Tuts 4 You

V2m 1.0 problem fix with IDA Pro


Yeah, today I discovered that most of tPORt's releases, even those with v2m's in them (mostly with libv2 1.0), don't work on Vista and higher, so if you wanna test these releases/have some experience with them but you're just too lazy to open them up in XP (or simply don't have it), here's how I did it:

I first opened one of tPORt's releases with a v2m in it that I have in my collection with IDA Pro, then analyzed the whole EXE file. The v2m initialization mostly starts with the DirectSoundCreate function, which was called from this:

PS_____:00406E82 sub_406E82      proc near               ; CODE XREF: sub_403DEA+38↑p
PS_____:00406E82 var_9C          = dword ptr -9Ch
PS_____:00406E82 arg_0           = dword ptr  4
PS_____:00406E82 arg_4           = dword ptr  8
PS_____:00406E82 arg_8           = dword ptr  0Ch
PS_____:00406E82                 pusha
PS_____:00406E83                 mov     ebx, offset dword_6722B4
PS_____:00406E88                 mov     ecx, 20082h
PS_____:00406E8D                 mov     edi, ebx
PS_____:00406E8F                 xor     eax, eax
PS_____:00406E91                 rep stosb
PS_____:00406E93                 mov     esi, [esp+20h+arg_0]
PS_____:00406E97                 mov     [ebx+0Ch], esi
PS_____:00406E9A                 mov     esi, [esp+20h+arg_4]
PS_____:00406E9E                 mov     [ebx+10h], esi
PS_____:00406EA1                 lea     esi, [ebx+8]
PS_____:00406EA4                 mov     [esi], eax
PS_____:00406EA6                 push    eax             ; pUnkOuter
PS_____:00406EA7                 push    esi             ; ppDS
PS_____:00406EA8                 push    eax             ; pcGuidDevice
PS_____:00406EA9                 call    DirectSoundCreate
PS_____:00406EAE                 mov     esi, [esi]
PS_____:00406EB0                 or      esi, esi
PS_____:00406EB2                 jz      short loc_406ED5
PS_____:00406EB4                 mov     al, 2
PS_____:00406EB6                 push    eax
PS_____:00406EB7                 push    [esp+24h+arg_8]
PS_____:00406EBB                 push    esi
PS_____:00406EBC                 mov     edi, [esi]
PS_____:00406EBE                 call    dword ptr [edi+18h]
PS_____:00406EC1                 or      eax, eax
PS_____:00406EC3                 jnz     short loc_406ED5
PS_____:00406EC5                 push    eax
PS_____:00406EC6                 lea     ebp, [ebx+4]
PS_____:00406EC9                 push    ebp
PS_____:00406ECA                 push    offset dword_407194
PS_____:00406ECF                 push    esi
PS_____:00406ED0                 call    dword ptr [edi+0Ch]
PS_____:00406ED3                 or      eax, eax
PS_____:00406ED5 loc_406ED5:                             ; CODE XREF: sub_406E82+30↑j
PS_____:00406ED5                                         ; sub_406E82+41↑j
PS_____:00406ED5                 jnz     short loc_406EE6
PS_____:00406ED7                 push    eax
PS_____:00406ED8                 lea     edx, [ebx]
PS_____:00406EDA                 push    edx
PS_____:00406EDB                 push    offset dword_407180
PS_____:00406EE0                 push    esi
PS_____:00406EE1                 call    dword ptr [edi+0Ch]
PS_____:00406EE4                 or      eax, eax
PS_____:00406EE6 loc_406EE6:                             ; CODE XREF: sub_406E82:loc_406ED5↑j
PS_____:00406EE6                                         ; sub_406E82+A6↓j
PS_____:00406EE6                 jnz     loc_406FB4
PS_____:00406EEC                 lea     edi, [ebx+70h]
PS_____:00406EEF                 push    edi
PS_____:00406EF0                 lea     esi, word_40716E
PS_____:00406EF6                 lea     ecx, [eax+12h]
PS_____:00406EF9                 rep movsb
PS_____:00406EFB                 mov     esi, [ebp+0]
PS_____:00406EFE                 push    esi
PS_____:00406EFF                 mov     edi, [esi]
PS_____:00406F01                 call    dword ptr [edi+38h]
PS_____:00406F04                 xor     esi, esi
PS_____:00406F06                 push    2
PS_____:00406F0B                 lea     edx, [ebx+2Ch]
PS_____:00406F0E                 push    edx
PS_____:00406F0F                 lea     edx, [ebx+28h]
PS_____:00406F12                 push    edx
PS_____:00406F13                 lea     edx, [ebx+24h]
PS_____:00406F16                 push    edx
PS_____:00406F17                 lea     edx, [ebx+20h]
PS_____:00406F1A                 push    edx
PS_____:00406F1B                 push    esi
PS_____:00406F1C                 push    esi
PS_____:00406F1D                 mov     ebp, [ebx]
PS_____:00406F1F                 mov     esi, [ebp+0]
PS_____:00406F22                 push    ebp
PS_____:00406F23                 call    dword ptr [esi+2Ch]
PS_____:00406F26                 or      eax, eax
PS_____:00406F28                 jnz     short loc_406EE6
PS_____:00406F2A                 mov     ecx, [ebx+24h]
PS_____:00406F2D                 mov     edi, [ebx+20h]
PS_____:00406F30                 rep stosb
PS_____:00406F32                 mov     ecx, [ebx+2Ch]
PS_____:00406F35                 mov     edi, [ebx+28h]
PS_____:00406F38                 rep stosb
PS_____:00406F3A                 push    dword ptr [ebx+2Ch]
PS_____:00406F3D                 push    dword ptr [ebx+28h]
PS_____:00406F40                 push    dword ptr [ebx+24h]
PS_____:00406F43                 push    dword ptr [ebx+20h]
PS_____:00406F46                 push    ebp
PS_____:00406F47                 call    dword ptr [esi+4Ch]
PS_____:00406F4A                 or      eax, eax
PS_____:00406F4C                 jnz     short loc_406FB4
PS_____:00406F4E                 mov     dword ptr [ebx+68h], 0FFFF0000h
PS_____:00406F55                 mov     dword ptr [ebx+6Ch], 0FFFF0000h
PS_____:00406F5C                 xor     eax, eax
PS_____:00406F5E                 push    eax             ; lpName
PS_____:00406F5F                 push    eax             ; bInitialState
PS_____:00406F60                 push    eax             ; bManualReset
PS_____:00406F61                 push    eax             ; lpEventAttributes
PS_____:00406F62                 call    CreateEventA
PS_____:00406F67                 mov     [ebx+40h], eax
PS_____:00406F6A                 lea     eax, [ebx+48h]
PS_____:00406F6D                 push    eax             ; lpCriticalSection
PS_____:00406F6E                 call    InitializeCriticalSection
PS_____:00406F73                 xor     eax, eax
PS_____:00406F75                 inc     al
PS_____:00406F77                 push    eax
PS_____:00406F78                 push    1
PS_____:00406F7D                 dec     al
PS_____:00406F7F                 push    eax
PS_____:00406F80                 push    eax
PS_____:00406F81                 push    ebp             ; nPriority
PS_____:00406F82                 call    dword ptr [esi+30h]
PS_____:00406F85                 or      eax, eax
PS_____:00406F87                 jnz     short loc_406FB4
PS_____:00406F89                 fld     flt_406E50
PS_____:00406F8F                 fstp    dword ptr [ebx+14h]
PS_____:00406F92                 lea     edx, [ebx+3Ch]
PS_____:00406F95                 push    edx             ; lpThreadId
PS_____:00406F96                 push    eax             ; dwCreationFlags
PS_____:00406F97                 push    eax             ; lpParameter
PS_____:00406F98                 push    offset sub_407009 ; lpStartAddress
PS_____:00406F9D                 push    eax             ; dwStackSize
PS_____:00406F9E                 push    eax             ; lpThreadAttributes
PS_____:00406F9F                 call    CreateThread
PS_____:00406FA4                 mov     [ebx+1Ch], eax
PS_____:00406FA7                 inc     [esp+9Ch+var_9C]
PS_____:00406FAA                 push    eax             ; hThread
PS_____:00406FAB                 call    SetThreadPriority
PS_____:00406FB0                 popa
PS_____:00406FB1                 stc
PS_____:00406FB2                 jmp     short loc_406FBB
PS_____:00406FB4 ; ---------------------------------------------------------------------------
PS_____:00406FB4 loc_406FB4:                             ; CODE XREF: sub_406E82:loc_406EE6↑j
PS_____:00406FB4                                         ; sub_406E82+CA↑j ...
PS_____:00406FB4                 call    sub_406FC0
PS_____:00406FB9                 popa
PS_____:00406FBA                 clc
PS_____:00406FBB loc_406FBB:                             ; CODE XREF: sub_406E82+130↑j
PS_____:00406FBB                 sbb     eax, eax
PS_____:00406FBD                 retn    0Ch
PS_____:00406FBD sub_406E82      endp

... then from this subroutine, which was called in DialogFunc:

PS_____:00403DEA sub_403DEA      proc near
PS_____:00403DEA var_4           = dword ptr -4
PS_____:00403DEA arg_0           = dword ptr  4
PS_____:00403DEA arg_4           = dword ptr  8
PS_____:00403DEA                 mov     ecx, [esp+arg_0]
PS_____:00403DEE                 mov     edx, offset dword_40B160
PS_____:00403DF3                 call    sub_403558
PS_____:00403DF8                 call    sub_403666
PS_____:00403DFD                 push    [esp+arg_4]
PS_____:00403E01                 xor     eax, eax
PS_____:00403E03                 push    eax
PS_____:00403E04                 push    offset sub_403D0F
PS_____:00403E09                 mov     dword_40B154, eax
PS_____:00403E0E                 mov     dword_40B150, eax
PS_____:00403E13                 mov     dword_40A718, eax
PS_____:00403E18                 mov     dword_40A71C, 1
PS_____:00403E22                 call    sub_406E82
PS_____:00403E27                 fld1
PS_____:00403E29                 push    ecx
PS_____:00403E2A                 fstp    [esp+4+var_4]   ; float
PS_____:00403E2D                 call    sub_407147
PS_____:00403E32                 retn    8
PS_____:00403E32 sub_403DEA      endp

and this was the block of code where the v2m playback was initiated:

PS_____:00401AD4                 call    sub_403DEA
PS_____:00401AD9                 call    sub_403E35
PS_____:00401ADE                 mov     byte_409520, 1

So what I did was patch them with NOPs only, so this skips the whole V2M playback subroutine (yep, it will not play v2m anymore):

Final result (for example, I chose AutoRun_Pro_6.0.1.40.Keygen.ev1l^4.tPORt):

Without patching (with v2m playback called, and about to play in the keygen) you may get this error (which manifests from Vista and higher - the keygen will run normally with v2m playback only on Windows XP):

Other results:

MetaProducts Flash and Media Capture v1.2.43 SR1 by tPORt

But I know there was a patch solution for it that I found months ago which can play the v2m's in Windows 7 with libv2 1.0; idk if it really does, but if I find it and the patch solution works even on 7, maybe I'll post the solution.
Anyway, this is how I fixed the releases using IDA only.
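As an added example (not the post's code, nor tPORt's), here is a Python helper for the patch step described above: it maps the virtual address IDA shows to a file offset and NOPs the two calls at 00401AD4 and 00401AD9 only after checking that each byte really is an E8 call that decodes to sub_403DEA / sub_403E35, so a wrong offset cannot silently corrupt other code. The section table values, image base and sample bytes are constructed, and leaving the mov after the calls in place is an assumption.

```python
import struct

NOP = 0x90          # one-byte x86 NOP
CALL_REL32 = 0xE8   # opcode of the 5-byte near CALL rel32 form

def va_to_file_offset(va, image_base, sections):
    """Map a virtual address shown by IDA to an offset in the file on disk.
    sections: list of (rva, raw_size, pointer_to_raw_data) from the PE
    section table (IDA's Segments window shows the same values)."""
    rva = va - image_base
    for sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:#x} is not backed by any section on disk")

def nop_out_calls(data, va, image_base, sections, expected_targets):
    """Replace consecutive CALL rel32 instructions starting at `va` with NOPs,
    but only if each one is an E8 call to the target the disassembly showed.
    Returns (patched copy, list of patched file offsets)."""
    patched = bytearray(data)
    offsets = []
    off = va_to_file_offset(va, image_base, sections)
    for target in expected_targets:
        if patched[off] != CALL_REL32:
            raise ValueError(f"expected E8 at {va:#x}, found {patched[off]:#04x}")
        rel = struct.unpack_from("<i", patched, off + 1)[0]
        actual = va + 5 + rel          # rel32 is relative to the next instruction
        if actual != target:
            raise ValueError(f"call at {va:#x} goes to {actual:#x}, not {target:#x}")
        patched[off:off + 5] = bytes([NOP] * 5)
        offsets.append(off)
        off += 5
        va += 5
    return patched, offsets

# Constructed sample (not the real keygen): the three instructions listed at
# 00401AD4 in the post, encoded as an assembler would emit them, inside a fake
# .text section (RVA 0x1000, raw pointer 0x400) with image base 0x400000.
IMAGE_BASE = 0x400000
SECTIONS = [(0x1000, 0x9000, 0x400)]
SAMPLE = bytearray(0x9400)
SAMPLE_OFF = va_to_file_offset(0x401AD4, IMAGE_BASE, SECTIONS)
SAMPLE[SAMPLE_OFF:SAMPLE_OFF + 17] = bytes.fromhex(
    "E8 11 23 00 00"          # call sub_403DEA
    "E8 57 23 00 00"          # call sub_403E35
    "C6 05 20 95 40 00 01")   # mov byte_409520, 1 (left in place)

def patch_sample():
    # NOP the two calls from the post; the mov after them is untouched.
    return nop_out_calls(SAMPLE, 0x401AD4, IMAGE_BASE, SECTIONS, [0x403DEA, 0x403E35])
```

Run the same checks against the real file before writing it back; if the E8 or target check fails, the image base or section table you assumed is wrong and nothing should be patched.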


As a matter of fact, since I have all their resources, I'm gonna remake some of these templates above, but using MagicH's v2m engine on them for an almost-full experience (perhaps I won't include their keygen algos). And I'll be posting them directly in the Downloads section.
