############################################################################

Target: SuperDVDRipper 1.90  http://www.dvdtodivx.net
Protection: trial run, serial
Tools: IDA, OllyDbg

I don't know if this software is functional at all; when I downloaded the trial version and tried to rip a DVD I got the error message "compress frame failed", but maybe someone finds the text useful.

1. Removing nag and runtime limits, re-enabling wizard
----------------------------------------------------------

Start the program. You can see a nag telling us that we can run the app 9 times and after that the program will expire. I tried to rip a DVD to AVI but got an error message; I tried to convert VOB to SVCD and the app converted 16 frames. Never mind, only burn CD works 100%, maybe my codec is wrong. I ran the app 10 times and now when you click on Wizard there is a nag saying our program has expired.

Load the app in IDA, wait until the program is loaded and then click on the Names button. We can see there are 2328 lines; scroll down and try to find something interesting. At line 1181 we can see the "Please register" name, and at 1182 "aYou have reached", probably our trial period is over. Click on line 1182 and go back to IDA. Yes, now we can see the whole message that our trial period is over, but the more important thing is that the name is referenced from sub_4102B0; that is the function which decides whether our trial is over or not.

Now click on the Functions button and look for sub_4102B0. Find it at line 127, click on the function and get back to IDA. You should be at the code below; now let's analyze it.

.text:004102B0
.text:004102B0 push    0FFFFFFFFh
.text:004102B2 mov     eax, large fs:0
.text:004102B8 push    offset loc_495A29
.text:004102BD push    eax
.text:004102BE mov     eax, 1200h
.text:004102C3 mov     large fs:0, esp
.text:004102CA call    __alloca_probe
.text:004102CF push    ebx                          ; -----> start of our trial routine
.text:004102D0 mov     ebx, [esp+1210h+arg_0]
.text:004102D7 push    ebp
.text:004102D8 push    esi
.text:004102D9 cmp     ebx, 489h
.text:004102DF push    edi
.text:004102E0 mov     ebp, ecx                     ; -----> move number of runs
.text:004102E2 jnz     loc_410375                   ; -----> if bigger than 9, jump to the trial-over routine; NOP this jump
.text:004102E8 push    ebp
.text:004102E9 lea     ecx, [esp+1220h+var_1088]
.text:004102F0 call    sub_404880
.text:004102F5 mov     eax, [ebp+388Ch]
.text:004102FB mov     [esp+121Ch+var_4], 0
.text:00410306 test    eax, eax                     ; -----> if eax is different from 0, jump; otherwise show the register nag
.text:00410308 jnz     short loc_41032E             ; -----> we will force the jump here
.text:0041030A lea     ecx, [esp+121Ch+var_1088]
.text:00410311 call    ?DoModal@CDialog@@UAEHXZ     ; CDialog::DoModal(void)
.text:00410316 cmp     eax, 1
.text:00410319 jnz     short loc_41032E
.text:0041031B mov     eax, [ebp+20h]
.text:0041031E push    0                            ; lParam
.text:00410320 push    0                            ; wParam
.text:00410322 push    488h                         ; Msg -----> "please register" message
.text:00410327 push    eax                          ; hWnd
.text:00410328 call    ds:PostMessageA
.text:0041032E
.text:0041032E loc_41032E:                          ; CODE XREF: sub_4102B0+58j
.text:0041032E                                      ; sub_4102B0+69j  -----> we will jump here
.text:0041032E lea     ecx, [esp+121Ch+var_FE8]
.text:00410335 mov     [esp+121Ch+var_4], 2
.text:00410340 call    ??1CEdit@@UAE@XZ             ; CEdit::~CEdit(void)
.text:00410345 lea     ecx, [esp+121Ch+var_1028]
.text:0041034C mov     byte ptr [esp+121Ch+var_4], 1
.text:00410354 call    ??1CEdit@@UAE@XZ             ; CEdit::~CEdit(void)
.text:00410359 lea     ecx, [esp+121Ch+var_1088]
.text:00410360 mov     [esp+121Ch+var_4], 0FFFFFFFFh
.text:0041036B call    ??1CDialog@@UAE@XZ           ; CDialog::~CDialog(void)
.text:00410370 jmp     loc_410ADA                   ; -----> jump to 410ADA, from there to the user32 module, and the program starts
.text:00410375 ; --------------------------------------cut here--------------------------------------------------------------

Now open the ripper in Olly and go to 004102B0; you can analyze the code there. At 004102E2 right click, select Binary and then Fill with NOPs. After that, at 00410308 right click, select Binary > Edit and change 75 24 to EB 24. Go back to Olly, right click, select Copy to executable > All modifications, then Copy all, Ctrl+F4 and overwrite the file.

Now start the ripper again: there is no "please register" nag at startup. Click on Wizard and nothing happens. Why? Well, the program disables the wizard after the trial period.

Load the app in Olly, press F9 and the program starts. Now, before we press the Wizard button, we will set a breakpoint. Why now? Because if we set the breakpoint on the project selection we will see only the end of the routine. Click on Executable modules and select user32, then right click and choose View names. Scroll down to GetDlgItem; we will put a breakpoint here: right click and then Toggle breakpoint. Now press the Wizard button and Olly breaks.

We can't find anything useful here; we just want to pass this routine, and then when the dialog with the project selection pops up we can select any project we want and Olly will break again. So we will not remove our breakpoint, just keep pressing F8 until the dialog with the project shows up. After a couple of F8 presses (not too many), when we have passed the thread in the sdvdrip module and are in the mfc42 module, the dialog with our project selection is ready to go; in the right corner we can see "Running". Now click on SuperDVD Ripper on the taskbar and you can select a project. I chose DVD to AVI and Olly breaks again (don't remove our breakpoint), right at the place in mfc42 where the dialog pops up. Now press F8 slowly and after a couple of F8 presses you should be in this part of the code:

0040FCAF |.  BF 01000000        MOV EDI,1
0040FCB4 |.  3BC7               CMP EAX,EDI
0040FCB6 |.  0F85 C4030000      JNZ sdvdrip.00410080             ; -----> trial-over routine, but if you patch the app here you will get the error message "decoder not ready" all the time
0040FCBC |.  D986 2CA50000      FLD DWORD PTR DS:[ESI+A52C]
0040FCC2 |.  DC1D 509B4900      FCOMP QWORD PTR DS:[499B50]
0040FCC8 |.  DFE0               FSTSW AX
0040FCCA |.  25 00410000        AND EAX,4100
0040FCCF |.  75 0C              JNZ SHORT sdvdrip.0040FCDD       ; -----> enables the wizard; we will force the jump here
0040FCD1 |.  399E 8C380000      CMP DWORD PTR DS:[ESI+388C],EBX
0040FCD7 |.  0F84 92030000      JE sdvdrip.0041006F              ; -----> disables the wizard; jump over it and the wizard is enabled
0040FCDD |>  A1 54054F00        MOV EAX,DWORD PTR DS:[4F0554]
0040FCE2 |.  83F8 06            CMP EAX,6                        ; Switch (cases 0..6)
0040FCE5 |.  0F87 79030000      JA sdvdrip.00410064
0040FCEB |.  FF2485 54014100    JMP DWORD PTR DS:[EAX*4+410154]
---------------------------------------------------------cut here------------------------------------------------------------

So at 0040FCCF (75 0C) right click, select Binary > Edit and change 75 0C to EB 0C. Copy our modifications to the executable and that's it.

Regards to all in the exe tools forum, really a great place to learn.

by: el-kiwi

############################################################################
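Every edit in this tutorial is the same kind of change: a conditional jump (75, or the near form 0F 85) is either overwritten with NOPs or turned into an unconditional EB jump. From the defending side, that is exactly the signature a file-integrity check can look for when a shipped executable no longer matches its baseline. The script below is an added example written for this page, not code from the tutorial or from SuperDVDRipper: it hashes the image, finds the runs of bytes that differ between a known-good copy and an observed copy, and labels each run as a forced jump, a NOPed-out jump, or an unclassified change. The byte samples inside it are constructed to have the same shape as the patches above; they are not bytes from the real binary, and the offsets are plain file offsets rather than virtual addresses.

```python
"""Tamper detection for single-byte control-flow patches.

Added example (not part of the original tutorial): compare a known-good image
against an observed one and describe every run of changed bytes in terms of
the classic "force the conditional jump" edits (75 -> EB, or a JNZ NOPed out).
"""
import hashlib
from typing import List, Tuple

SHORT_JCC = range(0x70, 0x80)     # 70..7F: short Jcc rel8 (74 = JE, 75 = JNE)
NEAR_JCC_2ND = range(0x80, 0x90)  # 0F 80..8F: near Jcc rel32 (0F 85 = JNE)
SHORT_JMP = 0xEB                  # EB rel8: unconditional short jump
NOP = 0x90


def image_digest(data: bytes) -> str:
    """SHA-256 of the whole image; the baseline a defender stores for later comparison."""
    return hashlib.sha256(data).hexdigest()


def diff_runs(original: bytes, patched: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs of consecutive bytes that differ between the two images."""
    if len(original) != len(patched):
        raise ValueError("images differ in size; not an in-place byte patch")
    runs = []
    start = None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(original) - start))
    return runs


def describe_run(original: bytes, patched: bytes, off: int, length: int) -> str:
    """Classify one run of changed bytes by what instruction it used to be."""
    old = original[off:off + length]
    new = patched[off:off + length]
    all_nops = all(b == NOP for b in new)
    if length == 1 and old[0] in SHORT_JCC and new[0] == SHORT_JMP:
        return "short conditional jump %02X forced to unconditional JMP (EB)" % old[0]
    if all_nops and length == 6 and old[0] == 0x0F and old[1] in NEAR_JCC_2ND:
        return "near conditional jump 0F %02X replaced by NOPs" % old[1]
    if all_nops and length == 2 and old[0] in SHORT_JCC:
        return "short conditional jump %02X replaced by NOPs" % old[0]
    if all_nops:
        return "%d bytes replaced by NOPs" % length
    return "unclassified change: %s -> %s" % (old.hex(), new.hex())


def classify_patches(original: bytes, patched: bytes) -> List[Tuple[int, int, str]]:
    """(offset, length, description) for every run of differing bytes."""
    return [(off, n, describe_run(original, patched, off, n))
            for off, n in diff_runs(original, patched)]


# Constructed sample: a few bytes of x86 shaped like the checks in the tutorial
# (a near JNZ followed by a short JNZ). These are NOT bytes from the real binary.
ORIGINAL = bytes.fromhex(
    "558bec"          # 0:  push ebp; mov ebp, esp
    "0f858d000000"    # 3:  jnz rel32  (near JNE, 6 bytes)
    "85c0"            # 9:  test eax, eax
    "7524"            # 11: jnz short +0x24
    "c3"              # 13: ret
)
_p = bytearray(ORIGINAL)
_p[3:9] = bytes([NOP] * 6)   # the "Fill with NOPs" edit
_p[11] = SHORT_JMP           # the "75 24 -> EB 24" edit
PATCHED = bytes(_p)

if __name__ == "__main__":
    print("baseline :", image_digest(ORIGINAL))
    print("observed :", image_digest(PATCHED))
    for off, n, what in classify_patches(ORIGINAL, PATCHED):
        print("offset 0x%04X (%d bytes): %s" % (off, n, what))
```

Running it prints a different digest for the observed copy and two findings: a six-byte near JNZ at offset 3 replaced by NOPs, and the short JNZ at offset 11 forced to EB. On a real PE you would compare section by section and translate file offsets to virtual addresses with the section table; the classification logic itself does not change.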