
 Target : CleanUp 1.5
 Toolz: SICE, W32Dasm
 Level: 1
 Protection: Serial, 30-day limit
 URL: http://www.worldlynx.net/pgehart

 Background info:

 I was browsing thru ShareWare.com for some new cool shareware stuff that I could
 actually use.. not just pick 'em and crack 'em. Nope.. I don't prefer doing that.
 But this time I was lucky.. I found CleanUp: (Taken from the program)

 Automatically finds files you believe to be useless and lets you delete them.
 CleanUp never deletes anything without first letting you review those files.

 Go ahead, save a Meg!

 
 Btw.. this tute will only show the easier, shorter way ;).. the other way can 
 be done thru by BPX GetWindowTextA and happy tracing...
 Let's roll on.. if you fill up the reg boxes with your dummy info you get a nag
 saying Name / Code mis-match or something like that.. I fired up my w32dasm
 and did some disassembling, this is what I eventually came up:

 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
 |:00408410(C), :0040842A(C) <-- Hiho
 |
 :00408496 6A00                    push 00000000
 :00408498 6A00                    push 00000000
 
 * Possible StringData Ref from Data Obj ->"Name / Code mis-match. Try again."

 heh .. i scrolled up little up since I saw the referenced address wasn't far away.. 
 and coz address 40842A was closer than the other one I went straight on to it.. :

 :0040841E E80DCDFFFF              call 00405130 <-- call to serial check
 :00408423 25FF000000              and eax, 000000FF
 :00408428 85C0                    test eax, eax  <-- how did you do?
 :0040842A 746A                    je 00408496  <-- if eax == 0, jump to reg failed
 :0040842C E87F96FFFF              call 00401AB0
 :00408431 894584                  mov dword ptr [ebp-7C], eax
 :00408434 8D4DF0                  lea ecx, dword ptr [ebp-10]
 :00408437 E86496FFFF              call 00401AA0
 :0040843C 50                      push eax

 There's a similar check if you scroll a little up to see the second reference.. 
 lets see there..
 
 trace this call 
 
 :00408409 E8F2010000              call 00408600 (scroll a tiny bit up!)
 -----------------------------------------------------------------------
 :00408600 55                      push ebp
 :00408601 8BEC                    mov ebp, esp
 :00408603 51                      push ecx
 :00408604 894DFC                  mov dword ptr [ebp-04], ecx
 :00408607 8B4DFC                  mov ecx, dword ptr [ebp-04]
 :0040860A E8F18CFFFF              call 00401300 <-- ya gotta trace this one too

 :00401300 55                      push ebp
 :00401301 8BEC                    mov ebp, esp
 :00401303 51                      push ecx
 :00401304 894DFC                  mov dword ptr [ebp-04], ecx
 :00401307 8B45FC                  mov eax, dword ptr [ebp-04]
 :0040130A 8B00                    mov eax, dword ptr [eax] <-- your serial in [eax]
 :0040130C 83E80C                  sub eax, 0000000C
 :0040130F 8BE5                    mov esp, ebp
 :00401311 5D                      pop ebp
 :00401312 C3                      ret

 If you look the right upper corner in SICE window you can see the highlited code there..
 place a mouse cursor upon it and press right button and choose display code.. it indeed
 does what it says ;)

 -C_DKnight

 yah.. the usual greetings go to everyone I'm lucky to know at #cracking4newbies, #caliber & #cdrinfo
 u r0ck l33t0rs..