Web : http://mxb.cjb.net
Contact Me : [email protected] or [email protected]

Main | Index

Advanced Registry Tracer 1.43

Type : Registry Spy tool
Protection : Packed - Serial
Tech : Loader - ProcPatch

Crack : This application is packed and has SICE detection.It uses Melt Ice to detect
SICE.

BPX _lopen and now run ART .....we can see it is trying to open two files ...

0x16C0570 PUSH EAX ==>> "\\.\NTICE"
0x16C0571 CALL _lopen
................................
0x16C0580 PUSH EAX ==>> "\\.\SICE"
0x16C0581 CALL _lopen

Now escape from this i.e make EAX = -1 after _lopen .Now enter any fake S/N and in SICE
BPX HMEMCPY ...click "OK" button and trace .....

MAIN CHECK

0x496654 MOV EAX,[EBP-08]
0x496657 CALL 49573C
0x49665C TEST AL,AL
0x49665E JZ 4966D8

Now BPX 49573C - and restart the application ...escape from MeltIce.We can see that packer is not
using dynamic loading...
Now the program breaks at 49573C ...it seems that this is the main validation algo.Trace back ....

0x495842 CALL 49573C
0x495847 TEST AL,AL
0x495849 JZ 495857 | 74 0C ===>>> BAD BOY

So we will make a loder which kills MeltIce and patch :

0x495849 NOP | 90
0x49584A NOP | 90

Patch :

Make a simple loader ...

//=========================Proc Patch ===============================
//gl_force.cpp
//GL_CrAck_F0rCe
//***********************************
//email : [email protected]
//web : www.glcrackforce.50megs.com
//***********************************
//===================================================================

#include <windows.h>

//===================================================================
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,
LPSTR lpCmdLine,int nShowCmd)
{

STARTUPINFO si;
char InfoText[] = "GL_CrAck_F0rCe - ART 1.43";
unsigned long i = 0;
unsigned long AddressOfPatch = 0x00495849;
unsigned long AddressSice = 0x016C04F4;
char DataRead[2] = {0};
char* cl;
PROCESS_INFORMATION pi;
char FileName[] = "Art.exe";
//============================================================
//Patch Data
char scanbyte1 = 0x74;
char scanbyte2 = 0x0C;

char sicebyte1 = 0x4E;
char sicebyte2 = 0x54;
//============================================================
ZeroMemory(&si,sizeof(si));
si.cb = sizeof(si);
cl = GetCommandLine();

if (CreateProcess(FileName, cl, NULL, NULL,FALSE,
NORMAL_PRIORITY_CLASS,NULL, NULL, &si, &pi))
{
//=====================================================
//Debugger escape
ReadProcessMemory(pi.hProcess, (LPVOID) AddressSice,
DataRead, 2, NULL);
for(;DataRead[0] != sicebyte1;)
{

ReadProcessMemory(pi.hProcess, (LPVOID) AddressSice,
DataRead, 2, NULL);
}
//=======================================================
if(DataRead[0] == sicebyte1 && DataRead[1] == sicebyte2)
{
//===================================================
WriteProcessMemory (pi. hProcess,
(LPVOID) AddressSice,
"\x78\x54", 2, NULL);
AddressSice = AddressSice + 12;
WriteProcessMemory (pi. hProcess,
(LPVOID) AddressSice,
"\x78\x49", 2, NULL);

//====================================================


}

//=====================================================
//Patch
ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
DataRead, 2, NULL);
for(;DataRead[0] != scanbyte1;)
{

ReadProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch,
DataRead, 2, NULL);
}
//=======================================================
if(DataRead[0] == scanbyte1 && DataRead[1] == scanbyte2)
{

//===================================================
WriteProcessMemory (pi. hProcess,
(LPVOID) AddressOfPatch,
"\x90\x90", 2, NULL);
//====================================================


}
//========================================================

CloseHandle (pi.hProcess);
CloseHandle (pi.hThread);

}
else
{
MessageBox(NULL,"Unable to load program..exiting..",InfoText,MB_OK);
return 0;
}

MessageBox(NULL,"Program Loaded...",InfoText,MB_OK);

return 0;
}
//===================================================================