WHY PATCHING WHILE SERIAL NUMBER IS FISHY

QuikClean v1.1B
A Cracking Tutorial 
by ASTAGA [D4C/C4A]


DISCLAIMER 

This reading material is not intended to violate Copyrights 
and/or it is law, but educational purposes only. I hold no 
responsibility ( by all means and in any shape whatsoever ) 
of the mis-used of this material.


ABOUT THE PROGRAM 


QuikClean is a simple, quick, efficient and inexpensive redundant 
file scanner and remover. QuikClean scans your fixed disks for 
redundant, temporary and unused files, freeing up precious hard 
disk space...you will be surprised just how much space is taken 
up by  these files.
QuikClean will never remove Windows essential files, nor files 
created by recovery software.



WHERE TO DOWNLOAD

Author   	: G Pearson
Homepage 	: http://www.gpcom.f2s.com
URL		: http://www.downloadit.gr/~v_gpearson/qc11b.zip
Size 		: 836 KB  as of September 04,2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce

I just realized this program was packed with UPX within SoftIce, but
to be honest I forced myself to stay and continue tracing the codes
just to cover my embarashing why didn't I checked the program at 
the first time.  This is another tips for newbies to check the prog
whether they're packed or not.  
You can easily noticed it by using HIEW, usually there is a descript
ion in front program entry code i.e : " This file is packed with the 
UPX executable packer ...." ; another packer ( Petite, ASPack, etc. ) 
do the same thing.  Once you noticed this, run unpacker program ( I 
suggest you to use ProcDump ) then load into SoftIce.



1.  Run QUIKCLEAN.EXE ( 187,392 bytes, packed .EXE file ), in the main 
    program click HELP/REGISTER submenu.
    In the registration dialog box type these below informations :

	Registration Key: 73881050

    Do not click OK button yet
    

2.  Fire up SoftIce by pressing [ CTRL + D ], put a new breakpoint in
    this regard is HMEMCPY : 

	BPX HMEMCPY     [enter]   and
   	F5  to return to the main program

3.  Click OK button... you'll return back into SoftIce.  
    In within SoftIce press F11 then press F12 several times until you 
    see and landed at :

	_____________________________________________________________________

	0043DC35: E85251FDFF 	call	000412D8C  <==== you break here
	0043DC3A: 837DFC00		cmp 	d,[ebp][-0004],
	0043DC3E: 7407      		je 	00043DC47 
	0043DC40: 8BC3      		mov  	eax,ebx
	0043DC42: E825000000 	call	00043DC6C  <==== press F8 here 
	0043DC47: 33C0      		xor  	eax,eax
      _____________________________________________________________________

    Disable previous breakpoint, and set a new one as follow :

	bd*  [enter]
	bpx 015F:0043DC35  [enter]


4.  Press F10 4 times and stop at 015F:0043DC42 , press F8 to follow this
    CALL instruction.
    If nothing goes wrong, you'll break at these below snippet codes : 

	__________________________________________________________________

	0043DC6C: 55          	push      ebp  <==== you break here
	0043DC6D: 8BEC        	mov       ebp,esp
	0043DC6F: 6A00       	push      000
	0043DC71: 6A00           	push      000
	0043DC73: 53           	push      ebx
	0043DC74: 56             	push      esi
	0043DC75: 57            	push      edi
	0043DC76: 8BD8          	mov       ebx,eax
	0043DC78: 33C0        	xor       eax,eax
	0043DC7A: 55            	push      ebp
	0043DC7B: 6817DD4300     	push      00043DD17 ;" CŚ
	0043DC80: 64FF30       	push      d,fs:[eax]
	0043DC83: 648920        	mov       fs:[eax],esp
	0043DC86: 8D55FC        	lea       edx,[ebp][-0004]
	0043DC89: 8B83B0010000   	mov       eax,[ebx][000000
	0043DC8F: 8B80FC000000    	mov       eax,[eax][000000
	0043DC95: 8B08          	mov       ecx,[eax]
	0043DC97: FF5118       	call      d,[ecx][00018]
	0043DC9A: 8B45FC     	mov       eax,[ebp][-0004]
	0043DC9D: 50         	push      eax  <===== d eax here
	0043DC9E: 8D55F8           lea       edx,[ebp][-0008]
	_________________________________________________________________

	Press F10 19 times ( stop at 015F:0043DC9D ), dump/display EAX
	register by typing  :  
	
		d eax   [enter]
		did you see  QC11B-3256511  in the Data Window ? ...
		... in my case is at 0167:BD70E4 !

 		yes, that's the suspected serial number you're looking for.
		Write it down the key, disable all breakpoints, press F5
		to return to the main program.


5.  Repeat registration procedure and keyed-in   QC11B-3256511   as your
    registration key.
    Click OK .....  you'll get the classic message " Thank you for regis
    tering..... " .
    YOU'RE REGISTERED now... However, as a matter of fact it's ILLEGAL
    REGISTRATION!!!!!


6.  Let's recap your job.  Do you remember when you dump/display EAX
    register at 015F:0043DC9D ? In the Data Window there are another
    posible valid reg.key i.e  QC11B-621114, QC11B-01115888 etc.,
    that you can use to register this program.
    The point is if you trace the codes between 0043DC6C upto
    0043DC9D and  display EDX or ECX register you'll see a string
    " .../quikclean.lic " which can be interpreted the prog create
    this file to hold valid reg.key and stored somewhere in the
    program's folder or in the Windows directory.

    Upon successfull registration, you'll not found QUIKCLEAN.LIC
    anywhere in your harddisk !!!  So, you can't experiment with
    another posible registration key as you see at the memory
    address 0167:0167:BD70E4.


7.  Where the hell is my registration key is stored ??

	-  The correct registration code is stored in the registry
	   as follow :

	   REGEDIT4
	   [HKEY_CURRENT_USER\Software\Microsoft\TQC]
	   [HKEY_CURRENT_USER\Software\Microsoft\TQC\Used Times Stop]
	   "TimesUsed"="-1"

	-  If you delete value "-1" in the registry key "TimesUsed" ,
	   the program returned UNREGISTERED.


8.  How can I practise with another registration key ?

	-  I strongly recommended you not to do this !


9.  If you had finished reading this tute, run HIEW and go to hex 
    address  #54638 upto #547CD( unpacked quikclean.exe - 518,144 
    bytes )  you'll see more valid registration keys - 'ol cracker 
    said  " IT'S HARD CODED inside the program !".



END NOTES

   This program is sold as shareware, so you can try before you buy.  
   This is convenient for you, saves expenses by dispensing with all 
   that packaging, and cuts out the middle person.  So it is cheap, 
   but it is not free.  
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing: 
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute your crack release based on this tutorial, because
   you become a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined LAMER(s) is the guy who sits in front of
   personal computer, using Hex Editor, ripping off other group(s)
   crack release, repacking (distro) them under his name. 
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same connota
	tions of self-conscious elitism that use of luser does among 
	hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-QuikClean11b.zip
[EOF] 10/17/00 7:08:09 AM