SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING

D E S K T O P   D E S T R O Y E R   V 2.0

A Cracking Tutorial by ASTAGA [WTF/TTM]*


DISCLAIMER

This reading material is not intended to violate copyrights and/or
the law, but is for educational purposes only. I hold no
responsibility ( by any means and in any shape whatsoever ) for the
misuse of this material. Read the END NOTES section at the end of
this file.


ABOUT THE PROGRAM

Blow Up Your Desktop in 3D! This screen-saver takes a snapshot of
your desktop and projects it into a 3D world, where it is dissected
into an arbitrary number of explosions. There are also modes where
it will run a wave through your 3D screen, giving a cool wave
effect. Almost every option is changeable, including animation
support which allows the screen to rotate on all three axes and zoom
in and out.

Requirement : First, to make sure you have the latest OpenGL drivers
for your video card, get glSetup at www.glsetup.com.


WHERE TO DOWNLOAD

Author    : Isotope244 Graphics LLC
Copyright : Isotope244 Graphics LLC
Homepage  : http://www.isotope244.com
URL       : http://www.isotope244/DesktopDestroyer.zip
Size      : 105 KB as of December 27, 2000
Rel Date  : July 2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce

This time you will not be fishing for a serial number; instead I
will walk you through the code step by step, up to the final
decision to patch this program permanently. This tute is the third
in a series on similar programs, after Sliders v1.3 and SnowFlake3D
v1.0. The last 2 tutes used the serial-number-fishing approach. If
you want to fish the s/n of this program I recommend you read my
TUTE-SLIDERS13.TXT - download it at the TNT website or in the tKC
tute pack.

tKC tute pack : http://www.ciafiles.visionz.eu.org/
TNT website   : http://home.luna.nl/~enigma/TNT/tnt2k.htm

1. Activate 3D DESKTOP DESTROYER.SCR, click the REGISTER NOW! button,
   and in the registration dialog box type the information below :

   Name   : Pirates Order
   E-mail : rackham@pirates.com
   Code   : 73881050

   Do not click the REGISTER button yet.

2.
   Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as
   follows :

   BPX getdlgitemtexta [enter]

   then press F5 to return to the main program.

3. Now, click the OK button... you'll drop back into SoftIce! Within
   SoftIce press F11, F5, F11, F5 and F11 once again until you break
   at :

   ____________________________________________________________
   015F:00405DBC  FFD7            CALL  EDI                   break
   015F:00405DBE  8D4C242C        LEA   ECX,[ESP+2C]          <== here
   015F:00405DC2  8D54247C        LEA   EDX,[ESP+7C]
   015F:00405DC6  51              PUSH  ECX
   015F:00405DC7  8D8424D0000000  LEA   EAX,[ESP+000000D0]
   015F:00405DCE  52              PUSH  EDX
   015F:00405DCF  50              PUSH  EAX
   015F:00405DD0  6838B44100      PUSH  0041B438
   015F:00405DD5  E8162E0000      CALL  00408BF0
   015F:00405DDA  83C410          ADD   ESP,10
   015F:00405DDD  85C0            TEST  EAX,EAX
   015F:00405DDF  742F            JZ    00405E10
   015F:00405DE1  8B0D5CF14100    MOV   ECX,[0041F15C]
   015F:00405DE7  6A00            PUSH  00
   015F:00405DE9  68205C4000      PUSH  00405C20
   015F:00405DEE  56              PUSH  ESI
   015F:00405DEF  6A6C            PUSH  6C
   015F:00405DF1  51              PUSH  ECX
   015F:00405DF2  C70540B1410000  MOV   DWORD PTR [0041B140],000
   015F:00405DFC  FF1590824100    CALL  [USER32!DialogBoxParamA]
   ___________________ 3D DESKTOP DESTR!.text+4DBC _______________

   Press F10 once - stop at 015F:00405DC2 - dump the ECX register :
   : d ecx [enter]  ==> your fake 73881050 is at 0167:0068F5E0

   Press F10 once - stop at 015F:00405DC6 - dump the EDX register :
   : d edx [enter]  ==> your rackham@pirates is at 0167:0068F630

   Press F10 two times - stop at 015F:00405DCE - dump the EAX
   register :
   : d EAX [enter]  ==> your name Pirates Order is at 0167:0068F680

   Press F10 6 times - stop at 015F:00405DDF - it's a JZ instruction.
   Pause your reading of this tute for a while. Step past this
   address ( F10 I mean ) and you'll land at 015F:00405E10. Several
   lines below ( scroll down with CTRL + PgDn if necessary ), did you
   see that function CALL [USER32!DialogBoxParamA] ??? When you step
   past this line a beggar-off message appears on your screen.
   That's not good, right ?

4. Now, back to this tute - repeat steps #1 - #3 again.
   Stop again at 015F:00405DDF and look 8 lines below: there is a
   similar trap, CALL [USER32!DialogBoxParamA], at 015F:00405DFC. You
   can guess that if you step past that address, you'll get the
   beggar-off message for the second time. Okay, what should you do
   then ?? There's no other way except to turn this JZ into a JNZ
   instruction. But how can I change that byte within SoftIce ?
   Besides, one line above CALL [USER32!DialogBoxParamA] there is a
   comparison statement ( DWORD PTR [0041B140],000 ) for whether this
   program is registered or unregistered. How to handle this
   situation ? One way or another, let's change that JZ into JNZ and
   let SoftIce do it for you. Still at 015F:00405DDF, in the Command
   Line type :

   : r fl z [enter]  ==> did you see that the JUMP indicator has now
                         changed into ( NO JUMP )

   What you have just done is instruct SoftIce to ignore that JZ, so
   it behaves as a JNZ instruction. Now you're free to continue
   pressing F10 again. Step past that worrying
   CALL [USER32!DialogBoxParamA] at 015F:00405DFC ..... heeehaaauwww
   you got " Registration successful ... " . Click OK to confirm that
   classic message, and you'll be returned to SoftIce.

5. Now, disable all breakpoints. Press F5 to return to the main
   program's window. REMEMBER, you have just registered this program
   virtually in SoftIce DEBUG MODE ! You have not permanently changed
   the byte / ASM code of the JZ through a HexEditor. To prove this,
   quit the program and re-run it .... you're still unregistered !

6. Let's change that byte permanently by using a HexEditor; in this
   case I am using HIEW ( Hacker's View v6.x ). Run HIEW.EXE and open
   3D DESKTOP DESTROYER.SCR; you're now in HIEW's TEXT edit mode.
   Change TEXT mode to HEX mode by pressing the [ENTER] key once, or
   press the F4 key and select HEX in the pulldown menu. Press the F7
   key ( Search Mode ) and search for the byte taken from the address
   of 015F:00405DDD, that is " 74 2F " .
   Here is what HIEW's hex-mode search looks like :

   [Forward /Full ]
   ASCII: _______________
   Hex:   85 C0 74 2F 8B 0D      <== type here

   Before you press [ENTER] to begin the search, you may ask " why
   should I type 85C0742F8B0D instead of 742F ? " Answer : It's true
   that 742F is the target ! But you'll find more than one location,
   which will confuse you later on or, worst of all, lead you to
   patch the wrong address. That's why I took some bytes before and
   after the target byte being searched for. Here's an excerpt from
   the code snippet above :

                  ^^^^
   015F:00405DDD  85C0           TEST  EAX,EAX         target
   015F:00405DDF  742F           JZ    00405E10        <== search
   015F:00405DE1  8B0D5CF14100   MOV   ECX,[0041F15C]
                  ^^^^

   By doing this you'll land close to the target location. Now press
   [ENTER], and you'll see something like this :

   3DDESK~1.SCR   R ----- 352256 ¦ Hiew 6.00 (c)SEN
   -------------------------------------------------------
   ==> here  00405DDD: 85C0          test  eax,eax
             00405DDF: 742F          je    000405E10
             00405DE1: 8B0D5CF14100  mov   ecx,[00041F15C]

   You'll stop at hex address 00405DDD with the cursor blinking at
   byte "85". Since that is not the byte you have to change, press
   the down arrow key once so that byte "74" is highlighted. To
   edit/change this byte press the F3 key, and HIEW's screen will
   change slightly, like this :

   3DDESK~1.SCR   W PE 00005DDF a32 Hiew 6.00
   -----------------------------------------------------
   00005DDF: 742F          je    000005E10

   Overwrite byte 74 with 75, then press F9 to save your work. The
   end result will look like this :

   00405DDF: 752F          jne   000405E10   ( after )
   00405DDF: 742F          je    000405E10   ( before )

   You have just permanently changed ( patched ) the byte in the
   program. Now it's time to test your work. Press F10 to quit HIEW.

7. Activate the (patched) 3D DESKTOP DESTROYER.SCR, repeat the
   registration procedure, and key in whatever name, e-mail and code
   you like. Click the OK button ..... there, you're registered.

8. Well, I remind you NewBies: DON'T BE HAPPY AT THE FIRST ATTEMPT
   UPON SUCCESSFULLY MAKING A PATCH. ALWAYS CHECK and SEARCH ( trace
   and verify if necessary ) where your registration info is stored.
   THAT'S THE RULE! Take note: if your patched *.SCR does not create
   info in the registry ( please refer to step #9 below ) - then you
   did the WRONG PATCHING !!

9. Where the hell is my registration code stored ??
   The correct registration code is stored in the registry as
   follows :

   REGEDIT4

   [HKEY_CURRENT_USER\Software\InfoTech]

   [HKEY_CURRENT_USER\Software\InfoTech\ss]

   [HKEY_CURRENT_USER\Software\InfoTech\ss\dd]

   [HKEY_CURRENT_USER\Software\InfoTech\ss\dd\16]
   "Priority"=dword:00000002
   "x_div"=dword:00000019
   "y_div"=dword:00000013
   "xyAmplitude"=dword:0000000a
   "xyFrequency1"=dword:0000000a
   "xyFrequency2"=dword:0000000a
   "xySizeX"=dword:0000003c
   "xySizeY"=dword:0000003c
   "Mode"=dword:00000000
   "genChildren"=dword:00000002
   "xyGoraud"=dword:00000001
   "useLinear"=dword:00000001
   "screenTextureWidth"=dword:00000200
   "screenTextureHeight"=dword:00000100
   "useTrails"=dword:00000000
   "enableMovement"=dword:00000001
   "rotX0"=dword:0000000a
   "rotX1"=dword:0000001e
   "rotY0"=dword:0000000a
   "rotY1"=dword:00000019
   "rotZ0"=dword:0000002d
   "rotZ1"=dword:00000014
   "zoom0"=dword:00000019
   "zoom1"=dword:00000014
   "useOGL"=dword:00000000
   "randPreset"=dword:00000000
   "tot"=dword:00000005
   "tou"=dword:00000000
   "tov"=dword:00000000
   "tow"=dword:00000001
   "resW"=dword:00000000
   "resH"=dword:00000000
   "resC"=dword:00000000
   "r30"=dword:00000000

   NOTE: deleting the "r30" value will return the program to the
   unregistered state.

10. How can I practise with my own user name ?
    - I strongly recommend you not do this !


E N D   N O T E S

Distributing your serial number is illegal and is no different than
distributing illegal copies of the registered software. Violation of
this rule may result in temporary or permanent revocation of this
license and cancellation of the serial number; the original licensee
will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because
you become a LAMER(s)!!!!!!!!
( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
personal computer, using a Hex Editor, ripping off other groups'
crack releases and repacking (distro) them under his name. Adopted
from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for
luser, not used much by hackers but common among warez d00dz,
crackers, and phreakers. Oppose elite. Has the same connotations of
self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


Never attribute to malice that which is adequately explained by
stupidity

ASTAGA [WTF/TTM/D4C/C4A]
tute-3desktopdestroyer20.zip
[EOF] 1/4/01 10:23:59 PM
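
Added example, not part of the original tutorial: seen from the
defending side, the one-byte edit in step 6 is what a file-integrity
check catches. The code below recomputes a file's SHA-256 against a
recorded baseline and labels each byte that differs from a known-good
copy; the sample bytes are constructed from the listing in step 3 and
the function names are hypothetical.

```python
# Added example (not from the tutorial): integrity check plus byte-level triage
# of a file against a known-good copy. Function names are hypothetical.
import hashlib

# Constructed sample: the instruction bytes quoted in step 3 (ADD ESP,10 /
# TEST EAX,EAX / JZ / MOV ECX,[..] / PUSH 00) before and after the step 6 edit.
GOOD = bytes.fromhex("83c41085c0742f8b0d5cf141006a00")
PATCHED = bytes.fromhex("83c41085c0752f8b0d5cf141006a00")


def is_tampered(baseline_sha256: str, data: bytes) -> bool:
    """True when the file no longer matches the recorded baseline hash."""
    return hashlib.sha256(data).hexdigest() != baseline_sha256


def is_short_jcc(byte: int) -> bool:
    # 0x70..0x7F are the x86 short conditional jumps; each even/odd pair
    # (e.g. 0x74 JZ / 0x75 JNZ) tests the same flag with opposite sense.
    return 0x70 <= byte <= 0x7F


def classify_changes(good: bytes, suspect: bytes) -> list:
    """Return (offset, old, new, note) for every byte that differs.

    Heuristic only: without disassembly a changed byte may be an operand or
    data rather than an opcode, so treat the notes as triage hints.
    """
    findings = []
    if len(good) != len(suspect):
        findings.append((None, len(good), len(suspect), "file size changed"))
    for offset, (old, new) in enumerate(zip(good, suspect)):
        if old == new:
            continue
        if is_short_jcc(old) and is_short_jcc(new) and (old ^ new) == 1:
            note = "short conditional jump inverted"
        elif is_short_jcc(old) and new == 0xEB:
            note = "conditional jump made unconditional"
        elif new == 0x90:
            note = "byte replaced with NOP"
        else:
            note = "byte modified"
        findings.append((offset, old, new, note))
    return findings


if __name__ == "__main__":
    baseline = hashlib.sha256(GOOD).hexdigest()  # recorded at release time
    print("tampered:", is_tampered(baseline, PATCHED))
    for offset, old, new, note in classify_changes(GOOD, PATCHED):
        print(f"offset {offset:#x}: {old:02X} -> {new:02X}  {note}")
```

The hash comparison alone is enough to reject a modified file; the
per-byte notes only help an analyst see what kind of change was made.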