Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



DLL Demon 1.0

Type : Shows all the tasks running on the system
Protection : Serial
Tech : Serial fishing


Crack : Enter a fake S/N, then in SICE set BPX HMEMCPY
and trace ...

0x461A7C POP EAX
0x461A7D CALL 0x403C90
0x461A82 JZ 0x461B37

Step into this CALL and you will find the real S/N

Registration Info :

Name = DHEERAJ
S/N = OFFSPRINGjmeroxMETALLICA


0x470053 JNZ 0x470080 >> BAD BOY

Inside CALL 0x408520

0x408542 CALL 0x4C2D04 >> CHECKS THAT THE LAST TWO CHARACTERS OF THE S/N ARE DIGITS (0 - 9)

Main S/N is found at :

0x470066 MOV EAX,[EBP-4] >> REAL S/N
0x470069 MOV EDX,EDI >> FAKE S/N
0x47006B CALL 0x403ED8 >> COMPARE BOTH

Note : The Product ID differs from PC to PC, so the S/N will not be the
same on your PC

Registration Info :

Name = DHEERAJ
Unlock Key = A077B6913400


few lines above ....

0x1A9757C CALL 1A926E0
0x1A97581 ADD ESP,10
0x1A97584 CMP EAX,01
0x1A97587 JNZ 1A975A3

Step into this call and we can see the comparison being made ....

Registration Info :

S/N = 799020-704950-876886-861489


eRegistrator
Host: dbregistration.cuteftp.com
Content-Length: 226
Pragma: no-cache

CUTERG0100046B657931000E413232323232323232323232323200046B65793200404E4D4D4F38574E4B3233394159574B464C314F504C334A3350594A3058414E324F4B574E4A4554575654383058384830 3239574C544D334F544E4D35564D3556000870726F64747970650003434635

So our S/N is validated by "dbregistration.cuteftp.com". Visit this server with your browser and you will see an interesting string displayed ...

CUTERG010007636F6D6D616E64000B696E76616C696464617461 - This means "d invaliddata"

So this is how the communication takes place ... we are not going to do our stuff here ... this is just for info.
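The capture above is readable once its layout is recognised. The decoder below is an added example, not CuteFTP's or eRegistrator's code; it infers from the bytes on the page that a message is the ASCII tag CUTERG01 followed by fields, each a 2-byte big-endian length written as four hex digits and then that many bytes written as hex, with fields alternating name and value. The field names key1, key2 and prodtype are simply what the capture contains, not documented protocol names. Run on the request body and on the reply string, it shows what the client actually sent (the serial typed in, a 64-character machine-bound key and the product type) and that the reply is a single command/invaliddata pair.

```python
# Added example (not CuteFTP's or eRegistrator's own code): decoder for the
# length-prefixed message format seen in the capture above. Layout inferred
# from the bytes on the page: ASCII tag "CUTERG01", then fields, each a
# 2-byte big-endian length as 4 hex digits followed by that many bytes as
# hex; fields alternate name, value.

MAGIC = "CUTERG01"

# Request body from the page's capture (the three wrapped lines joined).
REQUEST = (
    "CUTERG0100046B657931000E413232323232323232323232323200046B65793200404E4D4D4F38574E"
    "4B3233394159574B464C314F504C334A3350594A3058414E324F4B574E4A4554575654383058384830"
    "3239574C544D334F544E4D35564D3556000870726F64747970650003434635"
)
# Reply string the page shows when the server is visited with a browser.
RESPONSE = "CUTERG010007636F6D6D616E64000B696E76616C696464617461"


def parse_fields(message):
    """Split a CUTERG01 message into raw byte fields; reject malformed input."""
    if not message.startswith(MAGIC):
        raise ValueError("missing CUTERG01 tag")
    body = message[len(MAGIC):]
    fields = []
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated length prefix at offset %d" % pos)
        length = int(body[pos:pos + 4], 16)
        pos += 4
        hexval = body[pos:pos + 2 * length]
        if len(hexval) != 2 * length:
            raise ValueError("field at offset %d claims %d bytes but the message ends early"
                             % (pos, length))
        fields.append(bytes.fromhex(hexval))
        pos += 2 * length
    return fields


def decode_message(message):
    """Pair up name/value fields and return them as a dict of ASCII strings."""
    fields = parse_fields(message)
    if len(fields) % 2:
        raise ValueError("odd number of fields: unpaired name")
    return {fields[i].decode("ascii"): fields[i + 1].decode("ascii")
            for i in range(0, len(fields), 2)}


def encode_message(pairs):
    """Inverse of decode_message, used to confirm the inferred layout round-trips."""
    out = [MAGIC]
    for name, value in pairs.items():
        for item in (name, value):
            raw = item.encode("ascii")
            out.append("%04X%s" % (len(raw), raw.hex().upper()))
    return "".join(out)


if __name__ == "__main__":
    for label, msg in (("request", REQUEST), ("response", RESPONSE)):
        print("%s: %d bytes on the wire" % (label, len(msg)))
        for name, value in decode_message(msg).items():
            print("  %s = %s" % (name, value))
```

The parser rejects a truncated or misaligned message instead of silently returning partial fields, which is the behaviour you want when decoding captured traffic; decode_message also round-trips through encode_message, a cheap way to confirm that the inferred layout accounts for every one of the 226 bytes the Content-Length header announces.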

This baby can easily be stopped from verifying our S/N [OnLine check] by just changing the name of the server to whatever you like ... "xbregistration.cuteftp.com" ... using a hex editor.

But there is also a nasty CRC check and memory checksum ... going on in a separate thread ...

CRC Check - Memory Check Sum :

This baby does these checks in a separate thread .. the memory checksum is done using the APIs ...

MAPVIEWOFFILE ... GETMODULEFILENAMEA ...

We can't put a BPX on any address inside it, because that corrupts its memory and the consistency check will catch it .. so use a hardware breakpoint instead: BPMB cs:xxxxxx X. The funniest part is that we can't patch the routine itself, because the CALL to it depends on its virginity: if we patch it, the CALL to this routine will point to some other address and the result is a page fault. Never mind, the outer call can be patched.
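For the protector's side of the check just described, here is an added example, not the program's own code, of how a module-image checksum of this kind is normally structured: a CRC-32 is recorded per region at build time and recomputed over the mapped image at run time, and any region whose value has moved is reported. The image, the region layout and the offsets used in the demonstration are constructed for the example; a real implementation would take the bytes from the file located with GetModuleFileNameA and mapped with MapViewOfFile, and the region bounds from the PE section table.

```python
# Added example (not the protected program's own code): a module-image
# checksum of the kind described above, seen from the protector's side.
# The "image" here is constructed in memory; a real check would read the
# module's bytes (on Windows: the file found with GetModuleFileNameA and
# mapped with MapViewOfFile) and compare against values stored at build time.

CRC32_POLY = 0xEDB88320  # reflected IEEE 802.3 polynomial


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_table()


def crc32(data, crc=0):
    """Table-driven CRC-32; gives the same result as zlib.crc32."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


# Constructed stand-in for a mapped module image: 4 KiB of known bytes.
IMAGE = bytes(range(256)) * 16

# Regions a protector would cover separately, as (start, end) offsets.
# Assumed layout for the example; a real check would use the PE section table.
REGIONS = {"text": (0, 2048), "data": (2048, 4096)}


def sign_regions(image, regions):
    """Build-time step: record the expected CRC of each region."""
    return {name: crc32(image[s:e]) for name, (s, e) in regions.items()}


EXPECTED = sign_regions(IMAGE, REGIONS)


def check_regions(image, regions, expected):
    """Run-time step: names of regions whose CRC no longer matches the stored value."""
    return [name for name, (s, e) in regions.items()
            if crc32(image[s:e]) != expected[name]]


def verify_image(image, regions=REGIONS, expected=EXPECTED):
    """True only when every covered region is unchanged."""
    return check_regions(image, regions, expected) == []


def with_byte_changed(image, offset, value):
    """Copy of the image with one byte altered, to exercise the check."""
    buf = bytearray(image)
    buf[offset] = value
    return bytes(buf)


if __name__ == "__main__":
    print("clean image ok:", verify_image(IMAGE))
    altered = with_byte_changed(IMAGE, 100, 0x00)
    print("altered image ok:", verify_image(altered),
          "failed regions:", check_regions(altered, REGIONS, EXPECTED))
```

Two caveats a defender should keep in mind. CRC-32 is linear and unkeyed, so it detects accidental or careless modification but is not a cryptographic integrity guarantee; a keyed MAC or a signature over the file, verified against material kept outside the image, is the stronger design. And, as the text above already observes, a check is only as strong as the code that acts on its result: the recomputation and the decision it feeds should not hang off a single conditional jump.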

BPX MAPVIEWOFFILE ... tracing back, we end up here ...

CALL [EBP-18]
MOV [EBP-1C],EAX --- > FLAG SET

Inside this call ..

004773A7 MOV EAX,01
004773AC ADD ESP,48
004773AF RET
004773B0 XOR EAX,EAX -- PUT BPMB HERE ..
004773B2 ADD ESP,48
004773B5 RET

Put a BPMB inside this routine and you will break wherever it is called. The main outside calls to this routine are ..

0044445E CALL [00556E1C]
00444464 TEST EAX,EAX
00444466 JNZ 004444EC = 0F 85 80 00 00 00 --> GOOD BOY
0044446C CALL [00556E3C] --- CONSISTENCY CHK FAILED NAG BOX -- AND QUIT
........................
00477BC8 CALL [00556E18]
00477BCE TEST EAX,EAX
00477BD0 JNZ 00477BDA = 75 08 ---> GOOD BOY
00477BD2 CALL [00556E38] --- CONSISTENCY CHK FAILED NAG BOX -- AND QUIT
........................
00477B92 CALL [00556E30]
00477B98 TEST EAX,EAX
00477B9A JNZ 00477BAA = 75 0E ---> GOOD BOY
00477B9C CALL [00556E50] --- CONSISTENCY CHK FAILED NAG BOX -- AND QUIT
-----------------------PATCH THESE TO ---------------
00444466 NOP = 90 OFFSET = 44466
00444464 JMP 004444EC = E9 80 00 00 00

00477BD0 JMP 00477BDA = EB 08 OFFSET = 77BD0

00477B9A JMP 00477BAA = EB 0E OFFSET = 77B9A

S/N ..

Now go offline and register this program with this S/N .....

S/N = A2222222222222
Name = DHEERAJ

It will tell you that the S/N seems to be OK but is not verified ... see the "About Box". A quick view with Win32DASM shows that CALL 00404110 is the main sucker behind this .... Inside this CALL we will alter the flag-clearing part ..

004043FE XOR EAX,EAX = 33 C0
00404400 JMP 40454E = E9 49 01 00 00
----------- PATCH THIS TO ---------
004043FE XOR EAX,EAX = 33 C0
00404400 INC EAX = 40 OFFSET = 4400
00404401 JMP 40454E = E9 48 01 00 00

Now we have finished ... it is working fine and "About Box" shows it is licensed to me ...


strcat(sysdir,"\\ws057043.ocx");
//===============================================================
if(!DeleteFile(windir))
{
    MessageBox(NULL,"Unable to delete Lic File ...",InfoText,MB_OK);
    error = true;
}
//===============================================================
GetWindowsDirectory(windir,sizeof(windir));
strcat(windir,"\\Vbox\\Licenses\\ _5.51.277_5044.prf");

if(!DeleteFile(windir))
{
    MessageBox(NULL,"Unable to delete Prf File ...",InfoText,MB_OK);
    error = true;
}
//================================================================
if(!DeleteFile(sysdir))
{
    MessageBox(NULL,"Unable to delete OCX File ...",InfoText,MB_OK);
    error = true;
}
//===============================================================
//Delete os*****.bin : cut the Windows directory back to its drive root
GetWindowsDirectory(windir,sizeof(windir));

for(i=0;i < MAX_PATH;i++)
{
    if(windir[i] == '\\')
    {
        windir[i] = '\0';   // e.g. "C:\WINDOWS" becomes "C:"
        break;
    }
}
strcat(windir,"\\os291494.bin");

if(!DeleteFile(windir))
{
    MessageBox(NULL,"Unable to delete BIN File ...",InfoText,MB_OK);
    error = true;
}
//===============================================================
if(error == false)
{
    MessageBox(NULL,"Removed VBOX Files and Registry Keys ...",InfoText,MB_OK);
}

//===============================================================
//Execute VSetupT.exe with the same command line this program received
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
cl = GetCommandLine();

if (!CreateProcess("VSetupT.exe",cl, NULL, NULL,FALSE,
                   NORMAL_PRIORITY_CLASS,NULL, NULL,&si, &pi))
{
    MessageBox(NULL,"Unable to load \"VSetupT.exe\" ...",InfoText,MB_OK);
    error = true;
}
else
{
    MessageBox(NULL,"Loaded \"VSetupT.exe\" ...",InfoText,MB_OK);
}
//===============================================================

return 0;

}
//===================================================================================