
DzSoft Perl Editor 4.0

Type : Perl Editor
Protection : ASProtect - 6KB file limit
Tech : Loader


Crack : This ASProtect sucker is becoming a real problem....now unpacking this
stuff is not so easy ....but here we will make a loader to load and patch our
target.
First of all we must find where to patch ...for this observe DzSoft Perl Editor.
It is showing "UNREGISTERED" in status bar ... this will be our attack point.

In SICE BPX GETSTARTUPINFOA

When we break in to programs code ....search for "UNREGISTERED" ...

s -a 0 l ffffff "UNREGISTERED"

Now use - BPR xxxxxxxx xxxxxxxx RW - where you found "UNREGISTERED"

Now continue ....

As soon as the program reads this memory we break into SICE .... look upwards ..
we will see ...

0x4C8324 CALL 4BC144
0x4C8329 TEST AL,AL
0x4C832B JNZ 4C8397 | 75 6A ----> GOOD BOY must jump - this will solve every thing

So we must make : JNZ = 75 6A ---> JMP = EB 6A

We will make a simple loader .....

Loader :

//=========================Proc Patch ===============================
//loader.cpp
//MxB
//***********************************
//email : mxbnet@hotmail.com
//web : mxb.cjb.net
//***********************************
//===================================================================

#include <windows.h>
//===================================================================
/*
 * Loader entry point.
 *
 * Starts "Pleditor.exe" as a child process, repeatedly reads two bytes at the
 * fixed virtual address 0x004C832B in that child until the first byte equals
 * 0x75, waits 300 ms, and then, only if the two bytes read are 0x75 0x6A,
 * overwrites them in the child's memory with 0xEB 0x6A. Nothing on disk is
 * modified by this function; the change exists only in the running child.
 *
 * Parameters: none of the four WinMain parameters is used; the command line
 * handed to the child comes from GetCommandLine().
 * Returns: 0 on every path, including when the child cannot be started.
 *
 * NOTE(review), for protection authors and detection engineers:
 *  - The sequence CreateProcess -> ReadProcessMemory -> WriteProcessMemory
 *    from a parent into its child's code is the observable behaviour here;
 *    cross-process writes into an image's executable pages are the point to
 *    monitor.
 *  - The address is hard-coded, so the byte comparison can only succeed when
 *    the target module is mapped at the same address on every run
 *    (presumably a fixed image base; confirm against the target binary).
 *  - The 300 ms delay is, per the author's own comment, timed to land after
 *    the protector's memory check. A check that runs once at start-up cannot
 *    see a later write; re-verifying code pages during execution would.
 *  - Return values of ReadProcessMemory and WriteProcessMemory are ignored.
 */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,
LPSTR lpCmdLine,int nShowCmd)
{


STARTUPINFO si;
// Caption used for the error message box below.
char InfoText[] = "MxB NET - DzSoft Perl Editor 4.0";
// Declared but never used in this function.
unsigned long i = 0;
// Fixed address inside the child process that is read and later written.
unsigned long AddressOfPatch1 = 0x004C832B;

// Two-byte buffer receiving the child's bytes at AddressOfPatch1.
char DataRead[2] = {0};
char* cl;
PROCESS_INFORMATION pi;
// Relative name: resolved by CreateProcess, so the loader has to be started
// where that name resolves to the intended executable.
char FileName[] = "Pleditor.exe";
//============================================================
//Patch Data
// Expected original bytes (0x75 0x6A); the write is skipped unless both match.
char scanbyte1 = 0x75;
char scanbyte2 = 0x6A;

//============================================================
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
// The loader's own command line is passed unchanged to the child.
cl = GetCommandLine();

if (CreateProcess(FileName, cl, NULL, NULL,FALSE,
NORMAL_PRIORITY_CLASS,NULL, NULL, &si, &pi))
{
//=====================================================
//=====================================================
//Patch
// First read of the two bytes; the result of the call is not checked.
ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch1,
DataRead, 2, NULL);
// Busy-poll until the first byte reads as 0x75. There is no other exit
// condition and no back-off: if the reads keep failing or the child exits,
// DataRead is not updated and this loop does not terminate.
for(;DataRead[0] != scanbyte1;)
{

ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch1,
DataRead, 2, NULL);
}
//=======================================================
//sleep till asprotect do memchk
// Fixed 300 ms wait; the bytes are NOT re-read afterwards, so the comparison
// below uses the values captured before the sleep.
Sleep(300);
//=======================================================
if(DataRead[0] == scanbyte1 && DataRead[1] == scanbyte2)
{
//===================================================
// Replaces 0x75 0x6A with 0xEB 0x6A in the child's memory; the result of the
// call is not checked.
WriteProcessMemory (pi. hProcess,
(LPVOID) AddressOfPatch1,
"\xEB\x6A", 2, NULL);
//====================================================
}
//========================================================
//====================================================

//========================================================
// Only the loader's handles are released here; the function does not wait
// for the child.
CloseHandle (pi.hProcess);
CloseHandle (pi.hThread);

}
else
{
// CreateProcess failed: report it and leave with the same exit code (0).
MessageBox(NULL,"Unable to load program .. exiting",InfoText,MB_OK);
return 0;
}

//============================================================

//============================================================
return 0;
}
//==================================================================


that we can fix it. Run the dumped file and select the process "dreamweaver.exe" in ImpRec. Give EP = 006F0E48 and hit "IAT Auto Search" ... It will report that the IAT was read successfully. Now click "GetImports" .... we can see all import functions .... Now click "Fix Dump" and point it to another copy of the dump file we have saved .... that's all, we can now run [other file] this baby everywhere ...
You can verify it: just look at FirstThunk in a hex editor. The original IAT will be restored in a new section, and ImpRec will align the new IAT.

Thanks IMPREC ...

I have tested it on different PCs with Win98 and WinXP .... and it is working fine ... So we have ripped off VBOX 4.622 ..... and it is time to celebrate ....

NB : Special thanks to [yAtEs] for his wonderful essay on IAT. Special thanks to Kilby for his wonderful essay on Copylok IAT, and many, many thanks to MackT/uCF2000 for his excellent tool ImpRec.


===========================================================
if(!DeleteFile(windir))
{
MessageBox(NULL,"Unable to deleted Lic File ...",InfoText,MB_OK);
error = true;
}
//===============================================================
GetWindowsDirectory(windir,sizeof(windir));
strcat(windir,"\\Vbox\\Licenses\\ _5.51.277_5044.prf");

if(!DeleteFile(windir))
{
MessageBox(NULL,"Unable to deleted Prf File ...",InfoText,MB_OK);
error = true;
}
//================================================================
if(!DeleteFile(sysdir))
{
MessageBox(NULL,"Unable to deleted OCX File ...",InfoText,MB_OK);
error = true;
}
//===============================================================
//Delete os*****.bin
GetWindowsDirectory(windir,sizeof(windir));

for(i=0;i < MAX_PATH;i++)
{
if(windir[i] == '\\')
{
windir[i] = '\0';
}
}
strcat(windir,"\\os291494.bin");

if(!DeleteFile(windir))
{
MessageBox(NULL,"Unable to deleted BIN File ...",InfoText,MB_OK);
error = true;
}
//===============================================================
if(error ==false)
{
MessageBox(NULL,"Removed VBOX Files and Registry Keys ...",InfoText,MB_OK);
}

//===============================================================
//Execute VSetupT.exe
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
cl = GetCommandLine();

if (!CreateProcess("VSetupT.exe",cl, NULL, NULL,FALSE,
NORMAL_PRIORITY_CLASS,NULL, NULL,&si, &pi))
{
MessageBox(NULL,"Unable to load \"VSetupT.exe\" ...",InfoText,MB_OK);
error = true;
}else
{
MessageBox(NULL,"Loaded \"VSetupT.exe\" ...",InfoText,MB_OK);
}
//===============================================================

return 0;

}
//===================================================================================