Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


AC3 Decoder 1.21

Type : AC3 Decoder to MP3 ... WMA ... WAV
Protection : ASProtect
Tech : Unpacking ... IAT Fixup ... Patching

Crack : This file is packed with ASProtect. This version of ASProtect does not clear the debug registers and no SoftICE (SICE) check is active. However, the real OEP is hard-coded. Anyway, there are easy methods to find the OEP.

The first API call made by the host program is GetStartupInfoA.
So in SICE set BPX GetStartupInfoA and run it. When we break inside the AC3 program module, look a few lines up and we can see :

0x45FCAA PUSH EBP = 55 ---- REAL OEP ... Dump here
0x45FCAB MOV EBP,ESP = 8B EC
0x45FCAD PUSH FF = 6A FF
0x45FCAF PUSH 0046CEB8
0x45FCB4 PUSH 0045FF36

Alternatively, we can put a BPMB on 0045FCAA, restart the application and dump it when we break. If ASProtect clears the BPMB, we can also dump at the first API break; it will work. All you have to do is use the JMP EIP trick and dump. Then use WinHex and replace the JMP EIP hex values [ EB FE ] with the real hex values in the dumped file.

So after dumping, use WinHex and change EB FE ---> 55 8B.
Use PEditor and set EP = 5FCAA

Now ASProtect has mangled the IAT, so the dumped file will not run. We have to find where ASProtect decoded its IAT. For this, run the protected program and put a BPX on ShowWindow. When we break in the main program module, we can see :

JMP [0049DDD0]

So the virgin IAT is somewhere near 49DDD0. Use WinHex, open the RAM Editor and select the primary memory of our protected program. Go to address 49DDD0. We can see a bunch of addresses there. It starts from 0049DB90 ---> to ---> 0049E5EF = A60

Now use ImpRec and select our program name. Enter the following values :

OEP = 05FCAA
RVA = 9DB90
SIZE = A60

Now hit "GetImports"; we can see the IAT is read successfully. Now fix our dumped file.

Now our dumped file runs without ASProtect. I have seen that some programs give page faults even after doing this; this is because the program is calling the ASProtect registration algorithm, which can be disabled.

Patching AC3 :

Now this baby only decodes 50% of the AC3 file. I was unable to find a direct flag check. Every time we end up inside MFC. It seems to be written in OOP.

One loophole is that this baby uses msvcrt.ftell to find the size of the input file. So use Win32Dasm [ don't forget to change the Flags to E0000020 ] and find the address of ftell.

ftell = CALL [ 0049E380]

So put a BPMB CS:49E380 RW

When we break in the encoding process, we can see :

0x40611A CALL [ 0049E380 ] --- ftell
0x406120 ADD ESP,04
0x406123 MOV [ 0048F228],EAX --- FILE SIZE

It turns out that if we make EAX = [ EAX * 2 - 5000 ] it encodes the whole file. The idea is that the program thinks the file size is twice as large and will process half of it, which is the original file size.
Making EAX = EAX * 2 made the file size too large and the program failed to encode. So subtract some 5000 bytes, and it worked.

Patch :

0x406123 ADD EAX,EAX = 03 C0 --- EAX=EAX*2 --- OFFSET = 6123
0x406125 SUB EAX,5000 = 2D 00 50 00 00 ---- EAX = EAX - 5000 (immediate 00 50 00 00 is 5000 hex)
0x40612A MOV [0048F228],EAX = A3 28 F2 48 00 --- STORE FAKE FILE SIZE
0x40612F JMP 40613F = EB 0E