UltraISO is an ISO file editing and production tool for CD images. It allows you to create and edit ISO files from a CD or hard disk graphically. UltraISO can:
1. Create a CD image file from a CD-ROM.
2. Create an ISO file from a hard disk, CD, or network drive.
3. Extract files or folders from ISO files.
4. Edit various ISO files (such as the CD image files created by Nero Burning ROM, Easy CD Creator, and CloneCD).
5. Create an ISO file.

+) New ISO file processing kernel, more stable and efficient
+) Powerful restoration function, which can accurately restore the edited file to ensure that the ISO file is not damaged
+) You can create a 1.2M/1.44M/2.88M floppy disk emulation boot CD
+) Complete help file (CHM format)
+) Reopen the file list function
+) Allows you to create a CD image file in Windows 2000
*) Fixed the problem that the directory cannot be opened when burning the disc
Software: http://www.crsky.com/soft/1134.html
Use PEiD to check the packer: ASPack 2.12 -> Alexey Solodovnikov. It's a simple packer, so I won't go into unpacking it!
Load it into OllyDbg (OD) after installation:
00C0E001> 60 pushad
00C0E002 E8 03000000 call UltraISO.00C0E00A
00C0E007-E9 EB045D45 jmp 461DE4F7
00C0E00C 55 push ebp
00C0E00D C3 retn
00C0E00E E8 01000000 call UltraISO.00C0E014
00C0E013 EB 5D jmp short UltraISO.00C0E072
After unpacking:
00401620> $/EB 10 jmp short dumped.00401632
00401622. | 66: 623A bound di, dword ptr ds: [edx]
00401625. | 43 inc ebx
00401626. | 2B2B sub ebp, dword ptr ds: [ebx]
00401628. | 48 dec eax
00401629. | 4F dec edi
0040162A. | 4F dec edi
0040162B. | 4B dec ebx
0040162C. | 90 nop
0040162D.-| E9 98006400 jmp dumped.00A416CA
00401632> \ A1 8B006400 mov eax, dword ptr ds: [64008B]
00401637. C1E0 02 shl eax, 2
0040163A. A3 8F006400 mov dword ptr ds: [64008F], eax
0040163F. 52 push edx
00401640. 6A 00 push 0; /pModule = NULL
00401642. E8 5BD02300 call <jmp.&kernel32.GetModuleHandleA>; \GetModuleHandleA
Enter a user name and a registration code; the registration code is 16 characters long!
Attachment 62386
Click "OK". The registration code has been entered. Run the program again. Needless to say, the software verifies the registration on restart!
Since it verifies on restart, it must store something on the computer, either in a file or in the registry! This software stores it in the registry! Use Regshot (Regshot_2.0.1.66) to monitor the registry and see what it has written.
Attachment 62387
Attachment 62388
It stores our user name and the registration code, which looks like an MD5 hash.
Open the system registry (run "regedit") and search for "1234567890123456": it is not found, because the fake code we entered has been converted into "f5ace2b8a891ffd9fcaee0beae93fdd6" by a series of operations. In the registry, UserName holds the user name and the Registration value holds the registration code. UserName is the value name we will use below.
The program is written in BC++, and DeDe handles both BC++ and Delphi, so load the unpacked file in DeDe! Click the TfrmRegister icon.
Attachment 62427
The address 00481EC0 is the button event handler we are looking for.
Since this is a registry-based restart verification, set a breakpoint with bp RegQueryValueExA and press F9 several times until it breaks on the query below:
0012F6C4 00472CCC/CALL to RegQueryValueExA from dumped.00472CC7
0012F6C8 000000CC | hKey = CC
0012F6CC 0066E5B6 | ValueName = "UserName"
0012F6D0 00000000 | Reserved = NULL
0012F6D4 0012FAF0 | pValueType = 0012FAF0
0012F6D8 0012F7E4 | Buffer = 0012F7E4
0012F6DC 0012FAEC \ pBufSize = 0012FAEC
0012F6E0 505C3A43
Now is the best time to return to the program's own code: Alt+F9 returns to the program's code.
00472CCC |. 85C0 test eax, eax
Next, step down with F8 one instruction at a time.
00472F34 |. 68 94C48200 push dumped.0082C494; ASCII "hello"
00472F39 |. E8 BEA31B00 call dumped.0062D2FC
00472F3E |. 83C4 08 add esp, 8
00472F41 |. FF75 0C push dword ptr ss: [ebp + C]
00472F44 |. 68 98C58200 push dumped.0082C598; ASCII "1234567890123456"
00472F49 |. E8 AEA31B00 call dumped.0062D2FC
00472F4E |. 83C4 08 add esp, 8
00472F51 |. B8 01000000 mov eax, 1
00472F56 |> 8BE5 mov esp, ebp
00472F58 |. 5D pop ebp
00472F59 \. C3 retn
Set a breakpoint with F2 at 00472F59, run with Shift+F9, and continue stepping with F8.
00403344./74 0D je short dumped.00403353
00403346. | FF35 54E46700 push dword ptr ds: [67E454];/ExitCode = FFFFFFFF
0040334C. | E8 5BB22300 call <jmp.&kernel32.ExitProcess>; \ExitProcess
00403351. | EB 07 jmp short dumped.0040335A
00403353> \ 33C0 xor eax, eax
It must jump here, or the program will be OVER (ExitProcess)!
00403362. E8 75C01E00 call dumped.005EF3DC; brings up the registration dialog box
00403027 8B0D 94B76800 mov ecx, dword ptr ds: [68B794];
0040302D A1 C0006400 mov eax, dword ptr ds: [6400C0]; these two values are a bit strange, and they are what we need for a perfect crack
00403032 3BC8 cmp ecx, eax
00403034 74 19 je short dumped.0040304F; key jump
00403036 8B15 08BC6C00 mov edx, dword ptr ds: [6CBC08]; dumped.00B4ACE8
; Key jump: the functions above read our user name and fake code, perform some checks, and jump if the registration is valid. It does not jump, so I want to make it jump.
Key Aspect 1:
00401DAB |. E8 A8B62200 | call dumped.0062D458
00401DB0 |. 83C4 0C | add esp, 0C
00401DB3 |. 8945 BC | mov dword ptr ss: [ebp-44], eax
00401DB6 |. 8B45 BC | mov eax, dword ptr ss: [ebp-44]
00401DB9 |. 85C0 | test eax, eax
00401DBB 7E 09 jle short dumped.00401DC6; jump here
00401DBD |. 8B55 D8 | mov edx, dword ptr ss: [ebp-28]
00401DC0 |. 4A | dec edx
Key Aspect 2:
00401DF3 |. A1 94B76800 | mov eax, dword ptr ds: [68B794]
00401DF8 |. 3BC8 | cmp ecx, eax
00401DFA 75 2E jnz short dumped.00401E2A; this is a key point and must not jump
mov edx, dword ptr ds: [6400C0]
mov dword ptr ds: [68B794], edx
cmp ecx, eax
jnz xxxx
It jumps when the two are not equal, so we want the contents of the two locations to be equal; this is where the software limits the ISO size.
1.
00401DBB |./7E 09 | jle short dumped.00401DC6; jump here and change it to JMP
00401DBD |. | 8B55 D8 | mov edx, dword ptr ss: [ebp-28]
00401DC0 |. | 4A | dec edx
00401DC1 |. | 8955 DC | mov dword ptr ss: [ebp-24], edx
00401DC4 |. | EB 56 | jmp short dumped.00401E1C
00401DC6 |> \ 8B4D BC | mov ecx, dword ptr ss: [ebp-44]
00401DC9 |. 85C9 | test ecx, ecx
00401DCB |. 7D 09 | jge short dumped.00401DD6
00401DCD |. 8B45 D8 | mov eax, dword ptr ss: [ebp-28]
00401DD0 |. 40 | inc eax
00401DD1 |. 8945 C8 | mov dword ptr ss: [ebp-38], eax
00401DD4 |. EB 46 | jmp short dumped.00401E1C
00401DD6 |> FF0D 94B76800 | dec dword ptr ds: [68B794]
00401DDC |. FF0D 94B76800 | dec dword ptr ds: [68B794]
00401DE2 |. 8B55 D0 | mov edx, dword ptr ss: [ebp-30]
00401DE5 |. 83C2 46 | add edx, 46
00401DE8 |. 8915 489F6400 | mov dword ptr ds: [649F48], edx
00401DEE |. 8B4D D0 | mov ecx, dword ptr ss: [ebp-30]
00401DF1 |. F7D1 | not ecx
00401DF3 |. A1 94B76800 | mov eax, dword ptr ds: [68B794]
00401DF8 |. 3BC8 | cmp ecx, eax
00401DFA 74 2E je short dumped.00401E2A; change to JE
00401DFC |. 8B15 C0006400 | mov edx, dword ptr ds: [6400C0]
00401E02 |. 8915 94B76800 | mov dword ptr ds: [68B794], edx
2.
004453B7 ./7E 09 jle short dumped.004453C2; change to JMP
004453B9 . | 8B55 D8 mov edx, dword ptr ss: [ebp-28]
004453BC . | 4A dec edx
004453BD . | 8955 DC mov dword ptr ss: [ebp-24], edx
004453C0 . | EB 56 jmp short dumped.00445418
004453C2 > \ 8B4D BC mov ecx, dword ptr ss: [ebp-44]
004453C5 . 85C9 test ecx, ecx
004453C7 . 7D 09 jge short dumped.004453D2
004453C9 . 8B45 D8 mov eax, dword ptr ss: [ebp-28]
004453CC . 40 inc eax
004453CD . 8945 C8 mov dword ptr ss: [ebp-38], eax
004453D0 . EB 46 jmp short dumped.00445418
004453D2 > FF0D 94B76800 dec dword ptr ds: [68B794]
004453D8 . FF0D 94B76800 dec dword ptr ds: [68B794]
004453DE . 8B55 D0 mov edx, dword ptr ss: [ebp-30]
004453E1 . 83C2 46 add edx, 46
004453E4 . 8915 248E6600 mov dword ptr ds: [668E24], edx
004453EA . 8B4D D0 mov ecx, dword ptr ss: [ebp-30]
004453ED . F7D1 not ecx
004453EF . A1 94B76800 mov eax, dword ptr ds: [68B794]
004453F4 . 3BC8 cmp ecx, eax
004453F6 . 75 2E jnz short dumped.00445426; change to JZ
004453F8 . 8B15 C0006400 mov edx, dword ptr ds: [6400C0]
004453FE . 8915 94B76800 mov dword ptr ds: [68B794], edx
3.
004AEEE8/7E 09 jle short dumped.004AEEF3; changed to JMP
004AEEEA. | 8B55 D8 mov edx, dword ptr ss: [ebp-28]
004AEEED. | 4A dec edx
004AEEEE. | 8955 DC mov dword ptr ss: [ebp-24], edx
004AEEF1. | EB 56 jmp short dumped.004AEF49
004AEEF3> \ 8B4D BC mov ecx, dword ptr ss: [ebp-44]
004AEEF6. 85C9 test ecx, ecx
004AEEF8. 7D 09 jge short dumped.004AEF03
004AEEFA. 8B45 D8 mov eax, dword ptr ss: [ebp-28]
004AEEFD. 40 inc eax
004AEEFE. 8945 C8 mov dword ptr ss: [ebp-38], eax
004AEF01. EB 46 jmp short dumped.004AEF49
004AEF03> FF0D 94B76800 dec dword ptr ds: [68B794]
004AEF09. FF0D 94B76800 dec dword ptr ds: [68B794]
004AEF0F. 8B55 D0 mov edx, dword ptr ss: [ebp-30]
004AEF12. 83C2 46 add edx, 46
004AEF15. 8915 ECA16800 mov dword ptr ds: [68A1EC], edx
004AEF1B. 8B4D D0 mov ecx, dword ptr ss: [ebp-30]
004AEF1E. F7D1 not ecx
004AEF20. A1 94B76800 mov eax, dword ptr ds: [68B794]
004AEF25. 3BC8 cmp ecx, eax
004AEF27. 75 2E jnz short dumped.004AEF57; change to jz
That is the complete crack.
Prepared by windowsa