WHY PATCHING WHILE SERIAL NUMBER IS FISHY

WinBoost 2001 Standard Edition
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by any means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

WINBOOST 2001
Expose all mysteries and reveal all secrets of Windows ME/98/95! WinBoost is a special utility to configure and personalize the look and feel of Windows ME/9X (98/98SE/95). Using an easy-to-use graphical user interface you can configure hundreds of hidden Windows ME/9X settings, from the Start Menu, Desktop, Accessories and Windows Explorer to Internet Explorer. This is something you cannot do through regular operation. In addition, you get hundreds of selected Windows ME/9X Tips & Tricks to boost your Windows performance.

WHERE TO DOWNLOAD

Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.winboost.com/wb2001s.zip
           http://www.simtel.net/pub/simtelnet/win95/winme/wb2001s.zip
Size     : 1.3 MB - as of October 23, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This is the last in my series of crack tutorials for Magellass' programs. In fact, by reading my earlier tutorials ( InternetTweak, MemMonster, KeyPack and DesktopCycler ) you can easily find the correct reg. code, because the protection remains the same, or at least similar. Currently they are available at :

http://home.luna.nl/~enigma/TNT/tnt2k.htm
or
http://www.ciafiles.visionz.eu.org/

Before you continue, I remind you again that this program is possibly packed and developed with anti-debugging tricks, so be prepared to face unexpected occurrences.
LASTLY, I personally express my sincere salutation to the authors at Magellass Corporation : Dani Okianto, Diki Septanto, Sandi Yulianto and Irma Aryani - the " barudak Bandung " - " juragan bakso " - " juragan kurupuk " - you guys have done a great job since you released WinBoost in mid 1998. You never gave up fighting against the crackers all over the Net. Keep up da GOOD WORK. KANG DANI IS REALLY GREAT, EH ??? Nice try with your CLSID .... even though you hid it, it still got found, eh ... forgive me. However, the secret that you kept has been revealed.

1. Run WB2K1S.EXE; in the opening nag screen click the REGISTER button. In the registration dialog box type the information below :

       User Name : Pirates
       Order Key : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ] and create a new breakpoint as follows :

       BPX HMEMCPY [enter]

   then press F5 to return to the main program.

3. Now click the OK button ... you'll return to SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code, as follows :

   _________________________________________________________________
   015F:004BED96 E8F1F4F6FF   CALL 0042E28C        <===== break here
   015F:004BED9B 8B55F8       MOV EDX,[EBP-08]
   015F:004BED9E 8B45FC       MOV EAX,[EBP-04]     <== d edx
   015F:004BEDA1 E82AFDFFFF   CALL 004BEAD0
   015F:004BEDA6 8D55F0       LEA EDX,[EBP-10]     <== ? eax
   015F:004BEDA9 E85294F4FF   CALL 00408200
   015F:004BEDAE 33C0         XOR EAX,EAX          <====== ? ecx
   015F:004BEDB0 5A           POP EDX
   015F:004BEDB1 59           POP ECX
   015F:004BEDB2 59           POP ECX              <========== d ecx
   015F:004BEDB3 648910       MOV FS:[EAX],EDX
   015F:004BEDB6 6894FA4B00   PUSH 004BFA94
   015F:004BEDBB 8B45F4       MOV EAX,[EBP-0C]
   015F:004BEDBE 8B55F0       MOV EDX,[EBP-10]     <== d eax
   015F:004BEDC1 E8D24FF4FF   CALL 00403D98        <====== d edx
   015F:004BEDC6 0F851F0100   JNZ 004BEEEB
   015F:004BEDCC 8B45F0       MOV EAX,[EBP-10]
   015F:004BEDCF BA04FB4B00   MOV EDX,004BFB04
   015F:004BEDD4 E8BF4FF4FF   CALL 00403D98
   ......
   ......
   ______________________WB2K1S!+000BDD90_______________________

   Disable the previous breakpoint and create a new one as follows :

       BC * [enter]
       BPX 015F:004BED96 [enter]

4. Let's trace the snippet of code above. Press F10 2 times - stop at 015F:004BED9E - and display the EDX register :

       d edx [enter]

   ==> your name appears in the Data Window at virtual address 0167:01282654 .

5. Press F10 - stop at 015F:004BEDA6 - and watch the Register Window: did you see that now EAX=26380694 ? Check the contents of the EAX register :

       ? EAX [enter]

   SoftIce will respond : 26380694 0641205908 "&8 " ==> pay attention ..... The same value will be moved to the ECX register; you can check that when you're at memory address 015F:004BEDAE.

6. Press F10 - stop at 015F:004BEDB2 - and display the ECX and EDX registers :

       d ecx [enter]   or   d edx [enter]

   ==> look in the Data Window between virtual address 0167:004BFB0A and 0167:004BFC3A ... they look like serial numbers, right ? But who knows whether they're bogus or blacklisted reg. codes put there by the Author. However, write down those suspicious reg. codes !! I'll show you what they look like :

   _____ WB2K1S!+000BEA8A____________byte__________PROT__________
   0167:004BFA8A E9 3D 3A ...... 59 59 64 .=:...'...3.ZYYd
   0167:004BFA9A 89 10 EB ...... 8C 79 40 ......8.......y@
   0167:004BFAAA 00 AF FA ...... E8 B8 3A ...K..E..a.....:
   0167:004BFABA F4 FF 33 ...... 4B 00 8D ..3.ZYYd..h..K..
   0167:004BFACA 85 8C FE ...... FE FF FF ......8?........
   0167:004BFADA E8 2D 3F ...... E8 44 3F .-?...E.......D?
   0167:004BFAEA F4 FF C3 ...... 8B E5 5D .....9...._^[..]
   0167:004BFAFA C3 00 FF ...... 00 FF FF ..........0.....
   0167:004BFB0A FF FF 09 ...... 39 32 00 ......417478292.  <===
   0167:004BFB1A 00 00 FF ...... 32 38 37 ..........684287
   0167:004BFB2A 37 36 35 ...... 00 37 35 765...........75
   0167:004BFB3A 37 39 38 ...... FF 09 00 7989533.........
   0167:004BFB4A 00 00 34 ...... 00 FF FF ..426952673.....
   0167:004BFB5A FF FF 09 ...... 37 38 00 ......423946978.
   0167:004BFB6A 00 00 FF ...... 33 37 30 ..........800370
   0167:004BFB7A 33 34 30 ...... 00 36 39 340...........69
   0167:004BFB8A 30 39 35 ...... FF 09 00 0959612.........
   0167:004BFB9A 00 00 34 ...... 00 FF FF ..423925943.....
   0167:004BFBAA FF FF 09 ...... 32 37 00 ......409496927.
   0167:004BFBBA 00 00 FF ...... 35 39 33 ..........291593
   0167:004BFBCA 34 32 38 ...... 00 37 39 428...........79
   0167:004BFBDA 33 34 35 ...... FF 09 00 3459583.........
   0167:004BFBEA 00 00 39 ...... 00 FF FF ..960946252.....
   0167:004BFBFA FF FF 09 ...... 34 30 00 ......744779840.
   0167:004BFC0A 00 00 FF ...... 39 32 30 ..........866920
   0167:004BFC1A 33 39 37 ...... 00 37 36 397...........76
   0167:004BFC2A 30 37 38 ...... FF 09 00 0783478.........
   0167:004BFC3A 00 00 36 ...... 00 FF FF ..685275290.....  <===
   0167:004BFC4A FF FF 2F ...... 74 20 32 ../...WinBoost 2
   0167:004BFC5A 30 30 31 ...... 72 65 67 001 has been reg
   0167:004BFC6A 69 73 74 ...... 73 73 66 istered successf
   0167:004BFC7A 75 6C 6C ...... 00 5C 77 ully..........\w
   0167:004BFC8A 69 6E 2E ...... FF 05 00 in.ini..........
   .....
   .....
   _______________________________________________________________

7. Press F10 - stop at 015F:004BEDBE - and display the EAX register :

       d eax [enter]

   ==> your fake code appears at virtual address 0167:01243B48 .

8. Press F10 - stop at 015F:004BEDC1 - and display the EDX register :

       d edx [enter]

   ==> did you see 641205908 appear at virtual address 0167:01481E08 ??? Do you remember what I told you in Step #5 above ?? Don't you think this one is the real reg. code ? Write it down !

9. Disable the currently existing breakpoints and press F5 to return to the registration dialog box :

       bd * [enter]

   Press F5 to return to the registration dialog box.

10. Re-type your user name and key in 641205908 as your registration code. Ouch .... did you get " WinBoost 2001 has been registered successfully " on your screen ?

11. Noooooooooo ?? hehehe .... there must be something wrong here. Let's get back to tracing the code again ... repeat step #8 !
   Starting from 015F:004BEDC1 , press F10 until you reach the snippet of code below :

   015F:004BF654 E8D345F4FF   CALL 00403C2C
   015F:004BF659 33DB         XOR EBX,EBX
   015F:004BF65B 8D8D90FEFF   LEA ECX,[EBP-0170]
   015F:004BF661 0FBFD3       MOVSX EDX,BX
   015F:004BF664 A17C1E4C00   MOV EAX,[004C1E7C]
   015F:004BF669 8B00         MOV EAX,[EAX]
   015F:004BF66B 8B4048       MOV EAX,[EAX+48]
   015F:004BF66E 8B4024       MOV EAX,[EAX+24]
   015F:004BF671 8B30         MOV ESI,[EAX]
   015F:004BF673 FF560C       CALL [ESI+0C]
   015F:004BF676 8B9590FEFF   MOV EDX,[EBP-0170]
   015F:004BF67C 8B45E8       MOV EAX,[EBP-18]     <== D EDX
   015F:004BF67F E81447F4FF   CALL 00403D98
   ....
   ....
   ______________________WB2K1S!+000BE654_______________________

   On the 26th press of F10 - stop at 015F:004BF67C - display the EDX register :

       d edx [enter]

   ==> did you see 9M2R4-U974H-YE07H-1Y1P6 appear at virtual address 0167:013255A0 ??? Again, several lines below there are a lot of interesting unique codes. WRITE THEM DOWN again !!! Here's what I got on my screen ( only a part of them ) :

   0167:013255A0 39 4D 32 45 30 37 9M2R4-U974H-YE07
   0167:013255B0 48 2D 31 00 00 00 H-1Y1P6.&.......
   0167:013255C0 14 00 00 35 2D 44 ....7W4Z4-O105-D
   0167:013255D0 5A 32 34 00 00 00 Z24-8U8J.U2.....
   0167:013255E0 01 00 00 6E 61 6C ........BO11.nal
   0167:013255F0 18 00 00 00 00 00 ....&...........
   0167:01325600 31 58 32 4F 38 37 1X2K1-T562F-UO87
   0167:01325610 43 2D 36 00 00 00 C-6R4U8.&.......
   0167:01325620 17 00 00 33 55 2D ....5E3D1-E283U-
   0167:01325630 50 57 32 00 00 00 PW23X-3R6H7.&...
   0167:01325640 01 00 00 2D 4E 39 ........7Z2H3-N9
   0167:01325650 36 35 51 53 35 00 65Q-OV65T-3M0S5.
   0167:01325660 26 00 00 4A 32 59 &...........7J2Y
   0167:01325670 36 2D 52 2D 35 42 6-R718G-HG36K-5B
   0167:01325680 35 53 32 00 00 00 5S2.&...........
   0167:01325690 35 48 31 4B 37 36 5H1K3-Q604V-JK76
   0167:013256A0 59 2D 38 00 00 00 Y-8L2V1.&.......
   0167:013256B0 17 00 00 36 4E 2D ....8W1T6-H236N-
   0167:013256C0 49 4E 31 00 00 00 IN19W-2W5T6.&...
   0167:013256D0 01 00 00 2D 50 31 ........4R2W1-P1

   You can see other potential reg. codes in different locations, i.e. 0167:013256D0 up to 0167:013262C0 ; 0167:01326970 up to 0167:013276C0 ... etc.; just scroll up and down from virtual address 0167:013255A0 . I am not sure whether the Author is a genius or sick in the head .... while scrolling up/down you'll see weirdo sticky notes like " Si Brinos " ( his dog's name ), " Dani nu ganteng tea " ( means Dani the handsome guy ), " Juragan krupuk " ( means fried chips master ), " juragan bakso " ( means meatballs master ) .... etc.

12. Enough's enough .... disable all breakpoints ( wait, don't forget to set a new breakpoint at 015F:004BF673 for further usage ). Retype your user name and key in 9M2R4-U974H-YE07H-1Y1P6 as your registration code. Click the OK/REGISTER button .... this time you get " WinBoost 2001 has been registered successfully " .

13. Where the hell is my registration code stored ?? The registration info is stored in WIN.INI under the statement below :

       [WB]
       Owner=Pirates Order
       Registered=True

   ( deleting this statement will return the program to unregistered ). Also check this registry entry :

       REGEDIT4

       [HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001]
       "CDROM"=""
       "Welcome"="1"
       "StartText"="Start"
       "FavoritesText"="F&avorites"
       "DocumentsText"="&Documents"
       "FindText"="&Find"
       "SettingsText"="&Settings"
       "HelpText"="&Help"
       "LogOffText"="&Log Off"
       "ShutDownText"="Sh&ut Down..."
       "RunText"="&Run..."
       "InfoTip"="Click here to begin."
       "ProgramsText"="&Programs"
       "Dir"="C:\\Program Files\\WinBoost 2001"
       "Registered"="True"

   The registry entry below ... IT IS JUST COSMETIC !!!

       [HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001\Standard Edition]
       "Name"=""
       "Company"=""

14. How can I practise with my own user name ? - I strongly recommend you not to do this !

END NOTES

This program is sold as shareware, so you can try before you buy.
This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute a crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases and repacking (distro) them under his own name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-winboost2001.zip
[EOF] 10/30/00 6:32:09 PM
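What the trace above exposes is a design weakness rather than a clever protection: the program builds the expected code ( the value landing in EAX at 015F:004BEDA6, and later the string at 0167:013255A0 ) and then string-compares it against what was typed, so a valid code is sitting in the Data Window next to the compare. The Go program below is an added example, not code from the tutorial or from Magellass, showing the verify-only alternative a vendor can use instead: the product embeds only an Ed25519 public key and checks a signature over the user name, so no routine inside the product ever produces a valid key. The key pair, the name "Pirates" and the key format are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// b32 is the alphabet for the printed licence string (no '=' padding).
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// keyMessage canonicalises the name so "Pirates" and " pirates" match.
func keyMessage(name string) []byte {
	return []byte(strings.ToLower(strings.TrimSpace(name)))
}

// IssueKey runs only at the vendor: the licence key is the signature
// over the user name. The private key never ships inside the product.
func IssueKey(priv ed25519.PrivateKey, name string) string {
	return b32.EncodeToString(ed25519.Sign(priv, keyMessage(name)))
}

// VerifyKey runs inside the product. It holds only the public key, so
// the check is verify-only, not generate-and-compare: a debugger at the
// comparison sees the typed key and a yes/no, never a valid key.
func VerifyKey(pub ed25519.PublicKey, name, entered string) bool {
	clean := strings.ToUpper(strings.ReplaceAll(entered, "-", ""))
	sig, err := b32.DecodeString(clean)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed or truncated key
	}
	return ed25519.Verify(pub, keyMessage(name), sig)
}

func main() {
	// Constructed demo key pair; a real vendor generates it once, offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	key := IssueKey(priv, "Pirates")
	fmt.Println("issued key      :", key)
	fmt.Println("valid for Pirates:", VerifyKey(pub, "Pirates", key))
	fmt.Println("valid for Other  :", VerifyKey(pub, "Other", key))
}
```

Patching the JNZ after the verify call still works against this scheme, which is why a verify-only check defends only the key, not the binary itself.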