Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



Microcontroller Simulator ver. 2.3

Type : Micro controller simulator
Protection : Serial
Tech : Serial fishing


Crack : Enter a fake S/N, for example DHEERAJ-123456789.
In SICE, BPX HMEMCPY, click the "OK" button and trace ...

0x43B6B0 CALL 44A708
0x43B6B5 TEST AL,AL
0x43B6B7 JZ 43B71B

INSIDE THIS CALL ...

0x44A7E2 CALL 44A4AC

INSIDE THIS CALL ...

0x44A684 MOV EDX,[EBP-18] >> "56789"
0x44A687 MOV EAX,[EBP-14] >> "XNRAD"
0x44A68A CALL 403C24 ........>> COMPARE BOTH
0x44A68F JZ 44A6C1

Registration Info :

Serial Key = DHEERAJ-1234XNRAD


JUMP --- CRC SHIT ! BYPASS IT

So disable it by filling it with NOP = 90
OFFSET = 1020 --- 9 NOP

2. STUDIO - "Studio.exe"
******************
Using API Spy we can see that it reads three registry keys - "Eval1 - Eval2 - Eval3" -
starting from address 0x00416D76.
So in SICE: BPX 416D76, then trace ...

0x416F0E MOV EAX,[00438D64]
0x416F13 MOV [00438C08],EBX
0x416F19 CMP EAX,1E = 30 DAYS
0x416F1C JLE 416F28

So it stores the number of days at 0x00438D64. So in SICE:
BPMB 438D64 RW, then restart ...

0x416ED7 CALL 416C70
...............................
0x416EE1 SUB EAX,ESI ---- 2B C6
0x416EE3 INC EAX -------- 40
0x416EE6 MOV [00438D64],EAX => STORE NO: DAYS :)
0x416EEB JLE 416EF2

So our crack will be :

0x416EE1 XOR EAX,EAX - 33 C0 - OFFSET = 16EE1

3. ANIMATOR - "Animator.exe"
*********************
Same shit is also used here, so just scan for the hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 201A1

4. EXPLORER - "Muexplor.exe"
********************
Same shit is also used here, so just scan for the hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is also used here, so just scan for the hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1
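
Added example (not part of the original write-up, and not the vendor's code): sections 2 to 5 show the same five-byte trial-counter sequence in every executable, so one byte signature also reveals whether a copy has been altered. This integrity audit compares an image against a known-good SHA-256 and uses the two sequences quoted above to explain a mismatch. The function names and the sample images are constructed for illustration.

```python
import hashlib

# Byte sequences quoted on the page; mnemonics decoded from the opcodes.
ORIGINAL = bytes.fromhex("2BC6403BC3")  # SUB EAX,ESI / INC EAX / CMP EAX,EBX
PATCHED = bytes.fromhex("33C0403BC3")   # XOR EAX,EAX / INC EAX / CMP EAX,EBX


def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def audit(image, known_good_sha256=None):
    """Classify an image as intact, tampered, modified or unknown.

    A hash match against a release baseline is the authoritative signal;
    the pattern scan only explains what changed and where.
    """
    digest = hashlib.sha256(image).hexdigest()
    original_at = find_all(image, ORIGINAL)
    patched_at = find_all(image, PATCHED)
    hash_ok = None if known_good_sha256 is None else digest == known_good_sha256
    if hash_ok:
        state = "intact"
    elif patched_at and not original_at:
        state = "tampered"      # counter is zeroed instead of computed
    elif hash_ok is False:
        state = "modified"      # differs from baseline, cause not identified
    elif original_at:
        state = "intact"        # no baseline, but original sequence present
    else:
        state = "unknown"
    return {"state": state, "sha256": digest, "hash_ok": hash_ok,
            "original_at": original_at, "patched_at": patched_at}


# Constructed sample images (not bytes taken from the real executables).
_PAD = b"\x90" * 16
SAMPLE_INTACT = _PAD + ORIGINAL + b"\xA3\x64\x8D\x43\x00"
SAMPLE_PATCHED = _PAD + PATCHED + b"\xA3\x64\x8D\x43\x00"
BASELINE = hashlib.sha256(SAMPLE_INTACT).hexdigest()

if __name__ == "__main__":
    for name, img in (("intact", SAMPLE_INTACT), ("patched", SAMPLE_PATCHED)):
        print(name, audit(img, BASELINE))
```

Without a baseline hash the pattern result is only an indicator, since the same five bytes can occur in unrelated code.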

6. ON DISPLAY - "Mupanel.exe"
***********************
Using API Spy we can see that it reads three registry keys - "Eval1 - Eval2 - Eval3" -
starting from address 0x004091E6.
So in SICE: BPX 4091E6, then trace ...

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E = 30 DAYS

So it stores the number of days at 0x0041AD10. So in SICE:
BPMB 41AD10 RW, then restart ...

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX --- STORE NO: OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355


015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE is using CRC checking :(