Cracking "MP3 File Editor v 4.0 MLV (Beta 2)"
Date: August 19, 1999
Author : +ViPeR+
[E]bola [V]irus [C]rew
Program Name : MP3 File Editor v 4.0 MLV (Beta 2)
Location : http://www.mp3.cz/mp3fe/index2.htm
Method: Math. + Range compare + Char compare.
<<Note : this document is only for educational purpose ONLY>>
-------------------------------------------------------------------------------
Enter the following information.
Name: evc_viper
Company: home
s/n: 2841805454545454123
bpx hmemcpy
'F11'
'F12' 6 times
'F10' 22 times and we land at :0049CE88.
:0049CE88 8B45FC mov eax, dword ptr [ebp-04]
:0049CE8B E8D8FCFFFF call 0049CB68 <-- 'F8' into this call
:0049CE90 84C0 test al, al <-- otherwise, you are a bad cracker
:0049CE92 0F84B1000000 je 0049CF49 <-- bad cracker
-= Step 1 =-
:0049CB68 55 push ebp
:0049CB69 8BEC mov ebp, esp
:0049CB6B B905000000 mov ecx, 00000005
:0049CB70 6A00 push 00000000
:0049CB72 6A00 push 00000000
:0049CB74 49 dec ecx
:0049CB75 75F9 jne 0049CB70
:0049CB77 53 push ebx
:0049CB78 56 push esi
:0049CB79 57 push edi
:0049CB7A 8945FC mov dword ptr [ebp-04], eax
:0049CB7D 8B45FC mov eax, dword ptr [ebp-04] <-- fake s/n
:0049CB80 E82F74F6FF call 00403FB4
:0049CB85 33C0 xor eax, eax
:0049CB87 55 push ebp
:0049CB88 684CCE4900 push 0049CE4C
:0049CB8D 64FF30 push dword ptr fs:[eax]
:0049CB90 648920 mov dword ptr fs:[eax], esp
:0049CB93 C645DF00 mov [ebp-21], 00 <-- set zero for later
:0049CB97 C645DE00 mov [ebp-22], 00 <-- check.
:0049CB9B C645DD00 mov [ebp-23], 00 <--
:0049CB9F C645DC00 mov [ebp-24], 00 <--
:0049CBA3 8D45E8 lea eax, dword ptr [ebp-18]
:0049CBA6 E8D96FF6FF call 00403B84
:0049CBAB 8D45E4 lea eax, dword ptr [ebp-1C]
:0049CBAE E8D16FF6FF call 00403B84
:0049CBB3 8D45E0 lea eax, dword ptr [ebp-20]
:0049CBB6 E8C96FF6FF call 00403B84
:0049CBBB 8B45FC mov eax, dword ptr [ebp-04]
:0049CBBE E83D72F6FF call 00403E00 <-- calculate the length of s/n
:0049CBC3 83F812 cmp eax, 00000012 <-- lenght must bigger than
:0049CBC6 7D07 jge 0049CBCF 12. Acturally, the real
:0049CBC8 33DB xor ebx, ebx length should be 13.
:0049CBCA E95A020000 jmp 0049CE29
:0049CBCF 8D45F8 lea eax, dword ptr [ebp-08]
:0049CBD2 E8AD6FF6FF call 00403B84
:0049CBD7 33F6 xor esi, esi
:0049CBD9 83C601 add esi, 00000001 <-------------------------
:0049CBDC 7105 jno 0049CBE3 |
:0049CBDE E8D563F6FF call 00402FB8 |
:0049CBE3 8D45D8 lea eax, dword ptr [ebp-28] |
:0049CBE6 8B55FC mov edx, dword ptr [ebp-04] |
:0049CBE9 8A5432FF mov dl, byte ptr [edx+esi-01] |
:0049CBED E83671F6FF call 00403D28 |
:0049CBF2 8B55D8 mov edx, dword ptr [ebp-28] |
:0049CBF5 8D45F8 lea eax, dword ptr [ebp-08] |
:0049CBF8 E80B72F6FF call 00403E08 |
:0049CBFD 83FE06 cmp esi, 00000006 |
:0049CC00 7CD7 jl 0049CBD9 <-------------------------------
The above loop copies the first 6 chars from the fake s/n and put it in the
place pointed by EAX.
:0049CC02 33D2 xor edx, edx
:0049CC04 55 push ebp
:0049CC05 6811CE4900 push 0049CE11
:0049CC0A 64FF32 push dword ptr fs:[edx]
:0049CC0D 648922 mov dword ptr fs:[edx], esp
:0049CC10 8B45F8 mov eax, dword ptr [ebp-08]
:0049CC13 E80CB5F6FF call 00408124 <-- convert 284180 to hex
:0049CC18 8BC8 mov ecx, eax <-- value and put it to ECX
:0049CC1A 81F15D4D0200 xor ecx, 00024D5D
:0049CC20 81F9491B0600 cmp ecx, 00061B49
:0049CC26 7504 jne 0049CC2C
:0049CC28 C645DF01 mov [ebp-21], 01 <-- need this
Notice here. The code above basically convert 284180 to hex value which is 45614(hex).
Then, put that value in ECX and then "ECX xor 24D5D(hex)". The result is then compare
with 61B49(hex). If the result is the same, [ebp-21]=1. Hence, In order to find
what are the correct first 6 numbers for s/n. I assume it is XXXXXXXX(hex).
XXXXXXXX
xor 00024D5D
-------------
00061B49
So, XXXXXXXX must be equal to 00045614(hex) which is 284180(dec). Done step 1.
-= Step 2 =-
:0049CC2C 8BC1 mov eax, ecx
:0049CC2E 25FF000000 and eax, 000000FF
:0049CC33 B90A000000 mov ecx, 0000000A
:0049CC38 99 cdq
:0049CC39 F7F9 idiv ecx
:0049CC3B 8BD8 mov ebx, eax
:0049CC3D 8D45E8 lea eax, dword ptr [ebp-18]
:0049CC40 33D2 xor edx, edx
:0049CC42 8AD3 mov dl, bl
:0049CC44 83C240 add edx, 00000040
:0049CC47 7105 jno 0049CC4E
:0049CC49 E86A63F6FF call 00402FB8
:0049CC4E E8D570F6FF call 00403D28
:0049CC53 83C601 add esi, 00000001
:0049CC56 7105 jno 0049CC5D
:0049CC58 E85B63F6FF call 00402FB8
:0049CC5D 8D45F4 lea eax, dword ptr [ebp-0C]
:0049CC60 E81F6FF6FF call 00403B84
:0049CC65 83C601 add esi, 00000001 <-------------------------
:0049CC68 7105 jno 0049CC6F |
:0049CC6A E84963F6FF call 00402FB8 |
:0049CC6F 8D45D8 lea eax, dword ptr [ebp-28] |
:0049CC72 8B55FC mov edx, dword ptr [ebp-04] |
:0049CC75 8A5432FF mov dl, byte ptr [edx+esi-01] |
:0049CC79 E8AA70F6FF call 00403D28 |
:0049CC7E 8B55D8 mov edx, dword ptr [ebp-28] |
:0049CC81 8D45F4 lea eax, dword ptr [ebp-0C] |
:0049CC84 E87F71F6FF call 00403E08 |
:0049CC89 83FE0A cmp esi, 0000000A |
:0049CC8C 7CD7 jl 0049CC65 <------------------------------
:0049CC8E 8B45F4 mov eax, dword ptr [ebp-0C]
:0049CC91 E88EB4F6FF call 00408124
The above code is similar to the above code segment. This time, it takes
454 for the fake s/n. (454 in the bracket --> 2841805[454]545454xxx, note
that 5 (284180[5]454545454xxx is skipped.))
You can see this by 'd eax' while the line 0049CC91 is highlighted. 0049CC91
just convert 454 to 1C6(hex).
:0049CC96 83E837 sub eax, 00000037
:0049CC99 7105 jno 0049CCA0
:0049CC9B E81863F6FF call 00402FB8
:0049CCA0 3C62 cmp al, 62
:0049CCA2 7204 jb 0049CCA8
:0049CCA4 C645DE01 mov [ebp-22], 01 <-- need this
454 is good enough to let you reach line 0049CCA4 mov [ebp-22], 01. And this
is what we need.
-= Step 3 =-
:0049CCA8 8B45F4 mov eax, dword ptr [ebp-0C]
:0049CCAB E874B4F6FF call 00408124
:0049CCB0 8BD8 mov ebx, eax
:0049CCB2 83EB37 sub ebx, 00000037
:0049CCB5 7105 jno 0049CCBC
:0049CCB7 E8FC62F6FF call 00402FB8
:0049CCBC 81E3FF000000 and ebx, 000000FF
:0049CCC2 85DB test ebx, ebx
:0049CCC4 7903 jns 0049CCC9
:0049CCC6 83C303 add ebx, 00000003
:0049CCC9 C1FB02 sar ebx, 02
:0049CCCC 8D45E4 lea eax, dword ptr [ebp-1C]
:0049CCCF 33D2 xor edx, edx
:0049CCD1 8AD3 mov dl, bl
:0049CCD3 83C240 add edx, 00000040
:0049CCD6 7105 jno 0049CCDD
:0049CCD8 E8DB62F6FF call 00402FB8
:0049CCDD E84670F6FF call 00403D28
:0049CCE2 83C601 add esi, 00000001
:0049CCE5 7105 jno 0049CCEC
:0049CCE7 E8CC62F6FF call 00402FB8
:0049CCEC 8D45F0 lea eax, dword ptr [ebp-10]
:0049CCEF E8906EF6FF call 00403B84
:0049CCF4 83C601 add esi, 00000001 <-------------------------
:0049CCF7 7105 jno 0049CCFE |
:0049CCF9 E8BA62F6FF call 00402FB8 |
:0049CCFE 8D45D8 lea eax, dword ptr [ebp-28] |
:0049CD01 8B55FC mov edx, dword ptr [ebp-04] |
:0049CD04 8A5432FF mov dl, byte ptr [edx+esi-01] |
:0049CD08 E81B70F6FF call 00403D28 |
:0049CD0D 8B55D8 mov edx, dword ptr [ebp-28] |
:0049CD10 8D45F0 lea eax, dword ptr [ebp-10] |
:0049CD13 E8F070F6FF call 00403E08 |
:0049CD18 83FE10 cmp esi, 00000010 |
:0049CD1B 7CD7 jl 0049CCF4 <-------------------------------
:0049CD1D 8B45F0 mov eax, dword ptr [ebp-10]
:0049CD20 E8FFB3F6FF call 00408124
Same as above. This time, it takes 45454 form the fake s/n.
(45454 in the bracket --> 28418054545[45454]xxx)
You can see this by 'd eax' while the line 0049CD1D is highlighted. 0049CD20
just convert 45454 to its hex value.
:0049CD25 8BD0 mov edx, eax
:0049CD27 D1FA sar edx, 1
:0049CD29 7903 jns 0049CD2E
:0049CD2B 83D200 adc edx, 00000000
:0049CD2E 6BD202 imul edx, 00000002
:0049CD31 7105 jno 0049CD38
:0049CD33 E88062F6FF call 00402FB8
:0049CD38 3BC2 cmp eax, edx
:0049CD3A 7504 jne 0049CD40
:0049CD3C C645DD01 mov [ebp-23], 01 <-- need this
Again, 45454 is good enough to let us reach 0049CD3C. So, [ebp-23]=1 too.
-= Step 4 =-
:0049CD40 8BD8 mov ebx, eax
:0049CD42 81E3FF000000 and ebx, 000000FF
:0049CD48 85DB test ebx, ebx
:0049CD4A 7903 jns 0049CD4F
:0049CD4C 83C307 add ebx, 00000007
:0049CD4F C1FB03 sar ebx, 03
:0049CD52 8D45E0 lea eax, dword ptr [ebp-20]
:0049CD55 33D2 xor edx, edx
:0049CD57 8AD3 mov dl, bl
:0049CD59 83C240 add edx, 00000040
:0049CD5C 7105 jno 0049CD63
:0049CD5E E85562F6FF call 00402FB8
:0049CD63 E8C06FF6FF call 00403D28
:0049CD68 8D45EC lea eax, dword ptr [ebp-14]
:0049CD6B E8146EF6FF call 00403B84
:0049CD70 83C601 add esi, 00000001
:0049CD73 7105 jno 0049CD7A
:0049CD75 E83E62F6FF call 00402FB8
:0049CD7A 8D45D8 lea eax, dword ptr [ebp-28]
:0049CD7D 8B55FC mov edx, dword ptr [ebp-04]
:0049CD80 8A5432FF mov dl, byte ptr [edx+esi-01]
:0049CD84 E89F6FF6FF call 00403D28
:0049CD89 8B55D8 mov edx, dword ptr [ebp-28]
:0049CD8C 8D45EC lea eax, dword ptr [ebp-14]
:0049CD8F E87470F6FF call 00403E08
:0049CD94 83FE13 cmp esi, 00000013 <-- see this, it means that
:0049CD97 7CD7 jl 0049CD70 the length of s/n should be
at least 13(hex)
:0049CD99 8D45D8 lea eax, dword ptr [ebp-28]
:0049CD9C 8B55EC mov edx, dword ptr [ebp-14]
:0049CD9F 8A12 mov dl, byte ptr [edx]
:0049CDA1 E8826FF6FF call 00403D28
:0049CDA6 8B45D8 mov eax, dword ptr [ebp-28] <- 'd eax' to see
the fake char.
:0049CDA9 8B55E8 mov edx, dword ptr [ebp-18] <- 'd edx' to see
the correct char.
:0049CDAC E85F71F6FF call 00403F10
:0049CDB1 753A jne 0049CDED <-- jump if they are not equal.
Hence, in our fake s/n, 2841805454545454123, the last 3 chars are 123. The
above code tells you that in the place of 1, it should be 'G'.
:0049CDB3 8D45D8 lea eax, dword ptr [ebp-28]
:0049CDB6 8B55EC mov edx, dword ptr [ebp-14]
:0049CDB9 8A5201 mov dl, byte ptr [edx+01]
:0049CDBC E8676FF6FF call 00403D28
:0049CDC1 8B45D8 mov eax, dword ptr [ebp-28]
:0049CDC4 8B55E4 mov edx, dword ptr [ebp-1C]
:0049CDC7 E84471F6FF call 00403F10
Same as above, so, the 2 in 123 should be 'c'.
:0049CDCC 751F jne 0049CDED
:0049CDCE 8D45D8 lea eax, dword ptr [ebp-28]
:0049CDD1 8B55EC mov edx, dword ptr [ebp-14]
:0049CDD4 8A5202 mov dl, byte ptr [edx+02]
:0049CDD7 E84C6FF6FF call 00403D28
:0049CDDC 8B45D8 mov eax, dword ptr [ebp-28]
:0049CDDF 8B55E0 mov edx, dword ptr [ebp-20]
:0049CDE2 E82971F6FF call 00403F10
Same as above, so, the 3 in 123 should be 'Q'.
:0049CDE7 7504 jne 0049CDED
:0049CDE9 C645DC01 mov [ebp-24], 01
If the last three chars are correct, [ebp-24]=1.
The rest of the code is not really interesting. So, skip it. ^__^
Enter the following info to register this program.
Name: evc_viper
Company: home
s/n: 2841805454545454GcQ
Final Note:
Study and think well.
Ob Duh
Do I really have to remind you all that by buying and NOT stealing the
software you use will ensure that these software houses will continue to
produce even *better* software for us to use and more importantly, to
continue offering even more challenges to breaking their often weak
protection systems.
+ViPeR+
[E]bola [V]irus [C]rew
August 19 1999