WHY PATCHING WHILE SERIAL NUMBER IS FISHY

ScanDiskManager(c) - v1.1
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyright and/or the law; it is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

Have you ever turned off your computer under Windows 95 without using the Windows shutdown/restart command? Once the computer starts up you are greeted with the blue screen of ScanDisk. ScanDisk wastes valuable time when the user knows there is nothing wrong with their computer. This program will disable (with the option of re-enabling) ScanDisk. Just remember, ScanDisk is a very useful program: it keeps your hard drive from developing bad blocks, etc. If you use this program, please run ScanDisk from within Windows every once in a while.

WHERE TO DOWNLOAD

Author   : Random Solutions
Homepage : http://www.ics.uci.edu/~dmyers/software/
URL      : http://sunsite.uakom.sk/pub/simtelnet/win95/util/sdm11.zip
Size     : ? - as of October 18, 2000
Release  :

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run ScanDiskMan.exe. In the registration dialog box type the information below:

   Name    : Pirates Order
   Reg KEY : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint, in this case on HMEMCPY:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and F11 once again.
   Press F12 seven times until you see the main program's code and land at:

   015F:0040199D FFD6       CALL ESI
   015F:0040199F 8D7C2414   LEA EDI,[ESP+14]        <== break here
   015F:004019A3 83C9FF     OR ECX,-01              <== d edi
   015F:004019A6 33C0       XOR EAX,EAX
   015F:004019A8 F2AE       REPNZ SCASB
   015F:004019AA F7D1       NOT ECX                 <== d edi
   015F:004019AC 49         DEC ECX
   015F:004019AD 83F903     CMP ECX,03
   015F:004019B0 7725       JA 004019D7
   __________________SCANDISKMAN!.text+099D__________________________

   BD 00 or BC 00 [enter]
   BPX 015F:0040199D [enter]

   Press F10 once (at 015F:004019A3) and in the command line type:

   d edi [enter]

   ==> your fake code and user name appear in the Data Window. Look at several lines below: what are those numbers/characters?

   Press F10 and stop at 015F:004019AA; display the EDI register and you'll see your fake reg code at virtual address 0167:0063F28D. STAY in this location and watch how the real code is copied/processed. Press F10 again and follow the jump instruction at 015F:004019B0; you'll break at:

   __________________________________________________________________
   015F:004019D7 33C0       XOR EAX,EAX             <== break here
   015F:004019D9 8A4C0414   MOV CL,[EAX+ESP+14]
   015F:004019DD 884C0410   MOV [EAX+ESP+10],CL
   015F:004019E1 884C043C   MOV [EAX+ESP+3C],CL
   015F:004019E5 40         INC EAX
   015F:004019E6 83F803     CMP EAX,03
   015F:004019E9 7CEE       JL 004019D9
   ...
   ...
   015F:00401A08 83C404     ADD ESP,04
   015F:00401A0B 83FE03     CMP ESI,03
   015F:00401A0E 7E1D       JLE 00401A2D
   015F:00401A10 33C9       XOR ECX,ECX
   015F:00401A12 0FBE540C2B MOVSX EDX,BYTE PTR [ECX+ESP+2B]  <== ret loop
   015F:00401A17 03D0       ADD EDX,EAX
   015F:00401A19 41         INC ECX
   015F:00401A1A 8D541453   LEA EDX,[EDX+ESP+53]
   015F:00401A1E 8A540AFF   MOV DL,[ECX+EDX-01]
   015F:00401A22 88540C3E   MOV [ECX+ESP+3E],DL
   015F:00401A26 8D5103     LEA EDX,[ECX+03]
   015F:00401A29 3BD6       CMP EDX,ESI
   015F:00401A2B 7CE5       JL 00401A12             ==> loop
   015F:00401A2D 8D742414   LEA ESI,[ESP+14]
   _______________________SCANDISKMAN!.text+09D7_____________________

   Press F10 until the loop between 015F:00401A12 and 015F:00401A2B has completely finished.
   Did you notice 7380391927818518 between virtual addresses 0167:0063F29D and 0167:0063F2AD??? WRITE it DOWN. Here is what you see in the Data Window:

   0167:0063F28D 00 00 00 .... 72 61 74  ...........Pirat
   0167:0063F29D 65 73 20 .... 00 00 37  es Order.......7  <== real
   0167:0063F2AD 33 38 30 .... 31 38 00  380391927818518.  <== code
   0167:0063F2BD 00 00 00 .... 35 38 39  ...3141592653589
   0167:0063F2CD 37 39 33 .... 38 33 32  7932384626433832

4. Disable the currently existing breakpoint and press F5 to return to the registration dialog box. Key in 7380391927818518 as your reg. code, click the OK button and you're registered. Restart the program as requested.

5. Where the hell is my registration info stored??

   - The correct registration code is stored in the registry as follows:

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\ScanDiskManager]
   "ScanDisk"="2"

   If you replace the value "2" with, e.g., "0", this program returns to UNREGISTERED.

6. How can I practise with another registration key?

   - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack release, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-SCANDISKMANAGER11.zip
[EOF] 10/20/00 9:51:44 AM

(All of the names above belong to their respective companies)
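Added editorial example (not part of ASTAGA's tutorial and not ScanDiskManager's code): the reason "d edi" shows the real code a few lines under the fake one is that the registration routine derives the expected serial into its own stack frame and then compares it with the typed one, so any verifier built that way hands the answer to whoever is watching memory. The C below puts that weak pattern next to a verifier that ships only a verification key and checks a property of the typed code without ever computing a valid one. Everything in it is constructed: the name-to-serial derivation, the user names and codes, and the toy 63-bit RSA parameters (chosen so the arithmetic fits in 64 bits; real products use a standard signature scheme with real key sizes). It builds with gcc or clang, which provide unsigned __int128.

```c
/* Added example: a verifier that can compute the real serial leaks it to a
 * debugger; a verifier that only checks a signature never has it in memory.
 * Not ScanDiskManager's code; every key, name and code is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy RSA parameters (assumed, illustration only, trivially factorable). */
#define TOY_P 2147483647ULL      /* 2^31 - 1, prime */
#define TOY_Q 4294967291ULL      /* 2^32 - 5, prime */
#define TOY_N (TOY_P * TOY_Q)    /* about 9.2e18, fits in uint64_t */
#define TOY_E 65537ULL

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    for (; exp; exp >>= 1) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
    }
    return r;
}

/* Modular inverse (extended Euclid); only the vendor's issuing tool needs it. */
static uint64_t invmod(uint64_t a, uint64_t m) {
    __int128 t = 0, newt = 1, r = m, newr = a;
    while (newr) {
        __int128 q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + m : t);
}

/* FNV-1a of the user name reduced mod N: the message the licence is bound to. */
static uint64_t name_digest(const char *name) {
    uint64_t h = 1469598103934665603ULL;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    return h % TOY_N;
}

/* ---- Weak pattern: the program itself derives the real serial ---- */

/* The frame is an explicit struct so the leak is visible to the caller the
 * way "d edi" shows it to a debugger: typed code and real code side by side. */
struct weak_frame { char typed[32]; char expected[32]; };

/* Constructed stand-in for the routine the tutorial single-steps (not the real one). */
static void derive_serial(const char *name, char *out, size_t out_len) {
    snprintf(out, out_len, "%016llu",
             (unsigned long long)(name_digest(name) % 10000000000000000ULL));
}

static int weak_check(const char *name, const char *code, struct weak_frame *f) {
    snprintf(f->typed, sizeof f->typed, "%s", code);
    derive_serial(name, f->expected, sizeof f->expected); /* real code now in memory */
    return strcmp(f->typed, f->expected) == 0;            /* one branch decides */
}

/* ---- Signed pattern: the program holds only (E, N) ---- */

/* Checks code^E mod N == digest(name). No valid code is ever computed here and
 * the private exponent never ships with the product. */
static int signed_check(const char *name, const char *code) {
    uint64_t sig = 0;
    if (!*code || strlen(code) > 19) return 0;  /* 19 decimal digits always fit uint64 */
    for (const char *p = code; *p; ++p) {
        if (*p < '0' || *p > '9') return 0;
        sig = sig * 10 + (uint64_t)(*p - '0');
    }
    return powmod(sig, TOY_E, TOY_N) == name_digest(name);
}

/* Vendor-side issuance: needs the private exponent, so it lives in the vendor's tool. */
static void vendor_issue_code(const char *name, char *out, size_t out_len) {
    uint64_t d = invmod(TOY_E, (TOY_P - 1) * (TOY_Q - 1));
    snprintf(out, out_len, "%llu",
             (unsigned long long)powmod(name_digest(name), d, TOY_N));
}

/* 1 if an issued code verifies while a bogus code or another name does not. */
static int demo_signed(void) {
    char code[32];
    vendor_issue_code("Constructed User", code, sizeof code);
    return signed_check("Constructed User", code) == 1
        && signed_check("Constructed User", "1234") == 0
        && signed_check("Someone Else", code) == 0;
}

/* 1 if the weak verifier accepts its own derived code AND leaves that code
 * readable in the frame after a failed attempt with a bogus one. */
static int demo_weak(void) {
    struct weak_frame f;
    char real[32];
    derive_serial("Constructed User", real, sizeof real);
    if (weak_check("Constructed User", real, &f) != 1) return 0;
    if (weak_check("Constructed User", "0000", &f) != 0) return 0;
    return strcmp(f.expected, real) == 0;  /* bogus input, real code still in memory */
}

int main(void) {
    printf("signed pattern ok: %d\n", demo_signed());
    printf("weak pattern leaks real code: %d\n", demo_weak());
    return 0;
}
```

The signed form removes only the specific weakness the tutorial uses, that is, reading the valid code out of the process's memory; the decision is still a single branch in the product, and a registration state kept as a bare registry value like the "ScanDisk"="2" entry in step 5 is no stronger than before. A toy 63-bit modulus is also factorable in seconds, so the demonstration is about structure (who can compute the answer), not about key strength.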