Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



Modem Booster 2.4

Type : Boost your modem
Protection : Serial
Tech : Patching


Crack : This program has a peculiar behaviour: a false S/N calculation, and if we
enter that S/N it will lead to a page fault. Never mind, this shit can be easily patched.
Use W32Dasm and search for the string "Unregistered version" shown in the splash screen :)
We can find many such references; just look above that code and you can see this call:

0x401AE0 CALL 423290
0x401AE5 CMP EAX,01
0x401AE8 JNE 401B4A .... JUMP TO "Unregistered version"

CALL 423290 is our attack point ... it should always return EAX = 01
Let us go inside and look where EAX is cleared .....

Inside CALL 423290

0x4232CA JZ 4232D2 | 74 06 OFFSET = 232CA
0x4232CC XOR EAX,EAX | 33 C0 ..... SHIT !!!

Patch :

So we must change the above code to this:

0x4232CA XOR EAX,EAX | 33 C0 OFFSET = 232CA
0x4232CC INC EAX | 40
0x4232CD NOP | 90


REAL S/N IN HEX

Registration Info :

Name = DHEERAJ
S/N = 7682-716946


E 416F28

So it is storing the number of days at 0x00438D64. So in SoftICE:
BPMB 438D64 RW ---- then restart.

0x416ED7 CALL 416C70
...............................
0x416EE1 SUB EAX,ESI ---- 2B C6
0x416EE3 INC EAX -------- 40
0x416EE6 MOV [00438D64],EAX => STORE NO: DAYS :)
0x416EEB JLE 416EF2

So our crack will be :

0x416EE1 XOR EAX,EAX - 33 C0 - OFFSET = 16EE1

3. ANIMATOR - "Animator.exe"
*********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 201A1

4. EXPLORER - "Muexplor.exe"
********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1

6. ON DISPLAY - "Mupanel.exe"
***********************
Using API Spy we can see it is reading three registry keys - "Eval1 - Eval2 - Eval3"
starting from address 0x004091E6.
So in SoftICE: BPX 4091E6, then trace.

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E = 30 DAYS

So it is storing the number of days at 0x0041AD10. So in SoftICE:
BPMB 41AD10 RW ---- then restart.

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX --- STORE NO: OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355


E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE is using CRC checking :(
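
Added example (not from the original page or from any of the programs it covers): the kind of CRC check noted for DREAMPOP.EXE, seen from the vendor's side. It keeps a CRC32 per block of a known-good image and reports which blocks a two-byte change such as "2B C6" to "33 C0" touches; the 64-byte image, the block size and the function names are constructed for illustration.

```python
import zlib

BLOCK = 16  # bytes per checked block; small so the demo pinpoints the change

def build_manifest(image: bytes, block: int = BLOCK):
    """Return (size, [CRC32 per block]) for a known-good image."""
    crcs = [zlib.crc32(image[i:i + block]) for i in range(0, len(image), block)]
    return len(image), crcs

def find_tampered(image: bytes, manifest, block: int = BLOCK):
    """Return [(offset, expected_crc, actual_crc)] for every block that changed."""
    size, expected = manifest
    if len(image) != size:
        raise ValueError(f"size changed: expected {size}, got {len(image)}")
    _, actual = build_manifest(image, block)
    return [(i * block, want, got)
            for i, (want, got) in enumerate(zip(expected, actual))
            if want != got]

# Constructed sample image: NOP padding around the byte sequence quoted above.
_img = bytearray(b"\x90" * 64)
_img[0x21:0x26] = bytes.fromhex("2BC6403BC3")
ORIGINAL = bytes(_img)
# The same image after the two-byte change described on the page.
PATCHED = ORIGINAL[:0x21] + bytes.fromhex("33C0") + ORIGINAL[0x23:]

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    print("clean  :", find_tampered(ORIGINAL, manifest))
    for offset, want, got in find_tampered(PATCHED, manifest):
        print(f"tamper : block at 0x{offset:04X} CRC {want:08X} -> {got:08X}")
```

CRC32 is an error-detecting code rather than a cryptographic one, so a check like this only raises the effort needed to modify the file; a vendor who needs real tamper evidence verifies a signed SHA-256 digest (for example through the platform's code signing) instead.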