
Cracker Handbook 1.0 part 329


Username : REA-cRaCkErTeAm
Serial 1 : 9d883-b9449-247ac-86337
Serial 2 : 8FD-D61F6-DF7

Username : Ice Dragon
Serial 1 : b2156-523e4-5dfca-59e74
Serial 2 : 61D-FE57C-D18

Ice_Dragon(REA)

Crack soft Shortcut PhotoZoom Pro v1.095

Home Page : http://www.shortcutpublishing.com/
Production : Shortcut PhotoZoom Pro v1.095 (Copyright 1997-2004, Shortcut Software Development B.V)
CrackFile : PhotoZoom Pro.exe
Type : Name / Mail / Serial
Pack : ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov
Unpack : Olly Scripts (aspr_123_rc4.osc)
Language : Microsoft Visual C++ 6.0
Cracktools : PeiD, Olly 1.10

Checking the program with PeiD shows that it is packed with ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov. First we have to unpack the program, as follows: in Olly, use OllyScripts, choose <Run Scripts> and pick the script named aspr_123_rc4.osc. When the script has finished, Olly stops here:

    00B639EC 3100 XOR DWORD PTR DS:[EAX], EAX <<===== Olly stops here after the script has run
    00B639EE 64:8F05 0000000> POP DWORD PTR FS:[0]
    00B639F5 58 POP EAX
    00B639F6 833D B07EB600 0> CMP DWORD PTR DS:[B67EB0], 0
    00B639FD 74 14 JE SHORT 00B63A13
    00B639FF 6A 0C PUSH 0C
    00B63A01 B9 B07EB600 MOV ECX, 0B67EB0
    00B63A06 8D45 F8 LEA EAX, DWORD PTR SS:[EBP-8]
    00B63A09 BA 04000000 MOV EDX, 4
    00B63A0E E8 2DD1FFFF CALL 00B60B40
    00B63A13 FF75 FC PUSH DWORD PTR SS:[EBP-4]
    00B63A16 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
    00B63A19 8B45 F4 MOV EAX, DWORD PTR SS:[EBP-C]
    00B63A1C 8338 00 CMP DWORD PTR DS:[EAX], 0
    00B63A1F 74 02 JE SHORT 00B63A23
    00B63A21 FF30 PUSH DWORD PTR DS:[EAX]
    00B63A23 FF75 F0 PUSH DWORD PTR SS:[EBP-10]
    00B63A26 FF75 EC PUSH DWORD PTR SS:[EBP-14]
    00B63A29 C3 RETN <<==== Set a breakpoint here, then press <Shift-F9>; Olly stops at the breakpoint just set.

At this breakpoint, press <Alt-M> to open the Memory window, select the line shown below, and do the following:

    00401000 00151000 (1380352.) PhotoZoo 00400000 code Imag 01001002 R RWE <<===== select this line, right-click, and choose "Set memory breakpoint on access"

After "Set memory breakpoint on access", go back to Olly and press <Ctrl-F12> to <Run>. Olly stops at the following location:

    005374EB C3 RETN
    005374EC 0000 ADD BYTE PTR DS:[EAX], AL
    005374EE 0000 ADD BYTE PTR DS:[EAX], AL
    005374F0 0000 ADD BYTE PTR DS:[EAX], AL
    005374F2 0000 ADD BYTE PTR DS:[EAX], AL
    005374F4 0000 ADD BYTE PTR DS:[EAX], AL
    005374F6 0000 ADD BYTE PTR DS:[EAX], AL
    005374F8 0000 ADD BYTE PTR DS:[EAX], AL
    005374FA 0000 ADD BYTE PTR DS:[EAX], AL
    005374FC 0000 ADD BYTE PTR DS:[EAX], AL
    005374FE 0000 ADD BYTE PTR DS:[EAX], AL
    00537500 0000 ADD BYTE PTR DS:[EAX], AL
    00537502 0000 ADD BYTE PTR DS:[EAX], AL
    00537504 0000 ADD BYTE PTR DS:[EAX], AL
    00537506 0000 ADD BYTE PTR DS:[EAX], AL
    00537508 0000 ADD BYTE PTR DS:[EAX], AL
    0053750A 0000 ADD BYTE PTR DS:[EAX], AL
    0053750C 0000 ADD BYTE PTR DS:[EAX], AL
    0053750E 0000 ADD BYTE PTR DS:[EAX], AL
    00537510 0000 ADD BYTE PTR DS:[EAX], AL
    00537512 FF15 38225500 CALL NEAR DWORD PTR DS:[552238] <===== Olly is stopped at this position

Looking up from here you can see the "0000" lines; these are the stolen bytes that we need to fix...hehe... We count 19 "0000" lines, which means 38 "00" bytes >> so this is the 38-byte form.
Here, press <Ctrl-A> to re-analyze, so that the stolen bytes can be patched back according to the "38-byte form"... and this is the "38-byte form" template:

Form 38 bytes of stolen bytes:

Code:

    0066B131 55 PUSH EBP
    0066B132 8BEC MOV EBP,ESP
    0066B134 6A FF PUSH -1
    0066B136 68 xxxxxxxx PUSH xxxxxxxx << We have to find the value here
    0066B13B 68 xxxxxxxx PUSH xxxxxxxx << We have to find the value here
    0066B140 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
    0066B146 50 PUSH EAX
    0066B147 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
    0066B14E 83EC 58 SUB ESP,58
    0066B151 53 PUSH EBX
    0066B152 56 PUSH ESI
    0066B153 57 PUSH EDI
    0066B154 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP

To find the two xxxxxxxx values above, open a second Olly window, repeat the <run scripts> step as above, then go to <Alt-M> and choose "Set memory breakpoint on access" as above. The difference this time is that, once back in Olly's main window, we do one more thing: set the condition ebp==esp. Do it as follows: press <Ctrl-T>, tick the "Conditional is true" box, then type "ebp==esp" into it (note: without the quotation marks [""]), and click OK.
Then press <Ctrl-F11>. When Olly has finished running, it stops where the condition ebp==esp that we set above is met, specifically here:

    ...
    00B7743C 53 PUSH EBX <<===== Olly is stopped here; looking at the FPU window, we see ESP = EBP (Good)
    ...

From this stopping point, scroll down a little until you find the following lines:

    ...
    00B77534 55 PUSH EBP
    00B77535 8BEC MOV EBP, ESP
    00B77537 6A FF PUSH -1
    00B77539 68 88005A00 PUSH 5A0088 <<===== the xxxxxxxx value we were looking for above
    00B7753E 68 F0805300 PUSH 5380F0 <<===== the xxxxxxxx value we were looking for above
    ...

Hehe, write down these 2 values [5A0088, 5380F0], then return to the first Olly window to patch the stolen bytes according to the template above. Back at the earlier stage, after <Ctrl-A> to re-analyze, you get the following code:

    005374EC 00 DB 00 <<===== Press <Ctrl-E> to fill in the stolen bytes according to the template above.
    005374ED 00 DB 00
    005374EE 00 DB 00
    005374EF 00 DB 00
    005374F0 00 DB 00
    005374F1 00 DB 00
    005374F2 00 DB 00
    005374F3 00 DB 00
    005374F4 00 DB 00
    005374F5 00 DB 00
    005374F6 00 DB 00
    005374F7 00 DB 00
    005374F8 00 DB 00
    005374F9 00 DB 00
    005374FA 00 DB 00
    005374FB 00 DB 00
    005374FC 00 DB 00
    005374FD 00 DB 00
    005374FE 00 DB 00
    005374FF 00 DB 00
    00537500 00 DB 00
    00537501 00 DB 00
    00537502 00 DB 00
    00537503 00 DB 00
    00537504 00 DB 00
    00537505 00 DB 00
    00537506 00 DB 00
    00537507 00 DB 00
    00537508 00 DB 00
    00537509 00 DB 00
    0053750A 00 DB 00
    0053750B 00 DB 00
    0053750C 00 DB 00
    0053750D 00 DB 00
    0053750E 00 DB 00
    0053750F 00 DB 00
    00537510 00 DB 00
    00537511 . 00FF ADD BH, BH

At the first position, press <Ctrl-E> to fill in the stolen bytes... note that they must be filled in line by line, from top to bottom, following the template above... When this is done, we have the complete code as follows:

    005374EC 55 PUSH EBP
    005374ED 8BEC MOV EBP, ESP
    005374EF 6A FF PUSH -1
    005374F1 68 88005A00 PUSH PhotoZoo.005A0088
    005374F6 68 F0805300 PUSH PhotoZoo.005380F0 ; Entry address
    005374FB 64:A1 0000000> MOV EAX, DWORD PTR FS:[0]
    00537501 50 PUSH EAX
    00537502 64:8925 00000> MOV DWORD PTR FS:[0], ESP
    00537509 83EC 58 SUB ESP, 58
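Added example, not part of the original tutorial: an analyst-side check that classifies the 38 bytes at a dumped image's entry region as zeroed ("stolen"), matching the 38-byte template above, or inconsistent with it. The function name, state labels and sample blobs are constructed for illustration, and the rule that the second PUSH operand (the SEH handler in the MSVC 6 startup frame) must fall inside the code section from the memory-map row is an assumption of this example.

```python
import struct

# 38-byte MSVC 6 entry prologue, per the template listing above.
# None marks a wildcard byte of one of the two PUSH imm32 operands.
TEMPLATE = (
    [0x55, 0x8B, 0xEC, 0x6A, 0xFF]        # push ebp; mov ebp,esp; push -1
    + [0x68] + [None] * 4                 # push xxxxxxxx (first operand)
    + [0x68] + [None] * 4                 # push xxxxxxxx (second operand)
    + [0x64, 0xA1, 0, 0, 0, 0, 0x50]      # mov eax,fs:[0]; push eax
    + [0x64, 0x89, 0x25, 0, 0, 0, 0]      # mov fs:[0],esp
    + [0x83, 0xEC, 0x58]                  # sub esp,58
    + [0x53, 0x56, 0x57]                  # push ebx; push esi; push edi
    + [0x89, 0x65, 0xE8]                  # mov [ebp-18],esp
)

# Code section taken from the memory-map row on the page: start and size.
CODE_START, CODE_SIZE = 0x00401000, 0x00151000


def classify_entry(region: bytes):
    """Classify the 38 bytes at a suspected entry point of a dumped image.

    Returns (state, detail):
      "stolen"   -> None               (region is all zero bytes)
      "mismatch" -> [offsets]          (fixed template bytes that differ)
      "intact"   -> (first, second)    (operands, second lies in code)
      "suspect"  -> (first, second)    (template fits, second is outside code)
    """
    if len(region) != len(TEMPLATE):
        raise ValueError(f"expected {len(TEMPLATE)} bytes, got {len(region)}")
    if not any(region):
        return "stolen", None
    bad = [i for i, (b, t) in enumerate(zip(region, TEMPLATE))
           if t is not None and b != t]
    if bad:
        return "mismatch", bad
    first, = struct.unpack_from("<I", region, 6)    # little-endian imm32
    second, = struct.unpack_from("<I", region, 11)
    # Assumption of this example: the second operand is a code address.
    in_code = CODE_START <= second < CODE_START + CODE_SIZE
    return ("intact" if in_code else "suspect"), (first, second)


# Constructed samples: the zeroed region, and the region as patched above.
ZEROED = bytes(38)
PATCHED = bytes.fromhex("55 8BEC 6AFF 6888005A00 68F0805300 64A100000000 50 "
                        "64892500000000 83EC58 53 56 57 8965E8")

if __name__ == "__main__":
    for name, blob in (("zeroed", ZEROED), ("patched", PATCHED)):
        print(name, classify_entry(blob))
```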

Posted: 03/07/2014, 18:20
