut.dll (something like that), even if this is not the case it's a trivial patch to make your target load this dll and of course redirect calls there (I have, if you need an example, swa32ut.dll with source code)."

    Give me a shout anyway if you want more help with this.

    Regards

    CrackZ.

  15. #15
    markh51
    Guest
    JMI:

    I have just had a look at the code which calls the "MeltIce" routines:

    :0044EF42 753E jne 0044EF82 <--- Goto Kernel32.CloseHandle
    :0044EF44 8BC7 mov eax, edi
    :0044EF46 E8AD040000 call 0044F3F8 <--- Check //./SICE
    :0044EF4B 84C0 test al, al
    :0044EF4D 7533 jne 0044EF82 <--- Goto Kernel32.CloseHandle
    :0044EF4F 8BC7 mov eax, edi
    :0044EF51 E8DE040000 call 0044F434 <--- Check //./NTICE
    :0044EF56 84C0 test al, al
    :0044EF58 7528 jne 0044EF82 <--- Goto Kernel32.CloseHandle
    :0044EF5A 6A00 push 00000000

    What are the "test"s and "jne"s for after it has returned from the "MeltIce" routines? I ask this because if I patch the "MeltIce" code like you said before, with the JMPs, the prog just quits?!?
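A portable model of the MeltICE routine at 0044F3F8 and its caller at 0044EF46, added here as an example that is not from this thread: it covers JMI's two patch options in #13 and the "test al, al / jne" question in #15. It stands in for CreateFileA("\\.\SICE") with an integer parameter so it runs on any system, and it assumes, as JMI does, that the instruction at 0044F41A was originally a je.

```c
#include <stdint.h>
#include <stdio.h>

/* kernel32 returns this from CreateFileA when the device cannot be opened */
#define INVALID_HANDLE_VALUE ((int32_t)-1)

/* The three forms of the routine discussed in the thread */
enum patch { ORIGINAL_JE, CMP_EAX_EAX, JE_TO_JMP };

/* cmp a, b sets ZF exactly when a == b; je is taken iff ZF == 1 */
static int zf_after_cmp(int32_t a, int32_t b) { return a == b; }

/* Model of 0044F3F8..0044F427. `eax` is what CreateFileA("\\\\.\\SICE")
 * would have returned (a stand-in for the real call, so this runs anywhere).
 * Returns the value the routine leaves in EAX (copied from EBX). */
static int32_t meltice_check(int32_t eax, enum patch p)
{
    int32_t ebx = 0;                 /* xor ebx, ebx */
    int jump_taken = 0;
    switch (p) {
    case ORIGINAL_JE:                /* cmp eax, FFFFFFFF ; je 0044F424 */
        jump_taken = zf_after_cmp(eax, INVALID_HANDLE_VALUE); break;
    case CMP_EAX_EAX:                /* cmp eax, eax : ZF is always 1 */
        jump_taken = zf_after_cmp(eax, eax); break;
    case JE_TO_JMP:                  /* jmp 0044F424 : unconditional */
        jump_taken = 1; break;
    }
    if (!jump_taken)
        ebx = 1;                     /* push eax ; call CloseHandle ; mov bl, 01 */
    return ebx;                      /* 0044F424: mov eax, ebx ; pop ebx ; ret */
}

/* Model of the caller at 0044EF4B..0044EF4D: test al, al ; jne 0044EF82.
 * test al,al sets ZF iff AL == 0, and jne is taken iff ZF == 0, so the
 * jump to the CloseHandle/exit path is taken exactly when AL came back as 1. */
static int caller_takes_jne(int32_t al)
{
    return al != 0;
}

int main(void)
{
    const int32_t opened = 0x1c8;    /* constructed: any value other than -1 */
    const char *name[] = { "original je", "cmp eax,eax", "je->jmp" };
    for (int p = ORIGINAL_JE; p <= JE_TO_JMP; p++) {
        int32_t found  = meltice_check(opened, (enum patch)p);
        int32_t absent = meltice_check(INVALID_HANDLE_VALUE, (enum patch)p);
        printf("%-12s device opened -> AL=%d jne=%d | open failed -> AL=%d jne=%d\n",
               name[p], found, caller_takes_jne(found),
               absent, caller_takes_jne(absent));
    }
    return 0;
}
```

Both patches make the routine return 0 regardless of what CreateFileA returned, so the caller's jne at 0044EF4D falls through in exactly the same way as when the device open fails.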
