Web
: http://mxb.cjb.net
Contact Me : [email protected] or [email protected]
LSX-MPEG Encoder 2.0
Type : MPEG Encoder
Protection : Time Limit - 30 Sec & Water Mark
Tech : Patching
Crack : This program has a 30 Sec time limit and Water Marking after
150 frames.We will crack this section by section :
(1) Nag Screen At Start Up :
Load the program using Symbol Loader.Trace from start point :)
0x44CCAD CALL 0x467B17
INSIDE THIS CALL .....
0x467B27 CALL 0x4712A4
INSIDE THIS CALL .....
0x4712DB CALL [ESI+58]
INSIDE THIS CALL .....
0x41FEF9 CALL 0x46A113
0x41FEFE MOV EBX,00000001
0x41FF03 CMP EAX,EBX
0x41FF05 JZ 0x41FF48 >> TRY
||||
vvvv
ORDER NOW
Patch :
0x41FEF9 JMP 0x41FF48 | EB 4D OFFSET = 0x1F2F9
(2) 30 Sec Time Limit :
For this I used a AVI file with 1203 frames : this will be enough
to cross the time limit :)
Please Note : 1203 = 0x4B3
Program gives us a warning when we try to encode this file.
So in SICE BPX MESSAGEBOXA and just trace ...
0x4218C3 CALL 0x43E5C0
0x4218C8 MOV ECX,[0x5A1BD8] >> 0x1203
0x4218CE MOV EAX,[0x5A0884] >> 0x12C : LIMIT FACTOR
0x4218D3 CMP ECX,EAX
0x4218D5 JLE 0x4218F4 >> GOOD BOY
Now we will see where the memory [0x5A0884] is loaded with
0x12C
So in SICE BPM 0x5A0884 RW
Then restart the encoding process.
We will pop in to here :
0x421395 FILD DWORD PTR[0x5A0884]
0x42139B FADD ST(0),ST
0x42139D FCOMP ST(1)
0x42139F FSTSW AX
0x4213A1 TEST AH,41
0x4213A4 JNZ 0x4213B7 >> GOOD BOY : MUST JUMP TO CRACK -
0x4213A6 CALL 0x44A930 >> TIME LIMIT
0x4213AB CDQ
0x4213AC SUB EAX,EDX
0x4213AE SAR EAX,1
0x4213B0 MOV [0x5A0884],EAX >> EAX = 0x12C
0x4213B5 JMP 0x4213B9
Patch :
0x4213A4 JMP 0x4213B7 | EB 11 OFFSET = 0x207A4
At main encoder loop :
.........................
0x4166DF MOV EAX,[ESP+10]
0x4166E3 MOV ECX,[0x59DFEC] >> 0x2EE = 750 : FRAMES THAT WILL BE ENCODED
0x4166E9 INC EAX OUT OF 1203 FRAMES
0x4166EA CMP EAX,ECX
0x4166EC MOV [ESP+10],EAX
0x4166F0 JL 0x416280
Now we will see where the memory [0x59DFEC] is loaded with
0x2EE
So in SICE BPM 0x59DFEC RW
Then restart the encoding process.
We will pop in to here :
0x4214E7 MOV ESI,EAX
0x4214E9 MOV [0x59DFEC],ESI >> DANGEROUS INSTRUCTION FILL WITH NOP
0x4214EF LEA EDX,[ECX+EBX]
..........................
0x421629 CMP EDX,64
0x42162C JLE 0x421639 >> GOOD BOY
0x42162E MOV ESI,000003E8
0x421633 MOV [0x59DFEC],ESI
0x421639 MOV EAX,[0x59EB60] >> 0x2EE
0x42163E CMP EAX,ESI
0x421640 JGE 0x421647 >> GOOD BOY
0x421642 MOV [0x59DFEC],EAX >> EAX = 0x2EE
Patch :
Fill 0x4214E9 - 0x4214EE WITH NOP = 0x90
OFFSET = 0x208E9
89 35 EC DF 59 00 ==> 90 90 90 90 90 90
0x42162C JMP 0x421639 | EB 0B OFFSET = 0x20A2C
0x421640 JMP 0x421647 | EB 05 OFFSET = 0x20A40
(3) Water Mark [After 150 Frames] :
After 150 frames this program writes "LSX-MEPG DEMO VERSION"
to the encoded stream :(
It is not using a bitmap to do this but this string is encoded and
kept inside the program.
To crack this I used the program API SPY.
Load Kernel,GDI and User modules in to API SPY and run the program.
Note : We only need to activate the API spying at encode time :)
Start the encoding process and also activate API SPY ,after the Water Mark is
shown you can stop spying and save the log file.Now look in to the log file
,
we can see that API CreateBitmap used.Main part of log file is shown below :
-------------------------------------------------------------------------------------------
API Spy Log File
****************
0043F8B8:GetDC(HWND:0000076C)
0043F8BE:GetDC = 772
0043F8DF:CreateBitmap(DWORD:00000320,DWORD:00000014,
DWORD:00000001,DWORD:00000001,LPDATA:00000000) >> Attack Point
0043F8E5:CreateBitmap = D0E
0043F932:SetBitmapBits(HANDLE:00000D0E,DWORD:000007D0,LPDATA:012BFA20)
0043F938:SetBitmapBits = 7D0
0043F93C:CreateCompatibleDC(HANDLE:00000772)
0043F942:CreateCompatibleDC = D02
0043F94E:SelectObject(HANDLE:00000D02,HANDLE:00000D0E)
0043F954:SelectObject = 72A
0043F974:lstrlenA(LPSTR:004A7CD8:"͂") >> Encoded String "LSX-MPEG
Demo "
0043F976:lstrlenA = E >> String Length
0043F9B5:SetTextColor(HANDLE:00000D02,DWORD:00FFFFFF)
0043F9BB:SetTextColor = 0
0043F9BE:SetBkMode(HANDLE:00000D02,DWORD:00000001)
0043F9C4:SetBkMode = 2
0043FA13:lstrlenA(LPSTR:0085E7A0:"LSX-MPEG Demo ")
0043FA15:lstrlenA = E
0043FA1E:DrawTextA(HANDLE:00000D02,LPSTR:0085E7A0:"LSX-MPEG Demo ", >> Draw
Water Mark
DWORD:0000000E,LPDATA:0085E7F0,DWORD:00000020)
0043FA24:DrawTextA = 10
0043FA24:GdiFlush() >> Flush GDI
0043FA2A:GdiFlush = 1
0043FA7A:GetDIBits(HANDLE:00000D02,HANDLE:00000D0E,DWORD:00000000,
DWORD:00000014,LPDATA:012BFA20,LPDATA:0085E7C8,DWORD:00000000)
-------------------------------------------------------------------------------------------
At 0x43F974 we can see encoded string "LSX-MPEG Demo "
At 0x43FA1E we can see it is using DrawTextA to Water Mark.
Main attack point is shown below :
0x43F8DF CALL [CreateBitmap]
0x43F8E5 TEST EAX,EAX
0x43F8E7 MOV [EBP-0C],EAX
0x43F8EA JZ 0x43FAEC |0F 84 FC 01 00 00 >> MUST JUMP
Patch :
0x43F8EA NOP | 90 OFFSET = 0x3ECEA
0x43F8EB JMP 0x43FAEC | E9 FC 01 00 00
So we have cracked LSX-MPEG DEMO :)