Web : http://kickme.to/mxbnet

Opera 7.0 Beta 2
Type  : Fast Web Browser
Crack : Dumping + IAT Fix

Put BPX GETVERSION in SICE ... Run the program ...

OPERA!.text
015F:00611665  55              PUSH EBP                   <<-- OEP, Dump IT Using EBFE Trick
015F:00611666  8BEC            MOV EBP,ESP
015F:00611668  6AFF            PUSH FF
015F:0061166A  6870E56500      PUSH 0065E570
015F:0061166F  6824206100      PUSH 00612024
015F:00611674  64A100000000    MOV EAX,FS:[00000000]
015F:0061167A  50              PUSH EAX
015F:0061167B  64892500000000  MOV FS:[00000000],ESP
015F:00611682  83EC58          SUB ESP,58
015F:00611685  53              PUSH EBX
015F:00611686  56              PUSH ESI
015F:00611687  57              PUSH EDI
015F:00611688  8965E8          MOV [EBP-18],ESP
015F:0061168B  FF1598036200    CALL [KERNEL32!GetVersion]
015F:00611691  33D2            XOR EDX,EDX
015F:00611693  8AD4            MOV DL,AH
015F:00611695  891560156B00    MOV [006B1560],EDX

Note this Info in SICE :
Break due to BPMB #0167:00611665 X DR3 (ET=10.91 seconds)
MSR LastBranchFromIp=006EF3BF                              <<--- Note This Line
MSR LastBranchToIp=00611665

Now give this command in SICE :
:u 6ef3bf

OPERA!.aspack
015F:006EF3A9  8985A8030000    MOV [EBP+000003A8],EAX
015F:006EF3AF  61              POPAD
015F:006EF3B0  7508            JNZ 006EF3BA
015F:006EF3B2  B801000000      MOV EAX,00000001
015F:006EF3B7  C20C00          RET 000C
015F:006EF3BA  6865166100      PUSH 00611665
015F:006EF3BF  C3              RET

We are in ASPack Code ... [ Going to Enter OEP ]
So Dump it using the EBFE Trick, and use WinHex to correct EBFE-->558B
Offset : 211665

Use ImpRec and select "Opera.exe"
Enter : OEP = 211665
"IAT Auto Search"-->"GetImports" --- IAT Read Successfully!
Fix Dump file ...
Now Opera is Totally Unpacked ... and you can run the dumped file.

Registering :
Enter any fake S/N : x1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BPX GETDLGITEMTEXTA -- After 3 breaks, Search for the S/N in SICE :
:s -a 0 l fffffff 'x1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
0167:01431C48 78 31 78 78 78 78 78 78-78 78 78 78 78 78 78 78 x1xxxxxxxxxxxxxx
0167:01431C58 78 78 78 78 78 78 78 78-78 78 78 78 78 78 78 78 xxxxxxxxxxxxxxxx
0167:01431C68 78 78 78 78 78 78 78 78-00 00 00 00 00 00 00 00 xxxxxxxx........
0167:01431C78 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

Now put :
:BPR 01431C48 01431C58 R

Trace till we break here ....
015F:00517B0B  384601          CMP [ESI+01],AL            = 2D '-'
015F:00517B0E  0F85A4000000    JNZ 00517BB8
015F:00517B14  384607          CMP [ESI+07],AL
015F:00517B17  0F859B000000    JNZ 00517BB8
015F:00517B1D  38460D          CMP [ESI+0D],AL
015F:00517B20  0F8592000000    JNZ 00517BB8
015F:00517B26  384613          CMP [ESI+13],AL
015F:00517B29  0F8589000000    JNZ 00517BB8
015F:00517B2F  384619          CMP [ESI+19],AL
015F:00517B32  0F8580000000    JNZ 00517BB8
015F:00517B38  56              PUSH ESI

Trace Back ..
015F:0054AA92  E868D0FCFF      CALL 00517AFF
015F:0054AA97  59              POP ECX
015F:0054AA98  85C0            TEST EAX,EAX
015F:0054AA9A  59              POP ECX
015F:0054AA9B  752B            JNZ 0054AAC8

Trace Back ..
015F:00540C04  E830010000      CALL 00540D39
015F:00540C09  59              POP ECX
015F:00540C0A  85C0            TEST EAX,EAX               --> Make EAX = 0
015F:00540C0C  59              POP ECX
015F:00540C0D  7507            JNZ 00540C16               ---> BAD Boy
015F:00540C0F  C745F001000000  MOV DWORD PTR [EBP-10],00000001   <<-- Flag SET
015F:00540C16  FF7510          PUSH DWORD PTR [EBP+10]

So CALL 00540D39 Should always return EAX = 0

Inside CALL 00540D39 ...
015F:0054AAC8  83C8FF          OR EAX,-01                 <<-- Note This
015F:0054AACB  C9              LEAVE
015F:0054AACC  C3              RET

Fix :
015F:0054AAC8  90              NOP                        -- Offset = 14AAC8
015F:0054AAC9  33C0            XOR EAX,EAX
015F:0054AACB  C9              LEAVE
015F:0054AACC  C3              RET

Now Opera is Fully Registered ... Enjoy ...

dheeraj_xp@yahoo.com