WHY PATCHING WHILE SERIAL NUMBER IS FISHY

QuikClean v1.1B
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

QuikClean is a simple, quick, efficient and inexpensive redundant file scanner and remover. QuikClean scans your fixed disks for redundant, temporary and unused files, freeing up precious hard disk space... you will be surprised just how much space is taken up by these files. QuikClean will never remove Windows essential files, nor files created by recovery software.

WHERE TO DOWNLOAD

Author   : G Pearson
Homepage : http://www.gpcom.f2s.com
URL      : http://www.downloadit.gr/~v_gpearson/qc11b.zip
Size     : 836 KB as of September 04, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

I only realized this program was packed with UPX once I was already inside SoftIce, but to be honest I forced myself to stay and continue tracing the code, just to cover my embarrassment at not having checked the program in the first place. This is another tip for newbies: check whether the program is packed or not. You can easily notice it by using HIEW; usually there is a description in front of the program entry code, i.e. "This file is packed with the UPX executable packer ..."; other packers (Petite, ASPack, etc.) do the same thing. Once you notice this, run an unpacker program (I suggest you use ProcDump), then load the result into SoftIce.

1. Run QUIKCLEAN.EXE (187,392 bytes, packed .EXE file). In the main program click the HELP/REGISTER submenu. In the registration dialog box type the information below:

   Registration Key: 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and put a new breakpoint, in this case on HMEMCPY:

   BPX HMEMCPY [enter]

   then F5 to return to the main program.

3. Click the OK button... you'll return back into SoftIce.
   Within SoftIce press F11, then press F12 several times until you see and land at:

   _____________________________________________________________________
   0043DC35: E85251FDFF    call 000412D8C          <==== you break here
   0043DC3A: 837DFC00      cmp d,[ebp][-0004],
   0043DC3E: 7407          je 00043DC47
   0043DC40: 8BC3          mov eax,ebx
   0043DC42: E825000000    call 00043DC6C          <==== press F8 here
   0043DC47: 33C0          xor eax,eax
   _____________________________________________________________________

   Disable the previous breakpoint and set a new one as follows:

   bd* [enter]
   bpx 015F:0043DC35 [enter]

4. Press F10 4 times and stop at 015F:0043DC42, then press F8 to follow this CALL instruction. If nothing goes wrong, you'll break at the code snippet below:

   __________________________________________________________________
   0043DC6C: 55            push ebp                <==== you break here
   0043DC6D: 8BEC          mov ebp,esp
   0043DC6F: 6A00          push 000
   0043DC71: 6A00          push 000
   0043DC73: 53            push ebx
   0043DC74: 56            push esi
   0043DC75: 57            push edi
   0043DC76: 8BD8          mov ebx,eax
   0043DC78: 33C0          xor eax,eax
   0043DC7A: 55            push ebp
   0043DC7B: 6817DD4300    push 00043DD17          ;" C¦
   0043DC80: 64FF30        push d,fs:[eax]
   0043DC83: 648920        mov fs:[eax],esp
   0043DC86: 8D55FC        lea edx,[ebp][-0004]
   0043DC89: 8B83B0010000  mov eax,[ebx][000000
   0043DC8F: 8B80FC000000  mov eax,[eax][000000
   0043DC95: 8B08          mov ecx,[eax]
   0043DC97: FF5118        call d,[ecx][00018]
   0043DC9A: 8B45FC        mov eax,[ebp][-0004]
   0043DC9D: 50            push eax                <===== d eax here
   0043DC9E: 8D55F8        lea edx,[ebp][-0008]
   _________________________________________________________________

   Press F10 19 times (stop at 015F:0043DC9D) and dump/display the EAX register by typing:

   d eax [enter]

   Did you see QC11B-3256511 in the Data Window? ... in my case it is at 0167:BD70E4! Yes, that's the suspected serial number you're looking for. Write down the key, disable all breakpoints and press F5 to return to the main program.

5. Repeat the registration procedure and key in QC11B-3256511 as your registration key. Click OK.....
   You'll get the classic message "Thank you for registering.....". YOU'RE REGISTERED now... However, as a matter of fact it's an ILLEGAL REGISTRATION!!!!!

6. Let's recap your job. Do you remember when you dumped/displayed the EAX register at 015F:0043DC9D? In the Data Window there are other possible valid reg. keys, i.e. QC11B-621114, QC11B-01115888 etc., that you can use to register this program. The point is that if you trace the code between 0043DC6C and 0043DC9D and display the EDX or ECX register you'll see a string ".../quikclean.lic", which can be interpreted as the program creating this file to hold the valid reg. key, stored somewhere in the program's folder or in the Windows directory. Upon successful registration, however, you will not find QUIKCLEAN.LIC anywhere on your hard disk!!! So you can't experiment with the other possible registration keys you saw at memory address 0167:BD70E4.

7. Where the hell is my registration key stored??

   - The correct registration code is stored in the registry as follows:

     REGEDIT4

     [HKEY_CURRENT_USER\Software\Microsoft\TQC]

     [HKEY_CURRENT_USER\Software\Microsoft\TQC\Used Times Stop]
     "TimesUsed"="-1"

   - If you delete the value "-1" in the registry key "TimesUsed", the program returns to UNREGISTERED.

8. How can I practise with another registration key?

   - I strongly recommend you not to do this!

9. If you have finished reading this tute, run HIEW and go to hex address #54638 up to #547CD (unpacked quikclean.exe, 518,144 bytes); you'll see more valid registration keys. As the 'ol cracker said: "IT'S HARD CODED inside the program!"

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.
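The two observations this tute leans on, that a UPX-packed file announces itself in its headers and that the key list sits in the clear inside the unpacked image (step 9), can be turned around into a build audit a vendor runs before shipping. This is an added example and not part of the original tute or of QuikClean: it parses the PE section table, looks for the UPX marker string and UPX section names, and searches for keys of the QC11B- shape; the minimal PE buffers, the use of the tute's three keys as fixtures and the digest-only variant are all constructed here.

```python
import hashlib
import re
import struct

# The marker the tute says HIEW shows in front of a UPX-packed entry point.
UPX_MARKER = b"This file is packed with the UPX executable packer"
# Registration keys in this tute all have the shape QC11B-<6 to 8 digits>.
KEY_PATTERN = re.compile(rb"QC11B-\d{6,8}")


def pe_section_names(image: bytes) -> list:
    """Return the section names of a PE image, or [] if the headers do not parse."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", image, pe + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        off = table + 40 * i                                  # 40-byte section headers
        if off + 8 > len(image):
            break
        names.append(image[off:off + 8].rstrip(b"\0"))
    return names


def audit(image: bytes) -> dict:
    """Flag UPX packing and any plaintext registration keys in a shipped image."""
    names = pe_section_names(image)
    packed = UPX_MARKER in image or any(n.startswith(b"UPX") for n in names)
    return {"upx_packed": packed, "plaintext_keys": sorted(set(KEY_PATTERN.findall(image)))}


def build_pe(sections: list, payload: bytes) -> bytes:
    """Constructed minimal PE32-shaped buffer for testing; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + coff + b"\0" * 0xE0 + table + payload


# Constructed fixtures: the layout the tute describes (UPX sections, keys in the clear)
# beside a build that embeds only SHA-256 digests of the same keys.
KEYS = [b"QC11B-3256511", b"QC11B-621114", b"QC11B-01115888"]
PACKED_PLAINTEXT = build_pe([b"UPX0", b"UPX1", b".rsrc"], UPX_MARKER + b"\0".join(KEYS))
DIGEST_ONLY = build_pe([b".text", b".data"], b"".join(hashlib.sha256(k).digest() for k in KEYS))
```

Embedding only digests removes the plaintext keys from the image, but keys this short are still open to offline brute force against the digest list, so a signed-key scheme is the real fix.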
Do not distribute a crack release based on this tutorial, because you would become a LAMER!!!!!!!! (tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a personal computer using a hex editor, ripping off other groups' crack releases and repacking (distro) them under his own name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-QuikClean11b.zip
[EOF]
10/17/00 7:08:09 AM