Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



Offline Explorer Pro 1.4.322 SR 1

Type : Offline Explorer
Protection : Serial & ASPack
Tech : Unpacking and Patching


Crack : In this version finding the S/N is a little harder, but it can be easily
cracked by setting a flag.

(1) Unpacking :

Change the characteristics flag of the CODE section to E0000020 (use a PE editor) so
that Symbol Loader will break at the entry point. Now trace...

...............................
0x5614EB MOV [EBP+0x443EA1],EAX >> EAX = 0x507F90 --> OEP
0x5614F1 POPAD
0x5614F2 JNZ 0x5614FC
.....................
0x5614FC PUSH 0x507F90
0x561501 RET >> DUMP FULL MODULE HERE - USE 'JMP EIP'

Now change the EntryPoint of the program by using PE Editor.

EP = OEP - base address = 507F90 - 400000 = 107F90

Now our dumped file runs, and it is unpacked too. Now we can patch it.
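The two header facts this section relies on (the section characteristics value and the VA to RVA to file-offset arithmetic) are easiest to see in a small PE header parser. The example below is added here and is not from the tutorial; it parses the PE32 headers, converts a VA to a file offset through the section table (the general form of "EP = OEP - base address", which only collapses to a plain subtraction when raw pointers equal RVAs, as in a full-module dump), and reports header-only packer indicators such as the writable CODE section that E0000020 produces. The build_sample() header is constructed, not a real file; its values are chosen so that VA 0x5614F2 maps to raw offset 0x77EF2, matching the offset the tutorial gives for the run-time patch.

```python
import struct
from collections import namedtuple
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_WRITE = 0x00000020, 0x80000000     # PE/COFF spec bits
Section = namedtuple("Section", "name vaddr vsize raw_ptr raw_size flags")

def parse_pe(data):
    """Return (image_base, entry_rva, sections) from a PE32 file's headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                        # optional header
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)
    secs, off = [], opt + opt_size                                       # section table
    for _ in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append(Section(name.rstrip(b"\0").decode(), vaddr, vsize, rptr, rsize, ch))
        off += 40
    return image_base, entry_rva, secs

def section_for_rva(rva, secs):
    return next((s for s in secs if s.vaddr <= rva < s.vaddr + s.vsize), None)

def va_to_file_offset(va, image_base, secs):
    """VA -> RVA (VA - ImageBase) -> raw offset via its section; offset == RVA only when raw pointers equal RVAs (full-module dump)."""
    s = section_for_rva(va - image_base, secs)
    return None if s is None else va - image_base - s.vaddr + s.raw_ptr

def packer_indicators(data):
    """Header-only heuristics a defender can run on a suspicious binary."""
    _, ep, secs = parse_pe(data)
    hits = [] if section_for_rva(ep, secs) is secs[0] else ["entry point not in first section"]
    hits += [f"{s.name}: writable code section" for s in secs                   # e.g. E0000020
             if s.flags & IMAGE_SCN_CNT_CODE and s.flags & IMAGE_SCN_MEM_WRITE]
    hits += [f"{s.name}: raw size much smaller than virtual size" for s in secs  # compressed payload
             if s.raw_size * 2 < s.vsize]
    return hits

def build_sample():
    """Constructed PE32 headers (not a real file): ImageBase 0x400000, a compressed
    CODE section, and the entry point inside a trailing '.aspack' stub section."""
    def sec(name, vaddr, vsize, rptr, rsize, ch):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, ch)
    opt = bytearray(96)                                                  # PE32, no data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                                # Magic = PE32
    struct.pack_into("<IIII", opt, 16, 0x1614F2, 0, 0, 0x400000)         # EntryPoint .. ImageBase
    hdr = bytearray(0x40); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x102) + opt
    hdr += sec(b"CODE", 0x1000, 0x160000, 0x400, 0x77600, 0xE0000020)
    hdr += sec(b".aspack", 0x161000, 0x1000, 0x77A00, 0x1000, 0xC0000040)
    return bytes(hdr)
```

On the constructed header, packer_indicators() reports all three heuristics, and va_to_file_offset(0x5614F2, ...) returns 0x77EF2.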

(2) Patching :

We must find where the program sets the registration flag.
For this we put a BPX deep inside the S/N validation algorithm
and then restart the application :) If it uses the same routine at
start-up as well, we will break into it there.


S/N validation main CALL :

0x4CF622 CALL 0x4F67DC
0x4CF627 TEST AL,AL
0x4CF629 JZ 0x4CF6A9 >> BAD BOY

INSIDE CALL 0x4F67DC :

0x4F67E0 CALL 0x4F62CC >> BPX HERE, DEEP ENOUGH :)

Now restart the program. We will break here; now trace back
until we reach here:

0x4F664D MOV AL,[EBP-01] | 8A 45 FF >> MAKE AL = 1 TO CRACK
0x4F6650 POP EDI

Patch :

0x4F664D INC EAX | 40 OFFSET = 0xF664D
0x4F664E NOP | 90
0x4F664F NOP | 90

Run Time Patching : PERFECT FIT

0x5614F1 POPAD
0x5614F2 MOV DWORD PTR [004F664D],5F909040 | C7 05 4D 66 4F 00 40 90 90 5F OFFSET = 77EF2


0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is used here too, so just scan for the hex string "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1

6. ON DISPLAY - "Mupanel.exe"
***********************
Using API Spy we can see it is reading three registry keys ("Eval1", "Eval2", "Eval3")
starting from address 0x004091E6, so in SICE: BPX 4091E6, then trace...

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E >> 1E = 30 DAYS

So it stores the number of days at 0x0041AD10. So in SICE:
BPMB 41AD10 RW, then restart...

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX >> STORES NO. OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355


015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE is using CRC checking :(