a very hard nut ! ! !
eight
December 22nd, 2001, 08:58
Hi
First, my English is not so good, but I hope you understand me.
I have a problem with a prog, its name is cb97 (file size 700 kb).
The program starts with a reg box (name/serial), nothing else.
1. It has a SI check (when you load ICE Dump, SI works)
2. wdasm doesn't work (debug error)
3. a temp file is generated where the fake serial is checked (so I think)
4. on startup the reg flag is checked (so I think)
the prog is not public, so I must send the file.
anyone will help me?
regards, eight
DakienDX
December 22nd, 2001, 09:20
Hello eight !
This Board is supposed to help people who're stuck somewhere in the cracking process and can tell where they're stuck and what they've found out so far. Not just to come here and ask "Target is ..., it needs a serial number and a name to register, I think it somewhere checks the registration, who helps me to crack it?"
Please tell us something more about you and the program.
 Can you use SoftICE?
 Do you know if the program is packed? If yes, with what packer?
 Have you found the registration check?
 Do you know anything about the format of the registration data?
 Which programming language was used?
 Do you know if the registration depends on the username entered?
 Is the program a Win32-PE?
 Do you know what is different between the registered and unregistered version?
 Is the registration checked via online check or offline in the program?
 Do you know ... ?
 ... ?
 Do you know ... ?
 ... ?
 Do you know anything more which could be useful?
eight
December 22nd, 2001, 14:01
Hi
My first steps with SI
the program is for W9x
packed? I don't know
language?
no online registration
offline
The program doesn't start without the right serial.
when you double click on the exe a window pops up: this is not the right serial/name (reg flag check), put in the right one
My way.... not finished
name/serial box  Name:  eight
serial: 1122-3344    registration data
bpx hmemcpy
F5
ok button
1*F11
7*F12
main program code (ARM1234!.text), the 1234 number is changed on every new start; it is a temp file created from the exe.
we land here
017F:10004E20  lea eax,[ebp-0100]  /ebp-100 is the length of my name
8*F12
we land here
017F:10004e26  lea eax,[ebp-0200]  /ebp-100 is the length of my serial
I think the check is here (ARM123.....)
017F:10004e76     call 10002c46     /registration check routine? it is very hard code for me, I have traced the call for many hours!
017F:10004e7B     Test al,al
017F:10004e7D     JNZ 10004F21  /jump to the good message
017F:10004e83     Mov esi,[kernel/32!getlasterror]  /bad boy
when I change the flag on 10004e7d to jump to the good boy a window pops up: your serial/name is correct, thank you! When I push the ok button the prog runs for 2 sec and then aborts with a
debug error message!
I'm a newbie and I was interested in how to get the right serial or reg flag!
Sorry for my bad English
I hope you can help!
regards, eight
DakienDX
December 22nd, 2001, 15:12
Hello eight !
This looks like Armadillo to me. It uses Blowfish to generate valid registration keys, a secure encryption algorithm, if you don't know. The author supplies a password which is chosen differently for every protected application. If the program were allowed to run in trial mode, it wouldn't be a hard task to unpack it. There are some unpackers available, but they rely on dumping the program when it is decrypted. But in this example this happens only if you've a valid key. Simply changing a 'flag' won't help here.
Can you tell us from which date the program is? So we could think of Armadillo versions not released at this time. If someone knows a way to tell the Armadillo version used to protect a file, this would help. I only worked on the earlier versions of it, (1.8x) but keygenning might work somehow.
eight
December 22nd, 2001, 17:18
Hi DakienDX
I think you are on the right path!
When I check the prog with regmon I see it uses key files in the registry.
HKLM\software\the Silicon Realms Toolworks\Armadillo
The exe file is from 20.juli.01
no trial mode
Viper
December 22nd, 2001, 18:41
This is Armadillo.
when I scanned it with PEiDentifier it came back
Armadillo 1.xx - 2.xx. if it helps, the linker version was 83.82
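The PEiD result and the linker version Viper quotes both come straight out of the PE headers. As an added example (my code, not code from this thread or from PEiD), here is a small Python parser that pulls the linker version and the section table out of a PE32 file and reports the cheap signals a triage tool looks at before any signature matching: the entry point lying outside the first section, sections with no raw data that are filled in at run time, and an implausible linker version. The two images it parses are constructed in memory for the example; the ".stub" section name and the cut-off of 14 for the linker major version are my assumptions, not Armadillo specifics.

```python
import struct
import sys

# Constructed sample data: the PE images built here exist only in memory for
# this example. They are not the cb97 binary from the thread.

def build_sample_pe(linker=(6, 0), entry_rva=0x1000, sections=None):
    """Assemble a minimal header-only PE32 image (constructed for this example).

    sections: list of (name, VirtualAddress, VirtualSize, SizeOfRawData).
    """
    if sections is None:
        sections = [(b".text", 0x1000, 0x1000, 0x1000),
                    (b".data", 0x2000, 0x200, 0x200),
                    (b".rsrc", 0x3000, 0x400, 0x400)]
    e_lfanew = 0x40
    # DOS header: "MZ", padding, e_lfanew at offset 0x3C
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0xE0 for PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x010F)
    # Optional header start: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase; the rest is zero padding
    opt = struct.pack("<HBBIIIIIII", 0x10B, linker[0], linker[1], 0, 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000)
    opt += b"\x00" * (0xE0 - len(opt))
    table = b""
    raw_ptr = 0x400
    for name, va, vsize, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += rawsize
    return dos + b"PE\x00\x00" + coff + opt + table


def parse_pe(data):
    """Return linker version, entry point and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt_off)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": rawsize, "raw_ptr": rawptr})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])),
                         None)
    return {"machine": machine, "magic": magic, "linker_version": f"{major}.{minor}",
            "entry_rva": entry_rva, "entry_section": entry_section, "sections": sections}


def packer_hints(info):
    """Cheap structural signals that a loader stub, not the linker, produced this image."""
    hints = []
    secs = info["sections"]
    if secs and info["entry_section"] != secs[0]["name"]:
        hints.append(f"entry point 0x{info['entry_rva']:X} is in {info['entry_section']!r}, "
                     f"not the first section")
    for s in secs:
        if s["raw_size"] == 0 and s["vsize"] > 0:
            hints.append(f"section {s['name']!r} has no raw data but 0x{s['vsize']:X} bytes "
                         f"virtual size (filled at run time)")
    major = int(info["linker_version"].split(".")[0])
    if major == 0 or major > 14:  # assumed cut-off: real toolchains of the era stay far below
        hints.append(f"unusual linker version {info['linker_version']}")
    return hints


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            images = {sys.argv[1]: f.read()}
    else:
        images = {"constructed clean image": build_sample_pe(),
                  "constructed packed-looking image": build_sample_pe(
                      linker=(83, 82), entry_rva=0x7010,
                      sections=[(b".text", 0x1000, 0x5000, 0),
                                (b".data", 0x6000, 0x1000, 0),
                                (b".stub", 0x7000, 0x800, 0x800)])}
    for label, data in images.items():
        info = parse_pe(data)
        print(f"{label}: linker {info['linker_version']}, entry in {info['entry_section']}")
        for h in packer_hints(info):
            print("  -", h)
```

Run it with a file path to inspect a real PE32 image, or with no arguments to see the two constructed images side by side; the second one deliberately carries the 83.82 linker version from the post, which a real linker would not write.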
DakienDX
December 23rd, 2001, 06:09
Hello eight !
Here's some information from Armadillo's history page:
28Jun2001: Armadillo 2.01 
The newest version of Armadillo is now available for download. In addition to the features of the beta (listed below), this version corrects one additional bug and adds a new feature, Modification Keys. (Please see the help file for additional details.) 
So it could be the 2.x version in your program.
hex0r
December 23rd, 2001, 06:57
with one known fingerprint, name and key it is not so hard to remove Armadillo. I've done it on Armadillo 1.9
eight
December 23rd, 2001, 07:57
Hi DakienDX
I checked it with File Inspector; it says it found a signature Armadillo 1.80!
right or wrong????
eight
December 23rd, 2001, 09:29
Hi Viper,
any success with the prog?
Viper
December 23rd, 2001, 10:17
i think this is the check routine
:0040B680 arg_0           = dword ptr  8
:0040B680 arg_4           = dword ptr  0Ch
:0040B680 
:0040B680                 push    ebp
:0040B681                 mov     ebp, esp
:0040B683                 push    edi
:0040B684                 push    esi
:0040B685                 push    ebx
:0040B686                 mov     esi, [ebp+arg_4]
:0040B689                 mov     edi, [ebp+arg_0]
:0040B68C                 lea     eax, ds:40E3A0h
:0040B692                 cmp     dword ptr [eax+8], 0
:0040B696                 jnz     short loc_40B6D3
:0040B698                 mov     al, 0FFh
:0040B69A                 mov     edi, edi
Please correct me if I'm wrong
eight
December 24th, 2001, 11:05
Hi
can anyone help us?
I think we need a specialist here
regards