1) Did security updates to windows (probably not it)
2) Downloaded new drivers for windows 7 64bit from ATIs website (uninstalled with installer old drivers)
3)Restored all ATI settings to default from preferences menu. (Probably this did the trick – I assume the config had been corrupted somehow)

You can try the third option right away and see how it goes.

I guess he fixed the return values or whatever. Should be working now for all OSes.

Havent tested them!

Download imprec plugins

ACProtect #1.dll
ACProtect #3.dll
Alex Protector.dll
CoolCrypt.dll
Cryptocrack’s
PE Protector.dll
Excalibur.dll
EXEStealth275.dll
Expressor 1.5.x.dll
GoatsPEMutilator16.dll
Krypton 0.5.dll
Morphine.dll
Obsidium 1.3.dll
PE123.dll
PECompact 2.7.x.dll
PELock 1.06 (regged).dll
Perplex101.dll
PESpin.dll
PrivateExeProtector 1.8.dll
Protection Plus 4.x.dll
RLPack 0.7.dll
RLPack 0.7.x.dll
RLPack 1.16.dll
RLPack 1.18.dll
SDProtector 1.12.dll
tELock 0.71.dll
tELock 0.98 #1.dll
tELock 0.98 #4.dll
tELock 0.99.dll TPP.dll
VisualProtect.dll
Yoda Crypter 1.02.dll

Download PECompact 2.7 fixed imprec plugin

Protection: PECompact 2.x

Made in: Borland Delphi

Version:For this post 1.12.5 – I will calculate the base + address soon when I deal with the newer version.

There seems to be a CRC check (or something else) somewhere which doesn’t let you use the application after unpacking it and a big deal of anti debugging methods are involved. So it displays you error #17 when you start the app and wont run.

Error #17 0×008BF0FC

It appears to be coming from function which resides at 0×008DFDD0 RVA

<br />
.text:008DFE42                 mov     ecx, offset aEwdjk32489jhde ; "ewdjk32489jhde892klde;lk21e02134jldw;ql"...<br />
.text:008DFE47                 mov     edx, offset aLqohm3nlt1eqgq ; "lQohM3nlt+1eqgQU+qcKO4f7QtOciTmcE6ZEhLk"...<br />
.text:008DFE4C                 mov     eax, esi<br />
.text:008DFE4E                 call    DecryptString<br />
.text:008DFE53                 mov     edx, [ebp+var_C]<br />
.text:008DFE56                 xor     ecx, ecx<br />
.text:008DFE58                 mov     eax, esi<br />
.text:008DFE5A                 call    MessageDlg<br />

DecryptString

Found at 0×008CC158 RVA The strings are uncrypted there.

MessageDlg

This works like MessageBoxA in C++ for delphi, resides at 0×008BE024 RVA  and is used to display nag boxes including the ones which contain crypted text.

Checks after passing the #17 nag

text:008BF298

.text:008BF2F4

.text:008BF37B

JZ jumps. Decrypt and MessageDlg functions are followed by these jumps.. There actually are whole bunch of places where Decryption is used but I havent investigated.

Thats it for now but this will be my new sunday hobby. Contributions are welcome.

2010-03-10

008BE084                                 /74 31                     JE      SHORT 008BE0B7     ; Is debugger present
008BE0B3                                  FFD7                      CALL    NEAR EDI                  ;IsDebuggerPresent call

There are also name checks for some debuggers. Application scans through active processes to find ollydbg.exe and few other (I think there was about three of them).

#17 bypass

008DFDFF                                 /74 6A                     JE      SHORT 008DFE6B

Just make this JMP instead and you should be fine.

#ExitProcess() trick at 0×008F1CBF

Some sort of debugger trick to stop you from starting the application via debugger.

2010-03-11

It seems that the application verifies its license at startup. There isn’t any verification for correct license information eg. “Correct serial! Thank you for using our software”.  So in order to bypass it I would have to fake the license check result via hooking the wsock or patch it from inside of the application itself.

–

For some strange reason when I started Virtual Machine today the scrapebox was activated and licensed. I am feeling slightly confused.

Last update – project closed:

I have decided not to work on this project anymore because scrapebox isn’t worth my efforts. I have been using the licensed version which was probably given to me by the author himself. I see no point wasting my time for a program which I already can use and which isn’t that useful as it might seem in the first place. If I ever have the need for it again then I will reopen this project and crack it. But far as I can tell: scrapebox is useless and overhyped, like most of the SEO tools are.

This a thread I started in a forum and I plan to update it when somebody replies to it. Posted it on my blog so I can “archive” it for my own use which may never come.

Methods?
By methods I mean the process which leads you to detection of “badboy” or helps you getting closer to it. I am not talking about methods here how to avoid them (NOPing/Codecaves/Changing registry flags and so on[Though chainging registry flags can help finding a bad- or goodboy.]). Neither I am talking about upacking or deobfuscating.

Methods I somewhat know:

1 Search for the Text string
This is something what i’ve seen in like 80% of the tutorials about cracking. I think its self explanationary and everybody on this forum knows it.

2 Api breakpointing
This is the second most used method in tutorials and thats for a reason, every program needs API’s to function. Unless programmers have decided to make their own functions which you end up analzying in IDA (atleast I do ) and that can get really long…
For example you set a breakpoint on all dialog text handling functions and narrow it down until you find the function which is used to copy the serial number you entered – then see what application is doing with it from there.

3 Step through the code and see where it leads you.
Usually this is something which is considered hard in tutorials because it means you have to have some assamblery knowledge. In logic, it applies to every “method” here but I wanted to note this one out because sometimes you are analyzing code line by line (F8/F7/ctrl+F9). Usually i’ve seen it called “digging deeper”

4 Conditional breakpoints
Havent seen this in tutorials – this method works for specific cases, for example you are in a loop and want to see “where it takes you” with a specific value for the variable in the loop. Probably it could be applied in variety of situations.
This is something I am not really good at and more experienced people could maybe share the variety of usages for this.

5 ID numbers for your advantage
This is something what I vaguely remember. You get the ID of a button or whatever element from window/dialog with winspy or reshack and then do SOMETHING with it, haha.
Yet again this is something what could use some clarification. If you know a good tutorial regarding this matter then please share!

6 Call stack
You get your nag screen running and then within a second you hit pause button in olly, next you check the “Call stack” and see what were the last instructions for the process to run.
Only place I’ve seen this method being used was on Lenas tutorials. If you know more, then please do share!
There is also similar method where you pause and trace until user code execution, from there you can see where was the last function called from and take action.

7 Signature scanning

You search for specific opcodes throughout the application to detect a certain type of protection or whatever your needs are.