Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



mIRC 5.71

Type : Chat Program
Protection : Serial
Tech : Serial Fishing


Crack : Enter fake S/N and in SICE BPX MESSAGEBOXA
Now click 'OK'..and trace UPWARDS when we pop in to SICE

0x4A33A8 PUSH 0x531B23 >> FAKE S/N
0x4A33AD PUSH 0x53173C >> NAME
0x4A33B2 CALL 0x4A2F9C >> MAIN CHECK
0x4A33B7 TEST EAX,EAX >> TEST FLAG
0x4A33B9 JZ 0x4A345A >> BAD BOY

INSIDE CALL 0x4A2F9C ...

0x4A2FF4 PUSH 0x5425DC >> FAKE S/N
0x4A2FF9 PUSH 0x5424DC >> NAME
0x4A2FFE CALL 0x4A2EA4

INSIDE CALL 0x4A2EA4

0x4A2EB4 CALL 0x401318 >> COUNT CHAR IN OUR NAME
0x4A2EBA CMP EAX,5 >> COMPARE IT WITH 5

0x4A2EC9 CALL 0x401278 >> CHECK FOR '-' = 0x2D IN S/N

SO OUR S/N IS IN THE FORM 'xxxx-yyyy'

0x4A3070 CALL 0x4A2EA4

INSIDE THIS CALL..

0x4A2F82 CMP EBX,[EBP-4] >> [EBP-4] POINTS TO 'xxxx'
EBX = FIRST PART OF REAL S/N IN HEX

0x4A2F82 CMP EBX,[EBP-8] >> [EBP-8] POINTS TO 'yyyy'
EBX = SECOND PART OF REAL S/N IN HEX

Registration Info :

Name = DHEERAJ
S/N = 7682-716946


E 416F28

So it is storing the number of days at 0x00438D64. So in SICE:
BPMB 438D64 RW ---- Restart ....

0x416ED7 CALL 416C70
...............................
0x416EE1 SUB EAX,ESI ---- 2B C6
0x416EE3 INC EAX -------- 40
0x416EE6 MOV [00438D64],EAX => STORE NO: DAYS :)
0x416EEB JLE 416EF2

So our crack will be :

0x416EE1 XOR EAX,EAX - 33 C0 - OFFSET = 16EE1

3. ANIMATOR - "Animator.exe"
*********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 201A1

4. EXPLORER - "Muexplor.exe"
********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1

6. ON DISPLAY - "Mupanel.exe"
***********************
Using API Spy we can see it is reading three registry keys - "Eval1 - Eval2 - Eval3"
starting from address 0x004091E6 ...
So in SICE BPX 4091E6 ...TRACE ....

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E = 30 DAYS

So it is storing the number of days at 0x0041AD10. So in SICE:
BPMB 41AD10 RW ---- Restart ....

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX --- STORE NO: OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355


E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE is using CRC checking :(
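
What a CRC self-check like the one mentioned above does on the vendor side, as an added example (not from the original page or from any of the programs it names): reference values for a code region are recorded at build time and compared at load, so a two-byte change to the "2B C6 40 3B C3" sequence is reported. The buffers, filler bytes and function names are constructed for illustration; only that five-byte sequence comes from the page.

```python
import hashlib
import zlib

# Constructed sample: stand-in for a program's code region. Only the five
# bytes "2B C6 40 3B C3" come from the page; the 0x90 filler is made up.
ORIGINAL = bytes.fromhex("90" * 16 + "2bc6403bc3" + "90" * 16)
# Constructed sample: the same region with the first two bytes of that
# sequence replaced, as the page describes.
TAMPERED = bytes.fromhex("90" * 16 + "33c0403bc3" + "90" * 16)


def baseline(code: bytes) -> dict:
    """Record reference values for a code region at build time (hypothetical helper)."""
    return {
        "size": len(code),
        "crc32": zlib.crc32(code) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(code).hexdigest(),
    }


def verify(code: bytes, ref: dict) -> list[str]:
    """Return findings; an empty list means the region matches the baseline."""
    findings = []
    if len(code) != ref["size"]:
        findings.append("size mismatch")
    if zlib.crc32(code) & 0xFFFFFFFF != ref["crc32"]:
        findings.append("crc32 mismatch")
    if hashlib.sha256(code).hexdigest() != ref["sha256"]:
        findings.append("sha256 mismatch")
    return findings


def changed_offsets(code: bytes, good: bytes) -> list[int]:
    """Offsets at which a same-length copy differs from the known-good bytes."""
    return [i for i, (a, b) in enumerate(zip(code, good)) if a != b]


if __name__ == "__main__":
    ref = baseline(ORIGINAL)
    print("original:", verify(ORIGINAL, ref))
    print("tampered:", verify(TAMPERED, ref), "at", changed_offsets(TAMPERED, ORIGINAL))
```

CRC32 is an error-detecting code, not a cryptographic one, which is why the SHA-256 comparison is included alongside it.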