Allok Video to 3GP Converter unpacking + cracking (with figures)

Source: Internet
Author: User

① Identify the packer
-----------------------------------------------------------------------------
After downloading and installing the program, check it with a packer identification tool (the source calls it "DIT"): it reports MoleBox 2.5.x.
Load it in OllyDbg (OD) and press F9 (RUN). Once the program is fully running, press ALT+M to open the memory map.

Names such as MBX@XZXXXS and a section named _BOX_ appear in the memory map. This confirms that a file (a DLL) is bundled into the executable and takes part in running the program.
Let's extract that DLL first.
-----------------------------------------------------------------------------

② Extract the bundled DLL
-----------------------------------------------------------------------------
Load the program again; it stops at the EP:
0047EB53 > E8 00000000 call Allok_Vi.0047EB58 ; stops at EP
0047EB58 60 pushad
0047EB59 E8 4F000000 call Allok_Vi.0047EBAD
0047EB5E FD std
0047EB5F BE 208F9F0F mov esi, 0F9F8F20
0047EB64 ED in eax, dx
0047EB65 ^ 7F 91 jg short Allok_Vi.0047EAF8
-----------------------------------------------------------------------------
Let's verify this guess.
BP GetFileTime. After it breaks, remove the breakpoint and return to the caller; we land here:
00484C92 C745 AC 0000000> mov dword ptr ss: [ebp-54], 0
00484C99 EB 09 jmp short Allok_Vi.00484CA4
00484C9B 8B4D AC mov ecx, dword ptr ss: [ebp-54]
00484C9E 83C1 01 add ecx, 1
00484CA1 894D AC mov dword ptr ss: [ebp-54], ecx
00484CA4 8B55 AC mov edx, dword ptr ss: [ebp-54]
00484CA7 3B55 9C cmp edx, dword ptr ss: [ebp-64]
00484CAA 0F83 E3000000 jnb Allok_Vi.00484D93
00484CB0 8B45 AC mov eax, dword ptr ss: [ebp-54]
00484CB3 C1E0 04 shl eax, 4
00484CB6 8B4D E0 mov ecx, dword ptr ss: [ebp-20]
00484CB9 8B51 04 mov edx, dword ptr ds: [ecx + 4]
00484CBC 8B4D DC mov ecx, dword ptr ss: [ebp-24]
00484CBF 030C02 add ecx, dword ptr ds: [edx + eax]

-----------------------------------------------------------------------------
00484CA7 3B55 9C cmp edx, dword ptr ss: [ebp-64]
Stack ss: [0012FBB8] = 00000001 ; number of bundled files: 1
edx = 00000000
-----------------------------------------------------------------------------
00484CBC 8B4D DC mov ecx, dword ptr ss: [ebp-24]
Stack ss: [0012FBF8] = 003C2330 (ASCII "SkinMagic.dll") ; name of the bundled file
ecx = 003C2370
-----------------------------------------------------------------------------
Now prepare for unpacking the main program later.
Search for the string "EXECUTABLE" (there are two hits) and double-click it:
0048596D 68 C40B4900 push Allok_Vi.00490BC4; ASCII "EXECUTABLE"
00485972 8B0D 90184900 mov ecx, dword ptr ds: [491890]; Allok_Vi.00400108
00485978 51 push ecx
00485979 8B55 E8 mov edx, dword ptr ss: [ebp-18]
0048597C 52 push edx

004859F0 8BE5 mov esp, ebp
004859F2 5D pop ebp
004859F3 C3 retn ; set an F2 breakpoint here
-----------------------------------------------------------------------------
We know the file name now; next, let's see what is done with it.
BP CreateFileA
On the second break, remove the breakpoint. The stack shows:
0012FC48 00000063c/CALL to CreateFileA from allok_vi.000000636
0012FC4C 009C17E0 |FileName = "D:\DOCUME~1\FOBNN\LOCALS~1\TEMP\MBX@540@3C2458.###" ; the file being created is the bundled file
0012FC50 40000000 |Access = GENERIC_WRITE
0012FC54 00000000 |ShareMode = 0
0012FC58 00000000 |pSecurity = NULL
0012FC5C 00000002 |Mode = CREATE_ALWAYS
0012FC60 00000000 |Attributes = 0
0012FC64 00000000 \hTemplateFile = NULL
-----------------------------------------------------------------------------
This does not mean that simply finding that file and renaming it is enough to use it.
Follow the FileName pointer in the dump:
009C17E8 5C317E45
009C17EC 4E424F46
009C17F0 4F4C5C4E
009C17F4 534C4143
009C17F8 545C317E
009C17FC 5C504D45
009C1800 4058424D
009C1804 40303435
009C1808 34324333
009C180C 232E3835
009C1810 00002323
009C1814 00000000

Change MBX@540@3C2458.### to the real file name, SkinMagic.dll.
-----------------------------------------------------------------------------
OK. With the name changed, the file is written out.
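As an added example that is not part of the original write-up, here is the defender-side view of the behaviour just observed: before loading the bundled DLL, the packed program writes it to the TEMP directory under a name of the form MBX@<hex>@<hex>.### (the page's example is MBX@540@3C2458.###). The script runs that file-creation check over constructed Sysmon-style FileCreate (Event ID 11) lines; the event format, the process paths other than Allok_Vi.exe and the hex fields in the second sample name are made up for the example.

```python
import re
from collections import Counter

# File name pattern of the temporary file the packed program writes before
# loading the bundled DLL: MBX@<hex>@<hex>.### . The field layout is taken from
# the name seen in the walkthrough; the meaning of the two hex fields is not
# needed for the match.
MBX_TEMP_NAME = re.compile(r"\\MBX@[0-9A-F]+@[0-9A-F]+\.###$", re.IGNORECASE)
TEMP_DIR_HINT = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed Sysmon-style FileCreate (Event ID 11) lines, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Program Files\Allok\Allok_Vi.exe TargetFilename=D:\DOCUME~1\FOBNN\LOCALS~1\TEMP\MBX@540@3C2458.###",
    r"EventID=11 Image=C:\WINDOWS\notepad.exe TargetFilename=D:\DOCUME~1\FOBNN\LOCALS~1\TEMP\~DF4F12.tmp",
    r"EventID=11 Image=C:\tools\sample.exe TargetFilename=C:\Users\lab\AppData\Local\Temp\MBX@1A2C@7F003000.###",
    r"EventID=11 Image=C:\tools\sample.exe TargetFilename=C:\Users\lab\Downloads\MBX@1A2C@7F003000.###",
    r"EventID=13 Image=C:\tools\sample.exe TargetObject=HKLM\Software\Example",
]

# key=value pairs; a value runs until the next " key=" or the end of the line,
# so paths containing spaces ("Program Files") survive.
FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one 'key=value key=value' event line into a dict."""
    return dict(FIELD.findall(line))


def detect_molebox_drops(lines):
    """Return one finding per FileCreate event whose target matches the MBX@ temp-file pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        target = ev.get("TargetFilename")
        if ev.get("EventID") != "11" or not target:
            continue
        if MBX_TEMP_NAME.search(target):
            findings.append({
                "image": ev.get("Image", ""),
                "target": target,
                # The walkthrough shows the drop under TEMP; a drop elsewhere is
                # kept as a finding but marked so an analyst can weigh it.
                "in_temp": bool(TEMP_DIR_HINT.search(target)),
            })
    return findings


def summarize(findings):
    """Count matching drops per writing process, so one packed program is reviewed once."""
    return Counter(f["image"] for f in findings)


if __name__ == "__main__":
    hits = detect_molebox_drops(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

The match is on the file name alone, which is deliberately narrow; pairing it with the write flags seen on the page (GENERIC_WRITE, CREATE_ALWAYS) requires API-level telemetry that plain file-creation events do not carry.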
BP GetModuleHandleA. After it breaks, remove the breakpoint and press ALT+M; a prompt appears, which can be ignored.
Memory map, item 39
Address = 10001000
Size = 0003A000 (237568.)
Owner = SkinMagi 10000000
Section = .text
Contains = code
Type = Imag 01001002
Access = R
Initial access = RWE
Select the SkinMagic .text section in the memory map and press F2 to set a breakpoint on it.

-----------------------------------------------------------------------------
Press F9; execution breaks directly at the DLL's OEP:
100010E9 55 push ebp
100010EA 8BEC mov ebp, esp
100010EC 53 push ebx
100010ED 8B5D 08 mov ebx, dword ptr ss: [ebp + 8]
100010F0 56 push esi
100010F1 8B75 0C mov esi, dword ptr ss: [ebp + C]
100010F4 57 push edi
100010F5 8B7D 10 mov edi, dword ptr ss: [ebp + 10]
-------------------------------------------------------------------
Use LordPE to dump the DLL.
Use a PE editor to set the dumped DLL's relocation directory address and size to the RVA and size of the DLL's .reloc section.

Then fix the import table. OEP = 10E9

OK. The DLL has been extracted.
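Two PE-level checks from this walkthrough, the packer indicators in the section table (the _BOX_ and MBX@ names from step ①) and the relocation-directory repair on a dumped DLL (the step just above), as one added Python example that is not from the original write-up. It uses a small hand-written PE32 header parser rather than a library; the sample image is constructed by build_test_pe32 using the .text RVA and size from the memory map above, and treating _BOX_/MBX@ section names as MoleBox indicators is an assumption drawn from this page, not a signature database.

```python
import struct

# Section names seen in the packed image's memory map in the walkthrough.
# Assumption: these are treated as MoleBox indicators for triage purposes.
MOLEBOX_SECTION_MARKERS = ("_BOX_", "MBX@")

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5   # index of the base-relocation data directory
OPT_HDR_DATADIR_OFFSET = 96           # PE32: data directories start here in the optional header
SECTION_HDR_SIZE = 40


def parse_pe32(data: bytes) -> dict:
    """Parse a PE32 image's headers: entry point, section table, base-reloc data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    reloc_dir_off = opt + OPT_HDR_DATADIR_OFFSET + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
    reloc_rva, reloc_size = struct.unpack_from("<II", data, reloc_dir_off)
    sections = []
    sec_table = opt + opt_size
    for i in range(num_sections):
        raw_name, vsize, rva = struct.unpack_from("<8sII", data, sec_table + i * SECTION_HDR_SIZE)
        name = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        sections.append({"name": name, "rva": rva, "vsize": vsize})
    return {"entry": entry, "sections": sections,
            "reloc_dir": (reloc_rva, reloc_size), "reloc_dir_off": reloc_dir_off}


def audit_image(data: bytes) -> dict:
    """Report packer indicators and whether the reloc directory points at the .reloc section."""
    pe = parse_pe32(data)
    indicators = [s["name"] for s in pe["sections"]
                  if any(s["name"].startswith(m) for m in MOLEBOX_SECTION_MARKERS)]
    reloc = next((s for s in pe["sections"] if s["name"] == ".reloc"), None)
    expected = (reloc["rva"], reloc["vsize"]) if reloc else None
    return {
        "entry_point": pe["entry"],
        "packer_indicators": indicators,
        "reloc_dir": pe["reloc_dir"],
        "reloc_section": expected,
        "reloc_dir_ok": expected is not None and pe["reloc_dir"] == expected,
    }


def fix_reloc_directory(data: bytes) -> bytes:
    """Point the base-relocation directory at the .reloc section (the repair step in the text)."""
    pe = parse_pe32(data)
    reloc = next((s for s in pe["sections"] if s["name"] == ".reloc"), None)
    if reloc is None:
        raise ValueError("image has no .reloc section; nothing to repair")
    out = bytearray(data)
    struct.pack_into("<II", out, pe["reloc_dir_off"], reloc["rva"], reloc["vsize"])
    return bytes(out)


def build_test_pe32(sections, reloc_dir=(0, 0), entry=0x10E9) -> bytes:
    """Construct a header-only PE32 (test data, not a real binary) with the given sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)                # ImageBase, as in the dump above
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                vs, rva, vs, 0, 0, 0, 0, 0, 0x40000040)
                    for n, rva, vs in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    # A dump whose reloc directory was zeroed, like the freshly dumped DLL in the text.
    dumped = build_test_pe32([(".text", 0x1000, 0x3A000), (".reloc", 0x40000, 0x2000)])
    print(audit_image(dumped))
    print(audit_image(fix_reloc_directory(dumped)))
```

Run audit_image on a dump before and after fix_reloc_directory to confirm the directory now matches the .reloc section; the packer-indicator list is what a triage script would surface for an unknown binary before any manual work in the debugger.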
==========================================
③ Unpacking the main program
Press F9; it breaks at the breakpoint set above:
004859F0 8BE5 mov esp, ebp
004859F2 5D pop ebp
004859F3 C3 retn ; breaks here

From there we reach:
0047F2CB 8B4D EC mov ecx, dword ptr ss: [ebp-14]; Allok_Vi.0041F872
0047F2CE 894D 08 mov dword ptr ss: [ebp + 8], ecx
0047F2D1 833D B4594900 0> cmp dword ptr ds: [4959B4], 0
0047F2D8 74 13 je short Allok_Vi.0047F2ED
0047F2DA 6A 00 push 0
0047F2DC 6A 00 push 0
0047F2DE 6A 00 push 0
0047F2E0 8B15 B4594900 mov edx, dword ptr ds: [4959B4]
0047F2E6 52 push edx
0047F2E7 FF15 B8174900 call dword ptr ds: [4917B8]; USER32.PostMessageA
0047F2ED 33C0 xor eax, eax
0047F2EF 5F pop edi
0047F2F0 5E pop esi
0047F2F1 5B pop ebx
0047F2F2 8BE5 mov esp, ebp
0047F2F4 5D pop ebp
0047F2F5 C3 retn


And then:
0047E72B 58 pop eax; Allok_Vi.0041F872
0047E72C 894424 24 mov dword ptr ss: [esp + 24], eax
0047E730 61 popad
0047E731 58 pop eax
0047E732 58 pop eax
0047E733 FFD0 call eax ; jumps to the OEP
0047E735 E8 A6C00000 call Allok_Vi.0048A7E0
-----------------------------------------------------------------------------
0041F872 55 push ebp ; OEP. Dump here and fix the imports.
0041F873 8BEC mov ebp, esp
0041F875 6A FF push -1
0041F877 68 68644200 push allok_vi.00410468
0041F87C 68 E8F94100 push Allok_Vi.0041F9E8 ; jmp to msvcrt._except_handler3
0041F881 64: A1 00000000 mov eax, dword ptr fs: [0]
0041F887 50 push eax
0041F888 64: 8925 0000000> mov dword ptr fs: [0], esp
0041F88F 83EC 68 sub esp, 68
0041F892 53 push ebx
0041F893 56 push esi
0041F894 57 push edi
0041F895 8965 E8 mov dword ptr ss: [ebp-18], esp
0041F898 33DB xor ebx, ebx
0041F89A 895D FC mov dword ptr ss: [ebp-4], ebx
0041F89D 6A 02 push 2
-----------------------------------------------------------------------------
④ Cracking
Run the unpacked program.
Cracking is quite simple: write in the user name and registration code directly and change the registration flag.
