WHY PATCHING WHILE SERIAL NUMBER IS FISHY

CleanReg v3.25/3.26
A Cracking Tutorial by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material.


ABOUT THE PROGRAM

CleanReg is best used as a registry monitor program. Running CleanReg can alert you to registry intrusions and help clean up after uninstalling programs or systems.

Normally when something is installed on the computer, it is associated with one or more files on a disk. These files usually have the extension EXE or DLL. Also, files used by the program are added to the registry and can have any extension. Files are added to the registry by the programs that use them, and the use is defined by that program. So only the developer of the program knows if the reference is required for proper operation or was added for another reason and is not required. The excellent program ICQ is an example of a program that adds many files to the registry, and I have no idea why, so I leave them alone.

CleanReg scans for the files referenced in the registry and provides an easy method to eliminate the reference. In some cases just the reference should be removed by zapping the name, and in other cases an entire high-level key needs to be deleted. In other cases the file reference should not be changed.

File names that have the extension DLL or EXE are located by testing the system directories and the system PATH environment variable. Not all files, especially DLLs and EXEs, need to be in a system-defined path; they may be located by the using program with the using program's search criteria.


WHERE TO DOWNLOAD

Author   : Armstrong Systems House, Inc
Homepage : http://www.CleanReg.com
URL      : http://www.armstrongsystems.bizland.com/free/CleanReg3.exe
Size     : 1.5 MB as of August 08, 2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is packed with UPX. I suggest you unpack the .exe file before you practise by yourself. In this tute I didn't unpack it at all, so unexpected occurrence(s) might happen on your PC.

1. Run CLEANREG.EXE, click the OPTIONS/ENTER REG CODE submenu, and in the registration dialog box type the following information:

   Name : Chavit 'Jueteng' Singson
   Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows:

   BPX hmemcpy [enter]

   then press F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Within SoftIce press F11, F5, F11, then F12 11 times until you break at:

   ______________________________________________________________
   015F:004062E7  E8D0B90000  CALL  00411CBC
   015F:004062EC  8BF8        MOV   EDI,EAX
   015F:004062EE  85FF        TEST  EDI,EDI
   015F:004062F0  745C        JZ    0040634E
   015F:004062F2  8B4C2408    MOV   ECX,[ESP+08]
   015F:004062F6  8B41F8      MOV   EAX,[ECX-08]
   015F:004062F9  85C0        TEST  EAX,EAX
   015F:004062FB  7E51        JLE   0040634E
   015F:004062FD  8D542410    LEA   EDX,[ESP+10]
   015F:00406301  8D44240C    LEA   EAX,[ESP+0C]
   015F:00406305  52          PUSH  EDX
   015F:00406306  8D4C240C    LEA   ECX,[ESP+0C]
   015F:0040630A  50          PUSH  EAX
   015F:0040630B  51          PUSH  ECX
   015F:0040630C  E83FB20000  CALL  00411550
   015F:00406311  83C40C      ADD   ESP,0C
   015F:00406314  85C0        TEST  EAX,EAX
   015F:00406316  7436        JZ    0040634E
   015F:00406318  397C2410    CMP   [ESP+10],EDI
   015F:0040631C  7530        JNZ   0040634E
   _________________________CLEANREG3!UPX0+52E7___________________

   Now clear/disable the previous breakpoint by typing:

   bc 00 [enter]

   Create a new breakpoint by typing:

   bpx 015F:004062E7 [enter]
   u 015F:004062E7 [enter]

4. Press F10 once - stop at 015F:004062EE - and look at the Register Window. Don't you think it strange that the contents of the EAX and EDI registers remain the same? Let's check what is in there:

   ? EAX [enter] and/or ? EDI [enter]

   SoftIce will respond:

   046755DA 0073881050 " gU "

   ... that's your fake reg code. Here you can presume that if your fake code is more than 10 characters long, you'll be thrown to another location as instructed by the JZ instruction at 015F:004062F0.

5. Press F10 4 times - stop at 015F:004062F6 - and display the ECX register by typing:

   D ECX [enter]

   Did you see your user name appear in the Data Window?

6. Keep pressing F10 and stop at 015F:00406318, then look at the Register Window... in my case the SS line looks as follows:

   ....... FS=35E7 GS=0000 SS:0066F3E0=0FC7E2B4

   Let's check the value shown on the SS line:

   ? 0FC7E2B4 [enter]

   SoftIce will respond:

   0FC7E2B4 0264757940 " "

   Write down 0264757940 as your suspicious reg code, because if you press F10 once again you'll jump past the JNZ instruction at 015F:0040631C and get the beggar-off message. During this step you will not see the SS contents loaded into any register or flag... that's the reason I call this number suspicious.

   To prove this, try a fake reg code 10 characters long: right after the JZ instruction at 015F:004062F0 you'll be thrown to 015F:0040634E rather than continuing to the next memory address. Later you'll find the same JZ instruction again at 015F:00406316.

7. Disable all breakpoints by typing BC * [enter]. Press F5 or X to return to the main program.

8. Repeat the registration procedure and key in 0264757940 as your S/N. Click the OK/REGISTER button..... ouchh! The screen splashes and there is no classic message " thank you .... " ?? Just quit the application and re-run the program: did you see your name in the opening window? Simply, YOU'RE REGISTERED now... as a matter of fact it's ILLEGAL REGISTRATION!!!!!

10. Where the hell is my registration info stored ??
    - The correct registration code is stored in the registry as follows:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\ArmstrongSystems\CleanReg3\Registered]
    "CodeB"=hex:14,00,00,00,03,02,05,00,c1,e2,d4,0f,60,f5,4c,4c,05,40,c0,01
    "User"="Chavit 'Jueteng' Singson"

11. How can I practise with another registration key ?
    - I strongly recommend you not to do this !


END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases and repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-CleanReg325.zip
[EOF] 10/27/00 6:27:09 PM
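From the developer's side, the check traced in steps 3 to 6 fails because the program itself derives the one valid code and compares it with the input, so that code is sitting in memory at the comparison. The sketch below is an added example, not code from this tutorial or from CleanReg: it puts that pattern beside a check that needs only a public key. The serial derivation, the demo key and every function name are assumptions made for illustration.

```python
import hashlib

# --- Weak pattern: verifier derives the valid code, then compares --------
# Hypothetical derivation (NOT CleanReg's algorithm). Whatever the formula,
# the correct code exists in process memory when the comparison runs.
def expected_serial(name: str) -> int:
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big")

def check_weak(name: str, code: int) -> bool:
    return code == expected_serial(name)      # valid code observable here

# --- Hardened pattern: verify a signature using public values only -------
# Constructed demo key from two well-known Mersenne primes. It is far too
# small and structured for real use; a product would use a vetted library
# (for example Ed25519 or RSA-2048+ with PSS). P and Q are listed only so
# the demo is self-contained: the shipped application holds N and E alone.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537

def name_digest(name: str) -> int:
    raw = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(raw, "big") % N

def check_signed(name: str, licence: int) -> bool:
    # Both sides of this comparison are public: the hash of the name and
    # the licence raised to the public exponent. No valid licence is ever
    # computed locally, so there is nothing to read out of memory.
    return 0 <= licence < N and pow(licence, E, N) == name_digest(name)

# --- Vendor side only (never shipped with the application) ---------------
def issue_licence(name: str) -> int:
    d = pow(E, -1, (P - 1) * (Q - 1))         # private exponent
    return pow(name_digest(name), d, N)

if __name__ == "__main__":
    user = "Constructed Sample User"          # constructed sample input
    lic = issue_licence(user)
    print("weak check  :", check_weak(user, expected_serial(user)))
    print("signed check:", check_signed(user, lic))
    print("wrong user  :", check_signed("Someone Else", lic))
```

Signature verification removes the recoverable code from the client; it does not protect the branch that acts on the result, so integrity of the binary remains a separate concern.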