Exetools

The Day Walker! 04-12-2006 03:45

VLMenuPlus 5.00.0058 patching help!!!
 
Site:- hxxp://www.viklele.com/

problem:- the ocx control displays the about box along with evaluation details and ok button disabled, whenever the control is loaded in vb or 1ce the abt box is opened in compiled mode....

i patched the ocx half the way round, now it shows registered and no delay in displaying the ok button,,, but just the problem is, i m not able 2 take care of the nag,

if i try 2 patch the abt box then i get error messages,,, since the abt box is not a messagebox, so i cant hook on messageboxa or anything like that.

just needed some help in patching this nag...

thanx

TDW {RES}

Newbie_Cracker 04-13-2006 09:19

Quote:

Originally Posted by The Day Walker!
if i try 2 patch the abt box then i get error messages,,, since the abt box is not a messagebox, so i cant hook on messageboxa or anything like that.

I'm confused. you didn't find MessageBox APIs, so you patched what? ;)

I've seen something like this: SkinBoxer Demo. If I try to patch the MessageBox, it will crash. So the only way is emulating the NAG button press by SendMessage!

But here, the NAG is removable. Apply the following change in VLMenu.ocx in SYSTEM32:

Code:

1102C739  /74 1B          JE SHORT VLMenu.1102C756    ->  JMP

This will bypass NAG. :)

Just press a few Ctrl+F9 + F8 from where you make it a registered version to reach the above address!!

The Day Walker! 04-14-2006 11:56

hey bro, i patched where u suggested but nothing hap. the nag is still there,,,

thanx

TDW {RES}

Newbie_Cracker 04-15-2006 06:38

Hmm... I just tested the VC++ 6.0 compiled file. Didn't test .NET or others.

The Day Walker! 04-16-2006 03:24

i dunno abt,,, VC++ files,, i just test using VB 6, but i think the patch should work 4 all.. and should not b prog dependent.... as the same ocx is used in all the languages,,,,

thanx

TDW {RES}

Newbie_Cracker 04-16-2006 04:52

Oh, the last version is 5.0.0.59. The above address is for this version.

Look at the patched code:

Code:

1102C723  .  E8 F8470100  CALL VLMenu.11040F20    ->Reg check
1102C728  .  8B7D D0      MOV EDI,DWORD PTR SS:[EBP-30]
1102C72B  .  8D4D E8      LEA ECX,DWORD PTR SS:[EBP-18]
1102C72E  .  F7D7          NOT EDI
1102C730  .  FF15 7C120011 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
1102C736  .  66:85FF      TEST DI,DI
1102C739      74 1B        JE SHORT VLMenu.1102C756              -> patch to jump over NAG sub-routine
1102C73B  .  8B16          MOV EDX,DWORD PTR DS:[ESI]
1102C73D  .  56            PUSH ESI
1102C73E  .  FF92 84080000 CALL DWORD PTR DS:[EDX+884]              ;  VLMenu.1100889D  -> Shows Nag


Reg check
Code:

11040F20  $  55            PUSH EBP
11040F21  .  8BEC          MOV EBP,ESP
11040F23  .  83EC 08      SUB ESP,8
11040F26  .  68 46380011  PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
11040F2B  .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
11040F31  .  50            PUSH EAX
...
...
...
11040FC2  .  8D55 D4      LEA EDX,DWORD PTR SS:[EBP-2C]
11040FC5  .  68 DCD90011  PUSH VLMenu.1100D9DC                    ;  UNICODE "Unknown"
11040FCA  .  52            PUSH EDX
11040FCB  .  FFD6          CALL ESI                                ;  <&MSVBVM60.__vbaStrToAnsi>
11040FCD  .  50            PUSH EAX
11040FCE  .  8D45 D8      LEA EAX,DWORD PTR SS:[EBP-28]
11040FD1  .  68 CCD90011  PUSH VLMenu.1100D9CC                    ;  UNICODE "User"
11040FD6  .  50            PUSH EAX
11040FD7  .  FFD6          CALL ESI                                ;  <&MSVBVM60.__vbaStrToAnsi>
11040FD9  .  50            PUSH EAX
11040FDA  .  8D4D DC      LEA ECX,DWORD PTR SS:[EBP-24]
11040FDD  .  68 14950011  PUSH VLMenu.11009514                    ;  UNICODE "VLMenu2"


Find these unicode strings. This sub-routine is called by 5 Call + 1 JMP. The first Call is the one we want.
If you can't find it, use the following sig to find the NAG sub-routine. Maybe this is applicable:

Code:

FF 15 ?? ?? ?? ?? 83 EC ?? B9 ?? 00 00 00 8B DC B8 ?? ?? ?? ?? 83 EC 10 8B 3E 89 0B 8B 4D ?? 8B 17 89 4B

Patch the first instruction to RETN 4.

Please check this sig too, for finding the above-mentioned JE:

Code:

FF 15 ?? ?? ?? ?? 66 85 FF ?? 1B 8B ?? 56 FF ?? ?? ?? ?? 00 85 C0 7D ?? 68

Please upload the OCX for more analysis, if these worked or not. :)

Regards.

The Day Walker! 04-16-2006 19:43

hey bro...

both of ur places doesn't affect anything.......y is that so?????

4 reg check, i patched at, address:- 11040704 and made it a NOP.
and voila all unknown...

and for the nag,,i traced something,,,,
the place u suggested 4 reg check,
1102C723 . E8 F8470100 CALL VLMenu.11040F20 ->Reg check

instead of that, check the last place, 1103FFA9

when i go to the abt box, this place is checked,,,,

and henceforth whenever i do right click, this place is checked and soon after the check, the nag is displayed.

1 thing i also noted, the reg check is not done, before the abt message box is displayed. so no nags initially, abt 1ce abt box is displayed, the nag starts appearing.

thanx

TDW {RES}


P.S. by the way i 2 downloaded the build 59. and tryin on it.

t4d 04-18-2006 19:15

Viklele uses VLUtils.dll to check registration details stored in viklele.ini (%SystemRoot%\viklele.ini).
If you look at exported functions in mentioned dll (e.g DilavSi == iSvaliD) and patch it at right place you can override every Viklele registration routine.

The Day Walker! 04-19-2006 03:48

i'll give a look at it 2...

thanx

TDW {RES}


All times are GMT +8.