
Web : http://mxb.cjb.net
  Contact Me : [email protected] or [email protected]

Opera 5.02

Type : Browser
  Protection : Serial
  Tech : Patching
  
  Crack : Finding a serial number for this baby is now a little harder.
  But it can be cracked with a simple trick.
  
  Opera uses a serial number. If you enter an S/N, it is
  encrypted and stored in the file "OUsr500.dat". When the program
  starts up, it checks the S/N inside this file.
  
  If the S/N is correct it will set two flags and the program
  runs in registered mode.
  
  Tracing the program from the beginning is not a solution to the
  problem. We will not get anywhere if we do so :(
  
  Let us take the registration algorithm itself as a path 
  finder to our destination.
  
  Enter fake S/N and in SICE BPX HMEMCPY
  When you pop up into SICE - search for S/N using ...
  s -a 0 L FFFFFF 'xxxxxxxxxxxxxxxxxx'
  
  Then use BPR xxxxxxxx xxxxxxxx RW on the S/N.
  This is very important, as Opera does not use direct flow
  in validating an S/N. Then trace till we reach ...
  
  0x522105 CMP [ESI+01],AL >> 2D '-'
  0x522108 JNZ 5221B2
  0x52210E CMP [ESI+07],AL >> 2D '-'
  0x522111 JNZ 5221B2
  0x522117 CMP [ESI+0D],AL >> 2D '-'
  0x52211A JNZ 5221B2
  0x522120 CMP [ESI+13],AL >> 2D '-'
  0x522123 JNZ 5221B2
  0x522129 CMP [ESI+19],AL >> 2D '-'
  0x52212C JNZ 5221B2
  Here our S/N is checked to see if it is in the form x-xxxxx-xxxxx......
  Now our trick : if the program uses the same algorithm at startup
  as well, we can easily reach where the flag is set :)
  
  So in SICE BPX 0x522105
  
  Now close Opera and restart it .... Bingo !!
  We can see it is called at two places, and if we trace back we can
  see the flag set :)
  
  0x41C870 CALL 0x412232 | E8 BD 59 FF FF
  0x41C875 CMP EAX,EDI >> MAKE EAX = 1 TO CRACK THIS
  0x41C877 MOV [0x595E50],EAX >> SAVE FLAG
  ...........................
  0x4DB621 CALL 0x412232 | E8 0C 6C F3 FF
  0x4DB626 MOV [EDI+90C],EAX >> MAKE EAX = 1 TO CRACK THIS
  
  Patch : [PERFECT FIT]
  
  0x41C870 MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0x1C870
  
  0x4DB621 MOV EAX,00000001 | B8 01 00 00 00 - OFFSET = 0xDB621
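
  Seen from the vendor's side, the two call sites above are exactly what a file-integrity check would watch. The following is an added example, not code from the original write-up or from Opera: it decodes the 5-byte CALL at each site and reports whether it still reaches 0x412232. The image base 0x400000 is inferred from the page's VA/offset pairs, and the sample image is a constructed zero-filled buffer.

```python
import struct

IMAGE_BASE = 0x400000      # inferred from the page: VA 0x41C870 <-> file offset 0x1C870
VALIDATOR_VA = 0x412232    # routine both call sites invoke, per the listing
# Original instruction bytes at each call site, as shown in the listing.
CALL_SITES = {0x41C870: bytes.fromhex("E8BD59FFFF"),
              0x4DB621: bytes.fromhex("E80C6CF3FF")}

def call_target(va, insn):
    """Decode a 5-byte CALL rel32 located at `va`; None if it is not one."""
    if len(insn) != 5 or insn[0] != 0xE8:
        return None
    (rel,) = struct.unpack("<i", insn[1:])      # signed 32-bit displacement
    return (va + 5 + rel) & 0xFFFFFFFF          # relative to the next instruction

def audit_call_sites(image):
    """Return {va: status} for every registration-check call site in a file image."""
    report = {}
    for va in CALL_SITES:
        off = va - IMAGE_BASE
        found = image[off:off + 5]
        target = call_target(va, found)
        if len(found) < 5:
            report[va] = "truncated"
        elif target == VALIDATOR_VA:
            report[va] = "intact"
        elif target is not None:
            report[va] = f"redirected to {target:#x}"
        else:
            report[va] = f"replaced ({found.hex()})"
    return report

def build_sample(tampered=()):
    """Constructed test image: zeros plus the listed bytes at each call site."""
    image = bytearray(0xDB621 + 5)
    for va, original in CALL_SITES.items():
        off = va - IMAGE_BASE
        # B8 01 00 00 00 is the replacement shown in the Patch section above.
        image[off:off + 5] = bytes.fromhex("B801000000") if va in tampered else original
    return bytes(image)

if __name__ == "__main__":
    for label, img in (("clean", build_sample()), ("tampered", build_sample({0x41C870}))):
        for va, status in audit_call_sites(img).items():
            print(f"{label:8} {va:#x}: {status}")
```

  A file-level check like this only catches on-disk modification. The underlying weakness is that the return value of one routine feeds both flags, so any check placed beside it can be patched the same way.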