Results 1 to 6 of 6

Thread: Help with finding keyfile a program used by program

  1. #1
    Polt
    Guest

    Help with finding keyfile a program used by program

    Hello,

    I'm a relative newbie at cracking Win 95/NT etc. based software. The program I am looking at is called Websnatcher, I've been messing around with it for several days, but no go.. Having read the key-file related tutorials, I tried all the mentioned breakpoints (.lopen, createfilea, readfile, and a couple of others), but have had no luck locating the spot where the program looks for or tries to access the keyfile. Complicating matters is the fact that a .DLL file that websnatcher uses (it places two .DLL files in your system dir) is encrypted with ASProtect. Needless to say I've been unable to remove. Does anyone know of anything else I can try to find the area of the program that looks for the presence, or tries to open the keyfile? Note that despite the Asprotect, I can debug the program (breakpoints for other windows calls work, including a messagebox breakpoint when the nag screen pops up). I appreciate any help someone can provide with this.
    Thanks!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    test
    Guest
    test
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    aimless
    Guest
    Hullo Polt,

    I think that you need to (as you have mentioned you are) crack easier programs (the serial num kind) rather than the keyfile ones, as you are relatively new to this. This is not to dissuade you, but to simply put things in perspective. However, if you DO want to go ahead, maybe you can follow the pointers, which, if not really crack the application for you, can atleast point you to the right direction.

    Firstly, its protected with Asprotect, which by iteself has got a few ICE detection tricks up its sleeves. And worse, it does not tell you its detected the same (it simply does something that its supposed to do - nasty of course). Trying to run around unpack that manually is going to be a long long exercise (unless you are one of the experts on unpacking). So I would suggest that you get a file analyzer. And run your program and its dlls through that. This will tell you approximately (no file analyzer is 100% correct) , as to what version of Asprotect it was compressed with. Un Asprotect it with apps lying around the web for the same.

    Secondly, if it is indeed protected with Asprotect, I might suggest cracking it using a disassembler, rather than ICE. After you have unpacked the dlls, of course

    NOW! we come to the actual approach. You have ONLY 2 approaches in this case.

    Approach 1: Regenerate the keyfile as it was meant to be (crazy, if the developer was smart and has ensured that it requires several KBs of key file !! or alter the keyfile if ICE was detected (though I doubt very much the latter option, as developers are generally sloppy)

    Approach 2: Crack the dlls an/or exe via disassembly and find out the locations (please note the plural! and not the singular) where it reads for the key file. You can then reverse/invert/nop do whatever you want to your heart's content. A note here to remember is that it is not necessary to check for the keyfile in only one location or two or even three for that matter (as most tuts assume they would). It could be even in tens and twentys (the locations, I mean!) So be patient and trace EVERY access to the key file, modify the files and carry on. However...

    After modifications, your app may not run. Developer may have a checksum or CRC on each file, which may be interlinked and may have a check on whether its protected and STILL compressed with Asprotect (size compare) and so on...you get the idea.

    So a better idea would be to patch the file in memory using a loader. And of course, he could also check for the checksum of the memory...but I doubt that.

    So best of luck on your new attempts. Having fun while doing this is the success. Be serious and think that there is a mandate to cracking the file will not get you anywhere. Enjoying and having the time of your life while doing it will.

    Have phun.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Polt
    Guest
    aimless,

    Thanks for the info. I ran the .EXE and the dll files through a couple of file analyzers and they come up with Asprotect 1.3 (damn) on the websnatcher.exe file. So I was wrong about the protection being on the .DLL. The only unpackers I found were for up thru v1.2. So I'm trying a different approach -- got an earlier version of websnatcher (v2.0) and figuring it might have an earlier version of Asprotect - but it had none!! So now I can concentrate on the keyfile and forget about Asprotect And then hope it works with 2.4, if I can make a fake keyfile in the first place :O
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Programmer Run Amock... Bengaly's Avatar
    Join Date
    Aug 2001
    Location
    Somewhere over the Rainbow
    Posts
    289
    Blog Entries
    1
    hehe KeyFiles are easy to find!
    Especially what is the KeyFile the program File search for!

    Here are the steps in Order to find the KeyFile name:

    1. load Softice
    2.Set a BPX CreateFileA
    3.unload sICE
    4.run the program u want to find the keyfile for
    5.SoftICE will Break at the instruction:

    EAX=0047799C EBX=00477954 ECX=00000003 EDX=00000000 ESI=0000002C
    EDI=0047799C EBP=006DFC48 ESP=006DFBF0 EIP=BFF77AF6 o d I s Z a P c
    CS=0177 DS=017F SS=017F ES=017F FS=62EF GS=0000
    ----KERNEL32!GetFullPathNameA+0046-----
    KERNEL32!CreateFileA--------------------
    0177:BFF77ADA JMP BFF7CAD0
    0177:BFF77ADF PUSH EDI
    0177:BFF77AE0 PUSH 00000127
    0177:BFF77AE5 SUB EDX,EDX
    0177:BFF77AE7 PUSH BFFA19C3
    0177:BFF77AEC PUSH DWORD PTR FS:[EDX]
    0177:BFF77AEF MOV FS:[EDX],ESP
    0177:BFF77AF2 MOV EDI,[ESP+14]
    0177:BFF77AF6 SUB EAX,EAX <=here
    ---------------------------------------
    On Adress 0177:BFF77AF2 Type: D EDI
    full path+name of the KeyFile will be presented to u by SoftICE!!

    Have Fun
    bengaly
    "knowledge is now free at last, everything should be free from now on, enjoy knowledge and life and never work for everybody else"

  6. #6
    Polt
    Guest
    Thanks for the general info on finding keyfile accesses. I've been plugging away at this and found out that the keyfile feature of websnatcher is actually part of asprotect itself!!

    I found an excellent tool called 'Caspr' which blew away the ASprotect v1.2 on websnatcher 2.3. Totally cracked!! Now the problem is Asprotect 1.3 on Websnatcher 2.4
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Help with What this program does??
    By gogreen in forum The Newbie Forum
    Replies: 1
    Last Post: November 19th, 2013, 02:55
  2. looking for program
    By book in forum Tools of Our Trade (TOT) Messageboard
    Replies: 7
    Last Post: November 20th, 2005, 09:21
  3. Replies: 3
    Last Post: November 4th, 2003, 00:41
  4. help, or is there a program?
    By Rage9 in forum Advanced Reversing and Programming
    Replies: 6
    Last Post: December 11th, 2001, 08:40

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •