Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


Offline Explorer Enterprise 2.4.934 SR1

Type : Offline Explorer
Protection : ASPack - RSA Serial
Tech : Unpacking + Patching

Crack :

Unpacking

No CRC check is implemented. Set BPX GETPROCADDRESS and run the program. When we break inside the "oe.daat" section, look a few lines down:

0x6C23B4 MOV [EBP+443CF6],EAX
.............................
0x6C23BA POPAD            = 61
0x6C23BB JNZ 6C23C5
0x6C23BD MOV EAX,01
0x6C23C2 RET 0C
0x6C23C5 PUSH 628E00      ---- OEP pushed here ...!
0x6C23CA RET              ---- DUMP HERE ... use the JMP EIP trick (EB FE: the process spins in place on this RET while you dump it)
...................
0x628E00 PUSH EBP         = 55 ------ VIRGIN PROGRAM STARTS HERE
0x628E01 MOV EBP,ESP      = 8B EC

Use PEditor to dump the process; call the file "oe_dmp.exe" and change the EP of the dumped file to:
EP = 228E00 (OEP 628E00 minus the image base 400000)
This dumped file will run on your PC for a while, but it will not run on another PC, because ASPack has wrecked the IAT of the main program. The packer does the PE loader's job itself: it fills the IAT with the resolved API addresses and destroys the original import table. The dump therefore carries absolute addresses that are only valid while the same DLL versions load at the same bases, which is why it breaks on another machine (or on yours after a system update).

IAT Restoration

Luckily we have an excellent tool for this job: ImpRec. Make a copy of "oe_dmp.exe" somewhere else, say "oe2_dmp.exe". Run the dumped "oe_dmp.exe" from the program folder (it needs the program's own files next to it). Run ImpRec and choose "oe_dmp" as the active task, then click "IAT AutoSearch" and "Get Imports" ... so easy. Check that no thunk is reported as invalid, then click "Fix Dump" and point it at "oe2_dmp.exe". All done: "oe2_dmp.exe" will now run on another PC. You can verify it with a hex editor: look at the import descriptors, the Name, the FirstThunk and so on; they point at RVAs inside the file again instead of absolute API addresses. This baby works >>>
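The hex-editor check above can be scripted. The following is an added example, not code from the tutorial or from ImpRec: it reads a zero-terminated FirstThunk array from raw file bytes and tells whether each entry is a name RVA (what a loader-ready import table holds), an import by ordinal, or an absolute address that ASPack resolved on the dumping machine. The thunk arrays below are constructed sample data, and the SizeOfImage value is an assumption; read the real one from the optional header of oe2_dmp.exe.

```python
import struct

# Added example, not from the tutorial. Assumptions: oe_dmp.exe is a PE32 file and its
# SizeOfImage is around 0x300000 (big enough to cover the 0x6xxxxx code addresses seen
# in the listings at image base 0x400000). Read the real value from the optional header.
IMAGE_SIZE = 0x300000
ORDINAL_FLAG = 0x80000000


def read_thunk_array(data: bytes, offset: int) -> list:
    """Read a zero-terminated array of 32-bit thunks (a FirstThunk / IAT array) from raw bytes."""
    thunks = []
    while True:
        (value,) = struct.unpack_from("<I", data, offset)
        if value == 0:
            return thunks
        thunks.append(value)
        offset += 4


def classify_thunk(value: int) -> str:
    """Say what one FirstThunk entry of an *unloaded* file holds.

    'name'     -> an RVA to an IMAGE_IMPORT_BY_NAME; the PE loader can resolve it
                  (this is what ImpRec's Fix Dump writes back).
    'ordinal'  -> high bit set, ordinal in the low 16 bits, bits 16..30 clear.
    'absolute' -> neither: the VA of an API as ASPack resolved it on the dumping machine.
                  Such an entry only works while the same DLL loads at the same base.
                  On Win9x system DLLs live above 0x80000000, so the high bit alone does
                  not identify an ordinal; the bits 16..30 test is what separates them.
    """
    if value & ORDINAL_FLAG and (value & 0x7FFF0000) == 0:
        return "ordinal"
    if value < IMAGE_SIZE:
        return "name"
    return "absolute"


def describe_iat(data: bytes, offset: int) -> list:
    """(value, kind) for every thunk in the array that starts at `offset`."""
    return [(t, classify_thunk(t)) for t in read_thunk_array(data, offset)]


def iat_is_loader_ready(data: bytes, offset: int) -> bool:
    """True when the array is non-empty and no thunk still holds a machine-specific address."""
    kinds = [kind for _, kind in describe_iat(data, offset)]
    return bool(kinds) and "absolute" not in kinds


# Constructed sample thunk arrays (not real data from the program), both starting at offset 0:
# values shaped like resolved NT-style and Win9x-style system DLL addresses, as in the raw dump ...
RESOLVED_IAT = struct.pack("<4I", 0x77E5A2F0, 0x77E5B010, 0xBFF7A120, 0)
# ... and what ImpRec leaves behind: two name RVAs and one import by ordinal (17).
REBUILT_IAT = struct.pack("<4I", 0x002A3F04, 0x002A3F12, 0x80000011, 0)

if __name__ == "__main__":
    for label, blob in (("raw dump", RESOLVED_IAT), ("after ImpRec", REBUILT_IAT)):
        print(label, "loader-ready:", iat_is_loader_ready(blob, 0))
        for value, kind in describe_iat(blob, 0):
            print(f"  {value:08X} {kind}")
```

To run it against the real file, locate the FirstThunk file offset of one import descriptor with your hex editor or PE tool and pass the file contents and that offset to `describe_iat`.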

Reg Check

Now our job is not finished; we still have to crack the main program. Enter some bogus S/N and in SICE put

BPX HMEMCPY (a Win9x breakpoint; on NT use GetWindowTextA / GetDlgItemTextA instead) .... then trace back into the program:

0x5BA36B LEA ECX,[EBP-08]          >> FAKE S/N
0x5BA36E LEA EDX,[EBP-04]
0x5BA371 MOV EDX,[EDI]
0x5BA373 CALL 6090CC               --- MAIN REG CHECK
0x5BA378 TEST AL,AL                --- AL = 01 means good
0x5BA37A JZ 5BA48E                 --- bad S/N path
..................
0x5BA382 MOV BYTE PTR [EAX+708],01 ---- REGISTERED FLAG SET ..
Now inside call 6090CC:
0x6090D6 CALL 608760
Inside this call:

0x6087E0 JLE 6087F7               = 7E 15
...................
0x608807 JLE 608D46               = 0F 8E 39 05 00 00
...................
0x608D42 MOV BYTE PTR [EBP-09],01 --- GOOD FLAG SET
0x608D46 XOR EAX,EAX              --- WE REACH HERE, BYPASSING THE LINE ABOVE

All we want is to reach 608D42 ...

Patch :

0x6087E0 JLE 6087F7 -> JMP 6087F7 = EB 15             --- OFFSET = 2087E0
...................
0x608807 JLE 608D46 -> JMP 608D42 = E9 36 05 00 00    --- OFFSET = 208807

These file offsets are VA - 400000 and hold for the rebuilt dump (oe2_dmp.exe), where raw offset equals RVA; they do not apply to the packed original. The second patch replaces a 6-byte JLE with a 5-byte JMP, so NOP (90) the leftover byte at 60880C for cleanliness.

Now you can enter any S/N and this baby will work in registered mode.
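The branch encodings and offsets above can be recomputed and applied by script instead of typed into a hex editor. The following is an added example, not code from the tutorial: it encodes the two jumps from their source and target VAs, checks that the bytes at each patch site really are the JLE the listing shows before overwriting them, pads the shortened instruction with NOP, and writes the result out. The image base of 0x400000 and the raw-offset-equals-RVA layout of the dump are assumptions taken from the page's own OFFSET = VA - 400000 rule; the sample image is constructed in memory.

```python
import struct

# Added example, not part of the tutorial. Assumption: the dump keeps the Delphi default
# image base 0x400000, and PEditor wrote every section with raw offset == RVA, which is
# why the page can use OFFSET = VA - 400000. For an arbitrary PE walk the section table.
IMAGE_BASE = 0x400000


def va_to_file_offset(va: int) -> int:
    return va - IMAGE_BASE


def _rel(src_va: int, dst_va: int, insn_len: int) -> int:
    """Displacement relative to the end of a jump instruction of insn_len bytes at src_va."""
    return dst_va - (src_va + insn_len)


def encode_jmp(src_va: int, dst_va: int) -> bytes:
    """Unconditional jump at src_va to dst_va: EB rel8 when it fits, else E9 rel32."""
    rel = _rel(src_va, dst_va, 2)
    if -128 <= rel <= 127:
        return b"\xEB" + struct.pack("<b", rel)
    return b"\xE9" + struct.pack("<i", _rel(src_va, dst_va, 5))


def encode_jle(src_va: int, dst_va: int) -> bytes:
    """JLE at src_va to dst_va: 7E rel8 when it fits, else 0F 8E rel32. Used to derive the
    original bytes expected at each patch site from the listing's source and target."""
    rel = _rel(src_va, dst_va, 2)
    if -128 <= rel <= 127:
        return b"\x7E" + struct.pack("<b", rel)
    return b"\x0F\x8E" + struct.pack("<i", _rel(src_va, dst_va, 6))


# The two patches from the Patch section: (VA, bytes that must be there, bytes to write).
PATCHES = [
    (0x6087E0, encode_jle(0x6087E0, 0x6087F7), encode_jmp(0x6087E0, 0x6087F7)),  # 7E 15 -> EB 15
    (0x608807, encode_jle(0x608807, 0x608D46), encode_jmp(0x608807, 0x608D42)),  # 0F 8E 39 05 00 00 -> E9 36 05 00 00 (+90)
]


def apply_patches(image: bytearray, patches=PATCHES) -> bytearray:
    """Patch `image` in place, refusing a site whose bytes are not the expected original."""
    for va, expect, new in patches:
        off = va_to_file_offset(va)
        found = bytes(image[off:off + len(expect)])
        if found != expect:
            raise ValueError(f"{va:#x}: found {found.hex()} expected {expect.hex()}")
        # A 5-byte near JMP replaces a 6-byte JLE; fill the spare byte with NOP so it
        # never decodes as a stray instruction if anything ever lands on it.
        new = new + b"\x90" * (len(expect) - len(new))
        image[off:off + len(new)] = new
    return image


def make_sample_image() -> bytearray:
    """Constructed stand-in for oe2_dmp.exe: zeros, with the original JLEs at their offsets."""
    image = bytearray(0x20A000)
    for va, expect, _ in PATCHES:
        off = va_to_file_offset(va)
        image[off:off + len(expect)] = expect
    return image


def patch_file(src_path: str, dst_path: str) -> None:
    """Read the rebuilt dump, apply the patches, write the registered-mode copy."""
    with open(src_path, "rb") as f:
        image = bytearray(f.read())
    with open(dst_path, "wb") as f:
        f.write(apply_patches(image))


if __name__ == "__main__":
    patched = apply_patches(make_sample_image())
    for va, expect, _ in PATCHES:
        off = va_to_file_offset(va)
        print(f"{va:08X} (file {off:06X}): {bytes(patched[off:off + len(expect)]).hex().upper()}")
```

Because `apply_patches` refuses to write when the original bytes differ, running it against the packed original (or a different build) fails loudly instead of corrupting the file.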


Offset : FB89

015F:00410784 E86C0A0000 CALL 004111F5
015F:00410789 90 NOP
015F:0041078A 90 NOP
015F:0041078B 90 NOP
015F:0041078C 90 NOP
015F:0041078D EB0C JMP 0041079B


Oops, this DREAMPOP.EXE uses CRC checking :(