WHY PATCHING WHILE SERIAL NUMBER IS FISHY
StartUp Deluxe v1.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

StartUp Deluxe allows you to quickly add or remove applications from your Windows startup group... easy. StartUp Deluxe is fully functional shareware that will allow thirty (30) launches before registration is required.

WHERE TO DOWNLOAD

Author   : G Pearson
Homepage : http://www.gpcom.f2s.com
URL      : http://www.downloadit.gr/~v_gpearson/supd10.zip
Size     : 810 KB as of September 04, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

This program is packed with UPX. Unpack the program FIRST !

I am warning you not to follow this tute blindly; it might cause something to be done improperly on your PC. I am doing this intentionally, and I am ashamed of the lack of care taken with the program's protection; this kind of negligence is not good for NEWBIES !!! I recommend you to read TUTE-QUIKCLEAN11B.TXT ( c_tkc10x.zip ) before applying this tutorial.

1. Run STARTUPD.EXE ( 224,256 bytes, packed .EXE file ). You cannot find a registration window, right ? ... nice try Pearson ! Look at the title bar, did you see " Shareware Version ( 31 uses left ) " ? That means you should exhaust that usage limitation. Just do it ! Run and quit the program 31 times until you get the " The trial period of this shareware version has expired " msg. ( Later on I will tell you how to skip this damneD hell procedure ). Click OK, and the registration window will appear on your screen. In the registration dialog box type the information below :

   Registration Key: 73881050

   Do not click the OK/REGISTER button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], put a new breakpoint, in this regard on HMEMCPY :

   BPX HMEMCPY [enter]

   and press F5 to return to the main program.

3. Click the OK button...
you'll return back into SoftIce. Within SoftIce press F11, then press F12 several times until you see and land at :

_____________________________________________________________________
004516D5: E89E33FCFF     call 000414A78              <==== you break here
004516DA: 837DFC00       cmp d,[ebp][-0004],000
004516DE: 750C           jne 0004516EC
004516E0: B820174500     mov eax,000451720           ;" E
004516E5: E80AD7FDFF     call 00042EDF4
004516EA: EB07           jmps 0004516F3
004516EC: 8BC3           mov eax,ebx
004516EE: E849000000     call 00045173C              <==== press F8 here
004516F3: 33C0           xor eax,eax
_____________________________________________________________________

Disable the previous breakpoint, and set a new one as follows :

bd* [enter]
bpx 015F:004516D5 [enter]

4. Press F10 4 times and stop at 015F:004516EE , then press F8 to follow this CALL instruction. If nothing goes wrong, you'll break at the snippet below :

__________________________________________________________________
0045173C: 55             push ebp                    <==== you break here
0045173D: 8BEC           mov ebp,esp
0045173F: 6A00           push 000
00451741: 6A00           push 000
00451743: 53             push ebx
00451744: 56             push esi
00451745: 57             push edi
00451746: 8BD8           mov ebx,eax
00451748: 33C0           xor eax,eax
0045174A: 55             push ebp
0045174B: 68E7174500     push 0004517E7              ;" E_
00451750: 64FF30         push d,fs:[eax]
00451753: 648920         mov fs:[eax],esp
00451756: 8D55FC         lea edx,[ebp][-0004]
00451759: 8B83B0010000   mov eax,[ebx][000000
0045175F: 8B80FC000000   mov eax,[eax][000000
00451765: 8B08           mov ecx,[eax]
00451767: FF5118         call d,[ecx][00018]
0045176A: 8B45FC         mov eax,[ebp][-0004]
0045176D: 50             push eax                    <===== d eax here
0045176E: 8D55F8         lea edx,[ebp][-0008]
_________________________________________________________________

Press F10 19 times ( stop at 015F:0045176D ), then dump/display the EAX register by typing :

d eax [enter]

Did you see SUD1-0036521 in the Data Window ? ... ... in my case it is at 0167:00BE70A4 ! Yes, that's the suspected serial number you're looking for.
Write the key down, disable all breakpoints, and press F5 to return to the main program.

5. Repeat the registration procedure and key in SUD1-0036521 as your registration key. Click OK ..... you'll get the classic message " Thank you for registering..... " . YOU'RE REGISTERED now... However, as a matter of fact it's an ILLEGAL REGISTRATION!!!!!

6. Let's recap your job.

FIRST, are you frustrated at having to reach 31 usages until they're elapsed ? Sure. Here is how to cheat them: run REGEDIT.COM , search for and edit the registry entries below to be as follows :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Sud]

[HKEY_CURRENT_USER\Software\Microsoft\Sud\Break]
"TimesUsed"="31"

( create the registry value "TimesUsed" with data 31 if necessary )

Re-run the program, enter a fake reg. key and load SoftIce. Repeat steps 1 up to 5 accordingly. Another way: during the trial period click the "?" icon in the upper right corner of the title bar, then click the REGISTER button. ..... again, WHATTA nice try Pearson !!!!!!!

SECOND, do you remember when you dumped/displayed the EAX register at 015F:0045176D ? In the Data Window there are other possible valid reg. keys, i.e. SUD1-XXXXXXX, SUD1-YYYYYYY etc., that you can use to register this program. The point is, if you trace the code between 0045173C up to 0045176D and display the EDX or ECX register, you'll see a string " .../STARTUPD.LIC ", which can be interpreted as the program creating this file to hold the valid reg. key, stored somewhere in the program's folder or in the Windows directory. Upon successful registration, you'll not find STARTUPD.LIC anywhere on your hard disk !!! So, you can't experiment with another possible registration key as you see at memory address 0167:0167:BD70E4.

7. Where the hell is my registration key stored ??
- The correct registration code is stored in the registry as follows :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Sud]

[HKEY_CURRENT_USER\Software\Microsoft\Sud\Break]
"TimesUsed"="-1"

- If you delete the value "-1" in the registry value "TimesUsed" , the program returns to UNREGISTERED.

8. How can I practise with another registration key ?

- I strongly recommend you not to do this !

9. If you have finished reading this tute, run HIEW and go to hex address #80494 up to #8062A ( unpacked STARTUPD.EXE - 555,520 bytes ); you'll see more valid registration keys - as the 'ol cracker said, " IT'S HARD CODED inside the program !".

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-StartUpDeluxe10.zip
[EOF] 10/17/00 10:37:00 AM
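The two weaknesses this tute exposes are that the valid key itself sits in memory at the compare ( the " d eax " moment ) and that the TimesUsed counter is a bare registry value anyone can set to 31 or -1. The Python below is an added example, not the tutorial's or StartUp Deluxe's code; the sample keys are constructed and the per-install secret is assumed to live outside the data the user can edit. It shows the weak form beside a hardened one that keeps only key digests in memory and tags the counter so hand edits are detected.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys (the program's real keys are not reproduced here).
VALID_KEYS = ["SUD1-0000001", "SUD1-0000002"]
# Hardened variant ships only digests, so no valid key is ever in memory.
KEY_DIGESTS = {hashlib.sha256(k.encode()).hexdigest() for k in VALID_KEYS}
# Assumed per-install secret kept outside the registry; tags the counter.
COUNTER_SECRET = secrets.token_bytes(32)


def weak_check(entered):
    """Plaintext compare: returns (ok, operands a debugger would see)."""
    seen = []
    for key in VALID_KEYS:
        seen.append(key)          # the valid key itself flows into the compare
        if entered == key:
            return True, seen
    return False, seen


def hardened_check(entered):
    """Digest compare: only hashes ever reach the comparison."""
    digest = hashlib.sha256(entered.strip().encode()).hexdigest()
    seen = [digest]
    ok = any(hmac.compare_digest(digest, d) for d in KEY_DIGESTS)
    return ok, seen


def write_counter(times_used):
    """Serialize a TimesUsed value with an HMAC tag, e.g. '31:ab12...'."""
    body = str(times_used).encode()
    tag = hmac.new(COUNTER_SECRET, body, hashlib.sha256).hexdigest()
    return f"{times_used}:{tag}"


def read_counter(stored):
    """Return the counter, or None if the stored value was edited by hand."""
    body, _, tag = stored.rpartition(":")
    expect = hmac.new(COUNTER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expect):
        return None
    return int(body)
```

With the hardened check a memory dump at the compare yields only SHA-256 digests, and rewriting the stored counter to -1 without the secret makes read_counter() return None.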