Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


Modem Spy 1.1

Type : Phone recorder
Protection : Serial
Tech : Serial fishing

Crack : Enter any fake S/N and in SICE .....

BPX HMEMCPY ...Click "OK" button .... trace ...

0x40B4DD CALL 40B630
0x40B4E2 TEST EAX,EAX
0x40B4E4 JZ 40B520

Inside this CALL ...

0x40B5A4 CMP BYTE PTR [EAX],2D ....."-" >> So enter S/N = 1234-5678
..............................................
0x40B614 CMP EAX,ESI >> EAX = 4D2 = 1234 ; ESI = 2D5A = 11610

Registration Info :

Name = DHEERAJ
S/N = 11610-5678


01
Let us go inside and look where EAX is cleared .....

Inside CALL 423290

0x4232CA JZ 4232D2 | 74 06 OFFSET = 232CA
0x4232CC XOR EAX,EAX | 33 C0 ..... SHIT !!!

Patch :

So we must change above code to like this ...

0x4232CA XOR EAX,EAX | 33 C0 OFFSET = 232CA
0x4232CC INC EAX | 40
0x4232CD NOP | 90


REAL S/N IN HEX

Registration Info :

Name = DHEERAJ
S/N = 7682-716946


E 416F28

So it is storing no: of days at 0x00438D64 ....So in SICE
BPMB 438D64 RW ---- Restart ....

0x416ED7 CALL 416C70
...............................
0x416EE1 SUB EAX,ESI ---- 2B C6
0x416EE3 INC EAX -------- 40
0x416EE6 MOV [00438D64],EAX => STORE NO: DAYS :)
0x416EEB JLE 416EF2

So our crack will be :

0x416EE1 XOR EAX,EAX - 33 C0 - OFFSET = 16EE1

3. ANIMATOR - "Animator.exe"
*********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 201A1

4. EXPLORER - "Muexplor.exe"
********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = 1531

5. LIBRARIAN - "Librarian.exe"
**********************
Same shit is also used here, so just scan for hex string - "2B C6 40 3B C3"
and change :
"2B C6" ----> "33 C0"
OFFSET = ADF1

6. ON DISPLAY - "Mupanel.exe"
***********************
Using API Spy we can see it is reading three registry keys - "Eval1 - Eval2 - Eval3"
starting from address 0x004091E6 ...
So in SICE BPX 4091E6 ...TRACE ....

0x40937D MOV EAX,[0041AD10]
0x409382 JNZ 00409393
0x409384 CMP EAX,1E = 30 DAYS

So it is storing no: of days at 0x0041AD10 ....So in SICE
BPMB 41AD10 RW ---- Restart ....

0x409355 TEST EAX,EAX
0x409357 MOV [0041AD10],EAX --- STORE NO: OF DAYS :)
0x40935C JLE 40936C

So our crack will be :

0x409355 XOR EAX,EAX - 33 C0 - OFFSET = 9355


015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 48 DEC EAX --------> Make EAX = 0
015F:0041078A 7403 JZ 0041078F ---> BAD Boy
015F:0041078C 48 DEC EAX
015F:0041078D 750C JNZ 0041079B ---> Good Boy

Patch : Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE is using CRC checking :(