Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



pcAnywhere 9.0

Type : Communication Software
Protection : Date Check
Tech : Patching

Crack :
TIME BOMB CHECK
***************


0x406112 CALL [0x458124] >> CALL TimeBombCheck
0x406118 TEST EAX,EAX
0x40611A JNE 0x406125 >> GOOD BOY

The CALL above is an indirect call through a pointer at 0x458124; the TimeBombCheck routine it reaches lives in AwComm32.dll.
The following conditional jumps in AwComm32.dll must be forced to always jump to crack this.

0x67EA3AEB JNZ 0x67EA3B09 >> MUST JUMP
.........................
0x67EA3B2D JNZ 0x67EA3B56 >> MUST JUMP
.........................
0x67EA3BC7 JG 0x67EA3BFC >> MUST JUMP

Patch :

File = AwComm32.dll

0x67EA3AEB JMP 0x67EA3B09 | EB 1C ; OFFSET = 0x3AEB
0x67EA3B2D JMP 0x67EA3B56 | EB 27 ; OFFSET = 0x3B2D
0x67EA3BC7 JMP 0x67EA3BFC | EB 33 ; OFFSET = 0x3BC7


Opera

Type : Web Browser
Protection : S/N
Tech : Patching

Crack :

- search for the S/N you entered using ...
s -a 0 L FFFFFF 'xxxxxxxxxxxxxxxxxx'

Then put BPR xxxxxxxx xxxxxxxx RW on the S/N buffer.
This is very important because Opera does not validate the S/N in one direct
code path right after input; the BPR catches every later read or write of the
buffer. Then trace until we reach ...

0x522105 CMP [ESI+01],AL >> 2D '-'
0x522108 JNZ 5221B2
0x52210E CMP [ESI+07],AL >> 2D '-'
0x522111 JNZ 5221B2
0x522117 CMP [ESI+0D],AL >> 2D '-'
0x52211A JNZ 5221B2
0x522120 CMP [ESI+13],AL >> 2D '-'
0x522123 JNZ 5221B2
0x522129 CMP [ESI+19],AL >> 2D '-'
0x52212C JNZ 5221B2

Here the S/N is checked for the form x-xxxxx-xxxxx-xxxxx-xxxxx-... : a '-' is
expected at offsets 01h, 07h, 0Dh, 13h and 19h (AL holds 2Dh throughout).
Now the trick: if the program runs this same format check at startup as well
(when it re-validates the stored S/N), we can easily reach the place where the
registered flag is set :)
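Added example (Python), not part of the original page and not Opera's code: the five CMP/JNZ pairs above written down as data, so that the x-xxxxx-... template can be derived mechanically from the compare offsets and candidate serials can be tested offline before one is typed in for the BPR step. The candidate strings are made up; the function names are mine.

```python
# The (offset from ESI, expected byte) pairs exactly as the CMP/JNZ chain
# at 522105h..52212Ch reads them: AL holds '-' (2Dh) throughout.
DASH_CHECKS = [(0x01, 0x2D), (0x07, 0x2D), (0x0D, 0x2D), (0x13, 0x2D), (0x19, 0x2D)]


def template_from_checks(checks):
    """Turn compare offsets into the 'x-xxxxx-xxxxx-...' template the text
    describes: every checked position shows its byte, all others show 'x'."""
    width = max(off for off, _ in checks) + 1
    out = ["x"] * width
    for off, byte in checks:
        out[off] = chr(byte)
    return "".join(out)


def passes_dash_checks(serial, checks=DASH_CHECKS):
    """Mirror the JNZ chain: the first mismatch jumps to 5221B2h (failure).

    Only these five bytes are examined here; nothing visible in the listing
    bounds the length or validates the other characters, that is left to the
    later 'main reg check'.  A serial shorter than 1Ah bytes makes the last
    CMP read past the string; the real code compares whatever byte follows
    it in memory, which this model treats as a mismatch.
    """
    data = serial.encode("ascii", "replace")
    for off, byte in checks:
        if off >= len(data) or data[off] != byte:
            return False
    return True


def candidate_from_template(template, fill="1"):
    """A bogus serial of the right shape to type in before setting the BPR
    (one extra character after the last '-', as in the x-xxxxx-... pattern)."""
    return template.replace("x", fill) + fill


if __name__ == "__main__":
    t = template_from_checks(DASH_CHECKS)
    print(t)                                                  # x-xxxxx-xxxxx-xxxxx-xxxxx-
    print(passes_dash_checks(candidate_from_template(t)))     # True
    print(passes_dash_checks("1-22222-33333-44444-55555"))    # False: offset 19h missing
```

The template is only the shape the dash chain enforces; a serial that passes it still has to get through the main reg check traced later on this page.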

So in SICE BPX 0x522105

Now close Opera and restart it ... Bingo !!
The breakpoint fires from two places; tracing back from each of them we can
see the flag being set :)

0x41C870 CALL 0x412232 | E8 BD 59 FF FF
0x41C875 CMP EAX,EDI >> MAKE EAX = 1 TO CRACK THIS
0x41C877 MOV [0x595E50],EAX >> SAVE FLAG
...........................
0x4DB621 CALL 0x412232 | E8 0C 6C F3 FF
0x4DB626 MOV [EDI+90C],EAX >> MAKE EAX = 1 TO CRACK THIS

Patch : [PERFECT FIT] (MOV EAX,00000001 is 5 bytes, exactly the size of the CALL rel32 it replaces, so no padding is needed)

0x41C870 MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0x1C870

0x4DB621 MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0xDB621


Our job is not finished ... we still have to crack the main program. Enter some bogus S/N and in SICE put

BPX HMEMCPY .... trace

0x5BA36B LEA ECX,[EBP-08] >> FAKE S/N
0x5BA36E LEA EDX,[EBP-04]
0x5BA371 MOV EDX,[EDI]
0x5BA373 CALL 6090CC --- MAIN REG CHECK
0x5BA378 TEST AL,AL --- MAKE AL = 01
0x5BA37A JZ 5BA48E
..................
0x5BA382 MOV BYTE PTR[EAX+708],01 ---- FLAG SET ..
Now inside call 6090CC ----
0x6090D6 CALL 608760
Inside this call .....

0x6087E0 JLE 6087F7 = 7E 15
...................
0x608807 JLE 608D46 = 0F 8E 39 05 00 00
...................
0x608D42 MOV BYTE PTR[EBP-09],01 --- GOOD FLAG SET
0x608D46 XOR EAX,EAX -- WE LAND HERE WITH A BAD S/N, THE LINE ABOVE IS SKIPPED

All we want is to reach 608D42 ...

Patch :

0x6087E0 JMP 6087F7 = EB 15 -- OFFSET = 2087E0
...................
0x608807 JMP 608D42 = E9 36 05 00 00 --- OFFSET = 208807
(E9 rel32 is 5 bytes and replaces the 6-byte 0F 8E rel32, so the displacement drops from 539h to 536h; the leftover 6th byte is never executed, but NOP it (90) to keep the disassembly clean.)

Now you can enter any S/N and this baby will work in registered mode.
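Added example (Python), not from the original page and not from pcAnywhere or Opera: a small patcher that turns the jump and call patches listed above (the three AwComm32.dll jumps, the two MOV EAX,1 "perfect fit" patches and the two Opera jumps) into bytes and writes them only after verifying the original bytes at the file offset. It encodes EB rel8 or E9 rel32 as the displacement requires, pads the 5-byte E9 over the 6-byte 0F 8E with a NOP, and maps VA to file offset through a section table instead of assuming RVA == offset. The binaries are replaced by constructed byte images; the pcAnywhere original opcodes (75 xx for JNZ, 7F xx for JG, same rel8) are an assumption, since the page lists only the patched bytes for that file.

```python
import struct


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset via the PE section table.

    sections: list of (rva, raw_offset, raw_size).  The page's listings use
    RVA == file offset, which only holds when every section's raw offset
    equals its RVA; the common layout (.text at RVA 1000h, raw 400h) shifts
    offsets by 0C00h.  Read the section table instead of assuming either.
    """
    rva = va - image_base
    for sec_rva, raw_off, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return rva - sec_rva + raw_off
    raise ValueError("VA %#x is not backed by any section" % va)


def encode_jmp(va, target, old_len):
    """Encode an unconditional JMP at `va` to `target`, padded to `old_len`.

    Short form EB rel8 (2 bytes) when the displacement fits, else E9 rel32
    (5 bytes).  Displacements are relative to the end of the NEW instruction.
    If the replaced instruction was longer, the tail is filled with NOP; the
    JMP is unconditional, so the filler is never executed.
    """
    rel8 = target - (va + 2)
    if -128 <= rel8 <= 127:
        code = b"\xEB" + struct.pack("<b", rel8)
    else:
        code = b"\xE9" + struct.pack("<i", target - (va + 5))
    if len(code) > old_len:
        raise ValueError("JMP needs %d bytes, only %d available" % (len(code), old_len))
    return code + b"\x90" * (old_len - len(code))


MOV_EAX_1 = b"\xB8\x01\x00\x00\x00"  # 5 bytes: exactly the size of CALL rel32


def apply_patch(image, offset, expect_orig, new_bytes):
    """Return a patched copy of `image`, but only if the bytes at `offset`
    are the ones we expect (wrong version or wrong offset => refuse)."""
    actual = image[offset:offset + len(expect_orig)]
    if actual != expect_orig:
        raise ValueError("offset %#x: expected %s, found %s"
                         % (offset, expect_orig.hex(), actual.hex()))
    if len(new_bytes) > len(expect_orig):
        raise ValueError("refusing to overwrite bytes that were not verified")
    out = bytearray(image)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


def make_image(size, orig):
    """Constructed stand-in for a binary: 0xCC filler plus the listed bytes."""
    img = bytearray(b"\xCC" * size)
    for off, b in orig.items():
        img[off:off + len(b)] = b
    return bytes(img)


# pcAnywhere 9.0, AwComm32.dll, image base 67EA0000h, RVA == raw offset as on
# the page.  The page gives only the patched bytes; the originals below
# (75 = JNZ short, 7F = JG short, same rel8) are an ASSUMPTION: verify them.
AWCOMM_BASE = 0x67EA0000
AWCOMM_SECTIONS = [(0x0, 0x0, 0x4000)]
AWCOMM_ORIG = {0x3AEB: b"\x75\x1C", 0x3B2D: b"\x75\x27", 0x3BC7: b"\x7F\x33"}
AWCOMM_JUMPS = [(0x67EA3AEB, 0x67EA3B09), (0x67EA3B2D, 0x67EA3B56),
                (0x67EA3BC7, 0x67EA3BFC)]


def patch_awcomm(image=None):
    if image is None:
        image = make_image(0x4000, AWCOMM_ORIG)
    for va, target in AWCOMM_JUMPS:
        off = va_to_offset(va, AWCOMM_BASE, AWCOMM_SECTIONS)
        image = apply_patch(image, off, AWCOMM_ORIG[off], encode_jmp(va, target, 2))
    return image


# Opera, image base 400000h, RVA == raw offset as on the page.  These original
# bytes are the ones the page itself lists next to each instruction.
OPERA_BASE = 0x400000
OPERA_SECTIONS = [(0x0, 0x0, 0x210000)]
OPERA_ORIG = {
    0x1C870:  b"\xE8\xBD\x59\xFF\xFF",       # CALL 412232h
    0xDB621:  b"\xE8\x0C\x6C\xF3\xFF",       # CALL 412232h
    0x2087E0: b"\x7E\x15",                   # JLE 6087F7h
    0x208807: b"\x0F\x8E\x39\x05\x00\x00",   # JLE 608D46h (6-byte form)
}


def patch_opera(image=None):
    if image is None:
        image = make_image(0x210000, OPERA_ORIG)
    for va in (0x41C870, 0x4DB621):          # CALL -> MOV EAX,1 (same size)
        off = va_to_offset(va, OPERA_BASE, OPERA_SECTIONS)
        image = apply_patch(image, off, OPERA_ORIG[off], MOV_EAX_1)
    for va, target, old_len in ((0x6087E0, 0x6087F7, 2), (0x608807, 0x608D42, 6)):
        off = va_to_offset(va, OPERA_BASE, OPERA_SECTIONS)
        image = apply_patch(image, off, OPERA_ORIG[off], encode_jmp(va, target, old_len))
    return image


if __name__ == "__main__":
    aw = patch_awcomm()
    for off in (0x3AEB, 0x3B2D, 0x3BC7):
        print("AwComm32.dll %#06x: %s" % (off, aw[off:off + 2].hex()))
    op = patch_opera()
    for off, n in ((0x1C870, 5), (0xDB621, 5), (0x2087E0, 2), (0x208807, 6)):
        print("opera %#08x: %s" % (off, op[off:off + n].hex()))
```

The verify-before-write step is the part worth keeping for real work: with the usual .text layout (RVA 1000h at raw offset 400h) va_to_offset maps 410789h to FB89h, the offset quoted for DREAMPOP.EXE further down, so an unchecked write at a page-quoted offset lands on a different instruction whenever the section layout differs from what the author had.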


DREAMPOP.EXE

Offset : FB89
(with the usual .text layout, RVA 1000h at raw offset 400h, file offset FB89h corresponds to VA 410789h, i.e. the patch begins at the first NOP, not at the CALL; check the section table of your own copy.)

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, DREAMPOP.EXE uses CRC checking, so a patched file fails its own integrity check :(