=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=[LineZer0 Network 99]=-=

File Investigator

protections:
- Setup Protection 
- File Protection 
- Nag Screen at the start

================
Setup Protection
================

This protection is easy. Normally the setup is password protected. Get a file
monitor (Filemon) and start it, then set a filter so that it only shows what
the fi150s process does; on mine that is under the menu Events/Filter, with
fi150s as the included process. Start the setup and type in any password. Oh,
it unzips! When it unzips it has to write the files somewhere on the hard
disk, so let's see in Filemon where it puts them. It drops them into the
Windows temporary folder (they turn up in a second folder as well). Open
Explorer and copy the files to the desktop or anywhere else before the setup
cleans up after itself. Open the folder: all the files are there. That's this
protection finished!

===============
File Protection
===============

When you start the exe a nag appears: "File Investigator was not properly
installed!" So copying the files alone is not enough; the setup would have to
run through to the end. Hmm, maybe the program needs something from the
registry. Let's disassemble the file with W32Dasm (but make a backup copy of
the file first!). When it is done, go to the string references and search for
that nag text. Double-click it and you are here:

***************************************************************************
********************************CODE STARTS********************************

* Possible StringData Ref from Data Obj ->"Software\RobWare\FileInvestigator"
                                        ->"\1.50\Path"       (a registry key)
                                  |
:00401039 68C8204100              push 004120C8             (push the key name)
:0040103E 6802000080              push 80000002             (HKEY_LOCAL_MACHINE)

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h             (open the key)
                                  |
:00401043 FF1500004100            Call dword ptr [00410000] (does the key exist?)
:00401049 85C0                    test eax, eax             (0 = ERROR_SUCCESS)
:0040104B 741B                    je 00401068               (key opened -> good user,
                                                             jump on. Otherwise fall
                                                             through to the bad-cracker
                                                             message. Change JE -> JMPS)
:0040104D 6A10                    push 00000010             (MB_ICONHAND, the error box)

* Possible StringData Ref from Data Obj ->"File Investigator Properties"
                                        ->"Start Error"
                                  |
:0040104F 68F4204100              push 004120F4             (the caption)

* Possible StringData Ref from Data Obj ->"File Investigator was not "
                                        ->"properly installed!"
                                  |
:00401054 6820214100              push 00412120             (the nag text)
:00401059 6A00                    push 00000000             (hWnd = NULL)

* Reference To: USER32.MessageBoxA, Ord:01BEh               (show the message box)
                                  |
:0040105B FF1568014100            Call dword ptr [00410168]
:00401061 33C0                    xor eax, eax
:00401063 E960060000              jmp 004016C8              (jump to program exit,
                                                             skipping the code below)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040104B(C)                                               (good user: carry on)
|
:00401068 E867080000              call 004018D4
:0040106D 8D9560FFFFFF            lea edx, dword ptr [ebp+FFFFFF60]
:00401073 52                      push edx

*********************************CODE ENDS*********************************

So we only have to change the JE to a JMPS (Hiew's name for the short jump:
74 1B becomes EB 1B), so that it jumps to the good path every time. Let's do
it in Hiew at :0040104B. Try it, it works! Note that we have only skipped the
check; the key still does not exist, so anything that later reads the Path
value from it will still come up empty. Now another nag appears, but the
program runs. That nag is annoying too, so let's patch it away as well!

===================
Nag Screen Patching
===================

"THANK YOU FOR INSTALLING..." Let's search for that string in W32Dasm (string
references) and click on it. We are here:

********************************CODE STARTS********************************

:00402E98 8985E8F7FFFF            mov dword ptr [ebp+FFFFF7E8], eax       (the message)
:00402E9E 81BDE8F7FFFF10010000    cmp dword ptr [ebp+FFFFF7E8], 00000110  (WM_INITDIALOG)
:00402EA8 7411                    je 00402EBB    <- taken when the dialog is created;
                                                    it leads to the "Thank you" text
:00402EAA 81BDE8F7FFFF11010000    cmp dword ptr [ebp+FFFFF7E8], 00000111  (WM_COMMAND)
:00402EB4 7423                    je 00402ED9    <- taken for button clicks; patch
                                                    this one and the buttons go dead
:00402EB6 E9C0040000              jmp 0040337B   <- every other message goes here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EA8(C)
|

* Possible StringData Ref from Data Obj ->"Thank you for installing File "
                                        ->"Investigator Properties."
                                  |
:00402EBB 68802B4100              push 00412B80  (the nag text)
:00402EC0 6847040000              push 00000447  (447h: looks like a dialog control ID)
:00402EC5 8B4D08                  mov ecx, dword ptr [ebp+08]  ([ebp+08] = first
                                                               parameter = hDlg)
:00402EC8 51                      push ecx

*********************************CODE ENDS*********************************

So what do we do now? The first idea is to NOP one of the two JEs, but this
is the wrong place to patch: the compares against 110h (WM_INITDIALOG) and
111h (WM_COMMAND) show that 00402E81 is the nag dialog's window procedure.
Kill the WM_INITDIALOG branch and the dialog comes up without text; kill the
WM_COMMAND branch and the buttons stop working, so you have to end the
program with CTRL+ALT+DEL. Either way the dialog is still shown. We want
whoever displays it instead. There is a RET right before 00402E81, so that is
where the procedure starts, and somebody has to pass that address to create
the dialog. Go to Search/Find Text and type in the address. The first hit is
the procedure's own address line, which is not what we want; search again and
you are here:

*******************************CODE STARTS*******************************

:00401074 682C224100              push 0041222C            (another key name)
:00401079 6802000080              push 80000002            (HKEY_LOCAL_MACHINE)

* Reference To: ADVAPI32.RegOpenKeyA, Ord:0171h            ;open the registry key
                                  |
:0040107E FF1500004100            Call dword ptr [00410000]
:00401084 85C0                    test eax, eax
:00401086 7417                    je 0040109F              ;was it really installed?
                                                           ;yes -> jump to good user
                                                           ;no  -> fall through to
                                                           ;       the nag dialog
:00401088 6A00                    push 00000000
:0040108A 68812E4000              push 00402E81            ;here is the address: the
                                                           ;nag's dialog procedure
:0040108F 6A00                    push 00000000

*********************************CODE ENDS*********************************

So there is a JE that jumps over the PUSH of that address. The pushes (0,
00402E81, 0) look like the tail of the argument list of a DialogBox-style
call, with 00402E81 as the dialog procedure; the call itself comes after the
end of this listing. Patch the JE at :00401086 to a JMPS (74 17 -> EB 17) and
start the program. Yes, it works! Another dialog is still shown, but don't
panic: that one only tells us we started the program without a parameter.
Drop a file onto the exe and it works. Good work, people!
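As an added example (not from the original tutorial and not part of File
Investigator), here are the two JE -> JMPS patches done with a small Python
script instead of Hiew. It parses the PE section table to turn a W32Dasm
virtual address (00401 04B, 00401086) into a file offset, refuses to patch
unless the byte there really is a JE (74h), and writes the EBh opcode while
leaving the rel8 displacement alone. The file it patches is a constructed
stand-in built by build_sample_pe(): same ImageBase (400000h) and a code
section at RVA 1000h, as the listings imply, but the real fi150s.exe's
section table is not on this page, so the file offsets 24Bh and 286h belong
to the sample, not to the real binary.

```python
"""JE -> JMP short patcher for PE32 binaries, driven by W32Dasm-style virtual addresses.

Added example for the File Investigator tutorial (not the tutorial's own code).
The image built by build_sample_pe() is constructed: it mimics the layout implied
by the listings (ImageBase 400000h, one code section at RVA 1000h) but is NOT
fi150s.exe, so its file offsets are an assumption of this example.
"""
import struct

JE_REL8 = 0x74   # je rel8   (74 cb)
JMP_REL8 = 0xEB  # jmp rel8  (EB cb), what Hiew shows as JMPS


def parse_sections(data):
    """Return (image_base, [(name, rva, raw_size, raw_ptr), ...]) for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20                              # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt_hdr)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt_hdr + 28)[0]
    sections = []
    for i in range(num_sections):
        sh = opt_hdr + opt_size + i * 40                 # IMAGE_SECTION_HEADER
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        rva, raw_size, raw_ptr = struct.unpack_from("<III", data, sh + 12)
        sections.append((name, rva, raw_size, raw_ptr))
    return image_base, sections


def va_to_offset(data, va):
    """Translate a virtual address (as shown by W32Dasm) into a raw file offset."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for _name, sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:08X} is not backed by any section's raw data")


def patch_je_to_jmp(data, va):
    """Return a copy of data with the JE at `va` turned into an unconditional short jump.

    The rel8 displacement stays as it is, so the jump still lands on the same
    target (the 'good user' path); only the condition is removed.
    """
    off = va_to_offset(data, va)
    if data[off] != JE_REL8:
        raise ValueError(f"expected JE (74h) at {va:08X}, found {data[off]:02X}h")
    patched = bytearray(data)
    patched[off] = JMP_REL8
    return bytes(patched)


def build_sample_pe():
    """Constructed PE32 stand-in: one .text section, RVA 1000h at file offset 200h.

    Only the two conditional jumps from the tutorial's listings are filled in:
      :0040104B 741B  je 00401068   (the 'not properly installed' check)
      :00401086 7417  je 0040109F   (the nag dialog check)
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, SizeOfOptionalHeader=224, Characteristics=EXE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt_hdr = bytearray(224)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt_hdr, 28, 0x400000)        # ImageBase
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + section
    image = bytearray(headers.ljust(0x400, b"\0"))
    image[0x24B:0x24D] = bytes([JE_REL8, 0x1B])          # VA 0040104B -> offset 24Bh
    image[0x286:0x288] = bytes([JE_REL8, 0x17])          # VA 00401086 -> offset 286h
    return bytes(image)


if __name__ == "__main__":
    exe = build_sample_pe()
    for va in (0x40104B, 0x401086):
        off = va_to_offset(exe, va)
        print(f"VA {va:08X} -> offset {off:05X}: {exe[off]:02X} {exe[off + 1]:02X}")
        exe = patch_je_to_jmp(exe, va)
    # On a real copy you would read the file, patch both VAs, and write it back out.
```

The check on the 74h byte matters: W32Dasm addresses assume the file maps the
way the section table says, and if the offset calculation is off by even one
byte you would overwrite a displacement or an unrelated opcode instead of the
condition.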

-nOstradamus <LzNT> [cD] '99



