LSX-MPEG v3.0, build 20
If you have a need for an MPEG encoder, this little prog is nice and very simple to use. I wish I could say the same for making it work the way it's supposed to. This was a very long and involved process, but at least you get the benefit of knowing you can get this jewel to work perfectly if you persevere.
w32dasm 8.xxx
ultraedit 7.xx or whatever hexeditor you use
Good brain and plenty of time initially
www.ligos.com to get the very latest LSX-MPEG Encoder, v3.0, build 20
I do not know the program history. This is my first time messing with this prog. I saw requests for help posted on Universal Power Patcher- Forum and decided to try my hand. It converts .avi's to .mpeg1 or 2. That's it.
What we are going to crack here is the 30 second time restriction and the watermark encoding that Ligos puts in our way. Fire up w32dasm and disassemble this baby. Shouldn't take too long. While you're doing that, let me tell you that Ligos didn't use a bitmap to encode. That would have been too easy. They rather used a computer generated logo. Nevertheless, it doesn't really matter, as you'll soon see. Are you finished yet? Go ahead and run the prog through w32dasm debug mode so we can see what's going on inside. There isn't anything to be messed with here. You will get a nag screen that gives you the option to try now or buy it on the net. You can crack the nag screen later if you want to, since it poses the least problem for using the prog. It never times out or anything. I guess Ligos figures they have enough blockades in the way to hinder us. On to the task. You might want to start by looking at the string section. You will see one that deals with:

:00434A63 E8280FFFFF call 00425990
:00434A68 E8A3DF0300 call 00472A10
:00434A6D A13C3B5D00 mov eax, dword ptr [005D3B3C]  # frames of input .avi in hex, will vary with your file
:00434A72 8B15A4315D00 mov edx, dword ptr [005D31A4]  # frames allowed, I believe 01C2h
:00434A78 3BC2 cmp eax, edx
:00434A7A 7E63 jle 00434ADF
:00434A7C 83C4F8 add esp, FFFFFFF8

* Possible Reference to String Resource ID=64063: "Input file time exceeded. Demo version of the LSX-MPEG Enco"
|
:00434A7F C704243FFA0000 mov dword ptr [esp], 0000FA3F
:00434A86 E885DDFFFF call 00432810
:00434A8B 8BF8 mov edi, eax
:00434A8D 83C408 add esp, 00000008
:00434A90 8DB500FDFFFF lea esi, dword ptr [ebp+FFFFFD00]

If your file is longer than 30 seconds you will get this message when you are loading it. As you'll note, there is a very important comparison at 00434A78 above. I'll tell you up front: in LSX-MPEG v3.0 variables are very important and have to be tracked carefully in order to succeed in cracking it properly.
We also have to carefully observe the register window in w32dasm as it's running, because subtle changes in these and other variables occur. With that spoken, let's move along again. While you're at this juncture above, go ahead and change 00434A72 to:

:00434A72 8B153C3B5D00 mov edx, dword ptr [005D3B3C]

As you'll note, we are not merely causing the comparison to always be equal, and therefore always to jump. We are loading EDX with a required number, but not with Ligos' restricted frame number. We will be able to use this to our advantage later. Moving along. Here we need to nop 004341F5 to prevent a "bad" number (01C2h) from getting loaded into this variable. This is the same frame restriction number seen above.

:004341E3 898500FFFFFF mov dword ptr [ebp+FFFFFF00], eax
:004341E9 0500000080 add eax, 80000000
:004341EE 1500000080 adc eax, 80000000
:004341F3 D1F8 sar eax, 1
:004341F5 A3A4315D00 mov dword ptr [005D31A4], eax

This next one is a little more complicated, but not really any more difficult, as it involves several lines of code. Let's drop down to 004346A9.

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00434622(C), :0043462B(C)
|
:00434690 8B0D34325D00 mov ecx, dword ptr [005D3234]
:00434696 B80A000000 mov eax, 0000000A
:0043469B 8BD0 mov edx, eax
:0043469D 8BC1 mov eax, ecx
:0043469F 8BF2 mov esi, edx
:004346A1 99 cdq
:004346A2 F7FE idiv esi
:004346A4 83F864 cmp eax, 00000064
:004346A7 7E0F jle 004346B8
:004346A9 C70534325D00E8030000 mov dword ptr [005D3234], 000003E8  //Here
:004346B3 B9E8030000 mov ecx, 000003E8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004346A7(C)
|
:004346B8 A12C325D00 mov eax, dword ptr [005D322C]
:004346BD 3BC1 cmp eax, ecx
:004346BF 7D05 jge 004346C6
:004346C1 A334325D00 mov dword ptr [005D3234], eax

We definitely do not want to load these numbers (000003E8) at 004346A9 and 004346B3. If we load the 000003E8 at 004346A9, we end up resetting to a bad input of frames.
The variable [005D3234] needs to be loaded with the proper number, so we'll want to load it in a special way. To do that we'll need to do some fancy footwork here:

004346A9 C70534325D00E8030000 becomes 890D34325D0090909090  mov dword ptr [005D3234], ecx
004346B3 B9E8030000 becomes 9090909090
004346B8 B9E8030000 becomes 89C8909090  mov eax, ecx with 3 nops

As you've surmised, ECX contains exactly what we need. Now with the changes we've made so far, we won't have any problems loading any .avi we want to convert. If you look through the file carefully, you will find [005D3234] many times, but these are the only instances we need to fix. If you don't fix these, you will run across the number 0383h = 899. This is important because it is a restrictive number referring to the maximum frames at 30 frames per second (29.97) = 30 seconds. Additionally, the very first loading becomes unimportant, since it gets replaced with "our" number. Okay, we've done great so far. We still need to get rid of that nasty watermark and the message about the demo product. To the message first.
Just change:

:0045F2ED 0F8EC5000000 jle 0045F3B8

to a jump: E9C600000090. It can't help but jump now, no matter what.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F2DD(C)
|
:0045F2E1 8B0DD4D95A00 mov ecx, dword ptr [005AD9D4]
:0045F2E7 81F9B5030000 cmp ecx, 000003B5  // after 949d frames have rendered this will cause a jump to
:0045F2ED 0F8EC5000000 jle 0045F3B8  //HERE messagebox below
:0045F2F3 E8F82E0200 call 004821F0
:0045F2F8 BA1C000000 mov edx, 0000001C
:0045F2FD 8BCA mov ecx, edx
:0045F2FF 99 cdq
:0045F300 F7F9 idiv ecx
:0045F302 83FA01 cmp edx, 00000001
:0045F305 740B je 0045F312
:0045F307 8B0DD4D95A00 mov ecx, dword ptr [005AD9D4]
:0045F30D E9A6000000 jmp 0045F3B8

////////////////////////////////////////////////////////////////

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F340(C), :0045F375(C)
|
:0045F387 33C0 xor eax, eax
:0045F389 83C4F0 add esp, FFFFFFF0
:0045F38C 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:0045F392 88840DD4FEFFFF mov byte ptr [ebp+ecx-0000012C], al
:0045F399 89542404 mov dword ptr [esp+04], edx
:0045F39D 8944240C mov dword ptr [esp+0C], eax
:0045F3A1 C7442408F0915D00 mov [esp+08], 005D91F0
:0045F3A9 890424 mov dword ptr [esp], eax

* Reference To: USER32.MessageBoxA, Ord:01BBh
|
:0045F3AC FF158C6D5D00 Call dword ptr [005D6D8C]  // if you don't jump this messagebox you get a reminder that this is only a demo of LSX-MPEG Encoder
:0045F3B2 8B0DD4D95A00 mov ecx, dword ptr [005AD9D4]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F2ED(C), :0045F30D(U)
|
:0045F3B8 3B0DDCD95A00 cmp ecx, dword ptr [005AD9DC]  //HERE
:0045F3BE 0F8599010000 jne 0045F55D
:0045F3C4 B80F000000 mov eax, 0000000F
:0045F3C9 8B1D30DC5A00 mov ebx, dword ptr [005ADC30]
:0045F3CF A3E4FF5C00 mov dword ptr [005CFFE4], eax
:0045F3D4 A3E8FF5C00 mov dword ptr [005CFFE8], eax
:0045F3D9 A3DCFF5C00 mov dword ptr [005CFFDC], eax
:0045F3DE A3E0FF5C00 mov dword ptr [005CFFE0], eax
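The patches above rely on the relative-jump arithmetic being right: the displacement is counted from the address of the next instruction, so the 6-byte jle at 0045F2ED and the 5-byte jmp that replaces it need different displacements (C5 versus C6) to reach the same 0045F3B8. The following Python is an added check, not part of the original tutorial; it decodes each jump quoted in the listings on this page and confirms it lands where w32dasm printed, then re-derives the E9C6000000 encoding from the addresses alone.

```python
# Added example (not the tutorial author's code): decode the rel8/rel32
# displacements of the jumps quoted in the listings above, check that each one
# lands where w32dasm printed, and re-derive the E9C6000000 bytes used for the
# jle at 0045F2ED. Addresses and encodings are copied from the page.

def jump_target(addr, enc):
    """Return the target of a relative jcc/jmp (hex string enc) located at addr."""
    b = bytes.fromhex(enc)
    if b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:      # jcc rel32, e.g. 0F8E = jle
        disp, length = int.from_bytes(b[2:6], "little", signed=True), 6
    elif b[0] == 0xE9:                               # jmp rel32
        disp, length = int.from_bytes(b[1:5], "little", signed=True), 5
    elif 0x70 <= b[0] <= 0x7F or b[0] == 0xEB:      # jcc rel8 / jmp rel8
        disp, length = int.from_bytes(b[1:2], "little", signed=True), 2
    else:
        raise ValueError("not a relative jump: " + enc)
    # x86 displacements are relative to the address of the *next* instruction
    return addr + length + disp

def encode_jmp_rel32(addr, target):
    """Encode 'jmp target' placed at addr as E9 + little-endian rel32 (hex string)."""
    disp = target - (addr + 5)
    return "E9" + disp.to_bytes(4, "little", signed=True).hex().upper()

# (address, bytes, target as printed by w32dasm), taken from the listings on this page
LISTED = [
    (0x00434A7A, "7E63", 0x00434ADF),
    (0x004346A7, "7E0F", 0x004346B8),
    (0x0045F2ED, "0F8EC5000000", 0x0045F3B8),
    (0x0045F30D, "E9A6000000", 0x0045F3B8),
    (0x0046DB8D, "0F84D0040000", 0x0046E063),
    (0x0046DB9D, "7C4F", 0x0046DBEE),
]

def check_listings():
    """Map each listed address to True when the decoded target matches the printed one."""
    return {addr: jump_target(addr, enc) == target for addr, enc, target in LISTED}

if __name__ == "__main__":
    for addr, enc, target in LISTED:
        print(f"{addr:08X} {enc:<12} -> {jump_target(addr, enc):08X} (listed {target:08X})")
    # 6-byte jle slot at 0045F2ED: 5-byte jmp rel32 plus one nop, as the page shows
    print(encode_jmp_rel32(0x0045F2ED, 0x0045F3B8) + "90")   # E9C600000090
```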
///////////////////////////////////////////////////////////////////////////////

Come on now, to the home stretch. On to the watermark. All we need to do is change:

:0046DB8B 85C0 test eax, eax

to 31C0 xor eax, eax. Now it will always jump and the watermark never appears.

* Reference To: USER32.GetDC, Ord:00FBh
|
:0046DB82 FF15686D5D00 Call dword ptr [005D6D68]
:0046DB88 894598 mov dword ptr [ebp-68], eax
:0046DB8B 85C0 test eax, eax  //HERE
:0046DB8D 0F84D0040000 je 0046E063
:0046DB93 A13C315D00 mov eax, dword ptr [005D313C]
:0046DB98 3D2C010000 cmp eax, 0000012C
:0046DB9D 7C4F jl 0046DBEE
:0046DB9F 3D58020000 cmp eax, 00000258
:0046DBA4 7C0C jl 0046DBB2
:0046DBA6 A140315D00 mov eax, dword ptr [005D3140]
:0046DBAB 3D90010000 cmp eax, 00000190
:0046DBB0 7D1E jge 0046DBD0

That's all folks!
I hope you enjoyed this. It took many hours of work and rework to get this right. When you're working on a project, don't get discouraged. Sometimes we just need to take a break and then come back to it. I recommend taking many notes. It will save you time in the end. If you have any questions, please feel free to contact me at jomamameister@yahoo.com. I actually have a crack available for the entire prog, but you have to write to me and ask for it.

Sojourner