Web: http://kickme.to/mxbnet
Program: AC3 Decoder 1.21
Type: AC3 Decoder to MP3 ... WMA ... WAV

Crack:

This file is packed with ASProtect. This version of ASProtect doesn't clear the debug registers and no SICE (SoftICE) check is activated. However, the real OEP is hardcoded. Anyway, there are easy methods to find the OEP. The first API call made by the host program is GetStartupInfoA.

0x45FCAA PUSH EBP = 55 ---- REAL OEP ... Dump here

Either we can put a BPMB on 0045FCAA, restart the application and dump it when we break, or, if ASProtect clears the BPMB, we can also dump it at the first API break ... it will work. All you have to do is use the JMP EIP trick and dump. Now use WinHex and replace the JMP EIP hex values [ EB FE ] with the real hex values in the dumped file. So after dumping use WinHex and make EBFE ---> 558B.

Now ASProtect has fucked its IAT, so the dumped file will not work. So we have to find where the sucker ASProtect decoded its IAT. For this, run the protected program and put a BPX on ShowWindow ... when we break in the main program module ... we can see:

JMP [0049DDD0]

So the virgin IAT is somewhere near 49DDD0. Use WinHex, open the RAM Editor and select the primary memory of our protected program. Go to address 49DDD0. We can see a bunch of addresses there. It starts from 0049DB90 ---> to ---> 0049E5EF = A60

Now use ImpRec and select our program name. Enter the following values:

OEP = 05FCAA

Now hit "GetImports" .. we can see the IAT is read successfully. Now fix our dumped file. Now our dumped file runs ... without ASProtect. I have seen that some programs give page faults even after doing this; this is because the program is calling the ASProtect registration algorithm, which can be disabled.

Patching AC3:

Now this baby only decodes 50% of an AC3 file. I was unable to find a direct flag check. Every time we end up inside MFC. Seems it's made in OOP. One loophole is that this baby uses msvcrt.ftell to find the size of the input file. So use Win32Dasm [ Don't forget to change the Flags to E0000020 ] and find the address of ftell.
ftell = CALL [ 0049E380 ]

So put a BPMB CS:49E380 RW. When we break in the encoding process .... we can see:

0x40611A CALL [ 0049E380 ] --- ftell

It is seen that if we make EAX = [ EAX * 2 - 5000 ] it encodes the whole file. The idea is that the program thinks the file size is twice as large and it will find its half .... which is the original file size.

Patch:

0x406123 ADD EAX,EAX = 03 C0 --- EAX = EAX * 2 --- OFFSET = 6123