Exetools  

  #1  
Old 02-18-2005, 20:30
fripouille
 
Posts: n/a
Hi !
I've taken a look at your proggy and I've got a question.
What is your goal exactly ?
Is it to crack the proggy or to reverse / unpack the packed stuff ?
Because, if you just want to register this software, you can try a different approach to succeed in doing so.
What I've understood about this program is that the packer is not only a packer, but a layer added to the proggy. It uses a lot of excellent obfuscation techniques and is really difficult to trace into. In fact, the IAT is also partially destroyed and redirected to the protector's routines. Then, even if you unpack it, you can't use it because of the bad IAT.

This approach is the hard one... maybe it could be simpler to try to reverse the little "register.exe" program.
In fact, it's a piece of cake to do so. Unfortunately, the "working serial" generated by this external registering tool is not valid, because of this :

email : [email protected]
password : XXXXXXXXX=000000 <- This part (000000) only is tested in registered.exe and depends on the email entered.

Once registered, 2 keys were created by 'register.exe' in the registry :
- Code : XXXXXXXXX
- Mail : [email protected]

The 'XXXXXXXXX' part is tested in the main game program. But you can easily find where with SI.
Take a look at this :
CODE : 00446E0E or CODE : 00446E2B

So, I let you try by yourself.
Hope it can help you.
bye.
(if you just want to defeat the packer, I'm sorry for this "no use" long piece of text.)
  #2  
Old 02-18-2005, 21:26
hosiminh
A piece of cake to reverse little "register.exe" program ?

Look at 004039A4, where the validation routine starts. There are more than 8 loops waiting for you.

This is why I am more interested in unpacking & patching.

One interesting thing I had noticed: you can put CC (bpx & bp breakpoint) only once; after you restart the main program (FunnyCreatures.exe) and load it again, you will get Exception C000001E (INVALID LOCK SEQUENCE).
But if you then quit Ollydbg, clean all *.UDDs and load it, you can put those bp again.

Last edited by hosiminh; 02-18-2005 at 21:34.
  #3  
Old 02-19-2005, 00:14
fripouille
 
Posts: n/a
Hi again.
Yes, reversing register.exe is a piece of cake.

Load it in IDA and take a few seconds to look at what it does.
What about those loops you talked about ? Explain in what way it's a problem please.
Just take a look at offset 403b91, you'll find the final check
Mov EAX, computed number
CMP EAX, entered number. (425 or 936 in my lower example)
ok ... try these :
email : *put here just what you want*
serial : 1234567=425

or this
email : *still not important*
serial : whatyouwant=936

So ... it works fine with register.exe but *NOT* with the game... you can break into the game just to watch how it computes these 2 created registry values.

Frequency was right ! It's an EXEcryptor's work. This prog can pack and cipher very well.

Reversing it is quite hard... because of the IAT destroying, AND because it replaces (yes, recompiles) some routines in the original program. These routines do the same thing as the original compiled code, but are replaced by an incredible piece of crap, very long and very obfuscated, where only 2 or 3 bytes are really doing something, hidden in a huge amount of horrible (and no-use and unreadable) code.


I'm sorry, but if you can't properly reverse the 'not protected' register.exe written in Delphi, you will have some difficulties to break this really good packer called EXEcryptor.

So, just tell us what you want to do : crack the little game or break down EXECryptor.
have fun.
bye
All times are GMT +8.