Exetools  
#16
Old 02-28-2005, 02:30
dyn!o
Friend
Join Date: Nov 2003
Location: Own mind
Posts: 214
I suggest you forget about these cryptos if you don't know them already (you will probably lose too much valuable time trying to learn them all in one shot).

What you should do, in my opinion, is not reverse the checksum scheme but find its place of execution.

I would consider the following: (separate ideas, not ordered)

1. Check if the main file size is being verified (by itself or separate process/thread). Is it? Then WHERE?
2. Check if the main file is being read (by itself/process/thread). WHERE?
3. Backtrace the code. This is my favorite method and the most effective one in my experience (e.g. all of today's anti-xxx tricks can be analyzed this way with ease). The disadvantage is that your memory (brain memory) must be very deep, since you have to perform a back-step trace. If you aren't experienced with such an analysis, you can still perform it by noting everything that happens on a sheet... but usually it's a serious amount of different information (APIs/offsets/data/calls/jmps and finally: the contexture).

Try the first two and let us know about the results, sheriff

By the way, the following fragment is my ExeTools 2005 Golden Quote: (you did not edit your post)
Quote:
I was stoned when i checked my dump!!! Check the attachment!!
I could not upload the attachment, so here are the cryptos.
If the software isn't big, can you upload it somewhere (dump + data needed to run it... we may take a look at it)?

JMI: what about an idea of adding a sticky with similar stuff (like Golden Thread/Post/Answer)? You can even add some voting system...

Regards.

Last edited by dyn!o; 02-28-2005 at 02:33.
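Added example, not code from the thread: a minimal C integrity self-check of the kind dyn!o's first two points refer to (an exact size check, then a full read of the file with a CRC-32 comparison), so you can see what such a check looks like before looking for it. The CRC-32 routine, the file name and the sample bytes are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bitwise CRC-32 (IEEE, reflected polynomial 0xEDB88320), no lookup table. */
uint32_t crc32_buf(const unsigned char *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Integrity check of the kind a protected program runs on its own image:
   1) the size must match exactly ("is the file size verified"),
   2) the whole file is read and its CRC-32 compared ("is the file read").
   Returns 1 on pass, 0 on any failure (missing file, wrong size, wrong CRC). */
int verify_file(const char *path, long expected_size, uint32_t expected_crc) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return 0; }
    long size = ftell(f);
    if (size != expected_size) { fclose(f); return 0; }
    rewind(f);
    unsigned char *buf = malloc((size_t)size + 1);
    int ok = buf && fread(buf, 1, (size_t)size, f) == (size_t)size;
    fclose(f);
    if (ok) ok = crc32_buf(buf, (size_t)size) == expected_crc;
    free(buf);
    return ok;
}

/* Demo helper: writes constructed sample bytes standing in for a program image. */
int write_sample(const char *path, const unsigned char *data, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(data, 1, len, f);
    fclose(f);
    return n == len;
}

int main(void) {
    const unsigned char img[] = "123456789";            /* constructed sample */
    write_sample("sample_image.bin", img, 9);
    printf("intact:  %d\n", verify_file("sample_image.bin", 9, 0xCBF43926u)); /* 1 */
    write_sample("sample_image.bin", (const unsigned char *)"123456780", 9);
    printf("patched: %d\n", verify_file("sample_image.bin", 9, 0xCBF43926u)); /* 0 */
    return 0;
}
```

The expected CRC 0xCBF43926 is the standard CRC-32 check value for "123456789"; a one-byte patch fails the second check even though the size check still passes.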
#17
Old 02-28-2005, 18:57
LaDidi
VIP
Join Date: Aug 2004
Posts: 222
Does it exist in the normal version?

Does 5A4550F0 exist in the original version?
If so, try to add the corresponding section to the dumped version.
Regards
#18
Old 03-01-2005, 03:24
MAHMUT
Posts: n/a
Hi there.

First, I actually edited my thread (when I saw that my file had not been uploaded).

1. I tried to check the main file size (GetFileSize, correct?)
But the progi didn't break. I got the same message as last time.
And no, 5A4550F8 does not exist in the normal program either; how is that?
2. Check if the main file is being read: how do I do that? (I simply erased the file from that directory, and nothing happened either.)
3. Backtrace the code. I already did some version of that, but it is a very time-consuming and nerve-consuming tool. I'll try it on the weekend, when I have more time.

I think it is not a good idea to upload the file, because the dump contains some important info about me.
Something tells me that I will have to learn more about those cryptos.
I must mention again that the same thing (crashing) happens when I change any byte in the original program.
Regards, MAHMUT

P.S. I played around with the dump options in ProcDump, and I got a dumped file of the same size as the first dump. But this time the dump is still protected with the Hardlock envelope (stupid StudPE says NeoLite, but PEiD says Hardlock). And the program runs great! Conclusion: the file size check is not in this progi, correct?

Last edited by MAHMUT; 03-01-2005 at 03:29.
#19
Old 03-01-2005, 14:12
toro
VIP
Join Date: Aug 2004
Posts: 190
Hi MAHMUT,

If your program is actually protected with the Hardlock envelope, removing the envelope, even the latest version, is very easy. There is only one envelope that is somewhat different. Are you playing with hlcwin32.exe (the envelope creator of Hardlock)? If not, you must find the OEP, dump the file with Olly and, if you like, delete the .protect section, and it will work. However, I have seen some programs that check the module address from the envelope to test if the envelope is present.
#20
Old 03-01-2005, 23:17
MAHMUT
Posts: n/a
Hi Toro, thanks for replying.

Actually, my program has a check whether the envelope is present or not. I know that because I dumped the progi with some option so that the envelope stayed in the file (the file even became bigger by approx. 400 KB) and I could run the program. The next time I dumped with the classic option (PEiD said not packed) and the program crashed (the reason for this whole thread).

How can I find the code where the progi checks if the envelope is present or not?
I also tried to change any byte in the original program. The result is the same: crashing.
Thanks,
Regards, MAHMUT
#21
Old 03-02-2005, 01:43
toro
VIP
Join Date: Aug 2004
Posts: 190
Hi,
I have seen one Hardlock-protected program that calls GetModuleHandle and tests the OEP against the original OEP; if they are equal, it means that the envelope is not present.

However, because your target is enveloped, I do not think that the program tests itself with a CRC or in a similar way. You must dump it correctly. I removed the Hardlock envelope from more than 20 programs and always did it with Olly, and all of them worked correctly.
#22
Old 03-03-2005, 00:58
MAHMUT
Posts: n/a
Can you give me some instructions on how to dump correctly?
I am using Olly for dumping too. I use Method 1: Search JMP(API) / Call(API) in the memory image.
Regards, MAHMUT
#23
Old 03-03-2005, 18:50
toro
VIP
Join Date: Aug 2004
Posts: 190
Hi MAHMUT,

You must find the original OEP; possibly you know how. Then set a BP on the original OEP and, when the program stops on the BP, use the dump plugin of Olly, uncheck "rebuild import" and dump the file. Then exit Olly, run the dongle-protected program, use ImpREC to correct the imports and then fix the dumped file. It will work.

Regards