Web : http://mxb.cjb.net

Edit Pro 1.15

Type : Editor
Protection : Serial & CRC Check & Multi layer Encryption..etc
Tech : Proc Patch

Crack : This was a crack request ... I got this from www.serpik.com
Just look into the section details of the file "Editpro.exe" using PEditor.
We can see four or five nameless sections .. this file is encrypted. I tried to unpack
it, but failed. Moreover, this program is written in Delphi. No more API Spy !!!!

Now use PEditor and change the flag of the first section to : E0000020
so that the SICE Symbol Loader will break at the start point.

Oops .... running the program again gives us an error " File Corrupted " --- CRC check.

Redirection Of CRC Check :
*******************
So before changing the flag :
Make a virgin copy of the file "Editpro.exe", name it "Dditpro.exe" and put it in the same
folder ... So we have two copies of the same file - one modified and the other not modified.

In SICE BPX GETMODULEFILENAMEA ... trace ...

0xCF0012 CALL GETMODULEFILENAMEA
0xCF0017 LEA EAX,[EBP-FF] >> "C:\Program Files\EditPro\Editpro.exe" ==> MAKE "Editpro.exe" =>"Dditpro.exe"
0xCF001D MOV EDX,EBX
0xCF001F CALL 00CEEE14
0xCF0024 MOV [00CF39D0],EAX >> EAX = CHECK SUM VALUE

So change "E" to "D" so that the program will check the virgin copy.
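Why the rename works, as an added example (not from the original page or the program's own code): a checksum routine that trusts a path string held in writable memory can be pointed at a pristine copy, while hashing the bytes of the loaded image does not depend on that string. The sample bytes, the in-memory `folder` table and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bitwise reflected CRC-32 (polynomial 0xEDB88320). */
uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Constructed sample bytes: "modified" differs from "pristine" in one bit. */
static const uint8_t pristine[8] = {0x4D, 0x5A, 0x20, 0x00, 0x00, 0x60, 0x90, 0xC3};
static const uint8_t modified[8] = {0x4D, 0x5A, 0x20, 0x00, 0x00, 0xE0, 0x90, 0xC3};

/* Hypothetical in-memory "folder" so the example runs offline. */
struct sample_file { const char *name; const uint8_t *data; size_t len; };
static const struct sample_file folder[] = {
    {"Editpro.exe", modified, sizeof modified},
    {"Dditpro.exe", pristine, sizeof pristine},
};

/* Weak check: hashes whatever file the (writable) path string names. */
int check_by_path(const char *path, uint32_t expected)
{
    for (size_t i = 0; i < sizeof folder / sizeof folder[0]; i++)
        if (strcmp(folder[i].name, path) == 0)
            return crc32_buf(folder[i].data, folder[i].len) == expected;
    return 0; /* unknown file: fail closed */
}

/* Stronger check: hashes the bytes of the image that is actually loaded. */
int check_loaded_image(const uint8_t *image, size_t len, uint32_t expected)
{
    return crc32_buf(image, len) == expected;
}

int main(void)
{
    uint32_t expected = crc32_buf(pristine, sizeof pristine);
    return !(check_by_path("Dditpro.exe", expected) &&  /* redirected path passes */
             !check_by_path("Editpro.exe", expected) && /* real file fails */
             !check_loaded_image(modified, sizeof modified, expected));
}
```

An in-memory check still runs inside a process the user controls, so it raises the cost of tampering rather than preventing it.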

BPX LOADLIBRARYA ... trace

0x503FC7 CALL [507208]
Inside this CALL ...

0xCEC7C8 CMP DWORD PTR[00CF35A8],00
0xCEC7CF JZ 00CEC7D7
0xCEC7D1 CALL [00CF35A8] ===>> Here comes the real fun ....

if [00CF35A8] = 0x00503A54 >> PROGRAM WILL RUN
if [00CF35A8] = 0x00503AC0 >> PROGRAM WILL EXIT

Here the encryption is done according to the trial period.
I was unable to find the address which will lead us to a registered version :(
But the program is fully functional, as it is said ... and also we will get nicer freeware
programs than this sucker ..

Patch:
So our crack will be to write 0x00503A54 at [00CF35A8]. Here patching the exe file is a real
headache. We will use the Process Patcher technique, i.e. we will write a simple C program that
will load "Editpro.exe" and patch the value at [00CF35A8] when the encryption routine is over.

//=========================Proc Patch Edit Pro 1.15=====================================
//gl_force.cpp
//GL_CrAck_F0rCe
//***********************************
//web : www.glcrackforce.50megs.com
//***********************************
//================================================================================
#include <windows.h>
#include <stdio.h>
//================================================================================
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine,int nShowCmd)
{
    STARTUPINFO si;
    char InfoText[] = "Proc Patch - GL_CrAck_F0rCe";
    unsigned long i = 0;
    unsigned long AddressOfPatch = 0x00CF35A8;
    char DataRead[2] = {0};
    char* cl;
    PROCESS_INFORMATION pi;
    char FileName[] = "EditPro.exe";
    //==============================================================================
    //Patch Data
    char scanbyte1 = 0xC0;
    char scanbyte2 = 0x3A;
    //==============================================================================
    ZeroMemory(&si,sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();

    if (CreateProcess(FileName, cl, NULL, NULL,FALSE,
                      NORMAL_PRIORITY_CLASS,NULL, NULL, &si, &pi))
    {
        ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
                          DataRead, 2, NULL);
        for(;DataRead[0] != scanbyte1;)
        {
            ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
                              DataRead, 2, NULL);
        }
        //=============================================================================
        if(DataRead[0] == scanbyte1 && DataRead[1] == scanbyte2)
        {
            WriteProcessMemory(pi.hProcess,
                               (LPVOID) AddressOfPatch, "\x54\x3A", 2, NULL);
        }
        //=============================================================================

        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        MessageBox(NULL,"Unable to load program..exiting..",InfoText,MB_OK);
        return 0;
    }

    MessageBox(NULL,"Program Loaded...",InfoText,MB_OK);

    return 0;
}
//=================================================================================

NB : It is seen that when we run Editpro with Filemon and Regmon running ... this sucker kills
these two programs. To escape from this, BPX REGQUERYVALUEEXA and note down after how many
breaks this sucker kills Filemon and Regmon .. suppose it is after the 7th break. Then restart, and when we reach
the 7th break at REGQUERYVALUEEXA .... trace back into the program and raise an exception, i.e. fill the next two
bytes of the next instruction with zeros .... this will raise an exception and it will not kill Filemon and Regmon.