Contact Me : dheeraj_np@usa.net or gl_force@usa.net   www.glcrackforce.50megs.com
LSX-MPEG Encoder 2.0
Type       : MPEG Encoder
Protection : Time Limit - 30 Sec & Water Mark
Tech       : Patching
Crack File : Click here to download ...

Crack :

This program has a 30 sec time limit and water marks the output after 150 frames. We will crack this section by section :

(1) Nag Screen At Start Up :

Load the program using Symbol Loader and trace from the start point :)

    0x44CCAD  CALL 0x467B17
    INSIDE THIS CALL .....
    0x467B27  CALL 0x4712A4
    INSIDE THIS CALL .....
    0x4712DB  CALL [ESI+58]
    INSIDE THIS CALL .....
    0x41FEF9  CALL 0x46A113
    0x41FEFE  MOV  EBX,00000001
    0x41FF03  CMP  EAX,EBX
    0x41FF05  JZ   0x41FF48        >> TRY : jumps past the nag
                                   vvvv fall through = ORDER NOW

Patch :

    0x41FEF9  JMP 0x41FF48   | EB 4D           OFFSET = 0x1F2F9

(2) 30 Sec Time Limit :

For this I used an AVI file with 1203 frames; this is enough to cross the time limit :)
Please note : 1203 = 0x4B3.

The program gives us a warning when we try to encode this file, so in SICE BPX MESSAGEBOXA and just trace ...

    0x4218C3  CALL 0x43E5C0
    0x4218C8  MOV  ECX,[0x5A1BD8]  >> 0x4B3 = 1203 : FRAMES IN THE FILE
    0x4218CE  MOV  EAX,[0x5A0884]  >> 0x12C = 300  : LIMIT FACTOR
    0x4218D3  CMP  ECX,EAX
    0x4218D5  JLE  0x4218F4        >> GOOD BOY

Now we will see where the memory [0x5A0884] is loaded with 0x12C. So in SICE BPM 0x5A0884 RW, then restart the encoding process. We will pop in to here :

    0x421395  FILD DWORD PTR [0x5A0884]
    0x42139B  FADD ST(0),ST
    0x42139D  FCOMP ST(1)
    0x42139F  FSTSW AX
    0x4213A1  TEST AH,41
    0x4213A4  JNZ  0x4213B7        >> GOOD BOY : MUST JUMP TO CRACK
    0x4213A6  CALL 0x44A930        >> TIME LIMIT
    0x4213AB  CDQ
    0x4213AC  SUB  EAX,EDX
    0x4213AE  SAR  EAX,1
    0x4213B0  MOV  [0x5A0884],EAX  >> EAX = 0x12C
    0x4213B5  JMP  0x4213B9

Patch :

    0x4213A4  JMP 0x4213B7   | EB 11           OFFSET = 0x207A4

At the main encoder loop :

    .........................
    0x4166DF  MOV  EAX,[ESP+10]
    0x4166E3  MOV  ECX,[0x59DFEC]  >> 0x2EE = 750 : FRAMES THAT WILL BE ENCODED
    0x4166E9  INC  EAX                              OUT OF THE 1203 FRAMES
    0x4166EA  CMP  EAX,ECX
    0x4166EC  MOV  [ESP+10],EAX
    0x4166F0  JL   0x416280

Now we will see where the memory [0x59DFEC] is loaded with 0x2EE. So in SICE BPM 0x59DFEC RW, then restart the encoding process. We will pop in to here :

    0x4214E7  MOV  ESI,EAX
    0x4214E9  MOV  [0x59DFEC],ESI  >> DANGEROUS INSTRUCTION : FILL WITH NOP
    0x4214EF  LEA  EDX,[ECX+EBX]
    ..........................
    0x421629  CMP  EDX,64
    0x42162C  JLE  0x421639        >> GOOD BOY
    0x42162E  MOV  ESI,000003E8
    0x421633  MOV  [0x59DFEC],ESI
    0x421639  MOV  EAX,[0x59EB60]  >> 0x2EE
    0x42163E  CMP  EAX,ESI
    0x421640  JGE  0x421647        >> GOOD BOY
    0x421642  MOV  [0x59DFEC],EAX  >> EAX = 0x2EE

Patch :

    Fill 0x4214E9 - 0x4214EE with NOP = 0x90      OFFSET = 0x208E9
    89 35 EC DF 59 00  ==>  90 90 90 90 90 90
    0x42162C  JMP 0x421639   | EB 0B           OFFSET = 0x20A2C
    0x421640  JMP 0x421647   | EB 05           OFFSET = 0x20A40

(3) Water Mark [After 150 Frames] :

After 150 frames this program writes "LSX-MPEG Demo" into the encoded stream :( It is not using a bitmap resource for this; the string is kept encoded inside the program and is drawn at encode time with GDI calls. To crack this I used the program API SPY. Load the Kernel, GDI and User modules into API SPY and run the program.
Note : We only need to activate the API spying at encode time :)
Start the encoding process and also activate API SPY; after the water mark is shown you can stop spying and save the log file. Now look into the log file: we can see that the API CreateBitmap is used. The main part of the log file is shown below :

-------------------------------------------------------------------------------------------
API Spy Log File
****************
0043F8B8:GetDC(HWND:0000076C)
0043F8BE:GetDC = 772
0043F8DF:CreateBitmap(DWORD:00000320,DWORD:00000014,DWORD:00000001,DWORD:00000001,LPDATA:00000000)   >> Attack Point (800 x 20, 1 bpp)
0043F8E5:CreateBitmap = D0E
0043F932:SetBitmapBits(HANDLE:00000D0E,DWORD:000007D0,LPDATA:012BFA20)
0043F938:SetBitmapBits = 7D0
0043F93C:CreateCompatibleDC(HANDLE:00000772)
0043F942:CreateCompatibleDC = D02
0043F94E:SelectObject(HANDLE:00000D02,HANDLE:00000D0E)
0043F954:SelectObject = 72A
0043F974:lstrlenA(LPSTR:004A7CD8:"îñúïòç傿ÇÏÍ‚")   >> Encoded String "LSX-MPEG Demo "
0043F976:lstrlenA = E   >> String Length
0043F9B5:SetTextColor(HANDLE:00000D02,DWORD:00FFFFFF)
0043F9BB:SetTextColor = 0
0043F9BE:SetBkMode(HANDLE:00000D02,DWORD:00000001)
0043F9C4:SetBkMode = 2
0043FA13:lstrlenA(LPSTR:0085E7A0:"LSX-MPEG Demo ")
0043FA15:lstrlenA = E
0043FA1E:DrawTextA(HANDLE:00000D02,LPSTR:0085E7A0:"LSX-MPEG Demo ",DWORD:0000000E,LPDATA:0085E7F0,DWORD:00000020)   >> Draw Water Mark
0043FA24:DrawTextA = 10
0043FA24:GdiFlush()   >> Flush GDI
0043FA2A:GdiFlush = 1
0043FA7A:GetDIBits(HANDLE:00000D02,HANDLE:00000D0E,DWORD:00000000,DWORD:00000014,LPDATA:012BFA20,LPDATA:0085E7C8,DWORD:00000000)
-------------------------------------------------------------------------------------------

At 0x43F974 we can see the encoded string "LSX-MPEG Demo " (decoded to plain text by 0x43FA13). At 0x43FA1E we can see it is using DrawTextA to draw the water mark, and GetDIBits then copies the rendered bits back into the frame buffer at 012BFA20. The main attack point is shown below :

    0x43F8DF  CALL [CreateBitmap]
    0x43F8E5  TEST EAX,EAX
    0x43F8E7  MOV  [EBP-0C],EAX
    0x43F8EA  JZ   0x43FAEC        | 0F 84 FC 01 00 00   >> MUST JUMP

Patch :

    0x43F8EA  NOP            | 90                 OFFSET = 0x3ECEA
    0x43F8EB  JMP 0x43FAEC   | E9 FC 01 00 00

So we have cracked LSX-MPEG DEMO :)
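The six patches above are applied by hand in a hex editor in the write-up. The script below is an added example (my code, not part of the original page or of the LSX-MPEG product) that does the same thing offline and adds the two checks a practitioner wants before writing to a binary: it derives the EB xx / E9 xx xx xx xx bytes from the source and target VAs instead of copying them, so a typo in a displacement is caught, and it refuses to patch unless the bytes already at each offset are what the write-up says. It assumes that VA minus file offset is one constant for every pair quoted above (the code verifies this rather than hard-coding the value) and that the original bytes at the three short conditional jumps are the standard x86 encodings of the listed mnemonics (JNZ rel8 = 75 xx, JLE rel8 = 7E xx, JGE rel8 = 7D xx); the write-up only quotes replacement bytes there, so those expected values are an assumption the verification step will flag if wrong. The test image is constructed filler, not the real EXE.

```python
"""Byte patcher for the six fixes in this write-up (added example, not the page's code).

Assumptions (see lead-in): constant VA-to-offset delta across all pairs; expected bytes at
the three short conditional jumps are inferred from their mnemonics, not quoted by the page.
"""
from dataclasses import dataclass
from typing import Optional
import struct


def jmp_short(src_va: int, dst_va: int) -> bytes:
    """EB disp8: displacement is measured from the end of the 2-byte instruction."""
    disp = dst_va - (src_va + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst_va:#x} is out of rel8 range from {src_va:#x}")
    return b"\xEB" + struct.pack("<b", disp)


def jmp_near(src_va: int, dst_va: int) -> bytes:
    """E9 disp32: displacement is measured from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


@dataclass(frozen=True)
class Patch:
    name: str
    va: int                    # virtual address of the first byte written
    offset: int                # file offset quoted in the write-up
    expected: Optional[bytes]  # bytes that must be present first (None = not quoted)
    new: bytes


PATCHES = [
    # (1) nag: CALL 0x46A113 becomes JMP 0x41FF48; page does not quote the original bytes
    Patch("nag", 0x41FEF9, 0x1F2F9, None, jmp_short(0x41FEF9, 0x41FF48)),
    # (2) time limit: JNZ -> JMP 0x4213B7; expected bytes ASSUMED from the mnemonic
    Patch("time limit", 0x4213A4, 0x207A4, b"\x75\x11", jmp_short(0x4213A4, 0x4213B7)),
    # (2) frames: MOV [0x59DFEC],ESI -> 6 x NOP; original bytes quoted by the page
    Patch("frame store", 0x4214E9, 0x208E9, b"\x89\x35\xEC\xDF\x59\x00", b"\x90" * 6),
    # (2) frames: JLE -> JMP 0x421639; expected bytes ASSUMED from the mnemonic
    Patch("frame clamp 1000", 0x42162C, 0x20A2C, b"\x7E\x0B", jmp_short(0x42162C, 0x421639)),
    # (2) frames: JGE -> JMP 0x421647; expected bytes ASSUMED from the mnemonic
    Patch("frame clamp 750", 0x421640, 0x20A40, b"\x7D\x05", jmp_short(0x421640, 0x421647)),
    # (3) watermark: JZ rel32 (quoted as 0F 84 FC 01 00 00) -> NOP + JMP rel32, same target
    Patch("watermark", 0x43F8EA, 0x3ECEA, b"\x0F\x84\xFC\x01\x00\x00",
          b"\x90" + jmp_near(0x43F8EB, 0x43FAEC)),
]


def va_delta(patches=PATCHES) -> int:
    """VA - file offset; it must be a single constant or an offset was copied wrong."""
    deltas = {p.va - p.offset for p in patches}
    if len(deltas) != 1:
        raise ValueError(f"inconsistent VA/offset pairs: {sorted(map(hex, deltas))}")
    return deltas.pop()


def apply_patches(image: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy; refuse to touch an image whose bytes do not match."""
    buf = bytearray(image)
    for p in patches:
        end = p.offset + len(p.new)
        if end > len(buf):
            raise ValueError(f"{p.name}: offset {p.offset:#x} is beyond the end of the image")
        if p.expected is not None:
            found = bytes(buf[p.offset:p.offset + len(p.expected)])
            if found != p.expected:
                raise ValueError(f"{p.name}: expected {p.expected.hex()} at {p.offset:#x}, "
                                 f"found {found.hex()}")
        buf[p.offset:end] = p.new
    return bytes(buf)


def make_test_image(size: int = 0x40000) -> bytes:
    """Constructed stand-in for the EXE: 0xCC filler with the expected bytes in place."""
    buf = bytearray(b"\xCC" * size)
    for p in PATCHES:
        if p.expected is not None:
            buf[p.offset:p.offset + len(p.expected)] = p.expected
    return bytes(buf)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_image()
    out = apply_patches(src)
    print(f"VA delta {va_delta():#x}; {len(PATCHES)} patches applied")
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".patched", "wb").write(out)
```

Run it with the EXE path to write a `.patched` copy, or with no arguments to exercise it on the constructed image. If va_delta() raises, one of the VA/offset pairs was mis-copied; if apply_patches() raises on the real file, you are looking at a different build of the encoder and the addresses in this write-up do not apply to it.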