WHY PATCHING WHILE SERIAL NUMBER IS FISHY

MemMonster v1.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

MemMonster is a special utility designed to help you solve the problems of Windows (98/95/NT/2000) memory management. Using an easy-to-use interface, you can quickly and safely monitor and increase the amount of available physical memory. There are two versions of MemMonster, one for Windows 9x and one for Windows 2000/NT. Before using it, please make sure you have installed the correct version.

WHERE TO DOWNLOAD

Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/mem9x.zip
Size     : 738 KB - as of August 8, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

FIRSTLY, this program is protected with an anti-debugging trick. NO RESPONSE when clicking the .EXE file, or the "No Debug Allowed" message always appears, even though I had loaded the well-known utilities to hide SoftIce from this kind of protection. WDASM83 got stunned when I tried to disassemble and debug this program.... sigh!! Until this morning, when I talked with Carpathia on IRC, who told me to download and try a small and useful prog called... ... JUST ASK HER! This small prog is great; I can even run another program, i.e. CXIE, which has similar protection. I am not so stingy as not to tell you: I have 2B patience and waited until I could solve my stupidity and write this tute... see... I downloaded this MEMMONSTER2000 2 months ago. Again, thank you Carpathia... without your help I would still be sunk deep in the darkness.

SECONDLY, I personally express my sincere salutation to the Author at Magellass Corp. You guys... Indonesian and Sundanese people have done a great job since you released Win Boost in mid 1997. You never gave up fighting against the crackers all over the Net. And by the way, send my regards to Dani (one of the authors (?)), who left a sticky note in the virtual address like "Horee Mas Dani deui ....." which means "Hooray.. it's Mr Dani again" in the Sundanese language. Further, what a nice try hiding in the CLSID registry.. ........

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run MEMONSTER.EXE; in the opening nag screen click that REGISTER button. In the registration dialog box type in the information below:

   User Name : Pirates Order
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   and press F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code as follows:

   _________________________________________________________________
   015F:00484785 E82A89FAFF  CALL 0042D0B4
   015F:0048478A 8B55F4      MOV  EDX,[EBP-0C]
   015F:0048478D B884D94800  MOV  EAX,0048D984
   015F:00484792 E841F4F7FF  CALL 00403BD8
   015F:00484797 33C0        XOR  EAX,EAX
   ... ...
   ____________________MEMMNSTR!CODE+0008377F____________________

   Disable the previous breakpoint and create a new one:

   bd * [enter]
   bpx 015F:00484785 [enter]

   I just wanna go straight to the groin and bring you to where the potential serials are copied (echoed (?)) into the virtual address. Remember, I have traced this for you. In SoftIce's command line type as follows:

   s 0 l fffffffffffffff FF 56 0C 8B 55 F8 [enter]

   SoftIce will respond:

   Pattern found at 0030:004846D1   (may differ on your PC)

   bpx 0030:004846D1 [enter]
   u 0030:004846D1 [enter]

   Press F5 or X to let SoftIce break at the new location.

4. If nothing goes wrong, SoftIce will pop up and break at the memory address as follows:

   ______________________________________________________________
   015F:004846D1 FF560C      CALL [ESI+0C]        <===== HERE
   015F:004846D4 8B55F8      MOV  EDX,[EBP-08]
   015F:004846D7 A184D94800  MOV  EAX,[0048D984]  <== d EDX
   015F:004846DC E82FF8F7FF  CALL 00403F10
   ____________________MEMMNSTR!CODE+000836CF____________________

   Press F10 2 times and stop at 015F:004846D7, then dump/display the EDX register by typing:

   d edx [enter]

   Look at the Data Window - at the virtual address 0167:00DA530C - did you see 7K5L2-C3A7-KSAA-9H7N?? One line below are 6R2E3-C976-HY63-4C2W, CY8D3-S642-PH68-AM9L, 5G4F4-S394-WF82-8G8F, 2XCN4-Y489-UX59-6VCD... etc. Write down those suspicious reg codes... if you like. You can either repeat the above procedure or scroll up/down to see more potential reg codes.

5. Disable the currently existing breakpoint and press F5 to return to the registration dialog box.

6. Repeat the registration procedure, keying in 7K5L2-C3A7-KSAA-9H7N as your serial number. Click OK..... the classic "MemMonster has been registered successfully...." message appears on your screen.

7. Where the hell is my registration code stored?? Hahaha gotcha! .... however hard you use WXIR/WXIO and REGMON... you'll never find it anywhere on your hard disk. Read my preface above... if you have enough time, try searching for the suspected CLSID {FD853CDD-7F86-11d0-82F2-0134 940705AB5}. Nice try Kang Dani...... again and again. Besides, once you're registered you're registered forever; one strange occurrence is that if you manually edit the registry key and value in "RegisteredOwner" with your own desired name..... the prog still accepts it! MemMonster creates two registry entries as follows:

   REGEDIT4
   [HKEY_LOCAL_MACHINE\Software\Magellass\MemMonster]
   "Dir"="C:\\Program Files\\MemMonster 2000"
   "RegisteredOwner"="Pirates Order"

   and this registry entry below... IS JUST COSMETIC!!!

   REGEDIT4
   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.]
   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.\MemMonster 2000]
   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.\MemMonster 2000\1.00]
   "Name"=""
   "Company"=""

8. How can I practise with my own user name? - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

(tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases and repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-memmonster10.zip
[EOF]
10/20/00 11:54:23 AM