WHY PATCHING WHILE SERIAL NUMBER IS FISHY
KeyPack 2000 v1.5
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyright and/or its laws; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

KeyPack 2000 is a special utility designed to manage and keep track of all kinds of passwords, including web site access codes, software serial numbers and other secret numbers you may have. Using its easy-to-use interface you can quickly and safely store, edit, search, create backups, print, or generate new passwords.

WHERE TO DOWNLOAD

Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/kp2000.zip
Size     : 706 KB - as of August 8, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

This is the last of my series of Magellass program crack tutorials. In fact, by reading my earlier tutorials ( InternetTweak, MemMonster and DesktopCycler ) you can easily find the correct reg. code, because the protection has remained the same. Before you continue I remind you again that this program is possibly packed and developed with anti-debugging tricks, so be prepared to face unexpected occurrences.

LASTLY, I personally express my sincere salutation to the author at Magellass Corp. You guys ... Indonesian and Bandung people have done a great job since you released Win Boost in mid 1997. You never gave up fighting against the crackers all over the Net. KANG DANI IS REALLY GREAT, HUH ??? Nice play with your CLSID .... Beats me, really.

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run KP2000.EXE; in the opening nag screen click that REGISTER button. In the registration dialog box type the information below:

   User Name : DANI TEA HEBAT EUY
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ] and create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   Press F5 to return to the main program.

3. Now click the OK button ... you'll pop back into SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code as follows:

   _________________________________________________________________
   015F:0048FEF9  E80ECDF9FF   CALL  0042CC0C
   015F:0048FEFE  8B55F4       MOV   EDX,[EBP-0C]      <== break here
   015F:0048FF01  B8C8AD4900   MOV   EAX,0049ADC8      <== d EDX
   015F:0048FF06  E8DD3BF7FF   CALL  00403AE8
   015F:0048FF0B  33C0         XOR   EAX,EAX
   015F:0048FF0D  5A           POP   EDX
   015F:0048FF0E  59           POP   ECX
   015F:0048FF0F  59           POP   ECX
   015F:0048FF10  648910       MOV   FS:[EAX],EDX
   015F:0048FF13  6893014900   PUSH  00490193
   015F:0048FF18  8B45FC       MOV   EAX,[EBP-04]
   015F:0048FF1B  E8BCFEFFFF   CALL  0048FDDC
   015F:0048FF20  A1C0AD4900   MOV   EAX,[0049ADC0]    <== d EDX
   015F:0048FF25  F7D8         NEG   EAX
   ......
   ......
   ______________________KP2000!CODE+0008EEF9_______________________

   Disable the previous breakpoint and create a new one as follows:

   BC * [enter]
   BPX #015F:0048FEF9 [enter]

   Press F10 once and display the EDX register:

   d edx [enter]   ==> your fake code appears in the Data Window

   Press F10 again, stop at 015F:0048FF20, and display the EDX register:

   d edx [enter]   ==> your name and fake code ( at a different virtual address ) appear in the Data Window.

   Create a new breakpoint as follows:

   bpm 0167:00C833C8 [enter]

4. Press X or F5; you'll break at the code snippet below:

   ______________________________________________________________
   17D7:0929  26800F00   OR    BYTE PTR ES:[BX],00
   17D7:092D  C3         RET
   17D7:092E  0BC0       OR    AX,AX
   17D7:0930  7502       JNZ   0934
   17D7:0932  E30E       JCXZ  0942
   ...
   ...
   ___________________________ USER(03)__________________________
   :Break due to BPMB #0167:00C833C8 RW DR3

   I know this is not the location where we want to break ... right ?
   Let's press F5 again ( 2 times ) until you break at:

   015F:00403E49  8B0E   MOV   ECX,[ESI]
   015F:00403E4B  8B1F   MOV   EBX,[EDI]     <== break here
   015F:00403E4D  39D9   CMP   ECX,EBX
   015F:00403E4F  7558   JNZ   00403EA9
   .....
   .....
   _______________________ KP2000!CODE+2E49 ______________________

   Did you see the interesting CMP instruction at 015F:00403E4D ? Press F10 once, then let's check the contents of those registers:

   ? ecx [enter]

   SoftIce will respond:

   38383337  0943207223  "8837"   <== your fake code in reverse order

   ? ebx [enter]

   SoftIce will respond:

   43364841  1127630913  "C6HA"   <== potential real code in reverse order

   So, where the heck is your valid registration code then .... Don't panic, just do the following:

   d esi [enter]   ==> yeah, the fake code at 0167:00C833C8
   d edi [enter]   ==> look at the Data Window, did you see AH6C8-N256-YA66-5M5F at virtual address 0167:00C60138 ???? WRITE IT DOWN !!!

   Observe further several lines below your potential reg. code; whether you scroll down or up, there will be a lot of interesting alphanumeric strings which are also suspected to be valid reg. codes. I'll show you what I got from the Data Window ( this is only a part of them ):

   0167:00C60138  41 48 ............ 36 36 2D   AH6C8-N256-YA66-
   0167:00C60148  35 4D ............ 00 00 00   5M5F....&.......
   0167:00C60158  14 00 ............ 36 2D 41   ....7VAS4-LC76-A
   0167:00C60168  4D 35 ............ 00 00 00   M52-3SAB.86c&...
   0167:00C60178  01 00 ............ 2D 4A 35   ........7D9ZC-J5
   0167:00C60188  32 32 ............ 38 37 34   22-RM73-6H9H.874
   0167:00C60198  16 00 ............ 43 41 4C   .....G......6CAL
   0167:00C601A8  14 00 ............ 00 00 00   ....&...........
   0167:00C601B8  34 5A ............ 38 33 2D   4ZAF6-P265-AL83-
   0167:00C601C8  32 5A ............ 00 00 00   2Z7P.874........
   0167:00C601D8  14 00 ............ 33 2D 4C   ....2EAF3-BA63-L
   0167:00C601E8  44 32 ............ 2D 55 36   D23-5J5E.Q9X5-U6
   0167:00C601F8  2C 00 ............ 00 00 00   ,...&...........
   0167:00C60208  34 4C ............ 36 34 2D   4L2P7-H327-LX64-
   ...
   ...

5. Disable the current breakpoint and press F5 to return to the registration dialog box.

   bd * [enter]

   Press F5 to return to the registration dialog box.

6. Re-type your user name and key in AH6C8-N256-YA66-5M5F as your registration code. Ouch ... " KeyPack 2000 has been registered successfully " appears on your screen.

   Note : In actual practice I am using 2BAK8-H338-QU66-3X6U, which I found several lines above the virtual address 0167:00C60138, as my registration code. I suggest you write down all the suspicious registration codes you find around 0167:00C60138 to avoid the author's temporary reg. codes.

7. Where the hell is my registration code stored ?? Hahaha, gotcha ! .... however hard you use WXIR/WXIO and REGMON ... you'll never find it anywhere on your hard disk. Read my preface above ... if you have enough time, try searching for the suspected \CLSID\{C03F02C5-F728-11D1-87D5-13494070a7c98}. Nice try, handsome Kang Dani .... again and again.

   Besides, once you're registered you're registered forever. One strange occurrence is that if you manually edit the registry key and value "RegisteredOwner" with your own desired name ..... the prog is still registered !

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\Magellass\KeyPack 2000]
   "RegisteredOwner"="DANI TEA HEBAT EUY"

   The registry entry below ... IT IS JUST COSMETIC !!!

   [HKEY_LOCAL_MACHINE\Software\Magellass\KeyPack 2000\1.50]
   "Name"=""
   "Company"=""

9. How can I practise with my own user name ?
   - I strongly recommend you not to do this !

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.
Do not distribute your crack release based on this tutorial, because you would become a LAMER !!!!!!!! ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases and repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]

tute-keypack2000.zip [EOF] 10/29/00 1:57:46 PM
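Added afterword (example code written for this page, not part of ASTAGA's tutorial or of Magellass' product): the check observed at step 4 compares the typed code against plaintext codes sitting in memory, which is exactly why a memory breakpoint on the CMP reveals a real one. The Python below places that weak pattern beside a digest-based check that keeps no plaintext code in memory at compare time; the sample codes, the salt and the binding of a code to the registered name are constructed assumptions, not KeyPack 2000's actual scheme.

```python
import hashlib
import hmac

# Constructed sample codes in the tutorial's AAAAA-BBBB-CCCC-DDDD shape.
# They are made-up values for this example, not codes shipped by any product.
SAMPLE_CODES = ["AH6C8-N256-YA66-5M5F", "2BAK8-H338-QU66-3X6U"]


def weak_check(entered: str) -> bool:
    """The pattern the tutorial breaks: valid codes live in memory as plain
    text and the entered code is compared against them chunk by chunk.
    A memory breakpoint on the compare (the CMP ECX,EBX of step 4) shows
    the real code right next to the fake one, so nothing has to be reversed."""
    return any(entered == code for code in SAMPLE_CODES)


def code_digest(name: str, code: str) -> bytes:
    """One-way digest that also binds a code to the registered name, so a
    code read from one user's copy is useless under another name.
    The salt is an assumed vendor constant; it only defeats precomputed tables."""
    data = b"kp-example-salt\0" + name.encode() + b"\0" + code.encode()
    return hashlib.sha256(data).digest()


# What a hardened build would embed instead of SAMPLE_CODES: digests only.
# Derived at import time here purely to keep the example self-contained; a
# real build would embed these 32-byte values and never carry the plaintext.
KNOWN_DIGESTS = [code_digest("DANI TEA HEBAT EUY", c) for c in SAMPLE_CODES]


def hardened_check(name: str, entered: str) -> bool:
    """Same accept/reject decision as weak_check, but the only strings near
    the comparison are the entered code and fixed-size digests. compare_digest
    runs in constant time, so a per-chunk early exit leaks nothing either.
    Caveat: this does not stop someone patching the branch that consumes the
    result; it only stops a debugger from reading a valid code out of memory."""
    probe = code_digest(name, entered)
    return any(hmac.compare_digest(probe, known) for known in KNOWN_DIGESTS)


if __name__ == "__main__":
    # Constructed run: the tutorial's fake key fails both checks, a sample
    # code passes both, and the same code under another name fails the
    # hardened check because the digest is bound to the registered name.
    print(weak_check("73881050"), hardened_check("DANI TEA HEBAT EUY", "73881050"))
    print(hardened_check("DANI TEA HEBAT EUY", "AH6C8-N256-YA66-5M5F"))
    print(hardened_check("SOMEONE ELSE", "AH6C8-N256-YA66-5M5F"))
```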