WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Private Desktop v1.6
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by any means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

Private Desktop(tm) is the ultimate tool to insure your privacy at your computer. Its functionality provides instant transfer of any two screens you wish to maintain at the same time. While you view the screen you do not wish anyone else to see, another screen can be in the holding to make a quick switch within a split second. It doesn't stop here. You create your own series of personal passwords to make Private Desktop(tm) impenetrable.

WHERE TO DOWNLOAD

Author   : Silvio Kuczynski / Tropical Software
Homepage : http://www.tropsoft.com/privdesk/main.htm
URL      : http://www.tropsoft.com/privdesk.exe
Size     : KB

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run PRIVDSK.EXE, drag your mouse cursor to the right corner of the traybar, right click and choose the SETTINGS submenu. In the main program's window click the CLICK HERE TO.. button. ( Remember the rule of this program: the default password is PRIVATE. ) In the registration dialog box type the information below :

      Name      : Pirates
      Order Key : 7388105099

   Do not click the OK button yet.

2. Fire up SoftIce by pressing Ctrl + D and create a new breakpoint; in this case I am using HMEMCPY, by typing :

      bpx hmemcpy [enter]

   Press F5 to return to the main program.

3. Click the OK button now; you'll return back into SoftIce.
   Press F11, F5, then F11 once again. To get into the main program, press F12 several times until you reach the code snippet below :
_____________________________________________________________________

   0040230F: E8DCF9FFFF   call 000401CF0       <=== you land HERE
   00402314: 83C410       add  esp,010         ;""
   00402317: 8D4C2424     lea  ecx,[esp][000
   0040231B: 51           push ecx             <== d ecx here
   0040231C: E81FFAFFFF   call 000401D40
   00402321: 83C404       add  esp,004         ;""
   00402324: 8D542410     lea  edx,[esp][000
   00402328: 52           push edx             <=== d edx here
   00402329: E812FAFFFF   call 000401D40
   0040232E: 8A442428     mov  al,[esp][0002
   00402332: 83C404       add  esp,004         ;""
   00402335: 84C0         test al,al
   00402337: 7524         jne  00040235D       <=== jump if not equal
   ......
   ......

   Clear the HMEMCPY breakpoint because you don't need it any longer. Set a new breakpoint in the main program code :

      bc * [enter]
      bpx 015F:0040230F [enter]

   Press F10 3 times ( stop at 015F:0040231B ), then dump/display the ECX register by typing :

      d ecx [enter]

   The user name appears in the Data Window.

   Press F10 7 times ( stop at 015F:00402328 ), then dump/display the EDX register by typing :

      d edx [enter]

   The fake s/n appears in the Data Window at 0167:64F7E4.

   Press F10 12 times ( stop at 015F:00402337 ) ... just follow this JUMP ( JNE ) instruction until you land at :

   0040235D: 8A442410     mov  al,[esp][000
   00402361: 84C0         test al,al
   00402363: 7525         jne  00040238A       <=== jump if not equal
   ......
   ......

   Press F10 3 times and just follow this JUMP ( JNE ) instruction at 015F:00402363 until you land at :

   0040238A: 8D542424     lea  edx,[esp][00
   0040238E: 8D442410     lea  eax,[esp][00
   00402392: 52           push edx
   00402393: 50           push eax
   00402394: E8770C0000   call 000403010
   00402399: 83C408       add  esp,008         ;""
   0040239C: 85C0         test eax,eax
   ......
   ......

   Press F10 7 times until you step past the CALL instruction at 015F:00402394 or stop at 015F:00402399, then dump/display the EDX register by typing :

      D EDX [enter]

   Did you see 8DA005E002 ( located at the memory address 0167:64F7A8 ) in the Data Window ??
   Scroll up one line or dump/display the ECX register, and you'll see your fake S/N together with the real one. Up to this step you can consider 8DA005E002 to be your suspected real key ... so, just give it a try ...

4. Now, disable the existing breakpoint ( BD * [enter] ) and press F5 to return to the main program.

5. As soon as you return to the program, the 'beggar-off' message appears on the screen; just click OK to confirm and quit the application ( nice try .... Kuczynski !!!! ).

6. Re-run the program, repeat the registration procedure and key in 8DA005E002 as your valid serial number. The successful registration message will appear on the screen; you're illegally registered now.

7. Let's recap your job with the following questions :

   - Is there a shortcut to reach the desired CALL instruction without pressing F10 21 times ??
   - Where the hell is my registration code stored ??

8. Take the following answers :

   - Make sure that the previous breakpoint ( bpx 015F:0040230F ) is not active ( disabled ).
     Make sure that the GERKSEDS.DRU file is deleted.
     Run the program, key in a new user name and fake S/N.
     Create a new breakpoint at the address 015F:00402394 ( why here ?? ask yourself ......... )

        bpx 015F:00402394 [enter]

     Press F5 to return to the registration window.
     Click OK.
     You'll break in SoftIce at the address 015F:00402394.
     Press F10 once and keep an eye on the Data Window ... the new S/N is copied to the memory address 0167:64F7A8, or type D EDX or D ECX [enter].
     Repeat Step 4 and 5 in the above section.

   - The correct registration code is encrypted and stored in the file called GERKSEDS.DRU, which is located in your Windows directory ( usually C:\WINDOWS ).

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay.
To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other groups' crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

   lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
   < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-PrivateDeskto16.zip
[EOF] Sep 30,2000 01:00:08AM