Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


Main | Index

Opera 5.0

Type : Browser
Protection : Serial
Tech : Patching

Crack : Finding a serail number for this baby is now little harder.
But it can be cracked with a simple trick.

Opera uses serial number . If you enter S/N it will
be encrypted and stored in file "OUsr500.dat". So when this program
starts up it will check S/N inside this file.

If the S/N is correct it will set two flags and the program
runs in registered mode.

Tracing the program from begining is not a solution to the
problem.We will not reach any where if we do so :(

Let us take the registration algorithm itself as a path
finder to our destination.

Enter fake S/N and in SICE BPX HMEMCPY
When you pop up into SICE use BPR xxxxxxxx xxxxxxxx RW
on the S/N .This is very improtant as Opera does not use direct flow
in validating a S/N.Then trace.

One important CALL is shown below :

0x43C83C CALL 0x51C9A9 >> Here our S/N is checked if it is in the
form x-xxxxx-xxxxx......

Now our trick : if at startup also the program is using the same
algorithm we can easily reach where the flag is set :)

So in SICE BPX 0x43C83C

Now close Opera and restart it ....Bingo !!
We can see at two place it is called and if we trace back we can
see the flag set :)

0x41C750 CALL 0x412179
0x41C755 CMP EAX,EDI >> MAKE EAX = 1 TO CRACK THIS
0x41C757 MOV [0x5938D0],EAX >> SAVE FLAG
...........................
0x4D7A5E CALL 0x412179
0x4D7A63 MOV [EDI+0x8B0],EAX >> MAKE EAX = 1 TO CRACK THIS

Patch : [PERFECT FIT]

0x41C750 MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0x1C750

0x4D7A5E MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0xD7A5E


e an excellent tool ImpRec to do this job.Make a copy of file "oe_dmp.exe" some where else.Say "oe2_dmp.exe".Now run the dumped file "oe_dmp.exe" in the program folder.Now run ImpRec and choose "oe_dmp" as active task.Now click "IAT Auto search" --- "Get Imports" ... so easy ....Now click Fix dump and point it to "oe2_dmp.exe" ... all done .Now "oe2_dmp.exe" will run on other Pc.And you can verify it using a hex editor .. look at Name ... First Thunk ... etc.This baby works >>>

Reg Check

Now our job is not finished ... we have to crack main program...Enter some bogus S/n and in SICE put

BPX HMEMCPY .... trace

0x5BA36B LEA ECX,[EBP-08] >> FAKE S/N
0x5BA36E LEA EDX,[EBP-04]
0x5BA371 MOV EDX,[EDI]
0x5BA373 CALL 6090CC --- MAIN REG CHECK
0x5BA378 TEST AL,AL --- MAKE AL = 01
0x5BA37A JZ 5BA48E
..................
0x5BA382 MOV BYTE PTR[EAX+708],01 ---- FLAG SET ..
Now inside call 6090CC ----
0x6090D6 CALL 608760
Inside this call .....

0x6087E0 JLE 6087F7 = 7E 15
...................
0x608807 JLE 608D46 = 0F 8E 39 05 00 00
...................
0x608D42 MOV BYTE PTR[EBP-09],01 --- GOOD FLAG SET
0x608D46 XOR EAX,EAX -- WE REACH HERE ... BYPASSING ABOVE LINE

All we want is to reach 608D42 ...

Patch :

0x6087E0 JMP 6087F7 = EB 15 -- OFFSET = 2087E0
...................
0x608807 JMP 608D42 = E9 36 05 00 00 --- OFFSET = 208807

Now you can enter any S/N and this baby will work in registered mode.


: Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Opps this DREAMPOP.EXE is using CRC checking :(