Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com



Quick Time 3.0.2

Type : MOV Player
Protection : Serial
Tech : Serial fishing


Crack : Go to Control Panel and click "Quick Time".
Now select "Registration" and enter a fake S/N and your name.

0x1000C845 CALL 0x10008700
..........................
0x1000C855 JNZ 0x1000C875 >> GOOD BOY

Inside this CALL .....

0x6E320B19 CALL [EBP-20]

Inside this CALL ...

0x6E3FDA1C CMP [ESI],18 >> SO S/N SHOULD BE 24 CHAR LONG

0x6E3FDA25 CMP [ESI+05],2D
0x6E3FDA2F CMP [ESI+0A],2D >> COMPARE WITH '-' = 0x2D
0x6E3FDA39 CMP [ESI+0F],2D
0x6E3FDA43 CMP [ESI+14],2D

So S/N is in the form : ABCD-EFGH-IJKL-MNOP-QRST

Checking is done in a loop

0x6E3FDAFD CMP [EDI], BL >>
........................ >> LOOP
........................ >>
0x6E3FDB2A CMP [EDI+1],BL >>

LAST SET OF CHAR IS MADE ZERO

Registration Info :

Name = DHEERAJ
Org = EEE
S/N = AB6D-ECEB-7E68-DE35-0000


are handled by msvbvm60.dll.
The main program appears to do nothing itself: we always break inside msvbvm60.dll.
Even BPX MessageBoxIndirectA never lands in the program module; every time we end up wandering inside msvbvm60.dll.
Now it is time to bring in the hero, Smart Check [Death of VB Programs].

Open Mp3Merger in Smart Check and run the process. When it shows the nag screen, click "Unlock" and enter your name and some fake unlock code. Now click "OK".

Now see Program Results in Smart Check

_Click

.Round = double.dbIVal = 2598463720092
.Sqrt
.Round
.Trim = .pdispVal = 028EE488
.Trim = double.dbVal = 1283792544077 <--- Real Key
.MsgBox returns Integer: 1

Registration Info :

Name = DHEERAJ
Product ID = 3897695580138
Unlock Key = 1283792544077

Note : This is where the program stores its 50-execution count, inside the registry:

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control]
"winsystem"="††"
"windows"="„†zŒ‡}Œ…"

Those invalid characters are its count; if you increase it you will get more than 50 executions.

 


0x40A6AB CMP EDI,EAX =>3C --"60" ; EDI = NO: DAYS USED
0x40A6AD JLE 40A70A = 7E 5B --> GOOD BOY OFFSET = A6AD
...........................................
NOW BPMB 5F5A78 RW --- CONTINUE
...........................................
0x40A942 PUSH 5F5A78
0x40A947 CALL [005B42A8]
0x40A94D ADD ESP,04
0x40A950 CMP EDI,EAX
0x40A952 JLE 40A973 = 7E 1F --> GOOD BOY OFFSET = A952

So all you want to do is to convert :
JLE ---> JMP i.e 74 ===> EB

 


Suppose we just try to redirect this check to an original and virgin