Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



LSX-MPEG Encoder 2.0




Type : MPEG Encoder
Protection : Time Limit - 30 Sec & Water Mark
Tech : Patching

Crack : This program has a 30 sec time limit and water marking after
150 frames. We will crack this section by section :

(1) Nag Screen At Start Up :

Load the program using Symbol Loader. Trace from the start point :)

0x44CCAD CALL 0x467B17
INSIDE THIS CALL .....

0x467B27 CALL 0x4712A4
INSIDE THIS CALL .....

0x4712DB CALL [ESI+58]
INSIDE THIS CALL .....

0x41FEF9 CALL 0x46A113
0x41FEFE MOV EBX,00000001
0x41FF03 CMP EAX,EBX
0x41FF05 JZ 0x41FF48 >> TRY
||||
vvvv
ORDER NOW

Patch :

0x41FEF9 JMP 0x41FF48 | EB 4D OFFSET = 0x1F2F9

(2) 30 Sec Time Limit :

For this I used an AVI file with 1203 frames : this will be enough
to cross the time limit :)

Please Note : 1203 = 0x4B3

Program gives us a warning when we try to encode this file.
So in SICE BPX MESSAGEBOXA and just trace ...

0x4218C3 CALL 0x43E5C0
0x4218C8 MOV ECX,[0x5A1BD8] >> 0x1203
0x4218CE MOV EAX,[0x5A0884] >> 0x12C : LIMIT FACTOR
0x4218D3 CMP ECX,EAX
0x4218D5 JLE 0x4218F4 >> GOOD BOY

Now we will see where the memory [0x5A0884] is loaded with
0x12C.
So in SICE : BPM 0x5A0884 RW
Then restart the encoding process.
We will pop up here :

0x421395 FILD DWORD PTR[0x5A0884]
0x42139B FADD ST(0),ST
0x42139D FCOMP ST(1)
0x42139F FSTSW AX
0x4213A1 TEST AH,41
0x4213A4 JNZ 0x4213B7 >> GOOD BOY : MUST JUMP TO CRACK -
0x4213A6 CALL 0x44A930 >> TIME LIMIT
0x4213AB CDQ
0x4213AC SUB EAX,EDX
0x4213AE SAR EAX,1
0x4213B0 MOV [0x5A0884],EAX >> EAX = 0x12C
0x4213B5 JMP 0x4213B9

Patch :

0x4213A4 JMP 0x4213B7 | EB 11 OFFSET = 0x207A4

At main encoder loop :
.........................
0x4166DF MOV EAX,[ESP+10]
0x4166E3 MOV ECX,[0x59DFEC] >> 0x2EE = 750 : FRAMES THAT WILL BE ENCODED OUT OF 1203 FRAMES
0x4166E9 INC EAX
0x4166EA CMP EAX,ECX
0x4166EC MOV [ESP+10],EAX
0x4166F0 JL 0x416280

Now we will see where the memory [0x59DFEC] is loaded with
0x2EE.
So in SICE : BPM 0x59DFEC RW
Then restart the encoding process.
We will pop up here :

0x4214E7 MOV ESI,EAX
0x4214E9 MOV [0x59DFEC],ESI >> DANGEROUS INSTRUCTION : FILL WITH NOP
0x4214EF LEA EDX,[ECX+EBX]
..........................
0x421629 CMP EDX,64
0x42162C JLE 0x421639 >> GOOD BOY
0x42162E MOV ESI,000003E8
0x421633 MOV [0x59DFEC],ESI
0x421639 MOV EAX,[0x59EB60] >> 0x2EE
0x42163E CMP EAX,ESI
0x421640 JGE 0x421647 >> GOOD BOY
0x421642 MOV [0x59DFEC],EAX >> EAX = 0x2EE

Patch :

Fill 0x4214E9 - 0x4214EE WITH NOP = 0x90
OFFSET = 0x208E9
89 35 EC DF 59 00 ==> 90 90 90 90 90 90

0x42162C JMP 0x421639 | EB 0B OFFSET = 0x20A2C

0x421640 JMP 0x421647 | EB 05 OFFSET = 0x20A40

(3) Water Mark [After 150 Frames] :

After 150 frames this program writes "LSX-MPEG DEMO VERSION"
to the encoded stream :(
It does not use a bitmap to do this; the string is kept encoded
inside the program.

To crack this I used the program API SPY.
Load the Kernel, GDI and User modules into API SPY and run the program.
Note : We only need to activate the API spying at encode time :)

Start the encoding process and also activate API SPY. After the water mark is
shown you can stop spying and save the log file. Now look into the log file :
we can see that the API CreateBitmap is used. The main part of the log file is shown below :
-------------------------------------------------------------------------------------------
API Spy Log File
****************

0043F8B8:GetDC(HWND:0000076C)
0043F8BE:GetDC = 772
0043F8DF:CreateBitmap(DWORD:00000320,DWORD:00000014,
DWORD:00000001,DWORD:00000001,LPDATA:00000000) >> Attack Point
0043F8E5:CreateBitmap = D0E
0043F932:SetBitmapBits(HANDLE:00000D0E,DWORD:000007D0,LPDATA:012BFA20)
0043F938:SetBitmapBits = 7D0
0043F93C:CreateCompatibleDC(HANDLE:00000772)
0043F942:CreateCompatibleDC = D02
0043F94E:SelectObject(HANDLE:00000D02,HANDLE:00000D0E)
0043F954:SelectObject = 72A
0043F974:lstrlenA(LPSTR:004A7CD8:"͂") >> Encoded String "LSX-MPEG Demo "
0043F976:lstrlenA = E >> String Length
0043F9B5:SetTextColor(HANDLE:00000D02,DWORD:00FFFFFF)
0043F9BB:SetTextColor = 0
0043F9BE:SetBkMode(HANDLE:00000D02,DWORD:00000001)
0043F9C4:SetBkMode = 2
0043FA13:lstrlenA(LPSTR:0085E7A0:"LSX-MPEG Demo ")
0043FA15:lstrlenA = E
0043FA1E:DrawTextA(HANDLE:00000D02,LPSTR:0085E7A0:"LSX-MPEG Demo ", >> Draw Water Mark
DWORD:0000000E,LPDATA:0085E7F0,DWORD:00000020)
0043FA24:DrawTextA = 10
0043FA24:GdiFlush() >> Flush GDI
0043FA2A:GdiFlush = 1
0043FA7A:GetDIBits(HANDLE:00000D02,HANDLE:00000D0E,DWORD:00000000,
DWORD:00000014,LPDATA:012BFA20,LPDATA:0085E7C8,DWORD:00000000)
-------------------------------------------------------------------------------------------

At 0x43F974 we can see the encoded string "LSX-MPEG Demo ".
At 0x43FA1E we can see it is using DrawTextA to draw the water mark.
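The log above is read by following the handles: the value CreateBitmap returns (D0E) reappears as an argument to SetBitmapBits, SelectObject and GetDIBits, which is how one sees that the text is rendered into an off-screen bitmap and then read back as pixels. The Python below is an added example, not code from the page or from the API SPY tool: it parses the call/return lines of the log (re-joining the lines the spy wrapped), pairs each handle-returning GDI call with every later call that receives that handle, and lists the strings passed to text-drawing APIs. The log lines embedded in it are the ones shown on the page; the list of handle-producing and text-drawing APIs is an assumption that covers only the calls the log contains.

```python
import re
from collections import namedtuple

# Call/return lines copied from the API Spy log shown on the page. The wrapped
# CreateBitmap, DrawTextA and GetDIBits lines are kept wrapped on purpose.
API_SPY_LOG = """\
0043F8B8:GetDC(HWND:0000076C)
0043F8BE:GetDC = 772
0043F8DF:CreateBitmap(DWORD:00000320,DWORD:00000014,
DWORD:00000001,DWORD:00000001,LPDATA:00000000) >> Attack Point
0043F8E5:CreateBitmap = D0E
0043F932:SetBitmapBits(HANDLE:00000D0E,DWORD:000007D0,LPDATA:012BFA20)
0043F938:SetBitmapBits = 7D0
0043F93C:CreateCompatibleDC(HANDLE:00000772)
0043F942:CreateCompatibleDC = D02
0043F94E:SelectObject(HANDLE:00000D02,HANDLE:00000D0E)
0043F954:SelectObject = 72A
0043F974:lstrlenA(LPSTR:004A7CD8:"\u0342") >> Encoded String "LSX-MPEG Demo "
0043F976:lstrlenA = E >> String Length
0043F9B5:SetTextColor(HANDLE:00000D02,DWORD:00FFFFFF)
0043F9BB:SetTextColor = 0
0043F9BE:SetBkMode(HANDLE:00000D02,DWORD:00000001)
0043F9C4:SetBkMode = 2
0043FA13:lstrlenA(LPSTR:0085E7A0:"LSX-MPEG Demo ")
0043FA15:lstrlenA = E
0043FA1E:DrawTextA(HANDLE:00000D02,LPSTR:0085E7A0:"LSX-MPEG Demo ", >> Draw Water Mark
DWORD:0000000E,LPDATA:0085E7F0,DWORD:00000020)
0043FA24:DrawTextA = 10
0043FA24:GdiFlush() >> Flush GDI
0043FA2A:GdiFlush = 1
0043FA7A:GetDIBits(HANDLE:00000D02,HANDLE:00000D0E,DWORD:00000000,
DWORD:00000014,LPDATA:012BFA20,LPDATA:0085E7C8,DWORD:00000000)
"""

# A record starts with the 8-hex-digit caller address; anything else is a wrapped tail.
LINE_START = re.compile(r"^[0-9A-F]{8}:")
CALL_RE = re.compile(r"^([0-9A-F]{8}):(\w+)\((.*)\)")
RET_RE = re.compile(r"^([0-9A-F]{8}):(\w+) = ([0-9A-F]+)")
ARG_RE = re.compile(r"\b(\w+):([0-9A-F]{8})\b")       # TYPE:VALUE argument pairs
STR_RE = re.compile(r'"([^"]*)"')                      # quoted string contents

# Assumed sets, covering only the APIs that appear in this log.
HANDLE_PRODUCERS = {"GetDC", "CreateBitmap", "CreateCompatibleDC", "SelectObject"}
TEXT_APIS = {"DrawTextA", "DrawTextW", "TextOutA", "TextOutW", "ExtTextOutA", "ExtTextOutW"}

Event = namedtuple("Event", "kind addr api args strings value")


def join_wrapped_lines(text):
    """Re-join call lines that the spy wrapped onto a following line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_log(text):
    """Turn the log into Event records: 'call' (with typed args and strings) or 'ret' (with value)."""
    events = []
    for line in join_wrapped_lines(text):
        m = CALL_RE.match(line)
        if m:
            addr, api, arg_text = m.groups()
            args = tuple((t, int(v, 16)) for t, v in ARG_RE.findall(arg_text))
            events.append(Event("call", int(addr, 16), api, args, tuple(STR_RE.findall(arg_text)), None))
            continue
        m = RET_RE.match(line)
        if m:
            addr, api, value = m.groups()
            events.append(Event("ret", int(addr, 16), api, (), (), int(value, 16)))
    return events


def track_gdi_handles(events):
    """Map each handle returned by a producer API to the later calls that received it."""
    handles = {}
    for ev in events:
        if ev.kind == "ret" and ev.api in HANDLE_PRODUCERS and ev.value:
            handles.setdefault(ev.value, {"created_by": ev.api, "used_by": []})
        elif ev.kind == "call":
            for _type, value in ev.args:
                if value in handles:
                    handles[value]["used_by"].append(ev.api)
    return handles


def drawn_text(events):
    """(api, string) for every string handed to a text-drawing API."""
    return [(ev.api, s) for ev in events if ev.kind == "call" and ev.api in TEXT_APIS for s in ev.strings]


if __name__ == "__main__":
    evs = parse_log(API_SPY_LOG)
    for handle, info in sorted(track_gdi_handles(evs).items()):
        print(f"handle {handle:#06x} from {info['created_by']:18} -> {', '.join(info['used_by']) or '-'}")
    print("text rendered:", drawn_text(evs))
```

Run stand-alone it prints one line per handle; the bitmap handle's chain (CreateBitmap, SetBitmapBits, SelectObject, GetDIBits) together with the DrawTextA entry on the compatible DC is the whole watermark pipeline in four lines, which is the same conclusion the page draws by reading the log by hand.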

Main attack point is shown below :

0x43F8DF CALL [CreateBitmap]
0x43F8E5 TEST EAX,EAX
0x43F8E7 MOV [EBP-0C],EAX
0x43F8EA JZ 0x43FAEC |0F 84 FC 01 00 00 >> MUST JUMP


Patch :

0x43F8EA NOP | 90 OFFSET = 0x3ECEA
0x43F8EB JMP 0x43FAEC | E9 FC 01 00 00

So we have cracked LSX-MPEG DEMO :)


e os528730.bin
GetWindowsDirectory(windir,sizeof(windir));

/* Replace every backslash with NUL: the string is cut at the first one,
   so only the drive part ("C:") of the Windows directory remains */
for(i=0;i < MAX_PATH;i++)
{
if(windir[i] == '\\')
{
windir[i] = '\0';
}
}
strcat(windir,"\\os581474.bin");   /* e.g. "C:\os581474.bin" */

if(!DeleteFile(windir))
{
MessageBox(NULL,"Unable to delete BIN File ...",InfoText,MB_OK);
error = true;
}
//===============================================================
if(error ==false)
{
MessageBox(NULL,"Removed VBOX Files and Registry Keys ...",InfoText,MB_OK);
}

//===============================================================
//Execute VSetupT.exe
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
cl = GetCommandLine();

if (!CreateProcess("VSetupT.exe",cl, NULL, NULL,FALSE,
NORMAL_PRIORITY_CLASS,NULL, NULL,&si, &pi))
{
MessageBox(NULL,"Unable to load \"VSetupT.exe\" ...",InfoText,MB_OK);
error = true;
}else
{
MessageBox(NULL,"Loaded \"VSetupT.exe\" ...",InfoText,MB_OK);
}
//===============================================================

return 0;

}
//====================================================================================


32!lstrcat



Put BPMB CS:700C0D4 X and trace back. We can find every API and where it is called from ... but it is really boring, and some APIs are never called during normal operation .... you will have to do all sorts of things with this baby to make that API call so that we can find where it is called from.

Inside Win32 API -----------------------------------------------------

015F:BFF7FFE4 C20400 RET 0004 
KERNEL32!VirtualAlloc 
015F:BFF7FFE7 55 PUSH EBP --- Here !!!
015F:BFF7FFE8 8BEC MOV EBP,ESP
015F:BFF7FFEA 83EC08 SUB ESP,08
015F:BFF7FFED 817D0C0000C07F CMP DWORD PTR [EBP+0C],7FC00000
015F:BFF7FFF4 53 PUSH EBX
015F:BFF7FFF5 56 PUSH ESI
015F:BFF7FFF6 57 PUSH EDI
015F:BFF7FFF7 760C JBE BFF80005

This means : CALL [00CE78E8] ---> CALL KERNEL32!VirtualAlloc

We can use the IAT editor in ImpRec to fill in this API ... But anyway I got the full version of FlashMX from warez .... who cares about this silly demo ...


PTR [EBP-70],B5F3
015F:00C400F0 C745FC01000000 MOV DWORD PTR [EBP-04],00000001
015F:00C400F7 B900000000 MOV ECX,00000000
015F:00C400FC 668CC9 MOV CX,CS
015F:00C400FF 32C9 XOR CL,CL
015F:00C40101 E361 JECXZ 00C40164
015F:00C40103 B443 MOV AH,43
015F:00C40105 CD68 INT 68 <----
015F:00C40107 66338558FEFFFF XOR AX,[EBP-01A8]
015F:00C4010E 663B4590 CMP AX,[EBP-70]
015F:00C40112 7550 JNZ 00C40164

EAX=601105B3 ; [EBP-70] = SS:0058B30C=B5F3

UnPacking :

BPMB #0030:00C3D79C W DR3

FCShare.text1

015F:600BD511 50 PUSH EAX
015F:600BD512 8B47F8 MOV EAX,[EDI-08]
015F:600BD515 0345FC ADD EAX,[EBP-04]
015F:600BD518 50 PUSH EAX
015F:600BD519 E8D20B0000 CALL 600BE0F0 <--- Unpack
015F:600BD51E 83C728 ADD EDI,28
015F:600BD521 83C40C ADD ESP,0C
015F:600BD524 8D47EC LEA EAX,[EDI-14]
015F:600BD527 3BC3 CMP EAX,EBX
015F:600BD529 72DE JB 600BD509
015F:600BD52B 8B7DFC MOV EDI,[EBP-04]
015F:600BD52E 3B7DF4 CMP EDI,[EBP-0C]
015F:600BD531 7423 JZ 600BD556 <--- Loop
015F:600BD533 8B86A0000000 MOV EAX,[ESI+000000A0]
015F:600BD539 FFB6A4000000 PUSH DWORD PTR [ESI+000000A4]
015F:600BD53F 03C7 ADD EAX,EDI
015F:600BD541 50 PUSH EAX
015F:600BD542 FF75F4 PUSH DWORD PTR [EBP-0C]
015F:600BD545 57 PUSH EDI
015F:600BD546 E8D8000000 CALL 600BD623
015F:600BD54B 83C410 ADD ESP,10
015F:600BD54E 84C0 TEST AL,AL
015F:600BD550 0F84C9000000 JZ 600BD61F ---> Extraction Error
015F:600BD556 FFB680000000 PUSH DWORD PTR [ESI+00000080]
015F:600BD55C 57 PUSH EDI
015F:600BD55D E852010000 CALL 600BD6B4
015F:600BD562 59 POP ECX
015F:600BD563 84C0 TEST AL,AL
015F:600BD565 59 POP ECX
015F:600BD566 0F84B3000000 JZ 600BD61F ---> Extraction Error
015F:600BD56C 8D86F8000000 LEA EAX,[ESI+000000F8]

Quickly restoring the patch in memory avoids the page fault.
So each section acts as a decryption key.

Patch :

Write the string "Asshole" at the end of the file FCShare.dll and run it ... we can
see that there is no page fault. So that part is not part of the key.

File offset : 46F60
In memory :

015F:6011CF60 41 73 73 68 6F 6C 65 00-00 00 00 00 00 00 00 00 Asshole.........
015F:6011CF70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

So we will use this place to write our code.


Winnt.h

#define PAGE_NOACCESS 0x01
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE 0x10
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD 0x100
#define PAGE_NOCACHE 0x200
#define PAGE_WRITECOMBINE 0x400


Text1.Section
Flag : 60000020 -- Contains executable code + readable
Offset : 2DF


The section we were looking to patch has only Execute and Read-only permission. So we can't use runtime patching directly [ we will end up in a page fault ]. But there are loopholes ... If we can use some API with Ring0 privilege we can bypass this protection.
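Both the file offsets in the LSX-MPEG patch notes earlier on this page (for example 0x41FEF9 -> 0x1F2F9) and the section flag 60000020 here come from the PE section table, and the flag is also what decides the page protection the loader applies, which is why a write into this section faults. The Python below is an added example, not code from the page or from any tool it mentions: it builds a header-only PE32 image in memory, parses the section table, decodes Characteristics into the winnt.h flag names, derives the PAGE_* protection the section gets, maps a virtual address back to its file offset, and flags sections that are both writable and executable, the usual leftover of a packer or self-modifying loader. The section layout (ImageBase 0x400000, .text at RVA 0x1000 with raw data at file offset 0x400) is an assumption chosen so that the mapping reproduces the page's own offsets; the .data and pack0 sections are constructed for illustration.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h), lowest first
SECTION_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

# Constructed layout (assumption chosen to agree with the page's VA -> offset pairs):
# name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
SAMPLE_SECTIONS = [
    (b".text", 0x50000, 0x01000, 0x50000, 0x00400, 0x60000020),
    (b".data", 0x08000, 0x51000, 0x02000, 0x50400, 0xC0000040),
    (b"pack0", 0x10000, 0x59000, 0x01000, 0x52400, 0xE0000020),  # constructed W+X section
]


def build_sample_pe(sections, image_base=0x400000):
    """Constructed PE32 headers only: DOS header, PE signature, COFF header,
    a 0x60-byte optional header without data directories, then the section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    opt = bytearray(0x60)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)          # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_HEADER, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, rawptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Walk the headers and return (image_base, [section dicts])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize, "chars": chars})
    return image_base, sections


def describe_characteristics(chars):
    return "|".join(name for bit, name in SECTION_FLAGS if chars & bit)


def section_page_protection(chars):
    """Protection the section's pages get. Simplified: the loader really maps
    writable image sections copy-on-write (the PAGE_*WRITECOPY variants)."""
    x, r, w = bool(chars & 0x20000000), bool(chars & 0x40000000), bool(chars & 0x80000000)
    if x:
        return "PAGE_EXECUTE_READWRITE" if w else ("PAGE_EXECUTE_READ" if r else "PAGE_EXECUTE")
    return "PAGE_READWRITE" if w else ("PAGE_READONLY" if r else "PAGE_NOACCESS")


def va_to_file_offset(image_base, sections, va):
    """File offset of the bytes mapped at va, or None if they are not backed by the file."""
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            delta = rva - s["va"]
            return s["raw_ptr"] + delta if delta < s["raw_size"] else None
    return None


def writable_executable_sections(sections):
    """Sections that are both writable and executable: a common packer indicator."""
    return [s["name"] for s in sections if s["chars"] & 0x80000000 and s["chars"] & 0x20000000]


if __name__ == "__main__":
    base, secs = parse_sections(build_sample_pe(SAMPLE_SECTIONS))
    for s in secs:
        print(f"{s['name']:8} {s['chars']:08X} {section_page_protection(s['chars']):22} "
              f"{describe_characteristics(s['chars'])}")
    for va in (0x41FEF9, 0x4213A4, 0x43F8EA):
        print(f"VA {va:#x} -> file offset {va_to_file_offset(base, secs, va):#x}")
    print("W+X sections:", writable_executable_sections(secs))
```

The mapping rule the page applies by hand is file_offset = PointerToRawData + (VA - ImageBase - VirtualAddress) for the section containing the address; with the assumed layout every VA in the page's patch list lands 0xC00 below its RVA, which is exactly the difference between the three listed offsets and their addresses. A section decoding to PAGE_EXECUTE_READ is the case described in the paragraph above: a plain store into it raises an access violation, so any runtime write has to change the protection first.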

How To Patch This Baby :

What we are going to do is change the OEP to 6011CF40 using a hex editor and quickly restore the original OEP in memory, so that Armadillo will think everything is OK, then do our stuff and jump to the real OEP.

015F:6011CF40 60 PUSHAD -- NEW EP
015F:6011CF41 33FF XOR EDI,EDI
015F:6011CF43 E8EE79E65F CALL KERNEL32!GetCurrentProcessId
015F:6011CF48 50 PUSH EAX
015F:6011CF49 57 PUSH EDI
015F:6011CF4A 6A38 PUSH 38
015F:6011CF4C E8FC8CE75F CALL KERNEL32!OpenProcess
015F:6011CF51 8BF0 MOV ESI,EAX ---> Let us restore OEP in memory
015F:6011CF53 B804000000 MOV EAX,00000004 <-- Count
015F:6011CF58 B930CF1160 MOV ECX,6011CF30 <-- Buffer:Data To Write "40ED0300"
015F:6011CF5D BA48010860 MOV EDX,60080148 <-- Addr To Write
015F:6011CF62 6A00 PUSH 00
015F:6011CF64 50 PUSH EAX
015F:6011CF65 51 PUSH ECX
015F:6011CF66 52 PUSH EDX
015F:6011CF67 56 PUSH ESI
015F:6011CF68 E8687AE75F CALL KERNEL32!WriteProcessMemory --- Write orginal OEP
015F:6011CF6D 90 NOP -----> ===== Start Hook Routine =====
015F:6011CF6E A1C0C00C60 MOV EAX,[KERNEL32!VirtualProtect]
015F:6011CF73 A394120D60 MOV [600D1294],EAX
015F:6011CF78 C705C0C00C6090CF1160MOV DWORD PTR [600CC0C0],6011CF90
015F:6011CF82 61 POPAD
015F:6011CF83 E9B81DFAFF JMP 600BED40 -- JMP TO OEP
015F:6011CF88 0000 ADD [EAX],AL
015F:6011CF8A 0000 ADD [EAX],AL
015F:6011CF8C 0000 ADD [EAX],AL
015F:6011CF8E 0000 ADD [EAX],AL == Hook Function ===
015F:6011CF90 66C78090C70000EB28 MOV WORD PTR [EAX+0000C790],28EB -- Patch
015F:6011CF99 A194120D60 MOV EAX,[KERNEL32!VirtualProtect]
015F:6011CF9E A3C0C00C60 MOV [600CC0C0],EAX -- Restore API Address
015F:6011CFA3 B820000000 MOV EAX,00000020
015F:6011CFA8 6890120D60 PUSH 600D1290 <-- Buffer
015F:6011CFAD 6A00 PUSH 00
015F:6011CFAF 6A00 PUSH 00
015F:6011CFB1 6800CE1160 PUSH 6011CE00 <-- THread Func
015F:6011CFB6 6A00 PUSH 00
015F:6011CFB8 6A00 PUSH 00 -- Create a Thread to Patch after Some time
015F:6011CFBA E8AB9FE55F CALL KERNEL32!CreateThread
015F:6011CFBF C3 RET

At line 6011CF90 --- EAX=00C31000
Eax + C790 = 00C3D790

Thread Function :

015F:6011CE00 C60584D20A6045 MOV BYTE PTR [600AD284],45
015F:6011CE07 6A00 PUSH 00
015F:6011CE09 E8D1D0E65F CALL KERNEL32!ExitThread

It is seen that by the time we reach here the data is ready to patch.

Note : I get a Page Fault while closing IE ? But the program is working in registered mode..

Special Note to Armadillo programmers : You $%#$%^! , you have no right
to control my PC ... which is my private property. Kick Ass $%^$#%!


