Contact Me : dheeraj_np@usa.net or gl_force@usa.net
             www.glcrackforce.50megs.com

LSX-MPEG Encoder 2.0

Type       : MPEG Encoder
Protection : Time Limit - 30 Sec & Water Mark
Tech       : Patching

Crack File : Click here to download ...

Crack : This program has a 30 sec time limit and water marking after
150 frames. We will crack it section by section :

(1) Nag Screen At Start Up : 

    Load the program using Symbol Loader. Trace from the start point :)

    0x44CCAD CALL 0x467B17
    INSIDE THIS CALL .....

    0x467B27 CALL 0x4712A4
    INSIDE THIS CALL .....

    0x4712DB CALL [ESI+58]
    INSIDE THIS CALL .....

    0x41FEF9 CALL 0x46A113
    0x41FEFE MOV EBX,00000001
    0x41FF03 CMP EAX,EBX
    0x41FF05 JZ 0x41FF48      >> TRY
                ||||
                vvvv
              ORDER NOW

    Patch :

    0x41FEF9 JMP 0x41FF48 | EB 4D OFFSET = 0x1F2F9

(2) 30 Sec Time Limit :

    For this I used an AVI file with 1203 frames : this will be enough
    to cross the time limit :)

    Please Note : 1203 = 0x4B3

    The program gives us a warning when we try to encode this file.
    So in SICE, BPX MESSAGEBOXA and just trace ...

    0x4218C3 CALL 0x43E5C0
    0x4218C8 MOV ECX,[0x5A1BD8]   >> 1203 (0x4B3) : FRAMES IN THE FILE
    0x4218CE MOV EAX,[0x5A0884]   >> 0x12C = 300  : LIMIT FACTOR
    0x4218D3 CMP ECX,EAX
    0x4218D5 JLE 0x4218F4         >> GOOD BOY

    Now we will see where memory [0x5A0884] is loaded with 0x12C.
    So in SICE, BPM 0x5A0884 RW, then restart the encoding process.
    We will pop in here :

    0x421395 FILD DWORD PTR[0x5A0884]
    0x42139B FADD ST(0),ST
    0x42139D FCOMP ST(1)
    0x42139F FSTSW AX
    0x4213A1 TEST AH,41
    0x4213A4 JNZ 0x4213B7            >> GOOD BOY : MUST JUMP TO CRACK THE TIME LIMIT
    0x4213A6 CALL 0x44A930
    0x4213AB CDQ
    0x4213AC SUB EAX,EDX
    0x4213AE SAR EAX,1               >> CDQ/SUB/SAR = signed EAX / 2
    0x4213B0 MOV [0x5A0884],EAX      >> EAX = 0x12C
    0x4213B5 JMP 0x4213B9

    Patch :

    0x4213A4 JMP 0x4213B7 | EB 11 OFFSET = 0x207A4

    At main encoder loop :
    .........................
    0x4166DF MOV EAX,[ESP+10]
    0x4166E3 MOV ECX,[0x59DFEC]  >> 0x2EE = 750 : FRAMES THAT WILL BE ENCODED OUT OF 1203
    0x4166E9 INC EAX
    0x4166EA CMP EAX,ECX
    0x4166EC MOV [ESP+10],EAX
    0x4166F0 JL 0x416280

    Now we will see where memory [0x59DFEC] is loaded with 0x2EE.
    So in SICE, BPM 0x59DFEC RW, then restart the encoding process.
    We will pop in here :

    0x4214E7 MOV ESI,EAX
    0x4214E9 MOV [0x59DFEC],ESI   >> DANGEROUS INSTRUCTION : FILL WITH NOPs
    0x4214EF LEA EDX,[ECX+EBX]
    ..........................
    0x421629 CMP EDX,64
    0x42162C JLE 0x421639         >> GOOD BOY
    0x42162E MOV ESI,000003E8
    0x421633 MOV [0x59DFEC],ESI
    0x421639 MOV EAX,[0x59EB60]   >> 0x2EE
    0x42163E CMP EAX,ESI
    0x421640 JGE 0x421647         >> GOOD BOY
    0x421642 MOV [0x59DFEC],EAX   >> EAX = 0x2EE

    Patch :

    Fill 0x4214E9 - 0x4214EE with NOP = 0x90
    OFFSET = 0x208E9 
    89 35 EC DF 59 00 ==> 90 90 90 90 90 90

    0x42162C JMP 0x421639 | EB 0B OFFSET = 0x20A2C

    0x421640 JMP 0x421647 | EB 05 OFFSET = 0x20A40

(3) Water Mark [After 150 Frames] :

    After 150 frames this program writes "LSX-MPEG DEMO VERSION"
    to the encoded stream :(
    It does not use a stored bitmap to do this; the string is kept
    encoded inside the program and drawn at run time.

    To crack this I used the program API SPY.
    Load the Kernel, GDI and User modules into API SPY and run the program.
    Note : we only need to activate API spying at encode time :)

    Start the encoding process and activate API SPY; after the water mark is
    shown you can stop spying and save the log file. Looking into the log file,
    we can see that the API CreateBitmap is used. The main part of the log file is shown below :
    -------------------------------------------------------------------------------------------
    API Spy Log File
    ****************

    0043F8B8:GetDC(HWND:0000076C)
    0043F8BE:GetDC = 772
    0043F8DF:CreateBitmap(DWORD:00000320,DWORD:00000014,
               DWORD:00000001,DWORD:00000001,LPDATA:00000000)               >> Attack Point
    0043F8E5:CreateBitmap = D0E
    0043F932:SetBitmapBits(HANDLE:00000D0E,DWORD:000007D0,LPDATA:012BFA20)
    0043F938:SetBitmapBits = 7D0
    0043F93C:CreateCompatibleDC(HANDLE:00000772)
    0043F942:CreateCompatibleDC = D02
    0043F94E:SelectObject(HANDLE:00000D02,HANDLE:00000D0E)
    0043F954:SelectObject = 72A
    0043F974:lstrlenA(LPSTR:004A7CD8:"îñúïòç傿ÇÏÍ‚")     >> Encoded String "LSX-MPEG Demo "
    0043F976:lstrlenA = E                                  >> String Length
    0043F9B5:SetTextColor(HANDLE:00000D02,DWORD:00FFFFFF)
    0043F9BB:SetTextColor = 0
    0043F9BE:SetBkMode(HANDLE:00000D02,DWORD:00000001)
    0043F9C4:SetBkMode = 2
    0043FA13:lstrlenA(LPSTR:0085E7A0:"LSX-MPEG Demo ")
    0043FA15:lstrlenA = E
    0043FA1E:DrawTextA(HANDLE:00000D02,LPSTR:0085E7A0:"LSX-MPEG Demo ",    >> Draw Water Mark
                       DWORD:0000000E,LPDATA:0085E7F0,DWORD:00000020)
    0043FA24:DrawTextA = 10
    0043FA24:GdiFlush()                                                    >> Flush GDI
    0043FA2A:GdiFlush = 1
    0043FA7A:GetDIBits(HANDLE:00000D02,HANDLE:00000D0E,DWORD:00000000,
                       DWORD:00000014,LPDATA:012BFA20,LPDATA:0085E7C8,DWORD:00000000)
    -------------------------------------------------------------------------------------------

    At 0x43F974 we can see the encoded string "LSX-MPEG Demo ".
    At 0x43FA1E we can see it uses DrawTextA to draw the water mark.

    The main attack point is shown below :

    0x43F8DF CALL [CreateBitmap]
    0x43F8E5 TEST EAX,EAX
    0x43F8E7 MOV [EBP-0C],EAX
    0x43F8EA JZ 0x43FAEC | 0F 84 FC 01 00 00 >> MUST JUMP

    Patch :

    0x43F8EA NOP          | 90    OFFSET = 0x3ECEA
    0x43F8EB JMP 0x43FAEC | E9 FC 01 00 00

    So we have cracked LSX-MPEG DEMO :)
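Added example, not from the page or the program's vendor: the whole crack reduces to six byte-level edits at the file offsets listed above, so an integrity check over exactly those sites is enough to tell an intact image from a patched one. Assumptions: the original bytes of the conditional jumps and of the CALL at 0x41FEF9 are derived from their mnemonics and targets (x86 short forms JZ=74, JNZ=75, JLE=7E, JGE=7D; CALL=E8 rel32), and the executable is replaced by a constructed byte image.

```python
from typing import Dict, List, Tuple

# (file offset, original bytes, patched bytes).  Offsets and patched bytes are
# the ones the text lists; originals not quoted on the page are derived from
# the mnemonic plus target (an assumption, marked "derived").  Every listed
# VA maps to its file offset as VA - 0x400C00.
SITES: List[Tuple[int, bytes, bytes]] = [
    (0x1F2F9, bytes.fromhex("E815A20400"),   bytes.fromhex("EB4D")),          # nag: CALL 0x46A113 (derived) -> JMP
    (0x207A4, bytes.fromhex("7511"),         bytes.fromhex("EB11")),          # time limit: JNZ (derived) -> JMP
    (0x208E9, bytes.fromhex("8935ECDF5900"), bytes.fromhex("909090909090")),  # MOV [0x59DFEC],ESI -> NOPs (quoted)
    (0x20A2C, bytes.fromhex("7E0B"),         bytes.fromhex("EB0B")),          # JLE (derived) -> JMP
    (0x20A40, bytes.fromhex("7D05"),         bytes.fromhex("EB05")),          # JGE (derived) -> JMP
    (0x3ECEA, bytes.fromhex("0F84FC010000"), bytes.fromhex("90E9FC010000")),  # watermark: JZ (quoted) -> NOP; JMP
]


def classify_sites(image: bytes) -> Dict[int, str]:
    """Map each site offset to 'original', 'patched' or 'unknown'."""
    result: Dict[int, str] = {}
    for off, orig, patched in SITES:
        window = image[off:off + max(len(orig), len(patched))]
        if window.startswith(orig):
            result[off] = "original"
        elif window.startswith(patched):
            # the short JMP at 0x1F2F9 only overwrites 2 of the CALL's 5 bytes,
            # so compare prefixes rather than whole windows
            result[off] = "patched"
        else:
            result[off] = "unknown"   # some other modification at this site
    return result


def tampered_sites(image: bytes) -> List[int]:
    """Offsets whose bytes no longer match the original instruction."""
    return sorted(off for off, st in classify_sites(image).items() if st != "original")


def build_sample_image(apply_patches: bool) -> bytes:
    """Constructed stand-in for the executable: zero-filled except at the sites."""
    buf = bytearray(0x40000)
    for off, orig, patched in SITES:
        buf[off:off + len(orig)] = orig
        if apply_patches:               # overlay the patch, as a hex editor would
            buf[off:off + len(patched)] = patched
    return bytes(buf)


if __name__ == "__main__":
    for flag in (False, True):
        print("patched" if flag else "intact ", tampered_sites(build_sample_image(flag)))
```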