Tutorial v2.0 for Ulead MediaStudioPro 6.0

Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com

Tutorial v2.0 for Ulead MediaStudioPro 6.0

Type : Tutorial
Protection : Serial
Tech : Serial fishing

Crack : I go this from http://www.activeservice.co.uk/video/book/download.htm
It is 5MB size ...tutor is like surfing a website ... only problem is that if we click
on a link to the topic it will ask for Password ...

So enter any fake S/N ....In SICE BPX HMEMCPY ....and come out of SICE
and enter one more char in S/N ....soon we will break in to SICE ....

We can easily locate our fake S/N in memory ....then just use
BPMB xxxxxxxx RW ..... and exit SICE.Now click "OK" button...soon we will break in to SICE ...
Now trace ....

0x47AE6C CALL 421B64
0x47AE71 CMP DW PTR [EBP-08],00 ---> OUR FAKE s/n ...
................................................
0x481C60 MOV EAX,[EBP-20] -----> "33F8E8CD" --- real S/N : )

Registration Info :

Name = DHEERAJ
S/N = 33F8E8CD

DHEERAJ
S/N = 7682-716946

E 416F28

So it is storing no: of days at 0x00438D64 ....So in SICE
BPMB 438D64 RW ---- Restart ....

0x416ED7 CALL 416C70
...............................
0x416EE1 SUB EAX,ESI ---- 2B C6
0x416EE3 INC EAX -------- 40
0x416EE6 MOV [00438D64],EAX => STORE NO: DAYS :)
0x416EEB JLE 416EF2

So our crack will be :

0x416EE1 XOR EAX,EAX - 33 C0 - OFFSET = 16EE1

3. ANIMATOR - "Animator.exe"
*********************
Same shit is also used here,so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 201A1

4. EXPLORER - "Muexplor.exe"
********************
Same shit is also used here,so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is also used here,so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1

6. ON DISPLAY - "Mupanel.exe"
***********************
Use API Spy we can see it is reading three registry keys - "Eval1 - Eval2 - Eval3"
starting from address 0x004091E6 ...
So in SICE BPX 4091E6 ...TRACE ....

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E = 30 DAYS

So it is storing no: of days at 0x0041AD10 ....So in SICE
BPMB 41AD10 RW ---- Restart ....

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX --- STORE NO: OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355

E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B

Opps this DREAMPOP.EXE is using CRC checking :(