|
|
|
|
#1
06-28-2004, 07:51
|
|||
|
|||
|
attached...
|
|
#2
06-28-2004, 16:04
|
|||
|
|||
|
hmmm, thanks ... nice work but where did ordinal at rva 1094 go? I think Real|sty stuck with the same entry.ok, I'll try to find it by myself.
Thanks again Crk for the dump and the IAT tree file.
|
|
#3
06-28-2004, 21:41
|
|||
|
|||
|
can't find it neither..
 maybe is invalid to fool with us ??? if invalid then just nop it
|
|
#4
07-01-2004, 10:00
|
|||
|
|||
|
OK... after analyzing the working IAT for v2.07 i found out that the missing one is DllFunctionCall ... i could be wrong .. but correct me anytime if i'm mistaken ... here are attached new dumped including added IAT + IAT tree for new and old version.
btw the app. still crash always at same offset ... i believe this most be a crc check  btw i used as OEP 0000137A to get the IAT for v3.0.4 
|
|
#5
07-01-2004, 17:59
|
|||
|
|||
|
thanks Crk again, so nice of you to complete the job.
I appreciate it very much.
|
|
#6
07-01-2004, 18:56
|
|||
|
|||
|
ok, after some analysis it seems neither is correct, the added entry or the oep.
 the missing entry is away from msvbvm60.dll, perhaps it's decryption routine, or some sort on code injection routine. I think if the author of the product spent his time enhancing his product more than the time he spent to over-protect it, that would have been much much better for him.I cannot imagine that a little program to change some entries in registry, or do things that freeware program does, can have such protection.
|
|
#7
07-01-2004, 20:23
|
|||
|
|||
|
this is right OEP and the way it should be... check more VB. app. and you'll know why
|
|
#8
07-01-2004, 21:32
|
|||
|
|||
 here it is some part of the code (P-Code) disasembled ... now it's possible to analyze the keyfile routine and possible to reverse without license
|
|
#9
07-01-2004, 21:50
|
|||
|
|||
|
and here are all TweakXP Resources i got using VBReformer
 for knowledge and studies purposes only!
|
 |
| Thread Tools | |
| Display Modes | |
|
|
Hybrid Mode
