Exetools  

  #61  
Old 03-17-2004, 22:52
Satyric0n
 

Pompeyfan, I was going to refer you to the mini-tut I wrote on unpacking Elcor TweakRAM that Kyrios had already mentioned, since it has basically the same protection mechanisms as RegDefrag. But, it seems my mini-tut has been deleted from the FTP (along with almost everything else...).

I don't have that mini-tut on my hard drive any more, since I wasn't expecting the exetools FTP to get wiped out..

Unlikely, but just in case, I'll ask: By chance, does anyone happen to have the files that used to be on the FTP in the "/incoming/Elcor TweakRAM 3.31.0.3404" folder? If so, could you reupload them please? Thanks in advance...

Regards,
Satyric0n

Last edited by Satyric0n; 03-17-2004 at 22:55.
  #62  
Old 03-17-2004, 23:12
Nilrem
 
I do, I'll upload them.
  #63  
Old 03-17-2004, 23:54
Satyric0n
 
Ah, thank you very much, Nilrem. I owe you one.

Regards
  #64  
Old 03-17-2004, 23:59
Nilrem
 
Np, my pleasure. Heh.
  #65  
Old 03-18-2004, 03:56
Pompeyfan
 
Actually I have read your mini tut on TweakRAM, but the file corrupted message in Registry Defragmentation seems far more complex. In TweakRAM, if I remember right, all you had to do is change 4 conditional jumps to JMPs; this one has about 12 calls to the error message, and all sorts of avenues lead to those calls. It is a frigging nightmare. If I had an ounce of sense I'd let it go, but for some reason I can't, grrrrrrrrr
  #66  
Old 03-18-2004, 04:58
Satyric0n
 
Pompeyfan, I took a look at RegDefrag a few months ago, and at the time, it actually seemed easier than TweakRAM. Could be that they've improved their protection recently... If I get some time I'll take a look at it, but I can't make any guarantees, as work and my Winamp keygenning tutorial are taking up all my time right now.

Regards,
Satyric0n
  #67  
Old 03-18-2004, 06:03
Pompeyfan
 
Thanks mate, don't worry if you are pressed for time.
  #68  
Old 03-20-2004, 04:08
Kyrios
TweakRAM

Hi Pompeyfan,

Have you practiced on TweakRAM? If yes, did it run smoothly?
If I remember correctly, you MUST XOR EAX in another file. I don't remember the name of that file, but the file is used as a system service. You can look at it with Ctrl+Alt+Del and look for that file. It has a small size (less than 100 kb); when scanned using PEiD, it tells you it's Delphi.
Like I said before, the protection is the same as TweakRAM.


kyrios
  #69  
Old 03-20-2004, 09:54
Pompeyfan
 
I think I had problems unpacking the TweakRAM program from memory. I might try it again soon, but I did read the mini tut thoroughly, and the code in that program seems totally different from what is in Registry Defragmentation around the File Corrupted message.
  #70  
Old 03-20-2004, 23:12
britedream
Pompeyfan,
I looked at TweakRAM and RegDefrag today and their protection is almost equal. I will try to help you with RegDefrag:
At the OEP you see three calls. Enter the second one, use F8; you will have two eedfade exceptions, pass them with SHIFT+F7. After that the show begins: step through the code with F8. First call, I believe it checks if registered, pass it; the next call checks if target ep start at 1000, inside the call change the last two je to jmp; next call, put retn inside; next call, the target should take off, but there is a problem. I will leave it to you to solve the last problem. (The program will start with the above corrections I made but still needs to be fixed.)
Regards,
britedream.

Last edited by britedream; 03-21-2004 at 01:38.
  #71  
Old 03-21-2004, 04:25
Pompeyfan
 

Thanks a ton mate, I really appreciate that, this one for some reason has been nagging at me for ages, good idea to leave some for me to figure out, but I never would have figured out the first bit.
  #72  
Old 03-21-2004, 11:33
Pompeyfan
 
Hi,

I was going okay with your instructions until here:

"the next call checks if target ep start at 1000, inside the call change the last two je to jmp, next call, put retn inside"

How do you mean put a retn inside the next call, inside this call I have:

0041040C /$ 55 PUSH EBP
0041040D |. 8BEC MOV EBP,ESP
0041040F |. 51 PUSH ECX
00410410 |. 53 PUSH EBX
00410411 |. 8B05 C6554000 MOV EAX,DWORD PTR DS:[4055C6] ; <&kernel32.GetModuleHandleA>
00410417 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
00410419 |. FF33 PUSH DWORD PTR DS:[EBX]
0041041B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX
0041041E |. 8F03 POP DWORD PTR DS:[EBX]
00410420 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00410423 |. 5B POP EBX
00410424 |. 59 POP ECX
00410425 |. 5D POP EBP
00410426 \. C3 RETN

and if I F8 from here, I hit an access violation, and the file corrupted message comes up soon after.

What should I change in this call, and why?

I really appreciate your help.
  #73  
Old 03-21-2004, 12:14
britedream
My address is slightly different due to my PC setup, but the code looks right, so change 55 "push ebp" to c3 "retn", or nop the call.

Last edited by britedream; 03-21-2004 at 12:32.
  #74  
Old 03-21-2004, 21:35
britedream
Hi Pompeyfan,

With the information I gave you it is easy now, it shouldn't take you long to fix it.
  #75  
Old 03-22-2004, 02:27
Pompeyfan
 
I still get the file corrupted message after the changes, here is the call stack from when I get the message now:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012EB0C 77D43C53 Includes 7FFE0304 user32.77D43C51 0012EB40
0012EB10 77D4B3F2 user32.WaitMessage user32.77D4B3ED 0012EB40
0012EB44 77D4D9A0 user32.77D4B265 user32.77D4D99B 0012EB40
0012EB6C 77D6AE8E user32.77D4D8EC user32.77D6AE89 0012EB68
0012EE24 77D6A911 ? user32.SoftModalMessageBox user32.77D6A90C 0012EDAC
0012EF6C 77D6AFD5 ? user32.77D6A7D7 user32.77D6AFD0 0012EEF4
0012EFC4 77D6B0BD user32.MessageBoxTimeoutW user32.77D6B0B8 0012EFC0
0012EFF8 77D6B04A ? user32.MessageBoxTimeoutA user32.77D6B045 0012EFF4
0012F018 77D6B02E ? user32.MessageBoxExA user32.77D6B029 0012F014
0012F01C 00000000 hOwner = NULL
0012F020 004109B4 Text = "File corrupted ! Please ru
0012F024 004109AC Title = "Warning"
0012F028 00001030 Style = MB_OK|MB_ICONEXCLAMATION|M
0012F02C 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012F030 004109AA ? <JMP.&user32.MessageBoxA> RegDefra.004109A5
0012F034 00000000 hOwner = NULL
0012F038 004109B4 Text = "File corrupted ! Please ru
0012F03C 004109AC Title = "Warning"
0012F040 00001030 Style = MB_OK|MB_ICONEXCLAMATION|M
0012F044 00418A40 ? RegDefra.00410994 RegDefra.00418A3B
All times are GMT +8.