///////////////////////////////////////////////////////////////////////
 /////// cracking made easy --for mIRC v5.9 ///////
//////////////////////////////////////////////////////////////////////

One day I was trying to make a key generator for mIRC and realised that making a patch is much simpler than making a key generator, so I decided to write a tutorial about this method. I think the method will work for future versions as well.

So our target is mIRC v5.9.

Target URL: http://www.mirc.com

Tools required:
1) Win32Dasm
2) Hiew

If you don't have them, download them from www.exetools.com (if you don't know how to use these tools, first read my tutorial on cracking Cool Speech 5.0 or any other tutorial covering the basics).

Let's start. Download and install the program. Now in the mIRC window go to Help > Register.
Enter a name and any fake serial, like:

Name: code buster
Registration number: 0123456789

Now press Register. A nag screen pops up displaying the error message "The registration name and number you have entered does not match".

So write down this error message and close mIRC. Copy the mIRC.exe file to any folder and rename it to IRC.exe. Fire up Win32Dasm and disassemble the file IRC.exe. Now click the "String Data References" (SDR) box and search for the error message.

Here it is:

String Resource ID=01911: "Your registration has been entered successfully."
String Resource ID=01912: "mIRC Registration"
String Resource ID=01913: "The registration name and number you have entered do" <<<--------
String Resource ID=01914: "'Unable to get local host'"

Now double-click the line and close the SDR box. You will land at this code location:

* Possible Reference to String Resource ID=01913: "The registration name and number you have entered do not Mat"

:004AD073 6879070000 push 00000779 <-------here.
:004AD078 E80AEAF6FF call 0041BA87

Now we have to find the reference that caused these instructions to execute, so move upwards to find the reference.

You will find it as:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ACF72(C) <------ this is the reference we are talking about. The (C) indicates that a conditional jump reaches this reference.

:004AD02F 6A00 push 00000000

To find that instruction press Shift+F12 and enter the address 004ACF72. You will see the conditional jump as follows:

:004ACF6B E8D9FBFFFF call 004ACB49
:004ACF70 85C0 test eax, eax
:004ACF72 0F84B7000000 je 004AD02F <--------- jump if equal

The program calls the check routine, executes test eax, eax and, depending on the result, displays the error message. So the logic is: when we enter the name and a fake serial, the program compares it with the serial it calculates itself, and if the two are not the same it displays the error message.

So just change the JE to JNE (jump if not equal) and the program will accept our fake serial. Let's do it. First write down the offset of that instruction. At the bottom of the Win32Dasm window you will see @Offset xxxxxxxxh; in my case it is 000AC572. (The trailing "h" means it is a hex number, so ignore it.)
Now close Win32Dasm and open the file IRC.exe in Hiew. Press F4 to select decode mode.
Using F5, enter the offset number. Press F3 and replace 84 with 85 (the opcode byte for JNE).
Press F9 to update the file and F10 to exit.

Now it's time to test our trick. Run IRC.exe and enter the fake info. A message pops up saying
"Thank you for registration!" and in the About box, instead of "unlicensed copy", it shows the name used for the registration. Hey, we have cracked the program. Wait! Close the program and run it again to test that it is completely cracked. Check the About box.

Oh no! It is again saying it is an unlicensed copy. What to do?
Is our logic wrong? No, because after patching the code, when we tried to register, we got the success message. So what is the problem? Think...

Interestingly, there is other code that separately checks the name and serial again. So let's patch that too, but where is it? Just go back to the code where we found the je 004AD02F instruction.

If you look, you will see that it first calls 004ACB49, then tests eax and executes the je instruction. So our key is the call instruction. Open IRC.exe in Win32Dasm and press Search > Find Text. Enter 004ACB49 and press Find; you will get two more locations as follows (actually there are three, but we have already patched one):

1)

:004ACD71 E8D3FDFFFF call 004ACB49
:004ACD76 85C0 test eax, eax
:004ACD78 7445 je 004ACDBF <---------- got it (offset 000AC378)

2)

:004ACCA1 E8A3FEFFFF call 004ACB49
:004ACCA6 85C0 test eax, eax
:004ACCA8 7418 je 004ACCC2 <---------- got it (offset 000AC2A8)

Have you noticed that the code which checks the serial has a fixed pattern?

call 004ACB49
test eax, eax
je xxxxxxxx

Write down the offset addresses of the two je instructions. Open IRC.exe in Hiew and replace 74 with 75 (jne) at each. Save the changes and exit. Now run IRC.exe and enter the name and serial. We get the
popup message "Thank you for registration!". Now close the program, run it again and check the About box. You will see the name used for registration. Hey! That means we have cracked the program completely.
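
From the defender's side, the fixed call / test eax, eax / je pattern above is also what an integrity check can look for. The following Python is an added example (not from this tutorial and not mIRC's own code): it hashes a binary image and, given a known-good copy, reports which bytes changed and whether a change is a one-byte je-to-jne flip sitting directly after test eax, eax. The sample byte strings are constructed for the example, not taken from any real file.

```python
import hashlib

# Opcode byte pairs involved in a je -> jne flip: short form 74 -> 75,
# and the second byte of the near form 0F 84 -> 0F 85.
FLIP_PAIRS = {(0x74, 0x75), (0x84, 0x85)}
TEST_EAX = b"\x85\xc0"  # encoding of 'test eax, eax'


def sha256_hex(data: bytes) -> str:
    """Hash a file image; compare it with a known-good value before trusting the binary."""
    return hashlib.sha256(data).hexdigest()


def diff_offsets(good: bytes, candidate: bytes) -> list:
    """Offsets whose bytes differ; a length mismatch is reported as [-1]."""
    if len(good) != len(candidate):
        return [-1]
    return [i for i, (a, b) in enumerate(zip(good, candidate)) if a != b]


def classify_patches(good: bytes, candidate: bytes) -> list:
    """Label each differing offset; flag one-byte je->jne flips right after test eax, eax."""
    findings = []
    for off in diff_offsets(good, candidate):
        if off < 0:
            findings.append((off, "length mismatch"))
            continue
        a, b = good[off], candidate[off]
        if (a, b) not in FLIP_PAIRS:
            findings.append((off, "other change"))
            continue
        # short je: 85 C0 74 xx ; near je: 85 C0 0F 84 xx xx xx xx
        after_test = (a == 0x74 and off >= 2 and good[off - 2:off] == TEST_EAX) or \
                     (a == 0x84 and off >= 3 and good[off - 3:off] == TEST_EAX + b"\x0f")
        findings.append((off, "je->jne flip after test eax,eax" if after_test else "je->jne flip"))
    return findings


# Constructed samples of the call/test/je pattern (short and near je forms).
GOOD_SHORT = bytes.fromhex("6a00 e8d3fdffff 85c0 7445 90")
GOOD_NEAR = bytes.fromhex("e8d9fbffff 85c0 0f84b7000000")


def tampered(image: bytes, off: int, value: int) -> bytes:
    """Return a copy of image with one byte changed (simulates a hex-editor edit)."""
    buf = bytearray(image)
    buf[off] = value
    return bytes(buf)
```

Running classify_patches over a whole code section against a vendor-supplied known-good image turns the tutorial's pattern into a tamper indicator; the hash comparison alone already tells you that the file is no longer the one that was shipped.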

That's all, friends. I have tried my best. If you have any difficulties or questions, mail me; if I have time I will try to answer you.

Also, if you think the software is really worth it, then please pay for it, because cracking
software is much easier than writing it, and the programmers deserve it.

________________________________________________________________________________________________

--={CoDe bUstEr}=--
code_buster@rediffmail.com
cracking made easy--for mIRC v5.9.

To get more knowledge visit us at : http://kickme.to/ico
________________________________________________________________________________________________


This site is owned by ICO, copyright 2000-02 ©.
