WHY PATCHING WHILE SERIAL NUMBER IS FISHY
RegEditor v1.1
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

RegEditor is a registry editing tool which works with .reg files (REGEDIT4 format). These are files created by the Windows 95/98 registry; RegEditor allows the user to make changes to and correct these files safely. After RegEditor is installed, .REG files are associated with it by default, so double-clicking a .REG file runs this program to edit it. The toolbar buttons give quick access to menu entries.

WHERE TO DOWNLOAD

Author       : A. Chabanenko (NIT - New Information Technologies)
Homepage     : http://www.nit.mk.ua/adregcln/index.html
               http://www.nit.mk.ua
URL          : http://www.nit.mk.ua/regeditr/regeditr.zip
Size         : 462 KB - as of September 12, 2000
Release Date : May 25, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

This program creates its own program ID based on Windows' default user name. My ID looks as follows:

    AdvRegCln
    License number: 58C0-0802-1BF7   <== may differ in your PC
    Name: Pirates Order
    Country: United States
    E-Mail address: pirates@buccaneer.com
    Comments:

Secondly, this program is packed with UPX and I didn't unpack it as one normally should. So, if you follow my steps, unexpected occurrences may possibly happen.

1. Run REGEDITOR.EXE; in the main program click on the ENTER REG CODE button. In the registration dialog box type the information below:

    Registration Key : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint as follows:

    :BPX HMEMCPY [enter]

   Press F5 to return to the main program.

3. Now click the OK button... you'll return to SoftIce. Within SoftIce press F11, then press F12 several times until you see the code snippet below (ad lib: please verify my notes at the end of this file):

    ___________________________________________________________________
    015F:004551E3  E818A9FDFF   CALL 0042FB00        <== break here
    015F:004551E8  8B55D4       MOV  EDX,[EBP-2C]
    015F:004551EB  8B45F8       MOV  EAX,[EBP-08]    ==> D EDX
    015F:004551EE  E8A9E9FAFF   CALL 00403B9C
    .....
    .....
    ______________________REGEDITOR!UPX0+000541E3______________________
    Break due to BPX KERNEL!HMEMCPY
    Break due to G

   Clear the previous breakpoint because you don't need it anymore:

    :bc * [enter]

   Create a new breakpoint as follows:

    :bpx 015F:004551E3 [enter]
    :x   (or F5)

    Break due to BPX #015F:004551E3

   Press F10 two times (stop at 015F:004551EB) and display the EDX register:

    :d edx [enter]

   ==> Your fake code appears in the Data Window at virtual address 0167:00C0A874. Set a new breakpoint at the location where your fake code has been copied to:

    :bpm 0167:00C0A874 [enter]
    :x [enter]

4. If nothing goes wrong you'll break at the code snippet below:

    _______________________________________________________________
    015F:00403F03  8B1F   MOV EBX,[EDI]
    015F:00403F05  39D9   CMP ECX,EBX       ==> break here
    015F:00403F07  7558   JNZ 00403F61
    .....
    .....
    ______________________REGEDITOR!UPX0+2F03_______________________
    Break due to BPMB #0167:00C0A874 RW DR3

   Did you recognize the CMP instruction at 015F:00403F05? Let's check the contents of those two registers:

    :? ecx [enter]
    38304635  0942687797  "80F5"   ==> possible valid reg. code in reverse order
    :? ebx [enter]
    38383337  0943207223  "8837"   ==> your fake code in reverse order

   So, where is the real code located? Just display the ESI and EDI registers as follows:

    :d esi [enter]

   ==> Look at the Data Window: did you see 5F08-0FCA-1C3F at virtual address 0167:00C0F5D0?

5. Disable all currently existing breakpoints:

    :bd * [enter]
    :x   (or F5) to return to the registration dialog box

6. Repeat the registration procedure and key in 5F08-0FCA-1C3F as your registration key. Click the OK button....... you're registered!

7. Where the hell is my registration code stored? The correct registration code is stored in the registry under a CLSID as follows (nice try, Bro....):

    REGEDIT4

    [HKEY_CLASSES_ROOT\CLSID\{A4E78360-03CA-11D4-9395-981897B1F059}]

    [HKEY_CLASSES_ROOT\CLSID\{A4E78360-03CA-11D4-9395-981897B1F059}\InprocServer32]
    @="shell32.dll"

    [HKEY_CLASSES_ROOT\CLSID\{A4E78360-03CA-11D4-9395-981897B1F059}\Version]
    @="FFFF"

8. How can I practise with my own reg. key? - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

(tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack release, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

    lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-regeditor11.zip
[EOF]
11/9/00 8:51:25 PM

(Note: If you cannot reach the code snippet as I explained, try to get into the main program's code by using another breakpoint. Do a string search by typing:

    :s 0 l ffffffff E8 18 A9 FD FF 8B 55 D4 [enter]
    Pattern found at 0167:00XXXXXX   <=== bpx this location
    :bpx 0167:00XXXXXX [enter]

then continue tracing the code; yep, from step #3.)
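The reason the compare at 015F:00403F05 gives the game away is that the program holds the expected key in memory as plaintext right beside the typed one. The C below is an added example, not RegEditor's code: it shows that weak pattern next to a check that ships only a digest of the valid key. The key string, the FNV-1a stand-in digest and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder; the real RegEditor key for a name is not reproduced. */
static const char EXPECTED_KEY[] = "AAAA-BBBB-CCCC";

/* Weak pattern seen in the tutorial: the expected key is built in memory and
 * compared with the typed key, so a debugger stopped on the compare finds the
 * valid key sitting beside the fake one (ESI/EDI in the CMP ECX,EBX loop). */
int weak_check(const char *entered)
{
    char expected[sizeof EXPECTED_KEY];
    memcpy(expected, EXPECTED_KEY, sizeof expected); /* valid key now in RAM */
    return strcmp(entered, expected) == 0;
}

/* FNV-1a 64-bit, used here only as a self-contained stand-in for a
 * cryptographic digest (a product would use SHA-256 or similar). */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constant-time equality of two digests (no early exit on mismatch). */
static int ct_equal(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1u - (d & 1u));
}

/* Hardened pattern: only a digest of the valid key ships with the program, so
 * the plaintext key is never present at the compare for a memory watch to find. */
int hardened_check(const char *entered, uint64_t stored_digest)
{
    return ct_equal(fnv1a64(entered), stored_digest);
}

int main(void)
{
    uint64_t stored = fnv1a64(EXPECTED_KEY); /* computed at issue time, not at run time */
    printf("weak:     %d\n", weak_check("73881050"));               /* 0: fake key rejected */
    printf("hardened: %d\n", hardened_check(EXPECTED_KEY, stored)); /* 1: valid key accepted */
    return 0;
}
```

Storing only a digest stops the valid key from being read out of memory at the compare, but either check still ends in a single conditional jump, which is the branch a debugger user looks for next.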