-->Tutorial number 4--<

Name    : Clean Disk Security
Version : 4.73
Target  : Clndisk.exe
Tools   : W32dasm : Hiew : Brain
Cracker : KlimaX

Get it at: http://www.ozemail.com.au/~kevsol/sware.html

...---===This tut is best viewed in full screen===---...

==>DISCLAIMER<==
For educational purposes ONLY! I hold absolutely NO responsibility for the misuse of this material!

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____
===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

----====The cracking part====----

After spending some time going through the prog in SICE (SoftICE), I decided to make a patch instead of spending more time trying to locate the real serial. This protection scheme was very, very easy; just follow my example and you'll find out for yourselves!!!!! ;)

1) The first thing we want to do is start the program, press "About", then "Enter password", fill out the box and press OK. Now a nasty message pops up and tells you that your password is incorrect, and on top of that you'll have to wait a full 30 seconds before the message disappears and you can get on with your life. Well, don't cry - crack!! ;)

2) Now that we know the "Bad boy" message, let's fire up W32dasm and disassemble the prog. Search for the message under String Data References (remember, they're all lined up in alphabetical order). Couldn't find it? Me neither, so let's think ahead of where we are. We know the "Bad boy" message, but what about imagining what the "Good boy" message could be? Scroll down the SDR list and search for "Registered". Found it? I did, so let's double-click on it a couple of times to see how many references there are. I counted 3.
The first one should be here:

* Possible StringData Ref from Code Obj ->"khfgsxdkknv"
:0045E13C BA58E24500              MOV EDX, 0045E258
:0045E141 E8DE5EFAFF              CALL 00404024
:0045E146 7536                    JNE 0045E17E          <- This we want to change to JE
:0045E148 A1B4EF4700              MOV EAX, DWORD PTR [0047EFB4]
:0045E14D C60001                  MOV BYTE PTR [EAX], 01
:0045E150 A14CF34700              MOV EAX, DWORD PTR [0047F34C]
:0045E155 8B00                    MOV EAX, DWORD PTR [EAX]
:0045E157 8BB0F4020000            MOV ESI, DWORD PTR [EAX+000002F4]
* Possible StringData Ref from Code Obj ->"Registered"
:0045E15D BA6CE24500              MOV EDX, 0045E26C     <- You land here
:0045E162 8BC6                    MOV EAX, ESI
:0045E164 E8BFFEFCFF              CALL 0042E028
:0045E169 33D2                    XOR EDX, EDX
:0045E16B 8BC6                    MOV EAX, ESI
:0045E16D 8B08                    MOV ECX, DWORD PTR [EAX]

When you land at :0045E15D, scroll up to the nearest conditional jump; in this case it is the JNE at :0045E146. Nothing between the CALL 00404024 and the JNE touches the flags, so the jump is decided purely by what that call returns (by the look of it, a compare against the string just loaded into EDX). When the jump is taken, the code that sets the byte at [0047EFB4] to 01 and shows "Registered" is skipped; flipping JNE (75) to JE (74) makes that code run on a mismatch instead. Bear in mind that inverting a jump inverts the other case too: whatever string would have passed the compare before now takes the "Bad boy" path. Place the bar on the JNE and note the @offset W32dasm shows in the status bar (mine is 5D546). Now we move on to the second "Registered" reference, so move the bar back to where we landed, :0045E15D (otherwise you'll land there again when you double-click on "Registered" in the SDR list), and double-click on "Registered" in the SDR box.
On the second one you'll land here:

* Possible StringData Ref from Code Obj ->"cddodqddm"
:0045E181 BA80E24500              MOV EDX, 0045E280
:0045E186 E8995EFAFF              CALL 00404024
:0045E18B 7547                    JNE 0045E1D4          <- This we want to change to JE
:0045E18D A1B4EF4700              MOV EAX, DWORD PTR [0047EFB4]
:0045E192 C60001                  MOV BYTE PTR [EAX], 01
:0045E195 A14CF34700              MOV EAX, DWORD PTR [0047F34C]
:0045E19A 8B00                    MOV EAX, DWORD PTR [EAX]
:0045E19C 8BB0F4020000            MOV ESI, DWORD PTR [EAX+000002F4]
* Possible StringData Ref from Code Obj ->"Registered"
:0045E1A2 BA6CE24500              MOV EDX, 0045E26C     <- You land here
:0045E1A7 8BC6                    MOV EAX, ESI
:0045E1A9 E87AFEFCFF              CALL 0042E028
:0045E1AE 33D2                    XOR EDX, EDX

Same pattern as the first block, only a different string is loaded into EDX (the bytes BA 80 E2 45 00 decode to MOV EDX, 0045E280) before the same CALL 00404024 and JNE. Again, when you land at :0045E1A2, scroll up, place the bar on the first JNE you come to, and note the @offset (here mine is 5D58B). Now scroll the bar back down to where we landed (:0045E1A2) and double-click on "Registered" for the last time. You should land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045E6FD(C)
|
:0045E768 803800                  CMP BYTE PTR [EAX], 00
:0045E76B 741B                    JE 0045E788           <- This we want to change to JNE
:0045E76D 8B9BF4020000            MOV EBX, DWORD PTR [EBX+000002F4]
* Possible StringData Ref from Code Obj ->"Registered"
:0045E773 BAA4E74500              MOV EDX, 0045E7A4     <- You land here
:0045E778 8BC3                    MOV EAX, EBX
:0045E77A E8A9F8FCFF              CALL 0042E028
:0045E77F 33D2                    XOR EDX, EDX

When you land at :0045E773, again scroll up to the nearest conditional jump, the JE at :0045E76B. This one is the other half of the scheme: the first two blocks set a flag byte to 01 when their compare passes, while this block tests a byte for zero and, if it is zero (the unregistered case), jumps past the "Registered" text. Changing JE (74) to JNE (75) shows "Registered" exactly when that byte is still zero. Note the @offset (mine is 5DB6B) and shut down W32dasm.

3) Now we need to edit these 3 @offsets, so make a backup of Clndisk.exe and fire up Hiew (or any other hex editor). Press F4 and select Decode (you can also change Hiew.ini so it always starts in code mode: open Hiew.ini and set code as the start mode, yes it's that easy ;). Now press F5 and type in your first @offset (5D546). Check that the byte at the cursor really is 75; if it isn't, you have a different build of the prog and these offsets won't line up, so stop and redo step 2 on your copy. When you're at the @offset, press F3 and change the 75 to 74.
Press F9 to save the change, then F5 again to type in the second @offset (5D58B). Again change the 75 to 74 and press F9 to save. Finally press F5 yet again, type in the third @offset (5DB6B), press F3 and this time change the 74 to 75. Press F9 to save and F10 to exit Hiew.

Now try and open Clean Disk, press the About button and guess what: it says you're registered, and we didn't even need to type in any stupid passwords. Now that's a lame protection scheme. I give this protection 9 out of 10 stars in stupidity.

--==!!Please notice that the contents of this tutorial will only make the "Enter Password" button say "Registered" and remove the shareware reminders; the "Clean File Slack Space" option will still be disabled ;)

_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____=====_____
===== ===== ===== ===== ===== ===== ===== ===== ===== ===== ===== =====

--==>Please bear in mind that shareware programs are a commercial benefit, because they give you the opportunity to "Try before you Buy". Therefore, if you like a shareware program, please be sure to pay the authors/makers, so they don't stop making them.

-=>LAST WORDS:
If you have any comments on this tut, feel free to mail me at KlimaX_v2000@mail.com
_ _ _ _ _ _ _ _
Special thanks to tKC for releasing those great tuts, keep on making 'em! They are the BEST!!!!!
And to the TNT Crack Team, as they have the ultimate cracking site; you simply have to try it!!!!!!!!
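Added example (editor's code, not KlimaX's and not anything shipped with Clean Disk): the bookkeeping from steps 2 and 3 done in Python instead of by hand. It reads the PE section table to turn a W32dasm address into the @offset Hiew wants, refuses to write unless the byte there is the 75/74 the listing shows, and decodes the jump/call displacements so you can confirm the listing's targets (7536 at 0045E146 really goes to 0045E17E). The executable it patches is built inside the block as a stand-in for Clndisk.exe: one .text section at RVA 1000h with raw data at 400h and image base 400000h, a layout that reproduces the tutorial's VA/@offset pairs but is an assumption, not something read from the real file. Point apply_patches at the real Clndisk.exe (after backing it up) to use it for real.

```python
import struct

# The three patch sites from the tutorial: (VA as W32dasm shows it, opcode byte
# that must be there, byte to write, what the change does).
PATCHES = [
    (0x0045E146, 0x75, 0x74, "JNE 0045E17E -> JE"),
    (0x0045E18B, 0x75, 0x74, "JNE 0045E1D4 -> JE"),
    (0x0045E76B, 0x74, 0x75, "JE  0045E788 -> JNE"),
]

def parse_pe(data):
    """Return (image_base, [(vaddr, vsize, raw_ptr, raw_size), ...]) of a PE32."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):                     # IMAGE_SECTION_HEADER x N
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections

def va_to_offset(va, image_base, sections):
    """Map a virtual address to its file offset (what W32dasm calls @Offset)."""
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            if rva - vaddr >= rsize:
                raise ValueError("VA %08X is not backed by file data" % va)
            return rptr + (rva - vaddr)
    raise ValueError("VA %08X falls outside every section" % va)

def branch_target(va, insn):
    """Target of a short Jcc/JMP (rel8) or near CALL/JMP (rel32) located at va;
    a quick way to confirm the listing, e.g. 7536 at 0045E146 -> 0045E17E."""
    op = insn[0]
    if 0x70 <= op <= 0x7F or op == 0xEB:
        return va + 2 + struct.unpack("<b", insn[1:2])[0]
    if op in (0xE8, 0xE9):
        return va + 5 + struct.unpack("<i", insn[1:5])[0]
    raise ValueError("not a relative branch opcode: %02X" % op)

def apply_patches(data, patches):
    """Return a patched copy; refuse to overwrite a byte that isn't the expected one."""
    image_base, sections = parse_pe(data)
    out = bytearray(data)
    for va, expect, new, what in patches:
        off = va_to_offset(va, image_base, sections)
        if out[off] != expect:
            raise ValueError("%08X (@offset %X): found %02X, expected %02X (%s)"
                             % (va, off, out[off], expect, what))
        out[off] = new
    return bytes(out)

def build_sample_pe():
    """Constructed stand-in for Clndisk.exe, NOT the real file: one .text section
    at RVA 1000h, raw data at 400h, image base 400000h (an assumed layout that
    reproduces the tutorial's VA/@offset pairs), with the listing's opcode bytes
    planted at the three sites."""
    image_base, text_rva, text_raw, text_size = 0x00400000, 0x1000, 0x400, 0x5E000
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<8sIIII", hdr, opt + 0xE0,
                     b".text", text_size, text_rva, text_size, text_raw)
    body = bytearray(text_size)
    for va, raw in ((0x0045E146, b"\x75\x36"), (0x0045E18B, b"\x75\x47"),
                    (0x0045E76B, b"\x74\x1B")):
        off = va - image_base - text_rva
        body[off:off + 2] = raw
    return bytes(hdr + body)

if __name__ == "__main__":
    sample = build_sample_pe()      # for the real thing: open("Clndisk.exe", "rb").read()
    base, secs = parse_pe(sample)
    for va, expect, new, what in PATCHES:
        print("%08X -> @offset %05X  %02X->%02X  %s"
              % (va, va_to_offset(va, base, secs), expect, new, what))
    patched = apply_patches(sample, PATCHES)   # write it out once the original is backed up
```

The expected-byte check is the part worth keeping even if you patch by hand: it is what tells you the file in front of you is the build the offsets were taken from, and it also stops you from applying the patch twice, since the second run finds 74 where it expects 75 and bails out instead of silently flipping the jump back.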