SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING


EASY CLEAN v3.5.00 Final release
A Cracking Tutorial 
by ASTAGA [WTF/TTM]


DISCLAIMER 

This reading material is not intended to violate copyrights 
and/or the law; it is for educational purposes only. I hold no 
responsibility (by any means and in any shape whatsoever) 
for the misuse of this material.
Read the END NOTES section at the end of this file.



ABOUT THE PROGRAM 


EasyClean is a powerful application deinstallation tool. It can
monitor and register virtually all changes made to your system 
by installation programs, enabling you to remove applications 
very thoroughly. 

EasyClean is designed for Windows® 95, 98 and NT 4/5 and has 
been tested extensively on all these systems. It is particularly
effective at monitoring and handling changes to the Windows 
registry. This means that with EasyClean, your registry will no 
longer be a bottomless pit full of data garbage!


Features :

o  Correct handling of Shared DLLs
o  Faster registry and file compare for log file generation
   (particularly with larger numbers of selected items)
o  Bugfix: When restoring empty registry entries EasyClean 
   now writes a null string instead of '(empty)'.
o  Restored log file items are now displayed grayed and they 
   are only restored once, even if you choose the same item 
   twice.
o  An error message is now displayed when you attempt to 
   delete non-existent registry items. 
o  Recursive handling of subfolders in the log file now works 
   much better.
o  New automatic check to prevent selection of duplicate 
   registry keys (e.g. HKEY_CURRENT_USER and HKEY_USERS, which 
   often contain duplicate entries). 



WHERE TO DOWNLOAD


Author   	: Bernd Klaiber
Copyright	: EDV-Beratung
Homepage 	: http://www.bkedv.de
URL		: http://www.bkedv.de/download/EZClean3.zip
Size 		: 612  KB  as of August 31, 2000
Rel Date	: 10/10/99



HOW TO GET VALID SERIAL NUMBER by using SoftIce


I didn't check whether there is a new version at the
above-mentioned URL, since I found this one like a treasure
on my unopened hard disk.  I like this one compared to 
similar utilities, i.e. UnInstallmanager v3.21; it feels
more reliable and user-friendly.


1.  Run EASYCLEAN.EXE and, in the registration dialog box, type 
    the following information :

	Name	 : Red Rackham
	Code    : 73881050

    Do not click the OK button yet.
    

2.  Load SoftIce by pressing [ CTRL + D ] and set a breakpoint 
    as follows :
    

	BPX hmemcpy     [enter]   and
   	F5  to return to the main program


3.  Now click the OK button... you'll drop back into SoftIce!
    Within SoftIce press F11, F5, F11, then F12 11 times 
    until you break at :

	______________________________________________________________

	015F:0049A679  E8BE42F9FF     CALL  0042E93C          break
	015F:0049A67E  8B95F4FDFFFF   MOV   EDX,[EBP-020C] <== here
	015F:0049A684  8D85F8FDFFFF   LEA   EAX,[EBP-0208]
	015F:0049A68A  B9FF000000     MOV   ECX,000000FF
	015F:0049A68F  E83497F6FF     CALL  00403DC8
	015F:0049A694  8D95F8FDFFFF   LEA   EDX,[EBP-0208]
	015F:0049A69A  8B8354040000   MOV   EAX,[EBX+00000454]
	015F:0049A6A0  59             POP   ECX
	015F:0049A6A1  E8EEAAFDFF     CALL  00475194 
	015F:0049A6A6  85C0           TEST  EAX,EAX
	015F:0049A6A8  0F85CD000000   JNZ   0049A77B

	___________________ EASYCLEAN!CODE+00099679  __________________

    	Create a new breakpoint by typing :
	: bd *  [enter] ==> hmemcpy no longer needed
	: bpx 015F:0049A679  [enter]

	Press F10 once - you stop at 015F:0049A684 - then display the
	EDX register :

	: d edx  [enter]  	Do you see your fake code at virtual 
				address 0167:0055E690 ?


	Press F10 6 times - you stop at 015F:0049A6A1 - then display
	the ECX register :

	: d ecx  [enter]  	Do you see your fake code at virtual 
				address 0167:0075F810 ?

	Press F10 once - you stop at 015F:0049A6A6 - then do the
	following :

	: ? ecx  [enter]
	34362409  0875963401  "46$ " ==>	Something suspicious.
				  Look 2 lines below: an XOR and a
				  conditional JUMP instruction are
				  waiting for your next keystroke.
				  Think also at this stage about why 
				  EAX=1 instead of 0 if it is not
				  registered.
				  Secondly, EDX needs to be dumped.

	: d edx  [enter] ==>	Do you see the 'miracle'? Your
				fake code re-appears at virtual 
				address 0167:0075F578, and 4 lines 
				below it is the complete version of 
				the ECX contents, that is  
				$64734880u .  
				Write down this suspicious code.

	Note : do you want a keygen? Trace the CALL functions
	at 015F:0049A68F and 015F:0049A6A1.
	Remember, to me KeyGen is DEMON.


5.  Disable all breakpoints by typing 

	BD *   [enter]
	Press F5 or X to return to the main program
     

8.  Repeat the registration procedure and key in  $64734880u  as 
    your S/N. 
    Click the OK button ..... and there you are, registered.


9.	Where the hell is my registration code stored ??

	The correct registration code is stored in Ezclean3.key
	in your Windows folder.


10.  How can I practise with my own user name ?

	-  I strongly recommend that you not do this !
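
Why the steps above work, seen from the developer's side, as an added example (not part of the original tutorial and not EasyClean's code): a check that holds the valid code in memory next to the typed one hands it to anyone with a debugger, while a check that verifies a vendor signature with a public key has nothing valid to leave there. The serial derivation, the toy RSA key, the names weak_check, signed_check and vendor_issue, and the memory list (a stand-in for what a debugger dump shows) are all assumptions.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too small
# for real use and unpadded. Assumption made only to keep this runnable.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public half: shipped in the program
D = pow(E, -1, (P - 1) * (Q - 1))    # private half: vendor only, never shipped

def digest(name):
    """Map a licensee name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def derive_serial(name):
    """Hypothetical weak scheme: the serial is a pure function of the name."""
    return "%08d" % (digest(name) % 10**8)

def weak_check(name, entered, memory):
    expected = derive_serial(name)   # the valid serial now exists in-process
    memory.append(expected)          # models what a debugger dump would show
    return entered == expected

def vendor_issue(name):
    """Runs on the vendor's machine only; needs the private exponent D."""
    return format(pow(digest(name), D, N), "x")

def signed_check(name, entered, memory):
    try:
        sig = int(entered, 16)
    except ValueError:
        return False                 # not hex at all
    if not 0 < sig < N:
        return False
    recovered = pow(sig, E, N)       # computed from the entered value only
    wanted = digest(name)
    memory.extend([format(recovered, "x"), format(wanted, "x")])
    return recovered == wanted

if __name__ == "__main__":
    name, fake = "Red Rackham", "73881050"   # name and fake code from step 1
    seen = []
    weak_check(name, fake, seen)
    print("weak check leaks a working serial:", weak_check(name, seen[0], []))
    seen = []
    signed_check(name, fake, seen)
    print("signed check leaks one:", vendor_issue(name) in seen)
```

A shipping product would use a vetted signature library (Ed25519, for example) rather than this unpadded toy RSA.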




					E N D   N O T E S


		Distributing your serial number is illegal and is no 
			different than distributing illegal 
				copies of the registered 
				 software. Violation of
					this rule may 
					  result in 
			temporary or permanent revocation of this
			     license and cancellation of the 
			              serial number; 
				   the original licensee
			   will also be held responsible for 
			    damages, physical and estimated.


   Do not distribute your crack release based on this tutorial, because
   you would become a LAMER!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer, using a Hex Editor, ripping off other groups'
   crack releases and repacking (distro) them under his name. 
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same 
	connotations of self-conscious elitism that use of luser does 
	among hackers.
      < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 		Never attribute to malice that which is adequately 
				explained by stupidity


ASTAGA [WTF/TTM/D4C/C4A] tute-easyclean350.zip
[EOF] 1/18/01 8:51:13 AM
00) * BPX KERNEL!HMEMCPY
01)   BPX #015F:0049A679