WHY PATCHING WHILE SERIAL NUMBER IS FISHY

WinBoost 2001 Standard Edition
A Cracking Tutorial
by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyrights
and/or the law; it is for educational purposes only. I hold no
responsibility ( by any means and in any shape whatsoever )
for any misuse of this material.


ABOUT THE PROGRAM

WINBOOST 2001
Expose all mysteries and reveal all secrets of Windows ME/98/95!
WinBoost is a special utility to configure and personalize the
look and feel of Windows ME/9X (98/98SE/95). Using an easy-to-use
graphical user interface you can configure hundreds of hidden
Windows ME/9X settings, from the Start Menu, Desktop, Accessories
and Windows Explorer to Internet Explorer.  This is something that
you cannot do through the regular Windows options. In addition,
you will get hundreds of selected Windows ME/9X Tips & Tricks to
boost your Windows performance.



WHERE TO DOWNLOAD

Author   	: Magellass Corp
Homepage 	: http://www.magellass.com
URL		: http://www.winboost.com/wb2001s.zip
		  http://www.simtel.net/pub/simtelnet/win95/winme/
		  wb2001s.zip
Size 		: 1.3 MB - as of  October 23, 2000



HOW TO GET VALID SERIAL NUMBER by using SoftIce


This is the last in my series of crack tutorials on Magellass'
programs. In fact, by reading my earlier tutorials ( InternetTweak,
MemMonster, KeyPack and DesktopCycler ) you can easily find the
correct reg. code, because the protection remains the same, or at
least similar.  Currently they're available at :

	http://home.luna.nl/~enigma/TNT/tnt2k.htm  or
	http://www.ciafiles.visionz.eu.org/

Before you continue, I remind you again that this program may be
packed and developed with anti-debugging tricks, so be prepared
to face unexpected occurrences.

LASTLY, I personally express my sincere salutation to the Authors
at Magellass Corporation :
Dani Okianto, Diki Septanto, Sandi Yulianto and Irma Aryani
- the " barudak Bandung " ( the Bandung kids ) - " juragan bakso "
( the meatball boss ) - " juragan kurupuk " ( the cracker-chip boss )
- you guys have done a great job since you released WinBoost in
mid 1998.
You never gave up fighting against the crackers all over
the Net.  Keep up da GOOD WORK.
KANG DANI, YOU'RE REALLY GREAT .... HUH ???  Nice try with your
CLSID .... even though it was hidden, it still got found ...
forgive me.
However, the secret that you kept has been revealed.


HOW TO GET VALID SERIAL NUMBER by using SoftIce


1.	Run WB2K1S.EXE; in the opening nag screen click the REGISTER
	button.
	In the registration dialog box type the following information :

	User Name 	: Pirates Order
	Key		: 73881050

    	Do not click the OK button yet.


2.	Fire up SoftIce by pressing [ CTRL + D ] and create a new
	breakpoint as follows :

	BPX HMEMCPY [enter] and
   	F5  to return to the main program

3.	Now click the OK button... you'll be thrown back into SoftIce.
    	Inside SoftIce press F11, F5, and F11 once again.
	Press F12 several times until you reach the main program's code
	as follows :

	_________________________________________________________________

	015F:004BED96  E8F1F4F6FF	CALL      0042E28C  <===== break here
	015F:004BED9B  8B55F8     	MOV       EDX,[EBP-08]
	015F:004BED9E  8B45FC     	MOV       EAX,[EBP-04] <== d edx
	015F:004BEDA1  E82AFDFFFF 	CALL      004BEAD0
	015F:004BEDA6  8D55F0     	LEA       EDX,[EBP-10] <== ? eax
	015F:004BEDA9  E85294F4FF 	CALL      00408200
	015F:004BEDAE  33C0     	XOR       EAX,EAX  <====== ? ecx
	015F:004BEDB0  5A        	POP       EDX
	015F:004BEDB1  59        	POP       ECX
	015F:004BEDB2  59       	POP       ECX  <========== d ecx
	015F:004BEDB3  648910    	MOV       FS:[EAX],EDX
	015F:004BEDB6  6894FA4B00 	PUSH      004BFA94
	015F:004BEDBB  8B45F4     	MOV       EAX,[EBP-0C]
	015F:004BEDBE  8B55F0     	MOV       EDX,[EBP-10] <== d eax
	015F:004BEDC1  E8D24FF4FF  	CALL      00403D98 <====== d edx
	015F:004BEDC6  0F851F0100	JNZ       004BEEEB
	015F:004BEDCC  8B45F0      	MOV       EAX,[EBP-10]
	015F:004BEDCF  BA04FB4B00	MOV       EDX,004BFB04
	015F:004BEDD4  E8BF4FF4FF	CALL      00403D98
    	......
	......
	______________________WB2K1S!+000BDD90_______________________


	Disable the previous breakpoint and create a new one as follows :

	BC *  [enter]
	BPX 015F:004BED96  [enter]

4.  Let's trace the above code snippet.
    Press F10 two times - stop at 015F:004BED9E - and display the EDX
    register :

	d edx  [enter]  ==> 	your name appear in the Data Window
				at virtual address 0167:01282654 .

5.  Press F10 - stop at 015F:004BEDA6 - and watch the Register Window :
    do you see that EAX is now 26380694 ?

    Check the contents of the EAX register :

	? EAX  [enter ]
	SoftIce will respond :
	26380694 0641205908 "&8 " ==> pay attention .....

    The same value will be moved to the ECX register; you can check
    it when you're at memory address 015F:004BEDAE.


6.  Press F10 - stop at 015F:004BEDB2 - and display the ECX and EDX
    registers :

	d ecx  or
	d edx  [enter]  ==>	look in the Data Window between
				virtual address 0167:004BFB0A and
				0167:004BFC3A  ... they look like
				serial numbers, right ?  But who knows
				whether they are bogus or reg codes
				blacklisted by the Author.
				Either way, write down those suspicious
				reg. codes !!


    Here is what they look like :

	_____ WB2K1S!+000BEA8A____________byte__________PROT__________

	0167:004BFA8A E9 3D 3A ...... 59 59 64  .=:...'...3.ZYYd
	0167:004BFA9A 89 10 EB ...... 8C 79 40  ......8.......y@
	0167:004BFAAA 00 AF FA ...... E8 B8 3A  ...K..E..a.....:
	0167:004BFABA F4 FF 33 ...... 4B 00 8D  ..3.ZYYd..h..K..
	0167:004BFACA 85 8C FE ...... FE FF FF  ......8?........
	0167:004BFADA E8 2D 3F ...... E8 44 3F  .-?...E.......D?
	0167:004BFAEA F4 FF C3 ...... 8B E5 5D  .....9...._^[..]
	0167:004BFAFA C3 00 FF ...... 00 FF FF  ..........0.....
	0167:004BFB0A FF FF 09 ...... 39 32 00  ......417478292. <===
	0167:004BFB1A 00 00 FF ...... 32 38 37  ..........684287
	0167:004BFB2A 37 36 35 ...... 00 37 35  765...........75
	0167:004BFB3A 37 39 38 ...... FF 09 00  7989533.........
	0167:004BFB4A 00 00 34 ...... 00 FF FF  ..426952673.....
	0167:004BFB5A FF FF 09 ...... 37 38 00  ......423946978.
	0167:004BFB6A 00 00 FF ...... 33 37 30  ..........800370
	0167:004BFB7A 33 34 30 ...... 00 36 39  340...........69
	0167:004BFB8A 30 39 35 ...... FF 09 00  0959612.........
	0167:004BFB9A 00 00 34 ...... 00 FF FF  ..423925943.....
	0167:004BFBAA FF FF 09 ...... 32 37 00  ......409496927.
	0167:004BFBBA 00 00 FF ...... 35 39 33  ..........291593
	0167:004BFBCA 34 32 38 ...... 00 37 39  428...........79
	0167:004BFBDA 33 34 35 ...... FF 09 00  3459583.........
	0167:004BFBEA 00 00 39 ...... 00 FF FF  ..960946252.....
	0167:004BFBFA FF FF 09 ...... 34 30 00  ......744779840.
	0167:004BFC0A 00 00 FF ...... 39 32 30  ..........866920
	0167:004BFC1A 33 39 37 ...... 00 37 36  397...........76
	0167:004BFC2A 30 37 38 ...... FF 09 00  0783478.........
	0167:004BFC3A 00 00 36 ...... 00 FF FF  ..685275290..... <===
	0167:004BFC4A FF FF 2F ...... 74 20 32  ../...WinBoost 2
	0167:004BFC5A 30 30 31 ...... 72 65 67  001 has been reg
	0167:004BFC6A 69 73 74 ...... 73 73 66  istered successf
	0167:004BFC7A 75 6C 6C ...... 00 5C 77  ully..........\w
	0167:004BFC8A 69 6E 2E ...... FF 05 00  in.ini..........
	.....
	.....
	_______________________________________________________________


7.  Press F10 - stop at 015F:004BEDBE - and display the EAX register :

	d eax  [enter]  ==> 	your fake code appears at virtual address
				0167:01243B48


8.  Press F10 - stop at 015F:004BEDC1 - and display the EDX register :

	d edx  [enter]  ==> 	do you see  641205908  appear at virtual
				address 0167:01481E08  ???
				Do you remember what I told you in
				Step #5 above ??
 				Don't you think this one is the real
				reg code ?  Write it down !


9.  Disable the existing breakpoint and press F5 to return to
    the registration dialog box.

	bd *  [enter]
	F5  to return to the registration dialog box


10.  Re-type your user name and key in  641205908  as your
     registration code.  Ouch .... did you get " WinBoost 2001 has
     been registered successfully " on your screen ?


11.  Noooooooooo ?? hehehe .... there must be something wrong here.
     Let's get back to tracing the code again ... repeat step #8 !
     Starting from  015F:004BEDC1 , press F10 until you reach the
     code snippet below :

	015F:004BF654  E8D345F4FF 	CALL 	00403C2C
	015F:004BF659  33DB        	XOR  	EBX,EBX
	015F:004BF65B  8D8D90FEFF	LEA   	ECX,[EBP-0170]
	015F:004BF661  0FBFD3    	MOVSX	EDX,BX
	015F:004BF664  A17C1E4C00 	MOV   	EAX,[004C1E7C]
	015F:004BF669  8B00       	MOV  	EAX,[EAX]
	015F:004BF66B  8B4048      	MOV  	EAX,[EAX+48]
	015F:004BF66E  8B4024     	MOV  	EAX,[EAX+24]
	015F:004BF671  8B30       	MOV 	ESI,[EAX]
	015F:004BF673  FF560C   	CALL	[ESI+0C]
	015F:004BF676  8B9590FEFF	MOV	EDX,[EBP-0170]
	015F:004BF67C  8B45E8     	MOV	EAX,[EBP-18] <== D EDX
	015F:004BF67F  E81447F4FF  	CALL  	00403D98
	....
	....
	______________________WB2K1S!+000BE654_______________________


     on the 26th press of F10 - stop at 015F:004BF67C - display the
     EDX register :

	d edx  [enter]  ==> 	do you see  9M2R4-U974H-YE07H-1Y1P6 appear
				at virtual address 0167:013255A0  ???
 				Again, several lines below there are a lot
				of interesting unique codes.
				WRITE THEM DOWN again !!!

	Here's what I got from my screen ( only a part of them ) :

	0167:013255A0 39 4D 32  45 30 37  9M2R4-U974H-YE07
	0167:013255B0 48 2D 31  00 00 00  H-1Y1P6.&.......
	0167:013255C0 14 00 00  35 2D 44  ....7W4Z4-O105-D
	0167:013255D0 5A 32 34  00 00 00  Z24-8U8J.U2.....
	0167:013255E0 01 00 00  6E 61 6C  ........BO11.nal
	0167:013255F0 18 00 00  00 00 00  ....&...........
	0167:01325600 31 58 32  4F 38 37  1X2K1-T562F-UO87
	0167:01325610 43 2D 36  00 00 00  C-6R4U8.&.......
	0167:01325620 17 00 00  33 55 2D  ....5E3D1-E283U-
	0167:01325630 50 57 32  00 00 00  PW23X-3R6H7.&...
	0167:01325640 01 00 00  2D 4E 39  ........7Z2H3-N9
	0167:01325650 36 35 51  53 35 00  65Q-OV65T-3M0S5.
	0167:01325660 26 00 00  4A 32 59  &...........7J2Y
	0167:01325670 36 2D 52  2D 35 42  6-R718G-HG36K-5B
	0167:01325680 35 53 32  00 00 00  5S2.&...........
	0167:01325690 35 48 31  4B 37 36  5H1K3-Q604V-JK76
	0167:013256A0 59 2D 38  00 00 00  Y-8L2V1.&.......
	0167:013256B0 17 00 00  36 4E 2D  ....8W1T6-H236N-
	0167:013256C0 49 4E 31  00 00 00  IN19W-2W5T6.&...
	0167:013256D0 01 00 00  2D 50 31  ........4R2W1-P1

     You can see other potential reg codes at different locations,
     i.e. 0167:013256D0 up to 0167:013262C0 ; 0167:01326970 up to
     0167:013276C0 ...etc.  Just scroll up and down from the
     virtual address 0167:013255A0 .

     I am not sure whether the Author is a genius or sick in the
     head .... while scrolling up/down you'll see weird sticky notes
     like " Si Brinos " ( his dog's name ), " Dani nu ganteng tea "
     ( means Dani the handsome guy ), " Juragan krupuk " ( means
     fried-chips master ), " juragan bakso " ( means meatball
     master ) .... etc.


12.  Enough is enough .... disable all breakpoints ( wait, don't
     forget to set a new breakpoint at 015F:004BF673 for further
     use ).
     Re-type your user name and key in 9M2R4-U974H-YE07H-1Y1P6
     as your registration code.
     Click the OK/REGISTER button .... this time you get " WinBoost
     2001 has been registered successfully " .
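     The whole hunt in steps 4 to 12 works because the program keeps the
     answer in its own memory: the suspicious codes of step 6 and the
     real code of step 8 sit in the data section as plain strings, and
     the compare call before the JNZ checks them against what you typed.
     The Python below is an added example, not code from this tutorial
     or from Magellass, putting that design beside one that embeds only
     salted digests of the codes, together with the release-time check a
     vendor could run on its own binary to catch the leak before
     shipping. The codes, the salt and the image_of() layout are
     constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample codes in the two formats seen in the tutorial (a 9-digit
# code and a 5x5 dashed code). None of these is a real WinBoost code.
BUILD_TIME_REAL_CODE = "7Q3W8-K21MZ-X9P4R-E5T6Y"
BUILD_TIME_BLACKLIST = ["123456789", "987654321"]
SALT = b"constructed-per-product-salt"


def _norm(code: str) -> str:
    return code.strip().upper()


def _digest(code: str) -> str:
    """Salted SHA-256 of a normalised code; the only form of a code that the
    hardened build embeds."""
    return hashlib.sha256(SALT + _norm(code).encode("utf-8")).hexdigest()


def build_release(real_code: str, blacklist: list) -> dict:
    """Build-time step of the hardened design: plaintext codes go in, only
    digests come out to be compiled into the shipped image."""
    return {"real": _digest(real_code),
            "blacklist": [_digest(c) for c in blacklist]}


# The leaky design embeds the codes themselves; this is what 'd edx' / 'd ecx'
# showed in steps 6 and 8.
LEAKY_RELEASE = {"real": BUILD_TIME_REAL_CODE,
                 "blacklist": list(BUILD_TIME_BLACKLIST)}
HARDENED_RELEASE = build_release(BUILD_TIME_REAL_CODE, BUILD_TIME_BLACKLIST)


def validate_leaky(entered: str, release: dict = LEAKY_RELEASE) -> str:
    """Plain string compares against embedded constants."""
    code = _norm(entered)
    if code in release["blacklist"]:
        return "blacklisted"
    if code == release["real"]:
        return "registered"
    return "invalid"


def validate_hashed(entered: str, release: dict = HARDENED_RELEASE) -> str:
    """Same decisions, but the image holds digests and the compare is
    constant-time, so neither the code nor a timing hint is in reach."""
    d = _digest(entered)
    if any(hmac.compare_digest(d, b) for b in release["blacklist"]):
        return "blacklisted"
    if hmac.compare_digest(d, release["real"]):
        return "registered"
    return "invalid"


# Anything shaped like a serial: nine digits, or four dashed groups of five.
SERIAL_RE = re.compile(rb"\b(?:\d{9}|[A-Z0-9]{5}(?:-[A-Z0-9]{5}){3})\b")


def image_of(release: dict) -> bytes:
    """Stand-in for the data section of a shipped binary: every constant the
    validator holds, NUL-separated, roughly as the step 6 dump shows them."""
    parts = [release["real"]] + list(release["blacklist"])
    return b"\x00".join(p.encode("ascii") for p in parts) + b"\x00"


def audit_image(image: bytes) -> list:
    """Release-time check a vendor can run on its own binary: any serial-shaped
    string in the image is a leak."""
    return [m.decode("ascii") for m in SERIAL_RE.findall(image)]


if __name__ == "__main__":
    for name, rel in (("leaky", LEAKY_RELEASE), ("hashed", HARDENED_RELEASE)):
        print(name, "leaks:", audit_image(image_of(rel)))
```

     Hashing only takes the secret out of memory; it does nothing
     against a compare whose result is patched, which is the other half
     of what the title warns about. A vendor who cares about that
     verifies a signed licence record instead of comparing a secret.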


13.  Where the hell is my registration code stored ??

	The registration info is stored in WIN.INI under the
	following section :

	[WB]
	Owner=Pirates Order
	Registered=True
	( deleting this section will return the program to its
	unregistered state )

	Also check this registry entry :

	REGEDIT4
	[HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001]
	"CDROM"=""
	"Welcome"="1"
	"StartText"="Start"
	"FavoritesText"="F&avorites"
	"DocumentsText"="&Documents"
	"FindText"="&Find"
	"SettingsText"="&Settings"
	"HelpText"="&Help"
	"LogOffText"="&Log Off"
	"ShutDownText"="Sh&ut Down..."
	"RunText"="&Run..."
	"InfoTip"="Click here to begin."
	"ProgramsText"="&Programs"
	"Dir"="C:\\Program Files\\WinBoost 2001"
	"Registered"="True"

	The registry entry below ... IT IS JUST COSMETIC !!!

	[HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001\Standard Edition]
	"Name"=""
	"Company"=""


14.  How can I practise with my own user name ?

	-  I strongly recommend you not to do this !
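     Going back to step 13 : the [WB] section is a bare flag.
     Registered=True is tied neither to the owner nor to the program, so
     the text file alone decides the state. The Python below is an added
     example, not WinBoost's real format or Magellass' code, putting that
     bare flag beside a layout where the proof stored in the INI is an
     HMAC over the product name and the owner, so changing the owner or
     dropping the section into another install makes the check fail. The
     key, the product string and the INI text are constructed for the
     example.

```python
import configparser
import hashlib
import hmac

# Constructed copy of the [WB] section from step 13: registration is a bare
# flag, so whoever can write WIN.INI decides the state.
WIN_INI_PLAIN = "[WB]\nOwner=Pirates Order\nRegistered=True\n"

# Hardened layout (an assumption for this example, not WinBoost's format).
PRODUCT = "WinBoost 2001 Standard Edition"
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"


def issue_proof(owner: str, key: bytes = VENDOR_KEY) -> str:
    """HMAC-SHA256 over product name and owner; this is what registration
    writes instead of the word 'True'."""
    msg = (PRODUCT + "\n" + owner.strip()).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _section(ini_text: str) -> dict:
    """Parse the [WB] section; configparser lower-cases the key names."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return dict(cp["WB"]) if cp.has_section("WB") else {}


def is_registered_plain(ini_text: str) -> bool:
    """The shipped logic as the tutorial describes it: trust the flag."""
    return _section(ini_text).get("registered", "").lower() == "true"


def make_bound_ini(owner: str) -> str:
    """What the hardened registration writes to WIN.INI."""
    return "[WB]\nOwner=%s\nProof=%s\n" % (owner, issue_proof(owner))


def is_registered_bound(ini_text: str, key: bytes = VENDOR_KEY) -> bool:
    """Accept only if the stored proof matches the owner actually in the
    file; a missing, edited or transplanted section fails."""
    sec = _section(ini_text)
    proof = sec.get("proof", "").encode("utf-8")
    expected = issue_proof(sec.get("owner", ""), key).encode("utf-8")
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    bound = make_bound_ini("Pirates Order")
    print("plain flag accepted :", is_registered_plain(WIN_INI_PLAIN))
    print("bound, untouched    :", is_registered_bound(bound))
    print("bound, owner edited :",
          is_registered_bound(bound.replace("Pirates Order", "Someone Else")))
```

     An HMAC key that lives inside the program can be read out of it
     just like the codes in steps 6 to 11, so this layer only makes the
     flag tamper-evident against file edits. A vendor who wants the
     check to hold up under a debugger makes the proof a public-key
     signature and ships only the public key.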



END NOTES

   This program is sold as shareware, so you can try before you buy.
   This is convenient for you, saves expenses by dispensing with all
   that packaging, and cuts out the middle person.  So it is cheap,
   but it is not free.
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing:
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute a crack release based on this tutorial, because
   that makes you a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of
   a personal computer, using a Hex Editor, ripping off other group(s)'
   crack release and repacking (distro) them under his name.
   Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 )

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez
	d00dz, crackers, and phreakers. Oppose elite. Has the same
	connotations of self-conscious elitism that use of luser does
	among hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-winboost2001.zip
[EOF] 10/30/00 6:32:09 PM