Ulead GIF Animator 4.0

Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com

Ulead GIF Animator 4.0 - VBOX 4.1

Type : Animation
Protection : VBOX 4.1
Tech : Unpacking and memory dumping

Crack : I was realy afraid of VBOX.Recently I gave it a try ...an older version ..VBOX 4.1
Program was Ulead Gif Animator 4.0.My trial period was over.Here we will see how to remove
VBOX sucker.

IN SICE BPX DIALOGBOXPARAMA

Now run the program .....we will reach here ...after pressing "Quit" button.

Inside VBOXT410 Module

0x70025C3 CALL DIALOGBOXPARAMA
0x70025C9 MOV ESI,EAX >> WE REACH HERE ....MAKE EIP = 0x70025DD
.................................
0x70025DD POP EDI
0x70025DE POP ESI
0x70025DF POP EBX
0x70025E0 RET

I found an interesting behaviour ..if we make EIP = 0x70025DD the program runs..even if our trial
period is over.

Trace till we reach in GA_MAIN Module.....

0x4FC026 PUSH FFFFFFFF >> DUMP HERE ...
0x4FC02B CALL EAX ==>> EAX= 0x4CB41C - OEP

Use PEditor and change EP of dumped file.
EP = 4CB41C - 400000 = CB41C

Now we can run this dumped file :)

1 >> BAD BOY
....................
.................... >> SIMILAR ONE OR TWO CHECK
....................
0x411317 LEA EAX,[EBP-00D0] >> REAL S/N
0x41131D PUSH EAX
0x41131E LEA EAX,[EBP-0090] >> FAKE S/N
0x411325 CALL 48B3C0 >> ANOTHER CHECK
....................
0x41132B TEST EAX,EAX
0x41132E JZ 411340 >> GOOD BOY

May be program is using many set of S/N ... that is why registration details is checked
many times.
Our S/N seems to be working ... but after some days the program is self deleting
registration file "Uedit32.reg" ... why ??? is it a protection or bug ...

Registration Info :

Name = DHEERAJ
S/N = U5T4T-M0P4V-07Z2I-C1P00

4
015F:0041DF97 6689AEC0000000 MOV [ESI+000000C0],BP <-- Flag Set

Fix :

015F:0041DE98 66BD0200 MOV BP,0002 - Offset = 1DE98
015F:0041DE9C 90 NOP
015F:0041DE9D 90 NOP
015F:0041DE9E 6683FD02 CMP BP,02
015F:0041DEA2 0F8EEA000000 JLE 0041DF92

Name : Set your name ....

REGEDIT4

[HKEY_CURRENT_USER\Software\MGShareware\Screen Saver Builder]
"User"="DHEERAJ"

D EAX,000000FF
0x41715F CMP EAX,14
0x417162 JNZ 41733F

Many other interesting encryption are also there which i am not explaining .... just
go inside it and explore.

Registration Info :

Reg Key = 555555555555555555555555B8M3HH28B22B427701MDLUH0
Concurrent Users = 32
Expiration Date = None
Processors = 3
********************************************************
Reg Key = 55555555555555555555555567M3HH28B22B427701MDLUH0
Concurrent Users = 247
Expiration Date = None
Processors = 3
********************************************************
Reg Key = 55555555555555555555555567M3LD28B22B427701MDLUH0
Concurrent Users = 24700
Expiration Date = None
Processors = 1
********************************************************
Reg Key = 55555555555555555555555555555555B2MB4277BODH56HX
Concurrent Users = 3520180
Expiration Date = None
Processors = 4

his