VLMenuPlus 5.00.0058 patching help!!!

Site:- hxxp://www.viklele.com/

problem:- the ocx control displays the about box along with evaluation details

and ok button disabled, when ever the control is loaded in vb or 1ce the abt

box is opened in compiled mode....

i patched the ocx half the way round, now it shows registered adn no delay

in displaying the ok button,,, but just the problem is, i m not able 2 take

care of the nag,

if i try 2 patch the abt box then i get error messages,,, since the abt box

is not a messagebox, so i cant hook on messageboxa or anytrhing like that.

just needed some help in patching this nag...

thanx

TDW {RES}

[Newbie_Cracker]

Quote:

Originally Posted by The Day Walker!

if i try 2 patch the abt box then i get error messages,,, since the abt box

is not a messagebox, so i cant hook on messageboxa or anytrhing like that.

I'm confused. you didn't find MessageBox APIs, so you patched what?

I've seen something like this, SkinBoxer Demo. If I try to patch the MessageBox, It will be crashed. So the only way is emulating NAG button press by SendMessage !


But here, NAG is removable. Apply following change in VLMenu.ocx in SYSTEM32 :

Code:

1102C739   /74 1B           JE SHORT VLMenu.1102C756    ->  JMP

This will bypass NAG.

Just press few Ctrl+F9 + F8 from where you make it as a registered version to reach above address !!

hey brow, i patched where u suggested but nothing hap.

the nag is still there,,,

thanx

TDW {RES}

[Newbie_Cracker]

Hmm... I just test the VC++ 6.0 compiled file.

Didn't test .NET or others.

i dunno abt,,, VC++ files,, i just test using VB 6, but i think the patch should work 4 all.. and should not b prog depepndent.... as the same ocx is used in all the languages,,,,

thanx

TDW {RES}

[Newbie_Cracker]

Oh, last version is 5.0.0.59. Above address is for this version.

Look at the patched code :

Code:

1102C723   .  E8 F8470100   CALL VLMenu.11040F20     ->Reg check
1102C728   .  8B7D D0       MOV EDI,DWORD PTR SS:[EBP-30]
1102C72B   .  8D4D E8       LEA ECX,DWORD PTR SS:[EBP-18]
1102C72E   .  F7D7          NOT EDI
1102C730   .  FF15 7C120011 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>;  MSVBVM60.__vbaFreeObj
1102C736   .  66:85FF       TEST DI,DI
1102C739      74 1B         JE SHORT VLMenu.1102C756	      -> patch to jump over NAG sub-routine
1102C73B   .  8B16          MOV EDX,DWORD PTR DS:[ESI]
1102C73D   .  56            PUSH ESI
1102C73E   .  FF92 84080000 CALL DWORD PTR DS:[EDX+884]              ;  VLMenu.1100889D  -> Shows Nag

Reg check

Code:

11040F20   $  55            PUSH EBP
11040F21   .  8BEC          MOV EBP,ESP
11040F23   .  83EC 08       SUB ESP,8
11040F26   .  68 46380011   PUSH <JMP.&MSVBVM60.__vbaExceptHandler>  ;  SE handler installation
11040F2B   .  64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
11040F31   .  50            PUSH EAX
...
...
...
11040FC2   .  8D55 D4       LEA EDX,DWORD PTR SS:[EBP-2C]
11040FC5   .  68 DCD90011   PUSH VLMenu.1100D9DC                     ;  UNICODE "Unknown"
11040FCA   .  52            PUSH EDX
11040FCB   .  FFD6          CALL ESI                                 ;  <&MSVBVM60.__vbaStrToAnsi>
11040FCD   .  50            PUSH EAX
11040FCE   .  8D45 D8       LEA EAX,DWORD PTR SS:[EBP-28]
11040FD1   .  68 CCD90011   PUSH VLMenu.1100D9CC                     ;  UNICODE "User"
11040FD6   .  50            PUSH EAX
11040FD7   .  FFD6          CALL ESI                                 ;  <&MSVBVM60.__vbaStrToAnsi>
11040FD9   .  50            PUSH EAX
11040FDA   .  8D4D DC       LEA ECX,DWORD PTR SS:[EBP-24]
11040FDD   .  68 14950011   PUSH VLMenu.11009514                     ;  UNICODE "VLMenu2"

Find these unicode strings. This sub-routine is called by 5 Call + 1 JMP. First Call is which we want.
If you cann't find it, use following sig to find NAG sub-routine. Maybe this is applicable :

Code:

FF 15 ?? ?? ?? ?? 83 EC ?? B9 ?? 00 00 00 8B DC B8 ?? ?? ?? ?? 83 EC 10 8B 3E 89 0B 8B 4D ?? 8B 17 89 4B

Patch the first instruction to RETN 4.

Please check this sig too, for finding above mentioned JE :

Code:

FF 15 ?? ?? ?? ?? 66 85 FF ?? 1B 8B ?? 56 FF ?? ?? ?? ?? 00 85 C0 7D ?? 68

Please upload the OCX for more analysis, if these worked or not.

Regards.

hey bro...

both of ur places doesnt affect anything.......y is that so?????

4 reg check, i patched at, address:- 11040704 and made it a NOP.
and volla all unknown...

and for the nag,,i traced something,,,,
the pace u suggested 4 reg check,
1102C723 . E8 F8470100 CALL VLMenu.11040F20 ->Reg check

instead of that, cleck the last place, 1103FFA9

when i go to the abt box, this place is checked,,,,

and hence forth when ever i do right click, this place is checked and soon after the

check, the nag is displayed.

1 thing i also noted, the reg check is not done, before the abt message box is

displayed. so no nags initially, abt 1ce abt box is displayed, the nag starts appearing.

thanx

TDW {RES}


P.S. by the way i 2 downloaded the built 59. and tryin on it.

[t4d]

Viklele use VLUtils.dll to check registration details stored
in viklele.ini (%SystemRoot%\viklele.ini)
If you look at exported functions in mentioned dll (e.g DilavSi == iSvaliD) and patch it at right place you can override every Viklele registration routine.

ill give a look at it 2...

thanx

TDW {RES}