Basic Cracking Write-ups
Welcome, Cracker
Cracking Tutorial:

Autorun Virus Remover v2.3


Target : Autorun Virus Remover v2.3
Tools  : OllyDebug DeFixeD
         PEiD v0.95

Our new technology blocks threats based on proactive protection and our solution can protect your computer against all threats trying to attack your computer via USB drive, no matter malicious programs are known or unknown.

Comment..!

Crack One Software Every Day Make You The Real Cracker.

Time to Start

Open Autorun Virus Remover.
Limited Version.
The Immunity menu is locked.
The Update menu is locked.
The Register menu, when filled in incorrectly, shows
"Please quit the program and run the program again to verify your license".

First step:

Scan AutorunRemover.exe with PEiD to see what the program is packed with.
It was built with "Borland Delphi 6.0 - 7.0".

Second step:

Open the file AutorunRemover.exe with OllyDebug DeFixeD.
In "CPU - main thread, module AutorunR", right-click and choose "Search for", then "All Referenced Text Strings".
Scroll to the top, then right-click and choose "Search For Text".
In "Enter Text to Search For", enter "Please quit", uncheck case sensitive and check entire scope.

We land at

004D037E MOV EAX,004D03CC ASCII "Please quit the program and run the program again to verify your license."

Double-click the address above.

004D037E |. B8 CC034D00 MOV EAX,004D03CC ; ASCII "Please quit the program and run the program again to verify your license."

We trace the code upward.

004D0171 |. /72 0D JB SHORT 004D0180
004D0173 |. |2C 02 SUB AL,2
004D0175 |. |0F84 99000000 JE 004D0214
004D017B |. |E9 C9000000 JMP 004D0249
004D0180 |> \8B83 6C040000 MOV EAX,DWORD PTR DS:[EBX+46C] ; Case 0 of switch 004D016F
004D0186 |. E8 E1A2F9FF CALL 0046A46C
004D018B |. 8BF8 MOV EDI,EAX
004D018D |. 4F DEC EDI
004D018E |. 85FF TEST EDI,EDI
004D0190 |. 7C 23 JL SHORT 004D01B5
004D0192 |. 47 INC EDI
004D0193 |. C745 F8 00000>MOV DWORD PTR SS:[EBP-8],0
004D019A |> 8B55 F8 /MOV EDX,DWORD PTR SS:[EBP-8]
004D019D |. 8B83 6C040000 |MOV EAX,DWORD PTR DS:[EBX+46C]
004D01A3 |. E8 88A2F9FF |CALL 0046A430
004D01A8 |. 33D2 |XOR EDX,EDX
004D01AA |. 8B08 |MOV ECX,DWORD PTR DS:[EAX]
004D01AC |. FF51 64 |CALL DWORD PTR DS:[ECX+64]
004D01AF |. FF45 F8 |INC DWORD PTR SS:[EBP-8]
004D01B2 |. 4F |DEC EDI
004D01B3 |.^ 75 E5 \JNZ SHORT 004D019A
004D01B5 |> BA 94024D00 MOV EDX,004D0294 ; ASCII "Registered"
004D01BA |. 8B83 88040000 MOV EAX,DWORD PTR DS:[EBX+488]
004D01C0 |. E8 AB6CF9FF CALL 00466E70
004D01C5 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004D01C8 |. 8BC6 MOV EAX,ESI
004D01CA |. E8 1D84FFFF CALL 004C85EC
004D01CF |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004D01D2 |. 8B83 90040000 MOV EAX,DWORD PTR DS:[EBX+490]
004D01D8 |. E8 936CF9FF CALL 00466E70
004D01DD |. C645 FF 01 MOV BYTE PTR SS:[EBP-1],1
004D01E1 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004D01E4 |. 8BC3 MOV EAX,EBX
004D01E6 |. E8 556CF9FF CALL 00466E40
004D01EB |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004D01EE |. BA A8024D00 MOV EDX,004D02A8 ; ASCII " (Full Version)"
004D01F3 |. E8 704DF3FF CALL 00404F68
004D01F8 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004D01FB |. 8BC3 MOV EAX,EBX
004D01FD |. E8 6E6CF9FF CALL 00466E70
004D0202 |. BA C0024D00 MOV EDX,004D02C0 ; ASCII "Full Version"
004D0207 |. 8B83 E8040000 MOV EAX,DWORD PTR DS:[EBX+4E8]
004D020D |. E8 5E6CF9FF CALL 00466E70
004D0212 |. EB 35 JMP SHORT 004D0249
004D0214 |> C645 FF 00 MOV BYTE PTR SS:[EBP-1],0 ; Case 3 of switch 004D016F
004D0218 |. BA D8024D00 MOV EDX,004D02D8 ; ASCII "Limited Version"
004D021D |. 8B83 E8040000 MOV EAX,DWORD PTR DS:[EBX+4E8]
004D0223 |. E8 486CF9FF CALL 00466E70
004D0228 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004D022B |. 8BC3 MOV EAX,EBX
004D022D |. E8 0E6CF9FF CALL 00466E40
004D0232 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004D0235 |. BA F4024D00 MOV EDX,004D02F4 ; ASCII " (Limited Version)"

Here we find the addresses of "Full Version" and "Limited Version".

We analyze them one by one because there are a lot of jumps.

At address "004D0175", replace the "JE" instruction with "NOP".
At address "004D017B", replace the "JMP" instruction with "NOP".

That is all the patching needed.

Now put "NOP" at both addresses above.
Double-click the address, enter "NOP", then Assemble, then Cancel.

Right-click, choose "Copy to Executable", then click "All Modification", then "Copy All".
Right-click again, choose "Save File", and overwrite the file under the same name.
Exit OllyDebug.
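
Seen from the vendor's side: the two branches overwritten above sit in the switch dispatch directly in front of the "Registered" case, so a self-integrity check over those bytes notices the NOP fill. The sketch below is an added example, not part of the original tutorial or the product's code; the byte values are copied from the listing above, while the function name, constants and sample buffers are assumptions constructed for illustration.

```python
import hashlib

# Bytes at 004D0171..004D017F, copied from the disassembly listing on this page.
BASE_VA = 0x004D0171
ORIGINAL = bytes.fromhex("720D 2C02 0F8499000000 E9C9000000")
# Instruction boundaries inside that range: VA -> (mnemonic, length in bytes).
GUARDED = {
    0x004D0171: ("JB SHORT 004D0180", 2),
    0x004D0173: ("SUB AL,2", 2),
    0x004D0175: ("JE 004D0214", 6),
    0x004D017B: ("JMP 004D0249", 5),
}
# Reference digest a build step would embed (computed here from the listing).
REFERENCE_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def check_dispatch(code: bytes, base_va: int = BASE_VA):
    """Compare a dump of the dispatch bytes with the reference.

    Returns a list of (va, mnemonic, kind) for every instruction that changed;
    kind is "nop-fill" when the whole instruction is 0x90, else "modified".
    """
    if len(code) != len(ORIGINAL):
        raise ValueError("expected %d bytes, got %d" % (len(ORIGINAL), len(code)))
    if hashlib.sha256(code).hexdigest() == REFERENCE_SHA256:
        return []  # fast path: region is untouched
    findings = []
    for va, (mnemonic, length) in sorted(GUARDED.items()):
        off = va - base_va
        seen = code[off:off + length]
        if seen != ORIGINAL[off:off + length]:
            kind = "nop-fill" if set(seen) == {0x90} else "modified"
            findings.append((va, mnemonic, kind))
    return findings


# Constructed samples: an untouched region and one with both branches NOP-filled.
CLEAN = ORIGINAL
TAMPERED = ORIGINAL[:4] + b"\x90" * 11

if __name__ == "__main__":
    for name, buf in (("clean", CLEAN), ("tampered", TAMPERED)):
        hits = check_dispatch(buf)
        print(name, [(hex(va), m, k) for va, m, k in hits] or "intact")
```

An in-process check like this can itself be patched out, so it belongs alongside a signed executable and license validation that does not hinge on a single client-side branch.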




18/06/09
WebMaster